As we highlighted in our recent blog on Cybercriminal Law Enforcement Crackdowns in 2021, this year has been a busy one in terms of security services disrupting the cybercriminal underground, with dark web marketplaces taken down, malware operators arrested, and major ransomware groups disrupted. These activities got us thinking about how cybercriminals view the possibility of law enforcement operations, which are an ever-present shadow hanging over any threat actor conducting malicious activity. How worried are cybercriminals about the prospect of being arrested? Does it deter threat actors from committing cybercriminal acts, or do the potential lucrative payouts outweigh the perceived risks? We visited a few cybercriminal forums to gather clues and report on the cybercriminal perspective on arrest, prosecution, and incarceration.

Evasion: How Do Cybercriminals Take Preventative Measures?

Personal OPSEC

The ever-increasing number of threads on cybercriminal forums discussing operational security (OPSEC) practices suggests that avoiding detection by law enforcement is a subject at the forefront of many threat actors’ minds. Of course, the best way to evade arrest is to not be suspected in the first place. Regardless of their language community, forum users are constantly chatting about ways to stay anonymous and sharing recommendations for the best techniques to avoid their real-life identities being linked to their online activity. We observed numerous threads discussing aspects of operational security, ranging from which Jabber servers are the best to virtual and physical practices for securing data. Such threads generate a good deal of debate, and discussion frequently becomes heated and absolutist. 

For instance, one common topic of discussion is hard drive encryption or erasing. One forum user remarked that without proper measures, law enforcement “will find whatever takes their fancy.” Another said, “Also, at the moment, there are opportunities and mechanisms available that make it possible to deny the presence of encrypted data plausibly.” While many forum members expressed confidence that such measures would be enough to avoid ending up on law enforcement’s radar, others were not sure. One user quipped, “if it were all as simple as that, then major [cybercrime] cases would never be solved.” 

Taking Care When Working With Others

The risks of working with others also came up frequently. One typical post read, “you can’t have friends on the darknet.” It continued: “restrict communication to work,” and warned: “You’ve got to understand that the majority [of people on the dark web] will sell you out.” Yet, we also found comments from users claiming they had made friends on cybercriminal forums. It’s a catch-22 situation: You can’t develop a solid cybercriminal career without working with others, but collaboration threatens this career if your counterpart isn’t as meticulous as you. Added to this is the risk that once an associate has been captured, they could try to save their skin by informing law enforcement on others. One user noted, “don’t think that you’re too smart [to get caught], if serious players have already given you up, then it’s too late for VPNs and passwords.” The saying “a chain is only as strong as its weakest link” comes to mind…

Figure 1: Advice about making friends on the dark web

Erasing the Past

While we may worry about new friends stumbling upon embarrassing pictures of us on social media captured during our formative years, cybercriminals have to worry about what they did when first starting out. Mistakes made in the early days of a cybercriminal career are hard—or, in some cases, impossible—to amend. Many a threat actor’s downfall stemmed from poor OPSEC practices when they first decided to don the black hat, such as using a spouse’s email address, forgetting to mask their IP, or letting their real name and address slip. And once you realize your mistake, it might be too late. We previously blogged on cybercriminals’ frequent inability to delete old forum accounts containing potentially incriminating evidence. We even saw one thread in which a user requested that their account be deleted because they had been arrested. 

Figure 2: Request that forum account be arrested following arrest
Figure 2: Request that forum account be arrested following arrest

Selective Choice of Victims

One often-quoted tenet of the Russian-speaking cybercriminal community is that law enforcement will leave you alone if you do not target victims in former Soviet Union nations. For instance, one forum user said: “If you’re working on the Russian Federation, then [law enforcement will] hunt you down, but if you’re working on the EU or the US, then nothing will happen, no one will care.” 

Figure 3: Comment about law enforcement’s pursuit of cybercriminals targeting Russia
Figure 3: Comment about law enforcement’s pursuit of cybercriminals targeting Russia

While the involvement of Ukrainian police in the recent takedown of Emotet by Dutch law enforcement and international partners suggests that this rule may not be foolproof, the popularity of this view on cybercriminal forums is telling. This leads us to another aspect threat actors have to worry about: foreign travel. 

Avoiding Foreign Travel

I’m betting that you’ve spent a fair bit of time daydreaming about your next holiday destination once the world returns to “normal.” The sky’s the limit for us, but cybercriminals may only want to go as far as the border. The advice “a Russian resort is better than a US prison” is frequently touted on forums to dissuade threat actors from traveling abroad. Many in the Russian-language cybercriminal scene understand that while their governments might leave them alone, they would not be so lucky when venturing abroad. One user commented: “[these hackers] live peacefully in Russia, decided to go on holiday abroad – and that’s it, they don’t even make it out of the airport without the cuffs on.” Perhaps the cybersecurity adage of “Hackers only need to get it right once; we need to get it right every time” works both ways—just one momentary slip up in any part of a threat actor’s life can haunt them forever.

