Threat Intelligence

Cyber Criminal Ecosystems in the Deep Web

Pierluigi Paganini
March 22, 2016 by
Pierluigi Paganini


The analysis of black markets is essential to understand the evolution of phenomena in the criminal underground. The first aspect to consider when dealing with the criminal underground is its fragmentation, criminal organizations specialize their offer for the market they approach, in fact, security experts noticed significant differences between groups operating in different countries.

Black markets are the most important points of aggregation on the deep web for the cyber criminals, communities; they represent a privileged place where the criminal offer meets a demand even more specialized.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Security experts consider the Russian underground as the most prolific, at least concerning hacking and payment card frauds. Meanwhile, the Chinese criminal ecosystem is the most popular for everything concerning mobile frauds and it is focused on the provisioning of hardware for several illegal activities.

The Brazilian criminal underground is populated by young criminals specialized in products and services to hit online banking platforms and its users; this is not surprising because of the strong propensity of Brazilians in using the Internet banking.

Continuing our tour, we will approach the US market; that presents many similarities with that Russian one, other communities of interest are the Japanese one that is rapidly growing, and the German one that many experts consider a subsidiary of the Russian underground. The German criminal underground heavy relies on DarkNets; the most popular forums use mirrors on the Tor Network.

The researchers at TrendMicro, who analyzed illegal activities in the Deep Web have identified at least six different cybercriminal ecosystems operating in RussiaJapanChinaGermany, in the United States and Canada (North America), and Brazil.

The Russian underground is considered "a well-functioning assembly line," it is an ecosystem crowded by professional sellers that are competing by providing goods in the shortest amount of time and most efficient manner possible.

"Each country's market is as distinct as its culture. The Russian underground, for instance, can be likened to a well-functioning assembly line where each player has a role to play. It acts as the German market's "big brother" as well in that it greatly influences how the latter works. The Chinese market, meanwhile, boasts of robust tool and hardware development, acting as a prototype hub for cybercriminal wannabes. Brazil is more focused on banking Trojans while Japan tends to be deliberately exclusive to members." states the report.

Marketplaces like and Rescator that offer products and services for credit card frauds are very popular in the criminal underground worldwide.

The Russian underground hosts the most important black markets that offer escrowing services or "garants" on their products that make them an important aggregator for the criminal demand offering a privileged environment where to operate anonymously.

"Cybercriminals from every corner of the world take advantage of the anonymity of the Web, particularly the Deep Web, to hide from the authorities. Infrastructure and skill differences affect how far into the Deep Web each underground market has gone. Chinese cybercriminals, for instance, do not rely on the Deep Web as much as their German and North American counterparts do. This could, however, be due to the fact that the "great firewall" of China prevents its citizens (even the tech-savviest of its cybercrooks) from accessing the Deep Web. The fact that Germany and North America more strictly implement cybercrime laws may have something to do with their greater reliance on the Deep Web, too."

Figure 1 - Underground communities (TrendMicro Report)

The North American underground is the most open to novices. It is visible to both cyber criminals and law enforcement. Meanwhile, the Canadian underground is focused on the sale of fake/stolen documents and credentials (fake driver's licenses and passports, stolen credit card and other banking information, and credit "fullz" or complete dumps of personal information).

The Russian Underground

Security experts consider the Russian underground the most important ecosystem for online crimes, its operators offer every kind of illegal products and services. According to the experts at Kaspersky Lab, Russian criminal organizations have stolen roughly $790 Million over three years (from 2012 to 2015), more than $500 million of that is from victims located outside the Russian.

Individuals, private companies, and financial institutions across the world are the principal targets of Russian hackers. The researchers at Kaspersky estimated the losses by analyzing the information gathered from over 160 arrests of Russian-language speaking cyber criminals as well as data gathered during their investigations. Unfortunately, this data could represent only the tip of the iceberg, in many cases attacks are undetected and it is not easy to provide an estimation of the losses.

"With online financial transactions becoming more common, the organizations supporting such operations are becoming more attractive to cybercriminals. Over the last few years, cybercriminals have been increasingly attacking not just the customers of banks and online stores, but the enabling banks and payments systems directly. The story of the Carbanak cybergroup which specializes in attacking banks and was exposed earlier this year by Kaspersky Lab is a clear confirmation of this trend." reads the Kaspersky's report.

More than 1,000 individuals were recruited by the Russian cyber criminal organizations since 2012, most of them involved in the development of malware and the set up of a botnet.

The researchers at Kaspersky have identified at least five cyber gangs focused specifically on financial crimes; typically they are organized structures composed of 10 to 40 people, which are operating for at least two years.

