"We are all honorable men here, we do not have to give each other assurances as if we were lawyers."
― Mario Puzo, The Godfather
In the seedy depths of the dark web you will find an underground subculture brimming with criminal activity from drug and weapons trafficking to credit card dumps and zero-day procurement. As cybercriminals continue to become better and more methodical in their execution and concealment, studying how they operate can offer the "good guys" a treasure trove of knowledge that can be applied to protecting corporate assets. Ironically, the anonymity that seemingly protects criminals on the dark web can also be leveraged by security experts for stealthy infiltration and intel gathering. It's this cloak of obscurity that has helped provide the following snapshot of how the underground works including its unwritten rules and etiquette.
Joining Underground Forums
Forums and discussion platforms in the cybercriminal underground are aplenty, but the less publicized ones are where most of the big players share their knowledge and data.
Forum participation in most cases is free, except for some trade platforms where participation is costly, but only the serious big players with deep pockets trade there.
Most forums offer different levels of access, but typically even the lowest levels of access begin with a vetting process much like one might experience when trying to land a new job, enroll in college or join an exclusive club.
In the underground, candidates must provide profiles from other forums for the forum administration to inspect before they grant access. Administrators can also ask for a recommendation from existing forum members, and some forums use a system in which an existing member can provide a code that can be used to acquire limited access to the forum. In some cases, this code can also be purchased.
This access restriction is not just for show. Members of these forums put forth a lot of effort into keeping their anonymity as they conduct business and build a reputation within the community. Uninvited guests of unknown origin lurking in every corner would not be conducive for this type of environment to the thrive.
Rules of Conduct
So, how does order emerge from a place where lawlessness rules the day, nobody has a true identity and payments are made via cryptocurrencies?
Each of these platforms has its own set of rules, but all follow the same general guidelines.
A real example of such a set of rules:
1. Members are not allowed to engage in threatening behavior toward other members. This includes flaming. Also threats to steal accounts, dox, or swat. This includes any on-site material such as posts, PMs, or profiles.
2. No short, low-quality posts like "bump", "lol", "roflmao", "thanks" and any repeated characters to defeat the minimum character count.
3. Don't attempt to infect members with trojans, viruses, or backdoors.
4. No direct links to infected downloads in posts or profiles.
5. No posting of personal information that isn't yours. Privacy is to be respected here. This includes any passwords, logins or dumps.
6. Signature images can be no larger than 650x200 pixels and 500k size. Animated gifs should not be annoying.
7. You cannot ask for or offer reputation in posts, signatures, or PM. This includes encouragement like "rep is appreciated".
8. No adult images, adult links, or adult account trading.
9. Multiple accounts will not be allowed unless you are reporting your original account as hacked. Ban evading will result in the permanent closing of your old account and new accounts. No exceptions.
10. Advertising of competing sites is not allowed. This refers to any website with a hacker forum that's similar to HF or has a relatively similar forum structure. Advertising includes signatures, PMs, profiles, and posts.
11. No posting of fake programs.
12. No threads or posts for donation begging. This includes loan requests.
13. All blackhat hacking activity listed on that linked page is forbidden.
14. Read the violations for profile policies and rules in that help doc.
15. Any rules posted in the forums header must also be reviewed. Some forums have special policies that must be adhered to. Don't post in any forum without reading them.
16. Any marketplace type threads must be in the Marketplace area. A three-day posting ban and a warning is the penalty for wrong forum posting marketplace threads.
17. No advertising of Discord channels or usernames.
If the irony of these rules feels so thick you can cut it with a knife, you're not alone. Admonitions to not expose one's identity or infect fellow members with malware seem incongruous given the line of work these people are in, but rules like those are absolutely critical for operations to function.
Some rules, such as "don't con other members of the forum" are obvious enough. Others, such as disallowing multiple accounts/identities may seem curious in the context of an anonymous forum, but a member's alias is their identity and their reputation (more on that later). A member having multiple accounts leaves an opening for gaming the reputation system, creating fake conversations/reviews, and a multitude of other problematic situations.
One other rule worth noting specifically is that the forum administration has the final say on any matter regarding the rules and that being a member of the forum means accepting whatever verdicts they make. How open the administration is about how and why they make decisions is left to their discretion and may vary among forums.
A Community Based on Trust
The members are a self-organized society with an internal codex based on trust. Trust is built mainly on community contribution, voting points to build reputation and substantial commentaries. Helpful posts, published useful materials such as new exploit tutorials or novel infrastructure set ups and reliable offerings are likely to be appreciated by other members and raise one's reputation. Attempts to cheat or con other forum members, on the other hand, is not tolerated. Simply put, a good member is trustworthy.
Administrators and "trusted" members are the foundation of a forum – its dependable inner circle. Members can become section administrators with privileged access to particular areas, advisors or even guarantors. A guarantor is a trusted member nominated by the forum administration who helps facilitate trades among members. They essentially act as an escrow service by ensuring that one side is paid and the other will get everything it paid for.
The escrow service follows a straightforward process: The guarantor receives payment from the buyer and goods from the seller. They proceed to verify that the goods fulfill the terms of the deal, and then transfer the payment to the seller and the goods to the buyer. Everyone gets what is theirs and, in most cases, the guarantor receives a percentage of the deal for themselves.
