Discussions of underground forums can evoke imagery of a city’s shadowy back alleys, populated by faceless figures. Speaking in whispered undertones, they meet one another, collaborate in criminal schemes, and transact contraband and prohibited services.
But just how many actors are there altogether on these forums? Do dark web forums grow their membership slowly but steadily, or do they expand exponentially, like the hottest new scene? And how active are those forum members: does each actor post more or less the same amount, or is there a major gap between the most and least active actors?
These questions are important for analysts. Understanding a forum’s lifecycle and internal dynamics guides an analyst’s attention to the highest-value sources and actors.
To these ends, in our latest report we analyzed five extremely popular English and Russian-language underground forums from their inception to the end of 2020. We discovered that they indeed expanded their membership exponentially. One site’s growth did not hinder another’s growth, meaning, in our understanding, that the overall user base of the dark web is growing.
Despite similar trajectories, there was volatility from month to month. And some forums grew faster than others: compound monthly growth rates were 1 percent for the slowest-growing forum and 9 percent for the fastest.
But the largest spike in forum membership occurred in March-May, 2020. The user base of these dark web forums rose by 44% from January until their peak in the spring, and at their peak, they included a total of approximately 268,000 unique monthly users. The number of users reverted subsequent to that peak.
The peak in users is aligned with the coronavirus lockdowns. Prior Cybersixgill reports have noted a tremendous uptick in specific types of cybercrime on the underground during the COVID lockdowns. This includes gaming store accounts, compromised RDP credentials, money laundering services, and narcotics. This research demonstrates that the number of participants in the cyber underground spiked at the time as well.
Why would coronavirus lockdowns lead to a massive increase in users of dark web forums? Some of these users were bored at home and decided to go exploring. Others may have been interested in turning to crime amid the economic shocks from the pandemic and the widely-covered proliferation of cybercrime targeting remote workers, such as ransomware and phishing.
Next, we examined the frequency of posts, determining that a small minority of users was responsible for the vast majority of posts. The top 20 percent of frequent posters generated 73% of posts (which is more or less in line with what’s known as the Pareto Principle). Only 2.1% of users wrote more than 50 posts in half a year.
In our understanding, there are several reasons why so many actors post so infrequently: less experienced actors may come to the forum to learn, so they are mostly observing but not contributing. Or perhaps they wanted to dip their toes but then lost interest. Meanwhile, more experienced actors may create “burner” accounts, posting from a new username each time in order to maintain good operational security.
By examining the number of users and activity per user in forums over time, this exercise results in several indicators that could be used to diagnose a forum’s health. Automating analysis of these indicators can inform threat intelligence analysts which forums are on the rise.
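One way to automate the indicators discussed above (monthly unique users, compound monthly growth rate, the share of posts written by the top 20 percent of posters, and the fraction of users above 50 posts) is sketched below. This is an added example, not code from the report; the `(user, date)` record layout, the function names and the sample data are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import date

def monthly_unique_users(posts):
    """Map (year, month) -> number of distinct posting users, in date order."""
    seen = defaultdict(set)
    for user, day in posts:
        seen[(day.year, day.month)].add(user)
    return {month: len(users) for month, users in sorted(seen.items())}

def compound_monthly_growth_rate(monthly):
    """CMGR between the first and last month present in `monthly`."""
    months = sorted(monthly)
    (y0, m0), (y1, m1) = months[0], months[-1]
    elapsed = (y1 - y0) * 12 + (m1 - m0)
    if elapsed == 0:
        return 0.0  # a single month has no growth rate
    return (monthly[months[-1]] / monthly[months[0]]) ** (1 / elapsed) - 1

def top_share(posts, fraction=0.20):
    """Share of all posts written by the most active `fraction` of users."""
    counts = sorted(Counter(u for u, _ in posts).values(), reverse=True)
    k = max(1, round(len(counts) * fraction))
    return sum(counts[:k]) / sum(counts)

def heavy_poster_fraction(posts, threshold=50):
    """Fraction of users with more than `threshold` posts in the window
    covered by `posts` (the caller chooses the window, e.g. half a year)."""
    counts = Counter(u for u, _ in posts)
    return sum(1 for c in counts.values() if c > threshold) / len(counts)

def sample_posts():
    """Constructed data: 4, 6 and 9 active users in Jan-Mar 2020, with
    user0 and user1 posting far more often than everyone else."""
    posts = []
    for month, active in {1: 4, 2: 6, 3: 9}.items():
        for i in range(active):
            reps = 20 if i == 0 else 5 if i == 1 else 1
            posts += [(f"user{i}", date(2020, month, 1 + r)) for r in range(reps)]
    return posts

if __name__ == "__main__":
    posts = sample_posts()
    monthly = monthly_unique_users(posts)
    print("unique users per month:", monthly)
    print("CMGR: {:.1%}".format(compound_monthly_growth_rate(monthly)))
    print("top 20% share of posts: {:.1%}".format(top_share(posts)))
    print("users with >50 posts: {:.1%}".format(heavy_poster_fraction(posts)))
```

Run per forum on a rolling window, a rising CMGR points to a forum that is gaining members, and the concentration figures show how much of its content depends on a few accounts.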
Finally, we must emphasize that this research demonstrated that the overall user base of the underground is expanding. The COVID spike of users, correlated with the rise in cybercrime, proves this well: as the population of the dark web increases, so does broader criminal activity.