Just a few short months ago, the Russian-language cybercriminal scene was rocked by the news of an arbitration case involving a trusted member of the community and one of the most notorious ransomware groups around. This case revolved around the actions of a trusted forum guarantor and got us thinking about the whole system of escrow in place on cybercriminal forums representing various language communities and the strengths and weaknesses of the arrangement as a whole.

A quick stop for a couple of definitions here: 

Arbitration is a formalized system in operation on many Russian-language platforms in which a forum member who feels they have been wronged in some way during a transaction can bring a claim against the other party in the deal. A senior member of the forum team will hear both sides’ versions of events and collect evidence from both plaintiff and defendant (usually in the form of conversation logs from private messaging services). Other forum members often chip in with their own opinions or perhaps experiences of working with one of the parties. The senior forum member takes all of this into consideration to decide on the case and may demand reimbursement of funds, order compensation to be paid, or mark one of the users a “scammer” and ban them from the forum.

Wikipedia defines escrow as “a contractual arrangement in which a third party (the stakeholder or escrow agent) receives and disburses money or property for the primary transacting parties.” The term is best known in the United States in the context of real estate purchases. On cybercriminal forums, it describes an arrangement where, after a deal has been agreed upon, the buyer sends their funds through to a neutral third party known as a “guarantor.” Only after the buyer has confirmed that the goods or services they receive from the seller meet their expectations or the deal’s agreed conditions will the guarantor release the money to the seller.  Sometimes the guarantor takes a percentage cut of the funds as “payment” for services rendered. The system is designed to reduce buyers’ and sellers’ chances of falling victim to a scam and ensure that everyone gets what they were expecting. Many vendors on cybercriminal platforms will only transact via an escrow service; a refusal to do so is a tell-tale sign that there might be something amiss with that vendor’s offering. 

Complications of the escrow system 

Russian-language cybercriminal forums

Escrow systems are extremely commonplace on Russian-language cybercriminal forums. Most platforms offer an official escrow service for their members, with a senior member of the forum team designated as the trusted guarantor. Let’s take Exploit and XSS as specific examples. 

Exploit escrow service announcement
Exploit escrow service announcement

On both sites, the buyer and seller must fill out an escrow form and contact the forum’s guarantor via the Jabber messaging service, following which the buyer sends money to the guarantor, the seller transfers the goods to the buyer, and the satisfied buyer authorizes the guarantor to release the funds to the vendor. These escrow services charge a 3-10% commission, depending on several factors. The transaction amount, the potential risks, and the type of goods involved can all increase the cut obtained by the escrow service. This commission is payable regardless of the outcome of the transaction. Exploit recently created a new official guarantor account for the forum with its own official Jabber ID. The forum is considered financially responsible for transactions made via this guarantor. On XSS, the administrator fulfills the role.

XSS escrow
XSS escrow service announcement

English-language cybercriminal forums

English-language cybercriminal forums are far less likely than their Russian-language counterparts to feature formalized escrow systems. Vendors and buyers are often dependent on other forum members, preferably highly ranked members who are willing to take on ad-hoc requests to act as a guarantor.  Torum is one notable exception whose escrow model appears to emulate the Russian system. From September 2019, the platform had three fully verified users who acted as the official forum guarantors overseeing the escrow process: “Terminal,” “Chargen19”, and “TheAngryDwarf.” However, this cohort was reduced to one when the escrow services provided by Chargen19 and Terminal were closed in September 2019 and February 2020 respectively. Torum’s last remaining escrow moderator, TheAngryDwarf, currently takes a 2% commission fee for the transaction and accepts transactions in both Bitcoin and Monero

Torum’s escrow
Torum’s escrow moderators

Although forum administrators do not usually provide escrow services on English-language sites, they typically advise that transacting parties use a guarantor in their deals. For example, in arbitration cases, we have observed several instances in which forum administrators called out the buyer who  filed a scam report against a vendor for not doing their due diligence before making a purchase. As such, escrow schemes appear to have become much more common overall, but their use is far from widespread in the English-language cybercriminal community.

Current Torum escrow moderator - snippet of escrow transaction guidelines
Current Torum escrow moderator – snippet of escrow transaction guidelines

German-language cybercriminal forums 

Taking a different language community as another example, escrow is commonplace on German-language cybercriminal forums, where it is known as “Treuhand.” The classic Treuhand process typically follows a standard escrow model in which funds are held until both buyer and seller are satisfied with the deal’s conditions.

