New Digital Shadows research provides a breakdown of the traffic data behind the top cybercriminal forums and how they square up against each other. The research was inspired by a June 2020 post on the English-language cybercriminal carding forum Altenen announcing a “big victory” for the site in terms of its website traffic rank statistics. This piqued the interest of the Digital Shadows research team who compared how the statistics aligned with their pre-existing perceptions of these sites, whether they show any trends they were previously unaware of, and if there was anything that would indicate deceptive tactics behind these numbers.  

Here, we explore some key findings. 

According to Digital Shadows, in June 2020, the administrator of the English-language cybercriminal carding forum Altenen announced a “big victory” for the site in terms of its website traffic rank statistics. The administrator posted several key metrics, sourced from a traffic information service called HypeStat, to show just how “popular” Altenen was and how well the forum was doing overall. The statistics included the number of unique daily visitors, traffic sources (whether visitors access the site directly, by search queries, by referrals on other websites, or via social media pages), daily revenue estimate, and daily earning by country. This announcement received positive feedback from forum members, with many posting congratulatory comments on the thread.

"Website traffic statistics are nothing new -- anyone can look up their favorite website’s metrics. What is interesting about this case, though, is that the Altenen administrator deliberately used these metrics to quantify Altenen’s existing popularity and encourage forum users to “spread the Altenen all around the world [sic]” to grow the platform further. This is the first instance we have observed in which a forum staff member has deliberately posted the forum’s traffic rank statistics for promotional purposes," says the Photon Research Team. "This apparent reliance on site statistics to demonstrate Altenen’s popularity might indicate a degree of desperation from the forum administrator. Forums gain credibility and popularity by appearing attractive (e.g. by offering high-quality content and attracting highly skilled threat actors), not by highlighting subjective statistics such as website traffic rank. Website traffic numbers and forum statistics can be manipulated and therefore are not accurate indications of genuine popularity. And suppose the forums get caught manipulating these numbers. In that case, things can turn sour quickly, just like when BitBazaar market allegedly attempted to falsify their subscriber numbers and got banned from Dread, a Reddit-style cybercriminal forum."

The research team set out to find what website traffic statistics can tell us about cybercriminal forums. "We’ve used the same source as Altenen’s administrator, HypeStat, to gather some key statistics for several English-, German-, and Russian-language forums. While there are many data points we could have included, we have limited ourselves to metrics focusing on Alexa rank history, unique daily visitors, visiting countries, traffic sources, and daily revenue estimates. We wanted to see whether the statistics align with our pre-existing perceptions of these sites, whether they show any trends we were previously unaware of, and find out what the numbers alone can’t show us," explains the team. 

The findings, below, are courtesy of Digital Shadows. For more information, and detailed findings, please visit https://www.digitalshadows.com/blog-and-research/alexa-who-is-the-number-one-cybercrminal-forum-to-rule-them-all/

The forums:

Altenen

Altenen is a carding forum that initially started as an Arabic-language cybercriminal forum and morphed into an English-language carding-based platform in 2013. After several cyberattacks, Altenen went offline in either late 2016 or early 2017, before the forum administrator resurrected the site in June 2018. Since then, the platform appears to have attracted users from across the globe and has experienced a steady increase in forum membership, though it has been described as a scam site by multiple users within the cybercriminal community.

 

RaidForums

RaidForums is a popular English-language cybercriminal forum, created in March 2015, that features content relating to an array of cybercriminal topics, including general hacking activity, vulnerabilities, cracking methods and tools, cryptography, and breach datasets. RaidForums appears to have recently increased its profile within the cybercriminal community, with several prominent threat actors from other prolific platforms, such as Exploit, creating accounts on the forum.

 

Nulled

Nulled is an English-language cybercriminal forum that first appeared in January 2015. The forum hosts content relating to various cybercrime topics, including penetration testing, coding and programming, reverse engineering, social engineering, and breach datasets. Since its creation, Nulled appears to have experienced a steady increase in users, and in April 2020, the forum administrator proclaimed that the forum had experienced significant COVID-19-related growth in membership.   

 

Cracked TO

Cracked TO is an English-language cybercriminal forum created in May 2015, and while unconfirmed, Cracked TO may have some connection or degree of collaboration with Nulled’s administration team. Cracked TO, like Nulled, purportedly experienced significant COVID-19-related growth in membership around April and May 2020. Cracked TO also hosts similar content to Nulled.

 

Cracking King

Cracking King is an English-language cybercriminal forum created in September 2014. The forum hosts content mostly relating to breach datasets, cracking tools and tutorials, and configurations. Cracking King appears to have been highly active in its first few years, but its activity has decreased over the past two years.

 

Crimenetwork

Crimenetwork is a German-language cybercriminal forum hosting content related to an array of cybercriminal activity, including counterfeit documents, accounts, drugs, carding, malware, exploits, and social engineering. Security researchers named Crimenetwork as one of the top five German-language forums back in 2015, and it is the only forum out of that five that remains active. However, the forum administrator has been missing since around June 2019, and forum moderators have had to take charge of the forum during the administrator’s absence.

 

Exploit

Exploit has been a stalwart of the Russian-language cybercriminal underground scene since 2005. It is widely regarded as one of the most prominent Russian-language cybercriminal forums and sees users trading a wide range of high-value goods and services. The forum has sections for malware, network access sales, exploits, hacking, social engineering, cryptocurrency, spam, and social media.

