In the first blog of our series on dark web developments in 2023, we take a look at hacking forums and dark web marketplaces to see how the landscape has changed over the past 12 months, which sites disappeared, and the new entrants that have taken their place.
Markets and forums in 2023
A lot can happen in a year in cybersecurity, and 2023 was no exception. This series of blogs is a retrospective of some of the top trends, changes and continuities observed by Searchlight Cyber’s Threat Intelligence team, covering areas such as cybercriminal forums and marketplaces, threat actor motivations, malware, ransomware, initial access brokers, vulnerabilities, and social engineering techniques. The platforms, tools, actors and insights featured in this series are based on intelligence gathered from Searchlight’s extensive deep and dark web dataset.
This first blog looks at developments on dark web forums and marketplaces in 2023. This year was a turbulent one for dark web marketplaces, with some of the major players falling into extinction either as a result of law enforcement action or by their own volition. But first we’ll look at cybercriminal forums, where there was a flurry of activity thanks to the disruption of BreachForums (which continues, cockroach-like, in spite of some major hiccups).
Hacking forums in 2023
In this section we take a look at some of the most notable deep and dark web forums of this year, plus some new entrants that could cut through in 2024.
BreachForums, an underground forum that has seen multiple iterations and changes in ownership, continues to be one of the most well-regarded English language forums serving cybercriminals across the world – in spite of a rocky year. The forum is frequented by initial access brokers, database vendors, malware developers, spammers, programmers looking to learn new techniques, and everything in between.
The forum was taken over in 2023 by its current administrators (aliases ShinyHunters and Baphomet) from Conor Brian Fitzpatrick (alias pompompurin) after he was arrested by U.S. law enforcement in March. Fitzpatrick, in turn, had originally taken over the forum and rebranded it to BreachForums from its original name, RaidForums. After an initial tricky period and a string of copycats (see “New Forums” below), the latest iteration of BreachForums has now reclaimed its position as the top destination for leaked database trading. At the time of writing this blog, BreachForums has over 150,000 posts and 45,000 registered users.
Exploit is one of the longest-running forums on the dark web – active since at least 2005 – and continued to be heavily utilized by cybercriminals in 2023. The forum generally caters to Russian-speaking actors but accepts English speakers as well, with threads and posts often being posted in both languages. Reputable actors active on this forum are often very sophisticated, acquiring a portfolio of positive reviews over the years. Although discussions about ransomware are banned, multiple ransomware-as-a-service (RaaS) operators are still active on the forum to purchase initial accesses or coordinate with partners. The forum is used by all cybercriminal types, but a particularly large population of initial access brokers has been observed, especially in the “Auctions” section of the forum.
Sharing a lot of similarities with Exploit, the XSS cybercrime forum also attracts a mixture of threat actors – from simple hacking tool developers to ransomware operators. Even the administrators consider the forum to be “friendly” to Exploit. A considerable number of users operate accounts on both forums, with XSS having a lower entry barrier because it is free to create an account. The forum has been active since at least 2004 and we expect to see it grow further in 2024, two decades on from its inception.
The RAMP cybercrime forum is also considered “friendly” to Exploit and XSS, with one key differentiating factor. The forum widely accepts discussions about ransomware and seeks to welcome actors speaking languages other than English and Russian. RAMP has been making an effort to translate key components into Mandarin to attract Chinese threat actors but their presence remains limited so far. The forum sees less activity than XSS and Exploit, largely due to the cost of obtaining an account.
Some new forums joined the underground scene in 2023, including BlackForums, a blackhat forum that specializes in database leakage and contains discussions about malware and tools. The forum remains comparatively small with just over 2,500 members but is noteworthy for partnering up with the ThreatSec hacktivist group.
Ransomed forum was a project of the RansomedVC ransomware-as-a-service operation, a group who gained attention in September after claiming to have hacked Sony. Allegedly aimed at actors looking to join the ransomware scene, Ransomed appeared on the dark web in October 2023, with more than 200 members joining the board in the first weeks. The forum strongly resembled the interface of RAMP and had several sections dedicated to sale of access, malware, ransomware, and databases. During its time online, staff members of Knight, Qilin, qBit and other ransomware gangs advertised their affiliate programs, looking for new partners. Despite this initial buzz, the forum was ultimately short-lived, with RansomedVC offering to sell their cybercrime assets – including a ransomware builder, domains and social media accounts, and alleged access to corporate networks – before taking a month-long hiatus and returning with plans for a new project named Raznatovic.
Some forums tried to capitalize on the temporary demise of BreachForums after the arrest of its admin pompompurin; however, they did not last long. The admin of the Exposed forum (alias Impotent) tried to prove the forum’s legitimacy by leaking the RaidForums user database. Another, PwnedForums, also used a very similar interface to BreachForums but was quickly taken offline after failing to attract many users in its short life span. At the end of 2023, neither of the aforementioned forums is accessible anymore.
OnniForums was launched in early 2023 and claims to already have 10,000 members. The forum caught the underground’s attention when an alleged database containing user information of BreachForums members was posted. Nowadays, the forum is aimed at database leakers, malware developers, and drug users.
Dark Web Marketplaces in 2023
This year saw a number of notable dark web marketplaces fall into extinction. These are some of the most notable stories of 2023.
The Genesis market was one of the most respected browser fingerprint autoshop marketplaces out there until it was taken down by law enforcement in April 2023. Genesis offered a unique product consisting of “bots”, which allowed attackers to virtualize a victim’s browser using the stolen browser fingerprints, access credentials, and cookies. Although the market reappeared using its dark web site soon after the surface web site was taken offline, customers remained reluctant to keep using it as it was suspected of being a law enforcement “honeypot”. The market was allegedly sold to a new owner but is no longer accessible at the time of writing.
Another notable departure from the scene was the ASAP market, which had been active since at least 2020. It had catered to illicit drugs and psychedelics vendors, as well as offering stealer logs and payment card information. In an unusual move, the market administrators decided to retire. They announced their plans to close the marketplace on the dark web forum Dread in July 2023, and subsequently shut down the marketplace. You can read our in-depth report on the closure of the ASAP market here.
Tor2Door is yet another marketplace that shut down during 2023. It remains unclear whether this was an exit scam or the result of law enforcement activity. Listings on the marketplace had included drugs, fullz, stolen and counterfeit items, gold bars, payment cards and much more. You can read our in-depth report on the closure of the Tor2Door market here.
Several alternatives remain for those looking to continue their business in 2024, with marketplaces like Bohemia, Archetype, Darkmatter, Incognito and many others happily taking the influx of both customers and vendors affected by closures. It appears that customers’ general trust in such marketplaces has decreased due to recent disruption but, with limited alternatives for trading illegal products in a more secure way, it’s unlikely we’ll see sales on dark web marketplaces cease anytime soon. For those interested in digital products – like stealer logs – RussianMarket and 2Easy are the most popular alternatives to Genesis, having already proved their capabilities.