April 18, 2024
When we review the ideal template for a successful cybercriminal forum, we are on the lookout for several key factors:
In the latter part of 2019, Digital Shadows (now ReliaQuest) became aware of another English-language forum entering the scene called Torigon. Although the forum remained on our radar throughout late 2019 into early 2020, we recently had to relent and cease trying to access the site following approximately ten weeks of inactivity, and admit that there was no more life in this forum. It had disappeared as quickly as it had appeared onto the cybercriminal scene. And although the forum was nothing special in terms of content or data exposure, it is interesting to dissect what can make or break a forum in the modern day.
In this blog, we review what Torigon forum was, provide an overview of its short tenure on the cybercriminal scene, and look at some of the reasons why Torigon and so many others fail to survive.
Torigon was an English-speaking forum that launched on 03 Sep 2019 with the self-proclaimed aim of connecting Russian- and English-speaking users so they could sell exploits, share malware samples, and discuss hacking and Internet security. The forum’s “About me” page stated the following:
“Torigon is a cyber security forum connecting Russian & English hackers. Torigon is open for everyone who can program, provide services, sell exploits, code malwares, believe in anonymity & strong darknet and also open for all those who want to learn alongside others, gain general information about hacking and internet security. The first version of Torigon was scrapped very fast but after a lot of work put by few people it is back to serve again. The main purpose of Torigon is to provide a platform for badass internet criminals to make cyber crime more easier & exploit their targets together.”
By early October 2019, the forum had attracted 650 members. However, the site was soon taken offline for unexplained maintenance work between mid-October 2019 and early November 2019.
Forums render themselves offline shortly after launching for several reasons:
In most cases, a forum releases a statement to explain its short-term absence to avoid the forum’s reputation and credibility being tarnished and prevent the spread of fear, uncertainty, and doubt (FUD). However, there was little indication that Torigon was concerned about a lack of engagement or explaining why it was inaccessible. The only sign of the forum’s return was a comment on 11 Nov 2019, added by a member of the Torigon administration team to a thread on Envoy stating that the forum was “waiting for good userbase to launch”. Even after Torigon’s return, its administrators failed to promote reasons why users should visit the forum, or share what they had planned and why Torigon’s offering differed from its competitors.
Considerable efforts are required to execute a successful forum launch. Torigon would have been no different, but little thought and consideration had gone into how the forum would develop following its creation or how it would attract new members. Perhaps the Torigon founders thought the hard work had already been done and that dark web users would flock to the service in a snowball effect due to so few active forums being able to compete with their “offering.” For a short time in December 2019, Torigon was listed on the dark web repository service “dark.fail.” However, it was soon removed after dark.fail’s owners determined that Torigon was no different in its premise than the already-established Torum platform.
In addition, Torigon had a partnership with the dark web community forum Envoy, likely to attract more members and provide ongoing updates. However, both Torigon and Envoy were targeted in DDoS attacks affecting the dark web community throughout the latter part of 2019 and early 2020, resulting in both platforms frequently being rendered offline. Although sporadic updates from the Torigon team or those affiliated with the forum did emerge on Envoy in January 2020 and March 2020 to state that the forum was still active, users’ level of interest was minimal.
A March 2020 communication by Envoy user “Lynda” was the last update identified by Digital Shadows (now ReliaQuest) on an external platform from a Torigon-affiliated member. This is likely due to Envoy suffering from further downtime relating to DDoS attacks and a recent CMS migration. Still, it also probably reflects a lack of interest among the Envoy membership in discovering what had happened to Torigon and an unwillingness by the Torigon team to continue to promote the service.
Digital Shadows (now ReliaQuest) cannot determine if the forum was close to disappearing around this time or not, but the forum likely carried on for a while before a decision was made to close its doors.
Interestingly, there has been little to no interest from other English-language forum users on platforms such as Torum, Dread, and Envoy in Torigon’s unexplained disappearance or even simple inquiries into its current status. This reflects the low level of interest the cybercriminal community had in the forum and its likely demise.
The exact reason behind Torigon’s disappearance remains unknown. We will examine some of the plausible explanations for Torigon’s failure, shining a light on some of the issues facing an up-and-coming dark web platform.
