The Strange and Highly Lucrative World of Cybercriminal Writing Contests

Father



Competitions on cybercriminal forums in Runet promise prize money of up to 80 thousand dollars. All of this happens almost openly, and afterwards the winners are head-hunted by hacker communities. Have you ever heard of this open secret?

I won't give you any links, just in case. And I don't recommend visiting these sites if you don't have good antivirus programs. But if anyone didn't know about this story, welcome.

So, there is XSS (formerly DamageLab), a Russian-language hacker forum created for sharing knowledge about exploits, vulnerabilities, and malware. It is similar to the English-language forum Altenen, which is mainly engaged in carding. And then there is Exploit, another similar forum, which at first glance is not very popular (topics regularly gather only several hundred views). Nevertheless, exactly two years ago it announced a contest for "articles about cryptocurrencies" with a prize pool of $80,000.

As a person who has written about cryptocurrencies, I can say that articles there usually pay about five hundred times less :) And there is only one secret: the "articles" that users ask for are guides, or at least personal stories, about scamming blockchain users. Writers, if they have certain talents, can earn very good money, because such "literary competitions" are held quite regularly.


Screenshot from the winning author's text

Attackers can be very resourceful, especially when they smell money nearby. And they also approach this task creatively. One hacker on the forum wrote a 50-page essay on how to invest in cryptocurrency and sell it at the right time to make a profit. Another compiled a guide on how to create a fake version of the site blockchain.com, which can be used to steal usernames and passwords. Yet another article, cryptically titled "Elegantly raising dads on Lavender," contained instructions explaining how to extract money from people who pay to watch webcam models perform.

You might imagine that the geniuses of the cybercrime world take part in these competitions. But their level can be judged by this fact alone: the winning Exploit text of 2021 is simply a guide to cloning blockchain.com, that is, how to create and distribute an ordinary phishing site, of which there are millions on the Internet. For the brilliant discovery that such sites work, the author received more than ten thousand dollars. 84 users voted for it.

In any case, these forums create a rather unusual collection of documents of the era. Cybercriminals try to make money by betting on their ideas, technical skills, or writing abilities. This is one of the most unusual aspects of Russian-language forums for online attackers. One could say it is part of their history: such "writing talent contests" among cybercriminals have been held in Runet for more than fifteen years. Like some kind of "Rvanaya Grelka" ("Ragged Hot Water Bottle", the Russian online short-story contest), only for hackers.

Case history


If you follow the history of such forum competitions, you can see that they began almost immediately after the launch of Exploit in 2005. True, the first competitions seem almost innocent in essence compared to what these forums organize today. Back then they were designed simply to "strengthen the community" of the forum. For example, in February 2007, Exploit participants were invited to take part in a quiz that included questions about the forum's history. The questions were in the style of "What was our first domain?" or "Did the site design change?"

These first competitions are characterized by the lack of a specific goal and by their small scale. Where today the prize pool is tens of thousands of dollars, in the 2000s a win brought at most 50 WMZ (WebMoney dollar-equivalent units). The same pattern repeats on other Russian-language cybercrime forums, such as XSS.

Today's contests usually require a demonstration of real skills and technical knowledge. Participants are often required to submit original articles containing videos, screenshots, or source code. But in the beginning, the main idea was "building a community". So, in January 2008, Exploit held a contest in which the user who stayed on the forum the longest and posted messages in a certain topic won 25 WMZ. In October 2007, participants were offered the chance to guess how many registered members the forum would have on a specific date.

Creativity was also valued in these early competitions. In November 2008, a contest for the best original desktop wallpapers was held. In March 2012, a prize of 50 WMZ was offered to the user who submitted the best hand-drawn image of what constitutes an "exploit". The biggest prize of those years was in a contest from December 2010, where users were asked to create an image that would best show what "Runet" is. The winner could win an iPad.

In December 2015, the Exploit administrator organized a contest for the best article on the topic "Using social engineering (SI) and NLP tools to install software on a user's computer". The winner received $1,000, and second and third places got consolation prizes of $200. After that, annual winter competitions on similar topics were born. The Exploit contest in December 2016 included a list of set topics that users could write an article on, including "malware", "phreaking", and "hacking". The prize pool was $2,000. In 2019, the rules were tightened, uniqueness requirements were introduced, and the prize pool was already $10,000.

Starting around 2015, all the contests began to focus on writing and submitting articles and code. Special attention is paid to things that "will bring people easy money," according to the research firm ReliaQuest. Accordingly, prize pools are also growing rapidly. The total prize pool for XSS in 2018 was $1,000, which was considered quite a solid figure. By 2020, it had grown to $15,000. At the same time, of course, nobody on such forums describes their best work, the most promising hacks, unless the authors are in a very difficult situation and need instant money themselves.

Texts are most often written in Russian, but sometimes forum participants translate them into English to show themselves to be "good members of the community".

One of the main differences between the early 50 WMZ contests and the current ones is the participation of the forum administration team. The first competitions were organized by individual members, but now they are run as a regular process. Similar sites that do not run their own contests on behalf of the administration do not see such active community involvement, at least according to the ReliaQuest researchers. So, the Russian-language hacker forum "Korovka" has not held an article contest since 2012, and the carding forum "Omerta" has no competitions at all. These forums, according to ReliaQuest, are less successful because "members of these sites do not show that they are working for the benefit of the forum and other participants."

Helping to develop the forum is one of the main driving forces behind the competitions: cybercriminal forums need to attract and retain members, and they want to present their site as a collection of "unique" articles, a valuable repository of irreplaceable information. Big prizes for winning articles help to create this facade: it can't be that so much money was paid for nonsense, right?


One of the examples in one of the winning articles: how to prevent detection of Cobalt Strike

The last competition on XSS was held between March and July 2022. The total prize pool was $40,000, and the winner received $14,000. Forum members were invited to submit articles on about half a dozen topics, including malware development, methods for bypassing antivirus and security products, methods for hiding malicious code, and social engineering techniques. The rules stated that "copy-paste = exclusion from the contest, with shame". The administration required articles to be longer than 7,000 characters and to have correct spelling and punctuation.

Meanwhile, the latest Exploit contest offered an even bigger prize pool, a total of $80,000. The Exploit rules stated that entries "must not be published anywhere else", must be "informative and voluminous", must include technical details such as code or algorithms, and must contain "at least 5,000 characters (excluding spaces)".

Examples of publications


The latest Exploit contest coincided with the peak of the cryptocurrency market. Therefore, the administration asked for exploits related to crypto, DeFi, NFTs, wallets, smart contracts and the like. In general, all the texts in the contest were about how to deceive crypto investors.

First place. We have already discussed the winner of this competition: a fake Blockchain.com, copied from a GitHub repository, for collecting user account data. The author explains how to set up the authorization flow on the cloned site and how to configure a reverse proxy server to get around the CORS mechanism.

Second place: "ICO: Wild Hunt Cost: $0, profit: $742"

In second place is another relatively simple attack, this time targeting initial coin offerings (ICOs), i.e. fundraising for the launch of a new cryptocurrency. The author provides guidance on finding suitable ICOs (they should be small, but with about 20,000 views per month), and then gives instructions on using well-known tools, such as sqlmap, to find and exploit SQL injection vulnerabilities in order to extract user data and tokens from their database.

Third place: "Extracting private keys and wallets"

A guide to creating a phishing site and processing confidential data related to cryptocurrency (secret words, wallets, etc.) via Telegram.

Honorable Mention: "Squeezing logs dry"

The author talks about analyzing logs (presumably logs of Trojans such as Redline or Raccoon Stealer, which collect stolen cookies, tokens, and browsing histories) in order to find information specific to the cryptocurrency world.

Honorable Mention: "Bitcoin Price Peak: When and where to Exit Cryptocurrency?"

The author, apparently desperate to get at least a few thousand dollars from the prize pool, writes a 50-page article (by far the longest in the history of these contests) on how and when to sell bitcoins. He delves into the psychology of investing, the economics of cryptocurrencies, and market cycles. The material does not include any information specific to the field of cybercrime. Nevertheless, he gets fifth place for his work.

The latest XSS contest was more diverse: forum members were invited to submit entries on about half a dozen topics, including malware development, antivirus evasion methods, ways to hide malicious code, and social engineering techniques. A very popular topic was Cobalt Strike: three of the seven award-winning works were dedicated to this legal pentesting (threat emulation) tool, which is often abused by attackers.

First place: "20 years of problems with payment acceptance"

The paper that won the XSS competition provides an overview of the vulnerabilities of electronic payment systems. It discusses the architecture of these systems and their typical weaknesses, including:
  • missing signature verification;
  • length extension attacks;
  • interception and modification of price and currency information;
  • business logic flaws;
  • rounding, overflow, and negative number errors.

Two things are particularly interesting in this article: 1) it gives readers "homework", encouraging them to try out various attacks on their own; and 2) it discusses a specific vulnerability in the XSS forum itself, as a result of which users could effectively generate cryptocurrency out of thin air.
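As an added example (not from the original post or from any contest entry), here is a defensive validator for a payment-provider callback that closes the weakness classes listed above: it uses HMAC rather than a length-extendable prefix hash, verifies the signature in constant time, and rejects tampered currency, negative, oversized or over-precise amounts. The message format, field names and shared secret are assumptions made up for the example.

```python
"""Validator for a constructed payment-callback (IPN-style) message."""
import hmac
import hashlib
from decimal import Decimal, InvalidOperation

# Constructed shared secret; a real one comes from the payment provider's merchant panel.
MERCHANT_SECRET = b"example-merchant-secret"
# Fields covered by the signature, in a fixed order (assumed message format).
SIGNED_FIELDS = ("order_id", "amount", "currency", "status")
MAX_AMOUNT = Decimal("1000000.00")


def canonical(params: dict) -> bytes:
    # Explicit key=value pairs and separators so that shifted field boundaries
    # ("10|0" vs "1|00") cannot produce the same signed string.
    return "|".join(f"{k}={params.get(k, '')}" for k in SIGNED_FIELDS).encode()


def sign(params: dict, secret: bytes = MERCHANT_SECRET) -> str:
    # HMAC, not sha256(secret + data): a plain prefix hash over a Merkle-Damgard
    # function lets anyone append data without the secret (length extension).
    return hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()


def validate_callback(params: dict, expected: dict,
                      secret: bytes = MERCHANT_SECRET) -> tuple:
    """Return (ok, reason). `expected` is what our own order record says."""
    # 1. Signature first, and in constant time: a plain == comparison leaks
    #    which byte mismatched through timing.
    if not hmac.compare_digest(sign(params, secret), params.get("signature", "")):
        return False, "bad signature"
    # 2. Business logic: only a "paid" status may release goods.
    if params.get("status") != "paid":
        return False, "status not paid"
    # 3. Price/currency tampering: compare against our own record, never trust
    #    the callback's idea of what was bought.
    if params.get("currency") != expected["currency"]:
        return False, "currency mismatch"
    try:
        amount = Decimal(str(params.get("amount", "")))
    except InvalidOperation:
        return False, "amount not a number"
    # 4. Rounding/overflow/negative: Decimal instead of float, finite range,
    #    positive, and no more precision than the currency's minor unit.
    if not amount.is_finite() or amount <= 0 or amount > MAX_AMOUNT:
        return False, "amount out of range"
    if amount.as_tuple().exponent < -2:
        return False, "too many decimal places"
    if amount != Decimal(expected["amount"]):
        return False, "amount mismatch"
    if params.get("order_id") != expected["order_id"]:
        return False, "order mismatch"
    return True, "ok"
```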

Second place: "Remote Potato Zero and Cobalt Strike"

A much more technical article based on the author's experience of attacking an Active Directory environment. The author was trying to escalate his privileges and claimed that Remote Potato in combination with Cobalt Strike is an effective tool for this in some environments, especially when combined with other tools such as Ngrok and Socat.

Third place: "How to disable Windows Defender (plus bypass UAC and upgrade to SYSTEM level)"

A guide to manipulating privilege tokens in order to disable Windows Defender. In particular, the author describes how he obtained administrative privileges via a UAC bypass.

Fourth place: "Hide your Cobalt Strike like a pro!"

A deep technical dive into various ways of hiding Cobalt Strike from detection. The author suggests methods such as using Tor and OpenVPN for the Cobalt Strike TeamServer, DNSCrypt, a domain randomizer, and a JARM randomizer. The author also provides a step-by-step guide to modifying the Cobalt Strike source code to obfuscate beacons.

Fifth place: "Cobalt Strike from A to Z"

Another article dedicated to Cobalt Strike, although not as extensive as its name would suggest. A forum member discusses using DLL interception in conjunction with Cobalt Strike.

Sixth Place: "Big-time Crypto Fraud"

Material on how to create smart contracts for covertly draining victims' tokens. The author also examines various methods of distributing malicious contracts, including airdrops, Discord, email, and malicious advertising.

Overall, both XSS and Exploit forums received a similar number of articles in recent contests: 35 for Exploit (3 prizes, 5 honorable mentions) and 38 for XSS (10 disqualifications, 7 prizes).

Americans are in shock


"These weird Russians are running text contests among cybercriminals." There is a general consensus about this phenomenon abroad.

Many foreign cybersecurity companies have built their reputations on researching what happens on such forums. They study what goes on there and publish their own reports on it; you can find dozens of them on the Internet. Experts interviewed by Wired say that "this is another way that the criminal world is adopting the best practices of the legitimate side of business." And they compare these processes with legal conferences and cybersecurity research events, such as Black Hat, DEF CON, and Pwn2Own, only in this case the contests are held among online attackers.

A Sophos study showed that the entries to the latest "literary" contests were very broad in both format and topic. At the same time, they note that free and publicly available guides on how to do most of the things described in the winning articles have existed for several years. That is, many people just want to grab a piece of the giant prize pool by sharing banal knowledge.

In one of the XSS contest entries, the author's experience of attacking Microsoft Active Directory and ways of hiding hacker tools from Windows antivirus were described in detail, which interested the researchers. Most of the articles discuss websites, payment systems, and cryptocurrencies. Only one (and not very popular) article was devoted to hardware: in it, the author wrote a guide to building a hardware cryptocurrency wallet, including photos and CAD drawings. This had nothing to do with cybercrime; instead, the person was trying to protect users' bitcoins and other cryptocurrencies from attacks. Hence, apparently, the relatively low rating of the article.

ReliaQuest is concerned that these contests can help create and strengthen organized groups of cybercriminals. Prize money is usually put up by the forum owners, but it is sometimes also provided by well-known cybercriminal gangs, such as the All World Cards carders and the creators of the LockBit ransomware. The XSS contest in 2022 was sponsored by an attacker using the nickname Alan Wake, who is associated with the Conti ransomware group. The message on the forum said that "if the sponsor likes your article, then after the contest ends, you will be offered a high-paying job in the Alan Wake team."

In general, as the researchers note, there was less innovation in the articles than they would have expected. Even the "top" articles often contained almost no new material and were just basic guides built on mostly public information. In Sophos's opinion, there was orders of magnitude less original research than at many well-known competitions in the cybersecurity industry. It was clear that the participants mostly came not to exchange opinions and improve their skills, but for the money.

"Winning or highly rated works tended to be either very simplified, with broad appeal, or focused on methods that could be quickly put into practice, even if these methods were not new. The fact that these entries were voted on by fellow authors may indicate that this reflects the preferences and priorities of the broader cybercriminal community."

Sophos says that perhaps the attackers simply do not want to publicly share best practices with each other. Instead, they keep their best research to themselves. Which makes sense if they think they can make more profit by using them in real attacks, rather than by participating in author contests.

Competitions on Runet criminal forums are a long-standing, though little-known feature of them, and most likely will continue in one form or another. But judging by the latest results, they are unlikely to be a hotbed for future breakthroughs and innovations.

Steal from a thief


It may surprise you, but semi-criminal forums themselves face a series of scandals and dramas.

So, in 2021, XSS, to the great dissatisfaction of its users, banned all topics promoting ransomware Trojans, in order to avoid unwanted attention to the site from law enforcement agencies. Before that, groups selling ransomware-as-a-service (RaaS), such as REvil, LockBit, DarkSide, Netwalker, and Nefilim, regularly posted ads on XSS to attract new "partners" to their operations. After a series of international scandals that attracted the attention of the FBI, the owner of XSS, known simply as "Admin", published a post stating that topics promoting ransomware would no longer be allowed on the site and that all existing ones would be removed. A similar statement was made by the Exploit admins. REvil and the other groups were, as stated on the forums, extremely "outraged" by the situation. However, over time they apparently found other ways to expand their network.

And in 2022, there was a real "stab in the back" on XSS: it turned out that some forum administrators were themselves profiting from the cybercriminals on the site (who would have thought!?). They scammed users who came to them for arbitration out of (seemingly ridiculous) sums of $80-120. Or users were promised "verified seller" status so that they could trade their malware, and never got it. And, of course, careless forum visitors could easily pick up a virus that steals their bitcoin wallet data.

At the same time, not all users who contacted the forum admins eventually became their victims. Some were "immune." As the cybercriminals themselves admitted, just in case, they did not choose as victims Muslims and "big shots" of the forum, whose problems could become noticeable.

The competitions themselves, they say, were not entirely clean either. In the last competition, Exploit had 35 entries, while XSS had 38. But XSS disqualified 10 of them, often without explanation. Contest winners are determined by a vote of forum members, but site administrators can also pick winners, and according to the cybersecurity firm Sophos, complaints about vote rigging are frequent.

Both Exploit and XSS claim that they select the contest winners entirely democratically. Entries that meet the requirements (i.e. are not disqualified) are put to a vote in which all forum users are invited to take part. But the process, as you would expect, lacks transparency, and it is unclear how much weight individual votes carry. There are opinions that, as a result, the admins' own proxies end up with the fabulous prizes. So, the Exploit admin wrote on his forum that "since there are frequent cases of fraud and vote fraud... the final decision will be made by the forum team and me in particular; we will definitely take into account the results of the general vote."

Did you know about such contests? What do you think of them?