Check out Threat Flow, the Security Industry’s First Transparent Generative AI Application

Top Russian Cybercrime Forums in 2023

Gradient blue background. There is a light orange oval with the white text "BLOG" inside of it. Below it there's white text: "Top Russian Cybercrime Forums in 2023." There is white text underneath that which says "Learn More" with a light orange arrow pointing down.

Cybercrime forums provide an outlet for threat actors to coordinate, exchange information, and conduct illicit trades. Often hosted on the dark web (but sometimes accessible via the clear web), these forums are hubs of malicious activity. The typical structure of a cybercrime forum sees a dedicated marketplace section that facilitates the sale of stolen credentials, ransomware-as-a-service, and malware while a separate section is reserved for general cybercrime discussions. 

It’s no secret that Russia is a veritable capital of cybercrime activity. Recent analysis suggests 74 percent of ransomware revenue goes to Russia-linked threat actors. Beyond for-profit cybercrime, Russia also has a well-documented history of conducting state-sponsored cyber warfare

From a threat intelligence standpoint, it’s beneficial to monitor cybercrime forums for mentions of your organization. Monitoring these forums can provide indications of an impending attack on your company or reveal user credentials for sale, whose accounts you can then preemptively reset before they get infiltrated. This article takes a look at the top Russian cybercrime forums worth keeping an eye on in 2023.

Top Russian Cybercrime Forums

Exploit.in

Screenshot of forum with the title “Exploit.in” in the top left. The rest of the webpage shares a description about the site and forum, various projects, and sections about posts about hacking.
This snippet of the Exploit.in forum homepage screenshot shows an “About” section and different categories for posts about hacking.

Exploit is one of the longest-running underground hacking forums, having been launched way back in 2005. As the name suggests, the site’s initial purpose was to provide a place for malicious actors to discuss working exploits for various vulnerabilities. Exploit naturally evolved to encompass discussions about other types of cybercrime activity, from social engineering techniques to tutorials on breaking cryptographic algorithms. 

This forum is a predominantly Russian language forum with a marketplace section where cybercriminals trade in stolen credit card details, malware, and even zero-day exploits. Explicit also functions as a cybercrime news site. Interestingly, this forum is accessible via both standard Internet browsers on the clear web and via the dark web using the Tor browser. 

To get access to and participate in forum discussions, threat actors either pay a $100 fee for automatic access or they can attempt to get free access on the condition that they’ve established a reputation on other ”friendly” forums. While these conditions technically make Exploit a closed forum, a $100 fee is unlikely to deter companies from registering fake accounts to monitor for threat intel purposes. 

Exploit admins had to deal with a breach in 2021 that saw an intruder gaining Secure Socket Shell (SSH) access to a proxy server that protected the site from DDoS attacks. This breach of the forum formed part of a wider cluster of four breaches hitting various underground cybercrime forums within a short time span. 

XSS.is

Screenshot of forum with the title “XSS.is” in the top left. The rest of the homepage has different sections labeled under “Underground.” The background is white.
This snippet of the XSS.is forum homepage hosts different sections under the label of “Underground.”

XSS is another closed Russian language forum that’s accessible on the clear web and dark web. Admins promise various security and anonymity features to protect registered users, including disabling IP address logs for all users and user actions and implementing encrypted private messages. There aren’t many barriers to registration on XSS—new users simply select credentials, input a valid email, answer a basic cybersecurity question, and await approval from the site’s admin.

Content on XSS relates to discussions and trades in credential access, exploits, and valuable zero-day vulnerabilities for which no security patches exist. Additional exclusive private sections on XSS require payment to access. Previously, XSS was extensively used to recruit affiliates for ransomware-as-a-service gangs, but forum admins banned ransomware topics in 2021. 

Automate Your Threat Exposure Management

Integrate the world’s easiest to use and most comprehensive cybercrime database into your security program in 30 minutes.

This Russian cybercrime forum’s name stems from a type of web application vulnerability known as cross-site scripting. The site used to be known as DaMaGeLaB from 2013 until the arrest of an administrator in 2018, at which point it was rebranded as XSS.

RAMP Forum

The formation of the RAMP 2.0 (Russian Anonymous Market Place) forum in 2021 has an interesting backstory, having been launched on a domain previously used by the notorious ransomware gang Babuk. 

The Babuk ransomware operation carried out ransomware attacks on Washington DC Metropolitan Police Department and The Houston Rockets basketball team. Babuk’s threat actors previously used this dark web onion domain for publishing stolen data when victims refused to cave into their ransomware demands. 

A previous version of RAMP existed from 2012 to 2018 on a different domain, but it was more centered around buying and selling illegal products. Russian law enforcement closed the first iteration of RAMP down, but a new version emerged with a focus on cybercrime. Popular forum sections include a partner program for ransomware groups, a malware section, and another section dedicated to selling access to corporate accounts. 

Registration for RAMP 2.0 requires being an active member of Exploit and XSS for at least two months. A good reputation on both forums is also essential to gain entry to RAMP. The forum’s language options have evolved from solely Russian to now include Mandarin and English.  

Verified and Maza

Screenshot of Verified forum. The background is navy The rest of the homepage has different sections labeled Notices, Services, Forum, and Main.
This snippet of the Verified forum homepage hosts different sections like Notices, Services, Forum, and Main.

Verified is a popular Russian language cybercrime forum that’s been around for over a decade while Maza is an elite Russian cybercrime forum on the scene since 2003. These forums are worth discussing together because of what happened to them in early 2021.

As part of a spate of attacks on a number of Russian cybercrime forums, both Verified and Maza suffered serious breaches. In the case of Maza, forum members logging in were greeted with a message about their data being leaked and the forum being compromised. Verified suffered a similar fate, with unnamed operators hijacking the forum. 

Breaches and takedowns of cybercrime forums don’t necessarily mean they’ll permanently shut down. These forums often reemerge after a period of time. It is worth speculating whether the incidents that hit both forums drove the surge in recent adoption of Telegram groups as an alternative to traditional forums and marketplaces for cybercrime. Perhaps cybercriminals got spooked about members of those forums who had their usernames and email addresses made public. 

Automated High-Risk Exposure Monitoring

Russian cybercrime forums and other dark web domains are useful resources worth monitoring for leaked credentials and indicators of targeted attacks. However, manually monitoring the top forums is a recipe for slow remediation and noisy threat data. And, most organizations lack the resources for cybersecurity analysts to track the ever-evolving forum landscape. 

Flare’s dark web monitoring solution automates the monitoring of illicit forums and marketplaces. You also get real-time alerts if your company or assets are mentioned on the dark & clear web or if there is a high risk of account takeover detected. 

Get your free Flare trial here. 

Share This Article

Related Content