Some cybercrime forums on the dark web have virtual courtrooms where members can file complaints against each other, and the judge’s decision is in most cases accepted by the defendant, particularly those who want to maintain a good reputation.
Jon DiMaggio, former intelligence community agent and chief security strategist at threat intelligence firm Analyst1, has analyzed this underground justice system and noticed that “the cybercrime community treats every case equally without prioritizing more complex cases with higher compensation demand.”
DiMaggio told SecurityWeek that only two forums have these courtrooms — both have been around for more than a decade and they are both respected in the criminal community.
The court system is hosted on a sub-forum with the title “court” or “arbitrage” and any member can file a complaint. The complaint must include a brief description, the name of the defendant and their contact information, and the plaintiff can submit evidence to support their case, including chat logs, cryptocurrency transactions, and screenshots. Every member of the forum can take part in the virtual hearing, but the ruling is made by the forum’s administrators and commentators do not act as a jury.
One of the analyzed forums, a major Russian-speaking cybercrime marketplace, has more than 600 arbitrage threads, with requested compensation typically ranging between a few hundred and a few thousand dollars.
While many of these complaints have been filed against lesser known threat actors, some have targeted high-profile groups. Plaintiffs who filed complaints against operators of Conti, REvil and Netwalker ransomware sought to obtain millions of dollars. However, ransomware-related topics have been banned by these courts since May 2021, which is right around the time of the highly disruptive attacks targeting Colonial Pipeline and meat producer JBS. Law enforcement operations against ransomware operators intensified following these incidents.
DiMaggio says the accused party almost always pays up once the arbitrator has announced their decision.
“At least with Russian criminals, their ‘criminal code’ is significant and most seem to stand by it. It’s a much smaller criminal community than most people realize and even smaller when referring to ransomware criminals and affiliates,” the researcher explained. “It is cheaper, even in bigger payouts, to pay the amount awarded by an arbitrator than to lose trust of the community, creating a situation where no one will buy or participate in your service offering.”
In some of the cases won by the plaintiff, their compensation is taken from an escrow account.
“In some cases, with well-established criminals, they will provide a bitcoin deposit in advance of any work being done, which acts as an escrow account for awarding funds to partners in an effort to ensure the criminal is serious and to show there is money to be made,” DiMaggio explained.
Even if the compensation cannot be taken from an escrow account, the defendant is likely to respect the court’s decision and pay up in an effort to avoid damaging their reputation.
“Reputation is very important in the criminal underground and usually not worth burning over what to them is usually a small amount of money,” DiMaggio said. “[It] makes more sense to pay out arbitration when awarded, otherwise the overall financial impact will likely be far greater in loss revenue due the backlash of the criminal community participating on the forum.”
Cybercriminals who don’t accept the court’s ruling and refuse to pay up — some criminal hackers may choose to simply disappear after losing a case — will have their account banned. While they could return under a different alias, they would offer the same services, making it easy for other members to know who it is behind the new username.
“Most criminals won’t work with newly created accounts that do not have a history or reputation, as well,” DiMaggio said. “Both of these take time to build and if you are banned, it makes it very difficult to regain that trust.”
On the other hand, there are some cases where the “customer” is so frustrated that they decide to take matters into their own hands and attempt to dox the individual who has wronged them, making public their real name, physical address, contact information, social media profiles, and even their family’s information.
Related: Why You May Not Need to Monitor the Dark Web
Related: The Case for Taking Down Dark Web Sites

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
