May 30 Webinar | SOC Talk: Automating Threat Response
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
May 01, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
In June 2020, the administrator of the English-language cybercriminal carding forum Altenen announced a “big victory” for the site in terms of its website traffic rank statistics. The administrator posted several key metrics, sourced from a traffic information service called HypeStat, to show just how “popular” Altenen was and how well the forum was doing overall. The statistics included the number of unique daily visitors, traffic sources (whether visitors access the site directly, by search queries, by referrals on other websites, or via social media pages), daily revenue estimate, and daily earning by country. This announcement received positive feedback from forum members, with many posting congratulatory comments on the thread.
Website traffic statistics are nothing new — anyone can look up their favorite website’s metrics. What is interesting about this case, though, is that the Altenen administrator deliberately used these metrics to quantify Altenen’s existing popularity and encourage forum users to “spread the Altenen all around the world [sic]” to grow the platform further. This is the first instance we have observed in which a forum staff member has deliberately posted the forum’s traffic rank statistics for promotional purposes.
This apparent reliance on site statistics to demonstrate Altenen’s popularity might indicate a degree of desperation from the forum administrator. Forums gain credibility and popularity by appearing attractive (e.g. by offering high-quality content and attracting highly skilled threat actors), not by highlighting subjective statistics such as website traffic rank. Website traffic numbers and forum statistics can be manipulated and therefore are not accurate indications of genuine popularity. And suppose the forums get caught manipulating these numbers. In that case, things can turn sour quickly, just like when BitBazaar market allegedly attempted to falsify their subscriber numbers and got banned from Dread, a Reddit-style cybercriminal forum.
The Altenen case got us thinking about how some less-prolific forums may use similarly deceptive tactics to increase visitor traffic and fight for scraps. In contrast, the more prolific, already-established forums would not be dependent on this. With this in mind, what can website traffic statistics tell us about cybercriminal forums? We’ve used the same source as Altenen’s administrator, HypeStat, to gather some key statistics for several English-, German-, and Russian-language forums. While there are many data points we could have included, we have limited ourselves to metrics focusing on Alexa rank history, unique daily visitors, visiting countries, traffic sources, and daily revenue estimates. We wanted to see whether the statistics align with our pre-existing perceptions of these sites, whether they show any trends we were previously unaware of, and find out what the numbers alone can’t show us.
Meet the forums
Altenen
Altenen is a carding forum that initially started as an Arabic-language cybercriminal forum and morphed into an English-language carding-based platform in 2013. After several cyberattacks, Altenen went offline in either late 2016 or early 2017, before the forum administrator resurrected the site in June 2018. Since then, the platform appears to have attracted users from across the globe and has experienced a steady increase in forum membership, though it has been described as a scam site by multiple users within the cybercriminal community.
RaidForums
RaidForums is a popular English-language cybercriminal forum, created in March 2015, that features content relating to an array of cybercriminal topics, including general hacking activity, vulnerabilities, cracking methods and tools, cryptography, and breach datasets. RaidForums appears to have recently increased its profile within the cybercriminal community, with several prominent threat actors from other prolific platforms, such as Exploit, creating accounts on the forum.
Nulled
Nulled is an English-language cybercriminal forum that first appeared in January 2015. The forum hosts content relating to various cybercrime topics, including penetration testing, coding and programming, reverse engineering, social engineering, and breach datasets. Since its creation, Nulled appears to have experienced a steady increase in users, and in April 2020, the forum administrator proclaimed that the forum had experienced significant COVID-19-related growth in membership.
Cracked TO
Cracked TO is an English-language cybercriminal forum created in May 2015, and while unconfirmed, Cracked TO may have some connection or degree of collaboration with Nulled’s administration team. Cracked TO, like Nulled, purportedly experienced significant COVID-19-related growth in membership around April and May 2020. Cracked TO also hosts similar content to Nulled.
Cracking King
Cracking King is an English-language cybercriminal forum and created in September 2014. The forum hosts content mostly relating to breach datasets, cracking tools and tutorials, and configurations. Cracking King appears to have been highly active in its first few years, but its activity has decreased over the past two years.
Crimenetwork
Crimenetwork is a German-language cybercriminal forum hosting content related to an array of cybercriminal activity, including counterfeit documents, accounts, drugs, carding, malware, exploits, and social engineering. Security researchers named Crimenetwork as one of the top five German-language forums back in 2015, and it is the only forum out of that five that remains active. However, the forum administrator has been missing since around June 2019, and forum moderators have had to take charge of the forum during the administrator’s absence.
Exploit
Exploit has been a stalwart of the Russian-language cybercriminal underground scene since 2005. It is widely regarded as one of the most prominent Russian-language cybercriminal forums and sees users trading a wide range of high-value goods and services. The forum has sections for malware, network access sales, exploits, hacking, social engineering, cryptocurrency, spam, and social media.
XSS
XSS is a recent rebranding of the previously long-standing Russian-language cybercriminal forum DamageLab, which was one of the first Russian-language cybercriminal forums to be established. DamageLab, in its original incarnation, was closed when its administrator had a run-in with law enforcement. Now run by a former Exploit administrator, XSS is well regarded within the cybercriminal scene and features discussions and commercial activity in several fields, including malware, spam, exploits, vulnerabilities, carding, access sales, and credential databases.
