top of page
Search
  • Writer's pictureOleg

Russian Language Cybercriminal Forums - Steep Investments And Hefty Profits.


Chapter II. Russian language cybercriminal forums – not always underground but always aiming at generating maximum profits.

 

Welcome to the second part of this series of OSINT investigations about the Russian language cybercriminal ecosystem and forums. In the previous Chapter, we explored the origins of this ecosystem and uncovered how Russian language cybercriminal forums (RLCF) appeared, evolved and the current state they are in. If you have missed this part do not hesitate to read it because many methodological concepts, such RLCF categories, are discussed there and are useful for the understanding of this Chapter.

 

Our focus will now shift to the “underground” nature of RLCF and of their economic functioning. We will assess to which extent these communities are hard to access for an outsider, how their administrators protect them against attacks and understand how RLCF are monetized.

 

Next, in the third Chapter we will identify the most prominent RLCF, analyzing their pivotal role within the wider ecosystem, and examining their interactions with Telegram communities.

 

Finally, in Chapter IV, we'll delve into the geopolitical influences shaping these communities. Here, we'll analyze how recent global events and political dynamics have impacted the Russian language cybercriminal forums, providing a comprehensive understanding of their current state and potential future.


If you wish to discover the list of the 94 studied RLCF, you can find it here.

 

Insights of the second Chapter:

 

  • While the adjective “underground” is often used to qualify RLCF, it does not always reflect the reality. Indeed, a majority of RLCF can be found through common search engines, allowing even beginners to engage in cybercriminal activities. Hardly accessible RLCF do exist, but they are a minority.

  • RLCF's administrators must deal with frequent DDoS attacks and hacking attempts. To limit the impact of DDoS and exploitation of vulnerabilities, they mainly use well-known and studied Internet forum software packages and CDN such as Xenforo or Cloudflare.

  • RLCF are not only gathering places where threat actors can talk and conduct their business, they also provide a wide range of complementary but not less essential services. The most advanced communities offer services such as cryptocurrency mixers or Jabber (XMPP) servers.

  • Successful RLCF generate significant revenue for their owners. However, the challenging environment of cybercrime in which these forums operate complicates the task of forum management and obliges administrators to invest heavily in cyber security.

  • RLCF adopt diverse approaches to advertising and monetizing their forums, generally influenced by their specific activities and position within the ecosystem.

    • Drugs forums are aggressively advertising on the streets of the CIS countries, while established reputable niche hacker communities such as "XSS" or "Exploit" do not spend on advertisements.

    • Regarding revenue, selective communities in the Cybercrime category seem to primarily generate income through escrow and deposit services. In contrast, popular forums focusing on Drugs, Fraud, and Carding also generate substantial revenue by selling advertising space on their pages.


I) “Hard to Be a God” - and even harder to be a RLCF’s administrator.

 

To begin this Chapter, I want to share a story that, in my opinion, perfectly captures the burdens of RLCF’s administrators. In August 2022, The Record interviewed Mr. Mikhail Matveev[1], a prominent threat actor involved in at least eight ransomware groups and active to this date[2]. Known among others by the pseudonyms "wazawaka" and "Orange", the Russian national explained the unanticipated challenges associated with the development and maintenance of a cybercriminal forum that he had to deal with.

 

Figure 1. Photos of Mr. Matveev. Source: Federal Bureau of Investigation.

 

In 2021, Mr. Matveev was a prominent member of the Ransomware as a Service (RaaS) group “Babuk”. The main feat of arms of “Babuk”, and paradoxically one of its last ones, was the hacking of the Metropolitan Police Department in April 2021[3]. Fearing the repercussions of this attack, the group disbanded supposedly after internal disputes between affiliates and Mr. Matveev eroded the gang’s cohesion. In a parallel development, May 2021 saw major Russian language cybercriminal forums, worried by the repercussions of DarkSide's ransomware attack on Colonial Pipeline in the US, publicly banning RaaS-related topics to shield themselves from Western intelligence and law enforcement agencies (this was a temporary deception as we will see in Chapter III).

 

Figure 2. In May 2021, the administrator of XSS forbids any topics and discussions related to ransomware on his forums.

