According to the National Hi-Tech Crime Unit, growing numbers of hackers are finding increasingly sophisticated ways to make money out of vulnerable computer systems.
First it was distributed denial-of-service (DDoS) attacks against online bookies, mounted as part of extortion campaigns. The bookies would be knocked off the internet for a time and then threatened with further attacks at regular intervals - especially before important football matches or big races - unless they paid "protection money".
I first saw these attacks several years ago in Hong Kong, was briefed by the NHTCU on the events and then watched in amazement as the "cyber-detectives" managed not only to track the criminals, but to arrest and prosecute them.
Now, though, the criminals have apparently shifted their attention elsewhere. They are targeting other organisations - hacking into systems and launching DDoS attacks, before making demands. No major business in our modern world is proof against attacks such as these; the more we use the internet the more we come to rely upon it and the greater our vulnerabilities. And criminals are good at exploiting vulnerabilities.
DDoS attacks are very effective for attacking computers. Using possibly hundreds of zombie systems, scattered throughout the internet, they make it all but impossible to identify the original source of the attack. One single hacker can work from anywhere - even a hijacked wireless LAN connection - to mount the attack; and with a wide range of more powerful systems under their control, they can do their work with only a small laptop. The hijacked LAN might not retain any records; the zombie systems might not contain records - and with some forms of DDoS there might not even be a trace back to those zombies. From the criminal's perspective, it is a perfect crime, safe from observation.
But the NHTCU has shown that these criminals are not entirely untraceable and can be caught and prosecuted. How? Well, by good old-fashioned police work. The internet connection might be hard to trace, but if the criminals wish to profit from the attack they need some way of obtaining the money - and as in all ransom or extortion demands, it's in the payment, the collection and the disposal of the money that the criminal is at their most vulnerable.
The NHTCU caught the eastern European extortionists not by following their IP trail, but by following the money - tracking the flow of currency from account to account in a painstaking exercise using the most methodical of detective skills. And when the detectives caught up with the money, they caught up with the criminals.
So, the moral of the story is: to be a master criminal on the internet, you don't just need to understand the internet, hacking and TCP/IP masquerade; you must also know about money. So many hackers and crooks have been caught over the years because of their carelessness with cash - whether they were teenage hackers arousing suspicion by a sudden ownership of a top-of-the-range skateboard, or organised criminals. So if you want to succeed, study the finance issues as hard as the technical ones.