Dutch study finds teen cybercrime is mostly just a phase

December 1, 2025 TH Author

Young threat actors may be rebels without a cause. These cybercriminals typically grow out of their offending ways by the time they turn 20, according to data published by the Dutch government.

In a report examining the social cost of adolescent crime, the Dutch House of Representatives cited various research papers to show that teenagers tend to explore their criminal tendencies at similar ages, regardless of the type of crime.

The report stated that cybercriminals tend to develop their skills at an early age – no shocks there – and do so through “hacking games.” The number of teenage cyber offenders is similar to those involved in weapons or drug offenses; together they are the three least common offense types for adolescents. Property offenses such as theft were the most common.

Young cybercriminals reach peak criminality at around age 20, although this tends to fluctuate by a few years, depending on the decade. For example, between 2010-2012 and 2018-2021, the peak age floated between 17 and 19, but, in between, it remained at 20.

Research also shows that these peak ages broadly apply to all crimes, cyber or otherwise.

In 2013, one study of 323 cybercriminals found that 76 percent of offenders reached peak offending at age 20, before veering away from the trade gradually in the following years.

Only around four percent of those who embark on an early black hat career maintain a high likelihood of continuing that into ages well beyond the 20 mark.

In 2016, researcher Alice Hutchings published a study positing that those who continue their criminality do so because they stay curious about technology and keep building their skillset, which opens up different opportunities to test those skills in criminal settings, rather than extrinsic factors such as money.

Granted, this was nearly 10 years ago, and while ransomware certainly existed at the time, its status as an appealing business model was nowhere near as great as it came to be in the following years.

The age of the research cited by the Dutch government is emblematic of cybercrime as a phenomenon. The report acknowledged that compared to more traditional types of crime, the longitudinal research looking into cyber just isn’t there, and what does exist is at risk of becoming quickly outdated.

Overall, the social cost of adolescent crime in the Netherlands stands at €10.3 billion ($11.9 billion) per year, the majority of which is shouldered by victims either through medical bills or other quality of life losses. The other costs are borne by the government, through things like resources spent on the police, prison system, and courts.

The lack of longitudinal data also means that the specific social cost of cybercrime annually was not calculated in the same way as others were.

For example, the report stated that the social costs related to murder and manslaughter – the costliest crimes – were around €2.25 million ($2.6 million) per crime per year.

On the other end of the scale, property crimes such as theft typically incur lower per-crime costs for the government, but given the high volume of offenses, they are the costliest of any category at €1.58 billion ($1.8 billion) annually.

Although the Dutch report did not count the social cost of cybercrime specifically, given the substantial international policing resources spent tracking specific offenders and investigating incidents, we can reasonably assume that its impact on the economy is considerable.

A recent study commissioned by the UK government into the economic impact of cybercrime concluded that, with an estimated frequency of three attacks per year, the cost of a single attack on a major hospital stands at £11.14 million ($14.7 million) per year.

That figure alone places cybercrime costs above those related to all traffic offenses and sexual offenses committed in the Netherlands for the entire year, and that does not account for attacks on other critical infrastructure such as manufacturing or utilities providers, or other types of entity.

Various branches of the Dutch government have previously been reluctant to put a numerical cost on cybercrime due to the myriad unquantifiable impacts of offenses. It is often difficult to price up the impact of intellectual property theft for organizations or the psychological toll on individuals, for example.

A Deloitte report commissioned by the Netherlands in 2016 pegged the total cost for organizations at €10 billion per year, and while not all of it will be attributable to Dutch cybercriminals, it is a near-identical figure to the total cost of all adolescent crime in the country. ®