When we review the ideal template for a successful cybercriminal forum, we are on the lookout for several key factors:

  • A platform that can differentiate itself from the crowd
  • A knowledgeable and driven administration team
  • The ability to ensure the platform remains available and accessible, come what may

In the latter part of 2019, Digital Shadows (now ReliaQuest) became aware of another English-language forum entering the scene called Torigon. Although the forum remained on our radar throughout late 2019 into early 2020, we recently had to relent and cease trying to access the site following approximately ten weeks of inactivity, and admit that there was no more life in this forum. It had disappeared as quickly as it had appeared onto the cybercriminal scene. And although the forum was nothing special in terms of content or data exposure, it is interesting to dissect what can make or break a forum in the modern-day. 

In this blog, we review what Torigon forum was, provide an overview of its short tenure on the cybercriminal scene, and look at some of the reasons why Torigon and so many others fail to survive.

Torigon forum

What was Torigon?

Torigon was an English-speaking forum that launched on 03 Sep 2019 with the self-proclaimed aim of connecting Russian- and English-speaking users so they could sell exploits, share malware samples, and discuss hacking and Internet security. The forum’s “About me” page stated the following:

“Torigon is a cyber security forum connecting Russian & English hackers. Torigon is open for everyone who can program, provide services, sell exploits, code malwares, believe in anonymity & strong darknet and also open for all those who want to learn alongside others, gain general information about hacking and internet security. The first version of Torigon was scrapped very fast but after a lot of work put by few people it is back to serve again. The main purpose of Torigon is to provide a platform for badass internet criminals to make cyber crime more easier & exploit their targets together.”

Overview of Torigon’s tenure

By early October 2019, the forum had attracted 650 members. However, the site was soon taken offline for unexplained maintenance work between mid-October 2019 and early-November 2019.

Forums render themselves offline shortly after launching for several reasons: 

  1. Essential forum maintenance works
  2. A switch in key personnel in the administration team
  3. Sustained cyber attacks preventing member access to the forum
Envoy users enquiring about the status of Torigon
Envoy users enquiring about the status of Torigon

In most cases, a forum releases a statement to explain its short-term absence to avoid the forum’s reputation and credibility being tarnished and prevent the spread of fear, uncertainty, and doubt (FUD). However, there was little indication that Torigon was concerned about a lack of engagement or explaining why it was inaccessible. The only sign of the forum’s return was a comment on 11 Nov 2019, added by a member of the Torigon administration team to a thread on Envoy stating that the forum was “waiting for good userbase to launch”. Even after Torigon’s return, its administrators failed to promote reasons why users should visit the forum, or share what they had planned and why Torigon’s offering differed from its competitors. 

Torigon’s admin announcing the site was back online following unexplained downtime
Torigon’s admin announcing the site was back online following unexplained downtime

Considerable efforts are required to execute a successful forum launch. Torigon would have been no different, but little thought and consideration had gone into how the forum would develop following its creation or how it would attract new members. Perhaps the Torigon founders thought the hard work had already been done and that dark web users would flock to the service in a snowball effect due to so few active forums being able to compete with their “offering.” For a short time in December 2019, Torigon was listed on the dark web repository service “dark.fail.” However, it was soon removed following a decision by dark .fail’s owners that determined Torigon was no different in its premise than the already-established Torum platform.

In addition, Torigon had a partnership with the dark web community forum Envoy, likely to attract more members and provide ongoing updates. However, both Torigon and Envoy were targeted in DDoS attacks affecting the dark web community throughout the latter part of 2019 and early 2020, resulting in both platforms frequently being rendered offline. Although sporadic updates from the Torigon team or those affiliated with the forum did emerge on Envoy in January 2020 and March 2020 to state that the forum was still active, users’ level of interest was minimal. 

A March 2020 communication by Envoy user “Lynda” was the last update identified by Digital Shadows (now ReliaQuest) on an external platform from a Torigon affiliated member. This is likely due to Envoy suffering from further downtime relating to DDoS attacks and a recent CMS migration. Still, it also probably reflects a lack of interest in the Envoy membership to discover what had happened to Torigon and an unwillingness by the Torigon team to continue to promote the service.

Torigon affiliated member announcing on Envoy that the site was active in March 2020 following a DDoS event
Torigon affiliated member announcing on Envoy that the site was active in March 2020 following a DDoS event

Digital Shadows (now ReliaQuest) cannot determine if the forum was close to disappearing around this time or not, but the forum likely carried on for a while before a decision was made to close its doors.

Interestingly, there has been little to no interest from other English-language forum users on platforms such as Torum, Dread, and Envoy in Torigon’s unexplained disappearance or even simple inquiries into its current status. This reflects the low level of interest the cybercriminal community had in the forum and its likely demise.

So why did Torigon fail?

The exact reason behind Torigon’s disappearance remains unknown. We will examine some of the plausible explanations for Torigon’s failure, shining a light on some of the issues facing an up-and-coming dark web platform.

