One heart-warming aspect of modern society is the increased prevalence of charitable endeavors during times of crisis.
Philanthropy has loomed large in our minds during the ongoing COVID-19 (aka coronavirus) pandemic. In the United States, businesses have stepped in: Amazon’s Jeff Bezos has given $100 million to food banks, Microsoft’s Bill Gates has pledged funds to help develop a coronavirus vaccine, and Elon Musk has donated thousands of ventilators and protective masks. The story of 99-year-old Second World War veteran Captain Tom Moore has gripped the United Kingdom: He has raised over £18 million (at the time of writing) for the National Health Service by completing 100 laps of his garden before his 100th birthday.
The current spirit of charity has also reached the cybercriminal community, although the results in that environment have not necessarily been as successful as those seen in the offline world.
Cybercriminals’ complicated relationship with coronavirus relief
In late March, a user on the prestigious Russian-language cybercriminal forum XSS initiated an English-language thread to share free credentials for accounts with preloaded funds for the automated vending cart (AVC) sites Joker’s Stash and UniCC. In exchange, the user requested voluntary donations “to help COVID-19 patients and medical staff in Italy and Spain”. The user provided a Bitcoin wallet address to receive donations. Later that same day, the user updated their post to report that the accounts were no longer working, as an unknown forum user must have changed the passwords without leaving a donation.
XSS post sharing carding site credentials in return for coronavirus response donations
The next day, the user posted credentials for five more Joker’s Stash accounts but later updated the thread to announce that all the accounts’ passwords had been changed but no funds donated. The following day, the user shared what they promised were the last two sets of account credentials, noting that they had still not received any money. Although several forum members had voiced their support for the idea, it seems that no one went as far as putting their Bitcoin where their mouth was.
This whole episode got us thinking…
Charitable endeavors are promoted on these platforms more than you might expect, but voluntary aid is a gray area. In a world where anonymity—avoiding detection by law enforcement—is paramount, can you rely on good intentions?
Will a forum member channel donations to the promised charity, or make off with the money? And how about targeting charities with cybercrime?
Where does the murky moral line sit in the cybercriminal underground?
One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation. A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was “cruel,” they found themselves in an “extremely difficult financial situation”. Responses to the proposal were mixed, with one forum user calling the plan “amoral,” and another pointing out that cybercrime is inherently an immoral affair.
Korovka post mulling possibility of faking charitable cause to collect donations fraudulently
Donations as an inherent element of forum life
Voluntarily giving away hard-earned money is not an entirely foreign concept on cybercriminal forums. Several Russian-language forums—including WT1, Exploit, Verified, Delf Code, and Zismo—provide their members with the opportunity to make donations to the sites themselves. Some make it very difficult to locate the records of those who have voluntarily donated, meaning the donors to these platforms go largely unrecognized (although discerning site administrators may remember their generosity later). On other platforms, the arrangement is entirely less altruistic: A minimum donation results in a pre-defined increase in forum status, allowing donor users to bask in the added prestige their money has brought them.
Visit any Russian-language cybercriminal forum, and you will quickly come across a surprising number of threads offering goods and services for free, or even entire sections devoted to giveaways. The most common commodities shared in this manner are account credentials for streaming services and credit-card details (although the validity of this information is often lacking, given the widespread distribution). This spirit of selflessness may appear remarkable, but consider the factors behind this phenomenon.
Often cybercriminals are sharing by-products obtained via an unrelated cybercriminal scheme. For instance, a threat actor who has established a botnet of infected computers might search the botnet logs for login information for online bank accounts. Along the way, they may discover that the logs contain credentials for a whole host of other sites and services. Maliciously exploiting the funds in the compromised bank accounts is the real goal here, so the threat actor can afford to share the other credentials they had no intention of using anyway. At other times, cybercriminals may share “second-hand” credentials for accounts that they have already used for nefarious purposes. (Typically, threads selling credentials highlight the fact that they have not been used in this manner.)
XSS giveaways section
All of a sudden, these giveaways don’t seem so generous. The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services. These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.
There does seem to be examples of charitable schemes on cybercriminal forums, and charity is sometimes used as a selling point. On the Russian-language carding forum Verified, a service providing bank drops in the United States promoted the fact that it donates a portion of its profits to charity as a way to market the service.
Drops service advertisement on Verified highlighting charitable donations
In general, cybercriminal forums soliciting real donations can be categorized in two ways: solicitations of help for the threat actor or their families, and solicitations to assist an unrelated cause.
Personal appeals for help
Posts describing personal problems and appealing for financial aid have received mixed responses on cybercriminal forums. In one example of a positive outcome, a user on the Russian-language forum Antichat benefitted from the generosity of the forum’s administrators. The user had applied for paid coding work on a project organizing “cryptoattacks”, passed the interview tests and was promised work and payment, but never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father’s cancer medication. Other forum members also claimed to have been deceived by the project organizer, sharing correspondence as proof. Ultimately, the Antichat administrators banned the project’s organizer and arranged a “whip around” among forum members, raising $700 for the medical treatment.
Announcement of sum sent to a user for medical treatment, with subsequent message of thanks
The author of a January 2019 post on Exploit was not so lucky. They received scathing responses to their post attempting to raise money for their sister, who had allegedly been burned in an accident and could not afford to pay for an operation.
Exploit post soliciting donations for medical treatment
The response to the user’s appeal indicated that the forum community collectively decided this was a scam attempt..