 

On the contrary, Mr. Matveev, in possession of an Onion domain with a high traffic, previously associated with the defunct Babuk RaaS blog, perceived this evolving landscape as an opportunity. Our antihero was indeed one of the former affiliates of DarkSide, seemed undeterred by law enforcement's actions and decided to start his own forum precisely focused on ransomware operators and initial access brokers. Called “RAMP” for Ransomware Anonymous Market Place, the forum was unveiled in July 2021.

 

The launch of this project was anything but peaceful and straightforward. On the 22nd of July 2021, a threat actor left a message on "RAMP" asking for a 5,000-dollar ransom and threatened that he will start a spam attack in 24 hours if his demands were not met. Mr. Matveev seemingly disregarded this demand, leading to an attack on the next day, where multiple fake members posted pornographic GIFs[4].

 

Before the attack, the forum's user count stood at around 350, and over 100 messages had been posted, indicating considerable interest in this new exchange platform[5]. However, by July 26, after cleaning up and rewriting the forum's FluxBB engine, only 59 members remained listed. New registrations to the forum were suspended until August, and the conditions for access were tightened.

 

Nevertheless, the misadventures did not stop there, after the vulnerabilities of the forums were fixed, "RAMP" was the target of permanent Distributed Denial of Service (DDoS) attacks, which required constant attention to limit their impact. Moreover, as new members joined the forum, the activity of some threat actors became disruptive for the community, which obliged Mr. Matveev to recruit and pay moderators. One of these moderators was the threat actor KAJIT, who became the next owner of the forum in the last months of 2021. Following his departure as RAMP's administrator, Mr. Matveev allegedly chose to undermine the forum for unknown reasons, by disseminating rumors through representatives of LockBit and BlackMatter RaaS, and the administrator of the prominent RLCF "XSS", suggesting that KAJIT was an agent of law enforcement.

 

Figure 3. A threat actor is asking a ransom of 5,000 dollars from RAMP’s administrator.

 

Mr. Matveev’s story is quite illustrative of the common experience and problems that a RLCF’s administrators must think about and daily deal with. The Russian language cybercriminal ecosystem, as any other criminal community, is a highly competitive and aggressive environment. Mutual attacks, sometimes sponsored by rival forums, can target a forum’s infrastructure through hacking or DDoS attacks or its reputation through disinformation campaigns. It explains why in the case of RAMP, this forum cost more to Mr. Matveev than what he earned from it. Nevertheless, as we are about to discover, not all RLCF struggle to navigate their challenging environments; some forums adapt and thrive.

 

II) A solid foundation for a successful RLCF.

 

RLCF administrators constantly face the challenge of striking a balance between keeping their communities shielded from external threats by making them exclusive, and the need to draw sufficient active members to keep these communities vibrant. Consequently, while the majority of observed RLCF are easily accessible to a wider audience, select and exclusive high-level communities depend on significant registration and escrow fees to ensure their financial viability.

 

A) Are RLCF really “underground” communities?

 

Although the term "underground" is commonly employed to describe cybercriminal forums, suggesting an element of concealment or difficulty in accessing them, this characterization does not entirely capture the actual state of most RLCF. Among the 94 identified active forums, 64 are accessible only via clear web links, and 26 are accessible both through clear web domains and the TOR network. Remarkably, the majority of RLCF are discoverable through conventional search engines like Google or Yandex. The primary challenge lies in following the frequent domain changes that many forums undergo.

 

Usually, RLCF that provide members the option to connect via a TOR link mostly do so to appeal to users seeking to maintain high operational security (OPSEC), rather than to conceal their community. However, there are notable exceptions, such as Drugs forums and certain Carding communities. These groups often find themselves in the crosshairs of law enforcement, leading to frequent blocking of their domains, thereby necessitating the use of TOR for access and continued operation.

 

Until recently, the ransomware-centric forum "RAMP" was accessible exclusively via a TOR link, and new members were required to contribute a $500 fee for account activation. Although this fee still applies to new members without an established, reputable presence on forums like "XSS" or "Exploit", a significant change occurred in April 2023. RAMP's administrator created a clear web domain, presumably as a strategic move to broaden the forum's userbase. Moreover, the current owners of this forum explicitly targeted potential Chinese-speaking threat actors by including a Chinese translation of the forum.

 

Figures 4 and 5. Examples of access restriction. The RLCF Exploit, on the left side, does not allow non-members to see the content of the forum while LolzTeam is accessible without registration.