 

XSS

XSS is a recent rebranding of the previously long-standing Russian-language cybercriminal forum DamageLab, which was one of the first Russian-language cybercriminal forums to be established. DamageLab, in its original incarnation, was closed when its administrator had a run-in with law enforcement. Now run by a former Exploit administrator, XSS is well regarded within the cybercriminal scene and features discussions and commercial activity in several fields, including malware, spam, exploits, vulnerabilities, carding, access sales, and credential databases. 

 

 

Website traffic statistics

 

| Platform | Altenen | RaidForums | Nulled | Cracked TO | Cracking King | Crimenetwork | Exploit | XSS |
|---|---|---|---|---|---|---|---|---|
| Current Alexa ranking | 27,025 | 27,063 | 8,282 | 10,905 | 261,124 | 3,107,635 | 97,919 | 150,609 |
| Difference in Alexa ranking in last 90 days | +157,836 | -613 | +4631 | -50 | -104,628 | Alexa does not have a graph displaying Crimenetwork’s traffic rank over the past 90 days. An older graph shows that the forum’s ranking dropped more than 600,000 places between July and December 2019. | +10,403 | +7041 |
| Daily visitors | 81.7K | 90.7K | 258.6K | 229.5K | 5,6K | 170 | 3,6K | 3,4K |
| Countries (highest to lowest) | Egypt, Algeria, Morocco, the United States, India, Tunisia, Albania, Turkey, Bangladesh, Vietnam, Jordan, and Palestinian Territory | United States, Australia, India, Indonesia, Turkey, Sri Lanka, Egypt, Russia, Iran, Vietnam, Morocco, Tunisia, Algeria, and Ukraine | United States, India, Egypt, Canada, Algeria, Brazil, Turkey, Morocco, Chile, Pakistan, Tunisia, Israel, Indonesia, Russia, Vietnam, and the United Arab Emirates | United States, India, Algeria, Egypt, Morocco, Turkey, Denmark, Pakistan, Canada, Israel, Saudi Arabia, Mexico, Tunisia, Bangladesh, Sri Lanka, Iran, Vietnam, Indonesia, Australia, Hong Kong, Colombia, Peru, and Russia | United States, India, Italy, the United Kingdom, Mexico, Brazil, Germany, Qatar, France, Canada, Spain, Egypt, Greece, Netherlands, Iran, Turkey, Morocco, Argentina, Pakistan, Australia, Taiwan, Saudi Arabia, Sweden, United Arab Emirates, Romania, Tunisia, Serbia, Philippines, Algeria, Singapore, Bosnia and Herzegovina, Russia, and Poland | Germany | Russia, Germany, United States, Netherlands, Sweden, United Kingdom, Canada, France, Spain, Italy, Ukraine, Poland, Switzerland, Latvia, Belarus, India, Indonesia, and Kazakhstan | Russia, Luxembourg, Poland, Germany, Azerbaijan, Ukraine, and Belarus |
| Average site duration (minutes) | 22.02 | 07.00 | 09.50 | 08.53 | No data available. | 22.01 | 07.52 | 06.37 |
| Traffic sources | Direct (69,68%), Search (21.08%), Social (5.46%), Referral (2.46%) | Direct (52,48%), Search (39,40%), Social (3,69%), Referral (1,65%), Paid (0.01%) | Direct (56,56%), Search (34,19%), Social (3.35%), Referral (0.75%), Paid (0.03) | Direct (47,70%), Search (45,47%), Social (3,13%), Referral (0,56%), Paid (0,04%) | No data available. | Direct (78,56%), Search (14,29%), Referral (7,15%) | No data available. | No data available. |
| Daily revenue (USD) | 1,601.31 | 2,678.69 | 5,909.99 | 4,031 | 8,100 | 4.84 | 2,635 | 4,437 |

Table 1: Website traffic statistics of selected cybercriminal forums

 

 

What new information can the numbers give us?

This new information reveals average time spent on most forums and visitor geography, says the team. But intricacies of specific forums show that metrics should be treated with a grain of salt. For instance, users on Exploit only spend an average of 07:52 minutes on the forum, according to the statistics. Yet, because Exploit is a fully gated forum, none of these visitors are random guest users, notes the team. While visitor geography can be distorted by using tools such as VPNs, the list of visitor countries still gives a good indication of the regions that visitors come from. The United States was the most popular country for visitors overall, not just on English-language forums; US visitors rank highly on Exploit and XSS. 

It's important to note that the statistics collected give no indications as to a forum’s content (a niche focus, naturally leading to a more selective membership and visitor numbers, or more generic, with wider appeal) or quality (highly skilled threat actors invited to join the site after proving their skills versus inexperienced “script kiddies”). Secondly, advertisement revenue estimates do not show a forum’s actual economy. These sites can also earn money by requiring users to pay to register or upgrade their accounts to gain VIP access and charge commission on escrow services during transactions. The statistics also provide no reasons for the fluctuations in the Alexa rankings over time. Such changes could be regular, “seasonal” variations or down to the ongoing COVID-19 pandemic (as claimed by Nulled and Cracked TO). Similarly, Crimenetwork’s Alexa ranking doesn’t indicate that its significant rank drop in June 2019 is due to its administrator’s concurrent disappearance, says the research team. 

"The limitations of these figures highlight the importance of having the human in the loop -- an analyst observing these cybercriminal forums' behavior over time. Without sufficient context, the statistics could potentially provide a distorted image of the cybercriminal community. It seems that Alexa does not yet have the answer to everything," concludes the Photon Research Team. 

For the full blog and detailed findings, please visit https://www.digitalshadows.com/blog-and-research/alexa-who-is-the-number-one-cybercrminal-forum-to-rule-them-all/