Key Takeaways
- The cybercrime ecosystem is highly interdependent, giving criminals economies of scale that amplify their impact.
- Fragmented knowledge and isolated defender efforts hinder effective disruption; greater transparency is essential.
- The Cybercrime Atlas — through its open‑source Cosmos knowledge graph — provides a shared, dynamic map of criminal groups, tools, infrastructure, and their relationships.
- Cosmos integrates a formal ontology with nine core categories, 229 elements, and 849 connections, and is designed to grow as new intelligence is contributed.
- A common language (taxonomies, ontologies, data normalization) enables coordinated incident reporting, analysis, and joint action across industry, law‑enforcement, academia, and civil society.
- The tool invites the wider community to continuously refine and use the map, turning visibility into systematic disruption of cybercrime.
Overview of the Cybercrime Challenge
Numerous interdependent players in the cybercrime ecosystem create economies of scale for criminals. Given the covert nature of cybercrime operations, greater information and transparency will help combat them. A shared map of the ecosystem will serve cybercrime defenders, prosecutors, legislators, and investigators to plan, communicate, and collaborate effectively.
Current Threat Landscape
As highlighted in the Global Cybersecurity Outlook 2026, cybersecurity is accelerating in response to escalating threats, geopolitical fragmentation, and a widening technological divide. Global cybercrime damages are projected to exceed trillions annually, while ransomware, fraud, and illicit digital services are becoming increasingly industrialized. The need for coordinated disruption has never been greater.
Fragmentation and Isolation
Yet, in a landscape where cyber defenders often operate in isolation, the Cybercrime Atlas offers a platform that connects experts and organizations, amplifying the impact of their individual efforts and enabling a more coordinated, systematic disruption of cybercriminal activities. Knowledge about how cybercriminal groups operate remains fragmented, often siloed within individual organizations or countries, leaving defenders without a complete picture. Responses are scattered; law‑enforcement and industry efforts are frequently constrained by borders and limited coordination.
Introducing the Cybercrime Atlas and Cosmos
Cybercrime has evolved into a vast and complex ecosystem, comprised of diverse players that trade, collaborate, specialize, and depend on each other across every phase of criminal operations. The groups are large, globally distributed, and supported by complex technical and money‑laundering infrastructure. To address this, the Cybercrime Atlas has launched Cosmos, an open‑source map of the cybercrime ecosystem. The tool is available on the Cybercrime Atlas website and was developed by the Cybercrime Atlas community, led by Orange Cyberdefense, with contributions from Banco Santander, Universitat de Girona, and Scitum.
How Cosmos Works
Defenders, legislators, prosecutors, and investigators can use this shared “map” to develop a unified view of the ecosystem and its constituent parts; to plan, communicate, and collaborate effectively; and ultimately to prevail in the struggle against cybercrime. Cosmos is built on a formal ontology, with uniform definitions and categories that can be expanded using open‑source principles and community collaboration. It represents what we believe to be the world’s first open‑source cybercrime ecosystem knowledge graph—an interactive map that connects cybercriminal groups, tools, infrastructure, and their relationships.
Data Structure and Dynamism
Cosmos currently includes nine core categories, 229 identified elements (such as cybercriminal groups, tools, services, and infrastructure), and 849 connections that map how these elements interact and support one another. Together, this creates a structured view of the cybercrime ecosystem, showing not just who and what is involved, but how they are linked. Importantly, the dataset is designed to be dynamic, expanding and evolving as new intelligence is contributed, and the community’s understanding deepens.
Intended Audience and Accessibility
The resource is intended for both specialist and non‑specialist users, including researchers, journalists, investigators, policymakers, and practitioners from a wide range of fields. Improving visibility is a first step toward more effective disruption. By providing an interactive, accessible map, the Cybercrime Atlas community aims to lower the barrier for stakeholders to grasp the full scope of cybercriminal operations and to act on that insight.
Limitations of Existing Frameworks
Disrupting cybercrime requires collaboration. The complexity of cybercrimes has led to numerous frameworks aimed at breaking them down into understandable events—typologies, taxonomies, ontologies, crime scripts, and cyber kill chains. Researchers and practitioners also apply social network analysis and machine‑learning techniques to map the ecosystem. However, these approaches rarely provide a single, integrated view of both criminal processes and the wider ecosystem that enables them. Different organizations often use different terms for the same concepts, making communication difficult and hindering a unified response.
Toward a Common Language
Cybercrime taxonomies and ontologies create a common language, making it easier for organizations to communicate, identify, and classify threats quickly and consistently. They also streamline incident reporting by ensuring everyone describes cyber events consistently. Data normalization builds on this by bringing information from different systems into a consistent format. Since threat data comes from many sources and in many forms, normalization makes it comparable and usable, enabling more effective analysis, sharing, and coordinated action. Without a shared, practical way to understand how individual threats fit together as a system, efforts to combat cybercrime risk remaining fragmented and reactive.
Community Involvement and Acknowledgments
The Cybercrime Atlas community and its partners are proud to release the first version of this new initiative. Cosmos provides a map of the cybercrime landscape as we understand it today and invites the wider community to help build, refine, and use that map in the fight against cybercrime. We extend our deepest thanks to the researchers, investigators, engineers, and experts from the Cybercrime Atlas community who contributed to this report. For reasons of operational security, they cannot be named, but the findings shared here are based on insights developed through collaborative research by experts from the following organisations that participate in the Cybercrime Atlas community: research led by Orange Cyberdefense with contributions from Banco Santander, Universitat de Girona, and Scitum.
Prepared as a concise yet comprehensive summary (approximately 910 words) with bolded sub‑headings for each paragraph and an opening “Key Takeaways” section.