Underground markets may have originated in the time of Internet Relay Chats (IRCs), but the appearance of cryptocurrencies and anonymous communications like Bitcoin and Tor have allowed these markets to develop far past their genesis. Darknet forums are now a very efficient platform through which to conduct illegal business. Some forums are accessible only via the Tor network, while others are only accessible via traditional web browsing (clearnet). These forums offer a variety of real world and digital items, ranging from illicit drug sales, counterfeit items (passports, driver licenses, bank notes), and weapons, to services such as carding (credit card fraud), PII (personal identifiable information) fraud, 0 day exploits, botnet services, and bulletproof hosting.
Gaining access to some of these forums can be a complicated ordeal, and forums with more extreme vetting tend to have a higher quality of malicious activity. A user might have to compromise and deface a web site of the forum’s choice to gain a full profile, or create a new variant of ransomware. This is suspected to be a primary cause of the recent outbreak of ransomware. Due to the illicit nature of the content and services offered it’s not uncommon for a site to be populated with decoy users from both criminals and law enforcement personnel.
Below we’ll explore the terminology, services, and quality of some of the dark web’s more popular forums. Just don’t get any ideas…
The underground is filled with a heavy amount of jargon and slang that may be unfamiliar. Here are some common terms:
- Crypters - tools that encrypt malware in order to bypass detection by Antivirus engines
- Binders - tools used to trojanize a legitimate program with a malware sample
- Zero-Day exploits - techniques that exploit a previously unpatched vulnerabilities, used by attackers to gain unauthorized access to computing systems.
- "FUD" - "fear, uncertainty, and doubt" in the normal security world, in the underground forum world it means "Fully UnDetectable"
- "Rippers" - actors on forums identified as ripping off and scamming other users without delivering useful services or contraband
The table below shows a list of common underground marketplaces.
|Marketplace Name||Marketplace URL||Tor Site||Clearnet Site||Currency Used|
Sky-Fraud Underground Forum
Sky-Fraud is a Russian underground forum that has been in operation since 2014. Its user base consists of 26k active users all between Russian and English speaking languages.
Access: Free without vetting. This forum is easy for scammers, non-reputable members, law enforcement, and security researchers to access.
- Escrow services
- Bulletproof hosting services.
- PII (Personal Identifiable Information) and CC (Credit Card) data.
- Botnets, Exploits, and Malware.
- BlackHat SEO (Search Engine Optimization) and Web design.
- Payment Systems: BTC (Bitcoin), Paypal, Webmoney, Entropay
Trustworthiness/Quality: The data found in this forum seems to be low fidelity given the number of amateur hackers that operate on the site.
Lampeduza Underground Marketplace
Lampeduza is a Russian underground forum. This site was previously discussed in 2013 by krebsonsecurity when one of the forum members `rescator` was involved in the sale and distribution of breach related data of a large retailer. In addition, Lampeduza seems to be strongly related with the notorious carding forum `rescator[.]cm`, where credit card data related to the massive series of 2013 retailer breaches was offered for sale.
Access: $50 registration fee plus an invitation code
- Dump services
- Overall credit card fraud
- Anonymization practices
- Black Hat SEO (Search Engine Optimization)
Trustworthiness/Quality: Data offered in this marketplace seems to be of medium value, challenging prospective buyers with discerning which vendors are credible. The site offers a reputation system in which the user can voice any complaints and action can be taken against the vendor if needed. This is a common feature amongst many of the anonymous marketplaces.
Exploit.in is a Russian language based hacking forum that resembles the operations of other hacking forums such as Leakforums and HackForums. Exploit.in has been in operation since 2007, with around 35k total users. Some areas discussing non-criminal activities are readable by the public, including discussions on web-design, programming, and hardware. Other sections, like security and hacking, virology, anonymity, and marketplace, require a valid user account.
Access: Free, but need to be vouched for by an existing member who can communicate in the forum’s Russian internet slang. Due to a closed registration process, this forum is less polluted with fake accounts.
- Carding services
- Bulletproof hosting
- Malware distribution services
- Zero Day Software vulnerabilities
- Malware such as exploit kits, Trojans, and crypters
Trustworthiness/Quality: Much of the value derived from this marketplace lies in the relationships between highly-connected users. Many of the real users have multiple profiles on other forums. Out of the 35k total users on the site:
- 36 users are vendors.
- Only 1 user has an admin designation.
- Only 5 users are moderators.
- 54 users are verified users.
- 43 users are specialists.
This proportion of real, active accounts to non-active accounts is fairly common amongst forums. It is also compounded by the anonymity of the users. The blacklist complaint threads are useful for weeding out rippers, but this lead to a heavy turn over in vendors. Successful vendors appear to have strong relationships with one another in other forums or venues, allowing each them to vouch for one another. It is likely due to this high amount of turnover that the more interesting vendors seem to create a new profile with new contact information each time they offer new items for sale.
Leakforums surfaced on the hacking scene in 2011, and currently has 1 million users. This marketplace is an initial source of many leaks, and is useful for obtaining copies of well-known malware such as ORCA or Adwind. LeakForums specializes in leaks related with PII, social media accounts and the trade of paid hacker tools (Keyloggers, RATs, Crypters, and Binders).
