In June 2020, the administrator of the English-language cybercriminal carding forum Altenen announced a “big victory” for the site in terms of its website traffic rank statistics. The administrator posted several key metrics, sourced from a traffic information service called HypeStat, to show just how “popular” Altenen was and how well the forum was doing overall. The statistics included the number of unique daily visitors, traffic sources (whether visitors access the site directly, by search queries, by referrals on other websites, or via social media pages), daily revenue estimate, and daily earning by country. This announcement received positive feedback from forum members, with many posting congratulatory comments on the thread.
Website traffic statistics are nothing new — anyone can look up their favorite website’s metrics. What is interesting about this case, though, is that the Altenen administrator deliberately used these metrics to quantify Altenen’s existing popularity and encourage forum users to “spread the Altenen all around the world [sic]” to grow the platform further. This is the first instance we have observed in which a forum staff member has deliberately posted the forum’s traffic rank statistics for promotional purposes.
This apparent reliance on site statistics to demonstrate Altenen’s popularity might indicate a degree of desperation from the forum administrator. Forums gain credibility and popularity by appearing attractive (e.g. by offering high-quality content and attracting highly skilled threat actors), not by highlighting subjective statistics such as website traffic rank. Website traffic numbers and forum statistics can be manipulated and therefore are not accurate indications of genuine popularity. And suppose the forums get caught manipulating these numbers. In that case, things can turn sour quickly, just like when BitBazaar market allegedly attempted to falsify their subscriber numbers and got banned from Dread, a Reddit-style cybercriminal forum.
The Altenen case got us thinking about how some less-prolific forums may use similarly deceptive tactics to increase visitor traffic and fight for scraps. In contrast, the more prolific, already-established forums would not be dependent on this. With this in mind, what can website traffic statistics tell us about cybercriminal forums? We’ve used the same source as Altenen’s administrator, HypeStat, to gather some key statistics for several English-, German-, and Russian-language forums. While there are many data points we could have included, we have limited ourselves to metrics focusing on Alexa rank history, unique daily visitors, visiting countries, traffic sources, and daily revenue estimates. We wanted to see whether the statistics align with our pre-existing perceptions of these sites, whether they show any trends we were previously unaware of, and find out what the numbers alone can’t show us.
Meet the forums
Altenen is a carding forum that initially started as an Arabic-language cybercriminal forum and morphed into an English-language carding-based platform in 2013. After several cyberattacks, Altenen went offline in either late 2016 or early 2017, before the forum administrator resurrected the site in June 2018. Since then, the platform appears to have attracted users from across the globe and has experienced a steady increase in forum membership, though it has been described as a scam site by multiple users within the cybercriminal community.
RaidForums is a popular English-language cybercriminal forum, created in March 2015, that features content relating to an array of cybercriminal topics, including general hacking activity, vulnerabilities, cracking methods and tools, cryptography, and breach datasets. RaidForums appears to have recently increased its profile within the cybercriminal community, with several prominent threat actors from other prolific platforms, such as Exploit, creating accounts on the forum.
Nulled is an English-language cybercriminal forum that first appeared in January 2015. The forum hosts content relating to various cybercrime topics, including penetration testing, coding and programming, reverse engineering, social engineering, and breach datasets. Since its creation, Nulled appears to have experienced a steady increase in users, and in April 2020, the forum administrator proclaimed that the forum had experienced significant COVID-19-related growth in membership.
Cracked TO is an English-language cybercriminal forum created in May 2015, and while unconfirmed, Cracked TO may have some connection or degree of collaboration with Nulled’s administration team. Cracked TO, like Nulled, purportedly experienced significant COVID-19-related growth in membership around April and May 2020. Cracked TO also hosts similar content to Nulled.
Cracking King is an English-language cybercriminal forum and created in September 2014. The forum hosts content mostly relating to breach datasets, cracking tools and tutorials, and configurations. Cracking King appears to have been highly active in its first few years, but its activity has decreased over the past two years.
Crimenetwork is a German-language cybercriminal forum hosting content related to an array of cybercriminal activity, including counterfeit documents, accounts, drugs, carding, malware, exploits, and social engineering. Security researchers named Crimenetwork as one of the top five German-language forums back in 2015, and it is the only forum out of that five that remains active. However, the forum administrator has been missing since around June 2019, and forum moderators have had to take charge of the forum during the administrator’s absence.
