22 Illicit Cybercrime Sources to Monitor in 2026

January 18, 2023

This article was updated on April 6, 2026 and originally published on January 18, 2023.

An effective cyber threat intelligence strategy requires monitoring a wide range of illicit sources to understand the external threats facing your organization. As threat actors shift where they gather data and share playbooks, Flare helps you stay current on the top illicit communities worth watching.

For each community below, we outline what researchers can expect to find and why it deserves a spot on your watchlist.

Cyber Threat Intelligence

Monitor Illicit Communities

Flare continuously monitors dark web marketplaces, cybercrime forums, and illicit Telegram channels so your team can detect exposed credentials, leaked data, and emerging threats without direct access to underground platforms.

Automated alerts for exposed credentials & data
Coverage across forums, marketplaces, and Telegram

1. Russian Market

Launched as an autoshop for stolen credentials, Russian Market has grown into one of the most active marketplaces for stealer logs and infected devices. The platform primarily caters to buyers seeking access to browser-stored data and compromised endpoints.

Researchers can find:

  • Large volumes of stealer logs and credential dumps
  • Bot listings with device fingerprints and metadata
  • Pricing structures and geographic indicators
  • Malware family identifiers and campaign patterns

Monitoring Russian Market helps identify compromised accounts, understand credential-theft trends, and prioritize incident response actions.

2. Genesis Market

Genesis Market became infamous for selling complete browser fingerprints, or “bots,” that allow attackers to replicate victims’ digital identities. Its sophisticated interface and pricing model made it a preferred venue for advanced fraud operations before multiple law enforcement takedowns disrupted its infrastructure in 2023. However, it became operational again soon afterwards.

Researchers can find:

  • Browser fingerprint and bot listings
  • Pricing and subscription models
  • Indicators tied to known stealer malware families
  • Historical dataset references for cross-correlation

Tracking Genesis Market offers visibility into how attackers weaponize session hijacking and credential data for stealthy account takeovers.

3. Exploit

Known originally as Hack-All, Exploit is one of the oldest continuously running Russian-language cybercrime forums. Over time, it became a go-to alternative for users displaced from other sites. By mid-2025, as XSS destabilized, Exploit absorbed many migrating users.

Researchers can find:

  • Sales of stolen personal information and credit card dumps
  • Account credentials and exploit proof-of-concepts
  • Ransomware toolkits and botnet services
  • Forum discussions revealing evolving TTPs

Despite frequent rumors of infiltration, Exploit remains one of the most active and historically significant forums in the Russian-speaking underground.

4. BriansClub

Named after its long history in the carding scene, BriansClub focuses on the sale of stolen payment cards and identity data. Despite periodic law enforcement seizures, it has repeatedly resurfaced under new domains.

Researchers can find:

  • Dumps of payment card information and PII
  • References to breached retail and financial entities
  • Market volumes and seller rankings
  • Distribution data used in fraud mapping

Monitoring BriansClub can alert financial institutions to compromised card data before large-scale fraud occurs.

5. Exodus Marketplace

Exodus Marketplace is an invite-only underground platform selling stealer logs and bot access. Its curated listings and tiered membership system appeal to professionalized cybercriminal groups.

Researchers can find:

  • Stealer log listings and bot counts
  • Pricing per device or dataset
  • Advertisements tied to known malware campaigns
  • Actor behavior across connected forums

Security teams can monitor Exodus Marketplace to gain visibility into how threat groups monetize browser data, enabling them to identify active distribution networks.

6. ASAP Market

ASAP Market has evolved into one of the largest international dark web marketplaces, hosting listings for both physical goods and cybercrime-related services. Its geographic segmentation makes it a notable hub for regional threat monitoring.

Researchers can find:

  • Listings for digital goods and stolen data
  • Vendor performance and transaction reviews
  • Shipping or escrow details indicating country-specific activity
  • Cross-market linkages to other illicit platforms

Tracking ASAP Market helps detect regional fraud trends and identify emerging cybercriminal vendors.

7. We The North

We The North is a Canadian-centric marketplace focusing on digital goods, stolen data, and financial fraud tools. It primarily serves local actors seeking domestic trade channels.

