Movies and other popular media have always cultivated the image of one huge, homogenous global crime syndicate that controls everything behind the scenes—a dark underbelly of the law-abiding world that peddles everything from the blatantly illegal to the lawfully murky. But through our own in-depth forays into the cybercriminal underground, we found that the real underground scene is nothing like the popular Hollywood scenario.
In the six times that we’ve snuck into enemy territory, we found six completely different cybercriminal economies. Of course, they’re not that wildly disparate—they still share the same vital trait of being a den of cyberthieves, peddling their wares to one another as well as to those looking to start out. But their differences are distinct enough to highlight—not only to distinguish them but perhaps also help the industry identify where future cybercriminal attacks can start from.
That said, how do they differ?
First off: Identity. Each cybercriminal underground we’ve investigated has its own unique characteristics. The Russian underground, for example, has a very standoffish feel to it, where each participant in a “transaction” is fully aware that whoever they’re dealing with may be lacking in scruples (since they ARE cybercriminals, after all) and thus take precautions—like using escrows—from being double-crossed.
Second: Product/Service lineup. It’s easy enough to assume that each cybercriminal underground will offer the same kinds of products and services, and any differences would lie in the language they use. The truth is that each cybercriminal underground has its own set of "exclusive" offerings. Japan, for example, is the only cybercriminal underground that offers child pornography as a purchasable product. The North American cybercriminal underground, on the other hand, offers not only illegal drugs to customers, but also murder-for-hire services. The Chinese underground offers hardware designed to facilitate cybercriminal activities, like card skimmers that automatically send stolen information from skimmed cards through Short Message Service (SMS).
Third: Accessibility to newcomers. Just like getting inducted into the world of organized crime, getting into cybercrime is easier in some places and harder in others. In Japan, cybercriminal forums and pages are closed off to outsiders through passwords that involve specific cybercriminal jargon and obscure terminologies in their native tongue (Nihongo). This not only keeps foreigners out but also those in law enforcement. In contrast, the North American cybercriminal underground lays everything out in the open; product menus and price lists can be seen on the Surface Web, and even their how-to guides can be easily found on mainstream online media sites. It’s so open that anyone can go to YouTube right now and watch a tutorial on how to use a remote access tool (RAT).
Some more interesting highlights from each cybercriminal underground:
- Popular Russian underground forums can have up to 20,000 unique members.
- Cybercriminals who launder earnings using compromised corporate accounts get 50% of the sum laundered.
- Garants and escrows get 3–15% (or more) of the amounts they guarantee after transactions are concluded.
- Users in the Japanese underground are fond of using a secure communication service called "SAFe-mail."
- Despite the fact that people found in possession of materials related to child pornography can be fined up to US$8,351 and imprisoned in Japan since 2014, the country's underground remains rife with the illicit content.
- In the Chinese underground, cybercriminals can buy leaked data using forum coins or credit points that can be purchased on Alipay.
- An individual from Hangzhou was tried in the US for credit card fraud in February 2014 for instigating a successful spam run that cost card providers roughly US$808,855.
- Proof of the open, almost glasslike nature of the North American underground is the presence of how-to-use-RAT videos on YouTube.
- Murder-for-hire services are available in the North American underground. Having someone beaten can cost as little as US$3,000. Getting someone killed costs US$45,000.
- Crimenetwork.biz, the biggest German underground marketplace known for trading narcotics and crimeware, has 64,000 registered members (8,000 of whom are active) since its launch in 2009.
- Around 300 Russian and German underground forum users actively operated in both communities, leading us to believe that substantial collaboration between them occurs.
- Brazilian cybercriminals’ brazenness is manifested with their use of publicly accessible platforms such as Facebook, Twitter, and YouTube for malicious activities.
- Bank fraud remains a surefire way for Brazilian cybercriminals to make money. Ransomware, KAISER malware, that can bypass tokenization systems; keyloggers such as Proxy and Remota; and Domain Name System (DNS) changers remain underground mainstays.
- Most of the products and services offered—“secret” weapons; suicide/euthanasia kits; mailbox master keys; fake bills, receipts, car registrations, and checks; bank-account-opening services; and driver’s license points—answer a need in the real world.
- The French underground is not only well-hidden in the Dark Web, its players also operate under a shroud of extreme caution.
- French underground market players are not only wary of law enforcement agencies that implement stringent cybercrime laws, but even of players (forum/marketplace/autoshop administrators/members) who may be working with the former.
- There are two major types of West African cybercriminals—Yahoo boys and next-level cybercriminals.
- West African cybercriminals willingly share their technical know-how and best practices. They constantly communicate with one another and even work in tight-knit groups via email and social media.
- An ironic confluence of ideology and cybercrime characterizes the region, where a “spirit of sharing” and sense of brotherhood support crimeware distribution.
- Cultural pleasantries start and end murky business transactions. Ideology often influences what is sold and traded, motivating the criminal activities in forums and sites.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.
- Exposed Container Registries: A Potential Vector for Supply-Chain Attacks
- LockBit, BlackCat, and Clop Prevail as Top RAAS Groups: Ransomware in 1H 2023
- Diving Deep Into Quantum Computing: Modern Cryptography
- Uncovering Silent Threats in Azure Machine Learning Service: Part 2
- The Linux Threat Landscape Report