This week, Digital Shadows (now ReliaQuest) hosted a webinar covering dark web trends that we have recently observed, the risk impact associated with cybercriminal behaviors, and mitigation strategies for your organizations’ digital risk on the dark web. While the webinar is available here, we wanted to go the extra mile and offer our video content in a slightly more digestible text form.

Here’s the recording in case you prefer to watch the full video:

Dark Web Digest: Gaining Valuable Threat Intel from Cybercriminal Forums

This blog covers three specific topics: Dark web trends, tactics and techniques criminals use to compromise your data, and how to gain visibility into your dark web risks.

Forum competitions continue to proliferate.

Early competitions on criminal forums started as small and were seemingly innocent compared to the severe events we have recently observed. They began as challenges for users, including trivia questions or image design contests with modest prizes such as VPN services or status points.

  • In January 2008, Exploit ran a competition where the user with the longest tenure on the forum to post in a specific thread would win $25.
  • In October 2007, members were offered a reward by accurately guessing how many registered members were on the forum on a specific date.

Over time, these competitions have grown to be more involved. They can now pay up to five figures to find zero-day vulnerabilities, cracking encryption keys or users rolling their encryption, and developing new malware. Individual users used to be responsible for coordinating competition efforts; however, as more participants entered and prizes grew in size, forum administrative groups began to plan out and initiate competition criteria and parameters.

One of the main reasons why criminal forums fizzle out is because of user attrition. To combat this, forum competitions assist in:

  • Gaining new users
  • Maintaining current users
  • Promoting community culture
  • Serving as a reputation booster for forum participants
  • Building knowledge and improving skills for forum users

In many cases, forum competition prizes are sponsored by a group of people. In December 2019, XSS administrators revealed that an annual forum competition was sponsored by the Sodinokibi (aka REvil) ransomware operators; the competition winner would be allowed to work with their team. In theory, the Sodinokibi team can increase awareness of ransomware on the forum (thus potentially increasing their sales) and perhaps gain valuable intelligence for use in their future malware development.

Interested in learning more about Russian-language forum competitions? Check out our blog: Competitions on russian-language cybercriminal forums: sharing expertise or threat actor showboating?

Announcement of third annual articles competition on XSS
Figure 1: Announcement of third annual articles competition on XSS

However, the competition model on English-language forums has not gone down the same road compared to their Russian counterparts. English-language forum administrators coordinate small prizes and make use of simple competition formats that require minimum effort. The focus for English-language sites seems to be focused on simple and easy entertainment rather than prestige, money, or harnessing new skills, much like the earlier days of competitions on the Russian landscape.

While English-language forums may attempt to coordinate more competitions in the future, due to dwindling enthusiasm or user drop-off, we don’t imagine this will happen any time soon.

Morality and ethics are a gray area in forum culture.

Often, when you look at cybercriminal platforms, you may imagine that they’re inherently criminal, but that’s not always the case. While some people may be on cybercriminal forums, they may not be cybercriminals themselves. Many nuances go into criminal forums, and we’ve seen individuals on forums that maintain a different intent and mindset than what you may expect.

The COVID-19 (aka coronavirus) pandemic can serve as a prime example of this: Some users have been slightly more hesitant to profit off of the pandemic. Throughout the spread and media coverage of COVID-19, we have observed solidarity from forum users with countries that have been severely affected – Italy, for example. Additionally, we have seen multiple posts providing helpful health and safety information.

COVID-19 thread on Torum
Figure 2: COVID-19 thread on Torum

To build on this gray area, some forums and their users have attempted to coordinate charitable efforts:

  • On the Russian-language carding forum Verified, a service providing bank drops in the United States promoted the fact that it donates a portion of its profits to charity as a way to market the service.
  • A forum member of the Russian-language forum, Antichat, had applied for paid coding work on a project organizing “cryptoattacks,” passed the interview tests and was promised work and payment, but never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father’s cancer medication. In turn, the user received $700 for their father’s medical treatment.
  • A user on Club2CRD announced their intention to involve the forum community in their habit of visiting children’s homes and donating material goods.
  • An Exploit user proposed establishing a charitable fund on the forum, saying that donating money would be “a plus for karma at the least, and the most, helping people who need it,” with the forum members becoming “a kind of modern Robin Hood.” 

COVID-19 continues to be a popular topic.

