It’s easy to fall into the trap of thinking about cybercriminal forums as purely transactional platforms; environments in which cut-throat threat actors strive ruthlessly to obtain the best prices for their illicit goods and services, affording little attention to social niceties or interactions beyond anything commercial. We threat researchers write about cybercriminals in the abstract, using the pronoun “they” to cover uncertainty about a user’s gender and assigning likelihood percentages for assumed motivations and possible future activities. 

Yet every now and again, we read news about a cybercriminal being arrested, see images of people in courtrooms, and hear names, dates of birth, and occupation details. As recently as 22 Sep 2020, news broke that a United Kingdom national accused of being a member of “The Dark Overlord” threat group had been sentenced to five years in federal prison in the US. Or we might come across a forum post describing a user’s struggles with COVID-19 or their dispute with a neighbor. This observation uncomfortably jolts us into remembering that these anonymous usernames belong to real-life individuals with their own circumstances, personalities, and reasons for getting involved with a cybercriminal platform. 

We decided to explore four main themes via which threat actors’ personalities or real-life identities are expressed on cybercriminal forums, providing examples we’ve observed over the years. This first blog will look at gender and nationality, while the second in the series will examine morality and forum dynamics. 


Cybercriminal forums appear to be overwhelmingly male-dominated. We have seen users comment that even if females are present on cybercriminal forums, they hide their gender and pretend to be male, so they do not attract unwanted attention. There are numerous examples of sexism and misogyny on cybercriminal forums. Many of these displays contribute to an overly masculine atmosphere that is hostile toward women and might explain why female cybercriminals could feel uncomfortable revealing their true identities.

Negative representations of women

In 2019 a user on the Russian-language cybercriminal forum Exploit initiated a thread in which they posited that all world problems originate from women and that all wars started because of women. If adequately “controlled,” they continued, a woman could be an “angel”, but would be “a messenger from hell” if left to run riot. In the ensuing discussion, although forum members expressed views on both sides of the argument, they posted images such as a woman ready to eat a brain on a plate, with the caption “A woman’s favourite dish.” 

An image posted by Exploit user in a debate about women

Also in 2019 one Exploit user initiated a thread to wish women a happy 8 March (International Women’s Day, celebrated as a holiday in Russia). A later respondent to the thread specifically called out the fact that two users had replied, “thank you,” saying, “It’s more interesting to me why [they] wrote ‘thank you.’” Another user commented, “Clearly we don’t know anything about them.”

Exploit Post
Exploit post sending 8 March wishes

In July 2020 a user on the Russian-language cybercriminal forum XSS organized a contest with a prize fund of $250 to be awarded to the user who posted in the thread with the best naked picture of a female torso. Thus far, the competition has proven popular, with multiple entries submitted, many of which were sexual or pornographic. 

Positive representations of women

On the flip side, back in 2017, an Exploit user proposed establishing a charitable fund on the forum to allow users to donate to good causes and earn good “karma” to atone for their illicit activities. The difficulty, the post said, would be finding someone to run the scheme whom the other forum members trusted. The user concluded that “a girl” would be the best candidate — echoing the widely-held idea on cybercriminal forums that female users are inherently more trustworthy. 

Exploit Charity Post

More recently, July 2019 saw the launch of DarkMarket, an English-speaking “boutique marketplace” that claimed to be the first female-run cybercriminal market (note that this is not the same site as either the English-speaking marketplace that was shut down in 2008 or the Russian-speaking forum active since at least 2011). This launch was undoubtedly the first time we’d observed this sort of approach from marketplaces and exemplifies cybercriminals trying to use their real-life attributes to differentiate themselves in a crowded ecosystem.


One of the most common ways in which threat researchers separate and distinguish between cybercriminal forums is to divide them by language or nationality communities. This division may seem counterintuitive in a globally connected world; a cybercriminal in China can just as easily target a victim in New York as a hacker in the southern United States can. Yet cybercriminal forum users congregate in communities with a common language, both because of the ease of communication and the shared values and rules. 

There is a very prevalent sense of nationality and nationalism on Russian-language cybercriminal forums in particular. We see frequent arguments about how much these forums should allow the use of English, with many users opining that non-Russian-speaking users should not be catered for and that those without Russian-language skills should be disadvantaged.

