Shifts in Underground Markets: Past, Present, and Future

According to an academic study on the cybercrime economy, cybercrime (which includes ransomware, sales of counterfeit goods, data theft, and others) generates around US$1.5 trillion in annual revenue. This widespread business outpaces top global revenue earners like Apple (US$260 billion in 2019), Saudi Aramco (US$356 billion in 2018), and Amazon (US$281 billion in 2019).

English and Russian remain the dominant languages in the cybercrime market. And although many markets have been taken down by law enforcement agencies, we found that some popular hacking and cybercrime forums were still operating at the start of 2020, namely: Exploit[.]im (forum moves around and also uses Exploit[.]in), Hackforums, Nulled, Raid Forums and Joker’s Stash. We also found that their membership numbers continued to increase.

The cybercriminal underground is not as separated by language as much as it was five years ago. We spotted overlapping posts and cross-market advertising in forums of different languages. Russian actors regularly participated in English and Arabic forums, while Spanish actors participated in English forums. It seems cybercriminals have adopted a more global view and found that advertising in multiple language forums is a must if they wanted to earn more money. Still, the cybercriminal underground economy remains diverse, and different markets carry unique goods and services for the country or region to which they cater.

Prices for different commodities have fluctuated since our 2015 reports on the Russian and English underground. In 2015, generic botnets started selling at around US$200 in Russian underground forums. Generic botnet prices today cost around US$5 a day, and prices for builders start at US$100. United States credit cards were sold at US$20 in 2015, but prices start at US$1 in 2020. High-balance credit cards are selling for over US$500 in 2020. Meanwhile, monthly crypting services dropped to around US$20.

The cost of some services and goods remained relatively stable. Ransomware has not changed— ransomware-as-service prices still start at US$5. Crypterlocker, which has been around since 2013, continues to demand a high price (around $100). Scanned document services, such as copies of driver’s licenses, passports, and bill statements, still start at US$5 — similar to the prices in 2015. Similarly, the price of remote access tools (RAT) did not change, starting at US$2 for malware-as-a-service (MaaS). NJRat, which has been around since 2012, continues to be found in multiple language forums for free. Online account credentials are still priced at around US$1. The price of spam services has not changed, but they are now sending SMS rather than emails.

One notable trend we observed is accessible MaaS services for RATS, crypters, botnets, and  ansomware. The MaaS service model delivers a complete package: infrastructure, support, and updates. These services are also affordable, with some MaaS offerings starting at around US$20 a month. There is virtually no pricing barrier, and the technical skills that buyers need to have to setup attacks have been greatly reduced.