There’s a new kid on the block, and their name is Dark Web Forums (DWF). Have they come to stay? Only time will tell. Forums come and go at a rapid pace in the English-language cybercriminal scene, and initially, DWF does not appear to be a unique case. With DWF being less than one year old, it doesn’t have a high level of activity or much content just yet. Like many newcomers on the scene, it has faced the typical struggles of a newly created forum, including stiff competition, shifting ownership, and difficulty attracting new members.
However, there appears to be a possible connection between DWF and an old forum friend of ours: the English-language carding forum Altenen. This unique connection might enable DWF to set itself aside from its competitors and will be explored further in this blog. But first, let’s examine DWF’s first seven months, as they provide valuable insight into the early stages in a forum’s lifecycle.
DWF is an English-language cybercriminal forum that was launched on the 30th of Jan 2020. DWF initially started out as a small carding-based forum, but in March 2020, the forum added two new sections: “Hacking & Cracking Zone” and “Making Money & Cryptocurrency.” The site’s content currently spans an array of topics, including carding, cryptocurrency, hacking, “dark web” discussions, cracking tools, and offers of databases and accounts.
In our blog on the forum Torigon’s demise, we talked about the struggles new forums can have in getting off the ground. DWF seems to be facing the same difficulties.
As a newcomer on the English-language cybercriminal scene, DWF has faced fierce competition from the get-go from more veteran English-language forums offering similar content, such as RaidForums, Cracking King, Nulled, and Cracked TO. Its vague stated aim of being a forum “dedicated to making money on the Internet, various earning schemes, IT issues and much more” applies to almost any given cybercriminal forum, and has likely not helped DWF stand out amongst more prolific forums.
DWF has only accumulated 2,497 members to date—a relatively low number for a platform that has been active for seven months. As a result, the site isn’t particularly busy and only has 846 threads. Some forum sections contain few or no threads at all.
The most active section on DWF is the Carding Zone, which includes subforums relating to credit cards and database dumps, cardable websites, tools, and general discussion on carding activity and methods. The section’s “free fresh credit cards and database dump” subforum appears to be especially popular amongst its members, with over 220 threads mainly offering various credit card dumps–both mixed and from specific regions–and different streaming and food delivery accounts. Some of the forum’s staff members appear to be particularly active in this section and have created a high proportion of its threads.
Although not as active, other areas of the forum still provide useful insight into DWF’s community and what type of information its members require. The following sections are particularly noteworthy:
Despite its low post count and membership numbers, there have been some interesting developments on DWF during its seven months of existence.
DWF does not appear to have a dedicated list of its staff members and their associated roles. However, forum administrators have a “Verified Members” mark in their profile banner, while moderators are marked with a “Super Moderator Title,” making both staff roles easy to spot.
DWF’s hierarchy appears to have changed over the course of its first two months. The platform’s administrator “Professor” was the first forum staff member to post on the site, sharing a “welcome” post on 30 Jan 2020. This indicated that they were likely the most senior forum staff member at the time. Since then, forum user “t0r” appears to have taken over as the most senior forum staff member after joining the site on 29 Feb 2020.
The forum ownership question is vague as none of the forum staff have specifically been marked as the forum owner. The closest we get is t0r, who uses the title “forum founder” and essentially acts as a dedicated forum owner (though the ownership has not been officially confirmed). They provide regular updates on DWF’s development, and on one occasion, they also warned users against potential scammers impersonating the forum’s verified sellers on Telegram. t0r does not appear to be a native English-speaker as there are frequent grammar and spelling mistakes in their posts.
New users on DWF must have their accounts verified by the forum team before they can fully access the forum or view the actual contents of threads. Additionally, if users want to purchase one of the two available upgrades, VIP or “Verified Seller,” they must contact one of the forum administrators directly on Telegram to have their purchase confirmed and their upgraded account activated.
Although it is not uncommon for forum staff to ask users to contact them directly when purchasing an upgrade, this usually happens on a site’s own internal messaging system. This is the first instance we have observed in both the English- and Russian-language cybercriminal scenes in which members are asked to contact the forum staff on Telegram. The underground community–particularly on Russian-language cybercriminal forums–has frequently criticized Telegram for not being secure and anonymous enough compared to other instant messaging services such as Discord, Wickr, and Jabber. So far, no users on DWF have commented on or questioned the forum’s use of Telegram.
DWF appears to have struggled with attracting new users since its creation. This is often the case with brand new forums, especially in the English-language scene with its ferocious competition and frequent migration of users from one platform to another. As early as March 2020, a user stated DWF had already become “dead” and “boring” and said users should share more knowledge and skills to make the forum lively again.