 

Table 1. Source: Cybercrime Diaries – January 2024.

 

If an administrator of a RLCF wants to hide the content of his forum, he can employ various methods to restrict access. However, the decision to limit a forum’s accessibility is not universally applied, as it might adversely affect its popularity. Only certain exclusive communities tend to adopt this strategy, which can have several goals. Drugs RLCF are often accessible only through TOR links because their clear domain would be simply constantly banned by law enforcement. To help potential customers find them, Drugs RLCF owners create or rely on special websites available on the clear web and advertising “Darknet communities and marketplaces” by sharing their TOR links and domains. A less radical, but still efficient, approach to access restriction involves concealing a forum’s content from non-members and impeding search engines from indexing the forum. Usually, the creation of a free account suffices for a threat actor to gain access to the forum's full range of information.

 

As of January 2024, merely 10 forums ask for a payment for an account creation or to enable interaction with other users. This is the case of RLCF like "Omerta", "WWH Club", or "Coockie Pro". Conversely, free communities aiming to maintain a degree of selectiveness occasionally restrict new account registrations during specific periods. Lately, RLCF such as "XSS" have become very popular, especially after the closure of prominent English language forums in 2022. This has attracted many new English-speaking users, which has worried the forum’s administration and the Russian-speaking members. The administrator of this forum chose to prevent an overwhelming surge of new members or individuals holding multiple accounts by opening the registration of new accounts only during short periods.

 

Finally, an intermediary solution is to create a premium community inside the community itself. Currently, 4 RLCF feature exclusive sections accessible solely to the most reputable members, as determined by the administration and peer members. This is a practice observed on forums like "Verified," or "Exploit", where access is granted based on the reputation and standing within the community or a certain number of posted messages.

 

Figure 6. Auto translation. Example of a closed section accessible only to select members of Exploit.

 

B) What are the RLCF made of?

 

The inherently sensitive and illicit activities conducted within RLCF necessitate a stringent approach to their own cybersecurity practices. The economic competition between forums and rivalry among cybercriminal communities is often the reason for mutual attacks. Therefore, a cybercriminal forum that falls victim to defacement, data theft, or becomes inaccessible after a DDoS attack, could face an erosion of credibility and trust among its members. Critical security breaches not only compromise the forum's operational integrity but also significantly diminish its standing within the cybercriminal community.

 

The choice of well-known Internet forum software packages on which RLCF are built is thus a key task. Xenforo, vBulletin or IPB are very popular because they provide a satisfactory user experience and most importantly, they are well studied by security researchers and hackers, which limits the risks of the discovery and exploitation of a 0-day vulnerability.

 

Threat actors are actively using the flaws of forum software packages to damage the reputation and disrupt the functioning of rival forums, as it was the case during summer 2022, when the Drugs forum “RuTor” got hacked by its rivals from a marketplace called “Kraken”. New weaknesses can be found not only in the Internet forum software itself but also in the forums' plugins [6]. For instance, a vulnerable plugin caused a data leak on the forum “Exploit” in 2017.

 

Figure 7. The RLCF RuTor was compromised by its rival Kraken during the summer of 2022.

 

The content delivery network (CDN) is another tool ensuring the security and accessibility of RLCF as they are an essential component of protection against DDoS attacks. Administrators mainly rely on Cloudflare CDN as one of the tools preventing the discovery of the real IP addresses of their forums.

 

Figure 8. Examples of discussions about DDoS attacks against Russian-language drugs forums and marketplaces.

 

Table 2. Source: Cybercrime Diaries – January 2024.


C) Other services provided by RLCF - Creating a working environment for cybercriminals.

 

Russian language cybercriminal forums are not only places where threat actors communicate or conduct business, but they also give them access to a useful working environment. For instance, all encountered RLCF offer to their members an escrow service. While we will delve into the specifics of an escrow system later, it's important to understand at this stage that it acts as a security mechanism. This system enables threat actors to confidently engage in buying and selling services and goods, with the assurance that the forum will refund them if the transaction does not proceed as expected. Naturally, this service is not complimentary; the fees are typically routed through the forum's Bitcoin wallets and retained until the transaction is successfully completed.

