Digital Shadows explored four main themes via which threat actors’ personalities or real-life identities are expressed on cybercriminal forums, providing examples they've observed over the years. This first blog looked at gender and nationality, while the second in the series examined morality and forum dynamics.
Research has shown that one of the reasons for the continued success of cybercriminal forums (despite their outdated technology and ostensibly insecure public content) is the opportunity they provide for members to interact with other users and express their quirks and firmly-held opinions. Threads touching on cybercrime ethics or those focused on issues that divide a site’s users can generate popular and sometimes heated discussions.
While this may seem divisive, ultimately, says Digital Shadows, these conversations and users’ sense of involvement build forum communities and contribute to their longevity. At other times, it is the forum administration teams’ individual circumstances that determine a site’s success, reminding us that behind every cybercriminal platform is a real-life individual. Let’s look at how users have referenced morals on cybercriminal forums and how forum dynamics or politics have come to the fore.
Morals and charity
The Photon Research team has observed cybercriminals debating the moral dilemmas inherent in cybercrime.
In April 2020, for example, the administration team of the English-language forum CrackedTO banned posts relating to trading or sharing accounts for the video conferencing platform Zoom, amid media reports of a considerable rise in cybercriminals targeting this increasingly-used application. A threat actor operating on the English-language cybercriminal forum RaidForums claimed to have received a smishing campaign text message containing a malicious link impersonating a site that offered a “cure” for COVID-19. They stated, “while I don’t – and won’t – proclaim any holier-than-thou intentions, I personally feel these types of scams are a little out there in terms of exploiting fears of a pandemic.”
One user on the Russian-language forum Antichat had applied for paid coding work on a project organizing “cryptoattacks,” passed the interview tests, and was promised work and payment, but never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father’s cancer medication. Other forum members also claimed to have been deceived by the project organizer, sharing correspondence as proof. Ultimately, the Antichat administrators banned the project’s organizer and arranged a “whip around” among forum members, raising $700 for the medical treatment.
"Our objective manner of viewing cybercriminal forums as transactional platforms and our focus on identifying commercial activity that might target our clients leads us to forget that these sites function as businesses whose development depends on the people behind them. We talk about the reasons for some platforms’ longevity and try to find outside factors influencing sites’ successes. Then we read posts connecting these platforms’ trajectories with people," says the Photon Research team. "Sometimes politics leads to more significant problems – there has been speculation that the Russian-language forum Phreaker disappeared because of disagreements between its two founders."
On Raidforums back in May 2020, one of the forum moderators decided to publicly “out” the current forum owner, stating the owner was “bad” and announcing that they wished to become the new forum owner. The moderator even created a poll in which other forum members could vote either “yes” or “probably” on whether the moderator should become forum owner – out of eight votes, five users had voted “yes,” and three users had voted “probably.” Users had also expressed their support for the moderator in the thread. Only one user had commented saying that they did not support the moderator’s idea. There have been no public or official replies from the forum owner or other staff. The dispute might have been dealt with behind the scenes – at the time of writing, the forum owner remains the same, and the moderator remains a forum moderator.
As threat research analysts is important to remain objective, says the team, but it's also important to remember that sometimes, rational explanations cannot be provided for some of the actions or posts they see on these sites.
To read the full blog, please visit https://www.digitalshadows.com/blog-and-research/unpicking-cybercriminals-personalities-part-2-morality-and-forum-dynamics/