{
	"id": "55673744-be9c-4f7a-a688-408977fc8a01",
	"created_at": "2026-04-06T00:21:03.471662Z",
	"updated_at": "2026-04-10T03:29:40.186228Z",
	"deleted_at": null,
	"sha1_hash": "80f8b4feb22cdae87198c1dc9f6391e21e092f73",
	"title": "Russian Language Cybercriminal Forums – Analyzing The Most Active And Renowned Communities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1643810,
	"plain_text": "Russian Language Cybercriminal Forums – Analyzing The Most\r\nActive And Renowned Communities\r\nBy Oleg\r\nPublished: 2024-02-08 · Archived: 2026-04-05 22:27:54 UTC\r\nChapter III. Exploring and comparing prominent Russian language cybercriminal\r\nforums.\r\nWelcome to the third part of this series of OSINT investigations about the Russian language cybercriminal\r\necosystem and forums. In the first Chapter, we explored the origins of this ecosystem and uncovered how Russian\r\nlanguage cybercriminal forums (RLCF) appeared, evolved and the current state they are in. In the second Chapter\r\nwe assessed the “underground” nature of RLCF and of their economic functioning.\r\nhttps://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities\r\nPage 1 of 25\n\nToday I would like to discover with you what I believe to be the most prominent RLCF and analyze their place in\r\nthe wider Russian speaking cybercriminal ecosystem. We will try to assess the sizes of the audiences of the most\r\nprominent RLCF and identify what kind of \"goods and services\" are being traded on these forums.\r\nIf you have missed the previous Chapters do not hesitate to read them because many methodological concepts,\r\nsuch RLCF categories or their levels of activity are explained there and are indispensable for the understanding of\r\nthis Chapter.\r\nIf you wish to discover the full list of the 94 studied RLCF, you can find it here.\r\nInsights of the third Chapter:\r\nCurrently, reputable RLCF are the primary platforms for threat actors engaging in commercial activities or\r\nseeking to purchase goods and services from other threat actors they do not trust. 
Although Telegram plays\r\na significant role for cybercriminals, it faces inherent limitations, such as the absence of a trustworthy\r\nescrow and arbitration system.\r\nDespite the different nature of the studied RLCF, like carding or drug selling forums, there are notable\r\nsimilarities and connections between these communities. Common elements include the presence of\r\nbulletproof hosters and anonymous cryptocurrency exchange services, which link the entire ecosystem.\r\nWhile some RLCF boast massive communities, overall the number of highly skilled and proficient threat\r\nactors is relatively small, likely numbering in the several thousand. Conversely, RLCF focused on low-level fraud schemes, basic carding techniques, or drug sales tend to attract larger communities.\r\nThe Russian speaking cybercriminal ecosystem is well structured, with major communities gathering\r\ndifferent types of threat actors:\r\n“XSS” and “Exploit” stand as the core of the high-level cybercriminal underground focusing on\r\nhacking and malware. The reputation of “Exploit” has nevertheless suffered from repeated rumors\r\nabout its control by law enforcement. The majority of threat actors present on these forums usually\r\ntarget non-Russian speaking countries.\r\n“LolzTeam” is a learning place for wannabe cybercriminals and more importantly a workforce pool\r\nfor infostealer distribution. However, the aggressive monetization policy implemented by\r\nmoderators of this forum since the spring of 2023 has had a negative impact on the standing of this\r\nRLCF and has reduced the presence of infostealer Malware as a Service (MaaS).\r\n\"WWH-Club\" is a large market specializing in carding services and is known as an educational hub\r\nfor this illicit craft. Like \"LolzTeam\", albeit for different reasons, the monetization policy of\r\n“WWH-Club”'s staff has led to discontent among threat actors. 
They complain on other forums\r\nbecause access to arbitration is restricted to users with a paid membership plan. Users of this forum\r\ntarget both Russian speaking countries and the rest of the world.\r\nFraud-oriented RLCF like \"DarkMoney\" or \"Probiv\" share similarities with other RLCF, as they\r\nattract threat actors specializing in fake document and financial fraud services. However, the\r\nquantity and quality of these services are more extensive. Additionally, threat actors on these forums\r\noften target their own countries (former Soviet Union).\r\nDrugs-focused RLCF like \"RuTor\" primarily operate within the former Soviet republics and\r\npromote relatively low-level content from a technical perspective. Interestingly, \"RuTor\"’s staff\r\nencouraged its community to engage in carding attacks to help them earn money and even opened in\r\n2022 a dedicated section with tutorials about carding and other fraud schemes.\r\nI) Telegram – the new frontier for Russian speaking threat actors?\r\nBefore delving into an examination of major RLCF with high activity, let me recount an illustrative incident\r\ninvolving two renowned RLCF and a Telegram channel belonging to a MaaS. This incident underscores the\r\nenduring significance of prominent RLCF as public arenas for cybercriminal communication and collaboration.\r\nDespite Telegram's recent emergence as a vital tool in the cybercriminal landscape due to its leniency towards\r\nillicit activities[1], it cannot replace RLCF in the foreseeable future.\r\nLet's journey back to February 2023 to revisit a misadventure that happened to one of the most renowned MaaS,\r\nnamely, the Raccoon Stealer[2]. Since its launch, the group of cybercriminals developing this malware relies on\r\nTelegram for purposes including conducting transactions and providing customer support. 
Much like other clients\r\nof this MaaS, an individual operating under the alias \"hash_attack\" opted to initiate contact with the Raccoon\r\nStealer's team through Telegram. This engagement was aimed at procuring advertising space for \"hash_attack\"’s\r\nbruteforce service on the exclusive Telegram channel belonging to the Raccoon Stealer.\r\nHowever, this business transaction took an unfortunate turn, resulting in a discord between \"hash_attack\" and the\r\nRaccoon team. Frustrated by the situation, \"hash_attack\" decided to take a confrontational stance by publicizing\r\nthe dispute on one of the RLCF where he was present. Although \"hash_attack\" had accounts on the majority of\r\nRLCF such as “XSS”, “WWH-Club” or “BHF”, where Raccoon Stealer’s representatives were also present, the\r\nthreat actor chose to open an arbitration thread on “Exploit”, which highlights the trust of this cybercriminal in\r\nthis community to help him solve his problem. \r\nFigure 1. The threat actor “hash_attack” opened an arbitration thread against Raccoon Stealer on Exploit.\r\n\"hash_attack\" raised allegations against the Raccoon team, claiming that they failed to refund him 3,000 dollars\r\nfollowing a disagreement concerning an advertising arrangement. Although the monetary value involved in this\r\ndispute may appear relatively inconsequential in comparison with the revenues generated by this successful MaaS,\r\nthe moderators of the \"Exploit\" forum deemed the refusal to return the funds as a potential scam attempt.\r\nConsequently, they took the step of banning the \"raccoonstealer\" account from their forum.\r\nIn a rapid sequence of events, the administration of the \"XSS\" forum, which maintains a cooperative relationship\r\nwith \"Exploit\" and even shares at least two moderators in common with this RLCF, chose to follow suit by\r\nbanning \"raccoonstealer\"’s account from their platform as well. 