It comes as no surprise that cybercriminals are taking advantage of the current situation for profit. We have identified plenty of examples of criminals leveraging phishing, social engineering methods, the sale of fraudulent goods, and misinformation campaigns to carry out their nefarious deeds. Users on the English-language cybercriminal forum, Torum, were observed requesting templates and ideas for spreading coronavirus-specific phishing emails. Similarly, vendors on Empire, a cybercriminal marketplace, were seen trying to sell various types of personal protective equipment (PPE) and sketchy COVID-19 antibody test kits. We also observed some outlandish claims by marketplace vendors that advertise the sale of recovered COVID-19 patient plasma.

Advertisement for a recovered patient’s plasma on Empire marketplace
Figure 3: Advertisement for a recovered patient’s plasma on Empire marketplace
COVID-19 antibody test kit advertised on Empire marketplace
Figure 4: COVID-19 antibody test kit advertised on Empire marketplace

Previous to COVID-19, marketplace vendors were identified as selling illicit drugs, such as cocaine or heroin, but are now adjusting their business plan to remain relevant to current circumstances.

Rebooting dark web search engines: Kilos and Recon


Kilos emerged in November 2019 and is a one-stop-shop offering an extensive index of marketplaces, vendors, listings, reviews, and advanced filter functions. Based on visual observations, it’s possible that Kilos evolved from the popular dark web search engine, “Grams,” which ceased operations in 2017. The search engine is currently indexing 718,781 forum posts, 96,529 listings, 4,178 vendors, and has 1,296,311 reviews from ten markets and six forums. The creator of Kilos is keen on the platform’s success and is consistently pushing updates and added features that ensure the security and anonymity of its users while maintaining a robust and resilient resource for dark web goods and services.

Kilos search engine interface with advanced filtering options
Figure 5: Kilos search engine interface with advanced filtering options

In addition to its advanced filter capabilities, Kilos offers a Bitcoin mixer service called Krumble, a CAPTCHA system that improves the site’s sentiment analysis, a grading scale for rendered search results for qualitative improvements, and direct communication with the administrator.

Just as Grams proved extremely useful to cybercriminals and researchers alike, it is highly likely that Kilos will become an equally great – or an even more valuable – platform for dark web offerings.


Recon is another dark web search engine released in Beta in March 2020 by “HugBunter,” the creator and administrator of the Reddit-style cybercriminal community, Dread. To date, Recon has indexed 32 marketplaces, 23,000 vendors, 49500 listings, and 1,400 reviews. Currently, only six of the 32 marketplaces are online: CannaHome, Cannazon, Empire, Monopoly, Versus, and White House Market. The remaining 26 marketplaces are down due to various reasons, including exit scams, law enforcement seizures, and the disappearance of administration members.

As Recon continues to build its features and archival capabilities, it will likely be a strong competitor of Kilos.

Recon’s interface, showing current index statistics
Figure 6: Recon’s interface, showing current index statistics

Tactics and techniques remain unchanged.

Social engineering and phishing

Coronavirus phishing method advertised on XSS
Figure 7: Coronavirus phishing method advertised on XSS

We’ve said it before, and you’re probably sick of hearing it: Phishing is one of the most popular attack techniques. It’s simple to do, and it works. You don’t need to be a skilled threat actor or have a detailed understanding of your target to conduct an effective phishing attack as long as you have the means to buy a template. Commonly, templates offered on criminal forums and marketplaces contain how-to guides and are intended to masquerade as legitimate company emails.

Phishing-as-a-service (PHaaS) and phishing kits are an alternative to phishing templates, allowing an attacker to rent the infrastructure required for conducting phishing attacks. PHaaS offerings are monetized in familiar ways, offering various monthly subscription rates, each with multiple feature tiers, and gradually mirroring as-a-service offerings like that of those in real life.

Phishers take advantage of current events to make their emails relevant, e.g., COVID-19. Reports of email phishing campaigns using COVID-19-related lures surfaced almost immediately after confirmed infections began increasing in January 2020. Health organizations such as the World Health Organization (WHO) United States Centers for Disease Control and Prevention (CDC) have been prime targets for impersonation due to their perceived authority, which have included malicious domains or document downloads using promises of relevant safety documentation or infection maps.

But wait – there’s more!

