Extortion-as-a-Service: The Latest Threat Actor Criminal Ecosystem
For centuries, threat actors, both cyber and physical, have understood the benefits of using extortion to further their criminal activities. This has led some cyber threat groups to create Extortion-as-a-Service (EaaS) businesses. These are a formalized way for cybercriminals to offer extortion services to others for a fee or profit share.
And, as we shall see, it is just one of many newer -as-a-service models that threat actors are applying.
Cybercriminals no longer need expertise in every domain; they can increasingly outsource or supplement missing skills through the broader cybercrime-as-a-service ecosystem.
So far, this has led to Phishing-as-a-Service, Botnet-as-a-Service, DDoS-as-a-Service, and especially Ransomware-as-a-Service (RaaS), among others, becoming dominant templates.
That’s a Mighty Nice Network You Have There…
Building on this trend, Extortion-as-a-Service (EaaS) has emerged as a structured, modular business model within the global cybercrime economy, representing a mature evolution of extortion operations.
In part, EaaS is a spinoff of the double-extortion ransomware model (data theft plus encryption) that has been in effect since about 2018. Since then, extortion has become a distinct profit stream, separate from the encryption payload. This separation of functions (data theft, negotiation, and publicity) sets the stage for Extortion-as-a-Service.
Placing EaaS in Historical Context
As noted, extortion has long served as a tool for coercion and financial gain. In the cyber domain, this practice predates the formalization of EaaS, with early ransomware campaigns exemplifying a single-leverage approach centered on encryption-for-ransom schemes.
Over roughly the past decade, however, the cybercriminal ecosystem has evolved toward offerings that exploit economies of scale and specialized labor, mirroring the structure of legitimate SaaS enterprises.

Figure 1. Example of a typical recent DDoS-as-a-Service advertisement.
Early ransomware variants such as CryptoLocker and Locky primarily targeted endpoints and servers, encrypting data and demanding payments for decryption keys.
While initially lucrative, these attacks lost effectiveness as organizations adopted stronger backup and offline storage practices. This decline prompted threat actors to innovate, refining both their malware and methods to sustain revenue generation.
By 2016, more advanced ransomware families had emerged, and by 2018, operators began exfiltrating data prior to encryption. This introduced new layers of pressure on victims by combining reputational damage with operational disruption. The resulting dual-leverage model, rapidly standardized through RaaS programs, formalized multi-vector extortion, establishing data theft as an independent and profitable revenue stream.
As ransomware operations matured, their surrounding ecosystem followed suit. What began as loosely coordinated groups gradually evolved into structured networks of specialists, each fulfilling a distinct operational role.
This transformation gave rise to what we now recognize as Cybercrime-as-a-Service (CaaS) – a marketplace-driven model in which developers, access brokers, and operators collaborate through underground forums and encrypted messaging platforms. By distributing labor and lowering technical barriers, CaaS not only enhanced efficiency and scalability but also created the ideal conditions for more focused services such as EaaS to emerge.
Although the term EaaS is relatively recent, its underlying principles were already taking shape by 2022.
The concept evolved from informal underground language into an operationalized business model, reflecting the growing professionalization of cyber extortion. Increasingly, “EaaS” serves as both a criminal brand and functional model, describing offerings that allow opportunistic actors to exploit the reputation, tools, and infrastructure of established extortion groups to coerce victims.
Historically speaking, references to “Extortion-as-a-Service” first surfaced in underground communities around 2015–2016, often used jokingly alongside terms like “Hacking-as-a-Service” and “Doxing-as-a-Service”.
Initially, the phrase functioned as satire – a parody of corporate SaaS branding and a tongue-in-cheek signal of professionalism. Yet as extortion operations grew more sophisticated and brand recognition became a commodity, this informal terminology solidified into real service categories.

Figure 2. Example of contemporary “Hacking-as-a-Service” posts/ads offering extortion services.
This linguistic evolution mirrored operational reality. The double-extortion model, combining data theft with encryption, has gradually fragmented into distinct, monetized components such as intrusion, negotiation, and data publication.
This separation of functions not only improved efficiency but also laid the foundation for EaaS, where each stage of the extortion process could be offered independently. By mid-2022, EaaS-like offerings were proliferating, including dedicated vishing operations marketed to ransomware affiliates and structured distribution services supporting broader extortion campaigns.
By 2023–2025, the EaaS framework had matured into a recognizable operational and marketing model across the criminal underground – even when not explicitly labeled as such. Economic pressures, including reduced victim payment rates, pushed actors to monetize their most valuable intangible asset: reputation. Independent actors began offering negotiation, intimidation, and leak-site management services as standalone products, while established groups started licensing their brands to affiliates. This trend culminated in initiatives such as Scattered LAPSUS$ Hunters, which explicitly announced an “Extortion-as-a-Service” platform, selling not just access or malware, but the brand credibility associated with a known extortion identity.
Collectively, these developments show how operational specialization, economic incentive structures, and reputational capitalization converged to institutionalize EaaS within the underground economy. What began as ironic “-as-a-Service” jokes in early forum posts has evolved into a structured, scalable industry – treating coercion, intimidation, and data exploitation as configurable and competitive services.
Current Operational Models and Market Dynamics
As of 2025, EaaS comprises a range of overlapping services that collectively lower barriers for less-experienced threat actors while providing professionalized capabilities. Among the most prominent offerings are outsourced call operations, commonly also referred to as Vishing-as-a-Service (VaaS).
These operations rely on human operators to conduct social-engineering calls, callback phishing, and hybrid attack campaigns. Pricing typically follows a per-call or duration-based model, usually in the low double digits in USD equivalents.
One example, the QuattrO/CallMix/Procallmix services, first advertised in 2019, at times offered multilingual operators capable of executing fraud, dating-related scams, and complex corporate social engineering campaigns across the globe, excluding Russia. These operators conduct target research, gather contact information, and execute calls using male and female staff fluent in English, French, German, Italian, and Spanish.