This chain reaction underscores the\r\ninterconnectedness of some cybercriminal forums. After this harsh punishment Raccoon Stealer’s staff decided to\r\ngive back the 3,000 dollars to “hash_attack” but could not recover their accounts on these two prominent RLCF.\r\nOn February 15, 2023, the prominent threat actor “Stallman”, who is the current administrator of the ransomware-centric forum \"RAMP\", initiated a discussion on the \"Exploit\" forum in support of the Raccoon Stealer team. Prior\r\nto this incident, \"Stallman\" had publicly endorsed Raccoon Stealer on multiple occasions, professing it to be his\r\npreferred information-stealing malware. In a personal effort to assist Raccoon Stealer in regaining access to both\r\n\"Exploit\" and \"XSS\", \"Stallman\" advocated on their behalf. Nevertheless, even this intervention proved\r\nineffective in achieving the desired outcome.\r\nFigure 2. The threat actor Stallman opened a thread on Exploit to ask its administration to lift the ban of\r\nraccoonstealer’s account.\r\nRaccoon Stealer’s reputation took a clear hit, as new accusations followed both on “XSS” and “Exploit”. Several\r\nusers claimed that Raccoon Stealer is stealing crypto wallet's information from the logs of its own customers and\r\nsending them directly to the developers of this malware, thereby depriving the cybercriminals who have purchased\r\nthis MaaS of a source of income. Without a presence on these forums, the Raccoon team was not able to defend\r\nitself against these accusations.\r\nFigure 3. 
Raccoon Stealer continued to operate and sell their malware on Telegram even after the ban on XSS and\r\nExploit in February 2023.\r\nEventually, after suffering a six-month absence from “XSS” and “Exploit”, Raccoon Stealer was allowed to return\r\nto these RLCF after making a deposit of 1 BTC (around 25,000 dollars in August 2023) on each forum[3]. It is\r\nnecessary to note that although some newspapers published somewhat misleading titles announcing the “return”\r\nof Raccoon Stealer after the end of the ban, this MaaS never stopped operating. Its development continued, and it\r\nwas always possible to purchase a subscription via its official Telegram channel. Thereby, the decision of the\r\nRaccoon team to accept the conditions of these RLCF suggests that a presence on these platforms is of substantial\r\nimportance for MaaS and other advanced threat actors.\r\nFigures 4 and 5. “raccoonstealer” was allowed to return to “XSS” and “Exploit” in August 2023 after the group\r\nmade a deposit of 1 BTC on each of these forums. Auto translated from Russian.\r\nThese events underscore several noteworthy aspects that elucidate why, despite the emergence of Telegram and its\r\npopularity among threat actors, RLCF continue to be indispensable for conducting illicit activities.\r\nMajor RLCF are a source of legitimacy and lead generation: The decision made by Raccoon Stealer to\r\ninvest nearly $50,000 to regain access to \"XSS\" and \"Exploit\" offers a compelling insight into the\r\nimportance of these platforms for cybercriminals. Establishing a presence on prominent RLCF not only\r\ngrants legitimacy but also serves as a prime source for lead generation. 
Threat actors seeking to offer\r\nservices, distribute malware, or secure employment, recognize the pivotal role of these forums.\r\nMajor RLCF ensure security of transactions: Another crucial aspect to consider is that Telegram currently\r\nlacks a credible escrow system (for more details about the escrow system see Chapter II). Consequently,\r\nthreat actors and MaaS vendors seeking secure transactions often prefer to conduct their business through\r\nreputable forums that offer escrow services.\r\nThe longevity of major RLCF allows them to acquire and maintain a reputation: The reputation and\r\n(supposed) integrity of major RLCF, cultivated over time and through a proven track record, stand as a\r\npivotal differentiator with other RLCF and also Telegram groups and channels.\r\nAlthough prominent RLCF are essential to the Russian speaking cybercriminal ecosystem, we will discover that\r\nnot all major RLCF are equal. They occupy distinct niches, gather different types of threat actors, and vary in\r\nreputation and trustworthiness within the ecosystem. Understanding these distinctions is crucial for\r\ncomprehending the dynamics of the cybercriminal landscape.\r\nThe Russian language cybercriminal ecosystem exhibits a well-structured framework, characterized by the diverse\r\naudience and services prevalent on each forum. 
Our analysis will scrutinize the unique roles played by these\r\nforums, providing valuable insights into their significance within this intricate landscape.\r\nII) Key Russian language cybercriminal forums and their role in the ecosystem.\r\nYou may legitimately ask how exactly one can assess the role of a RLCF and compare it with another one, or how\r\nto determine which forums are the most prominent in their own area of specialization?\r\nTo address this question, I suggest utilizing objective indicators, such as the level of activity, the type and quantity\r\nof “goods and services” that can be found on these forums, along with more qualitative assessments like the\r\ncommunity reputation or the technical expertise of the userbase. To conduct this analysis, I preselected 8 highly\r\nactive and qualitative forums from 5 categories (see the methodology in the first Chapter – categories:\r\nCybercrime, Fraud, Carding, Other/Cybercrime and Drugs. Programming cybercriminal forums are excluded\r\nbecause none is presently highly active).\r\nExpanding the excerpt of studied RLCF to communities with a small userbase and lower activity, provided they\r\nhoused highly skilled threat actors, as exemplified by the ransomware-focused forum \"RAMP”, was also an\r\noption. However, I ultimately decided against this approach due to the niche nature of these communities. For\r\ninstance, “RAMP”, with an annual active userbase of approximately 300 members who posted slightly over 3,000\r\nmessages in 2023, serves as an illustration of the limited scope and engagement within such forums.\r\nIII) Quantitative analysis – how big is the user base of major RLCF?\r\nTo assess the “active user base” of major RLCF my first idea was to count members that have posted at least one\r\nmessage in 2023. 
This approach is, of course, questionable as some forum users can be active only in private\r\nmessages and would thus be excluded from my assessment. Furthermore, a single person can have several\r\naccounts and write messages from each one of them.\r\nAn alternative idea was to rely on the official forums’ statistics, namely the counting of registered accounts during\r\n2023. After exploring this assessment method, it appeared that it can be even more unreliable in some cases. For\r\ninstance, during the first half of 2023 the RLCF “Exploit” conducted a spring cleaning by deleting around 30,000\r\naccounts, which then represented over one third of the total number of registered members.\r\nI chose to cut the Gordian knot by selectively using both methods while remaining consistent and trying to\r\nprovide a reliable assessment of the activity of each studied RLCF.\r\nCommunities from within the Cybercrime, Carding and Fraud categories, like \"XSS\", \"WWH-Club\" or\r\n“DarkMoney”, presented in Table 2, are comparatively much smaller than the RLCF from the\r\nOther/Cybercrime and Drugs categories, such as \"LolzTeam\" and \"RuTor\", presented in Table 3. Thereby, in Table\r\n2 the size of the community was assessed via a counting of active users that have published at least one message\r\nin 2023. On the contrary, counting active users on forums with audiences exceeding several hundreds of thousands\r\nof active users, that are present in Table 3, was technically challenging and I decided to rather count the number of\r\nnew accounts registered in 2023. 
