Mark van Vuuren

Cybercriminals Attacking Each Other Gives Defenders Access to Inside Info

First published by Heimdal Security

Threat Actors Settle Conflicts in Arbitration Rooms

Researchers discovered a new sub-economy linked to cybercriminal activity: hackers scamming each other for millions of dollars.

This practice led to the appearance of arbitration rooms on forums to settle conflicts. These rooms have proved to be full of valuable information for cybersecurity experts about threat actors and their tools.

Details About the Findings

To document the phenomenon of scammers scamming scammers, researchers at Sophos examined three cybercrime forums: two Russian-language forums – Exploit and XSS – and one English-language forum – BreachForums.

On these three platforms alone, cybercriminals scammed each other out of at least $2.5 million in the last year. The trend has grown to the point that forum administrators enabled arbitration rooms where users can report attacks.

“Criminals are actively using arbitration rooms of popular cybercriminal forums to complain about each other, with claims ranging from $2 to $160,000”, according to Cyber News.

The motives behind scammers attacking each other range from financial to personal quarrels, rivalries, and a desire to demolish reputations.

One of the biggest surprises came when we dug into that imitation Genesis site. With some detective work, we uncovered nineteen other sites all created by the same person or group, all imitating criminal marketplaces, and all intended to trick users into forking over a $100 ‘activation fee.’

How This Could Be Useful for Cybersec Experts

Cybercriminals use various techniques in these attacks: fake data leaks, typosquatting, phishing, backdoored malware, blackmail, impersonated accounts, and fake marketplaces.

Arbitration is a type of alternative dispute settlement used to resolve differences without resorting to the courts. To use it, hackers have to present proof of the attack they suffered.

“Because forum rules demand proof to support scam allegations, wronged threat actors will often happily post screenshots of private conversations and source code, identifiers, transactions, chat logs, and blow-by-blow accounts of negotiations, sales, and troubleshooting,” Sophos shows.

This is why arbitration rooms can be a source of valuable information for researchers and law enforcement.

This hidden sub-economy isn’t just a curiosity. It gives us insights into forum culture; how threat actors buy and sell; their tactical and strategic priorities; their rivals and alliances; their susceptibility to deception – and specific, discrete intelligence about them.