Competitions on Russian-language cybercriminal forums: Sharing expertise or threat actor showboating?January 30, 2020
You might be feeling the pinch at this time of year… The financial demands of Christmas have taken their toll and that expensive new gym membership is burning a hole in your wallet. Winning a competition with a healthy prize fund could be just the cash injection you need to get your finances back on track.
Things are no different in the cybercriminal underground. The Russian-language cybercriminal forum XSS recently announced its third forum-wide competition, offering members the chance to win a share of $15,000 in return for writing an article on a set list of topics. In fact, competitions have been a feature of the Russian-language cybercriminal scene practically since the advent of cybercriminal forums (for more on the dynamics of cybercriminal forums, check out our recent report, The Modern Cybercriminal Forum).
The History of Cybercriminal Forum Competition: Humble beginnings
Tracing the history of the forum competition back to the early days of one prominent Russian-language cybercriminal forum, Exploit, reveals that the format, value, and scope of forum competitions have changed considerably since Exploit’s launch in 2005.
Early competitions seem almost innocent in nature compared with the serious events that forums organize nowadays. These first competitions often aimed to foster a sense of community on the forum. In February 2007, for example, Exploit members were invited to participate in a quiz featuring questions about the history of the forum. Questions included “What was the forum’s first domain?”
February 2007 competition to celebrate Exploit’s birthday
Today’s competitions usually require demonstrable skill and technical knowledge, with participants often required to submit original articles containing videos or source code. In contrast, back in January 2008 Exploit ran a competition in which the user with the longest tenure on the forum to post in a specific thread would win $25. In October 2007 members were offered the chance to guess how many registered members the forum had on a specific date.
These early competitions also prized creativity. In December 2010 Exploit users were invited to design a graphic that best represented the Russian-language segment of the Internet (the “Runet”) to win an iPad, while a competition in November 2008 sought the best original desktop wallpaper. In March 2012 a competition offered a monetary prize to the user who submitted the best hand-drawn depiction of what Exploit represented.
Call for members to design a pictorial representation of Exploit
These early competitions are notable for their lack of specific aim and for their small scale. Early competitions appear to have been intended to inject a sense of fun and togetherness into Exploit at a time when the site was trying to build a community and attract new members. In terms of scale, while competitions now offer multi-thousand-dollar prize funds, these early examples show that competition winners back in the mid-2000s could expect to receive a much more modest sum. This situation is replicated on other high-profile Russian-language cybercriminal forums such as XSS.
The Evolution of Forum Competitions: First signs of change
The first mention of a forum competition as we now know it appeared on Exploit in October 2013. One user lamented the slipping standard of coding on the forum and suggested a competition to raise the collective skill level on the site. The user proposed that each competition participant should contribute $10 to a shared pot, with the eventual winner taking the entire pool. However, other forum members were far from enthusiastic about the idea, with some users pointing out that attempts to organize such contests on other cybercriminal forums had failed. The competition went ahead regardless, but the winners were never publicly announced.
One major difference between the early competitions and those of today—and something that seems to have been a contributing factor in the eventual success of the competition model—is the involvement of the forum administration team. While early competitions were organized by individual members, the competition model really took off when the forum administration teams got involved. In December 2015 the Exploit administrator organized a competition to find who could write the best article on “Using SI and NLP tools to install software on a user’s computer”. The victor would win $1,000, with $200 consolation prizes for second and third place. After that, the annual winter competition was born. Exploit’s December 2016 competition included a list of set topics on which users could pen an article, including “malware”, “phreaking” and “hacking”, in return for a $2,000 prize fund. Fast-forward to 2019 and the competition prize fund stood at $10,000, with rules stipulating a word count and content requirements.
Announcement of 2019 competition on Exploit
Forum Competitions Seen Across the Board
The competition development arc is similar on other Russian-language cybercriminal platforms, such as XSS. Since its relaunch as XSS, the former Damagelabs has organized three articles competitions, all with four- or five-figure prize funds. However, the phenomenon is not universal across the scene. The carding forum Verified, for example, last held an articles competition back in February 2010. In 2016 the Verified administrator organized a contest to design new forum buttons (although prizes consisted of VPN service accounts, rather than monetary payment). The Russian-language hacking forum Korovka has not organized an articles competition since 2012, while the carding forum Omerta has only seen a couple of small-scale competitions on the site, neither of which were organized by the administrator.
