March 27, 2024by Dov Lerner

State of the Underground 2024: Cybercriminal discourse is hiding in the shadows

Our new State of the Underground 2024 report sheds light on numerous cybercriminal trends in the underground based on activities throughout 2023. We wrote the report to give CISOs and their teams an understanding of where and how threat actors are concentrating their efforts so they can be better prepared to detect and mitigate threats and vulnerabilities.

One trend discussed in the report is the reduced amount of cybercriminal discourse on underground forums and messaging platforms. As the report states, Historically, we have seen threat actors transition from communicating on underground forums to messaging platforms, with Telegram becoming an important platform for malicious activity. In 2023 this trend took another turn, as activity in both areas has significantly declined.

Further, our report reveals some startling statistics:

  1. 31.6% decline in the number of posts collected from messaging platforms in 2023 vs 2022. The first decline recorded to date

  2. 43.3% decline in the number of posts collected from underground forums in 2023 vs 2022, the largest decline recorded to date

  3. 50.3% decline in the number of threat actors active on the top 10 underground forums in 2023 vs 2022, the largest decline recorded to date

  4. 26% decline in the number of posts on a prominent right-wing extremist forum, from 43 million in 2022 to 32 million in 2023.

  5. BreachForums, one of the largest underground forums, was seized and shut down in March 2023, causing a sharp drop in forum posts from March to April. It has since reopened under a new owner.

  6. Activity recorded on messaging platforms trended upward in the first 8 months of 2023. However, the total volume recorded during this period was still a reduction from 2022’s numbers

What has caused threat actors to stymie their underground chatter? And more importantly, where have they gone?

The drop in activity on right-wing extremist forums cited above might mean that many participants lost interest. However, it could also mean that many, fearing law enforcement monitoring, went deeper underground into closed platforms. To discover where and how threat actors are communicating, we’re continuing to leverage our covert access to closed forums and marketplaces.

Similarly, the takedown of notorious forum sites like RaidForums in April 2022 and BreachedForums (aka Breached) in March 2023, and the subsequent arrest of Breached’s founder, Conor Brian Fitzpatrick, may have intimidated many actors from communicating on sites where covert law enforcement officials may be able to find them.

Knowing that cybercrime presents a low risk for bad actors and can deliver highly lucrative rewards, we don’t suspect for a second that the drop in underground communications is a reflection of less cybercriminal activity. In fact, our report shows that while some forms of cybercrime have dropped (such as a reduction in the number of known exploited vulnerabilities recorded by the Cybersecurity and Infrastructure Security Agency (CISA) and a decline in the number of ransomware attacks in 2023), cybercrime is a continuous, critical threat to companies, government entities, and individuals around the globe. Furthermore, while we reported a reduction in the number of activities, we also reported an increase in the financial damage caused to targeted organizations by ransomware attacks and related activities.

It’s quite possible that underground hackers have gone back to more rudimentary modes of communication, potentially using burner phones and carrier pigeons. We’re continuing to monitor deep and dark web discourse daily to determine where cybercriminal discourse is taking place. 

In the meantime, we encourage everyone in the cybersecurity community to take extra precautions and leverage real-time, contextual threat intelligence to take a proactive approach to cyber defense – and make sure your non-cybersecurity counterparts are doing the same.

If you want to learn more about these and other findings, download the report to gain an in-depth understanding of the underground we face in 2024.

If you want to see a demo of Cybersixgill’s solutions and learn how we can help keep you a step ahead of the cybercrime underground, sign up for a demo of our products or contact us for more information. 

You may also like

SOTU-Ransomware blog thumbnail

April 17, 2024

State of the Underground 2024: Two ways to guard against the ongoing threat of ransomware

Read more
Access for Sale Blog-Thumbnail

April 16, 2024

Cybersixgill’s Access Currently for Sale - high-value intelligence just got even better

Read more
Change Healthcare Breach Blog Thumbnail

April 15, 2024

Change Healthcare Breach: Data in the Hands of a New Ransomware Group

Read more