Website traffic statistics
Table 1: Website traffic statistics of selected cybercriminal forums
How do the statistics align with our perceptions of the forums?
Increase in membership
The Alexa ranking of Altenen over the past 90 days shows that the forum appears to have experienced a significant increase in user traffic, as the administrator indicated when publishing the forum’s website traffic statistics. Nulled’s Alexa ranking over the past 90 days also shows that the site has experienced a slight upwards trend since May 2020, which appears to correlate with the site’s April 2020 announcement about membership growth. However, the statistics do not show that many of the site’s visitors may be automated bots used by the forum administration teams to manipulate visitor numbers and increase overall ranking. So while the statistics do seem to back up the claims made by these forum teams, we cannot be sure whether the Alexa rankings are legitimate. Altenen’s drastic increase in rank, in particular, seems almost too good to be true, as none of the other forums we regard as popular, such as RaidForums, have experienced a similar increase during the same period.
Languages used on forums
As expected, users of language-specific forums appear to originate from the regions where the respective languages are spoken: The statistics show that most of Crimenetwork’s visitors are from Germany, for example, while visitors of Exploit and XSS mainly originate from Russia. However, the numbers do not show whether these users accessed the sites using VPNs concealing their true origins. Forums such as Exploit and XXS have grown to become popular beyond their original borders; additional international visitors are likely to use VPNs to increase anonymity or bypass any regional restrictions these forums might have.
A few surprises
Forum ranks
We expected to see RaidForums (rank 27,063) as the highest-ranked English-language forum on our list; RaidForums has proven to be a stable platform that has increased its popularity and overall activity over the past two months. Contrarily, Altenen (rank 27,025) has a similar rank to RaidForums, and both Nulled (rank 8,282) and Cracked TO (rank 10,905) significantly outrank both. Another surprising metric is the relatively low rankings of the Russian-language forums Exploit (rank 97,919) and XSS (rank 150,609) compared with the English-language forums. Both forums enjoy prominence within the English-language and Russian speaking cybercriminal community.
Possible distortion of rankings
Multiple factors may have affected the rankings, though. In addition to the possible use of automated bots by forum administrators, there is also a possibility that a site’s ease of connection can influence rankings. Freely roaming bots on the Internet attempt to connect to sites for various purposes, including indexing information and spam. This type of bot activity might cause a site’s ranking to increase if it is relatively easy to access, as is the case with some clear web forums. Several of the forums also have a .onion mirror domain that can only be accessed via Tor. Visitor numbers from .onion domains are not counted as part of website traffic statistics on Alexa. Therefore the actual number of visitors is not accurately represented in these Alexa rankings.
What new information can the numbers give us?
Average visit time
According to the statistics we collected, the average time spent on most forums tends to be less than 10 minutes. The exceptions to this are Altenen and Crimenetwork, where users spend, on average, 20 minutes perusing the site. This metric may reveal whether a forum has more guest users merely browsing the forum for a couple of minutes or more committed users who spend more time on the site. However, intricacies of specific forums show that we should treat these metrics with a grain of salt. For instance, users on Exploit only spend an average of 07:52 minutes on the forum, according to the statistics. Yet, because Exploit is a fully gated forum, none of these visitors are random guest users.
Visitor geography
While visitor geography can be distorted by using tools such as VPNs, the list of visitor countries still gives a good indication of the regions that visitors come from. The United States was the most popular country for visitors overall, not just on English-language forums; US visitors rank highly on Exploit and XXS. The only exception amongst the English-language forums is Altenen. Most Altenen visitors come from Egypt, Algeria, and Morocco, most likely due to Altenen’s origins as an Arabic-language forum. The relatively high presence of visitors from several Middle Eastern and Asian countries on English-language forums may also indicate a shortage of suitable Arabic- and Asian-language platforms, necessitating Arabic and Asian-language speakers to seek out international platforms instead.
Lastly, what can the numbers not tell us?
First of all, the statistics we collected give no indications as to a forum’s content (a niche focus, naturally leading to a more selective membership and visitor numbers, or more generic, with wider appeal) or quality (highly skilled threat actors invited to join the site after proving their skills versus inexperienced “script kiddies).
Secondly, advertisement revenue estimates do not show a forum’s actual economy. These sites can also earn money by requiring users to pay to register or upgrade their accounts to gain VIP access and charge commission on escrow services during transactions.
Thirdly, the statistics provide no reasons for the fluctuations in the Alexa rankings over time. Such changes could be regular, “seasonal” variations or down to the ongoing COVID-19 pandemic (as claimed by Nulled and Cracked TO). Similarly, Crimenetwork’s Alexa ranking doesn’t indicate that its significant rank drop in June 2019 is due to its administrator’s concurrent disappearance.
The limitations of these figures highlight the importance of having the human in the loop — an analyst observing these cybercriminal forums’ behavior over time. Without sufficient context, the statistics could potentially provide a distorted image of the cybercriminal community. It seems that Alexa does not yet have the answer to everything.