New Digital Shadows research takes a look at how cybercriminals may be profiting from COVID-19 charities. 

The Digital Shadows Photon Research Team revealed that in late March, a user on the prestigious Russian-language cybercriminal forum XSS initiated an English-language thread to share free credentials for accounts with preloaded funds for the automated vending cart (AVC) sites Joker's Stash and UniCC. In exchange, the user requested voluntary donations "to help COVID-19 patients and medical staff in Italy and Spain." The user provided a Bitcoin wallet address to receive donations. Later that same day, the user updated their post to report that the accounts were no longer working, as an unknown forum user must have changed the passwords without leaving a donation.

The next day, says the research team, the user posted credentials for five more Joker's Stash accounts but later updated the thread to announce that all the accounts passwords had been changed but no funds donated. "The following day, the user shared what they promised were the last two sets of account credentials, noting that they had still not received any money. Although several forum members had voiced their support for the idea, it seems that no one went as far as putting their Bitcoin where their mouth was," says the research team.

This incident got the Photon Research Team thinking: should threat actors be expected to have some moral obligation during the coronavirus pandemic?

According to the research team, one post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation: A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was "cruel," they found themselves in an "extremely difficult financial situation". Responses to the proposal were mixed, with one forum user calling the plan "amoral," and another pointing out that cybercrime is inherently an immoral affair. 

Further research revealed that several Russian-language forums—including WT1, Exploit, Verified, Delf Code, and Zismo—provide their members with the opportunity to make donations to the sites themselves. Some make it very difficult to locate the records of those who have voluntarily donated, meaning the donors to these platforms go largely unrecognized (although discerning site administrators may remember their generosity later). On other platforms, the arrangement is entirely less altruistic: A minimum donation results in a pre-defined increase in forum status, allowing donor users  to bask in the added prestige their money has brought them.

On many Russian-language cybercriminal forums, the research team observed a surprising number of threads offering goods and services for free, or even entire sections devoted to giveaways. The most common commodities shared in this manner are account credentials for streaming services and credit-card details (although the validity of this information is often lacking, given the widespread distribution).

"This spirit of selflessness may appear remarkable, but consider the factors behind this phenomenon," says the team. Often cybercriminals are sharing by-products obtained via unrelated cybercriminal schemes and these donors receive a massive boost to their reputation on the forum, and thus, in the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility, claims the team. 

Appeals for help

The research team also found various examples of appeals for help, such as posts describing personal problems and appealing for financial aid, which received mixed responses on cybercriminal forums: In one example of a positive outcome, a user on the Russian-language forum Antichat benefitted from the generosity of the forum’s administrators. The user had applied for paid coding work on a project organizing “cryptoattacks", passed the interview tests and was promised work and payment, but never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father's cancer medication. Other forum members also claimed to have been deceived by the project organizer, sharing correspondence as proof. Ultimately, the Antichat administrators banned the project’s organizer and arranged a “whip around” among forum members, raising $700 for the medical treatment.

Digital Shadows has observed similar schemes on other cybercriminal sites, such as a 2016 Christmas fundraiser on Exploit allegedly raised over $1,300. The organizer praised the "good-natured people [who] still remain on the forum, people who can and want to help the kids." The same user went on to organize similar schemes in 2017 and 2018, with the latter appeal reportedly raising $4,645. Just as on Club2CRD, the organizer posted images of goods they purchased with the funds to "prove" that the money was rightfully spent.

One Exploit user recognized the Exploit community's seeming propensity to respond favorably to such charitable appeals, noting that the New Year's fundraisers had shown that "many people were not indifferent to this issue." They proposed establishing a charitable fund on the forum, saying that donating money in this way would be "a plus for karma at the least, and at the most, helping people who need it," with the forum members becoming "a kind of modern Robin Hood".

The team has observed that the issue of "karma"—finding ways to atone for the harm caused by cybercrime—is a topic discussed not infrequently in Russian-language cybercriminal communities. In this instance, the post noted that in arbitration cases (disputes between two forum members resolved by an impartial third party), compensation could be paid to the charitable fund, rather than going into the forum's coffers.

As Digital Shadows has noted repeatedly, the cybercriminal world has found its way to replicate establishments and customs that form a daily part of real life, "so it's not surprising that the notion of charity also has a presence in the underworld. Just as in real life, some charitable events take off and strike a chord with a large number of people, while other endeavors—even for worthy causes—fizzle out and fail to attract funds," says the team. 

It will be interesting to see whether, as forums' sophistication continues to develop, charity is embedded formally in the forum system. Given some cybercriminals' propensity to view charitable efforts as a way to create good "karma" and negate their crimes, it's likely to be a recurring element on cybercriminal platforms, warns the research team. 

For the full research and findings of more exploits, please visit the Digital Shadows blog: