Cybersecurity reporting tends to focus on stories about governments and law enforcement agencies moving to catch the threat actors responsible for major cyberattacks. We rarely stop to think about the cybercriminal underground’s own policing activity.
Contrary to what you might expect, successful cybercriminal platforms are not the “wild west”. They have their own rules and regulations that are strictly enforced. Every day, forum administrators move to protect their own interests by banning problematic threat actors from the platforms they run.
What is a cybercriminal forum ban?
If forum members aren’t playing by the rules, they can be temporarily or indefinitely banned. Often, a single transgression on a forum can be enough for a permanent ban, regardless of the individual’s contribution to the site. Banned users often have little scope to challenge these decisions. However, becoming a banned user can cause significant damage to a threat actor’s personal brand, resulting in reputational damages in the cybercriminal community and potentially cutting off their sources of income.
Just as we saw with several forums’ recent decision to ban profitable ransomware affiliate programs, what is best for the platform trumps self-serving, individual threat actor interests. Although forum administrators do weigh up the pros and cons of such controversial decisions, at the end of the day, forums want to protect their business, safeguard their brand, maintain administrators’ authority, and avoid unwanted attention.
In this article, we set out to examine six common reasons cybercriminals are banned from forums:
- Arbitration claims in which defendants are “proved” to be scammers
- Violating forum rules
- Public opinion and pressure
- Reported to be a scraping account or a researcher
- Criticizing the forum team
- Requesting account deletion
Arbitration claims in which defendants are “proved” to be scammers
While some cybercriminals are out there trying to make an “honest” living by swindling the general public, others like to prey on their fellow forum members with attempted scams. The scam is usually advertising something for sale, taking someone’s payment for the goods or service, and never delivering on what was promised. This is probably the most frequently occurring reason that threat actors are banned from cybercriminal forums, and it is common across sites from many different language communities.
Victims of such scams seek recourse through forums’ arbitration processes, often resulting in the scammer’s expulsion from the site. If the claimant can prove that they were scammed through images or screenshots of a conversation with the fraudster, the defendant will usually be permanently banned from the forum. A forum administrator or moderator typically oversees the process, representing figures of authority in the lawless criminal underground.
On one popular English-language forum, for instance, a user approached the site’s arbitration system to accuse another member of not delivering them stolen credentials after they had paid the vendor. The claimant provided a screenshot that reflected their proof of payment to the scammer. After a forum administrator reviewed the case, the defendant was given a chance to explain their side of the story. When they did not respond to the accusation, the administrator ruled in favor of the claimant and the scammer was banned from the site.
On another high-profile Russian-language cybercriminal forum, one forum user filed a complaint directly against another member for taking USD 210 from them without delivering a specially-crafted phishing document that the claimant had purchased. They initiated an arbitration claim and provided “proof” of their dealings with the vendor in the form of conversation logs. The arbitration process showed that the defendant had impersonated the site’s escrow service in private messages. In addition, the defendant never responded to the accusation and the arbitrator banned the scammer from the site.
Arbitration processes can be avoided altogether if forum members use a legitimate escrow service—an arrangement where, after a deal has been agreed upon, the buyer sends their funds through to a neutral third party known as a “guarantor.” Only after the buyer has confirmed that the goods or services they receive from the seller meet their expectations or the deal’s agreed conditions will the guarantor release the money to the seller.
Violating forum rules
While forums have different thresholds for what they deem inappropriate content, it is common for them to have a set of rules laying out the regulations for that site so users know what’s acceptable on that platform. The forum team of administrators and moderators usually enforce these rules. Particularly on Russian-language forums, ordinary forum members also play a role in reinforcing rules through social reminders.
A common rule on Russian-speaking cybercriminal platforms is a ban on targeting victims located in Russia and countries in the former Soviet bloc. This rule has likely become the norm for Russian-speaking threat actors for a variety of reasons, including patriotism and the relative lack of wealth in CIS countries compared with the West. Users who flout this rule may receive a warning from a moderator, a “heads up” from other forum members, or even a full ban for a particularly egregious case.
A common rule on Russian-speaking cybercriminal platforms is a ban on targeting victims located in Russia and countries in the former Soviet bloc. —Photon Research, 2021
For instance, on one Russian-language cybercriminal forum, a user was looking for Telegram botnets that could be used to command and control malicious apps. In response to their search, another user suggested Russian-language bots being used to target individuals in CIS countries. Another threat actor implored the interested party not to use the bots because they targeted Russia and other CIS countries, or, as they put it, “don’t work on your own people!”
Other rules are designed to better protect a forum’s integrity. For example, one popular English-language cybercriminal forum prohibits users from having more than one account. This ensures that users cannot be impersonated. If a scammer impersonates another reputable forum member, they likely have a better chance of stealing from a victim. For instance, one user on the forum was found to be using an account that was almost identical to another user’s account. By inserting a “1” at the end of their username, they attempted to impersonate a reputable forum member in the hope that others would not notice. Needless to say, their disguise did not work, and they were banned under the site’s policy.
Other common cybercriminal platform rules include bans on spamming or artificially inflating reputation scores. Inflating one’s reputation can be done by making meaningless posts such as “thanks” or “cool”; users may do this to appear more legitimate or view hidden content on a site.
One Chinese-language cybercriminal marketplace that we looked at, for example, had warnings repeated in bold letters on the site’s homepage, reminding users that such behavior is “frowned upon” and would lead to users being banned, regardless of their account status or whether they have funds deposited in their account.
