Three of Russia’s top dark web forums for cybercriminals in 2023
Cybercrime forums provide a channel for cybercriminals to coordinate, exchange information and conduct illicit transactions. These forums are usually hosted on the dark web, but some are also accessible through the open web and are hubs of malicious activity. The typical structure of a cybercrime forum includes a dedicated marketplace section that facilitates the sale of stolen certificates, ransomware-as-a-service, and malware, while a separate section is reserved for general cybercrime discussions.
It is well known that Russia is a veritable capital of cybercriminal activity. Recent analysis has shown that 74% of ransomware revenues go to threat actors with links to Russia. In addition to cybercrime for profit, Russia has a well-documented history of conducting state-sponsored cyberwarfare.
From a threat intelligence perspective, monitoring cybercrime forums on the dark web can help businesses watch for signs of impending attacks, or reveal user credentials for sale that can then be preemptively reset before the accounts are infiltrated. This ODN article presents the top three Russian cybercrime forums on the dark web to watch in 2023, and where businesses need to focus their monitoring.
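The preemptive-reset workflow described above, as an added example that is not part of the original article: a small parser that takes a credential-dump feed (here a constructed sample in the common `email:secret` line format), keeps only records for the monitored organisation's domain, de-duplicates them, and distinguishes plaintext exposures from hash-only ones so the highest-risk accounts can be reset first. The domain `example.com` and the feed format are assumptions.

```python
"""Added example (not from the article): flag corporate accounts that appear
in a credential-dump feed so they can be reset before the credentials are used."""
import re
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"  # assumption: the organisation being monitored

# Constructed sample of what a dump-monitoring feed might deliver, one record
# per line; it deliberately includes mixed case, a duplicate, a foreign domain,
# and two malformed lines to exercise the edge cases.
SAMPLE_FEED = """\
alice@example.com:Winter2023!
bob@EXAMPLE.com:$2b$12$abcdefghijklmnopqrstuv
carol@othercorp.net:hunter2
malformed line without separator
alice@example.com:Winter2023!
dave@example.com
"""

@dataclass(frozen=True)
class ExposedAccount:
    email: str
    secret_kind: str  # "plaintext" or "hash"

# Reject anything that is not a plausible single e-mail address.
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")
# Common password-hash prefixes (bcrypt, argon2, sha512/sha256/md5-crypt).
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$6$", "$5$", "$1$")


def classify_secret(secret: str) -> str:
    """A leaked hash still warrants a reset, but plaintext is the urgent case."""
    if secret.startswith(HASH_PREFIXES) or re.fullmatch(r"[0-9a-fA-F]{32,}", secret):
        return "hash"
    return "plaintext"


def parse_record(line: str):
    """Return (email, secret) for a well-formed 'email:secret' line, else None."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    email, _, secret = line.partition(":")  # secret may itself contain ':'
    email = email.strip().lower()           # normalise case before matching
    if not EMAIL_RE.match(email) or not secret:
        return None
    return email, secret


def accounts_to_reset(feed: str, domain: str = CORPORATE_DOMAIN):
    """Unique accounts at `domain` found in the feed, sorted by address."""
    seen = {}
    for line in feed.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue  # skip malformed feed lines rather than failing the run
        email, secret = parsed
        if not email.endswith("@" + domain.lower()):
            continue  # not our organisation
        kind = classify_secret(secret)
        # A plaintext exposure outranks a hash-only one for the same account.
        if email not in seen or (kind == "plaintext" and seen[email].secret_kind == "hash"):
            seen[email] = ExposedAccount(email, kind)
    return sorted(seen.values(), key=lambda a: a.email)


if __name__ == "__main__":
    for account in accounts_to_reset(SAMPLE_FEED):
        print(f"reset {account.email} ({account.secret_kind} exposure)")
```

On the constructed feed this flags `alice@example.com` (plaintext) and `bob@example.com` (hash) and ignores the other-domain and malformed lines; in practice the returned list would be handed to the identity provider's forced-reset or session-revocation API.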
Exploit.in is one of the longest-running dark web hacking forums, having been launched back in 2005. As the name suggests, the original purpose of the site was to provide a place for malicious actors to discuss effective exploits of various vulnerabilities. Exploit.in naturally evolved into a forum containing discussions on other types of cybercriminal activity, from social engineering techniques to tutorials on breaking password algorithms.
The forum is predominantly Russian-language, with a marketplace section where cybercriminals trade stolen credit card information, malware, and even zero-day exploits. Exploit.in also serves as a cybercrime news site. Interestingly, the forum can be accessed both through a standard internet browser on the clearnet and through the dark web using the Tor browser.
However, to access the forum and participate in discussions, threat actors either pay an automatic access fee of $100, or they can try to gain free access provided they have already established a reputation on other "friendly" forums. While these conditions technically make Exploit.in a closed forum, the $100 fee is unlikely to prevent companies from registering fake accounts to monitor threat intelligence.
The clearnet web address for Exploit.in is:
The dark web address for Exploit.in is:
XSS.is is another closed Russian-language forum that can be accessed on both the open and dark web. The administrators are committed to protecting registered users with a variety of security and anonymity features, including disabling all logging of user logins and IP addresses and implementing encrypted private messaging. There are few barriers to registering on XSS.is: new users simply enter a valid email, answer basic web security questions, and wait for approval from the site administrator.
Content on XSS.is involves discussions and transactions on credential access, exploits, and valuable zero-day vulnerabilities for which no security patches exist. Other exclusive private sections on XSS.is require payment to access. Previously, XSS.is was widely used to recruit members for ransomware-as-a-service gangs, but the forum administrators banned the ransomware topic in 2021.
The Russian cybercrime forum takes its name from a web application vulnerability known as cross-site scripting. The site was known as DaMaGeLaB from 2013 until an administrator was arrested in 2018, after which it was rebranded as XSS.
The clearnet web address for XSS.is is:
The dark web address for XSS.is is:
There is an interesting backstory to the creation of the RAMP 2.0 (Russian Anonymous Marketplace) forum in 2021: it was launched on a domain previously used by the notorious ransomware gang Babuk.
The Babuk ransomware operation carried out ransomware attacks against the Washington, D.C. Metropolitan Police Department and the Houston Rockets basketball team. The Babuk threat actors had previously used this dark web onion domain to release stolen data when victims refused to give in to their ransom demands.
A previous version of RAMP existed on a different domain from 2012 to 2018, but it revolved more around the purchase and sale of illegal products. Russian law enforcement shut down the first version of RAMP, but a new version emerged that focused on cybercrime. Popular forum boards include a ransomware group partner program, a malware board, and another board dedicated to selling access to corporate accounts.
Signing up for RAMP 2.0 requires being an active member of Exploit and XSS for at least two months. Good standing on both forums is also essential to gain access to RAMP 2.0. The forum's languages have expanded from Russian alone to now include Mandarin and English.
The clearnet web address for RAMP 2.0 is:
The dark web address for RAMP 2.0 is:
From: On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.