It’s often the case that a sequel to a great book or a remake of a once-popular TV series doesn’t generate the same enthusiasm or excitement as the original. Of course, there are well-known exceptions to this… For the movie fans out there, The Godfather Part II stands out as one example. More often than not, however, when a format tries to repeat its former glory it doesn’t quite live up to its predecessor.

This phenomenon can also be seen in the cybercriminal world, when a defunct dark web marketplace or cybercriminal forum attempts to return and replicate the notoriety of the original version of the platform. 

While the rest of the world has been busy dealing with the coronavirus pandemic, a once-key platform in the English-language cybercriminal underground may have been making a quiet comeback. Its return would really test whether a sequel can truly live up to—or even surpass—its predecessor in the criminal world.

The Return of KickAss

KickAss Banner Image

On 21 Dec 2020, a user called KickAss initiated a thread on the dark web community forum Dread to allege that the once-notorious dark web forum of the same name had returned following a substantial hiatus. KickAss said that the original forum had been taken offline intentionally in January 2019 following the increasing media and law enforcement attention brought to the platform by the actions of the ransomware collective, TheDarkOverlord

TheDarkOverlord was an active member of the forum at that time and had publicized their high-profile extortion attempt relating to legal documentation associated with the 9/11 terrorist attacks in the US. Although TheDarkOverlord ultimately failed in their attempt to profit from these sensitive documents, it appears the added spotlight on the site was enough to force the KickAss administrators to shut the doors of the formerly prominent hacking forum. 

Prior to its closure, KickAss was referred to on several occasions as the number one hacking forum in the English-language cybercriminal community, with hundreds of members contributing thousands of threads to an array of topics such as ransomware, exploits, data sharing, and card data offerings.

The announcement on Dread of KickAss’s return coincided with similar threads on other English-language dark web forums such as Torigon and RaidForums. All such announcements have been met with users expressing both delight at the site’s revival and suspicion as to the legitimacy of the new version of the service.

KickAss return
Figure 1: Dread post advertising KickAss’s return

What was the reception of the return of KickAss dark web forum?

Some have wondered whether KickAss 2 is a law enforcement honeypot attempt—an entrapment technique that involves creating a decoy version of a cybercriminal entity to gather compromising information about threat actors. But claims from both ex-members of KickAss and established members of sites such as Dread and Torigon indicate that KickAss’s return is legitimate. In fact, the language and tone used in the announcement of the forum’s return suggest it may even have been made by the well-known former administrator of KickAss.

When KickAss went offline in early January 2019, rumours of possible law enforcement action quickly circulated around the dark web. To this day, these claims have not been validated or confirmed. Therefore, it is too early to say whether the forum’s impromptu return is genuine or if it is a coordinated effort to trap unsuspecting users. 

The mixed reaction to KickAss’s return and continued uncertainty as to its credibility led us to wonder whether, in a world built upon dishonesty and manipulation, a platform can ever truly return to its former glory. We’ve been reflecting on historical attempts by dark web marketplaces and forums that have been shut down or rendered offline only to return at a later date under the same name or a rebrand.

Which cybercriminal forums and marketplaces have made a successful return?

Torigon Dark Web Forum

Torigon, another English-language dark web forum, was created September 2019 with the bold intention of unifying the Russian- and English-speaking cybercriminal landscapes.

Torigon’s founders stated:

“Torigon is a cyber security forum connecting Russian & English hackers. Torigon is open for everyone who can program, provide services, sell exploits, code malwares, believe in anonymity & strong darknet and also open for all those who want to learn alongside others, gain general information about hacking and internet security. The first version of Torigon was scrapped very fast but after a lot of work put by few people it is back to serve again. The main purpose of Torigon is to provide a platform for badass internet criminals to make cyber crime more easier & exploit their targets together.”

However, Torigon suffered from a severe lack of interest and dealings behind the scenes never coming to fruition. Following a sustained heavy DDoS attack, the administration team seemingly thought it best to take the forum offline completely in Mid-May 2020 in the hope that the attack would disappear. Unfortunately, this proved not to be the case: Soon after the site’s revival in August 2020, it was once again subjected to the same attack. However, fast-forward a couple of months and, following some work in the backend, the forum is now growing steadily within the English-language criminal underworld and is starting to gain the momentum it never really achieved the first time round.