Lack of differentiating features

A platform’s ability to differentiate itself from the competition is a crucial element in success. From the get-go, Torigon set out to be a pioneer in the cybercriminal scene by attempting to bridge the gap between Russian- and English-speaking hackers. However, this has already been achieved to some extent–perhaps inadvertently–on currently-available Russian-language forums such as Exploit and XSS. While those platforms don’t appear to have made an active choice to attract more English speakers, the sites have softened their stance towards non-Russian-speakers. For example, Exploit has introduced an automated English-language registration system that makes it much easier for non-Russian speakers to join the site, perhaps to increase membership numbers and, consequently, forum profits. Torigon was, therefore, setting out to fill a gap that was in some ways already being addressed by much more established platforms. In addition, the forum announced a project to develop a GitHub-type platform for the dark web called “Torigit” shortly after it was launched in September 2019. However, this was soon abandoned when the administrators realized another platform was already fulfilling the project.

Torigon admin updating Envoy community that they abandoned their Torigit project
Torigon admin updating Envoy community that they abandoned their Torigit project

Lack of user traffic

Torigon didn’t consistently engage and promote itself on other English-language forums like Torum, Envoy, and Dread. Although there was evidence of the Torigon administration team being active on Torum and Envoy, their communications were sporadic and were by no means an active advertisement for the platform. A post identified on Torum in January 2020 said that while Envoy, Dread, and Torigon were all affected by DDoS attacks, the latter would only make “2 and a half users unhappy lol”, likely implying that Torigon’s membership levels were very low and the forum was considered irrelevant. It is, therefore, likely that the forum failed to generate and sustain enough Internet traffic to gain any momentum and build upon user engagement and interaction with the service. 

Following its launch in September 2019, the forum had only gained 650 members by October of that year and did not build further than this. Forum activity is dependent on both user engagement and an active administration team; it seems that the low levels of both of these elements in evidence on Torigon were not enough to entice new members to join continuously. A proactive stance on the forums mentioned above might have allowed Torigon to connect with the audiences active within those spaces and potentially garner further interest. Another factor possibly contributing to Torigon’s disappearance could have been the site’s inability to compete with other established platforms for user traffic operating in a similar space, including:

  • Torum
  • RaidForums
  • CryptBB
  • Exploit
  • XSS
Torum user indicating that Torigon was affected by a DDoS event in Jan 2020

Lack of engagement from the Russian side

Although Torigon wanted to appeal to both English- and Russian-speaking cybercriminals, the site’s content was only written in English. Little attempt was made to cater to a non-English-speaking audience by providing translation services or even attempting to advertise the service on non-English-language cybercriminal forums. This language barrier likely led to a lack of take-up by Russian-speaking cybercriminals. Additionally, the Russian-speaking hacking community is notoriously suspicious of the English-speaking scene because of a complicated mix of factors such as past scamming activity, patriotism, and the instability of the English-language scene. The recent increase in the numbers of English-speaking members on these sites and the resultant shift in forum dynamics has led to many Russian-speaking users flatly refusing to deal with English speakers. This hostility towards English-speakers on Russian-based forums may have led to a widespread reluctance to embrace a forum stemming from the English-speaking community. This was evidenced on Envoy, when the Torigon administrator uploaded a post on 04 Jan 2020 stating that although Torigon was designed to bring together Russian and English hackers, their “Russian contacts had their own vested interested [sic], due to ideological differences, we denied to take their support.”  

Torigon admin stating that the forum had “ideological differences” with their Russian counterparts
Torigon admin stating that the forum had “ideological differences” with their Russian counterparts

Lack of committed resources

A new forum’s continuous investment in stability and usability is paramount to its success. Like all dark web services, the platform would have needed to adjust to scaling issues for membership numbers, address any software bugs affecting the accessibility of the service, and mitigate any potential attacks (e.g., DDoS) threatening the service’s availability. Fellow forums Dread and Torum have recently introduced a new CAPTCHA mechanism designed to decrease scammer and DDoS services affecting the service, and Envoy forum is currently upgrading its CMS infrastructure. The sustained DDoS attack Torigon experienced right at the beginning of its existence and then throughout its tenure affected both the accessibility and availability of the forum for prolonged periods. The forum team did not commit the required resources to show prospective members that they could combat such threats. It seems Torigon’s team bit off more than they could chew, and the forum likely became an afterthought when they realized the work involved in maintaining the site for little reward.

 Torum users attempting to gain access
Envoy users attempting to gain access
Examples of forum users on Envoy and Torum attempting to gain access to the forum

Therefore, after reflecting on the life of Torigon, we are no closer to knowing the real reason why the forum disappeared. However, the factors behind its closure had been building for some time, and ultimately its disappearance came as no surprise. Usually, a platform might cease to exist for one of the following reasons:

  • Not enough users are joining and contributing to the forum to justify running costs
  • The incapacitation of one or all of the administration team through injury, death, or law-enforcement involvement
  • The forum has simply been abandoned

In Torigon’s case, it may have been a case of all three.

Although Torigon’s journey was short and sweet, it demonstrates the fluidity of the broader dark web community. Torigon is one of many platforms that have risen but fallen short of expectations. Although no one in the dark web community has the perfect recipe to succeed in a world full of stubborn personas, reliability concerns, and fragile credibilities, this blog has shown that there were some critical areas that Torigon’s founders failed to address that meant its downfall was almost inevitable. The small gap Torigon’s absence will leave will likely be filled just as quickly by another active service attempting to make an impact with its bold claims and promises. 

But for now, it looks like Torigon is Tori-gone. 

Interested in learning more about how we monitor for risks on the dark web for our clients? Check out more information below.