Cybercrime forums provide an outlet for threat actors to coordinate, exchange information, and conduct illicit trades. Often hosted on the dark web (but sometimes accessible via the clear web), these forums are hubs of malicious activity. The typical structure of a cybercrime forum sees a dedicated marketplace section that facilitates the sale of stolen credentials, ransomware-as-a-service, and malware while a separate section is reserved for general cybercrime discussions.
It’s no secret that Russia is a veritable capital of cybercrime activity. Recent analysis suggests 74 percent of ransomware revenue goes to Russia-linked threat actors. Beyond for-profit cybercrime, Russia also has a well-documented history of conducting state-sponsored cyber warfare.
From a threat intelligence standpoint, it’s beneficial to monitor cybercrime forums for mentions of your organization. Monitoring these forums can provide indications of an impending attack on your company or reveal user credentials for sale, whose accounts you can then preemptively reset before they get infiltrated. This article takes a look at the top Russian cybercrime forums worth keeping an eye on in 2023.
Top Russian Cybercrime Forums
Exploit.in
Exploit is one of the longest-running underground hacking forums, having been launched way back in 2005. As the name suggests, the site’s initial purpose was to provide a place for malicious actors to discuss working exploits for various vulnerabilities. Exploit naturally evolved to encompass discussions about other types of cybercrime activity, from social engineering techniques to tutorials on breaking cryptographic algorithms.
This forum is a predominantly Russian language forum with a marketplace section where cybercriminals trade in stolen credit card details, malware, and even zero-day exploits. Explicit also functions as a cybercrime news site. Interestingly, this forum is accessible via both standard Internet browsers on the clear web and via the dark web using the Tor browser.
To get access to and participate in forum discussions, threat actors either pay a $100 fee for automatic access or they can attempt to get free access on the condition that they’ve established a reputation on other ”friendly” forums. While these conditions technically make Exploit a closed forum, a $100 fee is unlikely to deter companies from registering fake accounts to monitor for threat intel purposes.
Exploit admins had to deal with a breach in 2021 that saw an intruder gaining Secure Socket Shell (SSH) access to a proxy server that protected the site from DDoS attacks. This breach of the forum formed part of a wider cluster of four breaches hitting various underground cybercrime forums within a short time span.
XSS.is
XSS is another closed Russian language forum that’s accessible on the clear web and dark web. Admins promise various security and anonymity features to protect registered users, including disabling IP address logs for all users and user actions and implementing encrypted private messages. There aren’t many barriers to registration on XSS—new users simply select credentials, input a valid email, answer a basic cybersecurity question, and await approval from the site’s admin.
Content on XSS relates to discussions and trades in credential access, exploits, and valuable zero-day vulnerabilities for which no security patches exist. Additional exclusive private sections on XSS require payment to access. Previously, XSS was extensively used to recruit affiliates for ransomware-as-a-service gangs, but forum admins banned ransomware topics in 2021.
Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.
This Russian cybercrime forum’s name stems from a type of web application vulnerability known as cross-site scripting. The site used to be known as DaMaGeLaB from 2013 until the arrest of an administrator in 2018, at which point it was rebranded as XSS.
RAMP Forum
The formation of the RAMP 2.0 (Russian Anonymous Market Place) forum in 2021 has an interesting backstory, having been launched on a domain previously used by the notorious ransomware gang Babuk.
The Babuk ransomware operation carried out ransomware attacks on Washington DC Metropolitan Police Department and The Houston Rockets basketball team. Babuk’s threat actors previously used this dark web onion domain for publishing stolen data when victims refused to cave into their ransomware demands.
A previous version of RAMP existed from 2012 to 2018 on a different domain, but it was more centered around buying and selling illegal products. Russian law enforcement closed the first iteration of RAMP down, but a new version emerged with a focus on cybercrime. Popular forum sections include a partner program for ransomware groups, a malware section, and another section dedicated to selling access to corporate accounts.
Registration for RAMP 2.0 requires being an active member of Exploit and XSS for at least two months. A good reputation on both forums is also essential to gain entry to RAMP. The forum’s language options have evolved from solely Russian to now include Mandarin and English.
Verified and Maza
Verified is a popular Russian language cybercrime forum that’s been around for over a decade while Maza is an elite Russian cybercrime forum on the scene since 2003. These forums are worth discussing together because of what happened to them in early 2021.
As part of a spate of attacks on a number of Russian cybercrime forums, both Verified and Maza suffered serious breaches. In the case of Maza, forum members logging in were greeted with a message about their data being leaked and the forum being compromised. Verified suffered a similar fate, with unnamed operators hijacking the forum.
Breaches and takedowns of cybercrime forums don’t necessarily mean they’ll permanently shut down. These forums often reemerge after a period of time. It is worth speculating whether the incidents that hit both forums drove the surge in recent adoption of Telegram groups as an alternative to traditional forums and marketplaces for cybercrime. Perhaps cybercriminals got spooked about members of those forums who had their usernames and email addresses made public.
Automated High-Risk Exposure Monitoring
Russian cybercrime forums and other dark web domains are useful resources worth monitoring for leaked credentials and indicators of targeted attacks. However, manually monitoring the top forums is a recipe for slow remediation and noisy threat data. And, most organizations lack the resources for cybersecurity analysts to track the ever-evolving forum landscape.
Flare’s dark web monitoring solution automates the monitoring of illicit forums and marketplaces. You also get real-time alerts if your company or assets are mentioned on the dark & clear web or if there is a high risk of account takeover detected.
