What’s more threatening than the thought of a cybercriminal sitting at their laptop and carefully manipulating their way into your bank account, stealing all of your hard-earned savings, and nonchalantly selling your login information to the highest bidder on a prestigious cybercriminal forum…?
A cybercriminal who can do all of this just using their mobile device!
The notion of threat actors adopting novel methods to facilitate their online activities is nothing new: The cybercriminal underground is continuously evolving and responding to new technologies and challenges. However, forums continue to be very much an active part of the cybercriminal landscape.
Digital Shadows (now ReliaQuest) recently observed the proposed development of a mobile application (app) for the English-language cybercriminal forum Nulled, indicating the site’s desire to keep the forum format very much alive. Historically, we’ve seen users across the cybercriminal community using and endorsing third-party applications, such as Telegram, Discord, and Jabber. But—as another subset of the cybercriminal underground is quick to point out—these come with their risks. This latest move might be an attempt to reduce these risks and cut out the middleman.
This blog will assess the historical concept of mobile-oriented forums, the benefits this stance could have for a forum in a world that is increasingly mobile-centric, and the potential pitfalls that explain why it may still not be a feasible idea in reality.
What is Nulled?
Nulled is an English-language cybercriminal cracking forum, founded in 2015, that has amassed over three million members to date. The site describes itself as a place “where you can find tons of great leaks, make new friends, participate in active discussion”. The forum’s statistics page highlights that the site has a large user base, with more than 3,000 new registrants a day and a daily average of 24,000-plus new posts.
Although Nulled may not be held in such high regard when compared to such prestigious forums as Exploit or XSS, the community aspect the forum has created remains intact. Nulled’s longevity in the volatile English-language cybercriminal scene indicates it’s stable and reliable.
Nulled: What happened in the past? And why now…?
Throughout early 2020, we observed a select number of users of Nulled actively developing an app on GitHub that aimed to provide a portable format of the forum in its entirety. Although mobile UIs for cybercriminal forums have existed for a long time, they are clunky and not very user friendly. This app seems to be trying to change this narrative and bring the traditional desktop forum to a mobile-centric audience. Initial feedback on the Nulled app was mostly positive. However, in recent days, its leading developer was suddenly banned from the forum for unknown reasons.
While the Nulled app’s existence hangs in the balance, the whole episode got us thinking: If it’s that simple, why has such a thing not emerged in the past? Although it’s not abundantly clear, we thought of a few potential reasons:
- Forum users have never expressed the need to access a forum in a mobile format
- Consolidating the content of a forum with a vast membership and post count is not a simple task
- It would require a lot of skill to develop an app that’s secure, reliable, and accessible to a broad geographical audience all at the same time
So at this point, we asked ourselves why the Nulled team even bothered initiating the project in the first place. Such an app is likely to have been intended as a proof of concept, to see whether the idea is feasible, and could add another legitimate way to access the forum in a world where the mobile device is increasingly becoming everyone’s go-to computer.
We’ll now look into the potential benefits a mobile-oriented forum could bring to the cybercriminal scene and, conversely, explore why mobile forums haven’t struck a chord before.
What are the incentives for creating a mobile-oriented cybercriminal forum?
Although there are potential negatives to any new concept, there are various positives that a forum app could bring:
- An open-source application helps ensure security and encourages a community effort to safeguard the forum’s membership and protect the forum’s content.
- Mobile devices may bring extra security benefits when compared to a laptop or desktop computer.
- Being able to access a forum on a mobile device 24/7 is likely to encourage more activity, increasing the sense of community and inspiring active participation.
Let’s examine those positives in detail.
- Creating an application on an open-source platform like GitHub helps encourage active participation in the project while ensuring security and reliability. Open-source platforms allow many individuals to highlight weaknesses in the app’s source code and functioning. Additionally, having the source code openly available for forum members to review encourages complete openness. It reassures them that the project is a legitimate venture and that nothing nefarious is hiding during development. What’s more, an open-source application helps reduce the risk of snooping or tracking by law enforcement, as code reviews will highlight potential changes such agencies may have introduced.
