There’s a new kid on the block, and their name is Dark Web Forums (DWF). Have they come to stay? Only time will tell. Forums come and go at a rapid pace in the English-language cybercriminal scene, and initially, DWF does not appear to be a unique case. With DWF being less than one year old, it doesn’t have a high level of activity or much content just yet. Like many newcomers on the scene, it has faced the typical struggles of a newly created forum, including stiff competition, shifting ownership, and difficulty attracting new members.

However, there appears to be a possible connection between DWF and an old forum friend of ours: the English-language carding forum Altenen. This unique connection might enable DWF to set itself apart from its competitors and will be explored further in this blog. But first, let’s examine DWF’s first seven months, as they provide valuable insight into the early stages of a forum’s lifecycle.

Dark web forums (DWF) overview

DWF is an English-language cybercriminal forum that was launched on 30 Jan 2020. DWF started out as a small carding-based forum, but in March 2020, the forum added two new sections: “Hacking & Cracking Zone” and “Making Money & Cryptocurrency.” The site’s content currently spans an array of topics, including carding, cryptocurrency, hacking, “dark web” discussions, cracking tools, and offers of databases and accounts.

In our blog on the forum Torigon’s demise, we talked about the struggles new forums can have in getting off the ground. DWF seems to be facing the same difficulties. 

As a newcomer on the English-language cybercriminal scene, DWF has faced fierce competition from the get-go from more veteran English-language forums offering similar content, such as RaidForums, Cracking King, Nulled, and Cracked TO. Its vague stated aim of being a forum “dedicated to making money on the Internet, various earning schemes, IT issues and much more” applies to almost any given cybercriminal forum, and has likely not helped DWF stand out amongst more prolific forums. 

DWF has only accumulated 2,497 members to date—a relatively low number for a platform that has been active for seven months. As a result, the site isn’t particularly busy and only has 846 threads. Some forum sections contain few or no threads at all.

The most active section on DWF is the Carding Zone, which includes subforums relating to credit cards and database dumps, cardable websites, tools, and general discussion on carding activity and methods. The section’s “free fresh credit cards and database dump” subforum appears to be especially popular amongst its members, with over 220 threads mainly offering various credit card dumps–both mixed and from specific regions–and different streaming and food delivery accounts. Some of the forum’s staff members appear to be particularly active in this section and have created a high proportion of its threads.

Carding Zone section on DWF

Although not as active, other areas of the forum still provide useful insight into DWF’s community and what type of information its members require. The following sections are particularly noteworthy:

  • General Discussions: A platform for forum users to discuss (almost) any matter of the heart. Forum users have used the General Discussions section on DWF to ask for help and advice (e.g. how to monetize credit card details purchased from vendors on the forum), share various tools and methods, and offer “hacking services.”
  • Premium Accounts: Members share premium accounts for streaming services, food sites, cloud services, payment services, and gaming. 
  • Leaked database: This section is dedicated to sharing and offering databases. At the time of writing, the section only has 19 threads and is not often updated. However, users have provided an array of data sets, including mixed “combolists,” databases pertaining to specific sites or companies, and region-specific files.
  • Dark Web Zone: Similar to Dread, a Reddit-style underground forum, this is a section in which members engage in general discussion about the “dark web.” It includes users sharing links to other cybercriminal forums, offering illicit goods and services, and providing marketplace reviews. Carding or cracking forums don’t usually have an entire section dedicated to “dark web” discussion, so this section is a bold inclusion.

Updates on Dark Web Forums (DWF)

Despite its low post count and membership numbers, there have been some interesting developments on DWF during its seven months of existence. 

Forum ownership

DWF does not appear to have a dedicated list of its staff members and their associated roles. However, forum administrators have a “Verified Members” mark in their profile banner, while moderators are marked with a “Super Moderator Title,” making both staff roles easy to spot.

DWF’s hierarchy appears to have changed over the course of its first two months. The platform’s administrator “Professor” was the first forum staff member to post on the site, sharing a “welcome” post on 30 Jan 2020. This indicated that they were likely the most senior forum staff member at the time. Since then, forum user “t0r” appears to have taken over as the most senior forum staff member after joining the site on 29 Feb 2020. 

The forum ownership question is vague as none of the forum staff have specifically been marked as the forum owner. The closest we get is t0r, who uses the title “forum founder” and essentially acts as a dedicated forum owner (though the ownership has not been officially confirmed). They provide regular updates on DWF’s development, and on one occasion, they also warned users against potential scammers impersonating the forum’s verified sellers on Telegram. t0r does not appear to be a native English-speaker as there are frequent grammar and spelling mistakes in their posts.

Post by t0r displaying spelling mistakes

Accounts and paid upgrades

New users on DWF must have their accounts verified by the forum team before they can fully access the forum or view the actual contents of threads. Additionally, if users want to purchase one of the two available upgrades, VIP or “Verified Seller,” they must contact one of the forum administrators directly on Telegram to have their purchase confirmed and their upgraded account activated.

Although it is not uncommon for forum staff to ask users to contact them directly when purchasing an upgrade, this usually happens on a site’s own internal messaging system. This is the first instance we have observed in both the English- and Russian-language cybercriminal scenes in which members are asked to contact the forum staff on Telegram. The underground community–particularly on Russian-language cybercriminal forums–has frequently criticized Telegram for not being secure and anonymous enough compared to other instant messaging services such as Discord, Wickr, and Jabber. So far, no users on DWF have commented on or questioned the forum’s use of Telegram.

Struggles with attracting new forum members

DWF appears to have struggled with attracting new users since its creation. This is often the case with brand new forums, especially in the English-language scene with its ferocious competition and frequent migration of users from one platform to another. As early as March 2020, a user stated DWF had already become “dead” and “boring” and said users should share more knowledge and skills to make the forum lively again.  