Figure 3. Call operators available for hire through the QuattrO/CallMix/Procallmix underground service.
As a more recent example, in July 2025, a service named VoicePhishing introduced AI-powered VoIP software designed to extract OTPs, payment card details, and PINs from victims, with stolen data delivered directly to the attacker via Telegram.

Figure 4. Screenshot of VoicePhishing’s Telegram bot interface used to collect sensitive data from victims.
Complementing vishing, data-auditing and impact-presentation services have become increasingly prevalent. In these offerings, third-party actors analyze exfiltrated datasets, identify high-value records, prepare tailored presentations, and assist in ransom negotiations, typically in exchange for either a fixed fee or a percentage of the payment.
For instance, in April 2025, the actor Audit_Team provided dataset analysis and negotiation support to extortion and ransomware groups, charging either 15% of ransom payments or a $1,000 flat fee. Their services target organizations with annual revenues exceeding $500 million, completing analyses in two to three days to maximize efficiency.
Phishing-as-a-Service (PhaaS), often used in supporting EaaS operations, has also seen significant growth, evolving into cloud-hosted subscription models priced below $200 per month. Platforms such as SheByte enable users to generate fully functional phishing templates using AI, directly from screenshots, complete with anti-bot filtering, real-time OTP interception, and encrypted log storage. This demonstrates how AI accelerates campaign deployment while reducing technical barriers for attackers.

Figure 5. SheByte’s AI-powered interface for automatically generating phishing templates from screenshots.
Brand licensing further enhances EaaS operations by enabling affiliates to capitalize on the credibility of established extortion or leak brands, thereby increasing campaign legitimacy. Leak hosting services provide critical technical infrastructure, including Tor portals, mirror sites, and operational support, for a fee or under a revenue-sharing arrangement.
In parallel, cryptocurrency wallet-draining tools are increasingly available via Drainer-as-a-Service (DaaS) models, which supply preconfigured malware, phishing templates, and smart contracts to affiliates for a fee or revenue share.
A notable example is Angel Drainer, launched in February 2023, which enables even low-skilled actors to conduct large-scale credential theft and fund exfiltration efficiently.

Figure 6. Screenshots of Angel Drainer’s sales thread posted by the actor mrangel, showing available tools and features for affiliates.
Taken together, these operational indicators illustrate a highly modular, service-oriented approach to cyber extortion. What makes this ecosystem particularly fluid is that threat actors often define and package their offerings independently, blurring traditional lines between service categories and demonstrating how actors creatively adapt “-as-a-Service” terminology to differentiate and market their operations.
As of 2025, EaaS continues to fundamentally reshape the cyber extortion landscape. By commoditizing operational expertise, social engineering, and brand credibility, it lowers barriers for non-expert actors while simultaneously amplifying psychological pressure on victims.
Profit-sharing structures encourage professionalism and reputation management, while the modular nature of these services complicates attribution and diminishes the impact of partial takedown efforts. Effective defensive strategies must therefore be multi-layered, combining data loss prevention, incident response, and proactive monitoring of service-oriented extortion activity.
Looking into 2026, EaaS offerings are expected to persist and evolve. High-probability developments include deeper integration of AI-assisted social engineering, the proliferation of subscription-based leak platforms, and the expansion of adjacent services. Medium-probability developments involve adaptive responses to law enforcement interventions, as well as enhanced operational security and rebranding strategies to mitigate non-payment risks.
AI-driven content generation represents a wildcard scenario, potentially enabling fully automated, large-scale extortion campaigns that reduce costs and challenge defenders’ ability to respond in real time. Taken together, economic and technological drivers suggest that EaaS will remain a central and enduring force in shaping the cyber extortion landscape.
About the Author
Serhii Melnyk is a Cyber Threat Intelligence Analyst at Trustwave. Serhii has eight years of experience in the security industry. Among his many tasks at Trustwave, he actively contributes to the MISP project and MITRE ATT&CK.