The magnitude of the discrepancy in the userbase sizes between the major RLCF\r\nfrom Table 2 and Table 3 is so significant that this difference of datasets is in fact almost irrelevant.\r\nThe results I've uncovered closely resemble the data presented by Searchlight Cyber in the spring of 2023[4].\r\nHowever, it is important to keep in mind that the methodology employed by this company for their analysis\r\nremains undisclosed. Therefore, I encourage readers to view these numbers as indicative rather than precise\r\nmeasurements.\r\nTable 2. *Methodology: a user is considered as active in 2023 if he has published at least one message.\r\nThe observations of Tables 2 and 3 provide some insights about the sizes of each community, nevertheless this\r\napproach does not tell us anything about who “inhabits” these RLCF. This stresses the necessity of adopting a\r\nmore comprehensive evaluation strategy that encompasses both quantitative and somewhat qualitative factors to\r\ngain a deeper understanding of RLCF’s roles within the cybercriminal landscape.\r\nIV) Focus on commercial threads – a combination of qualitative and quantitative analysis.\r\nAn approach, which offers a more detailed and somewhat qualitative perspective, involves the analysis of new\r\ncommercial threads published in 2023. Counting the threads where threat actors engage in selling or buying\r\nsomething is an effective way of gaining insight into the specialization of each community, facilitating\r\ncomparisons between them.\r\nHowever, it is essential to note that this approach doesn't consider older, yet active commercial threads created\r\nbefore 2023. Assessing these threads would require individually verifying whether the thread creators still engage\r\nin trading the offered goods or services, a task beyond the scope of this analysis. 
Additionally, this approach\r\ndoesn't provide insights into the quality and complexity of the items or services being sold.\r\nAfter gathering the commercial threads, they were organized into eight distinct trade categories for analysis. The\r\nfigures presented below, while informative, should be regarded as indicators and not as a perfect representation of\r\ncommercial activities within the forums. Please note that content related to drugs, arms, or violence was\r\ndeliberately excluded from this study, even though these crafts represent the core activity of RLCF like “RuTor”.\r\nHacking: threads related to the sale of malware, information-stealers distribution, databases, accesses to\r\ncorporate networks, pentest, DDoS, hash cracking, sales of stolen accounts;\r\nBanking fraud: commercial threads that involve an activity focused on banking fraud with stolen credit\r\ncards and the proceeds of this malicious craft;\r\nFraud services: commercial threads related to the sale of fake documents, lookup services, SIM cards\r\ntrafficking, phone calls, spam services;\r\nFinancial services: threads where threat actors sell money and cryptocurrency laundering services, cash in\r\nand cash out services, fake identities for tax fraud;\r\nHosting services: threads where threat actors sell virtual private servers, proxies, and other hosting related\r\nservices including bulletproof servers and domains;\r\nOther services: commercial threads with content related to Social Media Marketing (SMM – sale of fake\r\naudience, likes and comments on platforms such as YouTube), web development, etc.\r\nAdditionally, two other categories were established to account for uncategorized commercial content, including\r\nmaterial that forum members were unsure where to post, as well as job posting and job searches. These categories\r\nhelp encompass content that doesn't neatly fit into the predefined trade categories.\r\nTable 4. 
*For the RLCF RuTor, drugs, violence, and human trafficking related content were not counted.\r\nTable 5. *For the RLCF RuTor, drugs, violence, and human trafficking related content were not counted.\r\nBased on the statistics presented in Tables 2, 3, 4 and 5, one can make several observations. Even the most active\r\nRLCF, with communities focusing on Hacking, gather only several thousand active users. Conversely, RLCF\r\npopular among drug consumers and younger individuals tend to amass large audiences primarily focused on low-level content and fraud schemes. Even though not all members of advanced threat groups are directly present on\r\nRLCF, it is intriguing to consider that the significant damage inflicted by Russian speaking ransomware groups,\r\nmalware developers and distributors or carders, could be predominantly caused by a relatively small number of\r\nindividuals.\r\nMoreover, the analysis of Tables 4 and 5 reveals several findings. Remarkably, there has been an evolution in the\r\ndrugs forum \"RuTor\" since 2022, as it has expanded by introducing carding and fraud sections. However, overall,\r\nit becomes clear that commercial threads (excluding drug sales) are not abundant, even on forums with massive\r\ncommunities such as \"LolzTeam\" or \"RuTor\" (see Tables 2 and 3). This observation reinforces the argument made\r\nin Chapter I, that RLCF categorized under Other/Cybercrime and Drugs are only marginally involved in the same\r\nillicit activities as forums categorized under Carding, Cybercrime, or Fraud and do not necessarily attract the\r\nsame type of threat actors.\r\nA closer examination of threads in the jobs category supports this assessment. 
The employment opportunities\r\noffered on RLCF like “RuTor”, and to a lesser extent “Probiv” or “DarkMoney”, are primarily low-level technical\r\nroles focused on tasks like malware distribution and fraud schemes. In contrast, job advertisements on \"Exploit\" or\r\n\"XSS\" involve more technically sophisticated roles, with threat actors capable of creating advanced malware or\r\nexecuting complex network penetration tasks.\r\nHowever, there are also similarities and connections among all the studied RLCF. A review of Tables 5 and 6\r\nhighlights the consistent presence of Financial and Hosting services across all RLCF. In fact, a detailed\r\nexamination of hosting and cryptocurrency laundering services reveals that the same actors engaged in providing\r\nthese services actively participate on all major RLCF.\r\nTable 6. *Threat actors that are openly claiming to sell bulletproof hosting services and that were active at least\r\nonce from December 2022 to March 2023.\r\nAn in-depth analysis of hosting and cryptocurrency laundering services is planned for the current year. What can\r\nalready be mentioned is for example the presence of the \"AudiA6\" crypto exchange service across a minimum of\r\n44 RLCF. This account offers an anonymous money and cryptocurrency exchange service and has been active for\r\nover ten years (see Figure 6). In the realm of bulletproof hosting services, it is worth noting the case of a service\r\npromoted under the pseudonym \"Quahost,\" which is documented across a minimum of 31 RLCF and has\r\nmaintained its operations for over fifteen years (refer to Figure 7).\r\nFigure 6. AudiA6 mentions on XSS all the RLCF where he deposited money as a warranty. Auto translated from\r\nRussian.\r\nFigure 7. 
An advertisement of Quahost’s bulletproof servers on LolzTeam from 2018.\r\nTo conclude we can already state that each of these communities plays a distinct role and has its own place within\r\nthe broader cybercriminal ecosystem. Though RLCF are qualitatively and quantitatively different, each of them is\r\nnonetheless important in its own manner for the whole ecosystem. For instance, \"LolzTeam\", which mainly\r\nfocuses on low-level cybercriminal content, serves as a starting point for many young Russian speaking\r\nindividuals who begin their cybercriminal activities on this forum, notably by joining traffers[5] teams.\r\nV) Qualitative analysis of major RLCF.\r\nIn the upcoming sections, I will present a qualitative analysis of significant RLCF. We will briefly delve into\r\nvarious prominent communities, assessing their reputation, the technical knowhow of their members, and the\r\nnature of the trade occurring within these forums.\r\nA) “XSS” and “Exploit”: The backbone of the high-level Russian speaking cybercriminal ecosystem.\r\nEstablished in 2004 and 2005, \"XSS\" and \"Exploit\" stand among the oldest and most esteemed RLCF. These\r\nforums draw in a larger number of technically proficient cybercriminals compared to other RLCF and serve as\r\nsignificant hubs for illicit services and employment opportunities related to hacking and malware.\r\nTable 7. *Methodology: a user is considered as active in 2023 if he has published at least one message.\r\n1) XSS – The “place to be” for high-level threat actors.\r\nFigure 8. XSS staff in January 2024.\r\na) The origins of a veteran RLCF – from DaMaGeLaB to XSS.\r\n\"XSS\" is among the oldest Russian language cybercriminal forums and has a rich history. 
