Back in the late 1990s, when the first cybercriminal web forums emerged, few could have predicted that this model for communication and gathering would endure well into the new millennium.

The survival of the cybercriminal forum in the face of new, more secure technologies and constant pressure from law enforcement does not come as a surprise to researchers at Digital Shadows (now ReliaQuest). Collating extensive research and deep ‘lived’ insights into the cybercriminal underground, the myriad reasons why and how forums persist are outlined in our new paper, The Modern Cybercriminal Forum.

Our research findings cover some revealing insights:

  • Alternative Technologies: As new forums continue to appear and forum memberships increase, users have frequently expressed reluctance to move to other platforms for their communication and trading needs. They see drawbacks in alternative technologies, despite the purported security and efficiency they offer. Many threat actors have concerns about the security of alternative technologies, but continue to have faith in the anonymity and protection offered by trusted forums.
  • Pedigree: Many forums boast a long history and respected pedigree, which is hugely appealing to cybercriminals. The venerable forums tend to attract skilled threat actors and act as repositories of cybercriminal information.
  • Credibility: It can be difficult for threat actors to judge who they’re dealing with on a messaging app or Automated Vending Cart (AVC). But forum reputation systems and users’ post histories provide threat actors with valuable indications as to the credibility of other cybercriminals.
  • Arbitration and Escrow Systems: Forums’ arbitration and escrow systems ensure fair deals and consequences for failed transactions. It’s hard to deny the appeal of this feature when one cybercriminal wants to make a deal with another.
  • Advertising Platform: Not only do they offer a space to communicate and trade, forums also give users a valuable advertising space and opportunity to reach a wide userbase.
  • Community: The benefits of a supportive and knowledgeable community are valued by members of a forum, who give and receive advice, and learn from each other’s mistakes.

Introduction – A Background on Forums

Dating back to the early 1970s, web forums are among the earliest and most basic Internet communication technologies, and the concept of a forum goes back even further. The emergence of a carding forum called CarderPlanet in the first years of the millennium cemented an established model, one emulated by almost all future cybercriminal forums. Much the same as the forum of old, today cybercriminals still use forums to seek advice and discuss the latest techniques and developments. Vendors commonly offer items including:

  • access to internal systems
  • website accounts
  • databases
  • credentials
  • tools
  • malware
  • credit card details
  • cybercrime tutorials

Several communication and trading technologies have cropped up that offer improved efficiency, convenience, and security compared with the clunky thread-and-post model used by forums. There are messaging services and encrypted applications like Telegram, Wickr, and Discord, plus decentralized technologies like blockchain DNS, I2P, and BitTorrent. Automatic trading platforms, such as marketplaces and AVCs, have also taken root in the landscape.

Curious about the differences between AVCs, marketplaces, and forums?
Check out our deep dive blog here: Understanding the Different Cybercriminal Platforms

Alongside the emergence of those technologies, forums have proven a risky—and outdated—arena for threat actors. They’re frequently disrupted by security services in many jurisdictions, and they often vanish quietly. Many believe the forums Hell and KickAss ceased to function for this reason (in 2015 and 2019, respectively), although this has not been confirmed by authorities. At other times, law-enforcement agencies’ successes are publicized in the global media. In September 2019, Belarusian authorities seized the servers of notorious hacking forum Xakfor. The cybercriminal community is well aware of the authorities’ presence on their forums, and that some forums only survive so long because they’re valuable for police to gather intelligence and evidence.

For these reasons, many cyber-security professionals have alluded to forums being doomed to redundancy. With cybercriminals carrying out more transactions and discussions on alternative platforms, you’d expect the need for forums to decrease. It can’t be denied that cybercriminals are increasingly using other platforms; Digital Shadows (now ReliaQuest) has even written about this phenomenon: How Cybercriminals are Using Messaging Platforms. But the rise of alternative technologies hasn’t spelled the end of forums, which seem to be prospering against all odds.

Undeniable appeal: Evidence that forums are still popular

Several factors support the idea that forums are here for the long run. New sites are continually appearing, membership numbers continue to climb, and users frequently express reluctance to deviate from the traditional forum model. The appearance of new forums is driven mainly by the need to replace failed ones.

Out with the old…

The English-language cybercrime scene has experienced remarkable instability in recent years, with established and fledgling forums continually vanishing for many varied reasons.

Figure 1: Lifecycle of prevalent forums (*denotes legal seizure of forum or shutdown by administrators)

Law-enforcement intervention

Takedowns by police or security services have been the reason for the demise of most now-defunct forums. Among them was the prominent Dark0de forum, rendered offline by an FBI-led operation in 2015. Dark0de had been in operation since 2007 and achieved notoriety among English-speaking cybercriminals for the site’s discussion and sale of hacking tools, exploits, breached data, and spamming services. Another casualty was the longstanding Infraud forum. At its height, Infraud maintained a half-billion-dollar operation selling hacking and fraud services, before an international law-enforcement coalition seized the forum in 2018.