Figure 2: Torigon post explaining the forum’s hiatus

Altenen Cybercriminal Forum

Altenen initially started out as an Arabic-language cybercriminal forum and morphed into an English-language carding-focused platform in 2013. After several cyberattacks, Altenen went offline in either late 2016 or early 2017 before the forum administrator resurrected the site in June 2018. Since then, the platform appears to have attracted users from across the globe and has experienced a steady increase in forum membership, though multiple users within the cybercriminal community have described it as a scam site..

XSS Cybercriminal Forum

XSS is a recent rebranding of the previously long-standing Russian-language cybercriminal forum DamageLab, one of the first Russian-language cybercriminal forums to be established. DamageLab in its original incarnation closed down to protect its users from investigation when its administrator had a run-in with law enforcement. Now run by a former administrator of the popular Russian-language cybercriminal forum Exploit, XSS is well regarded within the cybercriminal scene and features discussions and commercial activity relating to several fields, including malware, spam, exploits, vulnerabilities, carding, access sales, and credential databases

Figure 3: XSS’s forum banner showing its Christmas customization

And which failed to make a comeback?

Silk Road 2.0 Dark Web Marketplace

The administrators who helped launch and maintain the original Silk Road platform, which was the dark web’s number 1 marketplace in its heyday, created the dark web marketplace Silk Road 2.0 in November 2013. The administration team recreated Silk Road’s original set-up and promised improved security. However, just a month later, it was reported that three administrators had been arrested for their alleged roles as moderators on the original platform, which law enforcement agencies had shut down in October 2013. An administrator called Defcon maintained Silk Road 2.0 until its eventual seizure by law enforcement in November 2014.

Figure 4: Silk Road’s marketplace banner

Dark0de Cybercriminal Forum

The original Dark0de forum was a big hub in the cybercriminal community that collected together prominent hackers who had to undergo a rigorous registration process to obtain access to the site. It facilitated trade in malware, zero-day exploits, rentable botnets, and access to compromised servers. Following the site’s high-profile takedown by law enforcement in July 2015, one administrator who had managed to evade capture relaunched the forum under the same branding just ten days after the shut-down of the first. However, due to a number of security and poor configuration issues on the revised forum, the revived platform failed to gain anywhere near the traction attained by its older sibling. It died off when it became clear that the cybercriminal community had no trust in the forum and how it was being run.

Dark0de Forum Banner
Figure 5: Dark0de’s forum banner

Hell Reloaded Cybercriminal Forum

The hacking forum Hell Reloaded was created in late 2015 in response to the alleged law enforcement shut-down of the forum’s predecessor, ‘Hell’. Hell had gained popularity as a hub for hacking activity but was undone by its publication of 4 million user accounts for “Adult Friend Finder”. The resulting media attention quickly led to the site’s shut down by law enforcement in July 2015. A few months later, the forum was back online under the branding Hell Reloaded. However, suspicions that the forum was a honeypot were soon raised, because the registration process was opened to the public and the original site founder was notably absent. Hell Reloaded later went offline likely as a result of the increased suspicions surrounding it and a notable lack of traction.

Do cybercriminal forums and dark web marketplaces pose a threat to your organization?

It remains to be seen whether the new KickAss will return to its self-made claim of being “the number 1 english hacking forum”, or whether rumours and suspicions about law enforcement will continue to keep the community and its trust away from the forum. It is still within the realm of possibility that the forum administrator genuinely took the forum offline back in 2019 and waited for media attention to subside before attempting to bring the forum back online. And with a small number of well-known dark web threat actors backing up the new version’s claims to legitimacy, there might just be enough impetus for the forum community to grow once again. 

But, as we’ve seen with other attempted forum resurrections, associations with law enforcement can be hard to shift, and we wouldn’t be surprised if the forum struggles to attain the same popularity it once garnered before its impromptu shut down.

Despite the uncertainty of KickAss’s life cycle, it’s sure that there will always be cybercriminals on the lookout to exploit your organization’s digital footprint. Security professionals should take a proactive approach to detect data loss before it is leaked to the wrong places, as well as monitoring the cybercriminal forums and marketplaces for mentions of their company name or postings of sensitive data or credentials for sale.

To see how Digital Shadows (now ReliaQuest) helps monitor your organization’s digital footprint to protect against digital risks, try Search Light (now ReliaQuest GreyMatter Digital Risk Protection) for free now.

Additionally, get our research report on How Cybercriminals Monitor Our Online Exposure with a growing market for network accesses, stolen documents, and extortion guide, alongside practical tips for mitigation.