Threat Intelligence

Pricing Policies in the Cyber Criminal Underground

Pierluigi Paganini
October 7, 2014 by
Pierluigi Paganini


Underground markets are places on the Internet where criminal gangs offer a wide range of illegal products and services. Black markets are crowded places where single individuals or criminal organizations could acquire or rent products and services at very competitive prices. Like any other market, in black markets the relationship between supply and demand determines the price of the products. A growing number of highly specialized sellers are offering their wares, and the huge offer is causing the drop in prices.

Underground markets offer a wide range of products, from drugs to hacking services. In this post we will focus on products and services specific to the cybercrime ecosystem. The most interesting markets for this kind are the Russian underground and the Chinese market. Together we will try to analyze their offers, exploring how sellers are customizing their offer based on their origin.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

In 2012, TrendMicro security firm published the study "Russian Underground 101," which provided a brief summary of the cybercriminal underground and shed light on the basic types of hacker activity in the region.

TrendMicro experts have published various reports on the topic, providing detailed data related to products and prices for the above markets. The black markets explored are all characterized by a thriving economy which can guarantee handsome profits for a growing number of sellers.

The Russian underground

In April 2004, Max Goncharov published a second study on the Russian Underground, titled "Russian Underground Revisited", one year after the previous report "Russian Underground 101″. Goncharov analyzed in detail the offer of services and products in the most prolific black market, the Russian underground.

Cyber security experts noticed a significant increase in the Russian underground forums in respect to the previous year. Among the most popular Russian marketplaces, the researchers include and, which counted dozens of thousands unique members.

The Russian underground market offers a huge quantity of solutions, toolkits are becoming more available and cheaper on the black market, and in many cases they are offered free of charge, making it easy for cyber criminals to arrange illegal activities.

Cyber criminals are increasing the use of the Deep Web, which provides the optimal environment to offer illegal solutions and services preserving the anonymity of sellers and buyers. Experts have assisted in the creation of a large number of hacking forums based in hidden services in the Tor Network. Those marketplaces specialized in the commercialization of stolen credit/debit card data, hacking services, and malware customization.

Security experts date the creation of a structured Russian cybercriminal underground to 2004. It was initially used as a place on the Internet where groups of criminals exchanged information with their peers. Over the years, the same forums were used by criminals to advertise their products as crimeware kits. Selling models such as malware-as-a-service and hacking-as-a-service have begun to spread in the cyber criminal ecosystem, facilitating the entry of new groups of criminals, even without high computer skills.

The Russian underground market is characterized by a specialized vertical offer. Instead of selling every kind of solution, sellers prefer to concentrate their efforts in the designing and provisioning of high quality products/services like file crypting services, traffic direction systems (TDSs) and distributed denial-of-service (DDoS) tools.

Security experts consider the Russian underground market to be mainly focused in selling TDSs and offering traffic direction and PPI services.

Figure 1 - Traffic direction systems (TDSs) - TrendMicro

"In fact, traffic-related products and services are becoming the cornerstone of the entire Russian malware industry, as buying Web traffic can not only increase the cybercriminal victim base, sifting through the traffic stored in botnet command-and-control (C&C) servers can also help threat actors find useful information for targeted attacks," states the report.

Web traffic is considered a precious commodity for cyber criminals. It is the main ingredient in the majority of illicit activities such as the spread of malware through compromised web sites.

With the increase of the dimension of the markets, the logic of the business requests the provisioning of new services. For example, to ensure the safety of the transactions, sellers and buyers use escrows or "guarants" third parties.

The escrows maintain the buyers' money until the purchase is completed. They have to verify that the solutions offered properly work and that buyer completed the payment for it.

"When buying and selling stolen credit card credentials, for instance, an escrow checks several numbers to confirm their legitimacy before handing the payment the buyer gave him for safekeeping to the seller. Escrows usually get 2‒15% of the sales price for their services, depending on the agreement between buyers and sellers and other circumstances," said Goncharov in his report.

In the most popular black markets, groups of criminals are adopting the model of sale known as malware-as-a-service, in which a seller offers malicious code, customization services and control infrastructure for rent.

