April 25, 2024
While there have been many predictable consequences of the ongoing global COVID-19 (aka coronavirus) pandemic, few would have foreseen significant growth for multiple cybercriminal forums. Digital Shadows (now ReliaQuest) has observed forums being stretched at the seams due to their newfound pandemic popularity. In retrospect, it’s not that surprising: The coronavirus has placed enormous economic pressure on millions of people worldwide. It’s not illogical to surmise that some individuals may have turned to cybercrime to plug holes in their finances.
In April 2020, the administrator of the English-language cybercriminal forum Nulled announced that the site was recruiting two new “trials moderators” to help the current forum team cope with Nulled’s recent growth. The administrator’s post stated that the Nulled community was “especially growing rapidly during COVID-19”, meaning that the site “require[s] additional assistance.”
Also in April 2020, another English-language cybercriminal forum, CrackedTO, made almost the same plea. The near-identical post from CrackedTO’s administrator cited unspecified “recent events,” rather than naming the pandemic, as a cause of the site’s growth that has necessitated hiring new trials moderators for the site.
This development is interesting in itself. It seems that cybercriminal forums—like pretty much everything else in life—will be permanently altered by the effects of COVID-19. We will watch closely to see whether Nulled and CrackedTO’s increasing prominence changes the dynamics of the constantly shifting English-language cybercriminal scene.
The recruitment calls got us thinking more broadly about the whole concept of hiring moderators for forums and the varying ways different sites go about recruiting team members.
Many cybercriminal forums operate a formalized system in which rank and responsibility are distributed in a pyramid-like structure. At the top of the heap is the administrator: Usually, this is the individual responsible for founding the site. However, forums have changed hands on several occasions in recent years (most notably the change of administration on the Russian-language cybercriminal forum Exploit in 2018). Site administrators exercise varying levels of control over or involvement in the communities they manage, with some only engaging in top-level discussions and decisions and others participating in the minutiae of everyday forum life.
Especially on the larger and more active sites, overseeing the day-to-day activity of the forum is delegated to several forum moderators, with some sites operating subdivisions within the moderation team. For example, on Exploit, four “special moderators” have particularly significant responsibilities on the site, such as acting as the arbitrator in the forum arbitration section, fulfilling a technical support role, and arranging payment for advertisements on the site. Below these four special moderators are several other moderators who each assume responsibility for one or more forum subsections.
While moderators’ particular taskings vary across forums, these individuals are generally responsible for enforcing forum regulations, issuing warnings or bans to members following rule infractions, answering forum users’ questions, moving content into more appropriate subsections, deleting “empty” posts with no meaningful content, looking out for and eliminating potentially damaging scamming activity, and—in somewhere like the Arbitration section, which may have a set template for new threads—ensuring that users’ content follows the expected form.
Moderators’ prestige, ranking, rights, and power also differ between cybercriminal forums. On the Russian-language forum Antichat, for example, moderators do not have the right to respond to user posts with insults or jokes; they must remain silent if they are offended by another forum member. In contrast, on Exploit, moderators are particularly powerful: The forum rules state that moderators’ opinions and judgments cannot be questioned and that users who do so risk a complete forum ban. On the English-language dark web community forum Dread, site rules also emphasize the sanctity of moderators’ decisions: “Do not cry to the global mods if your post gets removed by a subdread mod because you broke their rules. I can say with 100% certainty that if the post is removed by a subdread mod there is not a single case of it ever coming back because we got cried to.” Even so, moderators are not untouchable or infallible: In March 2020 a forum moderator and guarantor operating on Exploit and another Russian-language forum, XSS, was banned from both forums following unspecified financial difficulties that saw them fail to pay parties in the deals in which they were acting as guarantor.
Not all forums operate such formalized moderation structures. For example, the English-language forum Torum does have a moderation system and personnel assigned to carry out certain duties (e.g. banning users or operating the escrow service), but for a forum of its size and reputation, moderation on the site is not apparent, and plenty of rule-breaking activity remains unflagged. It is usually down to those members with a higher status and reputation on the platform to initiate procedures to get forum members banned or threads removed. The reason for Torum’s lack of emphasis on moderation is unclear. However, it may be connected to Torum’s avowed status as a non-profit site: Its owners’ fortunes are not linked with the forum’s success.
