Microsocial crime script in a meta criminal context: crime script analysis as applied to hybrid digital crime

This post is about crime script analysis as a method of bridging micro- and meta- analysis of criminal activity. It lays out what crime script is and how it can be used to understand the relationship between the material criminal context and the patterning of criminal action.

The origins and application of crime script analysis

Cohen and Felson (Cohen and Felson, 1979) analysed US crime rates following the Second World War. They suggested crime rates are not well correlated with socio-economic stressors such as unemployment, poverty and inequality. Crime incidence may increase in good times and slow in bad times. It does closely match opportunities. What is there matters more than what is not there. That is why crime can increase in good times. There is more stuff. As a material of theory of crime this works on a basic level. There is no car theft without cars to steal and a large enough market to sell into. That insight is the basis for Routine Activities Theory (RAT) which states that acquisitive crime is patterned and dependent on the existence of an opportunity, a motivated criminal and an absent guardian (Andersen and Farrell, 2015). It also explains some of the reduction of material crime as a result of the rise of the digital economy. As the economy becomes centred on virtual goods it becomes more difficult and less lucrative to traffic in stolen property. In this new environment criminal groups and methods either fall or adapt and exploit new opportunities presented by digital society.

An approach is needed to understand criminal innovation and the success or failure of specific criminal methods which are persistent, patterned and shared between criminals. One way of doing this is through Crime Script Analysis (CSA), developed by Cornish (Cornish, 1994). CSA characterises criminal activity as routine and purposive and identifies a criminal modus operandi. Much criminology and policing practice had focused on the crime event itself, hoping to catch criminals in the act. CSA puts the offending act itself in a context of preparation, commission, and leaving. By laying out the sequence like this the criminal act can be disrupted by situational crime prevention (SCP) measures which interfere with different stages of the script. For example a study of illicit opioid sales might identify lax or corruption prescription of painkillers as a source for drug dealers and reduce incentives for overprescribing (Moreto et al., 2020). Each stage in the script suggests a control intervention like target hardening, control of entry/exit routes, and limiting opportunities to profit from crime. Many of the steps identified might not in isolation constitute illegal acts. As a result CSA can be used to propose changes in the law, for example, criminalising ‘grooming’ by child sexual predators as a critical stage in the preparation of child abuse.

Target attraction is based on VIVA (value, inertia, visibility and accessibility). Felson (Felson, 2000) argues the theory helps avoid common mistakes which assume in a common-sense fashion that social disorder leads to more crime. He argues: “Shabby paint on buildings might be ugly, but it probably does not itself contribute to more crime. Graffiti in subways probably does not lead to more robberies. Extreme deterioration of a neighborhood might cause vice crimes to decline by scaring away customers”. These factors are likely to be correlated not causal. For instance, street drug markets operate in the absence of the guardian, not because the neighourhood lacks streetlighting. ‘Broken windows’ theory of crime might correlate to reality because it signals the absence of a guardian rather than indicating a generalised lawlessness which criminals take advantage of.

Crime script analysis in microsocial detail

CSA is a microsocial analysis of routine criminal activities which at its most basic level divides the crime sequence into three stages: precursors, commission and resolution/departure. Or Sue, Grabbit and Runne. Each stage can be further subdivided into more detailed stages, such as preparation, entry, precondition, instrumental initiation, instrumental actualisation, continuation, post-condition, exit/reset. Each element is required to complete the whole crime chain. Cases for the script are collected from various sources. These might be police investigation files, court transcripts, or raw accounts by those involved given to interviewers.