According to \"toha\", the\r\ncurrent administrator of \"XSS\", the forum was launched towards the conclusion of 2004 under the domain\r\n\"winux.net.ru\". It was then a personal project of the first administrator of the forum, the threat actor \"Winux\".\r\nLater on, he was joined by the threat actors \"Great\" and \"Одинокий Волк\" (\"Lonely Wolf\"), who became joint\r\nadministrators[6].\r\nFigure 9. Archived version of the forum that will later become XSS.\r\nBetween 2006 and 2018 the forum was known under the name \"DaMaGeLaB\" and was accessible via the\r\ndomains \"damagelab.org\" and \"damagelab.in\". At that time, one of the administrators of “DaMaGeLaB” was the\r\nBelarusian threat actor Mr. Sergei Yarets, operating under the alias \"Ar3s\"[7]. Mr. Yarets was arrested for his\r\nengagement in technical support for the loader Andromeda, which was considered as one of the largest botnets on\r\nthe Internet at that time. He was rapidly released in 2018, which sparked rumors about a possible cooperation\r\nbetween Mr. Yarets and law enforcement agencies after he supposedly shared significant information about other\r\nmembers of the Andromeda team[8].\r\nFigure 10. Screenshot of DaMaGeLaB from 2006.\r\nAfter the arrest of \"Ar3s\" in November 2017, the forum was shortly under the control of the threat actor\r\n\"Chococream\" until its closure. The downfall was not definitive and a new iteration of the community appeared in\r\n2018.\r\nFigure 11. On the 21st of November 2018, the new administrator of XSS announces the reboot of the DaMaGeLab\r\nforum under the new name XSS. Auto translated from Russian.\r\nThe revival of the forum was made possible through a backup of “DaMaGeLaB”, which was generated back in\r\n2015. This backup was reportedly handed over or sold by Mr. 
Yarets to his longtime acquaintance, a threat actor\r\nknown as \"toha\", which allowed him to relaunch the forum under the new name \"XSS\" in November 2018[9].\r\n“toha” is also known in the cybercriminal community as the former owner of another renowned RLCF called\r\n\"Exploit\". It is believed that the collaboration between \"toha\" and Mr. Yarets began on \"Exploit\", where \"toha\"\r\nappointed Mr. Yarets as a moderator.\r\nInterestingly, it appears that \"toha\" drew inspiration for the name \"XSS\" from the domain xxs.ru, which was\r\nassociated with an older Russian forum called Web-Hack.ru, dedicated to hackers and information security\r\nexperts. This forum was managed by an individual known as \"Terabyte\" from 2001 to 2010[10], and \"toha\" served\r\nas a moderator there as well.\r\nAccording to revelations from the researcher \"3xp0rt\", the real identity of \"toha\" could be Mr. Anton Avdeev, and\r\nit is alleged that this threat actor resides in Russia[11]. (Editor’s note, 2025: The true identity of “Toha” was\r\ndisclosed after his arrest in Ukraine on July 22, 2025. He was identified as Anton Gannadievich Medvedovskiy,\r\n38, a resident of Kyiv. Anton Avdeev was a moniker).\r\nFigure 12. The researcher 3xp0rt has been exposing Russian threat actors since the beginning of the Russian invasion of\r\nUkraine.\r\nb) Access to XSS and particularities of this RLCF.\r\nIn the present day, accessing the content of “XSS” necessitates registering an account, a process generally\r\nstraightforward unless registrations are temporarily closed. A restricted section exists, accessible exclusively to\r\ndesignated members. Currently, the forum stands as one of the most active cybercriminal communities, offering\r\nautomated escrow services to its users. 
Notably, it distinguishes itself by possessing an XMPP server that serves\r\nits community under the domain \"@thesecure.biz\".\r\nFor its own safety, the administration of “XSS” prohibits engaging in any activities or selling data that could\r\nnegatively impact the former Soviet countries, except the Baltic States.\r\nc) XSS: a forum attracting high-profile threat actors.\r\nWhile \"XSS\" stands as one of the most significant RLCF, its community size and message volume are relatively\r\nmodest when compared to other Russian language cybercriminal forums. The forum's prominence lies in several\r\nkey aspects, including the presence of high-profile threat actors, its robust knowledge base, and the perceived\r\nintegrity of its administration. This last factor holds paramount importance in the cybercriminal realm because\r\nadministrators of such communities must inspire trust by impartially investigating disputes and ensuring a\r\nminimum level of protection and anonymity for their members.\r\nRenowned threat actors, including public representatives of ransomware gangs and administrators from other\r\nRLCF, maintain a presence on \"XSS.\" Some of the most notable figures include affiliates of the LockBit, ALPHV\r\nor other ransomware groups, as well as the current owner of the \"RAMP\" forum, the threat actor \"Stallman\". Their\r\nparticipation on \"XSS\" serves both their operational needs and enhances their reputation within the cybercriminal\r\necosystem. 
\"XSS\" plays a substantial role for these threat actors because it serves as a platform for promoting\r\naffiliate programs, selling illicit services and malware, and of course, for communication with fellow cybercriminals.\r\nAdditionally, it serves as a vital space for dispute resolution and the initiation of disinformation campaigns against\r\nrival actors.\r\nFigure 13. Examples of arbitration threads opened on XSS. Auto translated from Russian.\r\nOne of these disinformation campaigns occurred in January 2022[12] and targeted the threat actor “KAJIT”, who\r\nwas then the administrator of the RLCF “RAMP”. This dispute can be considered without exaggeration as\r\nanthological. It involved the representatives of the Ransomware as a Service (RaaS) LockBit, who accused\r\n“KAJIT” of being an infiltrated police agent. “LockBitSupp” got the upper hand as “KAJIT” got banned and the\r\n“XSS”’s administrator advised “KAJIT” to sell his forum “RAMP” to the threat actor “Stallman”, because no one\r\ntrusted him anymore.\r\nFigure 14. Stallman, the present administrator of RAMP, refutes the accusations of LockBitSupp against KAJIT\r\nand reaffirms that RAMP is not under the control of police. Auto translated from Russian.\r\nd) XSS: an important illicit services and job market.\r\nAs displayed in Table 8, the commercial threads advertised on “XSS” in 2023 illustrate that it is an all-round\r\ncybercriminal community, gathering carding specialists, initial access brokers, MaaS developers and other\r\ncybercriminal specialists. 
