Ensuring order in the underground: Recruiting moderators on cybercriminal forums

Ensuring order in the underground: Recruiting moderators on cybercriminal forums
Photon Research Team
Read More From Photon Research Team
June 18, 2020 | 10 Min Read

While there have been many predictable consequences of the ongoing global COVID-19 (aka coronavirus) pandemic, few would have foreseen significant growth for multiple cybercriminal forums. Digital Shadows has observed forums being stretched at the seams due to their newfound pandemic popularity. In retrospect, it’s not that surprising: The coronavirus has placed enormous economic pressure on millions of people worldwide. It’s not illogical to surmise that some individuals may have turned to cybercrime to plug holes in their finances. 

In April 2020, the administrator of the English-language cybercriminal forum Nulled announced that the site was recruiting two new “trials moderators” to help the current forum team cope with Nulled’s recent growth. The administrator’s post stated that the Nulled community was “especially growing rapidly during COVID-19”, meaning that the site “require[s] additional assistance.”

Nulled forum calling for new trials moderators
Nulled forum administrator’s post calling for new trials moderators

Also in April 2020, another English-language cybercriminal forum, CrackedTO, made almost the same plea. The near-identical post from CrackedTO’s administrator cited unspecified “recent events,” rather than naming the pandemic, as a cause of the site’s growth that has necessitated hiring new trials moderators for the site.

CrackedTO forum administrator’s post calling for new trials moderators
CrackedTO forum administrator’s post calling for new trials moderators

This development is interesting in itself. It seems that cybercriminal forums—like pretty much everything else in life—will be permanently altered by the effects of COVID-19. We will watch closely to see whether Nulled and CrackedTO’s increasing prominence changes the dynamics of the constantly-shifting English-language cybercriminal scene. 

The recruitment calls got us thinking more broadly about the whole concept of hiring moderators for forums and the varying ways different sites go about recruiting team members. 

What exactly are forum moderators?

Many cybercriminal forums operate a formalized system in which rank and responsibility are distributed in a pyramid-like structure. At the top of the heap is the administrator: Usually, this is the individual responsible for founding the site. However, forums have changed hands on several occasions in recent years (most notably the change of administration on the Russian-language cybercriminal forum Exploit in 2018). Site administrators exercise varying levels of control over or involvement in the communities they manage, with some only engaging in top-level discussions and decisions and others participating in the minutiae of everyday forum life. 

Especially on the larger and more active sites, overseeing the day-to-day activity of the forum is delegated to several forum moderators, with some sites operating subdivisions within the moderation team. For example, on Exploit, four “special moderators” have particularly significant responsibilities on the site, such as acting as the arbitrator in the forum arbitration section, fulfilling a technical support role, and arranging payment for advertisements on the site. Below these four special moderators are several other moderators who each assume responsibility for one or more forum subsections. 

Forum Moderators on Exploit
List of forum moderators on Exploit

While moderators’ particular taskings vary across forums, these individuals are generally responsible for enforcing forum regulations, issuing warnings or bans to members following rule infractions, answering forum users’ questions, moving content into more appropriate subsections, deleting “empty” posts with no meaningful content, looking out for and eliminating potentially damaging scamming activity, and—in somewhere like the Arbitration section, which may have a set template for new threads—ensuring that users’ content follows the expected form. 

Moderators’ prestige, ranking, rights, and power also differ between cybercriminal forums. On the Russian-language forum Antichat, for example, moderators do not have the right to respond to user posts with insults or jokes; they must remain silent if they are offended by another forum member. In contrast, on Exploit, moderators are particularly powerful: The forum rules state that moderators’ opinions and judgments cannot be questioned and that users who do so risk a complete forum ban. On the English-language dark web community forum Dread, site rules also emphasize the sanctity of moderators’ decisions: “Do not cry to the global mods if your post gets removed by a subdread mod because you broke their rules. I can say with 100% certainty that if the post is removed by a subdread mod there is not a single case of it ever coming back because we got cried to.” Even so, moderators are not untouchable or infallible: In March 2020 a forum moderator and guarantor operating on Exploit and another Russian-language forum, XSS, was banned from both forums following unspecified financial difficulties that saw them fail to pay parties in the deals in which they were acting as guarantor.

Not all forums operate such formalized moderation structures. For example, the English-language forum Torum does have a moderation system and personnel assigned to carry out certain duties (e.g. banning users or operating the escrow service), but for a forum of its size and reputation, moderation on the site is not apparent, and plenty of rule-breaking activity remains unflagged. It is usually down to those members with a higher status and reputation on the platform to initiate procedures to get forum members banned or threads removed. The reason for Torum’s lack of emphasis on moderation is unclear. However, it may be connected to Torum’s avowed status as a non-profit site: Its owners’ fortunes are not linked with the forum’s success.  

Moderator recruitment process

The process for recruiting new moderators is relatively formalized on most cybercriminal platforms. Generally, it involves interested individuals submitting a written application detailing their experience, enthusiasm, and knowledge of the forum. Let’s take a look at how five popular cybercriminal platforms hire their site help, and what the forums expect from those who apply.

Nulled and CrackedTO’s moderator recruitment

The afore-mentioned advertisements on Nulled and CrackedTO sought “trials moderators” who would help “maintain peace on the forum and help it grow even more. According to the posts, trials moderators should be able to dedicate a “decent amount of time” daily to “assist users” and “enforce the rules.” The posts stipulated that trials moderators should spend at least 30 to 60 minutes daily solving “forum reports.”