Access: Free without vetting
- Malware including Njrat, Adwind, and Orcus (free for registered users)
- Serial keys for commercial programs (including MS Windows, MS Office, Antivirus engines)
- Stolen Credentials (social media accounts)
- Hacked databases (Streaming service database leaks)
- Cracked programs of well-known trojan programs (including Njrat, Adwind, Orcus)
Trustworthiness/Quality: The quality of the data found in this marketplace is very low, and the quality of the forum itself debatable. This is partially due to a high number of amateur criminals attempting to increase their profile but selling very low quality tools. This site also lacks the reputation system that the more mature markets like Alphabay and TheRealDeal have, which makes it harder for a potential buyer to trust in the vendor.
HackerForums Marketplace homepage
HackForums is one of the longest running hacking forums of the internet, and is notorious for housing a large number of amateur hackers. It was founded in 2006 and has approximately 600k total users. The forum covers several topics in information security such as hacking, programming, computer games, web design, and web development, as well as the sale of hacking tools and services. Hackforums was spotlighted this year after the MalwareHunterTeam noted a campaign that appeared to originate from here that used the ORCUS RAT. Krebsonsecurity published an additional article on the authors behind this malware as well.
Access: Free without vetting. This forum is prone to a high number of fake profiles, amateur criminals, scammers, and law enforcement personnel.
- Stresser services (e.g. DDOS (Distributed Denial of Service Programs)
- RAT (Remote Access Tools)
- Stolen Social Media accounts (including Facebook, Twitter, and YouTube)
- Crypters (tools that obfuscate malware from Antivirus engines)
- VPS (Virtual Private Server), VPN (Virtual Private Network), and hosting services.
Trustworthiness/Quality: Similar to LeakForums, the quality of the data found in this marketplace is very low. This is likely due to the lack of a reputation system or initial vetting of users. This marketplace is useful, though, for downloading a fresh copy of a given RAT builder to help build detection capabilities.
Although it has since been taken down, TheRealDeal was a dark web market that began with an emphasis on zero day exploits. This marketplace rose to the public's attention in 2016 after several data dumps that involved high-profile organizations. These dumps were offered by a single reputable member of this forum, peace_of_mind.
Access: Free without vetting. Many non-reputable members, security researchers, or law enforcement personnel are part of the marketplace.
- Counterfeit items (bank notes, passports, driver’s licenses)
- Stolen credit card data
- Hacked database dumps
- Illicit drugs (MDMA, LSD, pharmacy, cocaine)
- Exploits: FUD (Fully UnDetectable by antivirus engines), one-day (vulnerability that has been disclosed but not patched) and zero-day (vulnerability that hasn't been disclosed).
Trustworthiness/Quality: The quality of services in this marketplace is mixed. Each vendor's reputation can be determined by their rank as well as the feedback provided in their profile, which means that potential customers must do more research into each vendor. The marketplace also offers the multisig transaction method to provide additional security. There is also a more restricted forum that accompanies the Real Deal which hints at further illegitimate activities (although these activities are hard to verify).
The Alphabay market is a newer forum that has sustained considerable growth since its start in 2014. The Tor based market currently houses 240k users.
Access: Free without vetting. Its user base constitutes of a considerable number of suspected security researchers and non-reputable users.
- Dumps (databases containing credit card data), Bank drops, CVV (card verification value number) and CC (credit card) data
- Illicit drugs
- Counterfeit items (bank notes, passports, driver’s licenses)
- Courses on how to make money through illicit activities
- Malicious software: Exploits, Exploit Kits, botnets.
Trustworthiness/Quality: The quality of the products is varied. It's up to the potential buyer to ensure the vendor has the highest vendor level and trust level. The quality of Credit Card data and Personal Identifiable Information sold in this forum depends upon the vendor. Some of that data comes from compromised e-commerce sites as well as compromised point of sale terminals. Alphabay ensures transactions are secure and seamless by offering the multisig transaction method, and two factor authentication to access the marketplace.
Alphabay also offers what is called Digital contracts. Digital contracts are a system that utilizes the user reputation system to decrease the risk in transactions. Each contract has a cost of five dollars paid to the market admins, although the content of the contract is at the discretion of the users. Digital contracts don't necessarily eliminate scamming in its entirety, but do help to build trust among members. One interesting aspect of AlphaBay is that it allows users to access the marketplace programmatically via an API.
Underground markets offer a variety of services that are very attractive to criminals from all walks of crime. They provide a fascinating view of how underground economies operate to anyone that has access to a web browser and Tor. Most of the market places are of questionable value, but there are a few handfuls of reputable criminals operating within the forums. The most useful markets are extremely exclusive and hard to access, but the open markets offer an initial view into these communities.
About the Author
Luis Mendieta is a senior security researcher who enjoys poking inside malware and building automated systems to process threat data. He has 5 years in the security industry, focusing on intelligence and research. Currently at Anomali, Luis researches the latest malware families and builds tools that allows for faster analysis and processing. Previously, he has worked as a senior threat analyst at Verizon supporting cyber security incident response engagements with cyber intelligence capabilities. prior Verizon he worked at Terremak as SOC analyst 2 then moved up the ranks to become investigations analyst. Luis enjoys playing scenario paintball, running and outdoors.