These categories encompass a wide range of cybercriminal activities that can be\r\ncomplementary.\r\nFor example, on “XSS” a cybercriminal can purchase a clean Cobalt Strike license, buy 0-day vulnerabilities,\r\ncustomized malware or subscribe to a MaaS and acquire an obfuscation service to evade antiviruses. To host their\r\nCommand-and-Control (C2) servers, cybercriminals can choose from a large inventory of bulletproof hosters.\r\nEventually, once their activity has been monetized, threat actors can clean their cryptocurrencies or dirty money\r\nby contacting laundering services present on the forum.\r\nFigure 15. The threat actor johndoe7 is selling Cobalt Strike licenses. Auto translated from Russian.\r\nFigure 16. The threat actor backdoorseller is ready to sell a RCE exploit for 25,000 dollars.\r\nFigure 17. The threat actor hackerGPT is ready to buy a 0-day exploit for up to 500,000 dollars.\r\nFigure 18. Example of MaaS and other services sold on XSS.\r\n“XSS” and “Exploit”, although separate forums, closely cooperate in enforcing their rules. If a member is found to\r\nbe involved in scams or rule violations on one forum, the other is likely to ban him as well, especially if a\r\nconnection between his accounts is evident, such as having the same username or identical contacts. This\r\ncooperation is partly explained by the forums' shared history and the presence of moderators who serve on both\r\nplatforms, like \"Quake3\" and \"weaver\". In January 2024, there was a highly publicized instance of this\r\ncooperation when \"Exploit\" also banned LockBit's representative account from the forum after he had been\r\ninitially banned on \"XSS\"[13].\r\n2) Exploit – A selective but successful high-level RLCF.\r\nFigure 19. 
Staff members of Exploit.\r\na) Origins of one of the oldest and most famous RLCF.\r\nLaunched around April 2005 under the name “Hack-All”, “Exploit” is another veteran RLCF. The forum changed\r\nits name after the control over the domain hack-all.net was purportedly stolen in 2006 [14], then the forum moved\r\nto the new domain exploit.in[15] and officially rebranded in February 2006. The forum also belonged to the threat\r\nactor “toha” until he allegedly sold it to “well known and trusted partners” in May 2018.\r\nFigure 20. The first version of Exploit forum (then named Hack-All) in May 2005[16]. Auto translated from\r\nRussian.\r\nb) Rumors running around Exploit – Under the control of law enforcement?\r\nThe transfer of “Exploit” to new management in 2018 stirred a significant amount of criticism and skepticism,\r\nprimarily due to the undisclosed identities of the new owners. Speculations and rumors about a potential takeover\r\nby Russian or Ukrainian security services began to spread and have periodically resurfaced.\r\nFigure 21. Exploit in 2024.\r\nThe rumors about the control of “Exploit” by law enforcement started to spread after the forum’s XMPP servers\r\n(@exploit.im) encountered unexpected and unexplained technical problems during the summers of 2018 and\r\n2019.\r\nAccording to the Russian hacker Mr. Andrei Sporov, aka “Sp0raw”, “Exploit” was infiltrated by the Security\r\nService of Ukraine from at least 2015[17]. Indeed, the hacker claimed back in 2019 that “Exploit”’s moderator\r\nand then hoster “Whost” was collaborating with the Ukrainian police after his arrest[18]. These allegations are\r\nunverifiable, but a substantial part of the cybercriminal community trusts them[19].\r\nFigure 22. The threat actor Whost tried to plead, to no avail, that he has nothing to do with the FBI. 
Exploit\r\nmembers believed that although Whost was arrested in Ukraine, the FBI was behind the operation. Auto translated\r\nfrom Russian.\r\nThe most recent wave of rumors regarding “Exploit”'s control by law enforcement agencies emerged amid the\r\nRussian invasion of Ukraine in October 2022. Pavel Sitnikov, a pro-Russian individual and the administrator of\r\nthe Telegram channel \"Freedom Fox\", specializing in cybercrime-related topics, asserted that “toha” had sold\r\n“Exploit” to the Security Service of Ukraine[20]. Following a public denial by “toha”, Mr. Sitnikov subsequently\r\nretracted his accusations. It is essential to acknowledge that these assertions may be a part of a disinformation\r\ncampaign, and there are also unsubstantiated claims suggesting Russian Federal Security Service involvement in\r\ncontrolling \"Exploit\".\r\nc) Access methods to Exploit and particularities of this RLCF.\r\nSince 2018 and the arrival of the new owners, several changes have been made. The new administrators have\r\nimplemented a registration fee of $100 for all new users to deter potential scammers and inexperienced threat\r\nactors from joining ($200 in 2024). However, newcomers can get a free membership if they hold administrative or\r\nmoderator roles on other \"friendly\" forums or can demonstrate that they have knowledge in a field related to\r\nmalware, software development, or hacking.\r\nAdditionally, \"Exploit\" has two closed sections: the \"1st Access Level\" and \"2nd Access Level\". The \"1st Access\r\nLevel\" is password-protected, and a user can obtain the password after posting 50 messages. The \"2nd Access\r\nLevel\" is accessible only to trusted and verified members who have been endorsed by forum members with access\r\nto this restricted level and by administrators.\r\nSimilarly to “XSS”, the targeting of countries with Russian speaking populations is heavily restricted[21].\r\nFigure 23. 
First level password requirement.\r\nd) Exploit – a key place for high-level cybercrime.\r\nFigure 24. Lockbit’s representative account on Exploit before it was banned on the 31st of January 2024. The\r\nthreat actor used as a profile picture the photo of the cybersecurity expert Mr. Jon Dimaggio.\r\nVery much like “XSS”, “Exploit” is an important hub for advanced threat actors such as ransomware gangs,\r\nmalware developers and initial access brokers. The same actors as on “XSS” can be found under identical or\r\ndifferent handles on “Exploit”. The relative selectivity of this RLCF facilitates the development of advanced\r\ncontent and gives its members access to a knowledge base.\r\nFigure 25. Exploit features sections dedicated to providing knowledge on various valuable topics for hackers.\r\nAuto translated from Russian.\r\nFor instance, a substantial quantity of malware source code is freely available to members. Threat actors can then\r\nadapt the code to their own needs and develop new malware. The builder of the LockBit Black 3.0 or Babuk\r\nransomware and the source code of stealers, botnets and RATs are shared and discussed on “Exploit”. Detailed\r\ntutorials about the exploitation of vulnerabilities in web applications or different types of software can also be\r\neasily found.\r\nFigure 26. A threat actor published a reverse analysis of the Amadey loader. Auto translated from Russian.\r\ne) Exploit: a key illicit services and jobs market. \r\nAs shown in Table 9, with a total of over 12 thousand topics created during 2022, “Exploit” is a key public\r\nplatform for cybercriminals. Auctions, job advertisements, spam distribution, and stolen logs are the most\r\nwidespread topics on the marketplace. 