In order to compile the crime script, begin with a blank sheet of categories to be populated:

Table 1 Blank Crime Script  
          Scene Action Example of a house burglary Overall stage
Preparation Obtain necessary tools/precursors Obtain lockpicking tools, intelligence about opportunities, associate with accomplices Precusors
Entry Gain access to targeted space Find neighbourhood judged to be sufficiently undefended/lucrative
Precondition Condition necessary for target choice Choose time of day/night when residents out or asleep
Selection Identify specific opportunity Choose dwelling
Instrumental initiation Begin action sequence Approach entryway/other weak point Commission
Instrumental actualisation Initiate action Gain entry illegally
Continuation Carry out action Take value items/Remain on scene to conduct opportunistic criminal acts
Post condition Maintain role out of scene, getting away, extracting value, other necessary end states to reset the sequence. Leave, divide up and sell stolen goods Resolution/departure
Exit/reset Return to starting point/desist Cash out goods

The script can be adapted to a wide range of criminal activity. A study of illicit meth production might identify sources of precursor chemicals, spaces used for laboratories, and processes of integrating with cartel buyers or other distributors. Many non-or semi-criminal actors are involved in activities such as facilitating infrastructure, finding transport, security, and sorting out legal and administrative issues for example by creating front companies. Larger illicit operations use front entities like fake pharmaceutical buyers, requiring a greater degree of network extent and complexity. A point we learn from this is that there is no such actor as ‘the criminal’. The person running the lab may be a part time hire, they may be supplied by a knowing person in the chemical industry. One task assigned was popping Sudafed out of thousands of pill blisters (Chiu et al., 2011).

When we use the CSA method then we see that there may be no central criminal actor and guiding mind. Scripts then connect to further scripts, for example, one for drug distribution which might involve a different subset of actors. Scripts can also be incomplete. The hacking group LAPSUS$ was very successful in applying login credentials purchased in a criminal marketplace to access Electronic Arts’ internal systems – potentially a major breach. However it had no idea what to do after that and was reduced to begging a journalist for contact details for the company in order to make a failed attempt to blackmail them (Cox, 2022).

A reason for using CSA is it allows analysts to identify control conditions that can be applied at different stages. How might absent guardians be substituted? How might opportunities be reduced? How might motivated actors be demotivated? The script can be used to recommend actions at each stage and evaluate their potential cost effectiveness. For example, knowing that counterfeit cigarette manufactures buy second hand cigarette manufacturing machines and also draw on cash rich businesses as a ready source of capital, then manufacturers might be required to account for those sold into the second hand market and the accounts of nightclubs closely monitored (Antonopoulos and Hall, 2016). For that reason, each sequence stage must be necessary for completion of the whole script. The analysis must separate out extraneous activity and focus on those conditions without which the script would fail.

Applied to digital and hybrid crime

The digital sphere appears to lack some of the qualities involved in routine activities theory however, time-space stretching means co-presence in the same time and space are not needed but there does need to be some kind of shared networked connection. The digital environment may enable absent guardianship through anonymity and other features of distanced responsibility, de-personalisation and remoteness of consequences. As increasingly digital crime is hybridised scripts can usefully identified transition points between online and face to face action (Brown, 2006; Roks et al., 2020). Leukfeldt (Leukfeldt, 2014) describes a situation where a phishing network largely coordinates in person and uses social engineering rather than malware to suborn victims.

The lens might need to shift from capable guardianship to relative visibility (Leukfeldt and Yar, 2016). We also need to rethink motivation. A study of web defacement in the Netherlands showed that those motivated by fun, patriotism and revenge tended to stick to local websites and use known SQL vulnerabilities, and so were more easily deterred than those doing it to demonstrate skill (Holt et al., 2020).

Case: A Darknet Counterfeit Currency Vendor

I am using a case where I mapped counterfeit currency distributor and user crime scripts using a sales and discussion thread scraped from a darknet market. The distributor sold fake US Dollars in $20, $50 and $100 denominations. The discussion thread was extensive and took place over several years. The distributor ‘Benjamin’ and their customers discussed the quality of the notes and how to successfully use them. The thread was open coded using NVIVO and then recoded according to crime script stages for both distributor and user. Contextualisation codes were also used which identified the material and social context of the criminal community. For instance, one code which became important in relation to the users’ moral justification for what they were doing was ‘Politics’. Users justified their activity in relation to the US Federal Reserve’s degrading the currency.

