Darknet 2.0: Underground Forums Have Transformed into High-Tech Ecosystems

Евгения Комарова Exclusive
Positive Technologies published the results of its research, showing that shadow forums have become true high-tech ecosystems. These platforms include guarantor systems, internal cryptocurrency wallets, and automated payment mechanisms. In some cases, users' internal accounts can reach hundreds of thousands of dollars. The primary currency is Bitcoin, while Monero is used for larger transactions.

The main threat is the accessibility of such platforms. The high degree of specialization among criminal groups and the automation of processes allow cyberattacks to be scaled with minimal human involvement. Complex cyberattacks have become available as ready-made products that can be ordered through a Telegram bot, even without possessing technical skills.

Challenges in countering such communities arise from their multi-layered access systems and social structure. Newcomers have access only to limited information, and to access elite sections, one must spend several months integrating into the community. This requires information security specialists to rethink their approaches and pay more attention to studying the behavior and social connections of participants.

Experts from Positive Technologies investigated closed forums on the darknet and concluded that in recent years, these platforms have become highly organized ecosystems with their own economy and complex protection systems. The research was based on data from shadow forums, information from law enforcement agencies, and monitoring of Telegram channels of hacktivists. Modern underground platforms are no longer just places for information exchange; they represent a full-fledged shadow market for services, making the launch of cyberattacks accessible to a wide audience.

While previously underground communities used simple platforms like phpBB, today they create distributed systems with multi-layered architecture that provide a level of security comparable to legal services. It is alarming that these forums continue to evolve through natural selection; each time law enforcement shuts down one platform, a new one emerges, taking into account the mistakes of the previous one.

Modern platforms are characterized by hybrid architecture. They abandon standard website solutions and develop their own platforms. For example, the well-known English-speaking forum Dread was created from scratch specifically to operate on the Tor network, making it more resistant to hacks and analysis. Law enforcement agencies must study the unique architecture each time.

Forums exist in multiple locations simultaneously: they have hidden servers on the Tor network, regular websites on the open internet, and numerous mirrors. If one of the domains is blocked, users quickly switch to another, as administrators pre-publish current links in Telegram channels or other backup communication channels. This distributed structure significantly enhances resilience to blocking and monitoring.

Protection against bots and scanners has also reached a new level. Forums implement complex CAPTCHAs and JavaScript tasks, limit request rates, and even use hidden tags in HTML code to track information copying. When suspicious activity is detected, such as a user opening hundreds of pages per minute, the account is instantly blocked or required to undergo re-verification. This shifts the focus of cybersecurity specialists to studying the behavior of participants and their social connections.

An interesting feature of these communities is the multi-layered access system. Newcomers see only limited information, and to gain access to closed sections, they must earn a reputation, conduct several transactions, and receive recommendations from more experienced participants. Sometimes, an interview or solving a cryptographic task is required. This significantly complicates the work of both law enforcement and security researchers, who must spend a long time building up a role to prove that they belong to the community.

The economy of these forums has turned into a real industry, where many platforms have built-in guarantor systems for secure transactions, internal cryptocurrency wallets, and automated payments. Some forums have separate sections for arbitration and escrow services with fees. The main currency is Bitcoin; however, for large transactions, Monero is increasingly used due to its anonymity. Forums earn from fees for guarantor services, selling VIP statuses, and paid access to exclusive sections, while users can store significant amounts of cryptocurrency in their accounts.

[Figure: The Shadow Economy of the Forum: Transaction Scheme]

The service model created by these forums poses a particular danger. The availability of ready-made solutions—from exploits to botnet rentals—allows criminals to significantly scale their attacks, minimizing personal involvement. Complex cyberattacks become available commodities, sharply reducing the skill level required to organize them. The deep specialization of cybercriminal groups and the automation of criminal processes make the threat relevant for companies of any size.

Many forums are integrated with Telegram and have created their own bots for process automation. Through such bots, transactions can be conducted, notifications about new messages can be received, or even purchases can be made without visiting the forum itself. This creates a whole ecosystem where the boundaries between different platforms become blurred.

Forum administrators adhere to strict security rules, avoiding direct access to servers. They use chains of VPNs and Tor, work through intermediary computers, and try not to take actions that could reveal their identity. The slightest mistake, as in the case of the Silk Road creator who used personal email, can lead to arrest.

Interestingly, the community itself also serves as an additional level of protection. Regular forum participants closely monitor the behavior of newcomers and can recognize an infiltrated agent by their manner of speech or inappropriate questions. In one case, after the arrest of the administrator of the well-known forum XSS, moderators suspected that the platform had been taken over by law enforcement and created a new forum, DamageLib.

The life cycle of forums is short. Sooner or later, they are shut down by law enforcement, hacked by competitors, or disbanded due to internal conflicts. Nevertheless, communities do not disappear. They migrate to new platforms: administrators prepare backup servers in advance, make backups of databases, and keep spare communication channels. When the main site is shut down, a new address appears literally within a day, and most users move to it.

A new trend has even emerged: the creation of temporary forums that operate for only a few months and then intentionally shut down. While the platform is young, law enforcement does not have time to infiltrate, and administrators leave no traces. Some time after the shutdown, the same team opens a new forum and invites verified participants.

Researchers suggest that in the near future, forums will become even more distributed and automated. Artificial intelligence will be more actively applied for moderation and verification of participants, decentralized data storage systems will become commonplace, and integration with messengers will expand. Elite communities will become even more closed, while temporary forums will become a daily reality.

The main conclusion of the research is that underground forums are no longer chaotic formations. They are dynamically evolving platforms with their own rules, economy, and social structure. The technical and organizational resilience of these platforms seriously complicates counteraction. Understanding the mechanisms of the shadow market becomes the basis for proactive protection capable of anticipating threats rather than merely reacting to incidents. Cybersecurity specialists must constantly update their methods and quickly adapt to changes in this ever-evolving environment.