Some themes related to banking fraud are nevertheless restricted on\r\n“Exploit”, which explains why no category reserved for carding exists on the marketplace.\r\nThe \"Auctions\" section of “Exploit” is mainly filled with corporate access for sale. These accesses belong\r\nto a variety of companies, from very small ones to huge multibillion transnational firms. Less frequently, threat\r\nactors put up for auction stolen databases or banking information.\r\nFigure 27. Auctions on Exploit are mainly composed of topics linked to the sale of access to companies’\r\ninfrastructure, databases, credit cards dumps and fake documents. Auto translated from Russian.\r\nThe “Job” section contains hundreds of topics created by cybercriminals looking for malicious code developers\r\nand by threat actors searching for an employer and advertising their capabilities. The “Other” section includes\r\naround a thousand threads with different tools such as parsing scripts, log checkers, antidetection browsers, and\r\nlookup services. The “Access” section is small because on “Exploit” most transactions related to corporate\r\naccesses rather occur in the “Auctions” section.\r\nFigure 28. A threat actor with a 1 BTC deposit advertises his coding capabilities. Auto translated from Russian.\r\nAlthough not as famous as “XSS” or “Exploit”, which have received almost worldwide media coverage thanks to the\r\npresence of major ransomware threat actors, other RLCF play a central role in the cybercriminal ecosystem and\r\nneed to be briefly mentioned.\r\nB) LolzTeam aka “social engineering” forum – the realm of traffers and young cybercriminals.\r\nAs previously mentioned, RLCF within the Other/Cybercrime category were not originally created exclusively\r\nfor cybercriminal activities. 
In fact, most of these forums began as discussion platforms for gamers and teenagers.\r\nHowever, their administrators recognized that permitting cybercriminal activities to flourish on their forums could\r\ndraw a larger audience and generate additional revenue. The undeniable leader among these forums is\r\n\"LolzTeam\", not only because of its vast community but also due to the pivotal role it plays in the broader Russian\r\nlanguage cybercriminal ecosystem.\r\nThe success of \"LolzTeam\" has motivated other threat actors to establish their own versions of this community in\r\nan attempt to attract a similar audience. An example is the \"Lozerix\" forum, launched in 2021. \"Lozerix\" even\r\nendeavors to replicate the structure and appearance of \"LolzTeam\" but is currently far from achieving the same\r\nlevel of success. Another case is the RLCF “Mipped”, which is far less active than “LolzTeam” but\r\nvery active compared to “XSS” or “Exploit”. A qualitative analysis of this forum, primarily centered around\r\nvideo game hacking and cheating, suggests that \"Mipped\" does not warrant further discussion in this paper.\r\n1) LolzTeam – a giant community that marginally focuses on cybercrime.\r\nEstablished in 2013 by Mr. Grisha Sutchkov, \"LolzTeam\", also known as \"Zelenka\", is currently one of the most\r\npopular Russian language forums. Boasting a community of approximately 250,000 daily visitors, the forum has\r\nessentially evolved into a kind of social network for teenagers. While the vast majority of members of this forum\r\nare uninvolved in any illicit activity, a minority of cybercriminals specializing in various forms of low-level fraud,\r\ntraffic generation (traffers) and account theft is active on this board.\r\nFigure 29. 
LolzTeam in 2024.\r\nAccording to official statistics, 65% of “LolzTeam”’s members originate from Russia, 20% from Ukraine, and the\r\nremainder from other former Soviet republics such as Belarus[22]. The majority of visitors fall within the 16 to 25\r\nage range, which aligns with the forum's primary thematic focus. “LolzTeam” primarily delves into topics related\r\nto competitive video games, cheating tools, and in-game items (character attire, weapons, and other items\r\ncommonly referred to as \"loot\" in English).\r\nLately, the reputation of this RLCF among cybercriminals has suffered from the aggressive monetization policy of\r\nits administration that targets MaaS sellers.\r\nFigure 30. Official activity statistics of LolzTeam – May 2023.\r\nBlue line - number of daily visitors. Green line - number of daily views.\r\n2) The inception of a “social engineers” (fraudsters) community inside LolzTeam.\r\nSince its inception, in addition to the development and sale of goods and services related to video games, the\r\ncommunity gradually began selling stolen Steam and social network accounts. This shift towards hosting a\r\ncybercriminal community began around 2016 when the forum's administration started publishing tutorials on how\r\nto steal social network accounts and conduct small-scale fraud schemes. Contrary to “XSS” or “Exploit”, targeting\r\nRussian speakers is an accepted and widely popular activity for threat actors active on “LolzTeam”.\r\nVarious fraudulent methods, such as the notorious \"Antikino\" technique, are frequently discussed and popularized\r\non this board[23]. This method involves extorting money from a victim by convincing them that they are\r\npurchasing a cinema ticket for a first romantic date. Typically, the victim has met an attractive individual on a\r\ndating app and, at their proposal, agreed to a first date at the cinema. 
After asking his victim to purchase tickets on\r\na fake cinema website, the charming individual ceases all communication. The manipulation of victims through\r\nvarious forms of social engineering constitutes a substantial part of illicit activity within “LolzTeam”.\r\nFigure 31. Blog posts published by the administration of LolzTeam in 2016. Auto translated from Russian.\r\nTo bolster the development of the sale of legitimately owned or stolen accounts, an entirely separate marketplace\r\nwas created by “LolzTeam”’s administration[24]. In February 2024, reportedly 282,999 social network and\r\ngaming platform accounts are for sale on the marketplace belonging to “LolzTeam”. The most popular ones are\r\nSteam, Vkontakte, Telegram and TikTok accounts.\r\nFigure 32. Allegedly, 282,999 stolen and legitimate accounts are for sale on the dedicated marketplace belonging\r\nto LolzTeam in February 2024. Auto translated from Russian.\r\n3) LolzTeam - Traffer’s realm.\r\nBeyond these minor frauds, more dangerous activities involving the sale of infostealers and advertising of traffers\r\nteams have appeared on “LolzTeam”. \"Traffers\" are cybercriminals seeking to distribute malicious software, often\r\nby exploiting well-established YouTube, Instagram or TikTok accounts with a large user base. Typically,\r\nthey will post attractive content, such as an advertisement for a “free Photoshop license” with URLs in the\r\ncomments redirecting to a malicious website or a file infected with infostealer malware. For instance, a stolen\r\nYouTube account with 172,000 subscribers was put up for sale for approximately 550 dollars on “LolzTeam” and\r\ncould have been used precisely for this purpose.\r\nFigure 33. 
A threat actor was selling in March 2023 a compromised YouTube account with 172,000 subscribers for\r\n$550.\r\nOur observations lead us to conclude that “LolzTeam” plays an interesting role in the Russian speaking\r\ncybercriminal ecosystem for recruiting traffers and assembling dedicated teams. This lead generation activity is\r\nsubsequently leveraged by other cybercriminals who, for example, purchase logs or develop infostealers.\r\nPresently, an entire section is dedicated to this type of activity, with numerous teams recruiting new traffers and\r\noffering to educate beginners.\r\nFigure 34. Traffers teams recruiting new members on LolzTeam. Auto translated from Russian.\r\nFigure 35. A traffer’s team recruiting new members on LolzTeam. Auto translated from Russian.\r\nThe barrier to entry in this cybercriminal activity is in fact very low, as detailed manuals explaining what a\r\ntraffer’s job is and how to do it are freely available on the forum[25].\r\nFigure 36. A detailed tutorial explaining how to become a successful traffer that was shared on LolzTeam. Auto\r\ntranslated from Russian.\r\n4) LolzTeam – an important hub for beginner fraudsters and wannabe cybercriminals.\r\nThe commercial threads published on “LolzTeam” in 2023, as shown in Table 11, highlight the presence of\r\ncybercriminal activities related to traffers, infostealers, and associated services like log parsing and crypto wallet\r\nverification. In contrast, sections dedicated to jobs and services focused on programming, phishing, and scripting\r\nare less popular and less technically advanced than on other prominent RLCF.\r\n5) Mr. Grisha Sutchkov at a crossroads?\r\nWhen he created “LolzTeam” in 2013 at the age of 15, Mr. 
