Lurking on underground forums has revealed insight into the methodology behind cyberattacker targets -- as well as what criminals say to do if, or when, they are caught.
Released on Monday, research conducted by the Digital Shadows cybersecurity team on dark web forums explored the discussions between black hat hackers and the exchanges made in how to avoid jail, what do to when they are on law enforcement radars, and the bullish nature of many when it even comes to the prospect of arrest.
In February, in an interview between a lone LockBit ransomware operator and Cisco Talos, the cybercriminal said that the "best country" to be in for this occupation is Russia, but "underappreciation and low wages drove him to participate in unethical and criminal behavior."
While trawling Russian-speaking underground forms, Digital Shadows was able to obtain further insight into this idea, in which law enforcement "will not care" if the US or EU are targeted -- but the moment any former Soviet Union nations are involved, they will "hunt you down."
When it comes to foreign travel, forum users believe this apparent peace deal only lasts as long as you don't cross the border. One poster said:
"[Cybercriminals] live peacefully in Russia, decided to go on holiday abroad -- and that's it, they don't even make it out of the airport without the cuffs on."
Operational security (OPSEC) practices are also widely discussed, with forum users exchanging ways to avoid arrest and stay anonymous. Numerous threads mention everything from virtual to physical security options, but one common topic of discussion, in particular, is widely debated.
Hard drive encryption or deletion is sometimes cited as a way to stop law enforcement investigations in their tracks. However, not every forum user is so sure, with one saying, "if it were all as simple as that then major cases would never be solved."
Early mistakes in criminal careers also appear to be causing some sleepless nights, with poor OPSEC when starting out being a difficult issue to remedy.
"Many a threat actor's downfall stemmed from poor OPSEC practices when they first decided to don the black hat, such as using a spouse's email address, forgetting to mask their IP, or letting their real name and address slip," the researchers say. "And once you realize your mistake, it might be too late."
In addition, discussions have taken place over collaboration. While many believe that other dark web forum users will "sell out" each other, others say that forging ties with others in the criminal industry can push threat actors up the pecking order.
Digital Shadows noted that allegations are flying thick and fast that English-speaking criminal forums and marketplaces are becoming little more than police honeypots. Some forum users said that "sooner or later," law enforcement will obtain information on them, and others relayed concerns over potential police violence on arrest.
Others appear, at least online, to have a rather bullish attitude to the prospect of prosecution at all. Laws worldwide are still catching up with the evolution of cybercrime, and for some, corrupting law enforcement and saving enough to pay bribes and avoid prosecution is a possibility.
As one forum user quipped, "a good lawyer knows the law, a better one knows the judge."
"Cybercriminals, just like the organizations they target, must always have one eye on their security practices," the researchers say. "There are so many things for them to worry about and ways they can slip up..It must be pretty tiring. Threat actors must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them. "
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0