Use of English

An XSS user recently reinvigorated an old thread from 2012 to debate the issue of banning foreigners from signing up to the site by introducing questions during the registration process that could only be answered by Russian-speakers or those from the former Soviet Union (FSU). XSS users have expressed views on both sides of this argument, suggesting the community is divided on this issue. 

Old XX discussing working with English Spekers
Old XSS thread discussing working with English-speakers

The Russian-language LCP forum had a check-box option for users posting on threads to block English-speaking members from reading their replies. 

Several vendors on Russian-language sites even state within their posts that they will not deal with non-Russian-speaking buyers. One notable recent example of this is the Sodinokibi (aka REvil) ransomware team’s advertisements on Russian-language cybercriminal forums, in which they categorically refused to work with English-speakers. 

Exploit refusing to work with English Speakers
Post from the Sodinokibi ransomware team’s forum representative on Exploit refusing to work with English-speakers

Protecting former Soviet nations

Many Russian-language forums also ban targeting any nation within the FSU, likely out of a sense of solidarity and nationalism. In November 2019, the XSS forum administrator posted a manifesto against working on these countries, using the typical shorthand “RU” to refer to Russian-speaking nations. The manifesto stated:

We are against work on RU/CIS. We do not work on it ourselves and do not recommend it to others. 

  • To every person who works on RU we send rays of negativity;
  • We remind you of your own safety – working on RU damages it;
  • We repeat the theory “Those who work on RU have it coming to them in the morning” – this has been proven many times;
  • We remind you about patriotism;
  • Working on RU does not include goods/services that increase personal safety levels (e.g. socks, debit cards etc).

XSS even posted a badge that forum users could include in their signatures that read, “I am against working on RU! And you?”

XSS banner
XSS forum banner declaring a user’s refusal to target Russian-speaking nations

We often see very derogatory language used to talk about English-speaking individuals and forums, with negative language being used to discuss the West in general and the United States in particular. Russian-language forums also feature frequent posts celebrating FSU-specific holidays such as Victory Day and 8 March. 

Vicotry Day on Exploit
Post celebrating Victory Day on Exploit

Non-Russian-speaking sites

English-language cybercriminal forums are generally more international, judging by the frequent language and grammatical mistakes many users make in their posts, which indicates a large proportion of members are not native English speakers and come from many different countries. Therefore, predominantly English-language forums are not necessarily bound by a sense of nationality, and users’ views on this issue are not typically on display. Instead, forums must find other unifying factors to develop communities and a sense of togetherness. Sites often try to achieve this by offering exclusive services and social activities to create a more engaging platform and draw users together. For example, in June 2020, a user on the English-language forum Nulled launched a free self-developed streaming service for site members. 

Numerous language-specific forums unite cybercriminals based on their common language, although these do not appear to be as nationalistic as the Russian-speaking forums. One good example of language specificity is Altenen, which started out as an Arabic-language forum and, over the years, has morphed into an English-speaking carding forum. Nowadays, Altenen is a global forum with users located worldwide (according to third-party statistics). It even has an “International” section with dedicated language-specific subforums. While these sections are not hugely popular, they show that Altenen is open to the use of multiple languages and provides a space for users to speak to those with whom they share a language if they wish — a marked contrast to Russian-language forums. 

In conclusion

In a sense, gender and nationality are two of the easiest personal attributes to conceal. Cybercriminal forum users could simply avoid alluding to these characteristics. They could make no mention of their own nationalities and show no prejudice towards users from other countries. In terms of gender, in cases in which languages require speakers to express their gender in verb conjugations or adjectival declensions, it is easy to simply use the most widely used variant (i.e. the male option) and avoid attracting attention. Yet providing indications of gender and nationality are two of the most common ways in which individuals express aspects of themselves on cybercriminal forums. Perhaps this comes down to the fact that threat actors can be whoever they want to be behind a name on the screen and that gender and nationality are two easy characteristics to fake. Users see these forums as a platform of comfort, a safe haven, and somewhere to obtain recognition of their skills in a world, ultimately building up to the “personality” they desire–and therefore represent–when online. In the second part of this series, we’ll delve into two slightly less straightforward aspects of cybercriminal personalities that may not be as easy to conceal or feign — cybercriminal morality and forum dynamics.