The process for recruiting new moderators is relatively formalized on most cybercriminal platforms. Generally, it involves interested individuals submitting a written application detailing their experience, enthusiasm, and knowledge of the forum. Let’s take a look at how five popular cybercriminal platforms hire their site help, and what the forums expect from those who apply.
Nulled and CrackedTO’s moderator recruitment
The aforementioned advertisements on Nulled and CrackedTO sought “trials moderators” who would help “maintain peace on the forum and help it grow even more.” According to the posts, trials moderators should be able to dedicate a “decent amount of time” daily to “assist users” and “enforce the rules.” The posts stipulated that trials moderators should spend at least 30 to 60 minutes daily solving “forum reports.”
The advertisements emphasized the need for trials moderators to be “friendly,” “approachable,” and able to use their initiative. The Nulled post listed the specific duties of the role as:
Applicants on CrackedTO would also have to “Clean the forum from malware and spam.” Interested users were directed to send applications to the forum administrator via forum private message and encouraged to upload PDF documents via WeTransfer if necessary.
XSS’s moderator recruitment
In September 2019, the XSS administrator initiated the site’s recruitment drive for moderators, calling for “young, energetic, serious people” to help moderate the forum’s off-topic section. The post noted that the moderator role was accompanied by “a number of responsibilities and privileges,” adding “the position is serious.” Aspiring moderators should have:
The administrator’s post discouraged users from applying who were only interested in a green username (the distinguishing sign of a moderator on the site) or the authority they would gain from the position. Instead, they said applicants should be driven by “credibility, respect, trust, and a circle of interesting acquaintances.” Interested users were directed to leave their applications as a reply to the administrator’s post, via forum private message, or through the messaging service Jabber. Although no newly vacant forum moderator positions have been advertised since the administrator’s initial post, several users have expressed a desire to be considered for the role, most recently on 26 May 2020.
Exploit’s moderator recruitment
The moderator recruitment thread on Exploit has been active since February 2005. In this thread, the Exploit administrator highlighted several aspects of the site’s recruitment process:
In the years since the thread’s inception, the site administrator has posted several times to call for new applicants. For example, in 2018, they called for “sensible, honest, competent people” for unspecified forum sections. Interestingly, one of the administrator’s posts from 2017 revealed that, at the time, individuals were writing to them almost every day to express interest in a moderator position but that the application rarely progressed beyond the initial conversation as most users only cared about the “prestige.”
RaidForums’s moderator recruitment
A 2016 post from the administrator of the popular English-language cybercriminal forum RaidForums outlined the requirements for moderators that are still applicable for current moderator applications in the site’s dedicated section. The post noted that the site is “always looking for new staff members, but the requirements are high and few are cut out for the job,” adding that being a staff member is a “long term commitment, and not many people realize what they are getting into.”
Applicants would need to:
Cybercriminal forums, particularly in different language communities, often take varying approaches to forum organization and structure issues. Some of the central tenets of many Russian-language platforms, for instance, are not present in the English-speaking cybercriminal community – think formalized arbitration processes complete with judge, jury, and compensation. What’s interesting about the moderation system is that the five very different forums we have taken as case studies place a similarly high emphasis on the importance of the moderator role within forum life. They have all implemented a lengthy and involved process to ensure success in moderator recruitment drives. Another point to note is the elements of the recruitment advertisements that come up again and again: the importance of devoting a significant chunk of time to the role, the requirements for applicants to have a thorough knowledge of the section, and the perceived prestige associated with the role. Most also emphasized that these positions are unpaid!
Recruiting new team members and finding the right individuals to take on the moderator role is accorded great importance within the cybercriminal landscape. Starting the recruitment process would require a lot of the forum team’s time and effort. Given this, plus the significance of these appointments, a site’s decision to recruit new moderators, change its application process, or fire existing team members would not be taken lightly. Therefore, the moderator recruitment process could be viewed as a subtle bellwether for the changing circumstances of a particular forum and the cybercriminal scene more widely. Maybe opening up applications hints that something more is at play – perhaps it presages significant changes within the community.