Down but not out: Russian crooks rally to new strongholds


Cybercriminals affiliated with the pariah superstate are setting up shop on other platforms after the recent shutdown of major illicit trading forums used by threat actors, analysis by Digital Shadows confirms.

Ever resilient in the face of adversity, Russian gangs are bouncing back from the high-profile dissolution of HYDRA and RaidForums, taken down earlier this month by authorities in Germany and the US respectively.

ADVERTISEMENT

“With HYDRA out of the picture, cybersecurity researchers have observed [cybercriminal] vendors relocating their activities exclusively to Telegram,” said Digital Shadows. “In addition, the established, Russian-language marketplace MEGA has a strong chance of emerging as the go-to marketplace for former HYDRA users because it also serves a diverse demand for illegal items.”

Like its predecessor, MEGA purveys a multitude of sins, including databases of harvested credentials, carding and counterfeit-related products, and off-the-shelf hacking software. Since last year, its user base increased by around 1,700, a figure Digital Shadows forecasts will continue growing in the wake of HYDRA’s demise.

From one forum to another

RaidForums appears to have a strong contender for a successor too, with BreachForums touted for the spot by a former member last month.

“Although still very much in its early stages, BreachForums has the potential to become a proper replacement for RaidForums,” said Digital Shadows, adding that at the time of writing, the site had more than 5,000 members and counting.

In further evidence of migration between platforms, some of the new usernames on BreachForums are identical to those used on Russian-language cybercriminal forums.

But with more than half a million users registered on RaidForums before its shutdown, the new platform has some way to go before it can emerge as the true successor.

“BreachForums has nowhere near the user base and popularity of RaidForums, but it has some advantages that could enable it to grow,” said Digital Shadows. These entail providing incentives to former RaidForums users, similar functionality and appearance to its predecessor, and having a reputable former RaidForums user as its administrator.

ADVERTISEMENT

Yet more to come

While RaidForums was noted for being an English-language platform that also attracted users from Russia, Digital Shadows warns that black-hat hackers from the Federation are also likely to turn to forums that only use their native language.

“While MEGA, BreachForums, and Telegram appear to be early favorites for adoption by some Russian cybercriminals, well-established Russian-language forums will likely see an influx of some of these displaced individuals,” it said.

Digital Shadows also cautioned that the law’s recent progress against threat actors would not prevent cybercrime from flourishing on these alternative platforms – perhaps like never before, as Russians feeling the effects of Western sanctions double down on their illicit activities.

“We may see increasing numbers of Russia-based cybercriminals compelled to pursue more financially motivated cybercrime in response to the sanctions’ effects on Russia’s economy,” it said.