Threat Spotlight: Key Trends in Illicit Communities

A navy background with the white text "Key Trends in Illicit Communities"

Executive Summary

Over the years, we’ve been monitoring illicit communities on the clear web, dark web, and instant messaging platforms, and observing interesting trends.

  • Generally, the dark web marketplace ecosystem is stable, as it’s been a while since the last exit scam, and more centralized as AlphaBay continues to improve and release new features
  • Threat actors are active on messaging platforms like Telegram because it’s easy to use, convenient, reliable, anonymous, and feels risk free
  • Stealer malware contributed to a number of major breaches in 2022 (and may become an even larger problem in 2023)
  • The recently announced Russian draft could change the Russia-based threat actor landscape as people join the military or flee the country to avoid the draft 

These trends have also given us an idea of what to expect going into 2023. 

Check out our full webinar recording, Illicit Communities in 2022: Key Trends to Monitor for Illicit Communities on the Dark Web, Clear Web, and Telegram, and/or keep reading for the highlights.

What’s Happened in 2022 So Far

Malicious actors are increasingly spending more time on instant messaging platforms like Discord and Telegram instead of the more traditional dark web marketplaces.

Major events in 2022 include:

  • Site takedowns
  • Exit scams
  • Establishing market leaders
  • Surge of ransom blogs and malware blogs

What are Takedowns? 

Takedowns occur when law enforcement gains access to and shuts down a site’s underlying infrastructure. Sometimes, the investigators arrest market operators.

However, this is an eternal game of “whack-a-mole,” because after a takedown, different marketplaces pop up in its place and the threat actor population migrates to them.

Outlook for 2023

In 2023, ransomware and stealer logs will continue to grow as threats, and the state of the Russian invasion of Ukraine will also affect the illicit community landscape. 


This is lucrative for threat actors, especially with ransomware as a service becoming much easier to use. Authorities have been able to bust some ransomware groups, but they get replaced by other groups.

Recommendation: Keep up to date on ransomware blogs to stay current on recent attacks.

Stealer Logs

Infected device markets, which sell access to infected computers so buyers can gain access to compromised online accounts, are growing consistently on the dark and clear web.

These devices are for sale for as little as $10, and they can provide hundreds of unique logins stored in the browser. These can even sometimes bypass corporate 2FA authentication controls. This is dangerous, as stealer logs are often used as entry points for breaches. 

Russian Invasion of Ukraine 

The Russian invasion of Ukraine, and the recent draft announcement will impact the Russia-based threat actor environment. 

The draft seeks able-bodied Russian men, so there are people who are joining the military, or fleeing the country to avoid it. This could lead to Russia-based threat actors not contributing or visiting illicit communities and forums as much as before as they are in the military or in a different country and do not have the time or resources they previously had to visit the dark web. 

There is uncertainty about the activity level in illicit Russian markets and forums over the next year.

Prioritizing Monitoring Telegram

Threat actors are flocking to instant messaging platforms like Discord and Telegram. They are appealing because:

  • They’re easy to use: It’s simpler to share multimedia content or proof of compromise than it is to share on a dark web forum. It’s also more reliable than a forum that constantly changes hosting systems. Also, the strict privacy policies establish a sense of safety.
  • The interactions are “less permanent”: When people publish something on forums, it can be there forever and be a part of the public archives on the internet. However, for instant messaging platforms, there is the sense that since only people on the member list can see the message, the message will disappear within the flow of incoming messages. Cybercriminals can tend to be more talkative on these platforms and take some risks with opening up because they feel that there’s less data retention. 

Discord presents different challenges, like fast takedowns (so it’s harder to scale monitoring), keeping rooms up to date, and having enough data to pull from. It overall requires more manual effort to scan. 

Unless Telegram starts cracking down more heavily on groups’ activities, it will be a valuable platform to monitor.

How Flare Can Help

Flare enables you to automatically scan the clear and dark web for your organization’s leaked data, whether it be infected devices, technical data, source code, leaked credentials, or secrets on public GitHub repos. This approach enables you to proactively identify sensitive data leaks and prevent data breaches before malicious actors utilize them.

Flare allows you and your security team to: 

  • Get ahead of reacting to attempted network intrusions before they happen by rapidly detecting stolen credentials and infected devices for sale 
  • Cut incident response time by up to 95% and monitor around 10 billion leaked credentials
  • Understand your organization’s external data exposure (digital footprint) with proactive recommendations to improve your security posture based on real world, contextualized data

Want to see how Flare can monitor various illicit communities for your organization? Request a demo to learn more.

Share This Article

Related Content