Detention: What Is the Worst That Could Happen?

So how do cybercriminals rate their chances of being let go once there’s a target on their back? Well, there is little chatter about being arrested in the English-language scene due to English-language forums’ fickle reputation—English-language platforms are frequently disrupted or taken down by law enforcement. In addition to this, there are numerous allegations of English-language forums and marketplaces becoming law enforcement honey pots. It’s a less trusting environment than Russian-language forums, on which users talk more freely about law enforcement practices, sharing anecdotes of arrests and incarceration.

Most cybercriminals doubt they could wriggle out of detention once the cops are at the door. One user wrote that “[putting] bars on your windows and doors” would give cybercriminals “more security than dual VPNs, TORs, etc.” Threat actors also frequently refer to the “human factor”—no matter how good password encryption practices are, the police will access cybercriminals’ information “sooner or later.” Some commenters on Russian-language forums held that law enforcement would “stop at nothing” to get information, even sharing graphic anecdotes about police torture. Many posts asserted that cybercriminals, unlike other types of law-breakers, would not be able to sustain physical punishment. One user alleged that the police would “catch you,” then “‘treat’ you with a stun gun and spell out what’s in store for you […] if you don’t give up all your passwords”. They concluded, “like a nice dear you’ll give them up.” 

Other users disagreed, saying that while the police may threaten violence, such threats were empty and that “only an idiot would fall for the cops’ bluff.” Some refuted the idea that law enforcement in the former Soviet Union would even threaten violence to get past encryption, saying that the police aren’t interested in such crimes as long as there’s no “public threat to life.” One remarked, “people don’t get tortured for having unlicensed Windows on a disk in their wardrobe.” Despite the lack of agreement on this issue, the possibility of violence from police following arrest is a clear worry for many cybercriminals. 

Figure 4: User recounting experiences of acquaintances who were allegedly tortured by police
Figure 4: User recounting experiences of acquaintances who were allegedly tortured by police

Prosecution: What Are the Odds?

So, poor OPSEC has led to a cybercriminal’s arrest and detention. The cops have all their computers… What happens next?

Some in the cybercriminal community are pretty bullish about the prospect of actually being convicted of any crime. For instance, we found one comment claiming that if any dark web site were compromised, this would only provide law enforcement “the [mere] prospect of identifying entities and facts concerning illegal activities; in fact, little can be used in court even if you post about the sale of malware, installs, etc., there can be no proof that it was really you who wrote them.”

Whatever the truth of this view, it’s true that for many cybercriminals who await trial, the legislation simply hasn’t caught up with the nature of the crimes they’ve committed. Conviction rates for cybercrime in Russia have fallen in recent years. Even in Western countries like the US, it’s notoriously challenging to convict cybercriminals compared to, say, those accused of offline theft or drug dealing. The burden of proof may be much higher, and the specificities of the crime are often too complex for members of the courts to understand, particularly if they don’t have a background in cybersecurity. 

Figure 5: User expressing confidence in law enforcement’s inability to use evidence against cybercriminals
Figure 5: User expressing confidence in law enforcement’s inability to use evidence against cybercriminals

We also found many comments from Russian-speaking cybercriminals who took great comfort in the belief that law enforcement and the courts could be corrupted. Many users spoke about needing to save funds to bribe the right individuals and provided anecdotes of personal experiences of evading prosecution through paying people off. The value of a “motivated and trusted” lawyer is recognized throughout the cybercriminal community. This was seen as even more critical in countries where the courts may be more susceptible to financial influence. As one user put it, “a good lawyer knows the law, a better one knows the judge.” For all the talk of bulletproof OPSEC practices and blasé attitudes towards the police and the courts, in the world of cybercriminality the idea of arrest can never be ignored. Otherwise, they can look forward to, as one user put it, “housing and three meals a day” at the government’s expense. 

Always On My Mind… 

Despite confidence in bribing law enforcement and the appallingly low conviction rates worldwide, threat actors continue to actively discuss ways to avoid detection, dissecting where convicted threat actors went wrong, and sharing post-arrest experiences. This constant chatter suggests that the threat of prosecution is very real in the minds of cybercriminals. 

This debate shows us that, like the organizations they target, cybercriminals must always have one eye on their security practices. There are so many things for them to worry about and ways they can slip up. It must be pretty tiring. Threat actors must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them. Digital Shadows (now ReliaQuest) monitors threat actor activity across the cybercriminal landscape, providing unique insights to help organizations understand the nature of the threat actors looking to get access to their assets. If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.