Researchers can find:

  • Fraud listings specific to Canadian banks and institutions
  • Digital product sales with local payment methods
  • Vendor and buyer reputations
  • Cross-border transaction footprints

For analysts tracking regional threats, We The North highlights localized cybercrime economies and national fraud patterns.

8. XSS (XSS.is)

Successor to the original DaMaGeLaB forum, XSS is a major Russian-language cybercrime community dedicated to exploit trading, ransomware recruitment, and malware development.

Researchers can find:

  • Exploit proof-of-concepts and vulnerability discussions
  • Ransomware and initial access advertisements
  • Actor recruitment threads for affiliate programs
  • Tutorials on evasion and tooling development

XSS remains a vital hub for understanding ransomware supply chains and exploit trends across the underground economy.

9. DarkForums

Following the takedown of BreachForums, DarkForums became the primary refuge for displaced users. Its tiered membership system and subscription model emphasize the resale of breached databases and compromised credentials.

Researchers can find:

  • Newly leaked databases and user dumps
  • Subscription tiers granting access to premium leaks
  • Seller reputations and moderator enforcement activity
  • User migration trends from previous forums

By reviewing DarkForums, security teams can identify newly circulated breach data and actor migration patterns.

10. DamageLib

DamageLib evolved from older Russian-language hacking communities, emphasizing knowledge-sharing rather than direct commerce. Its content focuses on exploit development and malware engineering discussions.

Researchers can find:

  • Hacking tutorials and exploit guides
  • Discussions on code obfuscation and payload delivery
  • Mentorship and peer exchange among developers
  • Cross-links to active tool repositories

Following DamageLib provides insight into the technical skills fueling new attack tools before they enter the marketplace.

11. Leakbase

Leakbase is an English-language forum specializing in the sale and exchange of leaked databases. It operates on a subscription model granting access to continuously updated data collections.

Researchers can find:

  • Database dumps containing PII and credentials
  • Seller advertisements for private leaks
  • Breach verification discussions and metadata
  • Historical archives of past data sales

Watching Leakbase provides insight into how breach data circulates and which datasets attract repeat buyers.

12. BreachForums

Created as a successor to RaidForums, BreachForums became a key repository for data leaks and breach announcements until multiple takedowns disrupted its continuity.

Researchers can find:

  • Large breach dumps and dataset links
  • User posts verifying leak authenticity
  • Actor interactions around data sales
  • Infrastructure overlaps with other forums

By studying BreachForums, security teams can learn how leak communities rebuild and migrate following enforcement actions.

13. Duty Free

Duty Free operates as both a forum and Telegram channel (DutyNews) tied to pro-Russian hacktivist collectives. It blends cybercrime with ideologically driven operations.

Researchers can find:

  • DDoS coordination messages and target lists
  • Leaked data dumps and propaganda releases
  • Actor recruitment and collaboration notices
  • Cross-platform operational chatter

Monitoring Duty Free enables insight into the overlap between geopolitical influence operations and financially motivated cybercrime.

14. Best Hack Forum (BHF)

One of the oldest Russian-language hacking forums, BHF continues to host discussions and data sales focused on spam, credential cracking, and network intrusion.

Researchers can find:

  • Credential lists and cracked accounts
  • Spam and phishing toolkits
  • Tutorials on social engineering and exploitation
  • Historical leak reposts and seller activity

Because BHF remains an active legacy platform, monitoring it gives security teams insight into the continuity of the Russian-speaking cybercriminal ecosystem.

15. Lolzteam

Lolzteam, also known as Zelenka, began in 2013 as a gaming and account-trading forum before expanding into a hub for cybercrime and fraud. Today, it hosts a wide range of discussions spanning account resale, malware distribution, and social-engineering tactics.

Researchers can find:

  • Markets for gaming, social-media, and cryptocurrency accounts
  • Infostealer logs and credential dumps targeting popular platforms
  • Fraud tutorials, social-engineering scripts, and scam templates
  • A well-organized escrow system and verified-seller network

Monitoring Lolzteam provides visibility into emerging fraud tactics and low-to-mid-tier threat actors, particularly those targeting consumer and gaming ecosystems.

