When going out on a shopping spree, you would naturally have different expectations of price, accessibility, quality, and exclusivity of the clothes you buy depending on the type of shop or brand you choose. Say you’re buying a jacket; if you’re going for haute couture from a high-end designer brand, you would typically expect the jacket to be exclusive and of high quality. If you instead buy the jacket from a brand or store that sells mass-produced items, you would probably expect the price to be lower and to see perhaps other people on the street wearing the same jacket as you.

The same concept can be applied to business practices in the cybercriminal community: Some vendors offer exclusive products to one individual, the haute couture products of cybercrime if you will. In contrast, other vendors sell the same listing, a “mass-produced item,” to multiple buyers. Subsequently, just like in real life, there are specific expectations and benefits for both types of practices.

Overview of multiple and exclusive sales

The practice of vendors selling their products to multiple buyers is especially common in English-language cybercriminal forums and marketplaces.

For instance, users on the English-language cybercriminal forum RaidForums frequently share databases, account credentials, and credit card dumps. The plain-text data or download links are often “hidden” and require forum members with privileged access to use forum credits to unlock the hidden content. This means that an unlimited number of users can access the information as long as they are willing to pay a relatively low price or maintain regular activity on the forum. Vendors on English-language cybercriminal markets, such as Empire, also frequently offer an unlimited number of sales of their listings unless the product by nature is limited to a set quantity, e.g., a one-off invitation code for joining an exclusive forum. Even so, there is no guarantee that the vendor won’t sell the same item to multiple buyers.

By contrast, Russian-language cybercriminal forums tend to focus more on what can loosely be translated as “one-hand” sales, in which vendors sell exclusively to one buyer. For example, in the high-profile, Russian-language forum Exploit’s Auction section, listings undergo a bidding process and are sold exclusively to the highest bidder.

Auction listing on Exploit
Auction listing on Exploit

While in the real world, exclusive products often demand a steeper price; this is not always the case in the cybercriminal community. Network accesses can be sold to one buyer on Exploit for a few hundred dollars. In contrast, databases on Empire can be sold for several thousand dollars to an unlimited number of buyers. In other words, the price doesn’t necessarily depend on exclusivity. Instead, a listing’s value is determined by how far a buyer can monetize their purchase, e.g., by selling any personal information it may provide or by extorting victims. With, for instance, data breaches, another factor that might affect the price is if the database is associated with any media attention, and whether the data-set is already publicly available.  

Benefits for vendors

The reason for this disparity between the English- and Russian-language cybercriminal scenes is unclear. It may be that the continuing elite status of longstanding Russian-language forums such as Exploit has led to an emphasis on quality and exclusivity. Subsequently, these forums also often tend to attract more serious types of users who demand that the products they buy, such as network accesses or datasets from specific target industries, are exclusive. This means sales are more likely if listings are not offered to multiple purchasers.

On English-language forums, however, exclusivity does not equal quality. The more “open” vendors keep their sale, the more chance they have of making a profit as buyers are sometimes hesitant to purchase until another user has bought the product and verified the legitimacy of the vendor and the product. This tends to be the most successful strategy for the vendors as users on the English-language cybercriminal scene tend to have quite varying levels of skills and knowledge. By keeping their sales more “open” and accessible, the vendors don’t run the risk of out-pricing themselves of a potential sale.

Demonstrating this disparity between the English- and the Russian-language cybercriminal forums, there have been instances of successful vendors on the English-language cybercriminal scene attempting to expand into the realm of the Russian-language forums; however, they more often than not only receive limited interest. This is possibly due to the users on the Russian-language forums being aware that the English-speaking vendors are likely offering the same products on several English-language forums as well.

ShinyHunters advertising RapidForums
ShinyHunters advertising Exploit
ShinyHunters advertising the same database on both RaidForums and Exploit

Benefits for buyers

Gaining exclusive rights to a listing may lead to a higher chance of monetizing the product further down the line. Exclusivity can allow more specific, targeted, and successful attacks. For example, an exclusive email list means other threat actors can’t conduct phishing campaigns against the same victims. Exclusive network access ensures only one malicious actor is operating on a victim network at any one time.