A platform’s ability to differentiate itself from the competition is a crucial element in success. From the get-go, Torigon set out to be a pioneer in the cybercriminal scene by attempting to bridge the gap between Russian- and English-speaking hackers. However, this has already been achieved to some extent–perhaps inadvertently–on currently-available Russian-language forums such as Exploit and XSS. While those platforms don’t appear to have made an active choice to attract more English speakers, the sites have softened their stance towards non-Russian-speakers. For example, Exploit has introduced an automated English-language registration system that makes it much easier for non-Russian speakers to join the site, perhaps to increase membership numbers and, consequently, forum profits. Torigon was, therefore, setting out to fill a gap that was in some ways already being addressed by much more established platforms. In addition, the forum announced a project to develop a GitHub-type platform for the dark web called “Torigit” shortly after it was launched in September 2019. However, this was soon abandoned when the administrators realized another platform was already fulfilling the project.
Torigon didn’t consistently engage and promote itself on other English-language forums like Torum, Envoy, and Dread. Although there was evidence of the Torigon administration team being active on Torum and Envoy, their communications were sporadic and were by no means an active advertisement for the platform. A post identified on Torum in January 2020 said that while Envoy, Dread, and Torigon were all affected by DDoS attacks, the latter would only make “2 and a half users unhappy lol”, likely implying that Torigon’s membership levels were very low and the forum was considered irrelevant. It is, therefore, likely that the forum failed to generate and sustain enough Internet traffic to gain any momentum and build upon user engagement and interaction with the service.
Following its launch in September 2019, the forum had only gained 650 members by October of that year and did not build further than this. Forum activity is dependent on both user engagement and an active administration team; it seems that the low levels of both of these elements in evidence on Torigon were not enough to entice new members to join continuously. A proactive stance on the forums mentioned above might have allowed Torigon to connect with the audiences active within those spaces and potentially garner further interest. Another factor possibly contributing to Torigon’s disappearance could have been the site’s inability to compete with other established platforms for user traffic operating in a similar space, including:
Although Torigon wanted to appeal to both English- and Russian-speaking cybercriminals, the site’s content was only written in English. Little attempt was made to cater to a non-English-speaking audience by providing translation services or even attempting to advertise the service on non-English-language cybercriminal forums. This language barrier likely led to a lack of take-up by Russian-speaking cybercriminals. Additionally, the Russian-speaking hacking community is notoriously suspicious of the English-speaking scene because of a complicated mix of factors such as past scamming activity, patriotism, and the instability of the English-language scene. The recent increase in the numbers of English-speaking members on these sites and the resultant shift in forum dynamics has led to many Russian-speaking users flatly refusing to deal with English speakers. This hostility towards English-speakers on Russian-based forums may have led to a widespread reluctance to embrace a forum stemming from the English-speaking community. This was evidenced on Envoy, when the Torigon administrator uploaded a post on 04 Jan 2020 stating that although Torigon was designed to bring together Russian and English hackers, their “Russian contacts had their own vested interested [sic], due to ideological differences, we denied to take their support.”
A new forum’s continuous investment in stability and usability is paramount to its success. Like all dark web services, the platform would have needed to adjust to scaling issues for membership numbers, address any software bugs affecting the accessibility of the service, and mitigate any potential attacks (e.g., DDoS) threatening the service’s availability. Fellow forums Dread and Torum have recently introduced a new CAPTCHA mechanism designed to reduce the scammer and DDoS activity affecting their services, and Envoy forum is currently upgrading its CMS infrastructure. The sustained DDoS attack Torigon experienced right at the beginning of its existence and then throughout its tenure affected both the accessibility and availability of the forum for prolonged periods. The forum team did not commit the required resources to show prospective members that they could combat such threats. It seems Torigon’s team bit off more than they could chew, and the forum likely became an afterthought when they realized the work involved in maintaining the site for little reward.
Therefore, after reflecting on the life of Torigon, we are no closer to knowing the real reason why the forum disappeared. However, the factors behind its closure had been building for some time, and ultimately its disappearance came as no surprise. Usually, a platform might cease to exist for one of the following reasons:
In Torigon’s case, it may have been a case of all three.
Although Torigon’s journey was short and sweet, it demonstrates the fluidity of the broader dark web community. Torigon is one of many platforms that have risen but fallen short of expectations. Although no one in the dark web community has the perfect recipe to succeed in a world full of stubborn personas, reliability concerns, and fragile credibilities, this blog has shown that there were some critical areas that Torigon’s founders failed to address that meant its downfall was almost inevitable. The small gap Torigon’s absence will leave will likely be filled just as quickly by another active service attempting to make an impact with its bold claims and promises.
But for now, it looks like Torigon is Tori-gone.