In an update posted on 01 Apr 2020, t0r called on experienced users to suggest ways to gain more members. In response, users suggested anything from paying for low-cost advertisements to making highly ranked vendors “mention” the forum on their other platforms. 

DWF displays several advertisements linking to other platforms, indicating that other sites have paid DWF for advertisement space. However, we have not yet been able to detect any platforms advertising DWF…

t0r calling on experienced users for help

Announcement of clear web version of forum

DWF could initially only be accessed via Tor, but on 08 Apr 2020, t0r announced that they had launched a new clear web version of the forum. The launch means that users can access the site using their preferred, standard web browsers. It is possible that creating a clear web version of the forum, albeit less anonymous, allows for easier access, thereby enticing more users to join the forum. In doing so, DWF joins several of its competitors in offering a clear web version of the site, such as RaidForums, Nulled, and Cracked TO. It is important to note, though, that none of these forums can be accessed via Tor, and they have been easy to access since their creation, likely ensuring their steady increase in forum members over time. Since introducing the clear web version, there has been no mention on DWF that they have experienced a growth in members, and traffic rank sites, like Alexa, do not currently display any visitor data for DWF. 

Possible connection to Altenen

One of the most interesting aspects of DWF is a possible link between DWF and the English-language cybercriminal forum Altenen (also known as Alboraaq). 

Altenen initially started out as an Arabic-language cybercriminal forum with a user base stemming from Arabic-speaking countries. Later, Altenen changed its premise and became an English-language carding-based forum. WHOIS records suggest that the first English-language version of Altenen was created on 13 Jun 2013. Altenen appears to have experienced several attacks since its inception. It allegedly had its database leaked in 2014, and in either late 2016 or 2017 (specific date unknown), the forum went offline for a significant period. In June 2018, Altenen’s administrator, “T3eS,” resurrected the site. Since its “reinvention,” the platform appears to have attracted users from across the globe and has experienced a steady increase in forum membership. 

Back to the connection with DWF. Yes, both focused on carding before branching out into other topics. Yet there are other, more striking, similarities and direct connections between Altenen and DWF that suggest there might be a strong link between the two.

The description of DWF’s “free fresh cards and Database Dumps” subforum contains mentions of Altenen/Alboraaq that indicate Altenen may be a source of carding-related items for DWF:

“Fresh Credit Cards, Fresh Fullz, Fresh Cardable websites, Fresh Carding methods, Altenen Cards, Altenen Carding, premium accounts netflix spotify etc, Alboraaq Carding.”

Mention of Altenen on DWF

Altenen logo (left) and DWF logo (right)

Both forums’ logos, though not identical, resemble each other as they both display a red, devil-like figure with horns. This type of imagery has not been observed on other English-language cybercriminal forums. Additionally, there are further links that appear to connect some of DWF’s staff directly to Altenen. 

  • The forum owner t0r has signed off posts with “ATN Team,” a signature previously used by Altenen forum staff. 
  • DWF appears to have a user interface similar to Altenen’s, exemplified by the identical filter functions both forums have in all forum sections. This might suggest that DWF was built on the same script as Altenen. 
  • Both forums display the exact same forum descriptions: 

“[Forum name] is a forum dedicated to making money on the Internet, various earning schemes, IT issues and much more. This is a forum about making money on the Internet, Also we share knowledge about carding forum , malware modification, hacking, security, programming, cracking, among many other things. Also of tools related to the above. If you have interest and desire to learn do not hesitate to register and start being part of our community, if you are new we will help you in everything we can.”

  • At least two of DWF’s staff members, forum administrator “Professor” and forum moderator “Richman,” have highly ranked profiles on Altenen.
    • August 2018—Richman joined Altenen and has a “Legendary Member” rank on the forum and over 5,000 profile views. 
    • November 2018—Professor joined Altenen, has a “Respected Member” rank on the forum, and has mostly made posts relating to the sharing of Socks4 and Socks5 proxy server lists, various free cybersecurity courses, and methods targeting streaming services (Netflix in particular). 

Predictions for Dark Web Forums (DWF)

As DWF is still in its start-up phase, it will be interesting to see whether the forum will manage to gain more traction in the foreseeable future. In our recent blogs on Torigon and Nulled, we mentioned the three key factors forums need to consider to ensure longevity: differentiation from the crowd, having a knowledgeable and driven administration team, and ensuring the platform remains available and accessible. Before meeting its demise, Torigon tried to partner with more established platforms like Envoy and Dread to counter its growth issues; DWF may be leaning on its connection to Altenen for the same reasons. However, like Torigon, DWF might still have difficulties attracting new members if it does not become more visible and its administration team does not proactively advertise it on other similar forums. 

Although DWF appears to have a dedicated team of administrators and moderators, who not only moderate the forum but also actively contribute to the various forum sections with their own content, DWF would still need to work towards building up its community and position itself among its competitors, while protecting itself from any possible attacks. It will also be interesting to see whether the apparent collaboration with Altenen will increase and turn into the sort of relationship we have observed between Nulled and Cracked TO. These sites have recently experienced strikingly similar developments in both growth in forum membership and hiring of new staff.

If you’re interested in dark web monitoring, Digital Shadows (now ReliaQuest)’s SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) monitors across sources where criminals are active, no matter whether that is on the open, deep, or dark web. This includes continually monitoring and indexing hundreds of millions of dark web pages, pastes, criminal forums, Telegram, IRC, and I2P pages. If you’d like to see your organization’s exposure on the dark web, you can sign up for a demo request of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection, GreyMatter DRP).