The anonymous actors of the underground are typically conceptualized as hooded figures in dark rooms, pounding away at their keyboards amid a cryptic stream of green zeros and ones. Although this stereotype is patently false (not everybody has a personal affinity for oversized hoodies), the shadowy nature of these actors is real enough – after all, very little information about them ever surfaces.
This is no accident. The deep and dark web are hidden in a secret dimension behind our screens, intentionally designed to protect the identities of its users. All that we know of them is what they choose to share with us. This includes data – such as their usernames and posts – but also metadata – when and how often they post.
This information, though often overlooked, is highly valuable. It exposes the intricate dynamics that operate within the underground, telling stories that can help us understand the cybercriminal psyche. By examining when actors post and how often they do it, we might discern a connection between their post frequency, the lifespan of their cybercriminal career, and their preferred area of criminal activity.
Using Cybersixgill’s API, we compiled a list of forum actors operating in the five leading underground forums, collecting information about their post count and content over two half-year periods – H1 2018 and H1 2019. With this information in hand, we classified our actors into three distinct cohorts: (1) 1ps – those who authored a single post within a six-month period; (2) 10ps – those who posted up to 10; and (3) Tops – the top-posting actors with over ten posts over the six-month time frame.
Of the 300,000 total actors active on these forums, we created a subset of 300, sampling 10 actors from each cohort in all 5 forums for both time periods. Using this dataset, we embarked on a deeper analysis, examining post patterns and trends to discover hidden clues and help us understand the elusive ‘anonymous’.
First, we performed a quantitative analysis, seeking to establish whether a relationship exists between the post frequency and active lifespan of threat actors. By examining the post count of each actor over time (Q1 2016 – Q2 2021), we found a consistent correlation between the number of posts an actor writes in a given quarter and the length of time for which the actor remains active. The more posts the actor contributes, the longer the actor’s active lifespan. The overwhelming majority post very little, if at all, and are active for a very short period of time.
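The cohort classification and post-frequency-versus-lifespan comparison described above, as an added example that is not Cybersixgill’s code or data: post records are constructed, and the 10p cohort is assumed to mean two to ten posts (the page only says “up to 10”, with 1p already covering a single post).

```python
"""Cohort classification and active-lifespan computation for forum actors."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (actor, forum, post_date). Not real forum data.
POSTS = [
    ("alpha", "forumA", date(2018, 1, 5)),
    ("alpha", "forumA", date(2018, 3, 9)),
    ("alpha", "forumA", date(2019, 2, 1)),
    ("beta",  "forumA", date(2018, 2, 14)),
    ("gamma", "forumB", date(2018, 4, 2)),
] + [("delta", "forumB", date(2018, m, 1)) for m in range(1, 7)] * 2 \
  + [("delta", "forumB", date(2016, 1, 3)), ("delta", "forumB", date(2021, 6, 30))]

H1_2018 = (date(2018, 1, 1), date(2018, 6, 30))  # one of the page's two sample periods

def quarter_index(d):
    """Map a date to an absolute quarter number (year*4 + quarter-1) so spans can be subtracted."""
    return d.year * 4 + (d.month - 1) // 3

def cohort(post_count):
    """Page's cohorts: 1p = exactly one post, 10p = two to ten (assumed), Top = more than ten."""
    if post_count == 1:
        return "1p"
    if post_count <= 10:
        return "10p"
    return "Top"

def classify_period(posts, start, end):
    """Count posts per actor inside [start, end] and assign each active actor a cohort."""
    counts = Counter(actor for actor, _, d in posts if start <= d <= end)
    return {actor: cohort(n) for actor, n in counts.items()}

def active_lifespan(posts):
    """Quarters from an actor's first to last post, inclusive (1 = active in a single quarter)."""
    quarters = defaultdict(list)
    for actor, _, d in posts:
        quarters[actor].append(quarter_index(d))
    return {a: max(q) - min(q) + 1 for a, q in quarters.items()}

def lifespan_by_cohort(posts, start, end):
    """Mean active lifespan (in quarters) per cohort: the post-frequency vs lifespan comparison."""
    spans = active_lifespan(posts)
    acc = defaultdict(list)
    for actor, c in classify_period(posts, start, end).items():
        acc[c].append(spans[actor])
    return {c: sum(v) / len(v) for c, v in acc.items()}

if __name__ == "__main__":
    print(lifespan_by_cohort(POSTS, *H1_2018))  # {'1p': 1.0, '10p': 5.0, 'Top': 22.0}
```

Note that lifespan here is measured across the whole dataset while the cohort is assigned from one half-year window, which is why a 1p actor can still show a long lifespan if it posted heavily in other periods, as the text observes below.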
However, no clear pattern or trajectory emerged regarding threat actor activity over time. One might assume that threat actor activity trends manifest in a linear manner – starting out as a 1p “noob” until they gain the confidence and know-how to incrementally increase their contribution to forum discussions. This is not the case. Instead, activity trends appear entirely arbitrary, with no rhyme or reason behind the increase or decrease of a threat actor’s underground engagement.
Second, we examined the qualitative data, analyzing post content to determine the motivations and interests driving threat actor activity on the underground over time. Among the actors classified as 1ps, those with the longest activity lifespan were typically those with a far higher post count in other periods, who for unknown reasons were less active during our sample time frame. Similarly, the 10ps with the most longevity were those who had been active on the underground to varying degrees for multiple earlier quarters. Qualitative analysis of post content revealed that, for both the 1p and 10p cohorts, the threat actors with the longest-lasting activity lifespan were those who had achieved professional success – skillfully graduating from consumers thanking others for their tools to providers with increasingly sophisticated abilities.
Tops, on the other hand, displayed an entirely different pattern of behavior. In stark contrast to the financial motivations of their lesser-posting ‘forummates’, Tops appear driven by social incentives, posting not only as a means to advance criminal schemes but because the forums provide them with a sense of community and belonging.
Behind every forum username lies a unique individual with his or her own personal motivations for logging in, be it financial gain, political ideology, entertainment, socializing, or otherwise. Although the identity of the individual behind the username remains hidden, patterns in post count, when analyzed alongside clues in an actor’s posts, can provide critical intelligence regarding the actor’s present sophistication and future ambitions. The Cybersixgill actor page is a good place to start: it provides a snapshot of the actor’s activity, social network, and contact details, and then allows an analyst to peruse the actor’s posts in-depth. These insights, and what they enable us to infer about the underground, can inform us how to better protect our organizations against these nameless adversaries and remain one step ahead of the threat curve.
Download the full report to delve deeper into the secret cyber-lives of underground threat actors, where we examine the various factors that influence dark web activity and provide a framework for analysts to account for these elements while conducting investigations.