 

Another popular service offered by advanced RLCF is the possibility to create a Jabber/XMPP address (messaging service) that is hosted on the forum’s servers. Indeed, anonymity and confidentiality of communications outside forums are an important need for cybercriminals, Jabber messengers are one of the tools that helps cybercriminals to protect their exchanges. XMPP or Extensible Messaging and Presence Protocol is an open XML technology for real-time communication, it powers a wide range of applications such as the Jabber messenger. This messenger is still popular among Russian-speaking cybercriminals, although it was created back in 1999. The discovery in May 2023 of a remote code execution vulnerability in the qTOX messenger, a peer-to-peer communication tool very popular among Russian-speaking cybercriminals, has caused a revival in Jabber's popularity.

 

One of the weaknesses of the XMPP protocol and Jabber messenger is the necessity to possess or use a server through which the communication will transit. Thereby, cybercriminals must choose whether to set up their own server or to use an already existing one where logs are supposedly not registered. The most famous ones of these reportedly anonymous servers that belong to RLCF are @thesecure.biz and @exploit.im, belonging respectively to "XSS" and to "Exploit". Overall, only 9 RLCF possess their own XMPP server. 

 

A more common occurrence is the presence of a link to an official Telegram channel. Since the rise of Telegram to prominence, almost half of RLCF have created an official Telegram channel. The latter can take several forms, the most sophisticated ones have a channel with several threads, that looks like a real forum, less advanced Telegram channels belonging to RLCF simply possess a news feed and a chat.

 

Figures 9 and 10. RLCF often have their own Telegram channel.

On the left, the r0 programming forum created several sections in its Channel.

On the right, the official news channel of SkynetZone, a Fraud forum.

 

Finally, in certain instances, some forums openly showcase their affiliations with other communities and marketplaces. These partnerships are often visible on forums via marketplace advertisements or through special threads linked to affiliated forums and websites. Additionally, some RLCF, like the carding-focused WWh-Club, incorporate financial services, including cryptocurrency mixers. Notably, prominent and sophisticated Drugs forums such as RuTor have developed a mobile application (Android and iOS) for their members to facilitate drug transactions. In a few exceptional cases, RLCF also offer unique tools like vulnerability and anonymity checkers, alongside file-sharing systems for their users. An interesting case was monitored on the Dark2web forum that launched its own operating system supposedly focused on anonymity (see d2wos[.]net)[7].


Figure 11. Promotional post about the "D2W_OS" operating system, published on Dark2web in July 2023.


Table 3. Source: Cybercrime Diaries – January 2024.


Figure 12. Example of services, social network accounts and access methods to RLCF.

 

III) RLCF and their economic system – a costly investment for a potentially important reward.

 

As you may have guessed, very few individuals would put so many efforts in the creation and maintenance of a cybercriminal forum if the goal of this activity was not profit generation. However, there are multiple methods to achieve this objective. We will explore the diverse monetization strategies employed by RLCF administrators. Grasping these strategies is crucial for understanding the economic foundations that support and propel financially successful forums, illustrating how they convert their illicit activities into financial profit.

 

A constraint of this study is the lack of precise data on expenses associated with advertisements, staff salaries, or infrastructure spending like hosting. Those costs are not transparently shared and tend to vary on a case-by-case basis, posing a challenge in acquiring accurate financial information for each RLCF. While bulletproof hosting providers openly disclose their rates for threat actors, the cost of their services for RLCF are specific and variable. This price variation is influenced by factors like the volume of traffic of each community, servers’ localization, and additional options, making a uniform evaluation challenging. Salaries of staff members are another unknown parameter as moderators can either be volunteers or paid employees.

 

On the contrary, sources of income of RLCF can be somewhat estimated and are sometimes openly discussed by their administrators. According to LolzTeam’s creator, his forum is presently generating an income of 15 million rubles per year (close to $190,000 at the moment of the claim in April 2023). The administrator qualified this money as "gray" and told that he cannot report it to Russian tax services.

 

A) The price of glory – unavoidable spending and risky investments. 

 

As the case of Mr. Matveev and his forum RAMP illustrate, the expenses associated with the maintenance and development of a cybercriminal community are significant and success in not guaranted. They include bulletproof hosting, DDoS and spam protection, forum engine technical maintenance, moderation and last but not least: time. Observation of other RLCF also suggests that costs related to content creation and advertisements can be substantial. Those last two categories are particularly important for new forums or for communities that need to compete to maintain the fidelity of their userbase.