16. Altenen

Altenen is a long-running carding and fraud forum originally launched in Arabic, later shifting to English to attract a wider audience. Known for its resilience despite repeated takedowns, the forum focuses heavily on financial data and access-as-a-service models.

Researchers can find:

  • Credit-card dumps and fullz data sets
  • Tutorials and guides for bank fraud and account takeovers
  • Phishing kits and stealer malware for credential harvesting
  • User reputation and membership tiers tied to transaction history

Observing Altenen helps analysts identify financial-fraud trends, track credential-based attack patterns, and map connections across carding networks.

17. WWH-Club

WWH Club, active since 2014, caters primarily to financial-fraud operators and carders. Despite multiple law-enforcement actions against its leadership, the community remains active, offering a mix of tutorials, stolen data, and illicit service exchanges.

Researchers can find:

  • Payment-card and personally identifiable information (PII) dumps
  • Fraud training courses and step-by-step “carding school” guides
  • Marketplaces for financial data and remote-access tools
  • Evidence of organized collaboration between seasoned fraudsters

Monitoring WWH Club allows fraud and intelligence teams to track the tools, services, and data sets circulating within established financial-crime communities.

18. DarkNetArmy Forums

DarkNetArmy Forums (DNA) emerged in 2022 as a multilingual cybercrime community with both clearnet and Tor access. It quickly gained traction for offering malware tools, stolen credentials, and access to compromised systems.

Researchers can find:

  • Malware loaders, remote-access trojans, and cracked builders
  • Bulk credential lists and OpenBullet configuration files
  • Advertisements for DDoS services and bulletproof hosting 
  • Threat actor collaborations across English, Russian, and Arabic posts

Watching DarkNetArmy Forums gives researchers early insight into malware distribution, account-access trading, and threat-actor collaboration across regions.

19. Dread

Dread launched in 2018 with a Reddit-like structure, fostering a community-driven forum for darknet market discussions and threat coordination.

Researchers can find:

  • Trading of stolen usernames, passwords, and other sensitive information
  • Coordination and discussion of ransomware operations
  • Distribution of malware tools and proof-of-concept exploits
  • Updates and intelligence on darknet markets 

Checking Dread helps security teams track community sentiment, emerging ransomware activity, and shifts in darknet market dynamics.

20. Hackforums (HF)

Founded in 2007 by the admin “Omniscient,” Hackforums operates as a traditional forum covering a wide range of hacking topics, from beginner to advanced levels.

Researchers can find:

  • Discussions of hacking techniques, system exploitation, and network security
  • Sale and distribution of malware, RATs, and keyloggers
  • Credentials, combo lists, and compromised accounts for sale
  • Information about malware campaigns and botnet operations

Tracking Hackforums provides insight into lower- to mid-tier cybercriminal activity and the tools being adopted by a broad base of threat actors.

21. NoName057(16)

NoName057(16) is a pro-Russian hacktivist collective that coordinates DDoS attacks and public leak campaigns through Telegram. Its channel is both a propaganda outlet and an operational coordination hub.

Researchers can find:

  • DDoS target lists and claimed attack results
  • Leaked data from compromised organizations
  • Political messaging and recruitment drives
  • Cross-links to affiliated hacktivist groups

By tracking NoName057(16), security teams gain insight into the nexus between hacktivism and cyber operations, helping defenders anticipate politically motivated attacks.

22. RipperSec

RipperSec is a hacktivist group known for posting website defacements, data leaks, and claimed intrusions across multiple Telegram channels. The group’s multilingual content and global targeting make it notable for cross-regional activity.

Researchers can find:

  • Announcements of website defacements and breaches
  • Leaked data archives and credential dumps
  • Actor commentary on exploited vulnerabilities
  • Evidence of collaboration with other hacktivist groups

Monitoring RipperSec’s Telegram activity helps analysts track politically or ideologically motivated threat campaigns as they unfold in real time.

Monitoring a Shifting Landscape 

These illicit communities represent the most significant sources of threat intelligence for security teams in 2026, but it’s critical to remember that the landscape shifts constantly. Forums fragment after takedowns, marketplaces resurface under new domains, and Telegram channels appear and disappear daily. An effective monitoring strategy requires not just coverage of these specific communities, but also the ability to detect when threat actors migrate and where they go next.
