Forums are Forever – Part 3: From Runet with Love
December 17, 2019
The rise of alternative technologies hasn’t spelled the end of forums, which seem to be prospering against all odds. In part 1 and part 2 of this blog series on The Modern Cybercriminal Forum, we discussed evidence around forums’ continued popularity as well as forum users’ resistance to moving away from the forum model.
The third and final installment of this blog series investigates several characteristics of forums that make them ideal for supporting cybercriminal communities.
Why forums are still winning the popularity contest
It’s clear that forums aren’t giving up the ghost, so what’s behind their members’ loyalty? The answer lies in several aspects that could apply to even legitimate customer services:
- A long history and venerable reputation
- Proof of credibility
- Guarantees of fair deals
Beyond that, forums also offer an advertising platform and a supportive, knowledgeable community.
Longevity breeds respect
The enduring popularity of forums is, to some extent, driven by their history, especially for Russian-speaking threat actors. Many of the prominent Russian-language cybercriminal forums operating today have a long pedigree. The Photon Research Team spotted a post on XSS that mentioned the “pantheon of the firsts,” referring to “the first forums that opened on the Runet in the 2000s,” which the post named as Carder Planet, Web Hack, Zloy, Antichat, Exploit, Maza, and DamageLab. The same user said these forums raised “a whole generation of first-class specialists… a whole generation, a whole life, a whole epoch”. The reputation of these long-established cybercriminal forums—and the prestige associated with being a forum member—is attractive to many threat actors. Linking to a profile on a hallowed forum is an almost failsafe way to prove your credibility and legitimacy.
Figure 1: XSS homepage
In the case of DamageLab, the perceived preeminence of the forum led to one of the most surprising developments in the Russian-language cybercrime landscape in recent years. DamageLab was founded in 2004 and grew to be one of the most prominent Russian-language forums. In December 2017, one of DamageLab’s administrators, the Belarusian Sergey Yarets, was arrested in a joint operation of Belarusian, United States, and European police forces for his involvement in the forum and in the Andromeda botnet. Following the arrest of “Ar3s” (Yarets’s username on the forum), the remaining DamageLab administration team decided to close the forum entirely to protect the user base from further investigation by the authorities.
What’s unusual is that, after almost a year (late 2018), the former administrator of the high-profile Exploit purchased a back-up of DamageLab, dating back to late 2015, and reopened the site. The new administrator vowed that the forum would never again work under its old name because it would be “unsafe, unethical, and bad for karma”. They rebranded the site “XSS” and set about restoring, rebuilding, and attracting new members.
Figure 2: Message announcing reboot of DamageLab
Despite the apparent dangers of operating on a platform associated with an individual known to law-enforcement agencies, the forum has flourished. Membership numbers have grown and the forum now boasts highly skilled threat actors prepared to discuss cutting-edge attack techniques and trade high-value offerings. This success has occurred, in no small part, thanks to the heritage of the forum; many of the older members are still active participants who contribute knowledge and experience.
Even Ar3s, who’s now been released from prison (six months in custody meant his fine was waived), holds a legacy role on XSS and has recently been appointed as a moderator of Exploit. And the new XSS administrator used the reputation they acquired as the administrator of Exploit to build trust in their new venture. (This individual has also ridden the coattails of their Exploit success to promote other projects, including a marketplace and a Jabber server.) The prestige and longevity of DamageLab outweighed the potential negative implications of restoring a defunct forum; Ar3s’s experiences with the law are often called upon by other forum members and his opinions are highly valued.
Promoting a forum by relying on a site’s previous reputation has even taken place in the English-language cyber community. The hacking forum Hell, which was taken down in a law-enforcement operation in July 2015, reappeared in early 2016 as Hell Reloaded. One of Hell’s original moderators, who created the sequel site, tried to market the new forum and attract new members by relying on the illustrious name of the defunct forum. But many new users remained wary, suspicious that the site was a security services “honeypot”. Hell Reloaded is no longer active.
Figure 3: Homepage of Exploit, which has operated continuously since 2005
A forum like Exploit, which has operated continuously since 2005, attracts users who are aware of the reputation it has built up over many years and the prestige they’ll gain as a member, but are also aware of its demonstrable success in surviving threats that have taken down other forums. Forum users who choose Exploit feel safe that time and energy put into building a brand and customer base on the forum will not be wasted.
These forums’ extraordinary longevity also means that the sites hold invaluable repositories of cybercrime-related content spanning many years. Exploit, for instance, boasts over a million posts containing discussions, advice, guidance, and recommendations. Sites like Hackforums, which has operated since 2009, are attempting to capitalize on their lifespan and significance of information by promoting themselves as educational resources, rather than simply hacking forums (an approach that may also help deflect unwanted attention from the authorities).
In terms of basic capability, there’s very little a threat actor can do on a messaging platform that they can’t also achieve on a forum. Several forums have added chat functionality, enabling users to communicate in groups, much like a messaging platform’s public groups or private channels, or in one-to-one conversations. Many forums also promote the privacy of this feature, stating in their rules that administrators cannot read users’ private messages. That is a policy promise rather than a technical guarantee: unless the messages are end-to-end encrypted between the two members, they sit in the forum’s database in a form the administrator, anyone who compromises the server, or anyone who seizes it can read.
But there’s a major difference between communicating via a messaging service and via a forum: the amount of associated user information. Many messaging services strip away as much data as possible about their users. Often, the only information available is a username, a handle, and maybe an avatar. Some services also allow a short biography. This lack of information is touted as an advantage: Surely, in a world in which staying anonymous is paramount, providing few details to your interlocutor is optimal?
Paradoxically, however, in a world of shadows and anonymity, more information can be the key to success. It’s very difficult to judge whether it’s safe to trust a username and avatar on a messaging service, especially when you can’t see how that user has interacted with other threat actors. Although cybercriminals undoubtedly don’t want to reveal any of their real-life, personal information, for successful transactions they need to present details of their online identities. Forums let them build up entire virtual personas.
A forum member considering interacting for the first time with another user will likely be able to see a history of that user’s previous forum activity. They can judge their credibility accordingly, considering several factors:
- When did the user join the forum?
- How many posts have they made?
- Do they initiate their own threads or just reply to other members’ threads?
- What have they bought? What have they sold?
- How involved are they in “forum life”―do they contribute to community threads? Highlight bugs? Suggest ways the forum can improve?
- How have other forum members reviewed this user’s services? Have they reported any problems?
Counterintuitively, trust is even more important in the cybercriminal underground than in everyday life. When there’s no information available on an individual’s real identity, threat actors can rely only on trust when making decisions. Should they send hundreds of dollars to a vendor in the hope of receiving what they’ve ordered? Reviewing a user’s past activity on a forum can help determine whether they’re a credible forum member, an inexperienced threat actor, or, even worse, a scammer, researcher, or law-enforcement official.
Forums offer numerous tools and systems that help their members make such assessments. Many English-language cracking forums have “leecher” or “lurker” ratings to flag users who don’t contribute to forum life, and such users are banned during the frequent member culls. Most forums also operate a system for members to award positive or negative reputation points to a user, reflecting either the outcome of a transaction or an opinion of the user’s contribution to a thread. Negative points can lead to a ban on some forums, so it’s in members’ interests to keep their score as high as possible, and they value the opportunity to do so: when Exploit removed its reputation system following a site redesign, many users clamored for its restoration.
Figure 4: CrackedTO announcement of leecher banning
There are a host of other ways to boost member trust. Some forums that focus heavily on the sale of goods and services will close a thread temporarily after it begins, so that moderators can verify the vendor’s claims. Many forums operate a status system for users with a long tenure and high post count to move up through the ranks of the site; users with a higher rank are automatically afforded greater respect. On some forums, users can only attain a certain rank by being vouched for by other forum members―a sure sign of legitimacy. Still other forums allow users to pay to increase their status, because making such a payment would be undesirable or impossible for some law-enforcement officials, and for individuals looking to just scam other users.
The Photon Research Team has found that strict forum rules and conventions also help build a picture of an individual. A user who contributes to forum life and answers other users’ questions is more likely to be genuine. Substantive answers and posts also indicate a user’s knowledge and experience. Users who only ask, or leave inconsequential replies, are likely to be inexperienced amateurs. Many forums rule that posts must contain meaningful content, and allow negative reputation points to be awarded for so-called empty posts.
A good reputation and positive user feedback can also be invaluable to a threat actor marketing goods or services. Whether promoting offerings on other forums or updating existing advertising threads, linking to a high-scoring forum profile or appreciative reviews from other forum users is one of the only ways threat actors can try to convince other members to enter into a transaction. Sometimes they even try to use positive reviews to distract attention from problems they’re experiencing. The founder of the recently established MagBo shells shop, “mrbo”, used a thread containing positive reviews on the Russian-language cybercriminal forum Antichat to promote their site on XSS, despite admitting in the same post that they had been banned from Exploit.
Figure 5: mrbo’s banned user profile
Forums’ utility as advertising platforms represents another advantage over alternative technologies. Very few threat actors can operate successfully on alternative platforms alone, finding that forum membership widens the user base to which they can advertise their goods and services. In a November 2019 discussion on the English-language cracking forum CrackedTO, many users admitted that they had fewer than 50 “friends” on the messaging platform Discord, indicating that the level of exposure on a messaging app is often much lower than on a forum.
It’s common for a threat actor to use the same username across discrete forums, establishing a marketing persona, and to extend that “brand” to alternative channels. The prolific travel fraudster “Sergik00”, who’s offered fraudulent airline tickets and hotel bookings on forums for almost four years, directs interested buyers to their Telegram channels to make orders. We’ve even seen them work their Telegram handle into custom advertising graphics included in their threads. Crucially, however, Sergik00 has maintained a footprint across a wide variety of cybercriminal forums and included positive customer feedback in their dedicated threads, building their brand across multiple sites.
Figure 6: Serggik00’s travel offerings
Similarly, the operators of the carding scheme Project13 use Telegram in a variety of ways—with separate European and United States accounts to deal with user orders and a Telegram bot to field user queries. But even with this extensive Telegram infrastructure, they still maintain active advertising threads on numerous Russian-language forums. Even the notorious carding AVC Joker’s Stash updates multiple dedicated forum threads each time they upload a large set of new card details to their site.
The ease of arbitration
Another shortfall cybercriminals see in using alternative platforms is the high risk of falling victim to fraud, and having no recourse if they do. If a threat actor operating exclusively on Discord or Wickr refuses to sell another user a data set after the deal is made, there’s not much the buyer—or anyone else—can do about it. The injured party doesn’t even have a place to air their anger. But Russian-language cybercriminal forums have built-in justice systems designed to settle disputes, ensure parties stick to the terms of an agreement, and punish wrongdoers.
In general, most forums have a well-used arbitration section, in which users can create threads when they feel deceived by another forum member. Such disputes usually revolve around one party failing to pay the agreed price in a transaction, failing to deliver goods by an agreed deadline, or providing goods that fall short of their description.
Figure 7: Exploit arbitration section
The claimant initiating an arbitration thread should provide all contact details the defendant has used (e.g. Jabber IDs), any other usernames by which they are known, and the logs of one-on-one conversations detailing the full negotiations between the two parties. Forums usually have templates for arbitration claims that participants must use. The forum arbiter can then read through the conversation logs and call upon the defendant to provide their version of events or evidence of their innocence. Other forum members will also supplement the discussion; sometimes these users have also been wronged by the defendant, but sometimes they’re contributing out of a sense of community spirit.
Eventually the forum arbiter comes to a decision, usually giving the defendant a chance to pay back any money owed, if they’re judged to be guilty. If the defendant fails to make this payment, or if their crimes are considered too egregious, the forum arbiter will ban them from the site. The defendant’s name will then be placed on a blacklist as a warning to other forum members not to interact with their username. Resolved arbitration cases in which the defendant was not banned are also kept as “public” record. This means forum users considering transacting with an unfamiliar vendor can see any arbitration cases involving that vendor.
On some forums, the justice system is even more involved. Verified, a high-profile Russian-language cybercriminal forum specializing in carding, runs a compensation system whereby wronged parties can recoup some of their losses. The user who scammed them may have deposited funds with Verified, and their victim(s) can apply to receive those funds. In most cases, guilty defendants have more than one victim; once all users have made claims against them, a member of the forum team steps in to dole out funds proportionally, according to the users’ claims. In most cases, the wronged parties are owed much more than the funds deposited by the fraudster in the forum, but at least they receive some form of compensation.
Figure 8: Verified compensation section
In one extraordinary example of forum justice, observed on the Russian-language Antichat, a user applied for paid coding work on a project organizing “cryptoattacks”. Despite passing the interview tests and being promised work and payment by the project organizer, the user never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father’s cancer medication. Other forum members also claimed to have been deceived by the project organizer, and shared their own correspondence. Ultimately, the Antichat administrators banned the project organizer and arranged a “whip around” among forum members to raise funds for the medical treatment. As a result, the forum transferred USD 700 to the wronged user. This kind of help from a supportive community does not exist on platforms other than forums.
Figure 9: Announcement of sum sent to user for medical treatment, with subsequent message of thanks
Sense of community
The previous case is just one example of the sense of community spirit that prevails on cybercriminal forums and contributes to their continued persistence. The forum community even celebrates together: Members wish each other a happy birthday or send New Year’s greetings, and Exploit even celebrated Halloween.
Figure 10: Exploit Halloween banner
By contrast, messaging services, marketplaces, and AVCs are almost exclusively platforms for buying and selling goods and services, and this doesn’t satisfy all users. The Photon Research Team has observed users on CrackedTO bemoaning the transactional nature of Discord, for example. Forums offer a place to conduct transactions but come with the added bonus of the knowledge and skills of an entire user base, arguably enhancing trading. On a forum, a threat actor can open up discussions with specific vendors, to ask for details of other goods the vendor offers, or inquire about the geographies/systems that can be targeted; in a marketplace, that threat actor can only send limited queries about a specific listing. Several well-known marketplaces, including Rapture, Empire, Olympus, and HYDRA, have even run forums alongside their main marketplace offering, to facilitate further discussions and reap the benefits of a forum community.
A good example of cybercriminal forums’ community-mindedness lies in the discussions on most major Russian-language forums about law-enforcement activity. In dedicated sections their users discuss the fate of fellow members who’ve fallen foul of the police or intelligence services, sharing as many details about their story as they can find, so the community can learn from that user’s mistakes. Users often post news articles about cybercriminals’ arrests, forensically examining the details of the case to work out how they were caught.
For example, a discussion arose on Exploit about the case of hacker Roman Seleznev, who was convicted of credit-card fraud in 2016 and sentenced in 2017 to 27 years’ imprisonment. One user said Seleznev was aware of Western intelligence agencies’ interest in him but chose to travel abroad for a vacation anyway. He was caught “while passing through passport control at an airport in a country without an extradition agreement with the United States”, the forum user said. The user also said officials discovered Seleznev’s real-life identity because he used the same email address his wife used for social media as a back-up email address that received malware logs. When Exploit users moved on to discuss the danger of Russian-speaking cybercriminals travelling abroad, one forum member remarked darkly, “Russian resorts are better than American prisons.”
Even more striking is the propensity of forum members who have had brushes with the law to return to the forum, then share the details of their experience with the community. XSS user “maza-in”—the supposed creator of the “Anubis” banking trojan—was arrested in early 2019, but that didn’t mark the end of their forum activity. maza-in’s arrest had followed an investigation by an unspecified Russian security force, and in August 2019 XSS users posted links to local news websites in Stavropol, Russia, saying maza-in was due to appear before Stavropol military court with an unnamed accomplice. In October 2019 maza-in reappeared on XSS with a new username (appending “1” to the end of their previous moniker) to provide details about the circumstances of their arrest.
Figure 11: maza-in1’s post recounting the story of their arrest
maza-in1 wondered whether their “excessive self-confidence” had “destroyed” them, adding that they had been “ruined” by “a careless attitude to security”. They explained that they had registered an email account using a “white” IP address (i.e. legitimate and not shielded by VPN technology) and then used that email address to sign up to Exploit. maza-in1 allegedly had no intention of engaging in cybercrime when they registered on Exploit, so they didn’t consider the security implications of using the email address. maza-in1 stated that their former partner, “cccalypse”, had not been arrested because they were so “paranoid” about monitoring their anonymity.
Ultimately maza-in1 was sentenced to 18 months’ imprisonment on probation, confiscation of documents, and a fine of RUB 120,000 (USD 1,872). They claimed that they were “saved” from a harsher sentence for not having targeted countries in the Commonwealth of Independent States and there being no identifiable “injured party”. Although some XSS users were suspicious of maza-in1’s return, the community was generally welcoming, valuing the insight into the criminal justice system and the small mistakes that could lead to capture. Cybercriminals can’t find such continual insight anywhere online except a forum.
Airing doubts about alternative technologies
A key concern for cybercriminals when choosing where and how to operate is security, and how easy it is to maintain absolute anonymity. Relying on new technologies and messaging services for security—no matter how ostensibly secure they are—inherently means trusting those platforms’ operators not to compromise their users’ anonymity, either deliberately or inadvertently.
Consider Telegram, which has come under sustained pressure from the Russian authorities to share the app’s encryption keys with the security services. A Moscow court even banned Telegram in April 2018, although Russia-based users continue to use the app via VPNs. Telegram creator Pavel Durov left Russia in 2014 following repeated clashes over his other project, the social network VKontakte. Although Durov regularly asserts that he’ll never give in to the Russian government’s demands, it’s possible to imagine circumstances arising that could compel him to agree.
Figure 12: Exploit users discuss WhatsApp
Not only are cybercriminals subject to the behavior of messaging app operators, but the services may have vulnerabilities that can put user security at risk. Commercial spyware, such as Pegasus, has exploited a vulnerability in WhatsApp to infect user devices and intercept communications. The infection was triggered after a WhatsApp call to the target’s phone, which allegedly didn’t require the user to answer the call. Pegasus can also remove any trace of the infection from the device’s communication logs. Users on Exploit have repeatedly discussed the security of WhatsApp; in one example thread from May 2019, a long discussion was prompted by Pavel Durov’s own comments that WhatsApp would “never be safe”.
Reflecting on the reliability of messaging apps, a Torum user said (verbatim): “I know peoples that have been busted cause to wickr, snapchat and whatsapp. Telegram has been cracked by feds too a year or two ago (I remember a big seized of terrorist weapons thanks to Telegram).” Another forum user warned on Verified: “don’t use whats[app]/viber, the FBI have already downloaded conversations from there. telegram at your own risk.”
In general, conversations about operational security and anonymity are common on cybercriminal forums: In the same thread on Torum as mentioned above, another user wrote, “The only chat app that is 100% safe is SkyEcc but it’s about $800/mo.” In a different thread on a similar topic, a member claimed: “With high level of resources, any centralized messaging service can potentially be compromised. I am not saying it is easy, but it is still a possibility that should be considered.”
Figure 13: Torum discussions of app safety
If we judge by these frequent conversations, many forum users seem to see an innate disadvantage in messaging apps. The reasoning is about incentives: the company running a messaging app is not itself at risk if one of its users is identified, and it may even be obliged to assist. A forum administrator, by contrast, is in most jurisdictions committing a criminal act simply by running the platform, so their own freedom depends on keeping the forum secure and preserving their anonymity and that of their members. Understandably, the teams behind forums take this responsibility seriously.
The now-defunct English-language forum KickAss prioritized security to such an extent that forum users were disadvantaged. In late 2018 the administrator removed all time and date stamps from posts, probably to thwart police forces’ efforts to collate intelligence for their enquiries. But the side effect is that it also made the forum much more inconvenient for its members to use. The CrackedTO forum also employed this tactic, as did the English-language Carding Forum―which also went so far as to expunge all user IP address information from forum logs (to impede investigations if the log database were seized).
A final downside to using legitimate messaging services is the risk that the companies behind them will not tolerate criminal activity. In one discussion on CrackedTO, users noted that they had been subject to regular bans on Discord for breaking that platform’s rules on permitted activities.
The future of cybercriminal forums: Is there an end to the trend?
Despite the age—and ostensible outdatedness—of the forum model and technology, cybercriminal forum administrators show every sign of striving to ensure these platforms remain popular in years to come. They’re acknowledging the primary concerns of their users, as described above: security, trust, and anonymity.
Three major site updates, all recorded in October 2019, demonstrate forums’ future-looking stance. Firstly, XSS introduced two-factor authentication (2FA). The forum administrator said the move was intended to increase the security of users’ accounts and minimize the risk of such compromises as “brute-force cracking attacks, [unauthorized] password retrieval, and interceptions by other services”.
Figure 14: XSS 2FA announcement
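The page does not say which 2FA scheme XSS adopted. The following is an added example, not code from the original page or from XSS: it implements the most common scheme, RFC 6238 TOTP over HMAC-SHA1 (RFC 4226 HOTP applied to a 30-second time step), on the server side, using the RFCs’ published test secret so the outputs can be checked against the standard. It shows why the scheme blunts the attacks the announcement names: a stolen or brute-forced password alone no longer logs in, a code intercepted in transit expires within a step, and a code that was already accepted is burned so it cannot be replayed. The one-step tolerance window, the Enrollment type and the stored last-used counter are design assumptions, not a description of XSS’s implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
	totpWindow = 1 // accept one step either side of "now" to absorb clock drift (assumption)
)

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to 31 bits, then reduction modulo 10^digits, zero-padded.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(digits)+"d", code%mod)
}

// totpCounter maps a Unix time to the RFC 6238 time-step counter.
func totpCounter(unix int64) uint64 {
	return uint64(unix / totpStep)
}

// Enrollment is the server-side record for one account's second factor
// (hypothetical structure, not XSS's schema).
type Enrollment struct {
	Secret   []byte
	LastUsed uint64 // highest counter already accepted; blocks replay of a captured code
}

// Verify checks a submitted code against the current step and its neighbours.
// A code is accepted at most once: after success the counter it matched is
// recorded and neither it nor any earlier counter is ever accepted again.
func (e *Enrollment) Verify(code string, now int64) bool {
	c := int64(totpCounter(now))
	for delta := int64(-totpWindow); delta <= totpWindow; delta++ {
		if c+delta < 0 {
			continue
		}
		cand := uint64(c + delta)
		if cand <= e.LastUsed {
			continue // already used, or older than a code we have already accepted
		}
		expected := hotp(e.Secret, cand, totpDigits)
		// constant-time comparison so response timing does not leak matching digits
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			e.LastUsed = cand
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226/6238 test secret; a real enrollment uses random bytes from crypto/rand.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := hotp(secret, totpCounter(now), totpDigits)
	fmt.Println("current code:", code)
	e := &Enrollment{Secret: secret}
	fmt.Println("first use accepted:", e.Verify(code, now))
	fmt.Println("replay accepted:   ", e.Verify(code, now))
}
```

With the RFC test secret, counter 1 (Unix time 59) yields 287082, matching the six-digit truncation of the RFC 6238 SHA-1 vector. The window means an attacker who captures a code has at most about 60 seconds to use it, and only if the victim has not used it first; the last-used counter is what makes that race a one-shot.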
Next, the English-language forum Dread introduced a “Canary” feature, aimed at keeping forum members informed of the status of Dread’s administrator and their control of the forum. These weekly updates, delivered as a personalized, cryptographically signed message from the administrator, were likely introduced following that individual’s September 2019 disappearance from the forum, which threw the community into disarray. The Canary feature shows a clear intent to sustain the credibility of the forum: a message that only the holder of the administrator’s private key can produce, refreshed on a fixed schedule, lets members detect a silent law-enforcement takeover or an impostor posing as the legitimate administrator, because either event shows up as a canary that stops arriving or fails to verify. It cannot prevent a takeover, and it only works if members pinned the administrator’s public key beforehand and actually check the signature and date on each update.
Figure 15: Canary announcement message
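The check a forum member would run on each weekly canary, as an added example that is not Dread’s code (the page does not describe Dread’s message format or key handling). It assumes the administrator signs the canary text with an Ed25519 key whose public half members pinned when they joined, that the text carries a sequence number and an issue date (the header names and the Statement line are hypothetical), and a seven-day maximum age matching the weekly cadence. Each of the three checks maps to a failure the feature is meant to surface: the signature catches an impostor, the age catches an administrator who has disappeared or been silenced, and the monotonic sequence catches someone re-posting an old but genuine canary.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// canaryMaxAge is how long a canary stays trustworthy; weekly cadence plus no slack.
const canaryMaxAge = 7 * 24 * time.Hour

// buildCanary assembles the plaintext the administrator signs. The sequence
// number and issue time are what verifiers check; the note is free text.
// Header names are hypothetical.
func buildCanary(seq uint64, issued time.Time, note string) string {
	return fmt.Sprintf(
		"Canary-Sequence: %d\nCanary-Issued: %s\nStatement: The administrator retains sole control of this forum and its keys.\nNote: %s\n",
		seq, issued.UTC().Format(time.RFC3339), note)
}

// signCanary returns the base64 Ed25519 signature over the exact body bytes.
func signCanary(priv ed25519.PrivateKey, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(body)))
}

// checkCanary accepts a canary only if (1) the signature verifies under the
// pinned public key, (2) the sequence number advances past the last one this
// member saw, and (3) the issue time is neither in the future nor older than
// canaryMaxAge relative to now. It returns the new sequence number to pin.
func checkCanary(pub ed25519.PublicKey, body, sigB64 string, now time.Time, lastSeq uint64) (uint64, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return 0, fmt.Errorf("bad signature encoding: %w", err)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, []byte(body), sig) {
		return 0, errors.New("signature does not verify under the pinned key")
	}
	var seq uint64
	var issued time.Time
	haveSeq, haveIssued := false, false
	for _, line := range strings.Split(body, "\n") {
		switch {
		case strings.HasPrefix(line, "Canary-Sequence: "):
			n, err := strconv.ParseUint(strings.TrimPrefix(line, "Canary-Sequence: "), 10, 64)
			if err != nil {
				return 0, fmt.Errorf("bad sequence: %w", err)
			}
			seq, haveSeq = n, true
		case strings.HasPrefix(line, "Canary-Issued: "):
			t, err := time.Parse(time.RFC3339, strings.TrimPrefix(line, "Canary-Issued: "))
			if err != nil {
				return 0, fmt.Errorf("bad issue time: %w", err)
			}
			issued, haveIssued = t, true
		}
	}
	if !haveSeq || !haveIssued {
		return 0, errors.New("canary lacks a sequence number or issue time")
	}
	if seq <= lastSeq {
		return 0, fmt.Errorf("sequence %d does not advance past %d: replayed canary", seq, lastSeq)
	}
	if issued.After(now.Add(5 * time.Minute)) {
		return 0, errors.New("issue time is in the future")
	}
	if age := now.Sub(issued); age > canaryMaxAge {
		return 0, fmt.Errorf("canary is stale: issued %s ago", age.Round(time.Hour))
	}
	return seq, nil
}

func main() {
	// Key generation happens once on the administrator's side; members pin pub.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	body := buildCanary(1, now, "All services operating normally.")
	sig := signCanary(priv, body)
	seq, err := checkCanary(pub, body, sig, now, 0)
	fmt.Println("accepted sequence:", seq, "error:", err)
	_, err = checkCanary(pub, body, sig, now.Add(8*24*time.Hour), 0)
	fmt.Println("one week later with no new canary:", err)
}
```

The member stores the returned sequence number and the pinned public key locally; a canary that verifies but carries the same or a lower sequence is treated as an attack just like a bad signature, since a party who has seized the forum’s archive can republish any earlier canary verbatim. The freshness check is what turns an administrator’s silence into a signal rather than an absence.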
Lastly, Verified introduced a free version of registration that allows users limited access to the forum’s escrow system. Many forums run escrow services, in which a third-party guarantor ensures that both buyer and seller receive what they expect from a transaction. Making use of this function provides added reassurance to sellers that they are dealing with a credible buyer rather than a scammer, researcher, or security service representative, all of whom would be reluctant to commit funds in this way. Verified offering their escrow system to users for free―rather than requiring a full Verified membership―extends the forum’s reach even beyond the bounds of the site.
Figure 16: Verified free registration announcement
We’ve also seen cases of forum users taking it upon themselves to bolster their security, rather than relying on directives from forum administrators. In recent months both English- and Russian-language forum users have started taking advantage of escrow services when transactions have barely even been initiated. Interested buyers usually contact vendors to request more details about their advertisement, such as screenshots of internal system access that prove that the offering is legitimate. But recently many vendors have begun insisting that buyers place money in a forum escrow service before they send any additional details.
The drive to pioneer new features and site improvements, to adapt to a changing security landscape, suggests that the threat actors running cybercriminal forums recognize the necessity to provide value for their users. Even long-established forums see the need to innovate; Exploit recently embarked on an entire site redesign. Forum members themselves take an active role in suggesting improvements or changing the way they use forums. With this continuous push for improvement, and a host of features and benefits simply not obtainable from other types of technologies, it’s highly unlikely that cybercriminal forums’ popularity will diminish in the coming years. Instead, the symbiotic relationship between alternative technologies and forums—in which the former can’t thrive without the latter—will flourish.