The principal products offered in Russian undergrounds are:

  • Trojans
  • Exploits and Exploit Bundles
  • Rootkits
  • Traffic
  • Crypters
  • Fake Documents
  • Stolen Credit Card and Other Credentials

Meanwhile, the list of the most popular services includes:

  • Dedicated-Server-Hosting Services
  • Proxy-Server-Hosting Services
  • VPN Services
  • Pay-per-Install Services
  • Denial-of-Service Attack Services
  • Spamming Services
  • Flooding Services
  • Malware Checking Against Security Software Services
  • Social-Engineering and Account-Hacking Services

In the majority of cases, the prices for the products offered in the Russian underground have significantly decreased in the last three years. For example, the cost of Exploit kits decreased to zero while Crypter and Traffic volume prices were down by up to 75 percent in the last three years.

Figure 2 - Russian Underground Price List - TrendMicro

Figure 3 - Price list – Trend Micro

Even if the prices of almost every product and service sold in the Russian underground market have decreased in the last years, the black market is very profitable for both buyers and sellers.

"Cyber criminals, like legitimate business people, are also automating processes, resulting in lower product and service prices. Of course, 'boutique' products and services remain expensive because these involve specialized knowledge and skills to develop that only a few bad guys have," states the report.

The Russian underground is an example of a successful evolution of a criminal proposal.

Digital identity frauds

Within the numerous products and services offered in the Russian underground, tools and services for digital identity frauds and scam assume a relevant role. Digital identity is the result of several contributions, which includes our image, our profiles, our reputation, our attitudes, our social network credentials, and everything that could be used to identify us online.

Email accounts, social network accounts (e.g. Facebook, Twitter, LinkedIn), e-commerce account (e.g. Amazon, eBay) and credit card data are principal commodities offered in the Russia underground.

The Russian underground is the most prolific for the commercialization of stolen credit card data. Recently numerous individuals and organizations worldwide have been victims of card frauds. As explained in a past post on card frauds, the most common risky scenarios that expose users' data are:

  • Card "skimming" during a legitimate payment. Criminals use small electronic device dubbed a "skimmer" to swipe card data and store user's credit card information. Typically skimmers are placed in front of ATM card readers and used to intercept data about the transaction for payment at markets or in any commercial activity. The use of a skimmer is usually combined with the use of small keypads or hidden cameras to capture the user's PIN.
  • Phishing attacks, a threat that is becoming even more sophisticated and that is exploring new paradigms like social networking and mobile.
  • POS malware based attacks and malware based attacks in which criminals use malicious code to syphon payment data from Point of Sales and/or directly from the networks of the retailers and other victims.

Giving a look at the prices of credit card credentials offered on the Russian Black market, we can note a sensible decrease, especially for credit card data belonging to US citizens, and this could be justified by the huge amount of data available in various illegal forums.

Figure 4 - Credit card Credential Price List (TrendMicro)

The Russian underground is also the ideal place where members of criminal organizations could acquire a database containing a huge volume of credentials related to principal web services. This data could be used for financial frauds and also for cyber espionage purposes. For this reason, they are considered precious commodities and are within most searched goods.

In August 2014, experts at Hold Security revealed to have discovered the biggest database of stolen user names and passwords and email addresses, nearly 1.2 billion credentials and half a billion email addresses. The experts believe that the data was collected from the numerous data breaches that occurred all over the world in the last months and that hit around 420,000 websites.

Criminals were able to collect 4.5 billion credentials. Hold Security discovered many duplicates in the archive, but anyway it found that 1.2 billion of those records were unique and the archive included about 542 million unique email addresses. This is normal if we consider the bad habit to reuse the same credentials for different web services.

The bad actors who collected the amazing amount of data appears to be based in south central Russia, according to Holden. The expert also added that the cyber criminals do not seem to be connected to any government.

"The hacking ring is based in a small city in south central Russia, the region flanked by Kazakhstan and Mongolia. The group includes fewer than a dozen men in their 20s who know one another personally — not just virtually. Their computer servers are thought to be in Russia," reports the New York post.

