Most cybercriminals make between $1,000 and $3,000 a month, but 20 percent earn $20,000 a month or more, according to a recent report.
The data is based on a survey conducted by a closed underground community, said report author Andrei Barysevich, director of advanced collection at cybersecurity firm Recorded Future.
"We actually saw criminals who made way more than that, $50,000 to $200,000 a month," he said. "This is what they keep, this is not revenues, but pure profit. This is what they can spend on loose women, fast cars and nice clothes."
Barysevich said that Recorded Future stumbled onto this survey when it was investigating activities in underground, invitation-only cybercriminal forums.
He added that he was surprised to see that the forum did a survey, and that a couple of hundred criminals participated, anonymously, and revealed details about how they worked.
But he wasn't surprised by the results.
"What we saw actually supported our previous research," he said.
Recorded Future has been gathering information about cybercriminals for years, he said.
"Our job involves engaging with cybercriminals and we talk to them all the time," he said. "And they share with us quite intimate details, which city they are in, if they actually have a regular job, if they have families. And we see a lot of weird stuff."
Most criminals work part-time, he added, and for some cybercrime is a family business.
"We've seen several generations that engaged in cybercriminal activity," he said. "We've seen messages between bad guys, with one guy complaining that today his wife was only able to purchase cheap electronics with stolen credit cards, worth a few hundred dollars, while his father was doing Internet crime."
The biggest demographic group consists of individuals with no criminal records and no ties to organized crime, who actually have steady day jobs. Many got into cybercrime while in college, then continued to keep their hand in.
But the most damaging are the people who run criminal syndicates, Barysevich said.
"They are not dilettantes," he said. "They are professionals, but in real life, and in cybercrime. They plan their operations very carefully, they have trusted people on the team of different professionals, so they have lawyers and ex-law enforcement officers. They also have professional forgers if they need to establish shell companies and need fake documents. They have people responsible for money laundering. They have real estate developers that help them build a legitimate business empire on the profits they make from illegal activities."
In many ways, the cybercrime organizations mirror traditional mafia groups, he said.