Exploring Malicious Hacker Communities: Background

The second of three posts from our guest author, Dr. Ericsson Marin focusing on the upcoming book: Exploring Malicious Hacker Communities.

Many individuals behind cyber-operations rely on online communities of hackers to achieve their criminal goals. Because those environments provide resources such as malicious code and knowledge (how-to), they are driving the democratization of cyber-attacks. This trend is generating a huge number of cyber-threats out there but is also coming with a price for threat actors: defenders can try now to understand their adversaries by following the footprints left behind. In other words, valuable insight into evolving cyber-threats or cyber-offensives can be generated well before malicious activity is detected on a target system.

HubSpot Video

One way to gain insight into this underground cyber world is to explore the prominent platforms where malicious hackers share content: forums and marketplaces. In both, hackers contribute with tutorials, malware/exploits, and general advice on topics related to criminal hacking. Nowadays, hacker forums and marketplaces are basically everywhere on the Web, and that includes its open parts, where sites are publicly accessible from any browser and might be indexed – the surfaceweb – or not indexed – the deepweb - by standard search engines, and its restricted parts, where sites are hosted on anonymous crypto-networks – the darkweb, being not indexed by regular search engines and not accessible by traditional browsers. When intelligence is mined from those places, answers might be provided for the following questions: which cyber-capabilities are available to an adversary?, what are their targets?, is there any software vulnerability being analyzed?, is there any individual or group of individuals receiving special attention?, is there any mass adoption of a particular malware/exploit?, how about the existence of malicious campaigns to recruit individuals? is there any cyber-attack being planned? The knowledge spread on these communities through not only assets but also through rich discussions allows for hacker knowledge to spread quickly. On the other side, defenders should have a similar velocity when building intelligence tools from this data. They should understand the culture of these communities and their topics to identify emerging threats.

Looking inside, hacker communities follow the principle of meritocracy and base a hacker’s reputation and social status on his/her skills and accomplishments. Clever hacks and innovation are rewarded with social recognition, which is also developed through sharing valuable content, such as successes, advice, or the general display of relevant knowledge on a consistent basis. These functions tend to cause reputable individuals to represent central nodes in social network graphs, as shown in Figure 1.

Figure 1. Social network of a now-defunct Tor-hosted (darkweb) forum, generated in early 2016.

Aside from the exchange of experiences with various kinds of weapons and drugs as well as pornography encompassing all ages, much of the so-called darkness is populated by privacy-conscious hosters. Regarding cyber-security content, the exchange of high-profile events (hacks, news, etc.), new techniques and tools (e.g., code at various degrees of maturity, that is, deployability – as illustrated in Figure 2), but also questions and help for assistance make up a large part of the content (see Figure 3).


Figure 2. Example of forum content, in which a genuine tool is shared for a data feed.


Figure 3. Example of forum content in which a question is posed whether a software vulnerability is exploited/exploitable.


With the more recent merging of forums and marketplaces observed in the past one or two years, vendors offer personally identifiable and other sensitive information accounts to e-commerce and payment service platforms, bank account and credit card information, and data leaks across all sites. More static content advertises hacking-as-a-service skills and rents out DDoS attacks at various time intervals, effectively communizing skills and technologies once available to only a few. Pure marketplaces offer products like keyloggers, skimmers, tools for capturing credit card information on point-of-sale devices and ATM, dumps, remote access Trojans (RATs), browser affecting tools, remote desktop protocol (RDP) tools, exploit kits, mobile phone, and Windows-affecting malware, password cracking, email hacking and phishing tools, botnets, and invitations to hacking groups and lists of new forums and marketplaces.

Popular reputable markets for cyber-criminals were TheRealDeal and, to some extent, AlphaBay. Both were hosted on Tor, though the latter was longer serving. TheRealDeal was purportedly arranged around a gifted Russian hacker and his accomplices who sold his products. Among those products were 0days (see Figure 4) and exploits of all kinds. It shut down in November 2016. The AlphaBay marketplace was not focused on cyber-criminals, but sellers offered a wide range of products between 2014 through summer 2017 when an international law enforcement effort shut it down together with other like sites. It was recognized to be the largest darkweb marketplace in 2015, with more than 200,000 registered users (vendors and buyers). Vendors offered everything from stolen digital content to e-commerce accounts, software licenses, tutorials of any kind, some malware, data leaks (dumps), and medicine. Figure 5 presents some hacking-related products and guides offered on the AlphaBay marketplace.



Figure 5. Examples of 0days exploits offered on TheRealDeal marketplace.



Figure 6. Example of hacking-related products and guides offered on the AlphaBay marketplace.


It is notorious how those environments offer rich information for the implementation of real cyber-threat intelligence-gathering systems. With a tool looking in the right place at the right time, defenders might be ahead of malicious hackers, protecting their assets before the infection occurs.

CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn why we have become the most accurate, peer-reviewed, predictor of weaponized exploits. 

About our guest author: Dr. Ericsson Marin is an assistant professor of Computer Science at California State Polytechnic University, Pomona. He is the director of the Cyber Adaptive Learning Systems Laboratory (CALSys Lab) with research that combines AI, Machine Learning, Social Network Analysis, and Cybersecurity. Currently, Dr. Marin is investigating proactive cyber-threat intelligence, where intelligence is mined from the darkweb to predict future cyber-threats against organizations. He has authored an excellent record of scientific publications, including two books on threat intelligence published by Cambridge University Press. His work has been acknowledged with best paper, best presenter, and travel grant awards, receiving a considerable number of citations. He also has had an impact in industry, presenting at cybersecurity industry and federal agencies conferences/meetings such as ONR, ISC2, and FBI, among others. Dr. Marin holds an M.S. from the Federal University of Goias, Brazil and a Ph.D. from Arizona State University.