Security Experts:

Connect with us

Hi, what are you looking for?



Money, Reputations at Stake in Dark Web Courtrooms

Dark web justice system

Dark web justice system

Some cybercrime forums on the dark web have virtual courtrooms where members can file complaints against each other, and the judge’s decision is in most cases accepted by the defendant, particularly those who want to maintain a good reputation.

Jon DiMaggio, former intelligence community agent and chief security strategist at threat intelligence firm Analyst1, has analyzed this underground justice system and noticed that “the cybercrime community treats every case equally without prioritizing more complex cases with higher compensation demand.”

DiMaggio told SecurityWeek that only two forums have these courtrooms — both have been around for more than a decade and they are both respected in the criminal community.

The court system is hosted on a sub-forum with the title “court” or “arbitrage” and any member can file a complaint. The complaint must include a brief description, the name of the defendant and their contact information, and the plaintiff can submit evidence to support their case, including chat logs, cryptocurrency transactions, and screenshots. Every member of the forum can take part in the virtual hearing, but the ruling is made by the forum’s administrators and commentators do not act as a jury.

One of the analyzed forums, a major Russian-speaking cybercrime marketplace, has more than 600 arbitrage threads, with requested compensation typically ranging between a few hundred and a few thousand dollars.

While many of these complaints have been filed against lesser known threat actors, some have targeted high-profile groups. Plaintiffs who filed complaints against operators of Conti, REvil and Netwalker ransomware sought to obtain millions of dollars. However, ransomware-related topics have been banned by these courts since May 2021, which is right around the time of the highly disruptive attacks targeting Colonial Pipeline and meat producer JBS. Law enforcement operations against ransomware operators intensified following these incidents.

DiMaggio says the accused party almost always pays up once the arbitrator has announced their decision.

“At least with Russian criminals, their ‘criminal code’ is significant and most seem to stand by it. It’s a much smaller criminal community than most people realize and even smaller when referring to ransomware criminals and affiliates,” the researcher explained. “It is cheaper, even in bigger payouts, to pay the amount awarded by an arbitrator than to lose trust of the community, creating a situation where no one will buy or participate in your service offering.”

In some of the cases won by the plaintiff, their compensation is taken from an escrow account.

“In some cases, with well-established criminals, they will provide a bitcoin deposit in advance of any work being done, which acts as an escrow account for awarding funds to partners in an effort to ensure the criminal is serious and to show there is money to be made,” DiMaggio explained.

Even if the compensation cannot be taken from an escrow account, the defendant is likely to respect the court’s decision and pay up in an effort to avoid damaging their reputation.

“Reputation is very important in the criminal underground and usually not worth burning over what to them is usually a small amount of money,” DiMaggio said. “[It] makes more sense to pay out arbitration when awarded, otherwise the overall financial impact will likely be far greater in loss revenue due the backlash of the criminal community participating on the forum.”

Cybercriminals who don’t accept the court’s ruling and refuse to pay up — some criminal hackers may choose to simply disappear after losing a case — will have their account banned. While they could return under a different alias, they would offer the same services, making it easy for other members to know who it is behind the new username.

“Most criminals won’t work with newly created accounts that do not have a history or reputation, as well,” DiMaggio said. “Both of these take time to build and if you are banned, it makes it very difficult to regain that trust.”

On the other hand, there are some cases where the “customer” is so frustrated that they decide to take matters into their own hands and attempt to dox the individual who has wronged them, making public their real name, physical address, contact information, social media profiles, and even their family’s information.

Related: Why You May Not Need to Monitor the Dark Web

Related: The Case for Taking Down Dark Web Sites

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.


Cybercriminals earned significantly less from ransomware attacks in 2022 compared to 2021 as victims are increasingly refusing to pay ransom demands.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.