A well-known private hacking forum has recently become more inclusive, introducing a new platform to help newbie threat actors flourish and hone their expertise, research has found. The discovery is unique, as private hacker forums tend to be the exclusive province of elite cybercriminals.
Digital Shadows on Thursday published a report that takes a deep dive into CryptBB, an exclusive hacker forum that has been operational since 2017.
Initially, the site only accepted new members after a “rigorous application and interview process,” requiring that an applicant prove their skill and knowledge on a chosen area of expertise, “leaving no room for those who fail to meet the required standards,” researchers wrote.
However, the forum recently has taken steps “to be viewed as a platform for ‘all,’” by launching near the end of 2019 a designated space for what it called “newbies,” according to the report. These are hackers who failed the application process but still wanted to hone their skills and learn from not just one another, but also from more expert members of the forum.
“The real surprise was the identification of an application-only forum creating a dedicated subforum for failed applicants, or ‘newbies’, to converse, share insights, and learn from full-time members,” Alex Guirakhoo, threat research team lead at Digital Shadows, told Threatpost. “Historically, the only times we have seen exclusive (private) forums lower the parameters for entry are when they have allowed members willing to pay a set fee in order to bypass the application process (this was seen with the English-language forum KickAss and the Russian-language forum Exploit). The payment enabled the forum to gain more members but was also financially beneficial to the forum. In CryptBB’s case, they are using a dedicated subforum to share knowledge and help others for free. They might be doing this for site-traffic metrics, but the intent behind the scheme seems innocent enough and the forum likely feels it is a way to give back and help others to increase their skills/knowledge.”
Last month, CryptBB owners went a step further and also began to reach out on the dark web to try to recruit new hackers into the forum. Digital Shadows identified what is called a “subdread” dedicated to CryptBB on the dark web community forum Dread—which has a “far-reaching and loyal user base” — in early June, researchers noted.
“On this subdread, CryptBB proclaims itself to be an excellent forum for ‘newbie’ hackers, programmers, and carders eager to start on their journey while also remaining a private platform for ‘advanced’ members who can partake in quality discussions and share expertise,” researchers wrote.
Digital Shadows imagined a few reasons for this concerted effort to shift from a forum exclusive to expert hackers to one that is now inviting less experienced ones into the fold.
One could be to try to preserve and maintain some of the methods and strategies already used by more skilled hackers, researchers surmised. Historically, CryptBB has provided some dedicated services for members to offer, including RDP sales and “hackers for hire” services, they said. Earlier this year, the forum’s admin team also began offering penetration testing and bug-reporting services to marketplaces with an assurance of discretion and no “drama,” researchers reported.
Guirakhoo told Threatpost, “Whilst I cannot exactly say for sure the reasons for these latest activities to court new members, it is highly likely that the forum wants/needs additional members for future projects/work and the current range of skill sets of their current membership might be limited. The forum itself has historically been identified to offer bespoke services (e.g. marketplace pen-testing, RDPs, etc.) on other forums, indicating the forum acts as a collective rather than individual entities. This is in contrast to other forums where individual users usually offer specific services. Therefore, the forum admins may recognize a need to sustain a higher member count in order to maintain these services and ensure they are appropriately staffed.”
Another motive for the forum’s cultivation of less experienced hackers suggests that cybercriminals have feelings too, and might actually feel gratified by helping newbies hone their skills, researchers said.
“This may reassure the administration team that they are earning karma to mitigate past misdeeds or provide the sense that they are giving back to their community,” they wrote, adding that this “give back” behavior already has been observed on Russian-language cybercriminal forums in the form of charity campaigns.
Other reasons for the move might be less altruistic. More established members of the forum might want to bolster their own reputation and profile in the cybercriminal scene by passing on knowledge to less experienced hackers, as well as recruit future members to “empower the community as a whole,” researchers noted.
Those behind CryptBB also might want to use the newbie forum to expose itself to a wider audience, as an exclusive forum doesn’t garner as much activity and participation as one with a lower barrier to entry. The forum faces competition in terms of sustaining its membership and activity from another called Torum, which is “more fluid” and has a higher activity level, researchers said.
“Creating a dedicated section for novice users improves CryptBB’s image within the cybercriminal scene and encourages other users to participate,” they wrote.
Finally, CryptBB admins may actually be trying to learn from experience by loosening requirements for entry into the forum, researchers noted.
Out of all the forums launched around the same time, CryptBB is the last one standing. That’s because disgruntled hackers from now-defunct contemporaries, such as KickAss and 0day, became frustrated and began to blab about the forums on other active platforms. This invited unwanted attention from law enforcement and dissent within leadership ranks, among other problems.
Overall, the move will “likely increase forum participation in the long-run and therefore establish the forum as a staple in the hacking and carding scene,” according to Digital Shadows.
“This, combined with the various services currently being offered to external parties, clearly demonstrates the administration team’s desire to ensure the forum stands the test of time,” researchers wrote.