 

1) Advertisements - optional for dominant RLCF, critical for Drugs forums and new RLCF.

 

The analysis of advertisements belonging to various RLCF indicates a diverse approach to advertising among Russian language cybercriminal communities. Not all of them invest in ads, and those that do, employ distinct strategies. Niche forums like “Exploit” or “XSS,” for instance, do not allocate funds for advertising as they are already famous and do not want to attract too much attention. In contrast, newer RLCF seeking to grow their community and reputation, such as the Carding forum “DarkClub,” are actively and aggressively promoting their activities.

 

A surprising phenomenon was observed as “DarkClub” started to publish adds on Telegram channels that have nothing to do with cybersecurity, which highlights the desire of some RLCF to attract new members outside of the hacking community. This strategy is also implemented by several Russian language Drugs forums who have decided to target potential customers by displaying their advertisements banners on the streets and billboards of Russian cities such as Moscow[8]. After the death of several individuals paid by Drugs RLCF and marketplaces for deploying banners from the roofs of buildings, it seems that the new trend is to use projectors to display advertisements.

 

The cost of buying advertisements on websites, Telegram channels, or other cybercriminal forums to promote a RLCF can be considerable. This was underscored by the FBI's arrest of the DeepDotWeb administrator, which disclosed that this individual earned over 8 million dollars from hosting links to marketplaces and cybercriminal forums on his website[9].

 

Figure 13. the RLCF DarkClub advertises its activities even on Telegram channels that are unrelated to cybersecurity.


Figure 14. Advertisement belonging to the OMG marketplace and projected in St. Petersburg, Russian.

 

2) Content creation – a bonus for dominant RLCF, a critical investment for Drugs forums and new RLCF.

 

Several RLCF have created their own magazines about hacking or drugs consumption. Interestingly, from a designing perspective, the magazine of the Drugs forum WayAway looks very professional, while the one belonging to "XSS" rather focuses on content quality and somewhat less on appearance.


Figure 15. The latest issue of the magazine “Inception” of XSS.

 

Figure 16. An issue of the magazine of WayAway.


Contests are another tool in the hands of community managers to attract new users or to retain current members. Drugs RLCF face a harsh competition and must permanently innovate to attract new customers and often organize games with money prizes or free Drugs. Similarly, cybercrime RLCF like "XSS" or "Exploit" conduct competitions, offering substantial prizes, often amounting to several thousand dollars, for the best hacking-related papers. Nevertheless, these contests are sponsored by forum members and thereby are not financed by the forum itself; for instance, the latest contest held on "XSS" in November 2023 obtained a sponsorship of 20,000 dollars from a threat actor marketing a Crypto Drainer.

 

Figure 17. Auto translated. Contest organized by the administration and partners of WayAway.

 

Figure 18. In November 2023, "XSS" started a contest for the best hacking project or software.

 

B) Sources of revenues - the sinews of cybercrime.

 

The aforementioned expenses do not imply that all RLCF are owned by philanthropists ready to sacrifice their time and money on websites only for the benefit of the cybercriminal community. The most successful forums, with a huge active userbase and well organized teams, can generate substantial income for their owners. For example, the Drugs Forum RuTor was allegedly sold for $3 million in 2022, which shows how much money is going through one of the most successful RLCF specializing in drugs selling. Registration fees, status selling, escrow service, advertisements, training, deposits, and gifts from users are common sources of revenue for RLCF.

 

1) Income generation and monetization philosophy.

 

While the sources of revenue of RLCF are clear, it does not imply that all communities share the same philosophy and adopt the same monetization strategy. The identified RLCF can be positioned on a line between two archetypes with opposing views about income generation and its importance.

 

  • The first extremity depicts the archetype forum that claims to create just enough income to cover expenses. Extra money will supposedly not go into the administrator’s pockets but will be reinvested to develop the forum. Advertisements are sparse, and the administrator is not openly monetizing his knowledge about the members of the forum. Administrators of RLCF such as "Exploit" or "XSS" claim to be as close as it is possible to this idealistic archetype of management, although this should not be taken as granted. Analysis of cryptocurrency transactions associated with these forums reveals that thousands of dollars are being transferred through the BTC addresses of "Exploit" and "XSS".