Public opinion and pressure
Given their chosen profession, individuals earning a living on cybercriminal forums are guided by a different moral compass. However, each individual threat actor has an ethical line that they will not cross or tolerate for themselves or from others.
In the court of public opinion on cybercriminal forums, material related to the exploitation of children or pornography displaying minorsis often an intolerable offense. On an English-language cybercriminal forum, a user was banned for reportedly providing a link to pornography that exposed a minor. Despite some positive reviews in the post from other forum users, the forum administrator banned the user for violating the anti-child pornography policy.
Another instance of a post ruining a user’s reputation can be found on a prominent Russian-language cybercriminal platform, where a user advertised for sale a reputable account on another forum. Other forum users immediately condemned the post, and expressed shock that someone would sabotage their reputation with such a blatant offering. The accused defended themselves, claiming they had permission from the other forum team to sell the account and urged naysayers to contact the other forum. Despite this, multiple users called for the seller to be banned, resulting in their expulsion from the site.
Reported to be a scraping account or a researcher
Forum users actually call out other members they suspect to be law enforcement when they ask suspicious questions. As stakes are high, it’s a natural instinct to be suspicious of other users on a cybercriminal forum. After all, researchers, scammers, and law enforcement agents all have a presence in the cybercriminal underground.
Red-flags to other forum users include asking for specific company names or lacking a reputation score and history of posts on the forum. —Photon Research, 2021
A question such as, “What is the name of the company you are selling access to?” is an immediate red flag, and that user then risks being reported and banned from the forum. Suspicious account activity may also result in a ban. For example, a user that never makes any posts on a forum and only searches for the names of companies may be suspected of being a researcher.
Other accounts may be considered suspicious if they have made zero posts on the forum and don’t have a reputation score. In the screenshot below, one account on an English-language forum was suspected of being a scraping bot, meaning it was likely a mass scraping bot designed to extract content and data from the website.
In the Russian-language cybercriminal scene, paranoia is arguably even higher, especially with Western intelligence agencies attributing an increasing number of cyberattacks to Russia. In fact, many native Russian speakers on forums refuse to even work or discuss projects with native English speakers, as they deem it too risky or don’t want to work around the language barrier. If enough users suspect that a forum member is not who they say they are, there is a good chance they could be blacklisted.
Criticizing the forum team
The adage of “don’t bite the hand that feeds you” rings true here. While forum teams don’t always make the most popular decisions, becoming a forum’s critic can result in another user who is willing to defend the site reporting your account. The recent decision by Exploit, XSS, and RaidForums to ban the sale and advertisement of ransomware was very divisive. Exploit forum members bemoaned one user for their selfish reaction to the ban on ransomware. Their critique of the forum and vow to “make revenge” eventually resulted in their ban from the forum.
In some cases, a forum member criticizes the forum team or the forum itself. On one Russian-language forum, questioning the moderator or administrator is expressly forbidden, and on another, this activity can also be considered a serious offense.
One forum member learned this the hard way after they accused the forum of being compromised by law enforcement. The user even joked that the forum administrator’s real name was “Comrade sergeant Ivanov”. As you can imagine, the forum administrator did not find the joke funny, and the user was ultimately banned for their accusation.
Request account deletion
Why would a user ban themselves from a forum? While it isn’t common, users have asked to be removed from forums either because they thought they were being tracked by law enforcement or because their account had been compromised. However, it’s ultimately up to the forum team if they will fulfill members’ requests.
In fact, one forum explicitly states in their account rules that “we do not delete accounts for whatever reason you have.” Digital Shadows (now ReliaQuest) recently observed a moderator on this site abruptly denying a member’s request that their account be deleted, pointing to the forum rule that accounts will not be removed for any reason, along with the tagline, “Think before you register.” Despite this, one user was recently allowed to have their account banned for unknown reasons.
On a different forum, the rules section establishes a remediation process for a hacked account. However, the rules also state that everyone is responsible for their own posts and they must take responsibility, even if their account is hacked.
A platform ban might not seem like a big deal, especially when there are tons of other marketplaces and forums where one can buy or sell similar goods and services. However, bans can often be a dark stain on a user’s otherwise great reputation or prompt the banned user to seek vengeance. Shortly after ransomware affiliate programs and a few ransomware operators were banned on Exploit, for instance, the site experienced retaliatory DDoS attacks suspected to be from previously-banned forum members. In addition, the site had to handle arbitration claims from members who were owed money by the DarkSide ransomware representative who was forced out of the forum.
Forum administrators and moderators ultimately have to maintain some “law and order” or they risk losing everything. In fact, lack of rule enforcement has been a contributing factor to the demise of numerous cybercriminal platforms—a lack of trust, discipline, and failure to moderate explicit content could cause a platform to unravel. For this reason alone, there have to be consequences for rogue cybercriminals that have little respect for authority. After all, platforms have a better chance of survival if they are well-moderated and take precautions against law enforcement by “flying under the radar.”
At Digital Shadows (now ReliaQuest), we continue to track the dynamics of cybercriminal forums and marketplaces. By building complete threat profiles for cybercriminal platforms, threat actors, and crime syndicates, we develop unique insight of great intelligence value. If you’d like to keep up to date with the state of the dark web and cybercriminal underworld, get a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight across open, deep, and dark web sources cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Get a free, seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.