November 30, 2023
If one could predict the future back in the late 1990s when the first cybercriminal web forums emerged, few would have been able to grasp that this model for communication and gathering would endure well into the new millennium.
The survival of the cybercriminal forum in the face of new, more secure technologies and constant pressure from law enforcement does not come as a surprise to researchers at Digital Shadows (now ReliaQuest). Collating extensive research and deep ‘lived’ insights into the cybercriminal underground, the myriad reasons why and how forums persist are outlined in our new paper, The Modern Cybercriminal Forum.
Our research findings cover some revealing insights:
Forums. Dating back to the early 1970s, web forums are among the earliest and most basic Internet communication technologies; the concept of a forum goes back even further. The emergence of a carding forum called CarderPlanet in the first years of the millennium cemented an established model – one emulated by almost all future cybercriminal forums. Much the same as the forum of old, today cybercriminals still use forums to seek advice and discuss the latest techniques and developments. Vendors commonly offer items including:
Compared with the clunky thread-and-post model used by forums, several communication and trading technologies have cropped up, offering improved efficiency, convenience, and security. There are messaging services and encrypted applications like Telegram, Wickr, and Discord, plus decentralized technologies like blockchain DNS, I2P, and BitTorrent. Automatic trading platforms, such as marketplaces and AVCs, have also taken root in the landscape.
Curious about the differences between AVCs, marketplaces, and forums? Check out our deep-dive blog: Understanding the Different Cybercriminal Platforms
Alongside the emergence of those technologies, forums have proven a risky—and outdated—arena for threat actors. They’re frequently disrupted by security services in many jurisdictions, and they often vanish quietly. Many believe the forums Hell and KickAss ceased to function for this reason (in 2015 and 2019, respectively), although this has not been confirmed by authorities. At other times, law-enforcement agencies’ successes are publicized in the global media. In September 2019, Belarusian authorities seized the servers of notorious hacking forum Xakfor. The cybercriminal community is well aware of the authorities’ presence on their forums, and that some forums only survive so long because they’re valuable for police to gather intelligence and evidence.
For these reasons, many cyber-security professionals have alluded to forums being doomed to redundancy. With cybercriminals carrying out more transactions and discussions on alternative platforms, you’d expect the need for forums to decrease. It can’t be denied that cybercriminals are increasingly using other platforms; Digital Shadows (now ReliaQuest) has even written about this phenomenon: How Cybercriminals are Using Messaging Platforms. But the rise of alternative technologies hasn’t spelled the end of forums, which seem to be prospering against all odds.
Several factors support the idea that forums are here for the long run. New sites are continually appearing, membership numbers continue to climb, and users frequently express reluctance to deviate from the traditional forum model. The appearance of new forums is driven mainly by the need to replace failed ones.
Out with the old…
The English-language cybercrime scene has experienced remarkable instability in recent years, with established and fledgling forums continually vanishing for many varied reasons.
Figure 1: Lifecycle of prevalent forums (*denotes legal seizure of forum or shutdown by administrators)
Law-enforcement intervention
Takedowns by police or security services have been the reason for the demise of most now-defunct forums. Among them was the prominent Dark0de forum, rendered offline by an FBI-led operation in 2015. Dark0de had been in operation since 2007 and achieved notoriety among English-speaking cybercriminals for the site’s discussion and sale of hacking tools, exploits, breached data, and spamming services. Another casualty was the longstanding Infraud forum. At its height, Infraud maintained a half-billion-dollar operation selling hacking and fraud services, before an international law-enforcement coalition seized the forum in 2018.
Figure 2: The home page of Infraud after its takedown
Owner/member misconduct
Other forums have perished because of their owners’ malpractice. For example, Digital Shadows (now ReliaQuest) has seen sites abandoned by their administrators. 0day was a prominent cybercriminal platform that launched in early 2014, but by late 2017 the forum’s administrators had apparently forsaken it. Our investigations showed that registration requests went unanswered, and the site’s Jabber services were down. Rumors circulated that the forum was no longer active: The administrators had left without turning off the lights. At the time of writing, the forum’s Tor URL is no longer accessible, and the clear web URL disappeared several years ago.
Figure 3: 0day homepage
Sometimes forum members’ misconduct can also play a part. That Russian-language forums are much more successful than their English-language counterparts can largely be attributed to the incredible discipline of Russian-language platforms. Strict rules govern what kind of language can be used (profanities are out, grammatically correct Russian is in), which sections will accept new threads, and how forum moderators must be treated (challenging moderators’ opinions is definitely out). Such rules guarantee order and ensure that forums can’t fragment because members are unlikely to rebel.
