
A Look Inside the Bustling Cybercrime Marketplace

The Inner Workings of The Underground Cybercrime Marketplace


Cybercrime’s underground activity, much like a Middle Eastern bazaar, is a loud and boisterous market. Buying, selling, haggling and cheating all take place in these marketplaces. Each marketplace houses other specialized markets of illegitimate goods. There’s the credit card market, the bot rental market, another one for viruses, and one more for credentials – to name a few. How do these markets operate, and how are hacker transactions performed?

The Bustling Marketplace

Part 12 in a Series on Cybercrime – Read Noa’s Other Featured Cybercrime Columns Here

Underground Forums – In this marketplace only the initial match between the buyer and the seller is performed. The remaining activity – all dealings and exchange of goods – occurs outside the forum. To enter the forum, a user must first log in. Like an evil eBay, “buy” and “sell” ads are posted on the forum’s message board. To keep things running smoothly, each forum has its own bouncer – the site administrator. This is the individual who manages the forum and its level of trustworthiness. It turns out there is some honor among thieves, as a reputation-based system is in place that relies on feedback from other forum users. A user who has performed successful past transactions is considered reliable and thus has priority on the message board. However, a “ripper” – an individual who does not deliver the goods upon payment – may have their message moved back in the queue or be banished from the forum altogether. Of course, the site administrator has a stake in this priority system and is constantly bribed to ensure good placement on the message board. Bribery comes in the form of a subset of the goods (a percentage of the stolen credentials for sale), or as commission on the sale of goods.

Internet Relay Chat (IRC) channels – The IRC channel is analogous to an exclusive party where matches and transactions all occur within a specific IRC channel. These “parties” are considered much more secretive than their forum counterparts. While forums are picked up by search engines, IRC channels are not indexed; rather, they are known by word of mouth. The IRC user connects to an IRC network via a server. Once connected, the participant chooses the particular channel of interest. It is assumed that in order to have gained knowledge of an existing IRC channel, the user is a serious participant, not just a party-crasher. Yet, different channels also employ a reputation-based system similar to that found in the underground forum. Once the user has joined the channel, she may hop into any public conversation and chime in. If a “match” is made during that conversation, the individuals take the conversation elsewhere – to an IRC room. In this room all communications are private, negotiations take place and the contracts are sealed.

Instant Messaging (IM) – Much of the secretive communication takes place as private messages on IM, after a match on the underground forum is made.

Social Networks – Hackers are finding ways to promote their services, and what better way to self-promote than Facebook? As shown in the screenshot, hackers use Facebook profiles and post information on their Walls advertising their goods. They may provide a sample of their goods, a price list and even references to the underground market sites they actively engage in. An interested buyer can then connect to the seller via a private message.

Cybercriminals Advertising on Facebook

Common Marketplace Currencies

The buyer and seller also negotiate the payment method and currency. Online payment services may be used, and the current trend is to use Liberty Reserve and WebMoney. The latter is the Russian equivalent of PayPal. Yet, just as common are offline monetary transfers. Western Union and MoneyGram are the more frequently used services for such cash transactions.

Sealing the Deal

In all markets, usually just a single transaction is performed in order to complete the purchase, for instance the simple sale of a bulk of stolen webmail accounts. However, things work slightly differently in the case of credit cards, where an additional exchange of hands takes place. After a buyer obtains the credit cards, she needs to re-enter the marketplace – this time seeking an individual who knows how to cash out on the credit cards (for example, a plastic card manufacturer). In this case, the buyer of the stolen cards and the criminal who monetizes the cards split their earnings 40%-60%. The higher percentage goes to the participant who took the higher risk – the one who cashed out on the cards.

Next Column – What are the Market Goods?

This column discussed the underground market scene. Next, we’ll discuss the different goods that are being exchanged and the trending prices for each type of commodity. Stay tuned as I discuss the fall of credit card numbers, and the rise of online credentials. I’ll also provide some advice on protecting your customer data from being traded in these underground markets!

Read More Cybercrime Columns in the SecurityWeek Cybercrime Section