"There is a division of labor within the gang … Some are writing the programming, some are stealing the data. It's like you would imagine a small company; everyone is trying to make a living.

"Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites … And most of these sites are still vulnerable," said Alex Holden, confirming that many of the targeted websites are still vulnerable.

Russian criminals are also specialized in the offer of hacking services for the most popular web services. The offer includes the possibility to hack social networking and email accounts with various techniques that range from brute forcing to social network hacking.

In the following table are reported the prices for such services. In this case, the experts haven't seen a significant variation in the last years. These services are usually on demand and request an effort that is not negligible due to the continuous security improvements adopted by service providers to protect their customers.

Figure 5 - Hacking services offered in the Russian underground (TrendMicro)

The Chinese Underground

The Chinese underground is considered by security experts to be one of the most active marketplaces where it is possible to acquire any kind of products. Illegal activity is rapidly increasing in China. A recent report published by the security firm TrendMicro reveals that underground activity in China doubled between 2012 and 2013, both with regard to the number of participants and product and service offerings.

China is mainly known for the cyber espionage activities conducted by its government. The number of state-sponsored hacking campaigns disclosed every year is impressive. Numerous APT groups are tracked by principal security firms and western government agencies, but the report highlights that the politically independent cybercrime is growing in China despite the government censorship.

"The barriers to launching cybercrime have decreased. Toolkits are becoming more available and cheaper; some are even offered free of charge. Prices are lower and features are richer. Underground forums are thriving worldwide, particularly in Russia, China, and Brazil. These have become a popular means to sell products and services to cybercriminals in the said countries. Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online "shops" harder for law enforcement to find and take down," states Lion Gu in the report titled "The Chinese Underground in 2013".

Trend Micro CSO Tom Kellermann confirmed that cybercrime has likely tripled in respect to 2012. Law enforcement and security firms uncovered numerous cyber attacks targeting Chinese capitalists.

The experts have been continuously monitoring the Chinese underground market since 2011. They analyzed more than 1.4 million instant chat messages related to activities in the market for the popular instant messaging (IM) QQ app alone. QQ Groups is a feature of an IM service provided by Tencent, which allows users to easily manage multi chat groups.

Figure 6 - Popular QQ Platform

Analyzing the popularity of various products and services offered in the Chinese underground market the expert noticed the greatest interest for the three following products/services:

Figure 7 - Most popular mobile underground products - TrendMicro

The Chinese cybercrime mobile underground market is the most prolific segment of the Chinese black market and it is focused on the sale and rental of products and services for cyber attacks on mobile platforms, mainly Android.

For example, an annual license for RAT ranges in Chinese underground costs from $97 to $258, meanwhile criminals could rent DDoS toolkits for $81 per month. As reported in the table below, a DNS server attack cost only $323 and a 10 GB Syn packets per day goes for $161.

Figure 8 - Chinese Underground Market Offer (TrendMicro)

A look at Chinese Underground Mobile Market

The most interesting segment of the Chinese underground market is related to the offer to attack mobile platforms. The Asian black markets today are able to provide a large number of services and tools for illicit activities.

The analysis of the evolution of the Chinese underground market led experts to believe that the entry level to launch cybercriminal operations is lower than ever. Toolkits are becoming more available and cheaper, attracting a growing number of players from any part of the world. In some specific cases, malicious tools are also offered free of charge.

Chinese underground forums are extending their proposal exactly like other black markets (e.g. Russian and Brazilian markets), causing the decrease of prices and the distribution of a growing number of malicious code. A mobile crimeware kit is sold for nearly 100 yuan ($16,400) and the selling of premium-rate phone numbers can be bought from 220,000 yuan (£21,400).

The primary reason for the rapid explosion of the mobile underground in China is the diffusion of mobile technology in the country. Nearly 81% of Chinese Internet users went online using their mobile phone in 2013, and at the end of 2013 there were 500 million mobile Internet users in China

[source 1="China" 2="Internet" 3="Network" 4="Information" 5="Center" 6="(CNNIC)" language=":"][/source]

Mobile spam is one of most attractive activities for cyber criminals. Mobile spammers send unsolicited bulk text messages ("SMS spam") to victims' handsets to advertise products or services or to spread phishing URLs.

