When it comes to cyberthreat intelligence, the dark web is a treasure trove of actionable insights about potential crimes in the works. So it makes sense that those of us who work in the field of threat intelligence often approach the dark web primarily as a place where criminal schemes take shape.

But to really understand how the dark web works and the role it plays in the cybercrime ecosystem, sometimes it’s worth remembering that neither the major underground forums nor the users who frequent them are monolithic. And while these forums certainly play a key role in driving cybercrime, sometimes they simply function as tools for people to communicate. In fact, content posted on the dark web can even “go viral” in a way that resembles regular social media platforms.

With that in mind, I’d like to share some surprising discoveries I recently made about a particular series of posts within underground forums, which can help us understand some of the dynamics of conversations on the dark web. 

The first of these posts caught my eye while I was doing research for a report about abuse of digital payment platforms on the deep and dark web. What stood out as strange to me was the post’s peculiar disclaimer:

Paypal holder

Disclaimer: In case of an investigation by any federal entity or similar, I do not have any involvement with this group or with the people in it, I do not know how I am here, probably added by a third party, I do not support any actions by the member of this group.

Now, I’m a cybersecurity researcher, not a federal investigator, but I highly doubt that an FBI agent who comes across this post will say, “Well, I thought we finally caught them in the act of money laundering, but now they say they aren’t doing what their post says that they’re doing.” I also hesitate to believe that any judge would say, “Clearly, all of the evidence really points to the fact that you are involved in criminal conspiracy, but the post says that you deny association, so have a nice day.”

Being curious, I decided to dig a bit deeper. While a typical person knows how pointless this disclaimer is, maybe the actor who posted it believes that it might protect them. And maybe other actors saw a disclaimer like this on another post and decided to use it themselves.

I queried for “In case of an investigation by any federal entity or similar” in Cybersixgill’s investigative portal. I found many results, and they were pretty interesting: The earliest one was from June 8, 2017 – three years earlier than the post that I had found first – and it included the same disclaimer, almost verbatim:

[Screenshot from Sixgill’s investigative portal: the June 8, 2017 post carrying the disclaimer]

Both posts appeared in the same popular dark web forum, which we’re going to refer to as Forum_X. In fact, over 90% of the posts that we discovered with this disclaimer were from Forum_X.

When viewed on a timeline, posts containing this disclaimer began to pick up in November 2019. Then, at the beginning of May this year, they spiked: there were 868 in the first week of the month alone.
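The analysis described above (query a fixed phrase across a post collection, find its earliest occurrence, see which forum dominates, and locate the week in which mentions spike) is straightforward to reproduce on any corpus of timestamped posts. The following is an added example and is not code from the original post or from Cybersixgill’s portal; the forum names, dates and post bodies are constructed sample data, and the near-verbatim matching (a sliding word window scored with difflib) is an assumption chosen to catch typo variants of the disclaimer.

```python
"""Added example: tracking how a fixed phrase propagates across forum posts.
All posts below are constructed sample data, not real forum content."""
from collections import Counter
from datetime import date
import difflib
import re

DISCLAIMER = "In case of an investigation by any federal entity or similar"

# Constructed sample posts (hypothetical forums, dates and bodies).
POSTS = [
    {"forum": "Forum_X", "date": "2017-06-08", "text": "Paypal holder. Disclaimer: In case of an "
     "investigation by any federal entity or similar, I do not have any involvement with this group."},
    {"forum": "Forum_X", "date": "2019-11-12", "text": "Selling logs, escrow only. In case of an "
     "investigation by any federal entity or similar, I do not know how I am here."},
    # Typo variant ("entitiy") that an exact search would miss.
    {"forum": "Forum_X", "date": "2019-11-20", "text": "In case of an investigation by any federal "
     "entitiy or similar I do not support any actions by the members of this group."},
    {"forum": "Forum_X", "date": "2020-05-01", "text": "FBI are you here? In case of an investigation "
     "by any federal entity or similar, I am not involved."},
    {"forum": "Forum_X", "date": "2020-05-02", "text": "To the FBI: In case of an investigation by any "
     "federal entity or similar, probably added by a third party."},
    {"forum": "Forum_X", "date": "2020-05-03", "text": "Dear FBI, in case of an investigation by any "
     "federal entity or similar I do not know how I am here."},
    {"forum": "Forum_Y", "date": "2020-05-04", "text": "Copying this from Forum_X just in case: In case "
     "of an investigation by any federal entity or similar, I deny everything."},
    {"forum": "Forum_X", "date": "2020-05-05", "text": "Is the FBI preparing for an attack/investigation? "
     "In case of an investigation by any federal entity or similar, same as above."},
    {"forum": "Forum_X", "date": "2020-05-11", "text": "Late to the party. In case of an investigation "
     "by any federal entity or similar, not me."},
    # Non-matching posts: a plain listing and a comment about the rumour.
    {"forum": "Forum_X", "date": "2020-04-15", "text": "Selling verified PayPal accounts with balance, "
     "PM me for prices."},
    {"forum": "Forum_Z", "date": "2020-05-02", "text": "Guys the rumor about a federal investigation "
     "of this forum is just a bad joke, stop posting that disclaimer."},
]


def normalize(text):
    """Lowercase, strip punctuation and split into words."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def contains_phrase(text, phrase, threshold=0.9):
    """True if `phrase` appears in `text` exactly or near-verbatim.

    A window of the phrase's word count slides over the text; an exact
    window is a hit, otherwise difflib's similarity ratio catches typos and
    small spelling variants. Windows of another length are not tried, so a
    variant with an inserted or dropped word is not matched.
    """
    words, target = normalize(text), normalize(phrase)
    n = len(target)
    if n == 0 or len(words) < n:
        return False
    target_s = " ".join(target)
    for i in range(len(words) - n + 1):
        window = " ".join(words[i:i + n])
        if window == target_s:
            return True
        if difflib.SequenceMatcher(None, window, target_s).ratio() >= threshold:
            return True
    return False


def analyze(posts, phrase):
    """Summarise where and when `phrase` shows up; None if it never does."""
    hits = [(date.fromisoformat(p["date"]), p["forum"])
            for p in posts if contains_phrase(p["text"], phrase)]
    if not hits:
        return None
    earliest = min(hits)
    by_forum = Counter(forum for _, forum in hits)
    # Bucket by ISO (year, week) so a spike can be located on a timeline.
    weekly = Counter()
    for d, _ in hits:
        iso_year, iso_week, _ = d.isocalendar()
        weekly[(iso_year, iso_week)] += 1
    spike_week, spike_count = max(weekly.items(), key=lambda kv: kv[1])
    return {
        "hits": len(hits),
        "earliest": earliest,
        "forum_share": {f: c / len(hits) for f, c in by_forum.items()},
        "weekly": dict(sorted(weekly.items())),
        "spike_week": spike_week,
        "spike_count": spike_count,
    }


if __name__ == "__main__":
    for key, value in analyze(POSTS, DISCLAIMER).items():
        print(f"{key}: {value}")
```

On the sample data this reports nine hits, the earliest on 2017-06-08 in Forum_X, Forum_X carrying eight of the nine, and ISO week 18 of 2020 (the week containing May 1 to 3) as the spike. On real data the same three numbers (earliest hit, forum share, spike week) are what separate a long-standing forum habit from a sudden wave, which is the distinction the timeline above turns on.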

[Graph: mentions of the disclaimer on Forum_X over time]

What’s going on? What triggered such a staggering spike?


I focused my search on posts from the beginning of May. I noticed that several of them directly addressed the FBI in their titles:

[Screenshots from Sixgill’s investigative portal: four early-May posts addressing the FBI in their titles]

Many actors commented on these posts. A few asked if they were really under investigation, to which others answered in the affirmative, but even more actors simply copied the disclaimer.

Another actor asked if the FBI is “preparing for an attack/investigation.” One actor responded “Yes,” presumably sarcastically, while another posted a facepalm emoji. Without understanding the irony, a third actor wrote, “I am actually a new member here but i will go ahead and clear myself in a Post so i dont get into trouble.”

[Screenshot from Sixgill’s investigative portal: the thread in which actors debated whether the investigation was real]

Many more wrote on the thread with this disclaimer. In the 22nd and final post, someone wrote what was becoming clear – that this was all just a bad joke.

But not everyone got the memo. Over the following days, this disclaimer exploded. All of a sudden, everyone was including it in posts. Some undoubtedly were in on the joke, while others were probably not.

Bringing it all together

Our investigation into an odd legal disclaimer on a dark web forum showed that it was around for several years before an explosion of mentions. In our understanding, the mentions spiked because of a real fear among many forum participants that there was an active FBI investigation, but then died off just as quickly as more and more actors realized that it was a joke.

In this, we can learn something interesting about the nature of dark web forums and their users.

Dark web forums attract a whole range of users. Some of them are advanced actors, providing or offering very specific goods or services, while others are new and inquisitive.

Real-world identities are hidden, so it’s difficult to know if you’re talking to an expert hacker, a curious fifteen-year-old, or a government actor. All messaging takes place in text (and not everyone is fluent in English), so it’s hard to fully understand intent and tone, especially sarcasm. And since the subjects being discussed are illegal, there’s also an element of paranoia among forum participants – nobody wants to end up in prison.

Finally, actors are constantly jockeying with one another to prove that they’re l33t h4x0rs (elite hackers) by “owning” n00bs (newbies/beginners). By spreading a rumor and seeing who gullibly follows, one can separate the pros from the novices. That way, the pros can identify one another to continue their schemes, while (they hope) avoiding any actual investigations by governmental or other authorities.