Competition to design forum buttons on Verified
Interestingly, what connects these forums without a strong tradition of competitions is their common lack of a strong sense of community. Users on successful forums such as Exploit and XSS strongly identify as members of those sites and see the value in participating not only for their own benefit but also for the good of the forum. After all, helping the development of the forum is one of the major drivers behind organizing competitions: Cybercriminal forums need to attract and retain members in order to survive, and being able to present a site as a valuable repository of articles discussing pertinent cybercriminal issues is a real draw. Articles competitions raise the level of collective expertise on the forum, thus increasing the site’s objective “value” as a hacking resource. Articles competitions may also encourage trading in the subjects discussed in the pieces, which in turn benefits the site via earned commission. Finally, fostering a sense of community is an important part of competitions that should not be overlooked: Forums with the strongest feelings of togetherness tend to be the most disciplined, which in turn leads to a better user experience for all involved.
Cybercriminal Forum Competitions: Latest developments
The latest development in forum competition organization may actually be a return to form. Way back in October 2005 the Exploit administrator initiated a thread calling for competition sponsors (i.e. users willing to put up the winners’ prize), indicating that sponsoring a competition would be a huge boost to a user’s reputation within the cybercriminal community. In fact, while the most successful competitions nowadays are generally organized by the forum administrators, in the early days of forum competitions, regular forum members would often organize small-scale competitions for personal gain. Forum users who needed a new avatar, for example, could hold a competition to get other forum members to design one in return for a small financial prize or a six-digit ICQ number (a prized commodity in the early days of the Russian-language cybercriminal underground). The arrangement was win-win: A skilled graphics designer could knock up an avatar with little personal effort and win a small prize in the process and the competition organizer would get the new profile picture that they lacked the skills to design themselves, along with a sense of increased standing in the forum community for having organized a mass event.
Following years of administrator-funded competitions, Russian-speaking cybercriminals now seem to be remembering the benefits of not-so-benevolently offering a competition prize fund. In December 2019 the XSS administrator announced a third annual forum articles competition. Accepted topics for original articles included (translated from Russian):
- “Searching for 0day and 1day vulnerabilities. Developing exploits for them
- APT attacks. Hacking LAN, elevating rights, hijacking domain controller, attack development
- Interesting combinations, algorithms. Writing your own crypto algorithms and hacking other people’s
- Innovative functionality, reviews, analysis of interesting algorithms that are used, development prospects
- Forensics. Digital forensics. Software, tricks, methods”
Announcement of third annual articles competition on XSS
The competition winner would win $5,000, with prizes decreasing by $1,000 each time for second through fifth place, totaling an overall prize fund of $15,000. At the end of the competition announcement, the administrator revealed that the competition had been sponsored and funded by the Sodinokibi (aka REvil) ransomware team, which has representatives on the forum. The most “suitable” competition finalist would also win the opportunity to “work with” the Sodinokibi team under “mutually beneficial conditions”. The forum community’s reaction to the competition announcement has been mixed. Some opined that the competition would help to raise the level of collective expertise on the forum. However, many users pointed out that the choice of topics was likely influenced by the forum sponsor. In late January 2020, the XSS admin posted that the competition had not received many entries. It is unclear whether this is due to the competition’s proximity to the previous contest (December 2019 and then January 2020) or forum members’ reluctance to take part in this sponsored event.
In theory, by sponsoring a competition in which forum users pen articles on topics related to ransomware, the Sodinokibi team can increase awareness of ransomware on the forum (thus potentially increasing their sales) and perhaps gain valuable intelligence they could use in their future malware development. If competition entries do increase for this event, it may be that in the coming months more cybercriminals will come to realize the advantageous cost-benefit calculation associated with organizing a forum competition and that similar competitions will become more frequent. It appears that, after a slow start, the forum competition in some form or another is here to stay.
Want to gain visibility into criminal and fraudulent activity impacting your brand on the deep and dark web? Learn how we help businesses with dark web monitoring.