Chapter II. Russian language cybercriminal forums – not always underground but always aiming at generating maximum profits
Our focus will now shift to the “underground” nature of RLCF and of their economic functioning. We will assess to which extent these communities are hard to access for an outsider, how their administrators protect them against attacks and understand how RLCF are monetized.
Next, in the third Chapter we will identify the most prominent RLCF, analyzing their pivotal role within the wider ecosystem, and examining their interactions with Telegram communities.
Finally, in Chapter IV, we'll delve into the geopolitical influences shaping these communities. Here, we'll analyze how recent global events and political dynamics have impacted the Russian language cybercriminal forums, providing a comprehensive understanding of their current state and potential future.
Insights of this Chapter:
· While the adjective “underground” is often used to qualify RLCF, it does not always reflect the reality. Indeed, a majority of RLCF can be found through common search engines, allowing even beginners to engage in cybercriminal activities. Hard-to-access RLCF do exist, but they are a minority.
· RLCF administrators must deal with frequent DDoS attacks and hacking attempts. To limit the impact of DDoS attacks and the exploitation of vulnerabilities, they mainly rely on well-known and well-studied Internet forum software packages such as Xenforo, and on CDNs such as Cloudflare.
· RLCF are not only gathering places where threat actors can talk and conduct their business, they also provide a wide range of complementary but not less essential services. The most advanced communities offer services such as cryptocurrency mixers or Jabber(XMPP) servers.
· Successful RLCFs generate significant revenue for their owners. However, the challenging environment of cybercrime in which these forums operate complicates the task of forum management and obliges administrators to invest heavily in cybersecurity.
· RLCF adopt diverse approaches to advertising and monetizing their forums, generally influenced by their specific activities and position within the ecosystem.
o Drugs forums advertise aggressively on the streets of the CIS countries, while established, reputable niche hacker communities such as XSS or Exploit do not spend on advertisements.
o Regarding revenue, selective communities in the Cybercrime category seem to primarily generate income through escrow and deposit services. In contrast, popular forums focusing on Drugs, Fraud, and Carding also generate substantial revenue by selling advertising space on their pages.
“Hard to Be a God” - and even harder to be a RLCF’s administrator
To begin this Chapter, we want to share a story that, in our opinion, perfectly captures the burdens of RLCF administrators. In August 2022, The Record interviewed Mr. Mikhail Matveev, a prominent threat actor involved in at least eight ransomware groups and active to this date. Known among others by the pseudonyms "wazawaka" and "Orange", the Russian national explained the unanticipated challenges he had to deal with when developing and maintaining a cybercriminal forum.
In 2021, Mr. Matveev was a prominent member of the Ransomware as a Service (RaaS) group “Babuk”. The main feat of arms of “Babuk”, and paradoxically one of its last ones, was the hacking of the Metropolitan Police Department in April 2021. Fearing the repercussions of this attack, the group disbanded, supposedly after internal disputes between affiliates and Mr. Matveev eroded the gang’s cohesion. In a parallel development, May 2021 saw major Russian language cybercriminal forums, worried by the repercussions of DarkSide's ransomware attack on Colonial Pipeline in the US, publicly ban RaaS-related topics to shield themselves from Western intelligence and law enforcement agencies.
On the contrary, Mr. Matveev, who possessed a high-traffic Onion domain previously associated with the defunct Babuk RaaS blog, perceived this evolving landscape as an opportunity. Our antihero, a former affiliate of DarkSide, seemed undeterred by law enforcement's actions and decided to start his own forum focused precisely on ransomware and initial access brokers. Called “RAMP” for Ransomware Anonymous Market Place, the forum was unveiled in July 2021.
The launch of this project was anything but peaceful and straightforward. On the 22nd of July 2021, a threat actor left a message on RAMP asking for a 5,000-dollar ransom and threatening to start a spam attack within 24 hours if his demands were not met. Mr. Matveev seemingly disregarded this demand, leading to an attack the next day, during which multiple fake members posted pornographic GIFs.
Before the attack, the user count stood at around 350, and over 100 messages had been posted, indicating considerable interest in this new exchange platform. However, by July 26, after cleaning up and rewriting the forum's FluxBB engine, only 59 members remained listed. New registrations to the forum were suspended until August, and the conditions for access were tightened.
Nevertheless, the misadventures did not stop there. After the forum's vulnerabilities were fixed, RAMP became the target of permanent Distributed Denial of Service (DDoS) attacks, which required constant attention to limit their impact. Moreover, as new members joined the forum, the activity of some threat actors became disruptive for the community, which obliged Mr. Matveev to recruit and pay moderators. One of these moderators was the threat actor KAJIT, who became the next owner of the forum in the last months of 2021. Following his departure as RAMP's administrator, Mr. Matveev chose to undermine the forum for unknown reasons. He disseminated rumors through representatives of the LockBit and BlackMatter RaaS, and through the administrator of the prominent RLCF "XSS", suggesting that KAJIT was an agent of law enforcement.
Mr. Matveev’s story is quite illustrative of the common experience and problems that a RLCF administrator must think about and deal with daily. The Russian language cybercriminal ecosystem, like any other criminal community, is a highly competitive and aggressive environment. Mutual attacks, sometimes sponsored by rival forums, can target a forum’s infrastructure through hacking or DDoS attacks, or its reputation through disinformation campaigns. This explains why, in the case of RAMP, the forum cost Mr. Matveev more than what he earned from it. Nevertheless, as we are about to discover, not all RLCF struggle to navigate their challenging environment; some forums adapt and thrive.
A solid foundation for a successful RLCF
RLCF administrators constantly face the challenge of striking a balance between keeping their communities shielded from external threats by making them exclusive, and the need to draw enough active members to keep these communities vibrant. Consequently, while the majority of observed RLCFs are easily accessible to a wider audience, select and exclusive high-level communities depend on significant registration and escrow fees to ensure their financial viability.
Are RLCF really “underground” communities?
Although the term "underground" is commonly employed to describe cybercriminal forums, suggesting an element of concealment or difficulty in accessing them, this characterization does not entirely capture the actual state of most RLCF. Among the 94 identified active forums, 64 are accessible only via clear web links, and 26 are accessible both through clear web domains and the TOR network. Remarkably, the majority of RLCF are discoverable through conventional search engines like Google or Yandex. The primary challenge lies in following the frequent domain changes that many forums undergo.
RLCF that give members the option to connect via a TOR link mostly do so to appeal to users seeking to maintain high operational security (OPSEC), rather than to conceal their community.
Until recently, the ransomware-centric forum "RAMP" was accessible exclusively via a TOR link, and new members were required to pay a $500 fee for account activation. Although this fee still applies to new members without an established, reputable presence on forums like XSS or Exploit, a significant change occurred in April 2023. RAMP's administrator created a clear web domain, presumably as a strategic move to broaden the userbase. Moreover, the current owners of this forum explicitly targeted potential Chinese members by including a Chinese translation of the forum.
If an administrator of a RLCF wants to hide the content of his forum, he can employ various methods to restrict access. However, the decision to limit a forum’s accessibility is not universally applied, as it might adversely affect its popularity. Only certain exclusive communities tend to adopt this strategy, which can serve several goals. Drugs RLCF are often accessible only through TOR links because their clear web domain would simply be constantly banned by law enforcement. To help potential customers find them, Drugs RLCF owners create or rely on specific clear web websites that advertise “Darknet communities and marketplaces” by sharing their TOR links. A less radical, but still efficient, approach to access restriction involves concealing a forum’s content from non-members and preventing search engines from indexing the forum. Usually, the creation of a free account suffices for a threat actor to gain access to the forum's full range of information.
As of January 2024, merely 10 forums require payment for account creation or to enable interaction with other users. This is the case of RLCF like "Omerta", "WWH Club", and "Coockie Pro". Conversely, free communities aiming to maintain a degree of selectiveness occasionally restrict new account registrations during specific periods. Lately, RLCF such as XSS have become very popular, especially after the closure of prominent English language forums in 2022 and 2023. This has attracted many new English-speaking users, which has worried the forum’s administration and the Russian-speaking members. The administrator of this forum chose to prevent an overwhelming surge of new members, or individuals holding multiple accounts, by opening the registration of new accounts only during short periods.
Finally, an intermediary solution is to create a select community inside the community itself. Currently, 4 RLCF feature exclusive sections accessible solely to the most reputable members, as determined by the administration and peer members. This is a practice observed on forums like "Verified," or "Exploit", where access is granted based on the reputation and standing within the community or a certain number of posted messages.
What are the RLCF made of?
The inherently sensitive and illicit activities conducted within RLCF necessitate a stringent approach to their own cybersecurity practices. The economic competition between forums and rivalry among cybercriminal communities is often the reason for mutual attacks. Therefore, a cybercriminal forum that falls victim to defacement, data theft, or becomes inaccessible after a DDoS attack, could face an erosion of credibility and trust among its members. Critical security breaches not only compromise the forum's operational integrity but also significantly diminish its standing within the cybercriminal community.
The choice of the well-known Internet forum software package on which a RLCF is built is thus a key decision. Xenforo, vBulletin or IPB are very popular because they provide a satisfactory user experience and, most importantly, they are well studied by security researchers and hackers, which limits the risk of the discovery and exploitation of a 0-day vulnerability.
Threat actors actively use the flaws of forum software packages to damage the reputation and disrupt the functioning of rival forums, as was the case during summer 2022, when the Drugs forum “RuTor” got hacked by its rivals from a marketplace called “Kraken”. Nevertheless, new weaknesses can be found not only in the Internet forum software itself but also in the plugins deployed on forums. For instance, a vulnerable plugin caused a data leak on the forum “Exploit” in 2017.
The content delivery network (CDN) is another tool ensuring the security and accessibility of RLCF, as CDNs are an essential component of protection against DDoS attacks.
Other services provided by RLCF
Russian language cybercriminal forums are not only places where threat actors communicate or conduct business, but they also give them access to a useful working environment. For instance, all encountered RLCF offer to their members an escrow service. While we will delve into the specifics of an escrow system later, it's important to understand at this stage that it acts as a security mechanism. This system enables threat actors to confidently engage in buying and selling services and goods, with the assurance that the forum will refund them if the transaction does not proceed as expected. Naturally, this service is not complimentary; the fees are typically routed through the forum's Bitcoin wallets and retained until the transaction is successfully completed.
Another popular service offered by advanced RLCF is the possibility to create a Jabber/XMPP address (messaging service) hosted on the forum’s servers. Indeed, anonymity and confidentiality of communications outside forums are an important need for cybercriminals, and Jabber messengers are one of the tools that help them protect their exchanges. XMPP, or Extensible Messaging and Presence Protocol, is an open XML technology for real-time communication; it powers a wide range of applications such as the Jabber messenger. This messenger is still popular among Russian-speaking cybercriminals, although it was created back in 1999. The discovery in May 2023 of a remote code execution vulnerability in the TOX messenger, a decentralized communication tool very popular among Russian-speaking cybercriminals, has caused a revival in Jabber's popularity.
One of the weaknesses of the XMPP protocol and the Jabber messenger is the necessity to possess or use a server through which the communication transits. Thereby, cybercriminals must choose whether to set up their own server or to use an already existing one where logs are supposedly not kept. The most famous of these reportedly anonymous servers that belong to RLCF are @thesecure.biz and @exploit.im, belonging respectively to XSS and to Exploit. Overall, only 10 RLCF possess their own XMPP server.
A more common occurrence is the presence of a link to an official Telegram channel. Since the rise of Telegram to prominence, almost half of RLCF have created an official Telegram channel. The latter can take several forms: the most sophisticated ones have a channel with several threads that looks like a real forum, while less advanced Telegram channels belonging to RLCF simply possess a news feed and a chat.
Finally, in certain instances, some forums openly showcase their affiliations with other communities and marketplaces. These partnerships are often visible on forums via marketplace advertisements or through special threads linked to affiliated forums and websites. Additionally, some RLCF, like the carding-focused WWH-Club, incorporate financial services, including cryptocurrency mixers. Notably, prominent and sophisticated Drugs forums such as RuTor have developed a mobile application (Android and iOS) for their members to facilitate drug transactions. In a few exceptional cases, RLCF also offer unique tools like vulnerability and anonymity checkers, alongside file-sharing systems for their users.
RLCF and their economic system – a costly investment for a potentially important reward
As you may have guessed, very few individuals would put so much effort into the creation and maintenance of a cybercriminal forum if the goal of this activity was not profit generation. However, there are multiple methods to achieve this objective. We will explore the diverse monetization strategies employed by RLCF administrators. Grasping these strategies is crucial for understanding the economic foundations that support and propel financially successful forums, illustrating how they convert their illicit activities into financial profit.
A constraint of this study is the absence of precise data on expenses associated with advertisements, staff salaries, or infrastructure spending like hosting. Those costs are not transparently shared and tend to vary on a case-by-case basis, posing a challenge in acquiring accurate financial information for each RLCF. While bulletproof hosting providers openly disclose their rates for threat actors, the cost of their services for RLCF is specific and not disclosed. This variation is influenced by factors like the volume of traffic of each community, servers’ localization, and additional options, making a uniform evaluation challenging. Salaries of staff members are another unknown parameter, as moderators can either be volunteers or paid employees.
On the contrary, sources of income of RLCF can be somewhat estimated and are sometimes openly discussed by their administrators. According to LolzTeam’s creator, his forum is presently generating an income of 15 million rubles per year (close to $190,000 at the moment of the claim in April 2023). The administrator qualified this money as "gray" and claimed that he cannot report it to Russian tax services.
The price of glory – unavoidable spending and risky investments.
As the case of Mr. Matveev and his forum RAMP illustrates, the expenses associated with the maintenance and development of a cybercriminal community are significant. They include bulletproof hosting, DDoS and spam protection, forum engine technical maintenance, moderation and last but not least: time. Observation of other RLCF also suggests that costs related to content creation and advertisements can be substantial. Those last two categories are particularly important for new forums or for communities that need to compete to maintain the fidelity of their user base.
Advertisements - optional for dominant RLCF, critical for Drugs forums and new RLCF
The analysis of advertisements belonging to various RLCF indicates a diverse approach to advertising among Russian language cybercriminal communities. Not all of them invest in ads, and those that do, employ distinct strategies. Niche forums like “Exploit” or “XSS,” for instance, do not allocate funds for advertising as they are already famous and do not want to attract too much attention. In contrast, newer RLCF seeking to grow their community and reputation, such as the Carding forum “DarkClub,” are actively and aggressively promoting their activities.
A surprising phenomenon was observed as “DarkClub” started to publish ads on Telegram channels that have nothing to do with cybersecurity, which highlights the desire of some RLCF to attract new members outside of the hacking community. This strategy is also implemented by several Russian language Drugs forums, which have decided to target potential customers by displaying their advertisement banners on the streets and billboards of Russian cities such as Moscow, while at the same time attracting threat actors specialized in carding. After the death of several individuals paid by Drugs RLCF for deploying banners from the roofs of buildings, it seems that the new trend is now to use projectors to display advertisements.
The cost of buying advertisements on websites, Telegram channels, or other cybercriminal forums to promote a RLCF can be considerable. This was underscored by the FBI's arrest of the DeepDotWeb administrator, which disclosed that this individual earned over 8 million dollars from hosting links to marketplaces and cybercriminal forums on his website.
Content creation – a bonus for dominant RLCF, a critical investment for Drugs forums and new RLCF.
Several RLCF have created their own magazines about hacking or drug consumption. Interestingly, the magazine of the Drugs forum WayAway looks very professional from a design perspective, while the one belonging to XSS rather focuses on content quality and not so much on design.
Contests are another tool in the hands of community managers to attract new users or to retain existing members. Drugs RLCF face fierce competition, must permanently innovate to attract new customers, and often organize games with money prizes or free drugs. Cybercrime RLCF like XSS or Exploit also organize contests with several thousand dollars as a prize for the best paper about hacking, but their administrators usually find sponsors to finance the rewards for the winners. The last contest organized on XSS in November 2023 was sponsored for 20,000 dollars by a threat actor selling a Crypto Drainer.
Sources of revenues - the sinews of cybercrime.
The aforementioned expenses do not imply that all RLCF are owned by philanthropists ready to sacrifice their time and money on websites only for the benefit of the cybercriminal community. The most successful forums, with a huge active userbase and well-organized teams, can generate substantial income for their owners. For example, the Drugs Forum RuTor was allegedly sold for $3 million in 2022, which shows how much money is going through one of the most successful RLCF specializing in drugs selling. Registration fees, status selling, escrow service, advertisements, training, deposits, and gifts from users are common sources of revenue for RLCF. Advertisements and partnerships creation (with cybercriminal marketplaces) are, according to our observations, the biggest sources of income for RLCF.
Income generation and monetization philosophy.
While the sources of revenue of RLCF are clear, it does not imply that all communities share the same philosophy and adopt the same monetization strategy. The identified RLCF can be positioned on a line between two archetypes with opposing views about income generation and its importance.
- The first extremity depicts the archetypal forum that claims to generate just enough income to cover expenses. Extra money supposedly does not go into the administrator’s pockets but is reinvested to develop the forum. Advertisements are sparse, and the administrator does not openly monetize his knowledge about the members of the forum. Administrators of RLCF such as Exploit or XSS claim to be as close as possible to this idealistic archetype of management, although this should not be taken for granted. Observations of cryptocurrency transactions going through the addresses of these forums highlight that millions of dollars are transiting via the BTC addresses of Exploit and XSS.
- The second extremity represents communities held by openly financially motivated administrators whose objective is to squeeze as much income as possible from the forum and its userbase. RLCF like “RuTor”, “Darkmoney” or “WWH-Club” are closer to this archetype. Advertisements are present everywhere and the administrators do not hesitate to send advertisement emails to forum members.
Sources of income.
A symbolic source of income is money donation from members. It often occurs on RLCF that do not openly and aggressively monetize their community, or at least who display themselves as “communities focused on knowledge rather than on commercial activities”.
Although not always significant, registration fees on the few RLCF that limit access to their membership are not to be discarded. Generally ranging from $50 to $500, these fees can provide an interesting income, especially if the forum attracts many new users. A rare case where the registration price was set to $1,000 was also recorded.
To give you an idea of how much a renowned but still relatively small paid RLCF like Exploit can generate through registration fees we compared the number of members in January 2023 and in January 2024. In one year, the forum gained around 6,000 new accounts, which could bring 12,000 dollars if all these accounts were paid registrations.
Sale of premium statuses.
When a new member joins a RLCF, buying a premium status can be important to highlight his standing or to facilitate a commercial activity. Prices of statuses can vary from $50 to over $1,000 and grant various advantages, such as the right to sell something or to be trained by the administration of the forum in a specific illicit craft.
An interesting case was observed on XSS where, since last year, it has been possible to purchase a special account for crawlers. Sold for $2,000 a year, it is directly targeted at security researchers and threat intelligence companies. According to XSS’s administrator, the main idea behind this special crawler account is to allow researchers to gather data and scrape the forum without fear of getting restricted or banned. It is unknown if anyone has purchased this type of account.
Along with the purchase of statuses, the deposit of an amount of cryptocurrency or money on forums is another source of legitimacy and prominence for threat actors wishing to enhance their prestige and their chances of attracting new customers. A large deposit raises the trust of potential clients, as it guarantees that the administration can take this money to compensate a legitimately unsatisfied customer. This system is profitable for the forum owner because a commission is collected every time money is added or withdrawn. For instance, on XSS the commission for depositing money is 1% of the deposited sum, and 4% when the owner decides to withdraw it.
Another successful RLCF called LolzTeam is known for its impressive ability to generate revenue. According to the administrator of this forum, the various sellers present on the forum have deposited more than 65 million rubles in cryptocurrencies and fiat currencies (around 830,000 dollars at the moment of publication of this interview, on the 2nd of April 2023). It is useful to note that an 8% commission is taken at the moment of withdrawal of funds, which promises an interesting annuity for the forum.
All the observed RLCF offer an escrow service, typically charging up to 10% of the total transaction value. The service is designed to safeguard both sides in a deal by appointing the forum's administrator or another trusted member as a mediator. This intermediary plays a key role in confirming that both parties have adhered to the agreed terms. They possess the authority to issue a refund to the customer or safeguard the service provider's rights in the event of a transactional dispute. RLCF administrators often advocate for the use of their escrow service, increasingly making it a mandatory condition for members wishing to sell or buy anything on their forums.
Sophisticated cybercrime forums, like XSS or WWH-Club, feature fully automated escrow services, eliminating the need for administrators to personally oversee each transaction. The analysis of Bitcoin wallets used for escrow payments on these forums indicates that thousands of BTC have circulated through them, serving as a significant indicator of each forum's level of activity and financial throughput. On the 25th of May 2023 the threat actor “nightly” successfully sold on XSS an RCE vulnerability affecting the Tox messenger for 20 Bitcoins (close to $550,000 at that time). The forum made 55,000 dollars thanks to its escrow service on that occasion alone. While most deals are not so large, this case highlights how profitable the escrow system can be for RLCF.
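To make the fee mechanics described in the deposit and escrow paragraphs concrete, here is an added Python model of a forum's fee ledger. It is an illustration written for this Chapter, not code from the original post and not any forum's actual software. The percentages come from the text (XSS: 1% on deposit, 4% on withdrawal; LolzTeam: 8% on withdrawal; escrow: up to 10% of the deal); the BTC/USD rate is an assumption derived from the page's own figures (20 BTC close to $550,000 on 25 May 2023), and the choice that a refunded, disputed deal carries no escrow fee is also an assumption.

```python
"""Constructed model of a RLCF deposit-and-escrow fee schedule.

Rates are taken from the text; the BTC/USD rate and the no-fee-on-refund
rule are assumptions made for this example.
"""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

SATOSHI = Decimal("0.00000001")
# Assumption: 20 BTC ~ $550,000 on 25 May 2023 implies about $27,500 per BTC.
BTC_USD_MAY_2023 = Decimal("27500")


@dataclass
class FeeSchedule:
    deposit_pct: Decimal     # commission when a member adds money to a standing deposit
    withdrawal_pct: Decimal  # commission when the member withdraws it
    escrow_pct: Decimal      # forum's cut of an escrowed deal on release


# Fee schedules as stated on the page (escrow cap of 10% assumed to apply to both).
XSS_FEES = FeeSchedule(Decimal("1"), Decimal("4"), Decimal("10"))
LOLZTEAM_FEES = FeeSchedule(Decimal("0"), Decimal("8"), Decimal("10"))


@dataclass
class ForumLedger:
    fees: FeeSchedule
    balances: dict = field(default_factory=dict)  # member -> free balance
    held: dict = field(default_factory=dict)      # deal_id -> (buyer, seller, amount)
    forum_income: Decimal = Decimal("0")          # all commissions collected so far

    def _cut(self, amount: Decimal, pct: Decimal) -> Decimal:
        # Commission rounded to satoshi precision.
        return (amount * pct / Decimal("100")).quantize(SATOSHI, ROUND_HALF_UP)

    def deposit(self, member: str, amount: Decimal) -> Decimal:
        fee = self._cut(amount, self.fees.deposit_pct)
        self.forum_income += fee
        self.balances[member] = self.balances.get(member, Decimal("0")) + amount - fee
        return fee

    def withdraw(self, member: str, amount: Decimal) -> Decimal:
        if self.balances.get(member, Decimal("0")) < amount:
            raise ValueError("insufficient balance")
        fee = self._cut(amount, self.fees.withdrawal_pct)
        self.forum_income += fee
        self.balances[member] -= amount
        return amount - fee  # what the member actually receives

    def open_escrow(self, deal_id: str, buyer: str, seller: str, amount: Decimal) -> None:
        # The buyer pays the deal amount to the forum's escrow wallet; it is held there.
        self.held[deal_id] = (buyer, seller, amount)

    def release(self, deal_id: str) -> Decimal:
        # Mediator confirms delivery: forum keeps its cut, the seller is credited the rest.
        _buyer, seller, amount = self.held.pop(deal_id)
        fee = self._cut(amount, self.fees.escrow_pct)
        self.forum_income += fee
        self.balances[seller] = self.balances.get(seller, Decimal("0")) + amount - fee
        return fee

    def refund(self, deal_id: str) -> Decimal:
        # Dispute settled for the buyer: full amount returned (assumption: no fee taken).
        buyer, _seller, amount = self.held.pop(deal_id)
        self.balances[buyer] = self.balances.get(buyer, Decimal("0")) + amount
        return amount


def escrow_fee_btc(amount_btc: str, fees: FeeSchedule = XSS_FEES) -> Decimal:
    """Forum income from one escrowed deal of `amount_btc` that completes normally."""
    ledger = ForumLedger(fees)
    ledger.open_escrow("deal-1", "buyer", "seller", Decimal(amount_btc))
    return ledger.release("deal-1")


def escrow_fee_usd(amount_btc: str, rate: Decimal = BTC_USD_MAY_2023) -> Decimal:
    return escrow_fee_btc(amount_btc) * rate


def deposit_round_trip_cost(amount: str, fees: FeeSchedule = XSS_FEES) -> Decimal:
    """Total commission a member pays to deposit `amount` and then withdraw everything."""
    ledger = ForumLedger(fees)
    ledger.deposit("member", Decimal(amount))
    ledger.withdraw("member", ledger.balances["member"])
    return ledger.forum_income


def disputed_deal_income(amount_btc: str, fees: FeeSchedule = XSS_FEES) -> Decimal:
    """Forum income when the deal is refunded instead of released (zero under the assumption above)."""
    ledger = ForumLedger(fees)
    ledger.open_escrow("deal-2", "buyer", "seller", Decimal(amount_btc))
    ledger.refund("deal-2")
    return ledger.forum_income


if __name__ == "__main__":
    print("Escrow cut on the 20 BTC deal:", escrow_fee_btc("20"), "BTC =", escrow_fee_usd("20"), "USD")
    print("XSS deposit round trip on 1000:", deposit_round_trip_cost("1000"))
    print("LolzTeam deposit round trip on 1000:", deposit_round_trip_cost("1000", LOLZTEAM_FEES))
```

Run as a script, the model reproduces the page's figure (2 BTC, about $55,000, on the 20 BTC deal) and shows why a standing deposit is also profitable for the forum: under the XSS schedule a member loses 4.96% of a deposit over one round trip, under LolzTeam's 8%.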
An illustration of the revenue potential for RLCF can be seen through the publicly accessible advertising rates of the Drugs RLCF "RuTor". The cost of advertisement banners on this forum varies, starting at $300 per month for a smaller banner and escalating to $12,000 monthly for a banner placed in the forum's most prominent area. An assessment of the potential revenue generated by the 60 filled banners on RuTor's front page, based on a count of the ad placements whose prices are publicly available, suggests that banners alone could bring at least 145,500 dollars every month to the forum’s owners. Additionally, the forum capitalizes on its registered users' email addresses: sending a promotional email to RuTor's entire userbase is priced at $700. In the spring of 2023, RuTor also organized an auction for ten partnership marketplace slots, with bidding for the top three slots starting at $15,000.
“WWH-Club”, a successful RLCF specialized in carding, has managed to generate at least 919,708 dollars in advertisement and premium status revenue in 8 years. The presence of an account exclusively dedicated to the receipt of payments helps to assess the amount of revenue generated with ads. Interestingly, according to my observations last year in January 2023, the total generated revenue visible on this account was only 270,712 dollars, which means that the forum earned around 650,000 dollars in less than a year.
We hope that you found this Chapter insightful and that you learned some new things! Next time we will analyze the most prominent RLCF and understand what their place in the Russian language cybercriminal ecosystem is.
This blog post is also available on our cyber analyst's website - cybercrimediaries.com.
“An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There Is in Ransomware’,” The Record by Recorded Future, accessed October 6, 2022, https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/.
“Smoke and Mirrors: Understanding The Workings of Wazawaka,” accessed January 4, 2024, https://resources.prodaft.com/wazawaka-report.
“Ransomware Gang Leaks Data from Metropolitan Police Department,” BleepingComputer, accessed January 4, 2024, https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-metropolitan-police-department/.
VXunderground, “RAMP, the forum started by Babuk ransomware group, has seen a surge of flooding and spamming.,” Twitter, accessed October 8, 2022, https://twitter.com/vxunderground/status/1418549368806912006.
Efrat David, “New Russian-Speaking Forum - A New Place for RaaS?,” Kela, July 28, 2021, https://kela.local/new-russian-speaking-forum-a-new-place-for-raas/.
@Leakinfo, “XenSploit - Генерация Вредоносных Плагинов Для XenForo” [XenSploit - Generating Malicious Plugins for XenForo], Telegraph, March 27, 2021, telegra.ph/XenSploit--Generaciya-vredonosnyh-plaginov-dlya-XenForo-03-27.
“Нелегальный Даркнет-Маркетплейс BlackSprut Рекламируют На Московских Уличных Баннерах” [The Illegal Darknet Marketplace BlackSprut Is Advertised on Moscow Street Banners], accessed February 26, 2023, https://www.securitylab.ru/news/536309.php.
“DeepDotWeb Administrator Sentenced for Money Laundering Scheme,” January 26, 2022, https://www.justice.gov/opa/pr/deepdotweb-administrator-sentenced-money-laundering-scheme.
LOLZTEAM Интервью | RaysMorgan | Подкаст с Основателем Форума | В Честь 10-Летия LOLZTEAM [LOLZTEAM Interview | RaysMorgan | Podcast with the Forum's Founder | For LOLZTEAM's 10th Anniversary], 2023, https://www.youtube.com/watch?v=B6w8ic9aFpE.