There may be no honor among cyberthieves. But at least a few appear to be abiding by a set of underground rules for sorting out differences among themselves over broken promises, unpaid dues, and ineffective malware.
Researchers from threat intelligence firm Analyst1 recently analyzed the workings of several major cybercrime forums and discovered at least two of them to have an informal kind of court system in place where criminals can file grievances and settle disputes with peers. Analyst1's research showed that dozens of cases from around the Dark Web escalate to these courts daily and wait for forum administration members to settle the disputes.
Analyst1 counted over 600 threads pertaining to cases that have been filed in these courts. The amounts at dispute in such cases typically ranged from a few hundred to a few thousand dollars, though a handful involved disputes over much higher sums. In April 2021, for instance, an operator and penetration testing outfit affiliated with the Conti ransomware group were sued for $2 million for not living up to an agreement involving the hacking and encryption of data of a US-based school system.
That case ended in favor of the two Conti affiliates after a "trial" process that lasted some one-and-a-half months. But in many other instances, criminals filing the disputes have won, says Jon DiMaggio, chief security strategist at Analyst1.
"It happens all the time," DiMaggio says. "The system would not work if the plaintiffs were not paid once the arbitrator makes a decision."
DarkSide in the Hot Seat
Earlier this year, researchers from Huntress Labs, also reported on criminal hackers having their own codes of conduct and a sort of underground court system for enforcing them. One case the company monitored involved multiple complaints against the operators of the DarkSide ransomware-as-a-service outfit from affiliates seeking payments for attacks they had carried out with the malware.
The complaints were filed when DarkSide abruptly ceased operations after US authorities and others identified it as the group behind the attack on Colonial Pipeline that triggered temporary oil supply shortages along the US East Coast. The claims were settled by administrators of the cybercrime forum where the complaints were filed, and money was paid to the "plaintiffs" from a DarkSide escrow account created for precisely such eventualities.
Analyst1 found that threats actors can file cases against each other for a variety of reasons. As one example, it pointed to a threat actor that might have purchased access to a compromised network from an access broker only to discover it has been sold previously to another threat actor. The threat actor in this case would initiate action against the broker by providing details of the incident in a dedicated sub-forum typically titled Court or Arbitrage.
Here the "plaintiff" would provide details of the claim, such as the nickname of the broker, a link to their contact information on services such as Jabber and Telegram, and evidence including chat logs, screenshots, and other transactions that involved the alleged violation. An arbiter is then assigned to the case to examine the details and listen to counterclaims by the alleged violator. The hacker's court gives every forum member the right to participate in the process, but only the arbiter makes the final decision.
When a decision is in favor of the plaintiff, the "defendant" has a set amount of time to make amends or face the prospect of being banned from any future activity on the forum. Typically, well-established cybercrime operators make a bitcoin deposit into an escrow account as proof of their ability to pay for service. Threat actors are paid from this account when a dispute is settled in their favor.
"No one will buy access to a potential compromised target or purchase malware if they see the seller/service operator went through arbitration and did not pay out once the arbitrator made their decision," DiMaggio says.
Analyst1, like other security firms, discovered that most cybercrime forums have banned all ransomware related topics, transactions, and arbitrages. The ban was put in place shortly after the Colonial Pipeline breach and appears to be in response to heightened law-enforcement activity targeting ransomware operators following the attack.
Reputations on the Line
Threat actors operating in large underground forums often are quick to comply with underground court decisions because they want to protect their reputations.
"Criminals work hard to build their reputation on these forums," DiMaggio says. "These forums are where ransomware affiliate recruiting takes place as well as malware sales, breach, and exploit access, and even hacking services are offered."
Losing trust or getting banned from a forum can have a huge negative impact on a threat actor's ability to operate in the cyber underground, he says. In some extreme cases, threat actors have exposed the true identities of the cybercriminals — including physical address, social media profiles, and phone numbers — that might have scammed them, Analyst1 said.
John Hammond, senior security researcher at Huntress, says practically every cybercrime forum or bulletin board has a sort of judicial system, or a "people's court" for handling disputes among criminals. "It's a strange sort of sportsmanship or code of conduct, where hackers, thieves, and scammers should not cross each other," he says.
Hammond says often the arbiter handling a dispute decides the verdict based on the evidence the plaintiff presents, as well as general opinion from the broader community on the forum.
"If found guilty, the accused can be banned from the community, placed on a public wall of shame, and have their bad reputation shared within other underground syndicates," he says.