 

  • The second extremity represents communities held by openly financially motivated administrators whose objective is to squeeze as much income as possible from the forum and its userbase. RLCF like “RuTor”, “Darkmoney” or “WWH-Club” are closer to this archetype. Advertisements are present everywhere and the administrators do not hesitate to send advertisement emails to forum members.

 

2) Sources of income.

 

Donations.

 

A symbolic source of income is money donation from members. It often occurs on RLCF that do not openly and aggressively monetize their community, or at least who display themselves as “communities focused on knowledge rather than on commercial activities”.

 

Figure 19. Example of a RLCF asking for money donation from its members.

 

Registration fees.

 

Although not always significant, registration fees on the few RLCF that limit access to their membership, are not to be discarded. Generally ranging from $30 to $500, these fees can provide an interesting income, especially if the forum attracts many new users. A rare case where the registration price was set to 1,000$ was also recorded.

 

To illustrate the potential earnings from registration fees for a well-known but comparatively small paid RLCF like "Exploit", I analyzed its membership growth between January 2023 and January 2024. In this one-year period, the forum added approximately 6,000 new accounts. Assuming all these were paid registrations, they could have generated about $1,200,000 in revenue.

 

Figure 20. Exploit requires new users to pay $200 to register an account if you are not fulfilling specific conditions.

 

Sale of premium statuses.

 

When a new member joins a RLCF buying a premium status can be important to highlight his standing or to facilitate a commercial activity. Prices of statuses can vary from $50 to over $2000 and grant various advantages such as the right to sell something or to be trained by the administration of the forum in a specific illicit craft.

 

An interesting case was observed on "XSS" where, since 2022, it has been possible to purchase a special account for crawlers. Sold for $2000 a year, it is directly targeted at security researchers and threat intelligence companies. According to XSS’s administrator, the main idea behind this special crawler account is to allow researchers to gather data and scrap the forum without the fear of getting restricted or banned. It is unknown if anyone has purchased this type of account.


Figure 21. Example of status prices and associated advantages on the carding RLCF WWH-Club.

 

Deposits.

 

Along with the purchase of statuses, the deposit of an amount of cryptocurrency or money on forums, is another source of legitimacy and prominence for threat actors wishing to enhance their prestige and chances to attract new customers. A large deposit is raising the trust of potential clients as it guarantees that the administration will take this money to compensate a legitimately unsatisfied customer. This system is profitable for the forum owner because a commission is collected every time money is added or retracted. For instance, on "XSS" the commission for deposing money is 1% of the deposited sum, and 4% when the owner decides to retrieve it.

 

Another successful RLCF called "LolzTeam" is known for its impressive ability to generate revenue. According to the administrator of this forum, the various sellers present on the forum have deposited more than 65 million rubles in cryptocurrencies and in fiat currencies (around 830,000 dollars at the moment of publication of this interview, on the 2nd of April 2023)[10]. It is useful to note that an 8% commission is taken at the moment of withdrawal of funds, this promises an interesting annuity for the forum.

 

Figure 22. Example of users putting money on their accounts on "XSS".

 

Figure 23. Example of commission prices on the deposit on "XSS".

1% when money is added and 4% when it is retrieved.


Escrow service.

 

All the observed RLCF offer an escrow service, typically charging up to 10% of the total transaction value. The service is designed to safeguard both sides in a deal by appointing the forum's administrator or another trusted member as a mediator. This intermediary plays a key role in confirming that both parties have adhered to the agreed terms. They possess the authority to issue a refund to the customer or safeguard the service provider's rights in the event of a transactional dispute. RLCF administrators often advocate for the use of their escrow service, increasingly making it a mandatory condition for members wishing to sell or buy anything on their forums.

 

Figure 24. Auto translated. Escrow service conditions on "Ufolabs". In this case the service is not automated, and the buyer needs to contact the administrator.

 

Sophisticated cybercrime forums, like "XSS" or "WWH-Club", feature fully automated escrow services, eliminating the need for administrators to personally oversee each transaction. The analysis of Bitcoin wallets utilized for escrow payments on these forums indicates that thousands of BTC have circulated through them, serving as a significant indicator of each forum's level of activity and financial throughput.


