Security Experts:

Connect with us

Hi, what are you looking for?



Researchers Analyze Traffic Statistics of Popular Cybercrime Forums

Researchers at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, have analyzed the traffic statistics of several popular cybercrime forums and they have shared some interesting observations.

Researchers at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, have analyzed the traffic statistics of several popular cybercrime forums and they have shared some interesting observations.

The research was conducted after Altenen, an English-language carding forum, boasted about the site’s number of visitors and revenue based on data obtained from a web statistics and analysis service named HypeStat. The administrators of Altenen shared the information in hopes of attracting more users.

After seeing Altenen’s post, researchers at Digital Shadows decided to look at the traffic statistics of several popular cybercriminal forums, and compared the findings to their own perception of these websites.

In addition to Altenen, the researchers analyzed the English-langage forums RaidForums, Nulled, Cracked TO and Cracking King, the German-language forum Crimenetwork, and the Russian forums Exploit and XSS. The data was obtained from HypeStat and Alexa, and it included rank, unique daily visitors, visiting countries, traffic sources, and daily revenue estimates.

Cybercrime forum traffic statistics

While websites such as Altenen, Nulled, Exploit and XSS appear to have recorded increased traffic in the past 90 days — some of them used these statistics to promote their services — Digital Shadows pointed out that some of these forums may have used bots to manipulate the number of visitors and boost their ranking.

“Altenen’s drastic increase in rank, in particular, seems almost too good to be true, as none of the other forums we regard as popular, such as RaidForums, have experienced a similar increase during the same period,” Digital Shadows noted in a blog post.

The company also highlighted that traffic statistics don’t include visits from .onion domains and since these websites are likely visited by many through the Tor network, Alexa rankings don’t accurately represent the number of visitors.

Traffic data also shows that the average time spent by users on these forums ranges between 6 and 22 minutes. However, Digital Shadows experts believe this might not be very accurate either, as, for example, users apparently spend on average less than 8 minutes on Exploit, but since this is a fully gated forum, its visitors are not random guest users and they likely spend more than that on the site.

As for advertising revenue showed by traffic analysis services, the researchers believe they do not show a forum’s actual economy, as these websites can also earn money through paid memberships and commissions on each transaction.

Kacey Clark, threat researcher at Digital Shadows, told SecurityWeek that a key takeaway from this research is that website traffic metrics can be manipulated, including through the use of bots and VPNs, and some cybercrime platforms will use favorable traffic statistics data to gain more traction.

Clark noted that website traffic statistics have contextual limitations. “Context is critical when assessing forums. Numbers alone do not paint the full picture and do not provide an insight into the forum’s content and users, its true economy, or explain the fluctuations of visitor numbers.”

He explained, “Gaining an in-depth understanding of the cybercriminal underground demands a lot of manual labor over a long period of time; it cannot be acquired by querying website traffic metrics alone. Research like this highlights the need for the human-in-the-loop and the importance of combining a manual and automatic approach. Looking at big data can give a general oversight of what’s happening; however, without HUMINT, an array of important details and nuances will be lost.”

Related: Over 5 Billion Unique Credentials Offered on Cybercrime Marketplaces

Related: Collection of South Korean, U.S. Payment Cards Emerges on Underground Market

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.