One other guiding principle of forums is to not trust a newly registered member trying to sell something. If one is a novice and trying to sell offerings, they should first contact a section administration, who will test the "product" to confirm its integrity. Any subsequent deals made should come with a guarantee.
Trusted or well-known members, on the other hand, typically close deals without a guarantor. Doing so, though, means their reputation is on the line with every deal.
Outside World Connection
Like any other community, the underground features regular banter: Members discuss techniques and methods among themselves, share tools and snippets of code, ask questions, and receive answers. With every piece of good advice or helpful tool, members can show their gratitude by awarding other members with reputation points.
But this is not a gated community:
Worldwide news is also discussed on these forums, as well as their effects on the underground life – anything from financial changes in BTC exchanges to new achievements from a security company. It worth saying that participants pay great attention to cybersecurity industry news, and especially to arrests of cybercriminals, which they often reference as a sad or unfortunate event and offer their condolences.
Topics are created to discuss arrests, and information regarding ongoing cases is shared. Participants typically engage in a "root cause analysis" discussion to understand where the arrests happened and the mistakes that may have led to their capture. These threads also serve as a general reminder for the underground community to always practice safety and security.
Despite the presence of simple, generally accepted rules, this ecosystem is not without turmoil. Occasionally two or more members find themselves in a conflict that must be resolved. The underground society provides a mechanism to deal with such issues: An arbitrator is nominated by trusted forum members. They examine the case and make a decision based on claims made and facts provided by both sides, similar to a court trial.
There is a pre-defined procedure for initiating such a process: The so-called prosecutor creates a new thread in the arbitration section of the forum and provides evidence supporting their claim. The arbitrator then informs the "defendant" of the claim and gives them some time to respond to the claim with their own side of the story and any evidence they can provide.
If the claim is found to be legitimate, the defendant and the prosecutor can reach an agreement whereby the defendant fulfills their obligation, and the case is closed. When the defendant refuses to fulfill their obligation, the arbitrator will mark the defendant as a "ripper/scam" and move this case to the black section where the defendant is found guilty.
From this point, everyone will know that the defendant is blacklisted. This will destroy the defendant's reputation, and it's likely that no one will deal with them again. Services exist where one can check whether a person was ever blacklisted. A common example of such a case is the well-known Kronos malware seller "VinnyK," who was banned because he did not fulfill his promises.
Forums may "compete" for activity, but like Las Vegas casinos banning a known cheater, they work in great cooperation on an administration level. If someone is blacklisted in one place, they will immediately be barred from the others. Thus, there is no doubt that being blacklisted has a very serious effect within the entirety of the underground community.
A complaint about a scammer on multiple forums
Another way to tarnish one's reputation on the underground is to show disrespect for other cybercriminals' content: publication of proprietary or in-use solutions will be met with a request for removal by the members, despite it being technically good and/or useful information, for example the source code of a tool not intended for publishing. A member posting such content and ignoring requests for removal will be faced with the wrath of the community in the form of reputation "down votes." Too many of these negative points will result in a ban on the platform.
A forum member posted links to the source code of still-in-use malware, in return he got negative reputation points and another member called him idiot.
As in any community, there are and have been users that still have their focus on scamming other members, making them widely notorious for it on many boards. The nicknames "w0rm"and "Abs0lem,"two users who double-crossed members of the community for several thousands of dollars, became synonymous with the word scammer. These actors reappeared on boards after being blacklisted with different nicknames but refused to recognize and repay their debts. The underground community reacted to this inappropriate behavior with its last resort to curb abusers: Both of them were doxed , and their profiles were made publicly available, attracting the attention of law enforcement agencies.
Doxing of user "w0rm" on an underground forum
Few, if any, dodgy dealings escape the attention of the underground community. In an earlier series of Trustwave SpiderLabs blogs, we talked about the Terror Exploit Kit and its seller, KingCobra. This was an interesting example of how the more veteran members of the community can quickly detect cons and put the perpetrators in their place:
Complaint thread about a crypting service run by the Terror exploit kit author.(https://www.trustwave.com/Resources/SpiderLabs-Blog/Underground-Scams--Cutting-the-Head-Off-a-Snake/)
Despite the decidedly illegal dealings that occur in the underground, it would be unfair to characterize the entire community as a source of evil. The Philanthropy Roundtable found that 71 percent of all U.S. charity incomes comes from individuals, and members of the underground community are also individuals with their own sets of principles and causes that they care about. Some forums conduct permanent fund-raising events for hospitals and orphanages, mainly centered around holidays and special events. Donations to some of these events have amounted to more than $7,000 USD. Funds raised have been directed toward advancements in pediatric surgery, donated to orphanages and used to purchase necessary equipment, supplies, and gifts for orphans.
The underground is far more than a secretive dank place for trading illicit goods and services, it's a full-fledged society where ironically an individual's reputation means everything and code of conduct dictates commerce.At the end of the day, security is a people issue, a cat and mouse game played between the White and Black Hats and much can be gained by studying the adversary. Sun Tzu famously stated "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle."