There is no need to say that 2020 was ground-shaking. The pandemic affected just about all aspects of life in ways that we are only starting to understand. It tremendously impacted the cyber underground as well.
Nearly all of Cybersixgill’s research reports dealt directly or indirectly with the impact of COVID on the cyber underground. The months of the lockdowns brought an unprecedented spike in actors and posts in underground forums and platforms, peaking in April. In addition to the large volume of discourse about the virus itself (“Are we all going to die?”), threat actors openly expressed that the lockdown, fear of contagion, remote-working chaos, and stimulus cash all presented opportunities for financial windfalls.
Because of this, criminal activity rose in all areas; our reports documented a major surge in hacked gaming store accounts, compromised RDP credentials, money laundering services, and narcotics. Due to their rise in importance, videoconferencing, remote learning, ecommerce, and hospitals became more appealing targets.
While COVID is the central theme of the year, we told other stories as well. We investigated hacking against education, social media, eSports, and IoT devices. We reviewed vishing, election discourse, and the underground market for counterfeits. And we set out to understand just how many actors are active in dark web forums to begin with.
Altogether, this is a comprehensive body of work that affects nearly every major vertical. These reports demonstrate just how big the world of the dark web really is, the diversity of its threats, and how, through usage of our portal and API, a researcher can really get to know what’s out there.
In our recently published State of the Underground Report, we take a bird’s eye view on underground activity in 2020 and compare it with what we observed in 2019 and then we dared to make some predictions for 2021. Here are some highlights:
2020 by the numbers
The findings mentioned in the report include the following:
We identified 1,344,415 non-digital products posted for sale in underground markets in 2020, 223% of 2019’s figure.
We collected 50,156,373 forum posts and replies in 2020. This represents 153% of 2019’s figure. Forum posts peaked in April 2020. Some of this rise can be attributed to an increase of interest in cybercrime due to the effects and opportunities caused by the pandemic. It can also be attributed to boredom; actors were locked down, so they resorted to the dark web for entertainment.
The top 11 cybercrime forums hosted an average of 206,011 unique monthly users. This was 140% of 2019’s figure.
In 2020, we collected 364,978,045 chats from messaging platforms, an increase of 730% of 2019’s figure.
The number of compromised credit cards with CVV decreased by nearly 50% from 2019 (101,146,147) to 2020 (50,109,526). The number of dumps (cards without CVVs) rose to 134% (39,195,596 to 52,623,699).
The average selling price of a card with CVV in 2020 was $15.98, and of a dump, $22.18. Both prices represent an increase from 2019’s rates of $11.04 for a CVV and $10.51 for a dump.
Emotet, Mirai, and Zeus were the most-mentioned malware families in dark web forums.
CVE-2020-1895 had the highest DVE score of any vulnerabilities, registering a perfect 10 in October and November.
Looking ahead to 2021
If there is ever a time in which we ought to be too humble to make a prediction about next year, it's this year. But we’ll try. Looking ahead to 2021, we anticipate that the cybercrime underground will continue to grow.
It will grow in terms of activity and participation. The ongoing pandemic and economic crisis will motivate additional users to seek illicit financial gain. Some may turn to crime and fraud out of personal financial difficulties. Others, because the opportunities of pandemic cybercrime are too lucrative to refuse.
Opportunities for cybercrime will also continue to grow. Driven by social distancing, more of our daily routines are becoming digitized, including work, socialization, shopping, banking, and healthcare. Each one engenders an array of options for dark web actors to exploit, whether through hacking or social engineering. And as more actors meet and collaborate on the underground, attackers can grow their schemes in complexity and scope.
The underground will also continue to branch out from the traditional onion sites to messaging platforms. Especially in the wake of very effective law enforcement measures against credit card markets, actors may seek to set up shop on more bulletproof platforms.
Finally, we believe that the cyber underground could become the central arena for radical political discourse. The recent crackdown of hate speech and incitement by social media giants may drive the nexus of this discourse from Twitter to dark web forums and messaging platforms such as Telegram.
For more details on dark web activities in 2020 and what may lay ahead in 2021 read the full report.