Exploit has been a stalwart of the Russian-language cybercriminal underground scene since 2005. It is widely regarded as one of the most prominent Russian-language cybercriminal forums and sees users trading a wide range of high-value goods and services. The forum has sections for malware, network access sales, exploits, hacking, social engineering, cryptocurrency, spam, and social media.
XSS is a recent rebranding of the previously long-standing Russian-language cybercriminal forum DamageLab, which was one of the first Russian-language cybercriminal forums to be established. DamageLab, in its original incarnation, was closed when its administrator had a run-in with law enforcement. Now run by a former Exploit administrator, XSS is well regarded within the cybercriminal scene and features discussions and commercial activity in several fields, including malware, spam, exploits, vulnerabilities, carding, access sales, and credential databases.
Website traffic statistics
|Platform||Altenen||RaidForums||Nulled||Cracked TO||Cracking King||Crimenetwork||Exploit||XXS|
|Current Alexa Ranking||27,025||27,063||8,282||10,905||261,124||3,107,635||97,919||150,609|
|Difference in Alexa ranking in last 90 days||+ 157,836||– 613||+ 4631||– 50||– 104,628||Alexa does not have a graph displaying Crimenetwork’s traffic rank over the past 90 days. An older graph shows that the forum’s ranking dropped more than 600,000 places between July and December 2019.||+ 10,403||+ 7041|
|Countries (Highest to lowest)||Egypt, Algeria, Morocco, the United States, India, Tunisia, Albania, Turkey, Bangladesh, Viet Nnam, Jordan, and Palestinian Territory.||United States, Australia, India, Indonesia, Turkey, Sri Lanka, Egypt, Russian, Iran, Vietnam, Morocco, Tunisia, Algeria, and Ukraine||United States, India, Egypt, Canada, Algeria, Brazil, Turkey, Morocco, Chile, Pakistan, Tunisia, Israel, Indonesia, Russia, Vietnam, and the United Arab Emirates||United States, India, Algeria, Egypt, Morocco, Turkey, Denmark, Pakistan, Canada, Israel, Saudi Arabia, Mexico, Tunisia, Bangladesh, Sri Lanka, Iran, Vietnam, Indonesia, Australia, Hong Kong, Colombia, Peru, and Russia.||United States, India, Italy, the United Kingdom, Mexico, Brazil, Germany, Qatar. France, Canada, Spain, Egypt, Greece, Netherlands, Iran, Turkey, Morocco, Argentina, Pakistan, Australia, Taiwan, Saudi Arabia, Sweden, United Arab Emirates, Romania, Tunisia, Serbia, Philippines, Algeria, Singapore, Bosnia and Herzegovina, Russia, and Poland.||Germany||Russia, Germany, United States, Netherlands, Sweden, United Kingdom, Canada, France, Spain, Italy, Ukraine, Poland, Switzerland, Latvia, Belarus, India, Indonesia, and Kazakhstan.||Russia, Luxembourg, Poland, Germany, Azerbaijan, Ukraine, and Belarus|
|Average site duration (Minutes)||22.02||07.00||09.50||08.53||No data available.||22.01||07.52||06.37|
|Traffic sources||Direct (69,68%), Search (21.08%), Social (5.46%) referral (2.46%)||Direct (52,48%), Search (39,40%), Social (3,69%), Referral (1,65%), Paid (0.01%)||Direct (56,56%), Search (34,19%), Social (3.35%). Referral (0.75%), Paid (0.03)||Direct (47,70%), Search (45,47%), Social (3,13%), Referral (0,56%), Paid (0,04%)||No data available.||Direct (78,56%), Search (14,29%), Referral (7,15%)||No data available.||No data available.|
|Daily revenue (USD)||1,601.31||2,678.69||5,909.99||4,031||8,100||4.84||2,635||N4,437|
Table 1: Website traffic statistics of selected cybercriminal forums
How do the statistics align with our perceptions of the forums?
Increase in membership
The Alexa ranking of Altenen over the past 90 days shows that the forum appears to have experienced a significant increase in user traffic, as the administrator indicated when publishing the forum’s website traffic statistics. Nulled’s Alexa ranking over the past 90 days also shows that the site has experienced a slight upwards trend since May 2020, which appears to correlate with the site’s April 2020 announcement about membership growth. However, the statistics do not show that many of the site’s visitors may be automated bots used by the forum administration teams to manipulate visitor numbers and increase overall ranking. So while the statistics do seem to back up the claims made by these forum teams, we cannot be sure whether the Alexa rankings are legitimate. Altenen’s drastic increase in rank, in particular, seems almost too good to be true, as none of the other forums we regard as popular, such as RaidForums, have experienced a similar increase during the same period.
