Dark Web Monitoring (Part 2)

Abdelkader BEN ALI
9 min read · Aug 24, 2020

This is the second part of the Dark Web Monitoring series, in which I cover Dark Web forum monitoring in depth.

In this article, I will explain why we focus on Dark Web forums, which topics are most discussed (by analyzing the Club2CRD and DWF forums), which communication and payment methods cybercriminals use, how reliable vendors are and, finally, an in-depth forum analysis methodology.

For those who haven’t read the first part of the Dark Web Monitoring series, it is available here.

Important note!! The information provided in this article is for educational and informational purposes only.

Why Dark Web Forums?

Dark Web forums are frequented by hundreds of thousands of active hackers and cybercriminals who discuss and share information about businesses, vulnerabilities, exploits, and more. That makes them a very interesting place to look for our compromised data and identify probable threats.

Beyond information sharing, many services are marketed on Dark Web forums, such as hosting, hacking, and anonymizing services. Identifying these services and their providers is valuable. Take the example of a provider who offers bulletproof hosting: by identifying such a provider, we can perform OSINT and identify all the hosted domains, which will likely be malicious.

Dark Web Forums Categorization

The Dark Web hosts a large number of forums, which differ in the number of active users and the topics covered.

As a Dark Web researcher, I consider a forum interesting when it has a large number of active users and covers hacking, fraud, anonymization and hosting topics.

Most discussed topics

To identify the most discussed topics, you need to take a look at several forums. Below is a list of Dark Web Forums:

  • Club2CRD (Members: 159,576, Threads: 54,529, Posts: 321,584)
  • DWF (Members: 3597, Threads: 931, Posts: 7,218)
  • Onionland (Members: 15,852, Threads: 9464, Posts: 28,107)
  • Jean Valjean Forum (Members: 298, Threads: 5913, Posts: 17,592)
  • CryptBB (Members: N/A, Threads: 568, Posts: 2,771)

Other interesting forums can be found on the Surface Web:

  • Altenen (Members: 717,906, Threads: 539,749, Posts: 2,846,213)
  • Carding Forum (Members: 188,814, Threads: 214,371, Posts: 478,174)

For the purpose of this article, I will show you the Club2CRD and DWF forums.

Forum 1: Club2CRD

Club2CRD is a forum dedicated to carding, real shopping with dumps, dumps, pin cashout, ATM hacking, trojans and keyloggers, hosting and anonymization, programming, among many other things.

Country: Russia.

Languages: Russian and English.

Access requirement: membership (by registration).

Creation Date: Jul 8, 2016.

Probable Founder: AQUA (he is the only administrator and the oldest member).

Forum Statistics:

  • Members: 159,576
  • Threads: 54,529
  • Posts: 321,584

Onion Address: http://crdclub4wraumez4.onion/

Surface Web Mirrors: https://crdclub.su, http://ww.crdclub.cc/

Membership Types: Administrator, Super Moderator, Moderator, Old Member, Senior Member, Member, Junior Member, vendor of: service.

User Ranking: Through a reputation attribute.

Club2CRD topics:

In Club2CRD, there are several forum sections where different types of topics are discussed.

Note!! Four sections of the Club2CRD forum will be covered in this article.

Verified services Section

This section is dedicated to vendors who want to sell services such as CC dumps, hosting, spam, servers, DDoS and security services.

Based on the number of posts, CC and CVV services are the most sold.

Note!! Most of the services exist on the Surface Web, but they are marketed on Dark Web Forums.

Let’s check one of the services ;)

In the screenshot below, a provider is marketing (in two languages) an anonymous VPN service called DeepWebVPN that saves no logs.

The vendor wants to attract cybercriminals who want to hide their location and make sure their activities will remain anonymous.

International Forum Section

This section is dedicated to discussions on news, job offers, carding, anonymity, hosting, hacking, etc.

Based on the number of posts, anonymity and security are the most discussed topics.

Forum for Russians Section

This section is similar to the International Forum section, but it is dedicated to Russians, so it is in Russian.

Based on the number of posts, cashing is the most discussed topic.

Freebie Section

This is an interesting section where users exchange CC numbers, credentials, PayPal accounts, free SMTP and personal information, and even discuss the creation of hacking groups.

Below is an example of personal information taken from this section, where a woman’s full name, date of birth, social security number, emails, bank account, vehicle model and addresses have been shared. With this information, anyone in this forum can impersonate this woman!!

Beyond data sharing, some criminals even provide tutorials on how to commit crimes. In the example below, you will find a tutorial on fraud.

Forum 2: DWF

DWF (Dark Web Forums) is a forum dedicated to making money on the Internet and to sharing knowledge about carding forum, malware modification, hacking, Dark Web security, webmasters programming, cracking, among many other things.

Country: Not identified.

Languages: English only.

Access Requirement: Membership (by registration) + some sections require VIP subscription.

Creation date: January 30, 2020.

Founder: t0r (DWF FOUNDER is mentioned on his profile).

Forum Statistics:

  • Members: 3597
  • Threads: 931
  • Posts: 7,218

Onion Address: http://dwforumsmrcqdnt3.onion/

Surface Web Mirrors: https://darkwebforums.org/ (currently unavailable)

Membership Types: FOUNDER, ESCROW ADMIN, Administrator, SUPER Moderator, Verified Seller, Senior carder, Junior carder, VIP MEMBER, active carder, well-knowen carder, etc.

User Ranking: Through awards such as Active CC Poster Award, Hard Worker Award, Good Member Award and many more.

DWF Topics:

In the DWF forum, there are several forum sections where different types of topics are discussed.

Note!! Four sections of the DWF forum will be covered in this article.

Premium Paid Section

This is a paid section where free PayPal accounts, credit cards, bank accounts and dumps are shared with VIP members (VIP membership cost: $40.00).

Carding Zone Section

This section is dedicated to sharing free credit cards and database dumps, as well as carding tutorials, tools, fake IDs and passports, and many more.

The majority of the content is hidden from non-VIP users. To see the hidden content, you must react and comment on the posts. (Tracking 😒)

Below is a verified PayPal account in Canada with Fullz, taken from the Carding Zone section.

Below are American Mastercard details, also taken from the Carding Zone section.

Premium Accounts Section

This section is dedicated to sharing or selling premium accounts, for example Netflix and Spotify accounts.

Hacking & Cracking Zone Section

This section is where hackers exchange knowledge, tools and even information on their victims.

Below, a hacker was able to compromise an MSSQL database and shared credentials.

Let’s quickly recap: we have found that many interesting topics are discussed on Dark Web forums, such as carding, dumps, hacking, cracking, hosting and anonymization.

Communication Methods

Different methods of communication are used by cybercriminals in Dark Web forums, such as:

  • Jabber
  • ICQ
  • Telegram
  • Emails
  • Forum Private messages, etc.

Payment Methods

Vendors on Dark Web forums accept different payment methods:

  • Bitcoin
  • Litecoin
  • Ethereum
  • DASH
  • Zcash
  • Credit card (Mostly compromised), etc.

Are vendors reliable?

The majority of vendors on Dark Web forums are scammers who offer non-existent services just to steal money from the victim (someone looking for credit card dumps or premium accounts 😋). For this reason, a reputation attribute is associated with each member in the majority of forums.

When a member gets scammed or identifies a probable scammer, he should downgrade the scammer's reputation attribute and report him to the administrators or moderators, who have the privilege to ban.

In known forums, vendors’ services must first be verified by administrators.

Below, a Club2CRD member discovered a scammer, so he warned mak (Super Moderator).

In-depth Forum Analysis Methodology

This is the most interesting section of the article, where I will show you how to take advantage of the information available on Dark Web forums.

The first step in dealing with each forum is to look for the presence of important topics (hacking, fraud, hosting, etc.) and identify what information is available about users. To be clear, I will continue to work on the Club2CRD forum.

If you visit the Members List page, you will find valuable member information including username, member type, join date, last visit, number of posts, reputation and credits. If you click on a username, you can get more details about the member, such as all his posts, all threads started by him and his contact details (Jabber, ICQ, email and in some cases websites owned by him).

A lot of people confuse threads and posts, so let me clear it up.

A Thread is the initial starting post.

A Post is a reply to a Thread or a reply to a post within a thread.

A clear example: a CC vendor willing to sell his dumps starts a Thread, “fresh and valid CC”. Someone interested replies to the vendor's thread, “i need to test first”. The reply is called a Post.

Post and Thread analysis

Based on a user’s posts and threads, we can identify his interests and look for our data. Additionally, we can identify relationships between members based on their posting interactions, as it all starts with replies and ends with private messages, Jabber, etc.

User contact info

It is true that using communication methods such as Jabber and ICQ will guarantee anonymity, but as you know, they are unique identifiers. So we can take advantage of them to track users on other forums, even when they use different usernames.

To be clear, I designed the graphic below:

Suppose there are 2 users, Mark and Paul, in the Club2CRD forum. Mark started a thread to create a hacking group, Paul replied that he is interested in joining, then Mark responded to Paul telling him to get in touch privately. Based on their interaction, we can create a COLLABORATION link between them.

Suppose we have analyzed the DWF and Club2CRD forums and found a match in the ICQ contact between user Jhon (in the DWF forum) and user Mark (in the Club2CRD forum). We can therefore confirm that both profiles belong to the same cybercriminal.

Note!! The analysis process will not be manual!! Everything will be automated.
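
The two link types described above (COLLABORATION from reply interactions, and same-actor matches from shared contact identifiers) can be derived from already-collected records as in the following sketch. It is an added example, not the author's tooling: the record layout, function names and all handle values are assumptions constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample profiles (not real forum data); field names are assumed.
PROFILES = [
    {"forum": "Club2CRD", "user": "Mark", "icq": "123-456-789", "jabber": "Mark@Example.im"},
    {"forum": "Club2CRD", "user": "Paul", "icq": None, "jabber": "paul@example.im"},
    {"forum": "DWF", "user": "Jhon", "icq": "123456789", "jabber": None},
]
# Constructed posts: (forum, thread_id, author, reply_to); None marks the thread starter.
POSTS = [
    ("Club2CRD", 1, "Mark", None),    # Mark starts the thread
    ("Club2CRD", 1, "Paul", "Mark"),  # Paul replies that he is interested
    ("Club2CRD", 1, "Mark", "Paul"),  # Mark answers Paul
]

def normalize(kind, value):
    """Canonical form so '123-456-789' and '123456789' compare equal."""
    if not value:
        return None
    if kind == "icq":
        return "".join(c for c in value if c.isdigit()) or None
    # Simplification for this example: compare Jabber IDs case-insensitively.
    return value.strip().lower()

def same_actor_links(profiles):
    """Pairs of (forum, user) profiles that share a contact identifier."""
    owners = defaultdict(set)
    for p in profiles:
        for kind in ("icq", "jabber"):
            key = normalize(kind, p.get(kind))
            if key:
                owners[(kind, key)].add((p["forum"], p["user"]))
    links = []
    for (kind, _key), accounts in owners.items():
        for a, b in combinations(sorted(accounts), 2):
            links.append((a, b, kind))  # keep which identifier matched
    return links

def collaboration_links(posts):
    """COLLABORATION: two members of one forum who each replied to the other."""
    replied = set()
    for forum, _thread, author, reply_to in posts:
        if reply_to and reply_to != author:
            replied.add((forum, author, reply_to))
    return sorted({(f, *sorted((a, b))) for f, a, b in replied if (f, b, a) in replied})
```

Each same-actor link keeps the identifier type that produced it, so an analyst can see whether a match came from an ICQ number or a Jabber ID when reviewing it.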

The following article describes in detail the proposed crawling system.

Copyright © 2020 Abdelkader Ben Ali, All Rights Reserved.

Abdelkader BEN ALI is a cyber threat intelligence analyst @spiderSilk.
He is passionate about designing, developing and implementing customized Python-based tools and extending open source projects in order to simplify and automate security analysts' daily tasks.

You can connect with him on LinkedIn and Twitter.