Cybercriminals Create Their People’s Court on the Dark Web

Criminals on the dark web have created underground court systems for resolving disputes involving failed payments, product problems and misrepresentations of services, according to a recently released study.

Researchers at threat intelligence firm Analyst1 recently analyzed the operations of several major cybercrime forums on the Dark Web and found that at least two of them have informal court systems where criminals can file complaints and resolve disputes with peers. analyst1's research shows that dozens of cases from the Dark Web are posted to these courts every day, waiting for forum administrators to resolve disputes.

Jon DiMaggio, chief security strategist at cybersecurity firm Analyst1 and author of the study, said the unofficial judicial system is designed to seek justice for criminals who believe they have been defrauded.

The court sits mainly in Russian-language online forums on the Dark Web, an encrypted network inaccessible to traditional search engines such as Google. On sites similar to the online message forum Reddit, only trusted persons can see cases, which typically last a week.

A typical case involves a ransomware group accused of tricking hackers by not paying for services or by selling access to a target company's online infrastructure, which is not as vulnerable as claimed. An anonymous forum moderator acts as a judge, hearing complaints, asking for evidence such as chat logs and payment information, and then making a ruling. In some cases, they may involve awarding damages, which are typically transferred through the forum's payment system.

DiMaggio says these cases move quickly - open and closed, often within a week - and you'll usually see the whole process completed. Sometimes huge settlements are sought, up to $1 million, but rarely the full amount. Damages average less than $20,000. In one particular forum, he noted that there are three to six ransomware-related cases per month.

DiMaggio noted that ransomware and other hacking groups fund online justice forums to make their partners in crime seem more trustworthy. Hackers may also believe a ransomware group is more trustworthy if they see it paying restitution through the court system. When they want to hire hackers, they want the best hackers to work for them, and there is a lot of competition in ransomware.

In recent months, most cybercrime forums have banned all ransomware-related topics, transactions and arbitrations as law enforcement increasingly publicizes ransomware attacks. Online judicial forums tell parties not to use the term "ransomware" when bringing and discussing their cases. It has become more difficult for law enforcement to find these cases online.

While ransomware courts are relatively new, most of them meet on Russian hacking forums that have existed for years. Similar courts do not appear to exist in the dark web world of other countries, which have much smaller ransomware communities.

While companies can't do anything to stop ransomware courts, businesses should be aware of their existence. Just as in real legal cases, leaked information about companies can appear online during the "discovery" process in dark courts.

Analyst1 counted more than 600 topics related to cases brought to these courts. The amounts in dispute in these cases typically range from a few hundred dollars to a few thousand dollars, but a few cases have much higher amounts in dispute. For example, in April 2021, an operator and penetration testing organization affiliated with the Conti Ransomware Group was sued for $2 million for failing to honor an agreement involving the hacking and encryption of data in U.S. school systems. After a month and a half of "trial" proceedings, the case ended in favor of two Conti affiliates. But in many other cases, the perpetrators of the dispute won.

Analyst1 found that threat actors can sue each other for a variety of reasons, citing the example of a threat actor who may have purchased access to a compromised network from an access agent, only to discover that it had previously been sold to another threat actor. In this case, the threat actor would initiate action against the broker by providing details of the incident in a dedicated sub-forum (often called a "court" or "arbitration").

Here, the "plaintiff" will provide details of the claim, such as the broker's nickname, links to their contact information on services such as Jabber and Telegram, and evidence including chat logs, screenshots and other evidence involving the allegedly offending transaction. An arbitrator is then assigned to the case to review the details and hear counterclaims from the alleged violators. The hacking court gives each forum member the right to participate in the process, but only the arbitrator makes the final decision.

When the decision is in favor of the plaintiff, the "defendant" has a certain amount of time to make amends or face the prospect of being banned from any future activity on the forum. Typically, established cybercrime operators will deposit bitcoins into an escrow account as proof of their ability to pay for their services. When the dispute is resolved in their favor, the threat actor is paid from this account.

Threat participants operating in large underground forums are often quick to comply with underground court rulings because they want to protect their reputations.

Criminals work hard to build their reputations in these forums, which are where ransomware affiliates are recruited, where malware is sold, exploited and exploited, and even where hacking services are offered, DiMaggio said. Losing trust or being banned from a forum can have a huge negative impact on a threat actor's ability to operate in the cyber underground.

In some extreme cases, Analyst1 said, threat actors can reveal the true identities of cybercriminals who deceive them - including physical addresses, social media profiles and phone numbers.

Almost every cybercrime forum or community has a judicial system, or a "people's court," to handle disputes between criminals, said John Hammond, senior security researcher at Huntress. It's a strange kind of sportsmanship or code of conduct, where hackers, thieves and scammers aren't supposed to be at odds with each other. Usually the arbiter of the dispute will decide the verdict based on the evidence presented by the plaintiff, as well as the general opinion of the broader community on the forum. If found guilty, the defendant may be banned from the community, placed on a public wall of shame, and share their bad reputation among other underground groups.