In the first part of this blog series, we looked at numerous examples of ways cybercriminals have expressed their gender and nationality — or a fake version thereof that they want to present to the world. This time we’re going to explore morality and forum dynamics. Our research has shown us, time and time again, that one of the reasons for the continued success of cybercriminal forums (despite their outdated technology and ostensibly insecure public content) is the opportunity they provide for members to interact with other users and express their quirks and firmly-held opinions. Threads touching on cybercrime ethics or those focused on issues that divide a site’s users can generate popular and sometimes heated discussions. While this may seem divisive, ultimately, these conversations and users’ sense of involvement build forum communities and contribute to their longevity. At other times, it is the forum administration teams’ individual circumstances that determine a site’s success, reminding us that behind every cybercriminal platform is a real-life individual. Let’s look at how users have referenced morals on cybercriminal forums and how forum dynamics or politics have come to the fore.
Morals and charity
Another instance when our research joltingly reminds us of the individual personalities behind usernames is when cybercriminals begin to discuss morality issues or go out of their way to display kindness. We have seen some users worry about their illicit work’s karmic implications or debate the moral dilemmas inherent in getting involved in cybercrime. With the varying personalities of individuals at play, it’s interesting to see where different cybercriminals draw the line.
The coronavirus pandemic has provided plenty of opportunities for individuals’ qualms and red lines to shine through. In April 2020, the administration team of the English-language forum CrackedTO banned posts relating to trading or sharing accounts for the video conferencing platform Zoom, amid media reports of a considerable rise in cybercriminals targeting this increasingly-used application. A threat actor operating on the English-language cybercriminal forum RaidForums claimed to have received a smishing campaign text message containing a malicious link impersonating a site that offered a “cure” for COVID-19. They stated, “while I don’t – and won’t – proclaim any holier-than-thou intentions, I personally feel these types of scams are a little out there in terms of exploiting fears of a pandemic.”
In August 2020, a user on Exploit advertised access to a health center treating psychological illnesses and drug dependency. Another forum user swiftly posted to condemn the seller for offering access to such an institution on moral grounds. The vendor responded by removing the sale’s listing, eliciting thanks and promises of good karma from the complainant.
Personal cries for help
At the beginning of July 2020, a user on the now-defunct English-language cybercriminal forum Torum posted what appeared to be a sort of suicide note or at least a plea for help. They explained that their allegedly non-criminal, legitimate passport agency company had been badly hit by the coronavirus pandemic and said they had turned to cybercrime to pay their debts. However, they had been scammed by other threat actors on several occasions when trying to hire a hacker’s services. Another forum member responded by asking the user not to harm themselves and offered to talk about “how to turn things around.”
One user on the Russian-language forum Antichat had applied for paid coding work on a project organizing “cryptoattacks,” passed the interview tests, and was promised work and payment, but never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father’s cancer medication. Other forum members also claimed to have been deceived by the project organizer, sharing correspondence as proof. Ultimately, the Antichat administrators banned the project’s organizer and arranged a “whip around” among forum members, raising $700 for the medical treatment.
Forum dynamics and individual circumstances
Individual circumstances affecting forums’ fates
Our objective manner of viewing cybercriminal forums as transactional platforms and our focus on identifying commercial activity that might target our clients leads us to forget that these sites function as businesses whose development depends on the people behind them. We talk about the reasons for some platforms’ longevity and try to find outside factors influencing sites’ successes. Then we read posts connecting these platforms’ trajectories with people.
In April 2020, for example, rumors swirled that the administrator of the Russian-language forum Migalki had shut down the forum because they could no longer face running the site after experiencing a breakdown following the death of several family members from coronavirus. Another example is the administrator of the German-language cybercriminal forum Crime Network, who went MIA in summer 2019. Although one of the forum moderators has since been fulfilling the administrator role, the site’s visitor numbers, as judged by a third-party aggregator, do seem to have dropped since the actual administrator’s disappearance.
Dynamics between threat actors
In addition to forum administrators’ personal circumstances, politics and internal factions play a significant role in dark web forums, especially because many are interconnected.
The current XSS administrator was the Exploit forum administrator for many years and was highly respected within that role. As such, there is a complex interplay between the administrator’s old and new forums. The individual is careful not to criticize the new Exploit administrator for their policies, some of which the Exploit community has vociferously disagreed with. In one recent case, a formerly respected guarantor active on Exploit and XSS was involved in an arbitration claim. They had failed to pay parties in several transactions, a total sum of $170,000. The user was banned from both forums; the ban was lifted on XSS, but the Exploit administrator vowed that they would never allow them back on to their site.
Sometimes politics leads to more significant problems – there has been speculation that the Russian-language forum Phreaker disappeared because of disagreements between its two founders.
On Raidforums back in May 2020, one of the forum moderators decided to publicly “out” the current forum owner, stating the owner was “bad” and announcing that they wished to become the new forum owner. The moderator even created a poll in which other forum members could vote either “yes” or “probably” on whether the moderator should become forum owner – out of eight votes, five users had voted “yes,” and three users had voted “probably.” Users had also expressed their support for the moderator in the thread. Only one user had commented saying that they did not support the moderator’s idea. There have been no public or official replies from the forum owner or other staff. The dispute might have been dealt with behind the scenes – at the time of writing, the forum owner remains the same, and the moderator remains a forum moderator.
Obviously, it’s important not to get too involved in these personal stories when assessing available intelligence objectively. Our job as threat research analysts is to use our years of experience to judge the extent of a threat posed by forum users and help our clients assess the potential credibility of claims we see day in and day out on these underground platforms. A certain level of detachment is helpful. However, it’s also important to remember that sometimes, rational explanations cannot be provided for some of the actions or posts we see on these sites. Sometimes, a user’s personal circumstances, beliefs, or motivations will drive their behaviors, and it’s essential to consider this factor when we make our assessments.