Sidecar Blog

Cybercrime Is Now the Third Largest Economy in the World — And Associations Are on the Target List

Written by Mallory Mejias | Apr 13, 2026 5:37:54 PM

Twelve trillion dollars. That's the estimated annual volume of cybercrime flowing through the dark web — a figure that surpasses the GDPs of Germany and Japan combined. If the dark web were a country, its economy would trail only the United States and China. And it's growing. At its current trajectory, dark web cybercrime could surpass $20 trillion in the coming years, potentially overtaking China for the number two spot.

These aren't numbers designed to scare you into action (though they probably should nudge you in that direction). They're meant to reframe how you think about cybercrime altogether. This isn't a tech sector problem. It isn't something that only happens to Fortune 500 companies or government agencies. Cybercrime is a global industry — and associations, with their sensitive member data and often-lean IT resources, are very much part of the landscape it operates in.

There Are No Hackers, Only Spies

Eric O'Neill spent years as an FBI counterintelligence operative before becoming one of the country's leading voices on cybersecurity. His assessment of the current threat landscape challenges everything you think you know about cybercriminals: the lone-wolf hacker in a dark hoodie, typing furiously until they hit one key and whisper, "I'm in," is a relic.

Today's cybercriminals operate more like intelligence agencies than basement hobbyists. They're organized into syndicates and gangs with specializations, hierarchies, and revenue models. Many are trained by — or recruited directly from — nation-state espionage units. Countries like China, Russia, North Korea, and Iran maintain sophisticated cyber-operations, and their former operatives often find their way into the criminal ecosystem. These governments largely look the other way, so long as the attacks target the West.

What this means in practice is that the attacks coming at your organization aren't brute-force computer-versus-computer assaults. They're human-driven operations built on traditional espionage techniques: reconnaissance, deception, impersonation, and confidence schemes. A cybercriminal targeting your association has likely researched your organization on social media, identified your vendors, mapped your internal structure, and figured out who has authority to approve payments — all before a single line of code is involved.

O'Neill frames it bluntly: there are no hackers, only spies. Hacking is the natural evolution of espionage. As organizations moved their data from paper filing cabinets to computer systems, spies had to evolve with them. And criminals have evolved by copying the spies. That reframing matters, because it changes what you're actually defending against.

Why Associations Make Attractive Targets

Here's where the conversation gets personal for association leaders.

Cybercriminals don't evaluate targets based on prestige or revenue. They don't care about your mission, your membership size, or whether you consider yourself "important enough" to attack. They evaluate one thing: vulnerability. And they go after charities, associations, and NGOs because the statistical odds are in their favor. These organizations typically have weaker defenses than their corporate counterparts, and criminals — who only get paid when they win — are strategically lazy. They go where the doors are easiest to open.

Associations check several boxes that make them appealing. They hold sensitive member data, including personal information tied to professional credentialing. They often operate with small IT teams — sometimes one or two people — who are responsible for everything from troubleshooting email issues to managing the entire security posture of the organization. And many associations underinvest in cybersecurity because the assumption has always been that they fly under the radar.

That assumption is the first and most dangerous mistake an association can make. Cybercrime has scaled to the point where attacks aren't personally targeted in the way you might imagine. There is so much criminal activity flowing through the dark web that it's a numbers game. Automated tools scan constantly for vulnerabilities. If your defenses have gaps, you will eventually show up on someone's radar — not because they chose you, but because they found you.

How a Modern Cyberattack Actually Works

Understanding how these attacks play out is the first step toward defending against them. And the reality is less cinematic and more methodical than most people expect.

It starts with reconnaissance. Cybercriminals study their targets the way an intelligence operative would study a foreign asset. They comb through social media to learn about your organization's recent events, partnerships, and vendor relationships. They identify which companies you work with, which staff members are publicly visible, and who holds authority over financial decisions. LinkedIn, Instagram, event recaps, vendor shout-outs on social media — all of it becomes raw material.

From there, they craft their approach. A common attack pattern against smaller organizations involves fake invoices. Criminals use AI to generate a convincing invoice from a vendor your team actually works with — matching the format, branding, and language your finance staff would expect to see. The invoice arrives with a link to process payment and, helpfully, a phone number to call if anything seems off. When your team calls that number, a polished, professional voice (sometimes human, sometimes AI) talks them through processing the payment. The money disappears. Or worse — the interaction installs a remote access tool on your system, and the real attack, a full-scale ransomware deployment, comes later.

These aren't random phishing blasts sent to a million inboxes hoping someone clicks. They're researched, targeted, and tailored. And they rely on the same principles that have driven espionage for centuries: build trust, create urgency, and exploit the moment of pressure before the target has time to think.

Ransomware attacks in particular are designed for maximum impact. Criminals spread quietly through a network after gaining entry, establishing control over as many systems as possible before revealing themselves. When they do, it's often at the worst possible time — during a major event, at the end of a fiscal year, during a leadership transition — and the demand is simple: pay or lose everything.

AI Is Accelerating the Whole Operation

If the espionage-driven model of cybercrime was already effective, AI has put it into overdrive.

Cybercriminals now have access to AI tools with no guardrails. Some are stolen from major companies and stripped of their safety features. Others are purpose-built within criminal networks. These tools will do anything asked of them: draft the perfect spear-phishing email tailored to a specific target, generate malicious code, build convincing fake websites, and run entire reconnaissance campaigns autonomously.

One of the more concerning developments is AI that never sleeps. Criminal organizations are deploying AI agents that continuously scan networks looking for unpatched servers, misconfigured security settings, or newly introduced vulnerabilities. When one is found, the AI flags it and presents the criminal with a menu of exploitation options. The barrier to entry for sophisticated cyberattacks has dropped dramatically — you no longer need deep technical expertise to launch one. You just need access to the right tools.

Deepfakes represent another front entirely. Voice cloning technology has advanced to the point where a convincing replica of someone's voice can be generated and used in real time. There are documented cases of AI-generated voice (and video) calls impersonating CFOs and directing staff to wire money immediately. There are cases of families receiving calls from what sounds exactly like a loved one claiming to have been kidnapped. The pattern is always the same: create pressure, create urgency, and force a decision before the target can verify what's happening.

The convergence of AI and cybercrime is pushing the volume, speed, and sophistication of attacks well beyond what even a well-staffed IT department can handle with manual monitoring alone. For associations operating with minimal security infrastructure, the math is uncomfortable.

What This Means for Association Leaders

None of this is intended to suggest that the situation is hopeless. It isn't. But it does require a shift in how association leaders think about cybersecurity.

Cybersecurity is not an IT line item. It's an organizational priority that sits alongside financial management, legal compliance, and member trust. The data your association holds — credentialing information, personal details, financial records — is valuable, and protecting it is part of the promise you've made to your members.

The criminals aren't going away. The dark web economy will continue to grow, the tools will continue to improve, and the attacks will continue to find the path of least resistance. What will you do next?