- The type of users accessing a mobile version of a cybercriminal forum are likely to consider security a central tenet of their Internet activity. These users may be accessing the app via a “jailbroken” or rooted device in combination with tools to enhance their safety, including anonymizing browsers and SOCKS/proxies to obfuscate network traffic and connection requests. A potential benefit of using a mobile device is the ease of erasure if a user is subject to a criminal investigation. Erasing data on a standard laptop is more complicated and costly.
- The forum being accessible to its audience 24/7 on a mobile device is likely to boost participation from forum members, helping users establish higher post counts and enhancing their credibility and reputations. For example, forum content suggests that skilled cybercriminals only conduct their forum activity at specific times of day (e.g. during office hours). An app may incentivize users to stay online into the evenings and during their “downtime”, given the ease of access. On the other hand, script kiddies who are already likely to be more active will have a more natural method of access, differentiating a forum within the crowded cybercriminal community.
What are the potential pitfalls of a project like this?
The benefits of a mobile-oriented forum sound great, so what’s holding the cybercriminal community back? There are a few possible answers:
- Cybercriminals may be resistant to going “mobile” because they’re wary of the potential of compromised security and anonymity.
- There may be a lack of interest: If there’s no desire for this type of access, then why bother in the first place?
- Although cybercriminals are open to new strategies in their attack efforts, they like their “home” (aka the forum) to be stable, easily accessed, and reliable.
Now let’s break down those pitfalls to see if they hold weight.
- The main risk when developing a mobile-oriented cybercriminal forum is compromised security and anonymity. Cybercriminals are notoriously risk averse when it comes to anonymity, and rightly so. If an app is going to compromise this in any way, a cybercriminal will drop it like a hot stone. For example, in many countries, a cybercriminal would need to give a name and passport details to buy a SIM card, making it harder to get a phone that can be associated with cybercrime. Though apps can be created with anonymity and security at the forefront, if there are any potential indications of weakness or unreliability, uptake would likely be minimal, and the app would soon disappear. The effort required to develop an app that’s not only dedicated but scrutinized to the max, to ensure it’s fit for purpose, may have seemed unappealing to forum administrators so far.
- Interest is paramount to a new feature’s uptake and longevity. Digital Shadows (now ReliaQuest) has seen various initiatives from the cybercriminal community that sound good on paper. Still, in practice, the interest is simply not there to justify their existence and the ongoing effort to maintain them. Take MarketMS, which entered the Russian-language scene to much hype and initial interest, but soon faded away when it transpired that the benefits over a regular forum or marketplace were minimal. No one wants to be the first to try something, for fear of failure. This rings true in our day-to-day lives, but is executed viciously in the cybercriminal community, where you live or die by the implementation of your idea. If you strike it right, you can achieve glory, but if you fail miserably, your name will be vilified.
- Forums are inherently conservative. Forum users are highly resistant to change, and if an idea doesn’t strike a chord with the audience, it’s likely to fail. For example, the members of the Russian-language forum Exploit complained when the site administrators introduced changes to the site’s format and the site engine, even though proposed changes were designed to enhance the site’s security. Paradoxically, reluctance to change contradicts most cybercriminals’ attitude to attack methodology and their inclination to embrace ingenuity. They want their home to be stable and reliable.
Nulled: Next Steps
At the time of writing, the Nulled app is very much in a beta stage, with the latest updates released in early April 2020. But with the developer’s ban from the forum, it’s not clear if the app will ever get released publicly. Accessibility and convenience can both be significant driving factors in the longevity and success of a forum and the uptake from its members. Still, these must not come at the cost of security and anonymity. Weighing up these considerations may ultimately determine whether a project is a success or a failure in the cybercriminal underground.
What we can say for sure is that this whole Nulled debacle suggests the forum is here to stay for the foreseeable future. Although its current format may adapt to suit an evolving society, the heartbeat of the cybercriminal community is drumming faster than ever.