Cybersecurity leaders: Why threat actor behaviour should be your priority

If you’re leading a cybersecurity team today, understanding your adversary is just as important as knowing your tech stack. Because threat actors aren’t just opportunistic hackers – they’re running a business. 

The new Threat Actor Behaviour report by Arkose Labs makes it clear that if we want to stop them, we need to think like them. 

When we asked Jason Lau (CISO at crypto.com) what advice he’d give to his younger self, he said:

“I would advise my younger self to take more courses on psychology...understanding human behaviour is crucial for anticipating and mitigating cybersecurity threats. 

“Knowing what motivates threat actors and how they think can enhance strategies and responses to attacks…This insight is invaluable for a CISO, as it helps in developing more effective defence mechanisms and fostering a proactive rather than reactive security posture.”

He’s spot on. Cybersecurity leadership requires psychological acuity. The Arkose report is full of data that can help you understand how threat actors are thinking right now – so we’ve pulled key insights for you to integrate into your knowledge base. 

Scammers are chasing ROI, not chaos 

Arkose Labs researchers analysed nearly 20 billion malicious traffic patterns across sectors, and the report is a window into the industrial mindset of scammers. The motive is simple: money. And opportunities to make money are readily available. 

One standout stat: scammers in El Salvador can earn 20x more attacking gaming platforms than working as software developers. In Pakistan, that jumps to 25x.

Even a solo threat actor can earn USD $145,176 per year by targeting just five premium gaming platforms with account takeovers. When defences are weak, this becomes a repeatable revenue model; and when the cost-to-attack gets too high, they move on. 

So scammers are both agile and ROI-driven. They’re not shooting in the dark. 

Their favourite attack point? Your sign-up flow 

Over 50% of all attacks in 2024 began at account sign-up. In Q4 alone, 64% of attacks started there – representing 309% increase from Q3. 

Why? Because sign-up is often the least protected and most scalable entry point. For fintech platforms, sign-up attacks surged 11,600% in Q3. In dating apps, they exploded by 4,900% in Q4.

Scammers hide in high-volume seasons. The Paris Olympics, US elections, and end-of-year holidays all saw spikes in malicious traffic – not because attackers love sports or democracy, but because noise offers cover.

The modern scammer arsenal includes bots, fraud farms, and AI

The old-school image of a lone hacker is becoming outdated in today’s threat landscape. Current cybercriminals use AI-enhanced bots, human fraud farms, and attack automation services to optimise and personalise their scams. 

• Advanced bot traffic grew 556% from Q3 to Q4 2024.
• Fraud farm activity rebounded 599% in Q4 after a drop in Q3 – attackers pivoted quickly.
• SMS toll fraud, a niche but high-reward tactic, more than doubled to 9% of all attacks by year-end.

And let’s not forget the dark web economies behind these tools. Powerful kits offer phishing-as-a-service for around $400/month, and they’re capable of bypassing MFA and hijacking real user sessions.

Timing is tactical

Attackers work when users are online – and when defenders are distracted. Examples of this from the report include:

• 60% of attacks in El Salvador occurred between 4 PM and midnight.
• Scammers across countries operate most heavily from Tuesday to Friday each week.
• After the Paris Olympics, scammers took a break – malicious traffic dropped to less than 1% of annual totals in August and September, before ramping up again in Q4.

There’s choreography at play here. 

What should cybersecurity leaders do? 

Understanding threat actor behaviour is essential. Based on insights provided by Arkose’s researchers, here’s where to start:

1. Model their economics. Make your environment too expensive to attack. Use layered defences that increase their costs.
2. Protect the front door. Harden sign-up and sign-in flows with dynamic friction, device intelligence and behavioural analytics.
3. Train teams in cyber psychology. As Jason Lau recommends, understanding motivation and mindset is crucial.
4. Monitor seasonal patterns. Q4, major events, and election seasons are threat windows.
5. Share intelligence across departments. Fraud teams, marketing and cybersecurity must work together. Anomalies in SMS spend or user registrations can expose major fraud campaigns.

Cybercrime today is strategic, scalable and deeply human. By studying attacker behaviour (instead of just studying their tools), we can build smarter defences and reclaim control of our digital environments.

Understanding the why behind attacks gives leaders the power to fight back proactively. And that, more than any firewall, is how we win.