Buyers of multi-sale offers cannot guarantee how the other buyers will use the purchased products. For instance, a database sold to multiple buyers may soon be shared freely across cybercriminal platforms. Despite this, the purchased goods or data can still be monetized, re-sold, or used in effective cyber-attacks. If the purchased credentials pertain to a streaming or gaming service, buyers might even use them to conduct account takeover themselves and use them for their pleasure.

When expectations are not met

When a buyer does not receive the product they have paid for, or the product does not live up to the expected standards, users are quick to express their discontent and demand reimbursement or for the vendor to be marked as a scammer or receive a forum ban.

On Russian-language forums, buyers in “one-hand” sales expect vendors to keep their end of the bargain and not sell the listing to anyone else. The cost involved and the high reputation required to gain initial access to some of these higher-level forums on the Russian-language cybercriminal scene is likely to deter vendors from attempting any form of scams. However, it does sometimes happen. When this fundamental agreement is broken, the original buyer can submit a scam report in the forum’s arbitration section. If found guilty, a fraudulent seller will likely be banned from the forum. Regardless of the value of the goods involved, the broken trust between buyer and vendor is a transgression of such magnitude that it leads to the severest punishments.

One example of such a case involves a buyer on the Russian-language forum Exploit who had bought 71,000 bots, and the vendor had agreed to a “one-hand” sale. However, the access was taken away from the buyer after the sale. The buyer made an arbitration claim against the vendor, and it soon came to light that the vendor had sold the same goods to at least three other parties. The vendor ended up being banned from the forum. Another example involves a user winning an auction lot, but who found out that another user had also paid for the same lot. The vendor assured that both buyers would receive different products, but when comparing the links they received, the buyers discovered that they had been given the same logs. The vendor ended up getting banned.

With multi-sale offers, the expectations are naturally different. Buyers of multi-sale offers acknowledge that their purchase will also end up in the hands of several other buyers. Instead, disputes tend to arise for reasons more directly related to the quality or accessibility of the product itself. For instance, it is not unusual to see users who have bought a credential database on an English-language forum complaining that the data is outdated and that passwords have already been changed. In cases involving a hidden download link that requires unlocking, users may encounter expired links. Perhaps because buyers involved in multi-sale offers recognize the more significant dangers stemming from this type of transaction, users tend to rely on each other to provide indications of the legitimacy of the vendor, report on the quality of the content, and reporting broken links.

These types of small disputes, in which for instance vendors provide broken download links, tend to happen frequently on English-language cybercriminal forums. Also more severe disputes occur on a regular basis, for instance when a buyer completes their purchase of an item, only to never receive the goods they paid for. One example of such a case was when a user on Altenen had purchased a credit card dump for EUR 50, but never received the dataset they had paid for, and subsequently reported the vendor who ended up getting banned.

Scam report on Altenen
Example of scam report on Altenen

The tendency of English-language vendors to be prone to more risqué behavior is possibly because the threat of being banned or having their reputation tarnished does not act as a strong deterrent. Unless joining a forum has required an application or money to gain access, the vendors have relative ease of access to most English-language forums. They can often acquire a new account using a new email address and get back on the forum. Unless the vendor has spent considerable time building a prolific reputation, it likely does not take much for them to “burn” their original scam profile and set up a new one.

Conclusion

Just like with real-life retail businesses, whether a listing is offered as a multiple (mass-produced) or “one-hand” sale (haute couture) may provide an insight into how vendors and buyers alike expect to monetize their products, what both parties expect to come out of a deal, and what actions buyers on different forums would deem a “breach of contract.” A vendor on a Russian-language forum, for instance, who offers exclusive goods, builds their reputation and monetizes their products by keeping their goods exclusive, just like haute couture designer brands do in real life. And you as a buyer would then expect the goods that you’ve bought from them to be exclusive to you, and not offered on every corner store for half the price.

The disparity between English- and Russian-language forums also emphasizes that cybercriminals choose business practices based on the traditions and structure of the community they operate within to make a profit, just like real-life businesses do. A tiny, independent corner shop probably wouldn’t be successful at selling mass-produced jumpers on 5th Avenue in New York, just like cybercriminal vendors who attempt to get away with “breach of contracts” or try to move grounds to a completely different platform will likely continue to be unsuccessful as long as their business practices do not follow the traditions and structure of the communities they are in.