
The dark web hosts a complex ecosystem where licit and illicit activities intertwine, offering anonymity but also exposing users to significant risks. The main communication between criminal hackers takes place in specialised forums that serve as hubs for organised criminal activities. These virtual spaces allow individuals and groups to interact, exchange information and conduct illicit transactions in relative safety and anonymity.

These forums act as platforms for organised criminal activities, facilitating the buying and selling of illicit goods and services. Criminal gangs use these forums to collaborate, exploiting escrow services to ensure secure transactions and forming alliances to carry out complex attacks such as DDoS. We analyse in detail what happens in these Dark Web sites and the attackers’ code of honour.

 

Access to forums

Let us start with the barriers to accessing these criminal forums. The most reputable ones on the Dark Web take strict measures to control access and maintain exclusivity. Some require a simple free registration, while others impose high fees that can range from $200 to $500, with prospects of future increases up to $1,000.

These costs serve both as a barrier to entry for unwanted users and as an indicator of the level of seriousness and security of the forum. In some cases, free access can be obtained by presenting a solid reputation on affiliated forums or through invitations from already accredited members.

 

Goods and services offered

Dark Web forums offer a wide range of illegal goods and services, including:

  • Hacking services: access to compromised corporate networks, DDoS attacks for hire, development and sale of malware and stealers.
  • Fake documents: creation and sale of counterfeit documents from various countries.
  • Illegal substances: trade in drugs and weapons.
  • Customised services: physical damage on commission, cryptocurrency laundering, collection of personal or corporate information, sabotage of social media accounts and more.

 

Collaboration between gangs

Criminal gangs on the Dark Web often form alliances to exploit complementary skills. For instance, DDoS attacks require the use of botnets, networks of compromised computers used to overload target servers.

Creating and managing these botnets requires specific skills, leading gangs to collaborate with other groups or recruit individual users willing to participate in attacks from their own devices in exchange for a reward.

 

Code of Honour

Despite the apparent oxymoron, unwritten codes of conduct are observed within certain cybercriminal communities, which regulate interactions and illicit activities.

Some cybercriminals, for instance, categorically refuse to target hospitals or critical infrastructure, almost as if there were an invisible line that must not be crossed. Others, however, specialise in one type of attack, becoming true experts in that particular area. Then there is the rule of silence, a pact that protects the identity of all members of the community, guaranteeing anonymity and the security of operations.

Another code that is always respected is ‘fairness’ in business: payments must be made on time, information shared must be accurate, and internal scams are severely punished.

 

Ransomware policies

The attack on Colonial Pipeline on 7 May 2021 had significant repercussions on the Dark Web community. Many forums, concerned about increased law enforcement attention, have banned ransomware-related discussions.

Some, however, continue to allow such topics but have increased registration fees to discourage unwanted activity and attract only serious users.

 

Securing transactions

To mitigate the risk of scams, many forums implement escrow services run by administrators or trusted members. In a typical transaction, the buyer transfers funds to the escrow service, which holds them until the seller delivers the agreed product or service. Only after confirmation by the buyer are the funds released to the seller.

This system protects both parties and guarantees the integrity of transactions. In the event of disputes, administrators intervene by analysing the evidence provided and making binding decisions. In addition, some forums require sellers to deposit a sum in cryptocurrency as collateral; in case of fraudulent behaviour, these funds are used to compensate victims.

 

Geographical Restrictions

In some forums, especially Russian-speaking ones, there are restrictions prohibiting criminal activities against countries of the Commonwealth of Independent States (CIS).

To ensure compliance with these rules, many stealers are programmed not to activate on systems using a Russian-language keyboard or other specific local settings.

 

Focus: Threat Intelligence

Understanding the dynamics of the Dark Web is crucial for developing effective law enforcement and protection strategies in the field of cyber security. In this scenario, Threat Intelligence emerges as an indispensable activity to anticipate the moves of cyber criminals, revealing their tactics, techniques and procedures (TTPs) before they can do any damage.

Investing in this form of intelligence means equipping oneself with a strategic advantage, turning threat knowledge into a solid proactive defence. Only through in-depth and constant analysis of the cybercriminal landscape can effective countermeasures be developed, protecting sensitive data and critical infrastructure from increasingly sophisticated attacks.

Analysis by Vasily Kononov – Threat Intelligence Lead, CYBEROO