news
October 4, 2021by Dov Lerner

For Business or for Banter: Who Roams the Dark Web? (and Why?)

Behind every underground forum username lies a unique individual with his or her own personal motivations for logging in. In Cybersixgill’s latest research, Forumology II: Journey of a Threat Actor, we discovered something interesting: a correlation between why an actor uses a forum and how often the actor posts. What does this mean? Let’s take a closer look.

One-timers

A tremendous number of actors only author one single post - ever - on underground forums. In our research sample group from five leading underground criminal forums, we found that approximately 15% of all actors were one-post wonders. Why would an actor contribute only once, never to post again?

Very often, these are actors that are simply dabbling, testing out the cybercriminal waters. Their one post might be a simple “thank you” to someone that shared compromised Netflix credentials, or they might be asking a basic question about how to find high-quality fullz identity packages.

However, many other one-post actors are actually skilled cybercriminals maintaining strong OPSEC. Meaning, in order to not leave any trail whatsoever, they will create a burner account, post a single time about a scheme (while looking for customers, suppliers, or partners), and then never use the account again.

Professionals

Professionals are on the forums to make money, and their posts are strictly business. These actors are careful, leaving no  personal details beyond the necessary contact information for conducting transactions.

Many professionals begin as novices, with smaller-scale schemes and post counts. As they begin to find success in their ventures, honing their skills and gaining experience, they may grow in sophistication and post frequency. Most mature professionals that we observed have post counts of around 10-50 posts per quarter-year.

For example, we analyzed an actor that first posted selling Best Buy gift cards in 2016.

Over the next four years, this actor advanced beyond these less-sophisticated, less-profitable attacks in a major way. By mid-2020, his post count rose to over 10 posts per quarter. During this time, he sold access to the cloud service of a “renowned game developer” for a substantial $25,000.

Most professionals are presumably aware that consistent posting over several years from the same account leaves a paper trail. But instead of prioritizing OPSEC, like many of the one-timers, these actors  are focusing on something else: building their reputation. This is essential for their continued success - if they develop a long history of successful transactions, then other forum members will know them, trust them, and even vouch for them in the future.

Socializers

Socializers are a very different breed. While many of them remain highly involved in cybercriminal activity, the vast majority of their posts are not criminal in nature. For these actors, the forums hold a personal significance, providing a sense of community and belonging. The underground  is to them what Facebook, Twitter, or Reddit are for others - a social network where they can connect to like-minded individuals. And, just like users on clear-web social media platforms, they often share (or even, overshare) personal details, opinions and anecdotes. For example, this actor opened up about his medical woes, posting about having suffered a heart attack a few days earlier:

While the professionals only post a dozen or so times per quarter, socializers might  post hundreds or even thousands of times. They represent the top users of the forums--a tiny group that accounts for a disproportionate number of posts, often with little to no intelligence value at all.

For socializers, forum participation is integral to their lives and even their identities. The same actor that shared about his heart attack boasts a canon of nearly 40,000 posts, including discussions of recipes and hobbies. At one point, he noted that he has spent 2-3 hours on the forum each day for 12 years:

Similarly, we examined another socializer on a different forum who authored nearly 3,600 total posts, which include musings about concerts, social media apps, and most recently, his diet. For him, forum participation is such a integral part of his life that he felt the need to inform his fellow forum-members that he would be taking a weeklong vacation, joking, “don’t miss me too much.”

This glimpse into why and how often actors post is clearly interesting, but how is it useful to analysts? In a broad sense, it shows that deep and dark web forums mean different things to different people. Some actors use forums in a purely utilitarian sense, simply as a means to attain their desired financial ends.  For others, forums are the foundation of their social identity, offering a promise of friendship and a sense of community.

More specifically, this line of research offers analysts another data point in their investigations of threat actors. When investigating an actor, it is worthwhile to examine how consistently the actor posts. Once, a few dozen times per quarter, or a few hundred? Are they strictly focused on cybercrime, or are they writing more broadly about their life, opinions, and the banal ideas that come into their heads?

Patterns in post count, when analyzed alongside the content in an actor’s posts, can reveal valuable clues regarding the actor’s motivation, present sophistication, and future ambitions. Using this intel, we gain a rare glimpse into the mind of the anonymous, allowing us to discern who’s out there.

Download the full report to delve deeper into the secret lives of underground threat actors, where we examine the various factors that influence dark web activity and provide a framework for analysts to account for these elements while conducting investigations.

You may also like

Nuclear Facility Threat Intelligence _part 2

December 03, 2024

Beyond Nuclear: Protecting Critical Infrastructure Through Intelligence

Read more
Rising Cybersecurity Threats to Nuclear Infrastructure

November 19, 2024

Nuclear Facility Threat Intelligence – The Sellafield Near Miss

Read more
A New Chapter

November 14, 2024

A New Chapter as Cybersixgill is acquired by Bitsight

Read more