Some German-language forums have gone a step further and provide an escrow system called “Multisig.” Under this arrangement, both parties in a deal enter their public Bitcoin wallet keys. A multi-signature cryptocurrency wallet will then be generated, into which the buyer can deposit their funds. Once the transaction has been verified, the seller can then send the goods to the buyer, upon which the buyer confirms the quality of their purchase and the funds are released to the vendor. Release of funds in any direction requires two out of the three participants (buyer, seller, and guarantor) to agree to a payment being sent. This means the guarantor cannot steal the money for themselves. Additional safeguards such as this could add a greater sense of security if adopted on other escrow systems in, for example, the Russian- and English-language cybercriminal scenes. 

Crimenetwork escrow
Crimenetwork escrow form

The German-language cybercriminal forum Crimenetwork is an excellent example of a formalized escrow service, operating two distinct systems. Both arrangements charge a 5% commission fee and are automated through the use of a “dashboard”-style payment platform. Crimenetwork’s escrow systems only involve a forum guarantor (the forum administrator in this case) in the event of a dispute.

AD0 vs Sodinokibi

So what exactly prompted us to think about escrow systems in the first place? In mid-March 2020, a new arbitration thread appeared on the prestigious Russian-language cybercriminal forums Exploit and XSS to dispute the princely sum of $170,000. The plaintiff was the forum representative of the Sodinokibi (or REvil) ransomware group, who at that time was going by the usernames UNKN and Unknown on Exploit and XSS respectively (although Unknown recently changed their username to “ZeleniyHach” for unspecified reasons). The defendant was an individual known as “AD0”, who acted as a guarantor in the disputed escrow transaction.

UNKN/Unknown claimed that they had agreed to several deals for another forum member to carry out commissioned work and turned to AD0 to act as the guarantor in these transactions, which were worth $170,000. UNKN/Unknown said they transferred their payment for these commissions to AD0, but the seller never received the funds. When both parties questioned AD0, they were told that the funds were “locked up” but that the situation would soon be sorted out. When the money didn’t appear after one week, the transaction for the commissioned work broke down, so UNKN/Unknown asked AD0 to return their funds… which they reportedly failed to do. UNKN/Unknown alleged that AD0 had used the escrow funds to speculate on the cryptocurrency market, hoping to profit from changes in the dollar exchange rate. For their part, AD0 responded, “I do not deny [the] claim, this is my problem,” although they later posted lists of Bitcoin exchange rates to show that they could not have made a profit from invested funds.

UNKN’s arbitration thread on Exploit
UNKN’s arbitration thread on Exploit

UNKN/Unknown’s arbitration claim requested that AD0 be barred from acting as a guarantor on Exploit, XSS, and Zloy (another Russian-language forum) and asked for an exact deadline to be set by which AD0 should pay back the entire disputed amount. If AD0 failed to return the funds, UNKN/Unknown demanded that AD0 be banned from the forums and branded a “scammer.” They even requested that Zloy forum accept full financial responsibility for the claim in the event of non-payment because AD0 was the official guarantor on this site.

Following this claim’s instigation, both the Exploit and XSS administrators posted on the arbitration threads explaining that AD0 was suspended from the forums. AD0 had agreed to repay the debt over three months and would remain banned from the sites until the money had been refunded in full, although the situation would be reviewed every month.

The case unfolds… 

Over the next three months, AD0 repaid the disputed funds in installments, despite UNKN/Unknown’s frequent exhortations that they should pay back the money in one lump sum as it was clearly available to them (AD0 maintained there was no point in doing so as their punishment—suspension from the forum—could not get any worse). Other forum users on both Exploit and XSS regularly commented on the arbitration threads to discuss the repayment plan’s progress, expressing mixed views that supported both parties.

By mid-June 2020, UNKN/Unknown posted on both Exploit and XSS to say that the debt had been repaid in full and that they had no further claims against the defendant. The Exploit forum administrator welcomed the repayment of the debt but bemoaned AD0’s “inappropriate” behavior, noting they had abused their “serious reputational powers,” putting two forums at risk and undermining trust in the forum administration teams. The administrator explained that due to this loss of trust, AD0’s status would not be changed, and they would remain banned from Exploit. They added that it would be at the discretion of each individual whether to work further with AD0 or not and that the forum would no longer take responsibility for transactions with them. The administrator’s decision caused much discussion among Exploit members, who expressed divergent opinions about the permanent ban.

 AD0’s
Announcement of AD0’s continued ban on Exploit

By contrast, the administrator of XSS forum had overturned AD0’s ban in May 2020 after AD0 had repaid $45,000 of their debt. Explaining their decision to allow AD0 to continue to operate on XSS when they had been banned from Exploit, the administrator said that the arbitration case had been decided “as publicly and transparently as possible,” meaning that forum members would be able to draw their own conclusions.

Complications of the escrow system 

While the advantages of using a guarantor are clear, the arrangement isn’t without problems. The most apparent disadvantage of the escrow system is the risk that the trust given to the guarantor is misplaced. The case with AD0 highlighted this major weakness of the system–that even if transacting parties do their homework and choose a guarantor with a stellar reputation, at some point, they have to take a leap into the unknown and trust this third party. What made the AD0 arbitration claim so shocking was that AD0 had spent years building up their credibility as a trusted guarantor, to the point where their alias was used almost as a byword for the entire escrow system. The case shook many in the Russian-language underground, destroying long-held beliefs about the stability of the system. 

The escrow system has other shortcomings too:

  • For sellers, one major drawback of offering to transact via an escrow service is losing money via the commission charged. It is not uncommon for official escrow services to charge up to 10% on transactions, which really begins to eat into profits. 
  • For forums that designate a user as their site’s guarantor service or offer an official system, one potential danger is that the forum must then assume financial responsibility for the actions of the guarantor. Should this individual fail to fulfill their obligations, the forum could be culpable. 
  • Individuals providing escrow services are not always available. Buyers and sellers who want to conduct urgent transactions must go through a lengthy process of contacting the guarantor, filling out the appropriate forms, and waiting for that individual to come online and find the time to oversee the transaction. In fact, this is one reason why many forum administrators appoint other users as guarantors rather than fulfilling the role themselves, despite the risks: Administrators have too much other forum-related work to do. It’s easy to see why it might be tempting to bypass all this waiting and paperwork and conduct deals without a guarantor’s safety net. 
  • Placing the responsibility for escrow services on a nominally independent third party means that the success of transactions may depend upon the whims or situation of the guarantor. A forum escrow representative may relish the reputation and kudos bestowed upon them for being an official guarantor but may find that greed or a change in personal circumstances could compel them to give in to the temptation to misuse transacting parties’ escrow funds.
MarketMS
MarketMS transaction options

Some platforms have tried to address the disadvantages of the current escrow arrangement by introducing automated systems. The now-defunct cybercriminal marketplace MarketMS, for example, permitted buyers to challenge the quality of the goods they received and obtain refunds. Funds were not credited to the vendor until 72 hours had elapsed after the purchase, in which time a buyer could open an arbitration case or choose to complete the transaction. If a seller decided to transact via this type of deal, this was supposed to instill confidence in the buyer.

Verified, another Russian-language cybercriminal forum, has been making gradual changes to its escrow system for many years now, introducing more elements of automation. In March 2018, for example, the site introduced the following changes: 

  • Users could now summon an arbitrator with just one click in the case of disputes
  • Users could now start the refund process with only one click if one of the parties in a transaction disappeared
  • Buyers could now confirm transactions by pressing one button, rather than going through a back-and-forth conversation
  • Users would now be able to see how much money the transaction’s guarantor had received 
Escrow System
Verified escrow system

However, many cybercriminals feel uncomfortable with fully automated escrow services and only choose to use such schemes for lower-value transactions. Many threat actors value having the input of a third party in a transaction if any issues arise, rather than relying on crude automation. What’s more, these systems aren’t without risk themselves: Many marketplaces offer versions of automated escrow systems or hold funds before releasing them to the transacting parties. Yet there is no guarantee that the administrator of that marketplace–who has access to all funds deposited in the site–will not perform an exit scam and make off with members’ cash. 

Conclusions

Despite the drawbacks of the escrow system, the apparent lack of a perfect arrangement that would mitigate the potential shortcomings means that cybercriminal forums are unlikely to abandon the scheme soon.

Indeed, some sites are doubling down on the use of escrow. Verified forum, for instance, had always fiercely protected access to its content, with membership on the platform only available to those who paid a hefty sum. However, towards the end of 2019, the site introduced a free, highly-restricted version of membership designed solely to enable individuals to use the forum’s escrow service. As the forum said: “Now the excuse that a person does not have an account on Verified and therefore will not transact through the guarantor will not work.” Free registration would provide a highly limited version of the site, and such members would not be able to see any sections other than the “Automatic Escrow” and “Black List” sections. 

By January 2020, the forum support account reported positive results stemming from these changes and the gradual automation of the site’s escrow service. They announced that transactions using this service had increased, with deals of $50-300 “finally” appearing in large numbers–meaning the escrow service was becoming an “everyday tool” for users to quickly and safely conduct a transaction. By March 2020, the forum reported  “50 active deals in the escrow service”. 

It might be that more forums choose to follow the German model. The English-language marketplace “Versus” has adopted an exclusively “multisig” system and has published guides for its members on how to use it. However, it is much easier to trial a new arrangement on a platform with hundreds of users as opposed to thousands, which might preclude escrow experimentation for the big players like Exploit. 

In its myriad forms, the imperfect solution of escrow on cybercriminal forums looks here to stay–albeit with a few tweaks here and there–for the foreseeable future.

<