Scammers have scammed their fellow cybercriminals out of more than $2.5 million on three dark web forums alone over the last 12 months, according to Sophos researchers.
In a Black Hat Europe session, Sophos threat hunters detailed their investigation, which examined scams on two well-established Russian-language marketplaces, Exploit and XSS. They also looked at BreachForums, which launched in April 2022 after a Europol-led operation shut down the earlier version of the stolen-data souk, RaidForums.
And it turns out that scammers gonna scam, even in the criminal underground.
“We saw referral cons, fake data leaks and tools, typosquatting, phishing, ‘alt rep’ scams (the use of sockpuppets to artificially inflate reputation scores), fake guarantors, blackmail, impersonated accounts, and backdoored malware,” writes Sophos senior security researcher Matt Wixey, in the research posted today. “We even found instances where threat actors got revenge by scamming the scammers who scammed them.”
Scams on these three cybercrime forums are so prevalent that all of them have dedicated “arbitration rooms.”
Exploit, which has about 2,500 reported scams, has two: one for claims and another, the Black List, for confirmed scams. These have been around since the mid-2000s, along with closed Russian attacker forum XSS, which reported around 760 scams on its site, according to Sophos. XSS also keeps a “ripper list” that indexes scam sites.
“Exploit is the worst for scams, both in terms of numbers of reports and money lost to scammers,” Wixey writes. “It does have around twice as many members as XSS, and may also attract more scammers because of its reputation.”
Exploit’s open claims’ room lists 211 claims totaling $1,021,998, while its Black List cited 236 exploits that cost other crooks $863,324.
In one case, an Exploit user opened an arbitration claim in an attempt to negotiate with ransomware gang Conti about decrypting a company’s assets. Exploit admins, however, closed that claim because ransomware is banned on the marketplace, so apparently there are some standards.
Meanwhile, XSS, for comparison, reported 120 open claims valued at $509,901. BreachForums’ arbitration room, which has only been around since that market opened in April, lists 21 claims worth $143,722.
While higher-end scams on all three forums hit six figures — $160,000 on Exploit and XSS are the most lucrative — some victims on these sites have filed claims for as little as $2, according to Wixey. “Threat actors seem to be as indignant about having their money stolen as anyone else, no matter the amount,” he notes.
Perhaps unsurprisingly, the claims processes sometimes descend into name calling, insults and general chaos with the accuser accusing the accused of scamming. In some cases the alleged victims end up getting banned from the sites for being dishonest.
While banning is the most common punishment for ripping off fellow criminals on these forums, BreachForums also publishes banned users’ email address, registration, and last-seen IP address, thus leaving them open for doxxing, the research says.
However, Sophos also cites a few cases “involving serial scammers” who were banned, and simply created new profiles, paid another registration fee, and carried on with their criminal ways.
As Wixey notes: “If there’s a takeaway from all this, it’s that no user is immune; any trade on criminal forums involves an inherent risk of scams.” ®