The black market offers many solutions to take advantage the illegal practices, in the case of mobile spam most interesting products available in the various forum are:

  • GSM modem: A device that can send and receive text messages. A 16-slot GSM modem is available for approximately 2,600 yuan (US$430) each, can send up to 9,600 text messages per hour.
  • SMS server: A low-cost piece of radio frequency (RF) hardware that can send out software-defined radio (SDR) signals in GSM frequency ranges. The cost for a server is nearly 45,000 yuan (~US$7,400).
  • Internet short message gateway: A device that mobile network carriers provide to service providers to handle bulk-text-sending services. It costs 300 yuan (~US$50) for 5,000 text messages and could go up to 2,800 yuan (~US$460) for 100,000 text messages.

Figure 9 - Chinese Mobile Underground Products

Other products that are very popular in the underground market are the SMS forwarders. They are malicious codes specifically designed to bypass two-factor authentication mechanisms and steal authentication or verification codes sent via text messages. The offer is specifically for Android OS devices because they limit restrictions for code execution.

To advance the diffusion of Android malware in the Chinese market, there is the users' habit to download apps from Android third-party stores.

The price for the source code of an SMS forwarder is nearly $500. The malware is able to intercept incoming SMS from certain phone numbers, removing the intercepted message from the victim's device.

"They monitor text messages sent by certain phone numbers usually associated with online payment service providers and banks to intercept authentication or verification codes that they then forward to cybercriminals. Like premium service abusers, they also delete the text messages they intercept to hide traces of infection. If cybercriminals get hold of victims' usernames in certain sites, they can easily change passwords and take control of stolen accounts," states a report issued by TrendMicro.

Apple users are not immune. Spam services via Apple iMessage spammers could be acquired in a lot of 1,000 spam services for as little as 100 yuan ($16,400).

The mobile app development is probably within the most profitable businesses in these periods. Of course, it is crucial also to advertise the applications in the mobile stores to allow them to reach a wider audience, and the underground market has also a solution for this.

Another concerning phenomenon is the growing offer of boosting apps. App-rank boosting services are very easy to buy; to boost an iPhone app into the top five of Apple's China app store is 60,000 yuan (£5,800).


In this post we have analyzed in detail two of the most prolific underground markets, the Russian and the Chinese ecosystems, thanks to the report produced by principal security firms. In particular let me thank the colleagues at TrendMicro for the excellent research that they made on the topic

The first thing that we have to note is the difference between the two underground markets. Chinese groups are more available to the general public than Russians. Also communication channels adopted by Chinese criminals are rarely hidden.

The level of sophistication of solution and services proposed in both markets is high. For this reason, cyber criminals worldwide consider them a reference for the commercialization of illegal products and services.

While the Russian underground is mainly specialized in selling TDSs and offering traffic direction and PPI services, the Chinese underground is more oriented to mobile cybercrime. In both cases, cybercriminals have quickly adapted to technological developments and current trends.

Another element to consider is the rapid diffusion of model of sales like crime-as-a-service. The principal groups of sellers offer malicious codes and architecture for rent together with classic hacking services.

This model of sale is preferred by buyers because the criminals could easily arrange any kind of illegal activities without specific knowledge. "Customers" do not have to worry about running or maintaining malicious architecture typically used in such kind of activities.

My last reflection is related to the diffusion of hidden services hosted in anonymizing networks like Tor and I2P, which provide the presented product and services.

It is clear that the proposal of illegal products and services through the Deep Web is more oriented to specialized buyers and typically also the products offered are highly specialized. Hidden networks provide the excellent environment to cover illegal activities, but of course could reach a restricted audience.

"Cybercriminals are also making use of the Deep Web to sell products and services outside the indexed or searchable World Wide Web, making their online 'shops' harder for law enforcement to find and take down".

The security industry considers strategic the monitoring of the developments in the underground ecosystem. Through its monitoring, it is possible to anticipate trends
in the underground ecosystems and provide useful elements for investigations of law enforcement.


Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.