Some cybercrime forums on the dark web have virtual courtrooms where members can file complaints against each other, and the judge’s decision is in most cases accepted by the defendant, particularly those who want to maintain a good reputation.
Jon DiMaggio, former intelligence community agent and chief security strategist at threat intelligence firm Analyst1, has analyzed this underground justice system and noticed that “the cybercrime community treats every case equally without prioritizing more complex cases with higher compensation demand.”
DiMaggio told SecurityWeek that only two forums have these courtrooms — both have been around for more than a decade and they are both respected in the criminal community.
The court system is hosted on a sub-forum with the title “court” or “arbitrage” and any member can file a complaint. The complaint must include a brief description, the name of the defendant and their contact information, and the plaintiff can submit evidence to support their case, including chat logs, cryptocurrency transactions, and screenshots. Every member of the forum can take part in the virtual hearing, but the ruling is made by the forum’s administrators and commentators do not act as a jury.
One of the analyzed forums, a major Russian-speaking cybercrime marketplace, has more than 600 arbitrage threads, with requested compensation typically ranging between a few hundred and a few thousand dollars.
While many of these complaints have been filed against lesser known threat actors, some have targeted high-profile groups. Plaintiffs who filed complaints against operators of Conti, REvil and Netwalker ransomware sought to obtain millions of dollars. However, ransomware-related topics have been banned by these courts since May 2021, which is right around the time of the highly disruptive attacks targeting Colonial Pipeline and meat producer JBS. Law enforcement operations against ransomware operators intensified following these incidents.
DiMaggio says the accused party almost always pays up once the arbitrator has announced their decision.
“At least with Russian criminals, their ‘criminal code’ is significant and most seem to stand by it. It’s a much smaller criminal community than most people realize and even smaller when referring to ransomware criminals and affiliates,” the researcher explained. “It is cheaper, even in bigger payouts, to pay the amount awarded by an arbitrator than to lose trust of the community, creating a situation where no one will buy or participate in your service offering.”
In some of the cases won by the plaintiff, their compensation is taken from an escrow account.
“In some cases, with well-established criminals, they will provide a bitcoin deposit in advance of any work being done, which acts as an escrow account for awarding funds to partners in an effort to ensure the criminal is serious and to show there is money to be made,” DiMaggio explained.
Even if the compensation cannot be taken from an escrow account, the defendant is likely to respect the court’s decision and pay up in an effort to avoid damaging their reputation.
“Reputation is very important in the criminal underground and usually not worth burning over what to them is usually a small amount of money,” DiMaggio said. “[It] makes more sense to pay out arbitration when awarded, otherwise the overall financial impact will likely be far greater in loss revenue due the backlash of the criminal community participating on the forum.”
Cybercriminals who don’t accept the court’s ruling and refuse to pay up — some criminal hackers may choose to simply disappear after losing a case — will have their account banned. While they could return under a different alias, they would offer the same services, making it easy for other members to know who it is behind the new username.
“Most criminals won’t work with newly created accounts that do not have a history or reputation, as well,” DiMaggio said. “Both of these take time to build and if you are banned, it makes it very difficult to regain that trust.”
On the other hand, there are some cases where the “customer” is so frustrated that they decide to take matters into their own hands and attempt to dox the individual who has wronged them, making public their real name, physical address, contact information, social media profiles, and even their family’s information.