The difference in these two cases may lie in the Antichat member’s obvious distress at being scammed out of money and fellow forum members having had similar experiences they showed proof of. A sudden post, such as the Exploit member’s―lacking real detail, posts from other users to support their claims, or evidence that the user had tried to improve their situation themselves first―would ring alarm bells. The issue of apparent intent could also be at work: The defrauded Antichat user seems to have posted only to vent their frustration, with no intention of gathering money from the forum community, but the Exploit user openly sought funds.
These cases highlight the tricky nature of charity on cybercriminal forums: To be willing to donate money, forum members must be sure they can trust that the money will end up where they think it will. After all, there is no honor among thieves, and the numerous new threads each day in every forum’s arbitration section show that these sites are rife with cybercriminals trying to scam and deceive each other. Perhaps because individuals attempting to fraudulently obtain donations with fake charitable schemes present a high risk, schemes designed to help outside parties have historically proven more successful.
Help for chosen beneficiaries
Sometimes forum members post messages describing the desperate situation aided by their chosen charities, appealing to fellow forum members to lend their support. Such posts often appear around the time of the New Year’s holidays in former Soviet Union countries: Just as in the West, the festive season boosts charitable donations.
In one example on the Russian-language carding forum Club2CRD, a user announced their intention to involve the forum community in their habit of visiting children’s homes and donating material goods.
Club2CRD post soliciting donations for children’s home
The user stated that they wished to help an orphanage accommodating young children with illnesses or whose parents have HIV, and would create a Bitcoin wallet for member donations. A few days before the start of the new year, they said they would withdraw funds and purchase the goods, providing all receipts as proof of purchase. The post stated that the user could not predict what exactly they would buy, as they would contact the children’s home to ascertain their exact needs. To highlight their trustworthiness, the user said that “not a single claim has been put forward against me” (i.e. no accusations of scamming or foul play), and that there was there no reason to “doubt my decency.” They added that the scheme had received the consent of the forum administrators.
Ultimately the user did not receive as much money as they had hoped, although they did post screenshots of Bitcoin transactions showing that the wallet had received over $500 in donations. To prove that they had been true to their word, the user posted images of children’s toys and washing supplies, along with a sticky note featuring their forum alias and the name of the site.
Images used as “proof” of purchase from the Club2CRD user named on the note
Digital Shadows (now ReliaQuest) has observed similar schemes on other cybercriminal sites. A 2016 Christmas fundraiser on Exploit allegedly raised over $1,300. The organizer praised the “good-natured people [who] still remain on the forum, people who can and want to help the kids”. The same user went on to organize similar schemes in 2017 and 2018, with the latter appeal reportedly raising $4,645. Just as on Club2CRD, the organizer posted images of goods they purchased with the funds to “prove” that the money was rightfully spent.
Exploit New Year’s fundraiser announcements in 2016, 2017, and 2018
One Exploit user recognized the Exploit community’s seeming propensity to respond favorably to such charitable appeals, noting that the New Year’s fundraisers had shown that “many people were not indifferent to this issue.” They proposed establishing a charitable fund on the forum, saying that donating money in this way would be “a plus for karma at the least, and at the most, helping people who need it,” with the forum members becoming “a kind of modern Robin Hood”.
The issue of “karma”—finding ways to atone for the harm caused by cybercrime—is a topic discussed not infrequently in Russian-language cybercriminal communities. In this instance, the post noted that in arbitration cases (disputes between two forum members resolved by an impartial third party), compensation could be paid to the charitable fund, rather than going into the forum’s coffers.
Exploit post exploring the idea of a forum charitable fund
The difficulty, the post said, would be in the logistics of organization. Although creating a separate thread and a discrete Bitcoin wallet for anonymous donations would be easy, finding someone to run the fund whom the other forum members trusted would be “one of the main problems”. The user concluded that “a girl” would be the best candidate and should be appointed by the forum administrator. Although the forum community responded warmly to this idea, Digital Shadows (now ReliaQuest) could not find any evidence that the plan was actioned. Perhaps the inherent difficulties of actually implementing such a scheme—and the eternal issue of trust—stymied the proposal before it ever became a reality.
Another idea that never got off the ground was a 2017 proposal to collect money to buy flowers and gifts for 10 to 20 older women in the war-torn regions of eastern Ukraine, for Women’s Day on 8 March. The proposed plan seemed to cover all the organizational bases:
- The gifts would be flowers and “things that they would never have bought for themselves,” such as tinned pineapple, red caviar, and Raffaello chocolates.
- There would be a YouTube channel created to show all the packages with gifts, as well as clips of the presents given to the women.
- There should be photographic or video proof of all the money spent.
- The organizer would let the forum guarantor have control of all the wallets.
Although other forum members responded positively to the plan, it seems to have never materialized.
Exploit post proposing 8 March gifts for older women in eastern Ukraine
As Digital Shadows (now ReliaQuest) has noted repeatedly, the cybercriminal world has found its way to replicate establishments and customs that form a daily part of real life, so it’s not surprising that the notion of charity also has a presence in the underworld. Just as in real life, some charitable events take off and strike a chord with a large number of people, while other endeavors—even for worthy causes—fizzle out and fail to attract funds.
It will be interesting to see whether, as forums’ sophistication continues to develop, charity is embedded formally in the forum system. Given some cybercriminals’ propensity to view charitable efforts as a way to create good “karma” and negate their crimes, it’s likely to be a recurring element on cybercriminal platforms.