"At least two of them are actively attacking targets not only in Russia but also in the USA, the UK, Australia, France, Italy and Germany." continues the report.

These organizations operate like regular businesses offering a large number of services and products. The Russian underground focuses its offer on hacking solutions and credit card frauds.

"All of these "products" and "services" are bought and sold in various combinations in order to enable four main types of crime. These types can also be combined in various ways depending on the criminal group:"

  • DDoS attacks (ordered or carried out for the purpose of extortion);
  • Theft of personal information and data to access e-money (for the purpose of resale or money theft);
  • Theft of money from the accounts of banks or other organizations;
  • Domestic or corporate espionage;
  • Blocking access to data on the infected computer for the purpose of extortion;

The experts observed that preferred currencies for transactions in Russian underground include Bitcoin, Perfect Money, and WebMoney.

The Russian cyber underground is an element of attraction for skilled hackers and wannabe cybercriminals; the ecosystem offers numerous job opportunities to participants.

Figure 2 - Financial Cybercrime Organization (Kaspersky Report)

Skilled hackers are recruited by Russian gangs for programming and virus, web designing for phishing pages, and testing. A category of individuals that is also requested are the cryptographers, which are hired as 'cryptors' for packing malicious code so as to evade malware detection.

"In general, employees involved in cybercrime can be divided into two types: those who are aware of the illegality of the project or the work they are offered, and those who (at least in the beginning) know nothing about it. In the latter case, these are usually people performing relatively simple operations such as copying the interface of banking systems and sites." states the report. "By advertising "real" job vacancies, cyber criminals often expect to find employees from the remote regions of Russia and neighboring countries (mostly Ukraine) where problems with employment opportunities and salaries for IT specialists are quite severe."

The most interesting studies on the Russian underground were published by the security expert Max Goncharov from TrendMicro.

The Russian underground is the privileged place to buy crimeware kits that are continuously updated by sellers to include new exploit codes. The Russian underground is composed of an impressive number of forums that offer products and services; these places are also advertised on forums in many other countries. Many forums are hosted on the Dark Web; security experts are observing a growing number of operators that prefer to use hidden services in the Tor Network to offer their products in one of the numerous black marketplaces and hacking forums.

In the Russian underground, it is quite easy to find sellers offering their products and services through the model of sale known as malware-as-a-service, that means they are available for rent. Russian hackers are specialized in the sale of Traffic Distribution Systems (TDSs) and traffic direction and PPI services.

Figure 3 - TDS (Trend Micro Report)

"In fact, traffic-related products and services are becoming the cornerstone of the entire Russian malware industry, as buying Web traffic can not only increase the cybercriminal victim base, sifting through the traffic stored in botnet command-and-control (C&C) servers can also help threat actors find useful information for targeted attacks." states the report published by Trend Micro.

Following the list of principal products offered:

  • Trojans
  • Exploits and Exploit Bundles
  • Rootkits
  • Traffic
  • Crypters
  • Fake Documents
  • Stolen Credit Card and Other Credentials meanwhile list of the most popular services includes:
  • Dedicated-Server-Hosting Services
  • Proxy-Server-Hosting Services
  • VPN Services
  • Pay-per-Install Services
  • Denial-of-Service Attack Services
  • Spamming Services
  • Flooding Services
  • Malware Checking Against Security Software Services
  • Social-Engineering and Account-Hacking Services

To better understand the offer of the Russian criminal underground let's give a look to the prices of the products.

Exploit kits are available for $500-$1000; meanwhile malware source could be paid from $800 up to $4000 depending on the type of malware, and the additional module included in the offer.

Prices for stolen credit card data are highly volatile and depends on the card origin, balance and expiration date. CVVs could go for $3 up to $25; a Card Dump is offered for a price included in $20-$60, and a Fullz (data + additional information like card holder's document) are offered for $25-$125.

Figure 4 - Russian Underground Price List (Trend Micro)

According to experts at Arbor's ASERT Team, a DDoS attack could be launched by renting a service called booter or stresser for nearly US$60 per day. Meanwhile, the cost of an entire week is $400. Cyber criminals operating the service also offer 10-minute test sessions to their clients.

Technically, these services could be sold as would-be legitimate tools for security professionals that need to test the resilience of their infrastructure to cyber attacks or their capacity to support a high-volume of traffic.

Figure 5 - Booter advertising

The German Cyber criminal Underground

The German cybercriminal underground is the most advanced cybercrime ecosystem in the European Union, beating known markets as the French and Spanish. A recent analysis conducted by Trend Micro analyzed ten big crime forums, some of them holding a registered, active base between 20.000 and 70.000 users.