Grisha Sutchkov did not expect his project to become\r\nso popular and successful so swiftly, nor that his forum would later become a hub for cybercriminals. These facts\r\nand the young age of Mr. Sutchkov probably explain why, contrary to other RLCF administrators, he openly\r\nshared a significant amount of personal information, eventually becoming a sort of celebrity within the\r\ncommunity he has created. Members of \"LolzTeam\" actively follow Mr. Sutchkov on social networks and have\r\neven created numerous memes featuring his photos.\r\nIn his interview in April 2023[26], Mr. Sutchkov seems to acknowledge that the income generated by his forum\r\ncould be seen at best as \"gray\", which puts him in a complicated position with his country’s authorities. The\r\nadministrator of “LolzTeam” may need to decide in the coming years between continuing to promote\r\ncybercriminal activities or exploring alternative monetization methods.\r\nSince 2022, there has been a noticeable decrease in content related to infostealers and traffers on \"LolzTeam\".\r\nThis may suggest that the administration has chosen to limit the amount of illicit content on the forum. Another\r\npossible explanation is the reported aggressive monetization approach targeting MaaS sellers on \"LolzTeam\".\r\nAccording to threads on other RLCF[27], infostealer developers have voiced concerns since May 2023 about\r\nbeing repeatedly scammed by \"LolzTeam\" moderators, who frequently close their commercial threads under\r\nvarious pretexts and request payments to allow them to pursue their activities on the forum. This situation has\r\nevidently had a detrimental impact on the reputation of \"LolzTeam\" among cybercriminals.\r\nFigure 37. Examples of photos and memes that can be found online with the search “lanskoy” on Yandex (one of\r\nMr. 
Sutchkov's handles).\r\nC) Banking fraud and carding RLCF.\r\nThere are numerous RLCF primarily specialized in carding, with approximately 20 active communities identified.\r\nHowever, their levels of activity vary. Nowadays, only about three forums are highly popular, namely “WWH-Club”, \"Club CRD\" and “CrdPro”, with the latter being mainly frequented by English speakers. These\r\ncommunities offer access to a wealth of knowledge about credit and gift card theft and fraud. Among them, one\r\nforum stands out - “WWH-Club” serves as a platform where cybercriminals can acquire skills related to credit\r\ncard data theft and learn how to profit from this illicit activity.\r\nTable 12. *Methodology: a user is considered as active in 2023 if he has published at least one message.\r\n1) WWH-Club – the king of carding.\r\nCreated in 2014, \"WWH-Club\" has evolved into one of the most active RLCF specializing in carding and banking\r\nfraud. Over the years, it has successfully built a substantial community and positioned itself as an educational hub\r\nfor threat actors looking to enhance their carding expertise. The forum's administration capitalizes on their\r\nknowledge by offering training courses to members willing to invest $1200 for a premium membership.\r\nThe forum's aggressive monetization strategy implemented in recent years, coupled with numerous[28] complaints\r\nabout their biased arbitration process accessible only to premium members[29], have adversely impacted its\r\nreputation and trustworthiness.\r\nFigure 38. WWH-Club in 2024.\r\nAccount creation on the forum is without charge; however, to gain full membership privileges, including the\r\nability to engage with the community by posting messages, new members are required to make a minimum\r\npayment of 100 dollars. 
In May 2023, the forum's administration reported a total membership of 353,000 users,\r\nwith approximately 112,000 members active within the past 72 hours. These figures appear to be inflated, possibly\r\nwith the aim of attracting advertisers. In March 2023, the same account stated that the forum had 540,000\r\nmembers and also that 112,000 of them were active in the last 72 hours.\r\nFigure 39. In March 2023, the administration of WWH-Club claims that the forum has 353,000 registered\r\naccounts and 112,000 active members during the last 72 hours. Auto translated from Russian.\r\nIn spring 2023, the staff of “WWH-Club” introduced a new satellite website, essentially functioning as a\r\nmarketplace. While the services and products offered are closely aligned with those available on the main forum,\r\nthe marketplace format is designed to enhance the user experience and generate greater value from the forum's\r\ncommunity. It appears that this idea did not work as intended because almost a year after its launch the\r\nmarketplace is less popular than the forum itself[30].\r\nFigure 40. In spring 2023, WWH-Club launched its own marketplace.\r\nWhen it comes to the services that a cybercriminal can find on “WWH-Club”, the table below shows explicitly\r\nthat these offers are heavily focused on the carding community. In total 8870 topics were posted in 2023, of\r\nwhich around 3799 were in the section allocated to the carding activity itself. 
Quantitatively speaking, the second most\r\nimportant section, titled “Everything else”, is dedicated to the sale of goods and services such as objects bought\r\nwith stolen credit cards, spam services, and other advertisements that users did not know how to categorize.\r\nOther sections like “Debit cards, ready-made wallets” offer threat actors services to open bank accounts\r\nwith fake identities in different countries. These services also include techniques to extract the stolen money through\r\nbank accounts – or as it is called in the jargon “to cash-out”.\r\nTherefore, a variety of services necessary to conduct a carding business, such as fake identification documents,\r\nbulletproof infrastructure or databases, are present on the marketplace. Between 2022 and 2023, there was a\r\ndecrease in the release of new commercial threads. Pinpointing the exact cause of this downturn is challenging,\r\nbut it may be attributed to the cybercriminal community on this forum consolidating around a smaller number of\r\nestablished threat actors and illegal services. Another possible factor could be the consequence of \"WWH-Club\"'s\r\nshift towards less appealing and more aggressive monetization strategies, discouraging some threat actors from\r\nadvertising their business there. Further analysis is necessary to understand the dynamics of this change.\r\nD) Fraud RLCF – a variety of services ranging from fraudulent schemes to cash-out and money laundering\r\nservices. \r\nAmong the 13 identified Fraud forums, 3 are presently highly active and popular. While these forums share some\r\nsimilarities, each strives to establish its unique identity. 
For instance, \"DarkMoney\" focuses on money laundering,\r\n\"Probiv\" specializes in lookups, and \"DarkSave\" is renowned, among other things, for selling counterfeit\r\ndocuments.\r\nOur observations indicate that these communities primarily attract cybercriminals engaged in fraud schemes\r\ntargeting CIS countries and that their reputation fluctuates.\r\n1) Laundering dirty cryptocurrencies.\r\nMultiple laundering and cash-out services can be found on “DarkMoney”. The cybercriminals behind these\r\nservices promise to clean the dirty cryptocurrencies and organize the cash-out either on a banking account, which\r\ncan also be purchased or created from scratch with a fake identity, or through an intermediary called a “drop”.\r\nOne of the many services observed on “DarkMoney”, for instance, accepts various cryptocurrencies\r\nand allows its clients to retrieve cleaned fiat money in cash, in the currency of their choice, or to get the\r\nmoney on an account of a Russian or Ukrainian bank. Finally, multiple accounts explaining how to run a business\r\nwith dirty money and evade taxes can also be found on the forum.\r\nFigure 41. Cash-out service advertised on DarkMoney. Auto translated from Russian.\r\n2) Probiv - Finding information about anyone.\r\nThe Russian term \"probiv,\" which translates to \"breaking through\" something, is commonly used on RLCF to\r\nadvertise lookup services. One notable forum, aptly named \"Probiv,\" is recognized for its significant presence of\r\nthreat actors engaged in these activities. What sets these lookup services apart is that the cybercriminals\r\nadvertising them often have access to databases of states and companies. 