In an update posted on 01 Apr 2020, t0r called on experienced users to suggest ways to gain more members. In response, users suggested anything from paying for low-cost advertisements to making highly ranked vendors “mention” the forum on their other platforms.
DWF displays several advertisements linking to other platforms, indicating that other sites have paid DWF for advertisement space. However, we have not yet been able to detect any platforms advertising DWF…
DWF could initially only be accessed via Tor, but on 08 Apr 2020, t0r announced that they had launched a new clear web version of the forum. The launch means that users can access the site using their preferred, standard web browsers. It is possible that creating a clear web version of the forum, albeit less anonymous, allows for easier access, thereby enticing more users to join the forum. In doing so, DWF joins several of its competitors in offering a clear web version of the site, such as RaidForums, Nulled, and Cracked TO. It is important to note, though, that none of these forums can be accessed via Tor, and they have been easy to access since their creation, likely ensuring their steady increase in forum members over time. Since introducing the clear web version, there has been no mention on DWF that they have experienced a growth in members, and traffic rank sites, like Alexa, do not currently display any visitor data for DWF.
One of the most interesting aspects of DWF is a possible link between DWF and the English-language cybercriminal forum Altenen (also known as Alboraaq).
Altenen initially started out as an Arabic-language cybercriminal forum with a user base stemming from Arabic-speaking countries. Later, Altenen changed its premise and became an English-language carding-based forum. WHOIS records suggest that the first English-language version of Altenen was created on 13 Jun 2013. Altenen appears to have experienced several attacks since its inception. It allegedly had its database leaked in 2014, and in either late 2016 or 2017 (specific date unknown), the forum went offline for a significant period. In June 2018, Altenen’s administrator, “T3eS,” resurrected the site. Since its “reinvention,” the platform appears to have attracted users from across the globe and has experienced a steady increase in forum membership.
Back to the connection with DWF. Yes, both focused on carding before branching out into other topics. Yet there are other, more striking, similarities and direct connections between Altenen and DWF that suggest there might be a strong link between the two.
The description of DWF’s “free fresh cards and Database Dumps” subforum contains mentions of Altenen/Alboraaq that indicate Altenen may be a source of carding-related items for DWF:
“Fresh Credit Cards, Fresh Fullz, Fresh Cardable websites, Fresh Carding methods, Altenen Cards, Altenen Carding, premium accounts netflix spotify etc, Alboraaq Carding.”
Both forums’ logos, though not identical, resemble each other as they both display a red, devil-like figure with horns. This type of imagery has not been observed on other English-language cybercriminal forums. Additionally, there are further links that appear to connect some of DWF’s staff directly to Altenen.
“[Forum name] is a forum dedicated to making money on the Internet, various earning schemes, IT issues and much more. This is a forum about making money on the Internet, Also we share knowledge about carding forum , malware modification, hacking, security, programming, cracking, among many other things. Also of tools related to the above. If you have interest and desire to learn do not hesitate to register and start being part of our community, if you are new we will help you in everything we can.”
As DWF is still in its start-up phase, it will be interesting to see whether the forum will manage to gain more traction in the foreseeable future. In our recent blogs on Torigon and Nulled, we mentioned the three key factors forums need to consider to ensure longevity: differentiation from the crowd, having a knowledgeable and driven administration team, and ensuring the platform remains available and accessible. Before meeting its demise, Torigon tried to partner with more established platforms like Envoy and Dread to counter its growth issues; DWF may be leaning on its connection to Altenen for the same reasons. However, like Torigon, DWF might still have difficulties attracting new members if it does not become more visible and its administration team does not proactively advertise it on other similar forums.
Although DWF appears to have a dedicated team of administrators and moderators, who not only moderate the forum but also actively contribute to the various forum sections with their own content, DWF would still need to work towards building up its community and position itself among its competitors, while protecting itself from any possible attacks. It will also be interesting to see whether the apparent collaboration with Altenen will increase and turn into the sort of relationship we have observed between Nulled and Cracked TO. These sites have recently experienced strikingly similar developments in both growth in forum membership and hiring of new staff.
If you’re interested in dark web monitoring, Digital Shadows (now ReliaQuest) SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) monitors across sources where criminals are active, no matter whether that is on the open, deep, or dark web. This includes continually monitoring and indexing hundreds of millions of dark web pages, pastes, criminal forums, Telegram, IRC, and I2P pages. If you’d like to see your organization’s exposure on the dark web, you can sign up for a demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) (GreyMatter DRP) here.