Poor execution
Then there are the forums that flop because of poor implementation on the part of their creators. Torigon was launched by a trio of threat actors in September 2019 with the explicit aim of bringing English- and Russian-speaking hackers together to trade malware and exploits on a single platform. But the forum failed to provide translations into Russian for non-English speakers and neglected to promote the site within the cybercriminal community. The result? A lack of engagement and failure to reach the target market.
Figure 4: Torigon branding
…In with the new
Despite the considerable unpredictability, the overall death of English-speaking forums is not imminent. In fact, the scene is best likened to a game of “whack-a-mole”: No sooner does one forum disappear than another pops up to take its place. In the cybercriminal underground, the appetite for new forums is far from diminishing.
The extraordinary tenacity of the forum model within the English-language cybercriminal community indicates that threat actors still see great value in using these platforms. Starting a new forum requires substantial effort and resources that don’t even guarantee success; even so, we see multiple new sites launch each year. Sometimes forums that have been disrupted by police even attempt to return to the scene, relying on their renowned branding to lend them credibility―there have been rumors about the reappearance of Hell (as Hell Reloaded) and Dark0de.
The appetite for new forums is seen even among Russian-speaking cybercriminals. Although their scene is characterized by the remarkable stability and longevity of forums, sometimes sites do perish…but not always for good. In 2018 a formerly defunct forum, DamageLab, was relaunched as XSS. Owing mainly to the pedigree of the experienced team behind the forum, XSS has grown and come to challenge even the most prominent Russian-language platforms. And in March 2019, a new rumor swirled through cybercriminal forums: The coding forum Cult of the Russian Underground (CORU)—missing in action since 2016—would be resurrected. By April 2019, CORU had opened up registration.
Forum membership numbers and thread/post counts show that the popularity of forums is continuously increasing, despite the advent of alternative technologies like Telegram.
Figures 5, 6, and 7: Evidence of growth in membership and post count numbers
Torum
Torum was but a small, fairly insignificant player orbiting the outer rings of the cybercriminal scene in 2017, continuing in much the same vein in 2018. But where it endured, and perhaps by poetic licence, the popular English-language forum KickAss was to be no more. 2019 has been a good year for Torum: in the eight months from February to October 2019, its userbase increased by 639%, as the English-speaking part of the cybercriminal underground found a new place to regroup.
Figure 8: Torum logo
Exploit
Exploit is one of the most high-profile Russian-language cybercriminal forums. It’s operated continuously since 2005, and many threat actors and commentators consider it a platform for some of the most skilled cybercriminals. Despite—or perhaps because of—its longevity and reputation, Exploit has also seen significant growth in membership in recent months. In March 2018, the site had 40,390 registered members. By November 2019, the count was 47,347: a 17.2-percent increase in an already established forum. A contributing factor may have been the decision to introduce automatic registration in English, to enable non-Russian–speaking users to join more easily. Exploit’s post count leaped from 846,020 in March 2018 to 1,012,575 in November 2019.
Figure 9: Exploit logo
XSS
XSS was formerly DamageLab: one of the original Russian-language cybercriminal forums. DamageLab folded after the 2017 arrest of its administrator (we’ll discuss this more in a future blog in this series). Still, the former administrator of Exploit purchased a partial back-up of XSS in late 2018 and has since built the forum into a thriving and active community, reflected in its growing membership numbers. They’ve seen an 84-percent increase between February 2019 (10,344 members) and November 2019 (19,040). And let’s not ignore the post count, which grew from 130,040 to 162,470.
Figure 10: XSS logo
Visit numbers also suggest that forums’ popularity remains steady. The number of visits to two popular English-language cybercriminal forums, Nulled and Raidforums, has barely diminished since April 2019, according to the visit metrics site SimilarWeb[.]com. Visits to Exploit have increased by over 20,000 in the same period, according to the same site.
Figure 11: Comparison of Nulled (blue) and Raidforums (yellow) visit figures, past six months (Source: SimilarWeb[.]com)
Figure 12: Exploit visit figures, past six months (Source: SimilarWeb[.]com)
Now that we have a few examples of prominent forums, what are their alternatives? What makes a good forum? Part 2 of this blog series will discuss forum users’ resistance to moving from the forum model.
Stay tuned.