It makes sense that those of us who work in the field of threat intelligence often approach the dark web primarily as a place where criminal schemes take shape.
But to understand how the dark web works and the role it plays in the cybercrime ecosystem, sometimes it’s worth remembering that neither the major underground forums nor the users who frequent them are monolithic. And while these forums certainly play a key role in driving cybercrime, sometimes they function as tools for people to communicate. Content posted on the dark web can even “go viral” in a way that resembles regular social media platforms.
With that in mind, I’d like to share some surprising discoveries I recently made about a particular series of posts within underground forums, which can help us understand some of the dynamics of conversations on the dark web.
The first of these posts caught my eye while researching for a report about abuse of digital payment platforms on the deep and dark web. What stood out as strange to me was the post’s peculiar disclaimer:
Now, I’m a cybersecurity researcher, not a federal investigator, but I highly doubt that an FBI agent who comes across this post will say, “Well, I thought we finally caught them in the act of money laundering, but now they say they aren’t doing what their post says that they’re doing.” I also hesitate to believe that any judge would say, “Clearly, all of the evidence points to the fact that you are involved in a criminal conspiracy, but the post says that you deny association, so have a nice day.”
Being curious, I decided to dig a bit deeper. While a typical person knows how pointless this disclaimer is, maybe the actor who posted it believes it might protect them. And maybe other actors saw a disclaimer like this on another post and decided to use it themselves.
I queried for “In case of an investigation by any federal entity or similar” in Cybersixgill’s investigative portal. I found many results, and they were pretty interesting: The earliest one was from June 8, 2017 – three years earlier than the post that I had found first – and it included the same disclaimer, almost verbatim:
Both posts appeared in the same popular dark web forum, which we will refer to as Forum_X. In fact, over 90% of the posts that we discovered with this disclaimer were from Forum_X.
When viewed on a timeline, posts containing this disclaimer began to pick up in November 2019. But then, in the beginning of May this year, they spiked: There were 868 just in the first week of the month.
What’s going on? What triggered such a staggering spike?
Cybersixgill automatically aggregates data leaks and alerts customers in real time.
I focused my search on posts from the beginning of May. I noticed that several of them directly addressed the FBI in their titles:
Many actors commented on these posts. A few asked if they were under investigation, to which others answered in the affirmative, but even more, actors simply copied the disclaimer.
Another actor asked if the FBI is “preparing for an attack/investigation.” One actor responded “Yes,” presumably sarcastically, while another posted a facepalm emoji. Without understanding the irony, a third actor wrote, “I am actually a new member here but i will go ahead and clear myself in a Post, so i dont get into trouble”
Many more wrote on the thread with this disclaimer. In the 22nd and final post, someone wrote what was becoming clear – that this was all just a bad joke.
But not everyone got the memo. Over the following days, this disclaimer exploded. All of a sudden, everyone was including it in posts. Some undoubtedly were in on the joke, while others were probably not.
Bringing it all together
Our investigation into an odd legal disclaimer on a dark web forum showed that it was around for several years before an explosion of mentions. In our understanding, the mentions spiked because of a real fear among many forum participants that there was an active FBI investigation, but then died off just as quickly as more and more actors realized that it was a joke.
In this, we can learn something interesting about the nature of dark web forums and their users.
Dark web forums attract a whole range of users. Some of them are advanced actors, providing or offering very specific goods or services, while others are new and inquisitive.
Real-world identities are hidden, so it’s difficult to know if you’re talking to an expert hacker, a curious fifteen-year-old, or a government actor. All messaging takes place in text (not everyone is fluent in English), so it’s hard to understand intent and tone, especially sarcasm fully. And since the subjects being discussed are illegal, there’s also an element of paranoia among forum participants – nobody wants to end up in prison.
Finally, actors are constantly jockeying between one another to prove that they’re l33t h4x0rs (elite hackers) by “owning” n00bs (newbies/beginners). One can separate the pros from the novices by spreading a rumor and seeing who gullibly follows. That way, the pros can identify one another to continue their schemes, while (they hope) avoiding any actual investigations by governmental or other authorities.