Back to Blog

Report: Cybercrime Groups choose Black Friday and Cyber Monday to Debut New Attacks

November 30, 2023

November brings discounts from popular retailers, and for many merchants the 24th to 27th is a substantial percentage of their annual sales. Here are some of the attack trends we saw in 2023.

The end of year brings discounts from popular retailers, and for many merchants the days between November 24th and 27th are a substantial percentage of their annual sales.

This provides a unique opportunity for cybercrime groups, who often debut new attacks in the hopes of hiding among increased transaction volumes.

hCaptcha Enterprise customers include many of the largest online payments and e-commerce platforms, so we often see patterns in this annual event that reflect emerging trends.

We will publish a longer report soon, but in the mean time here's a sneak peek at some of our initial observations.

This year, we observed a few interesting dynamics:

🇨🇳 Chinese threat actors led in debuting new attacks.

This will be no surprise to observers of cybercrime: China has historically been in the top three source countries for attackers in each year we have published a trend report, and this year was no different.


of confirmed threat activity

came from groups in mainland China.

🇺🇸 Threat actors from all nations prefer to use US IPs.

As you might expect, due to the US being a focus of e-commerce activity over this period, no matter where we determined threat group members were physically located they tended to prefer US IPs, often via large botnets.


of confirmed threat activity

was performed using US IPs.

⛯ Ultra-distributed attacks are increasingly popular.

We have seen botnet rentals, including of mobile devices, come down in price on blackhat markets over the past few years, and the most sophisticated threat groups averaged less than two requests per residential IP over four days in the BFCM period.


requests per IP

were made by high sophistication threat groups on average. This means blocking individual IPs is not an effective strategy when dealing with more sophisticated attacks.


This exploration of Black Friday and Cyber Monday attack trends underscores the evolving challenges faced by enterprises that do business online.

Any predictable surge in online shopping volume tends to bring increased risk of fraud and sophisticated abuse activity, and the 2023 BFCM period demonstrates this.

As we navigate changing online traffic patterns, it is clear that threat actors are both increasing in number and sophistication, as the cybercrime ecosystem becomes increasingly professionalized and stratified, allowing expertise to develop.

Cybercrime groups strategically deploy their resources to take advantage of major calendar events, and this means enterprises with e-commerce exposure must remain vigilant and flexible in cybersecurity countermeasures.

How does hCaptcha find threat actors like these?

hCaptcha Enterprise Advanced Threat Signatures and Private Learning models reliably detect these requests in real-time thanks to novel privacy-preserving AI/ML, despite threat groups' best efforts to defeat simpler legacy methods.

This capability, along with other unique hCaptcha features designed for APT mitigation, allows us to reach high confidence on which requests are associated with different threat groups, producing analyses like the ones in this report.

Want to see for yourself?

Find fraud and abuse fast, whether automated or human. Reach out for a consultation from our experts at hCaptcha Enterprise.

Subscribe to our newsletter

Stay up to date on the latest trends in cyber security. No spam, promise.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Back to blog