Dark Web forum activity increased 44% in spring 2020 from benchmarks in January, researchers have learned in a new analysis of the effects of COVID-19 on underground forums.
A team from cybersecurity firm Sixgill analyzed five underground forums, chosen for their high volume of messages, low barrier to entry, and importance, to investigate their number of users and activity. At their peak, these forums had a combined total of 268,610 unique monthly users, up from 82,421 in January. Their compound monthly growth rate ranged from 1% to 9.2%.
While the growth may be explained by the increase in the number of people sitting indoors with the lack of other things to do, Dov Lerner, head of security research at Sixgill, was surprised by the rise in the activity. The growth of one site has not hampered that of another, a sign that participation on the Dark Web is increasing.
“Everyone is stuck at home; people are bored and looking for something to do … I would have guessed that the number of [Dark Web] the actors would also increase, ”he said. “I didn’t expect it to increase by 44%. This number really stood out as something very, very striking.
Earlier reports from Sixgill detected an increase in certain types of cybercrime on the Dark Web during the same period of spring 2020, including the sale of game store accounts, compromised Remote Desktop Protocol (RDP) credentials , money laundering services and narcotics.
The forums are identified in the report as Forums A, B, C, D, and E. The researchers chose not to name the specific forums, but to say that they are “extremely popular” and specifically focused on cybercriminality. Four of the forums were English speaking; one was Russian. While Russian is a predominant language on the Dark Web, Lerner assumes that Russian-speaking forums may have a smaller volume of messages, or that Russian participants join large English-speaking forums.
These sites were general in nature and covered the gamut of cybercrime, with a range of information shared ranging from gaming tips to compromised software. “They all deal in one way or another with the heavier cybercrime,” Lerner says. “In general, I think it’s interesting how many topics coexist on these forums. These are very wide.
Forum activity was assessed in terms of the number of posts. Users were only counted if they had created at least one, because researchers could not determine how many registered users had not contributed. In the first half of 2020, 85% of participants wrote ten articles or less, and only 2.1% wrote more than 51 articles, according to the researchers. Most forum users barely participate: the 20% of the most active users account for almost 75% of all posts.
There are many reasons why users may post infrequently, Lerner says. Some less experienced participants might come to learn, so they observe but do not contribute. Others may have wanted to dip their toes in the basement, but then lost interest. Some users create “burner” accounts and post with a new username each time to maintain operational security.
All five forums analyzed grew exponentially, with the number of participants starting weak and increasing suddenly over time. Each has gone through different periods in which growth accelerated and growth varied from forum to forum. The 44% increase the researchers found is part of a trend towards higher overall participation, Lerner says. Many forums become popular through word of mouth as people share them with friends; from there, they can grow quickly.
Researchers are working to find out how long these forums last and what motivates their growth. COVID-related growth aside, he says a forum could become popular if it becomes known for a good or service in high demand. However, if something appears on one site, it can then be shared on others. While all of the evaluated forums are still active, two of the oldest – founded in 2006 – are now seeing their activity begin to stagnate.
Kelly Sheridan is Editor-in-Chief at Dark Reading, where she focuses on cybersecurity news and analysis. She is an enterprise technology reporter who previously covered InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered finance… See full bio