Languages used on forums
As expected, users of language-specific forums appear to originate from the regions where the respective languages are spoken: The statistics show that most of Crimenetwork’s visitors are from Germany, for example, while visitors of Exploit and XSS mainly originate from Russia. However, the numbers do not show whether these users accessed the sites using VPNs concealing their true origins. Forums such as Exploit and XXS have grown to become popular beyond their original borders; additional international visitors are likely to use VPNs to increase anonymity or bypass any regional restrictions these forums might have.
A few surprises
We expected to see RaidForums (rank 27,063) as the highest-ranked English-language forum on our list; RaidForums has proven to be a stable platform that has increased its popularity and overall activity over the past two months. Contrarily, Altenen (rank 27,025) has a similar rank to RaidForums, and both Nulled (rank 8,282) and Cracked TO (rank 10,905) significantly outrank both. Another surprising metric is the relatively low rankings of the Russian-language forums Exploit (rank 97,919) and XSS (rank 150,609) compared with the English-language forums. Both forums enjoy prominence within the English-language and Russian speaking cybercriminal community.
Possible distortion of rankings
Multiple factors may have affected the rankings, though. In addition to the possible use of automated bots by forum administrators, there is also a possibility that a site’s ease of connection can influence rankings. Freely roaming bots on the Internet attempt to connect to sites for various purposes, including indexing information and spam. This type of bot activity might cause a site’s ranking to increase if it is relatively easy to access, as is the case with some clear web forums. Several of the forums also have a .onion mirror domain that can only be accessed via Tor. Visitor numbers from .onion domains are not counted as part of website traffic statistics on Alexa. Therefore the actual number of visitors is not accurately represented in these Alexa rankings.
What new information can the numbers give us?
Average visit time
According to the statistics we collected, the average time spent on most forums tends to be less than 10 minutes. The exceptions to this are Altenen and Crimenetwork, where users spend, on average, 20 minutes perusing the site. This metric may reveal whether a forum has more guest users merely browsing the forum for a couple of minutes or more committed users who spend more time on the site. However, intricacies of specific forums show that we should treat these metrics with a grain of salt. For instance, users on Exploit only spend an average of 07:52 minutes on the forum, according to the statistics. Yet, because Exploit is a fully gated forum, none of these visitors are random guest users.
While visitor geography can be distorted by using tools such as VPNs, the list of visitor countries still gives a good indication of the regions that visitors come from. The United States was the most popular country for visitors overall, not just on English-language forums; US visitors rank highly on Exploit and XXS. The only exception amongst the English-language forums is Altenen. Most Altenen visitors come from Egypt, Algeria, and Morocco, most likely due to Altenen’s origins as an Arabic-language forum. The relatively high presence of visitors from several Middle Eastern and Asian countries on English-language forums may also indicate a shortage of suitable Arabic- and Asian-language platforms, necessitating Arabic and Asian-language speakers to seek out international platforms instead.
Lastly, what can the numbers not tell us?
First of all, the statistics we collected give no indications as to a forum’s content (a niche focus, naturally leading to a more selective membership and visitor numbers, or more generic, with wider appeal) or quality (highly skilled threat actors invited to join the site after proving their skills versus inexperienced “script kiddies).
Secondly, advertisement revenue estimates do not show a forum’s actual economy. These sites can also earn money by requiring users to pay to register or upgrade their accounts to gain VIP access and charge commission on escrow services during transactions.
Thirdly, the statistics provide no reasons for the fluctuations in the Alexa rankings over time. Such changes could be regular, “seasonal” variations or down to the ongoing COVID-19 pandemic (as claimed by Nulled and Cracked TO). Similarly, Crimenetwork’s Alexa ranking doesn’t indicate that its significant rank drop in June 2019 is due to its administrator’s concurrent disappearance.
The limitations of these figures highlight the importance of having the human in the loop — an analyst observing these cybercriminal forums’ behavior over time. Without sufficient context, the statistics could potentially provide a distorted image of the cybercriminal community. It seems that Alexa does not yet have the answer to everything.