Mirror, Mirror, on the wall. Who’s the best cybercriminal of them all?

The terms cybercriminal and hacker often conjure up images of hooded caricatures à la Mr. Robot’s Elliot Alderson: Elite programmers hastily clacking away to the beat of synthwave at computer terminals behind Matrix- or Outrun-inspired aesthetics. An eternal quest for the elusive:

cybercriminal underground

Sure, these types of figures exist (to an extent—where else would Sam Esmail get his inspiration from?), but in many cases the cybercriminal underground is a lot more familiar than you might be led to believe. Many platforms and products deliberately seek to mirror the user experiences of what the everyday user is used to: It isn’t all proprietary tools and complex terminal commands. There’s an argument to be made that this notion of familiarity can normalize criminal behavior and lower the barrier of entry to the cybercriminal world. And for those already established, forum administrators and malware developers can make sure to retain existing users by offering a well-designed and comfortable user experience while attracting new members along the way.

Cybercriminal Forums 

For decades, Internet forums have existed as centralized platforms where like-minded netizens can gather to discuss any topic under the sun. From Soviet-era car collections to Dungeons & Dragons, there’s a forum for everyone. While many of these topics are innocuous, it should come as no surprise that thousands of forums across the open, deep, and dark web are specifically dedicated to more sinister tradecrafts: Hacking, social engineering, fraud, carding, drugs, you name it.

Basic forum layouts haven’t really changed all too much since they first came to existence. Some dark web forums, like the self proclaimed “Cyber Security Forum” Torum look like they’ve jumped straight out of the early 2000s.

Marketplace Discussions section of Torum

Marketplace Discussions section of Torum


This isn’t a coincidence. Many forums on the clear and dark web alike are built on the same open-source software. phpBB and vBulletin, both of which were actually first launched in 2000 spring to mind as two of the more popular ones (note the similarities between Torum (above) and Ars Technica (below)). These technologies offer familiarity, ease of use, and even security: Because they’ve been around for so long, they’ve been stress tested, are typically cheaper, and are easier options than building something brand new. Plus, with new technology comes new vulnerabilities. Tools that have been around for years have had time for many of their vulnerabilities to be identified and fixed.

Battlefront section of the (legitimate) Ars Technica forum

Battlefront section of the (legitimate) Ars Technica forum


As described in our blog on Nightmare Market’s current state of disarray, user experience (UX) and site performance are key factors in keeping customers happy, establishing loyalty, and maintaining demand. Why fix what isn’t broken?

Even more unconventional forums like Reddit are being emulated by dark web sites in terms of layout, style, and interactions, the main one being Dread. The two even use very similar naming conventions like /d/ (Dread) and /r/ (Reddit) to denote different subforums. These similarities are completely deliberate: If they’re already familiar with Reddit, people who stumble across Dread won’t have to re-learn how the forum works, letting them jump right into it with little to no learning curve.

Layout of Dread

layout of reddit

Layout of Dread (top) vs. Reddit (Bottom)


Although, instead of discussing movies, pets, and memes, Dread users are typically seen sharing their favorite dark web markets and complaining that their drug shipments have yet to arrive.

For more on this topic, we discussed the eternal appeal of forums in depth in our recently published three-part blog series Forums are Forever.

Forums are Forever – Part 1: Cybercrime Never Dies

Cybercrime Functions and Culture

In addition to looking similar to their clear web equivalents, many dark web and cybercriminal sites also feature mirrored functionalities. For example, sites like WeLeakData, a criminal forum that specializes in the trade of leaked databases, uses the third-party e-commerce platform Shoppy for membership upgrades. On WeLeakData’s Shoppy site, forum users can choose to buy a variety of membership upgrades that give access to exclusive sections of the forum.

 WeLeakData membership upgrades for sale on Shoppy

 WeLeakData membership upgrades for sale on Shoppy


In addition to providing an easy-to-use platform for existing users, this can also be a way for forums to attract new members and capitalize on established userbases. While not inherently criminal, Shoppy is often used in the video game community to buy and sell accounts, items, and hacks. With a significant overlap in the video game/hacking communities, users (especially novices) on cybercriminal platforms would likely be more inclined to use a checkout feature that they are already familiar with.

These parallels of familiarity aren’t just limited to websites either: Mirrors of legitimate business practices are frequently seen in cybercriminal offerings. For example malware can feature almost identical life cycles to legitimate software. This is particularly important for malware-as-a-service (MaaS) offerings. Beta phases, subscription models, 24/7 live tech support, and an attractive, easy-to-use graphical user interface (GUI) have become the norm in the real world, and are now all ingredients that can make all the difference in determining the success of cybercriminal offerings.

Like we discussed in our blog that covered Black Friday deals on the dark web, cybercriminals have adopted many of the same sales tactics that we’re used to seeing in our everyday lives. Much like on popular e-commerce websites like Amazon, cybercriminals offer Black Friday deals of their own during the shopping season to capitalize on hype and attract buyers, old and new.

BriansClub admin offering Black Friday deals on Telegram

BriansClub admin offering Black Friday deals on Telegram

In the professional world, we use out of office notices on our work emails to inform colleagues when we go on vacation. But this notion of common courtesy is also used by vendors on cybercriminal forums and marketplaces, and it isn’t even limited to the English-language landscape either. “Out of office” notices have been seen posted by Russian-language threat actors on popular criminal forums like Exploit.

Out of office notices on XSS

Out of office notices on Exploit (Translated from Russian: [Top] “on holiday until 11.09.19, don’t go away” [Bottom] “i’ve returned from my holiday. fresh updates on all fronts. get in touch!”

For many, cybercrime is a full time profession after all; even criminals need to take vacation sometimes.

cybercriminal vacation



If there’s anything to take away from this blog is that however daunting and foreign the cybercriminal underground may seem, the people behind the keyboard are only human and they’ll act in familiar ways.

While this can mostly be chalked up to human nature, there’s also a sense of deliberateness in the way that the cybercriminal landscape functions. It’s in most cybercriminals’ best interest for platforms like forums and marketplaces to be set up with user friendliness and ease of access in mind. Except for the most exclusive of platforms, how else are administrators and vendors going to build a dedicated following?

Likewise, it should also come as no surprise that many MaaS developers have crafted their products to be attractive to as wide a user base as possible. More happy users equals more revenue. But this also points towards a more unfortunate side of the mirrors of the real world in the cybercriminal underground. By building products and creating platforms that can be used by the most novice of users, cybercriminals are contributing to a lowered barrier of entry into cybercrime.


Want to gain visibility into criminal and fraudulent activity impacting your brand on the deep and dark web? Check out how our SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) platform can help with dark web monitoring.

dark web monitoring tool