Figure 6 - Main black markets and forum in the German underground (Trend Micro)

The German underground isn't wide as the Russian one, but it offers a selection of its best product and services, that in the majority of cases are localized by smaller communities of hackers.

The offer of the German underground includes:

  • Malware (Trojans, bank-stealers, and backdoors)
  • Drugs
  • Bulletproof hosts(BPHSs), to used to store malware components, exploit kits.
  • Fake IDs
  • Hacked accounts
  • Crypting services

What does make the Germany cybercriminal underground the most advanced cybercrime in the entire European Union? The answer is Russia because both the German and the Russian underground forums are full of carding service banner ads. These ads are normally associated with Russian underground offerings but heavily advertised in German forums.

A good example is "", one of Russia's biggest stolen credit card marketplaces that are being advertised in the German underground, also "" but there are more.

The link between Russian Communities and the German ones is demonstrated by the numerous banner ads present in the German hacking forums that can help marketplaces widen their client bases.

Figure 7 - Banner ads present on the German forums and Black Markets

One of the most interesting services offered by German sellers is the Packstation service described in the report as a delivery method exploited by criminals, and that takes advantage of the German postal service.

"Most underground markets rely on droppers who cash in stolen credit cards and online accounts. There is no longer a need for droppers in the German underground. Users instead rely on the so-called "Packstation service" that takes advantage of the German postal service. This allows sellers to put goods sold in publicly accessible metal boxes for their buyers to pick up using their pTANs and access cards." States a report published by Trend Micro on the German cybercrime underground.

"The advantage of the "Packstation" resides in the fact that cybercriminals can easily perform "exchange of goods and payment. Users' addresses cannot be tracked though they need to apply for the service using a physical (home) address and a mobile phone number (which are easy to fake) so they can receive short messaging service (SMS) notifications along with their pTANs to claim their parcels."

Figure 8 - Packstation service (Trend Micro Report)

I have found very interesting the black market, which is hosted on the CloudFlare platform. The black marketplace has a complete offer that is frequently integrated with new services and products. Prices are highly volatile, but it is easy to note that they are greater than the ones for products in the Russian underground. It is likely that criminal organizations are trying to earn from the localizations of many products and services coming from the Russian ecosystem.

Figure 9 – German Plaza Underground Market (Trend Micro)

The main difference with the Russian market is the propensity of the German hackers in the use of Dark Web for their business. German cyber criminals exploit hidden service in Tor network to mirror their marketplaces that are available also on the Surface Web.

Sito Web Mirror su rete Tor Bizznza4vtgsdrgb.onion Gerpla4igmngtpgw.onion Gerpla4igmngtpgw.onion Crimenc5wxi63f4r.onion

The Chinese Underground

The Chinese criminal underground is the most important for the offer of tools and services to target mobile platforms.

In this specific criminal ecosystem, toolkits are becoming more available and cheaper, and some are even offered free of charge.

Cyber criminals could buy a crimeware kit for nearly 100 yuan ($15,00), and the selling of premium-rate phone numbers can be bought for 220,000 yuan ($33,900).

Premium service abusers can subscribe mobile victims to unwanted services. These malicious mobile apps are used by crooks to reply via text message on users' behalf, in this way victims are charged a subscription fee. To hide their activities, they also delete confirmation text messages.

Mobile spam campaigns are profitable activities for the criminal organizations considering that more than 80% of the Chinese netizens access the Internet through mobile devices.

Mobile spammers use to send unsolicited bulk text messages ("SMS spam") to victims' handset to advertise products or services or to spread phishing URLs and malicious pink pointing compromised domains.

Among the hardware devices traded in the Chinese forums to arrange mobile spam campaigns there are:

  • GSM modems: devices that can send and receive text messages. A 16-slot GSM modem is available for sale at approximately 2,600 yuan (US$400) and can send up to 9,600 text messages per hour.
  • SMS servers: low-cost piece of radio frequency (RF) hardware that can send out software-defined radio (SDR) signals in GSM frequency ranges. The cost for a server starts from 45,000 yuan (~US$ 6,934).
  • Internet short message gateways: devices that mobile network carriers provide to service providers to handle bulk-text-sending services. A similar device costs 300 yuan (~US$46) for 5,000 text messages and could go up to 2,800 yuan (~US$431) for 100,000 text messages.