The advertisements emphasized the need for trials moderators to be “friendly,” “approachable,” and able to use their initiative. The Nulled post listed the specific duties of the role as:

  • “Find spammers / leechers / multis”
  • “Maintain peace and order in the shoutbox”
  • “be mature and handle situations professionally”
  • “be good at making unbiased decisions”
  • “treat each member equally”

Applicants on CrackedTO would also have to “Clean the forum from malware and spam.” Interested users were directed to send applications to the forum administrator via forum private message and encouraged to upload PDF documents via We-Transfer if necessary. 

XSS’s moderator recruitment

In September 2019, the XSS administrator initiated the site’s recruitment drive for moderators, calling for “young, energetic, serious people” to help moderate the forum’s off-topic section. The post noted that the moderator role was accompanied by “a number of responsibilities and privileges,” adding “the position is serious.” Aspiring moderators should have:

  • Knowledge of the field covered by the forum section they wished to moderate
  • Enough free time to devote to the position on a long-term basis
  • A willingness to fill the forum section with interesting content to generate discussion on topics
  • The ability to speak Russian
  • Demonstrable forum experience on XSS or another site

The administrator’s post discouraged users from applying who were only interested in a green username (the distinguishing sign of a moderator on the site) or the authority they would gain from the position. Instead, they said applicants should be driven by “credibility, respect, trust, and a circle of interesting acquaintances.” Interested users were directed to leave their applications as a reply to the administrator’s post, via forum private message, or through the messaging service Jabber. Although no newly vacant forum moderator positions have been advertised since the administrator’s initial post, several users have expressed a desire to be considered for the role, most recently on 26 May 2020.

Recruitment for forum moderators on XSS
Recruitment post calling for forum moderators on XSS

Exploit’s moderator recruitment

The moderator recruitment thread on Exploit has been active since February 2005. In this thread, the Exploit administrator highlighted several aspects of the site’s recruitment process:

  • Applicants with a recent registration date on the forum and a low post count should not apply
  • Applicants should thoroughly understand the topic covered by the section they wish to moderate: “to moderate and control what you do not know is unrealistic.” 
  • The process of becoming a moderator would not be instantaneous, and appointments would only take place after consultation with other forum moderators 
  • Applicants should post regularly in the section they wished to moderate to “show users that you care about the topic of the section, that you want to participate in the life of the forum.”

In the years since the thread’s inception, the site administrator has posted several times to call for new applicants. For example, e.g., in 2018, they called for “sensible, honest, competent people” for unspecified forum sections. Interestingly, one of the administrator’s posts from 2017 revealed that, at the time, individuals were writing to them almost every day to express interest in a moderator position but that the application rarely progressed beyond the initial conversation as most users only cared about the “prestige.”

RaidForums’s moderator recruitment

A 2016 post from the administrator of the popular English-language cybercriminal forum RaidForums outlined the requirements for moderators that are still applicable for current moderator applications in the site’s dedicated section. The post noted that the site is “always looking for new staff members, but the requirements are high and few are cut out for the job,” adding that being a staff member is a “long term commitment, and not many people realize what they are getting into.”

Applicants would need to: 

  • Be willing to make a commitment of at least three hours per day for at least six months 
  • Give up any staff positions on other sites to avoid a conflict of interest
  • Have a minimum of six months’ tenure on the forum, a positive reputation count, no warnings, and a track record of following forum rules
  • Be willing to use voice communications via Skype or Discord 
RaidForums’s moderator recruitment section showing active applications
RaidForums’s moderator recruitment section showing active applications at time of writing

The importance of monitoring moderator recruitment

Cybercriminal forums, particularly in different language communities, often take varying approaches to forum organization and structure issues. Some of the central tenets of many Russian-language platforms, for instance, are not present in the English-speaking cybercriminal community – think formalized arbitration processes complete with judge, jury, and compensation. What’s interesting about the moderation system is that the five very different forums we have taken as case studies place a similarly high emphasis on the importance of the moderator role within forum life. They have all implemented a lengthy and involved process to ensure success in moderator recruitment drives. Another point to note is the elements of the recruitment advertisements that come up again and again: the importance of devoting a significant chunk of time to the role, the requirements for applicants to have a thorough knowledge of the section, and the perceived prestige associated with the role. Most also emphasized that these positions are unpaid!

Recruiting new team members and finding the right individuals to take on the moderator role is accorded great importance within the cybercriminal landscape. Starting the recruitment process would require a lot of the forum team’s time and effort. Given this, plus the significance of these appointments, a site’s decision to recruit new moderators, change its application process, or fire existing team members would not be taken lightly. Therefore, the moderator recruitment process could be viewed as a subtle bellwether for the changing circumstances of a particular forum and the cybercriminal scene more widely. Maybe opening up applications hints that something more is at play – perhaps it presages significant changes within the community. 

Access Our Threat Intel In Test Drive

Test Drive SearchLight Free for 7 Days
Try It Now

Connect with us

Related Posts

Holiday Cybercrime: Retail Risks and Dark Web Kicks

Holiday Cybercrime: Retail Risks and Dark Web Kicks

November 19, 2020 | 7 Min Read

The holidays are right around the corner,...
To Code or Not to Code? Cybercriminals and the world of programming

To Code or Not to Code? Cybercriminals and the world of programming

November 12, 2020 | 9 Min Read

If you keep a pulse on the technology sector...
Work Smarter, Not Harder: The Evolution of DDoS Activity in 2020

Work Smarter, Not Harder: The Evolution of DDoS Activity in 2020

November 10, 2020 | 10 Min Read

Ransomware operations have undoubtedly...
A Eulogy for Maze: The end of a ransomware era?

A Eulogy for Maze: The end of a ransomware era?

November 9, 2020 | 6 Min Read

Maze— a high profile ransomware gang in...