Such access is typically acquired\r\nthrough stolen databases or by recruiting insiders employed in law enforcement agencies, governmental bodies,\r\nbanks, or mobile phone operator companies.\r\nHaving an insider's assistance enables lookup service providers to obtain a wide range of information about\r\nindividuals from countries in the former USSR. Furthermore, threat actors interested in recruiting insiders also\r\ntarget online payment services, social networks, and instant messenger companies.\r\nFigure 42. A threat actor looking for insiders in various companies and administrations. Auto translated from\r\nRussian.\r\nSeveral cybercriminals do not hesitate to try to recruit insiders with access to international law enforcement\r\nagencies databases. Individuals with access to Interpol and Europol databases are among the personnel being\r\nsought. \r\nFigure 43. Example of a probiv service with access to Europol and Interpol insiders. Auto translated from Russian.\r\nFigure 44. A threat actor searching for social networks employees.\r\nAs illustrated in Table 16, “Probiv” also attracts threat actors specialized in the sale of fake IDs and in cash-in and\r\ncash-out services, as well as automobile-related fraudsters. The job sections mainly advertise employment and job\r\nsearches related to “drops”. Drops are real or fake people ready to give all their official documents to open bank\r\naccounts or to accomplish various tasks such as retrieving money or drugs for the real owner in exchange for a\r\ncommission.\r\nFigure 45. Example of “drop” service advertised on Probiv. Auto translated from Russian.\r\nE) Diversification drugs RLCF.\r\nRLCF focusing on the promotion and sale of drugs are highly active and successful communities. 
Forums such as\r\n“WayAway” generate substantial revenues thanks to advertisements and partnerships with drug dealers. Due to the\r\nobvious nature of the trade ongoing on these forums, we will not provide any details; nevertheless, some interesting\r\ntrends can be succinctly highlighted.\r\n1) RuTor’s diversification strategy - development of carding and other malicious activities.\r\nSince the start of 2023, we have observed that “RuTor” has initiated diversification in its activities, opening or\r\nenhancing sections dedicated to carding and various malicious schemes.\r\n“RuTor”'s administration has not only launched a carding section but has also introduced sections for money\r\nlaundering, hacking, and fake documents. This illustrates the intention of the owners of this RLCF to expand the\r\nforum's user base and potentially increase the purchasing power of drug consumers.\r\n“RuTor”'s administration has invested in the development of carding activities through the publication of tutorials\r\nand manuals. More than 91 threads have been published in the tutorial subsection, and forum members are\r\noffering to teach carding techniques for a fee. The mission of the threat actor and moderator \"Princess\" is to\r\ndevelop this section and create content, highlighting “RuTor”'s financial commitment, as moderators do not\r\nprovide their services for free.\r\nFurthermore, the presence of a section dedicated to hacking, database leaks, and traffic generation underscores the\r\nforum’s diversification. 
Currently, the hacking and malware offerings advertised on this RLCF differ from those\r\non top forums like “Exploit” or “XSS”, by focusing on low-level content such as hacking social network accounts\r\nand DDoS services.\r\nTo assess the long-term consequences, it is essential to monitor the evolution of Russian-language drug forums in\r\nresponse to these developments.\r\nFigure 46. A carding section on the Drugs RLCF RuTor.\r\nFigure 47. Hacking and DDoS sections are also present on RuTor.\r\nTable 17. Drugs related topics were not counted, please note that they constitute the majority of commercial\r\nthreads on RuTor. Source: CybercrimeDiaries.com\r\nI hope that you found this Chapter informative and insightful. If you wish to engage in discussions\r\nregarding any of the subjects explored in this blog post, please feel free to reach out to me via Twitter/X or\r\nLinkedIn.\r\nIn the upcoming and final Chapter, we will delve into the analysis of how geopolitical events have\r\ninfluenced RLCF and their communities.\r\nThis blog post is also available on my company's blog (OWN).\r\nSources:\r\n[7] “«Если прибыли ФБР, Интерпол и отдел „К“, что-то у них на меня есть». Тот самый хакер из Речицы\r\nвпервые говорит о своём деле,” dev.by, accessed January 21, 2024, https://devby.io/news/hacker-from-rechitsa.\r\n[20] “Telegram: @freedomf0x - Свежий Слив, Свежей Справки По Форме 1. 
По Переданной Нам\r\nИнформации Из Киевского DC (От Души Парни), Сливают в СБУ Инфу Из 18 Центра ФСБ РФ.,” 2024,\r\nhttps://t.me/freedomf0x/18183.\r\n[23] “Авторская статья - Антикино от А до Я (популярная мошенническая схема в 2019),” Форум\r\nсоциальной инженерии —  Zelenka.guru (Lolzteam) https://zelenka[.]guru/threads/1057828/.\r\nhttps://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities\r\nPage 24 of 25\n\n[27] “Арбитраж - Как Заработать На Audi A7 - Lolz Scam - Ланской,” XSS.is (ex DaMaGeLaB), May 14,\r\n2023, https://xss[.]is/threads/87960/.\r\nSource: https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communiti\r\nes\r\nhttps://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities\r\nPage 25 of 25\n\nFigure 15. The Figure 16. The threat actor johndoe7 threat actor backdoorseller is selling Cobalt is ready Strike licenses. to sell a RCE Auto translated exploit for 25,000 from Russian. dollars.\nFigure 17. The threat actor hackerGPT is ready to buy a 0-day exploit for up to 500,000 dollars.\n   Page 12 of 25  \n\nFigure 31. Blog To bolster the posts published development of the by the administration sale of legitimately of LolzTeam owned or stolen in 2016. Auto translated accounts, an entirely from Russian. separate marketplace\nwas created by “LolzTeam”’s administration[24].  In February 2024, reportedly 282,999 social networks and\ngaming platform accounts are for sale on the marketplace belonging to “LozlTeam”. The most popular ones are\nSteam, Vkontakte, Telegram and TikTok accounts.    \n   Page 17 of 25",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybercrimediaries.com/post/russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities"
	],
	"report_names": [
		"russian-language-cybercriminal-forums-analyzing-the-most-active-and-renowned-communities"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434863,
	"ts_updated_at": 1775791780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80f8b4feb22cdae87198c1dc9f6391e21e092f73.pdf",
		"text": "https://archive.orkl.eu/80f8b4feb22cdae87198c1dc9f6391e21e092f73.txt",
		"img": "https://archive.orkl.eu/80f8b4feb22cdae87198c1dc9f6391e21e092f73.jpg"
	}
}