On the 25th of May 2023, the threat actor “nightly” allegedly sold on "XSS" a remote code execution (RCE) vulnerability affecting the qTOX messenger for 20 Bitcoins (close to $550,000 at that time). The forum likely earned $55,000 from its escrow service during that particular instance alone. Although not all transactions are this substantial, this example underscores the profitability of the escrow system for RLCF.

 

Figure 25. Auto translated. The threat actor nightly allegedly sold an RCE vulnerability for the qTOX messenger for 20 BTC in less than 5 minutes.

 

Advertisement.

 

An illustration of the revenue potential for RLCF can be seen through the publicly accessible advertising rates of the Drugs RLCF "RuTor". The cost for advertisement banners on this forum varies, starting at $300 per month for a smaller banner, and escalating to $12,000 monthly for a banner placed in the most prominent forum's area. An assessment of the potential revenue generated by the 60 filled banners on RuTor's front page, through the counting of ads emplacements for which the prices are publicly available, suggests that only banners could bring at least 145,500 dollars every month to the forum’s owners. Additionally, the forum capitalizes on its registered users' email addresses; sending a promotional email to RuTor's entire userbase is priced at $700. In the spring of 2023, RuTor also organized an auction for ten partnership marketplace slots, with bidding for the top three slots starting at $15,000.

 

Figure 26. A wall of advertisements on the RLCF RuTor.

 

Figure 27. Advertisement prices on the RLCF RuTor.

 

“WWH-Club”, a successful RLCF specialized in carding, could have managed to generate at least 919,708 dollars in advertisements and sale of premium status in 8 years. The presence of an account exclusively dedicated to the receipt of payments helps to assess the amount of generated revenue. Interestingly, according to my observations last year in January 2023, the total generated revenue visible on this account was around 270,712 dollars, which means that the forum may have earned close to 650,000 dollars in less than a year.

 

Figure 28. The account of “Reklama” on "WWH-Club" was specially created to receive advertisement payment. On the left side, a screenshot from January 2023, on the right side, a screenshot from January 2024.

 

I hope that you found this Chapter insightful and that you learned some new things! Next time we will analyze the most prominent RLCF and understand what their place in the Russian language cybercriminal ecosystem is.

 

This blog post is also available on my company's blog (OWN).


Sources.


[1] “An Interview with Initial Access Broker Wazawaka: ‘There Is No Such Money Anywhere as There Is in Ransomware’ - The Record by Recorded Future,” accessed October 6, 2022, https://therecord.media/an-interview-with-initial-access-broker-wazawaka-there-is-no-such-money-anywhere-as-there-is-in-ransomware/.

[2] “Smoke and Mirrors: Understanding The Workings of Wazawaka,” accessed January 4, 2024, https://resources.prodaft.com/wazawaka-report.

[3] “Ransomware Gang Leaks Data from Metropolitan Police Department,” BleepingComputer, accessed January 4, 2024, https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-from-metropolitan-police-department/.

[4] VX underground, “RAMP, the forum started by Babuk ransomware group, has seen a surge of flooding and spamming.,” Twitter, accessed October 8, 2022, https://twitter.com/vxunderground/status/1418549368806912006.

[5] David, Efrat. “New Russian-Speaking Forum - A New Place for RaaS?” Kela, July 28, 2021. https://kela.local/new-russian-speaking-forum-a-new-place-for-raas/.

[6] @Leakinfo, “XenSploit - Генерация Вредоносных Плагинов Для XenForo,” Telegraph, March 27, 2021, https://telegra.ph/XenSploit--Generaciya-vredonosnyh-plaginov-dlya-XenForo-03-27.

[7] РЕЛИЗ D2W OS + Инструкция, 2023, YouTube. https://www.youtube.com/watch?v=DiTaZeFwfc8.

[8] “Нелегальный Даркнет-Маркетплейс BlackSprut Рекламируют На Московских Уличных Баннерах,” accessed February 26, 2023, https://www.securitylab.ru/news/536309.php.

[9] “DeepDotWeb Administrator Sentenced for Money Laundering Scheme,” January 26, 2022, https://www.justice.gov/opa/pr/deepdotweb-administrator-sentenced-money-laundering-scheme.

[10] LOLZTEAM Интервью | RaysMorgan | Подкаст с Основателем Форума | В Честь 10-Летия LOLZTEAM, 2023, YouTube. https://www.youtube.com/watch?v=B6w8ic9aFpE.

1,517 views
bottom of page