Yes, phishing and social engineering are a significant risk to everyone, from individuals to global organizations. While we see them less often, we wanted to consolidate a few more methods that cybercriminals use to compromise your brand:

Compromised payment card details can be useful for fraud and allow criminals to access victim accounts on their behalf or leveraged for monetary gain. When attackers carry out network attacks, they will occasionally gain more information than what they were targeting. Card information can be a byproduct of a network attack so that criminals can sell bonus data for bottom dollar on criminal marketplaces. For credit-card vendors, advertising on cybercriminal forums can mean a more significant profit and greater control over who can view or buy it.

Exposed account credentials are regularly sold on criminal marketplaces for what seems like reasonable prices. Data breaches, system compromises, financial losses, and reputational damage are all possible outcomes of account takeover. These compromises can lead to privilege escalation and additional attacks on partners or supply chain vendors. Credential stuffing is a common method that attackers use to gain access to more accounts. If the same password is used on one account, they can likely gain access to a different account with the same credential pair. A common method for account takeover involves impersonation. The victim is led to believe that an email came from someone they knew, giving the victim comfort in familiarity; instead, it includes clicking malicious links or following specific transaction instructions.

Vulnerability exploitation is also a common attack vector that cybercriminals and advanced persistent threats (APTs) use to gain system access. Forum users will commonly list zero-day vulnerabilities for sale, or other exploit PoC code, opening the doors for more threat actors to use during their campaigns. While many threat actors will use phishing emails to distribute malware, vulnerability exploitation is a close second. Notoriously, the WannaCry ransomware attacks in May 2017 leveraged a vulnerability in Windows. In December 2019, Travelex was hit with a ransomware attack that leveraged a critical Citrix vulnerability (CVE-2019-19781). Following the attack, Sodinokibi (aka REvil) was observed targeting other vulnerable systems to spread ransomware.

Ransomware: Pay or get breached

Ransomware is another topic that we continually hear about; however, a new method of attack dubbed the “pay-or-get-breached” model, was spearheaded by Maze and began surfacing in late 2019. With this technique, organizations aren’t just dealing with the technical obstacles of a ransomware attack; they’re also forced to treat these attacks as a breach. Unfortunately, mitigating this type of attack goes beyond the traditional ransomware mitigations, such as storing backups to ensure business continuity – you have to deal with the threat actors that have stolen your data. The ramifications of this type of attack can be devastating, especially if the attackers post your organizations’ stolen information on a public website. Not only does this method affect IT and Security departments, legal, operations, and public relations efforts are also required.

Screenshot of the DoppelPaymer leak site
Figure 8: Screenshot of the DoppelPaymer leak site

The pay-or-get-breached method will likely continue to gain in popularity among threat groups and ransomware operators, due to the added pressure it puts on its targets.

Gaining visibility into your dark web risks is invaluable.

When you’re considering dark web monitoring, you have to bear in mind that the dark web does not necessarily mean criminality; even Facebook and the Wall Street Journal have platforms supported by .onion links. If you’re pulling in only dark web sources for your monitoring practices, you will also have to (possibly manually) filter through sources that are false positives. When you’re looking at threat intelligence feeds or data points, it is imperative to establish context by determining intelligence requirements. Otherwise, you won’t know what kind of problem you’re facing or how you want to solve it.

In this instance, we find the Pyramid of Pain to be a helpful model for risk prioritization. This model helps illustrate what kind of indicators are out there and how much “pain” you may cause your adversaries if you deny them those indicators. To give you a hint, the “good stuff” is at the top. For example, if you deny your attackers their tactics, techniques, and procedures (TTPs), they’re going to be hurting; however, if you deny their hash values, it won’t serve as much of an obstacle.

Pyramid of Pain
Figure 10: Pyramid of Pain

Digital Shadows (now ReliaQuest) has your back.

Digital Shadows (now ReliaQuest) provides valuable and actionable intelligence for your digital risks and customized threat intelligence and security alerts based on your organization’s assets. With Search Light (now ReliaQuest GreyMatter Digital Risk Protection), >95% of the noise is removed, giving your organization timely access and context to valuable threat intelligence.

top challenges facing customers for dark web monitoring

Based on our research of dark web risks, exposed passwords and customer accounts are some of the top challenges that customers face – we can help.

To learn more about Search Light (now ReliaQuest GreyMatter Digital Risk Protection) or Digital Shadows (now ReliaQuest)’ offerings, or get started with a free demo here.

Thanks for reading and feel free to check out the full webinar recording below:

Dark Web Digest: Gaining Valuable Threat Intel from Cybercriminal Forums