Figure 2: The home page of Infraud after its takedown

Owner/member misconduct

Other forums have perished because of their owners’ malpractice. For example, Digital Shadows (now ReliaQuest) has seen sites abandoned by their administrators. 0day was a prominent cybercriminal platform that launched in early 2014, but by late 2017 the forum’s administrators had apparently forsaken it. Our investigations showed that registration requests went unanswered, and the site’s Jabber services were down. Rumors circulated that the forum was no longer active: the administrators had left without turning off the lights. At the time of writing, the forum’s Tor URL is no longer accessible, and the clear web URL disappeared several years ago.

Figure 3: 0day homepage

Sometimes forum members’ misconduct can also play a part. That Russian-language forums are much more successful than their English-language counterparts can largely be attributed to the incredible discipline of Russian-language platforms. Strict rules govern what kind of language can be used (profanities are out, grammatically correct Russian is in), which sections will accept new threads, and how forum moderators must be treated (challenging moderators’ opinions is definitely out). Such rules guarantee order and ensure that forums can’t fragment because members are unlikely to rebel.

Poor execution

Then there are the forums that flop because of poor implementation on the part of their creators. Torigon was launched by a trio of threat actors in September 2019 with the explicit aim of bringing English- and Russian-speaking hackers together to trade malware and exploits on a single platform. But the forum failed to provide translations into Russian for non-English speakers and neglected to promote the site within the cybercriminal community. The result? A lack of engagement and failure to reach the target market.

Figure 4: Torigon branding

…In with the new

Despite the considerable unpredictability, the overall death of English-speaking forums is not imminent. In fact, the scene is best likened to a game of “whack-a-mole”: No sooner does one forum disappear than another pops up to take its place. In the cybercriminal underground, the appetite for new forums is far from diminishing.

The extraordinary tenacity of the forum model within the English-language cybercriminal community indicates that threat actors still see great value in using these platforms. Starting a new forum requires substantial effort and resources that don’t even guarantee success; even so, we see multiple new sites launch each year. Sometimes forums that have been disrupted by police even attempt to return to the scene, relying on their renowned branding to lend them credibility―there have been rumors about the reappearance of Hell (as Hell Reloaded) and Dark0de.

The appetite for new forums is seen even among Russian-speaking cybercriminals. Although their scene is characterized by the remarkable stability and longevity of forums, sometimes sites do perish…but not always for good. In 2018 a formerly defunct forum, DamageLab, was relaunched as XSS. Owing mainly to the pedigree of the experienced team behind the forum, XSS has grown and come to challenge even the most prominent Russian-language platforms. And in March 2019, a new rumor swirled through cybercriminal forums: The coding forum Cult of the Russian Underground (CORU)—missing in action since 2016—would be resurrected. By April 2019, CORU had opened up registration.

Strength in numbers: The ever-growing forum member and post count

Forum membership numbers and thread/post counts show that the popularity of forums is continuously increasing, despite the advent of alternative technologies like Telegram.

Figures 5, 6, and 7: Evidence of growth in membership and post count numbers for Torum, Exploit, and XSS

Torum

Torum was but a small, fairly insignificant player orbiting the outer rings of the cybercriminal scene in 2017, continuing in much the same vein in 2018. But where it endured, and perhaps by poetic licence, the popular English-language forum KickAss was to be no more. 2019 has been a good year for Torum: in the eight months from February to October 2019, its userbase increased by 639%, as the English-speaking cybercriminal underground found a new place to regroup.

Figure 8: Torum logo

Exploit

Exploit is one of the most high-profile Russian-language cybercriminal forums. It’s operated continuously since 2005, and many threat actors and commentators consider it a platform for some of the most skilled cybercriminals. Despite—or perhaps because of—its longevity and reputation, Exploit has also seen significant growth in membership in recent months. In March 2018, the site had 40,390 registered members. By November 2019, the count was 47,347: a 17.2-percent increase in an already established forum. A contributing factor may have been the decision to introduce automatic registration in English, to enable non-Russian–speaking users to join more easily. Exploit’s post count leaped from 846,020 in March 2018 to 1,012,575 in November 2019.

Figure 9: Exploit logo

XSS

XSS was formerly DamageLab: one of the original Russian-language cybercriminal forums. DamageLab folded after the 2017 arrest of its administrator (we’ll discuss this more in a future blog in this series). Still, the former administrator of Exploit purchased a partial back-up of XSS in late 2018 and has since built the forum into a thriving and active community, reflected in its growing membership numbers. They’ve seen an 84-percent increase between February 2019 (10,344 members) and November 2019 (19,040). And let’s not ignore the post count, which grew from 130,040 to 162,470.

Figure 10: XSS logo

Visit numbers also suggest that forums’ popularity remains steady. The number of visits to two popular English-language cybercriminal forums, Nulled and Raidforums, has barely diminished since April 2019, according to the visit metrics site SimilarWeb[.]com. Visits to Exploit have increased by over 20,000 in the same period, according to the same site.

Figure 11: Comparison of Nulled (blue) and Raidforums (yellow) visit figures, past six months (Source: SimilarWeb[.]com)

Figure 12: Exploit visit figures, past six months (Source: SimilarWeb[.]com)

Now that we have a few examples of prominent forums, what are their alternatives? What makes a good forum? Part 2 of this blog series will discuss forum users’ resistance to moving from the forum model.

Stay tuned.