Figure 10 - Hardware offered for sale in the Chinese Underground

Another hardware sold in the Chinese black marketplaces is the SMS forwarders, which are Android Trojans designed to steal authentication or verification codes sent via text messages.

Figure 11 - Chinese Underground Offer (Trend Micro Report)

This malicious software monitors text messages sent by certain phone numbers usually associated with online payment service providers and banks to intercept authentication or verification codes that they then forward to cyber criminals.

SMS forwarders, like premium service abusers, can hide their activity by deleting the text messages they intercept.

In the Chinese underground, it is possible to pay for spam services via Apple iMessage spammers that could be acquired in a lot of 1,000 spam services for as little as 100 yuan ($15,00).

In 2014, security experts at Trend Micro conducted a study to measure the popularity of various products and services offered in the Chinese underground market and they observed that the greatest interest was for the three following products/services:

The report published by the experts includes the price list for the above products, for example, an annual license for RAT ranges from $97 to $258. Meanwhile criminals could rent DDoS toolkits for $81 per month.

A DNS server attack cost only $323 and a 10 GB SYN packets per day goes for $161.

It is interesting to note some differences between Russian and Chinese underground; Chinese groups are more available to general public respect Russians peers. The communication channels adopted by Chinese criminals are rarely hidden.

The Brazilian Underground

The Brazil underground is becoming popular as the Russian and the Chinese one.

The principal actors in the Brazilian cybercriminal underground are unscrupulous youngsters, most of them are young and bold individuals with no regard for the law.

Unlike criminal communities in other countries, they do not rely so much on the anonymizing networks for transactions. They exhibit a blatant disregard for the law by the way they use the Clear Web, in particular, Brazilian criminals make a large use of popular social media platforms such as Facebook.

Operators in the Brazilian underground show a great expertise in the sale of online banking malware due to the large use of these banking serviced in the country.

According to a report published by Trend Micro, Brazil accounted in 2015 for 5% of the total number of online banking malware.

Actors in the Brazilian criminal underground can be classified into two main categories: developers, and operators.

The developers are individuals with an educational background that turn to cybercrime because it's a lucrative job. Usually, they are responsible for the design of new malicious codes. Developers typically don't use the deep web as their peers in other countries. Instead, they advertise their products through social media platforms like Facebook, Twitter, and YouTube and messaging platforms like Skype and WhatsApp. Developers are usually young students that are financially motivated.

"One such developer is the notorious 20-year-old Lordfenix2 whom we profiled in June 2015. This computer science student was able to build more than 100 banking Trojans that can bypass Brazilian banks' security measures. This has earned him a reputation as one of the country's top banking malware creators. He supposedly started developing his malware when he was still in high school and remains an active underground player to date." states the report published by Trend Micro.

The second group of actors in the Brazilian ecosystem is composed of the operators, which are individuals without specific educational background. They are the actors that buy the malware sold by the developers and use them to target the victims. They normally buy the malware from developers via crime-as-a-service model. Operators are the ones that normally law enforcement agencies catch, in opposite the malware developers that are hard to track down.

Which products and services can be acquired in the Brazilian underground?

One of the most popular products in the Brazilian criminal ecosystem is the ransomware, they are offered for sale at USD $3,000, and can use it to target almost every platform including Windows, Linux, Android, iOS, and OSX devices.

Sellers also offer modified Android apps that could be specifically customized to work as data stealer. Criminals use these apps mainly to steal login credentials or credit card info to resell on the black market. When dealing with malicious code specifically designed for the Brazilian criminal ecosystem, we must mention the KAISER malware that can bypass the authentication mechanisms implemented by the Sicredi's (a Brazilian credit union) through the time-based token system and steal login credentials. Many others financial institutions could be targeted by the same threat, including Banco do Brasil, Itaú, HSBC, Santander, and Bradesco.

Banking Trojan source codes are sold for around US$386 each, the offer allows buyers to modify their code according to their needs, they can obfuscate strings, customize the composition of payloads and add crypters and other solutions to evade the detection. Other products very popular are the Bolware kits and toolkits used to create Bolware that are offered for around US$155, the applications offered by cybercriminals are user-friendly and implements an easy to use control panel for monitoring and managing infections and malicious activities.

Figure 12 - Brazilian Underground Offer (Trend Micro)

The PII-querying services are offered for sale at US$6.81and allow criminals to access PII information included in archives like the vehicle registration plate database, or the CadSUS database (the Brazilian heath card system).

Proxy keyloggers are other precious commodities; they are tools used to redirect victims to the attacker's page, like a fake bank page. Crooks use it to serve malware on the victim's machine and control it.

