In 2023, cybercrime forums remain a notorious platform for threat actors to engage in illicit trades, coordinate activities, and exchange information. These forums are typically found on the dark web, but they can also be accessed via the clear web. They are hotspots of malicious activity, with dedicated sections for the sale of stolen credentials, ransomware-as-a-service, and malware, as well as general discussions about cybercrime.
Russia is widely known as a hub of cybercrime activity, with recent analyses indicating that 74% of ransomware revenue goes to Russia-linked threat actors. Furthermore, Russia has a documented history of conducting state-sponsored cyber warfare.
From a threat intelligence perspective, it is crucial to monitor cybercrime forums for any mentions of your organization. This practice can provide early warnings of impending attacks or reveal compromised user credentials for sale. Taking preemptive action, such as resetting vulnerable accounts, can help to mitigate the risk of cyberattacks. In this article, we’ll explore the top Russian cybercrime forums that you should keep a close watch on in 2023.
Exploit.in
Since its inception in 2005, Exploit has been a prominent underground hacking forum, catering to malicious actors seeking to discuss working exploits for various vulnerabilities. Over time, the forum has expanded its scope to cover a wide range of cybercrime activities, including social engineering techniques and tutorials on breaking cryptographic algorithms.
Predominantly a Russian-language forum, Exploit features a marketplace section where cybercriminals trade in stolen credit card details, malware, and even zero-day exploits. The forum also functions as a cybercrime news site. What sets Exploit apart is that it is accessible via both standard internet browsers on the clear web and via the dark web using the Tor browser.
To gain access to Exploit, threat actors must either pay a $100 fee for automatic access or establish a reputation on other “friendly” forums. While these conditions make Exploit a closed forum, companies may still register fake accounts to monitor the site for threat intelligence purposes.
Exploit was breached in 2021 when an intruder gained Secure Shell (SSH) access to a proxy server that protected the site from DDoS attacks. This breach was part of a wider cluster of four breaches that targeted various underground cybercrime forums within a short time span.
XSS.is
XSS is a closed forum that primarily caters to Russian-speaking cybercriminals. It can be accessed via both the clear web and dark web. The site’s admins claim to provide several security and anonymity features to protect registered users, including disabling logging of IP addresses and user actions for all users, and encrypted private messaging. Registering on XSS is relatively straightforward: new users select their credentials, input a valid email address, answer a basic cybersecurity question, and await approval from the admin.
XSS mainly features discussions and trades related to credential access, exploits, and valuable zero-day vulnerabilities that lack security patches. Additionally, exclusive private sections on the forum require payment to access. Previously, XSS was notorious for recruiting affiliates for ransomware-as-a-service gangs, but the admins banned ransomware topics in 2021.
The forum’s name, XSS, comes from a type of web application vulnerability called cross-site scripting. Previously known as DaMaGeLaB from 2013, XSS underwent a rebranding after one of its administrators was arrested in 2018.
RAMP Forum
In 2021, the RAMP 2.0 (Russian Anonymous Market Place) forum was established on a domain previously utilized by the infamous Babuk ransomware gang for publishing stolen data when victims failed to pay ransom. The Babuk group had conducted ransomware attacks on The Houston Rockets basketball team and the Washington DC Metropolitan Police Department. The newly formed RAMP 2.0 has a more cybercrime-focused agenda than the previous RAMP iteration, which mainly dealt with illegal product trades. It includes popular sections such as a malware section, a partner program for ransomware gangs, and a section for selling access to corporate accounts.
To gain access to RAMP 2.0, one must have been an active member of Exploit and XSS for at least two months and maintain a good reputation on both forums. Unlike its predecessors, RAMP 2.0 offers language options that include Russian, Mandarin, and English. The original RAMP version was shut down by Russian authorities between 2012 and 2018.
Verified and Maza
Verified and Maza, two longstanding Russian cybercrime forums, experienced significant breaches in early 2021 as part of a larger trend affecting multiple similar platforms. Maza, in particular, displayed a message to users indicating that the forum had been compromised and that data had been leaked. Verified, on the other hand, was hijacked by an unknown operator and has remained offline since. While such breaches and takedowns do not necessarily lead to permanent shutdowns, it remains to be seen whether either forum will reemerge in the future. It is possible that these incidents contributed to the recent popularity of Telegram groups as an alternative to traditional cybercrime forums and marketplaces, as some cybercriminals may have been concerned about their usernames and email addresses being exposed.
SAGA® Dark web monitoring from Munit.io
Automated monitoring of Russian cybercrime forums and other dark web domains is crucial for detecting leaked credentials and targeted attacks. However, manual monitoring is inefficient and resource-intensive for most organizations. To address this, Munit.io offers SAGA®, a dark web monitoring solution that automates the tracking of illicit forums and marketplaces. With SAGA®, you receive real-time alerts if your company or assets are mentioned on the clear or dark web, or if there is a high risk of account takeover. This helps to streamline remediation efforts and minimize noisy threat data.