Matrix coding was then conducted, cross tabulating the contextualizing codes with the CSA codes. These codes fed into the crime script coding, for example, technical features were coded and then distributed according to their function in the precondition/actualisation parts of the script. That exposed the technical, stealth, performative and organisational features at different stages of the script execution.

Cases were created for each contributor to the forum and the attribute function was used to record their role/stance. While some roles were immediately obvious, such as Benjamin, others emerged during the contextualising analysis. For example, some contributors took on the role of mediating the crime script, advising others on how to successfully use the notes in different contexts and de-risk their use.  The following crime script was developed:

Table 2 Crime Scripts for Benjamin and Users
Benjamin Users
Entry Bulk order from supplier Set up cryptomarket account Receive currency

Target scoping

Precondition Pricing and divide up note ‘packs’ Choose high traffic setting

Work notes


Selection Market/sales/advertise Select/stealth person/car

Select young cashier/busy time

Instrumental initiation Receive orders from buyers Identify high value/good return good
Instrumental actualisation Process orders, select consumer/delivery Buy goods/swap out cash
Continuation After sales support/manage reputation/expectations on forum Recycle bad product into good notes
Post condition Close the feedback loop with supplier Transfer legit cash
Exit/reset Cash out/repost Return to thread/leave

Distribution of counterfeit currency in this way is an example of a hybrid crime combining online distribution and offline actualisation. The script required understanding the meta-criminal context in which Benjamin and the users operated. Benjamin was a secondary distributor for the primary note producer. Therefore they had to manage both their supply and manage expectations within the darknet community about the effectiveness of the notes. Benjamin’s second stage role meant they could palm off some of the responsibility for poor quality product onto the supplier but still needed to maintain a reasonably high hit rate among their customers. It was vital in order to keep selling the notes that users reported success with them. So Benjamin and some key contributors maintained a modus operandi document, effectively their own crime script, to guide users through the process. This involved ensuring users did not try too high and invite suspicion, for example, by buying a one dollar item with a one hundred dollar note.

The discussion was open to different kinds of qualitative analysis. A narrative analysis was also conducted which showed the evolution of the community over time. It began well. Buyers expressed excitement at a new source of counterfeit notes which appeared to come directly from a well known producer. Initial batches were received well and were passed off successfully. The second batch had a noticeable drop in quality. Gradually the group turns against Benjamin and they withdraw from the forum. The narrative analysis also allowed me to understand much more about how the script was developed and finessed by the group. It showed how much criminal innovation is about learning and adapting in the moment.

Strengths and limits

CSA itself is scaleable. Examples of its application run from smash and grab robberies, interest rate market manipulation, polluting a river, the assault on the US Capitol Building in January 2021. This makes it eminently suitable for darknet and other digital crime research which uses a range of data covering for example drug dealing enforcement to cross-border ransomware activity. The offender themselves is less central to this theory and it therefore means we might miss significant demographic attributes such as sex, or assume they are irrelevant or not present. Sex is critical to many crimes, particularly those involving sexual predation. It does not  account for effervescence, feedback loops and the seductions of crime which may make digital offending more attractive in itself (Goldsmith and Wall, 2019; Katz, 1988). On the counterfeit currency thread it was questionable how profitable the activity really was, given the likely costs. One motive some users had was a political one, getting something for nothing and engaging in the thrill of purchase using counterfeit notes. These elements are likely to keep criminals involved and looking for opportunities even as some are closed off.


Crime Script Analysis can be used effectively with a large volume of qualitative data scraped from the Tor darknet. I used it to derive two distinct scripts for different criminal actor types. Further data would have allowed for further scripts to be developed, for example, coving the notes producer, or the supporting characters who guided others through their own scripts.

Author: Angus Bancroft

I'm a lecturer at the University of Edinburgh department of Sociology, studying illicit drug use, illicit markets and various shades of cyber crime. Email angus.bancroft@ed.ac.uk Tweet @angusbancroft

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.