A "Remota" keyloggers are sold for US$511.61 including full support and weekly updates.

DNS changers are offered for sale on the market for around US$1279.02; crooks used it to redirect victims to a phishing page when accessing a target site or to a domain hosting an exploit kit. DNS changers found in Brazil during 2015 were mainly written in JavaScript.

One of the most interesting aspects of the Brazilian underground is the availability of training for criminal wannabes. Brazilian sellers offer all sorts of training courses, including malware development, managing botnets, and stealing credit card data, for around US$51.16 it possible to buy a programming training with online support via Skype.

The Brazilian underground offers bank fraud courses for aspiring cyber-criminals, the courses are very advanced and propose detailed information for beginners to the criminal activities. The courses start presenting the fraud workflow and tools necessary to arrange a cyber fraud. Some courses are arranged in modules that include interesting information on the illegal practices to cybercriminal wannabes that can also acquire interactive guides and practical exercises (e.g., simulating attacks). A 10-module course, for example, is offered for US$468, the operators also offer updates and a Skype contact service.

"What distinguishes the Brazilian underground from others is the fact that it also offers training services for cybercriminal wannabes," according to the whitepaper. "Cybercriminals in Brazil particularly offer FUD (fully undetectable) crypter programming and fraud training by selling how-to videos and providing support services via Skype. Anyone who is Internet savvy and has basic computing knowledge and skill can avail of training services to become cybercriminals. How-to videos and forums where they can exchange information with peers abound underground. Several trainers offer services as well. They even offer support when training ends." states the report published by Trend Micro.

Of course, products and services for payment card frauds are among the most commercialized commodities; it is quite easy to find stolen credit card credentials, Credit card number generators and so on.

Post Skimmers are normally sold for around US$2046.43, but very useful are credit card transaction approval services and training that assist crooks in using the stolen card in cash out activities.

Fake documents and counterfeit money are other products very popular in the Brazilian underground, priced depends on the type of document and its country.

Crooks can pay to get a new ID card or a new driver's license.

According to the author of the study of the Brazilian underground market, Trend Micro Senior Threat Researcher Fernando Merces, several factors have contributed to the growth of cyber-criminal activity in the country like limited resources assigned to law enforcement and the existence of a flexible underground market.

"For example, Brazil has a lack of concrete laws and limited law enforcement agency resources that address cybercrime in the country," he noted. "Additionally, the technological and consumer landscape in Brazil, which has a 50% Internet penetration rate, and a 69% credit card penetration rate, has made the country all too appealing for cyber criminals. However, another factor may have also contributed to Brazilian cybercrime: the existence of a flexible underground market with different offerings, ranging from banking Trojan development to online fraud training. The latter is highly notable as this is the most unique item in the market, which may not be found in other underground markets." explained Merces in a blog post.

Let me suggest you to read the full report published by Trend Micro; it is full of interesting data.

The North American underground

Differently from the other criminal underground market, the North American one isn't so hidden. Criminals in North America doesn't use the dark web.

The offer in this specific ecosystem is tailored for US and Canadian operators, most of the offerings (stolen accounts, products and services, and fake documents) are based in the US.

Like other black markets, in North America, it is possible to pay for several illegal products and services including weapons, drugs, hacking services, passports, bulletproof vests, and even money laundering services.

The most traded products in this underground are drugs that cover 62 percent of the market, followed by stolen card data dumps that account 16 percent and fake documents 4 percent.

Figure 13 - Drugs offered in the North America Underground (Trend Micro)

It is curious to see that it is possible to pay for a "murder for hire" which provides several options, for example, a simple beating goes for $3,000, or an "accidental death" for $900,000.

Crimeware covers 15 percent of the market and includes things like buying malware, hacking services. The American underground relies on forums solely dedicated to the sale of hacking tools like keyloggers, remote access tools, and botnets.

A keylogger will sell for $1-$4; a botnet can be sold for $5-$200, and a ransomware can be bought for $10 flat. Many sellers also offer other services such as DDoS attacks and crypting service.


In this rapid tour, we have analyzed the Japanese underground, which is considered a growing market but still limited in dimension.

The Japanese underground is mainly composed of members only bulletin board systems; the criminals make large use of special jargon to evade the authorities. This market is characterized by the attitude in accepting more unusual kinds of payment, including gift cards and forum points instead of bitcoins or cash paid via money transfer.

What to expect in the future?

The numerous successfully operations conducted by law enforcement will force criminal communities in migrating in the dark web. Principal communities operating on the surface web will be dismantled, and operators will search more safe places in the cyberspace.


Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.