Deterring activity on hacking forums: Can we?

What if we all just promised not to do cybercrime?


I have recently written a dissertation - entitled “Deterring activity on hacking-focused cybercriminal forums” - for my final year of university, and not only that but I've even more recently gotten a first for said dissertation. If this doesn't qualify me to talk about this topic then it at least gives me the ego boost to do so anyway.

More or less, this article (and a future one - stay tuned!) will be that dissertation, but publishing it here frees me from the shackles of the tone required for a piece of academic writing. We'll start with a bit of context to explain what, exactly, I mean by hacking forums. Then we'll look at ways law enforcement aims to deter activity on these sites, as well as evaluating how successful (or unsuccessful) they are at achieving this. The fabled future article will go into the practical part of the dissertation: the research I carried out myself through a survey and my own recreation of a hacking forum, plus the results I got.

Spoiler alert: turns out university computer science students do not sign up in droves for in-person interviews. But I digress.



What is hacking?

Hacking is one of those words that doesn't really mean anything. It's broadly synonymous with cybercrime, until someone starts asking annoying questions like “is it hacking to cause zero damage to any computer systems, nor access anything without permission, when what you're doing with said legitimate access is scamming a pensioner online out of their life savings?”

In the UK, legislation deals with this problem by defining two things beneath the heading of “cybercrime”:

  • Cyber-dependent crimes - those which target computer systems and can only be carried out using computer systems. For example, see the ransomware attacks against M&S. When we talk about hacking, this is usually what we mean.
  • Cyber-enabled crimes - those which can be carried out offline, such as fraud and scams, but that can be increased in scale through the use of computer systems. It's not uncommon for hacking forums to have sections dedicated to these actions too.
We have ourselves a rectangle-square situation: all hacking is cybercrime but not all cybercrime is hacking.



What are hacking forums?

I refer specifically to hacking forums, i.e., those used to discuss malware, denial-of-service (DoS) attacks, ransomware attacks, and similar. Whilst acknowledging that these sites can host discussions on other topics (particularly online fraud), this focus differentiates them from forums centred on other cyber-enabled crimes, like drug marketplaces.

Hacking forums aren't the focus of law enforcement efforts just because they're platforms where users sit around and talk (or rather, argue) all day. Many of these sites are also used to sell data stolen in hacks or breaches, sell stolen credit card information, share malware source code, and offer any number of cybercrime-related services.

Some of these forums can only be accessed through the dark web, whilst others can be accessed through both that and the clear web. The clear web simply refers to the regular internet which you, reader of this article, are on right now. The dark web refers to the parts of the internet that require specialist software or authorisation to access, for example, by using the Tor browser. It's important to note that the dark web is not by itself illegal, nor does a site being hosted on it make said site illegal, but the anonymity it offers means many sites focused around illegal activities are hosted on the dark web.



So, what do we do about them?

Perhaps the most obvious answer to “How do we stop activity on hacking forums?” is to ensure there are no hacking forums online to be active on. But does that actually work as an approach?

Well...

One approach to doing this is by taking these websites down. Great!... unless the forum is hosted by a company based in a location where its contents aren't illegal. Even if, for the sake of argument, we say a given forum is based in a convenient jurisdiction, the website takedown process is a vast and many-headed beast. Various participants (targeted organisations, commercial bodies, law enforcement, industry regulators, etc) can jump through several hoops to have a website taken down, only for it to pop back up again with a slightly different name in a few weeks' time, if the request is carried out at all. One study found that over 14% of websites taken down during a monitoring period in 2019 were released back onto the market, and sometimes even re-purchased by the same owners who'd had them initially. It's also entirely possible that taking down hacking forums drives the users and operators of them further underground, into locations harder to monitor.

Okay, so, getting rid of these websites is a bit of a game of whack-a-mole. What if we just threaten to bring the whole weight of the law down on anyone who visits one?

First of all: good luck finding them! As mentioned, many hacking forums are hosted on the dark web, which is inherently anonymous. A not-insignificant amount of effort can be required to track down the user behind the screen, requiring specialist knowledge and skills, and usually international cooperation too. You can imagine that trying to arrest the operator(s) of prominent Russian hacking forum XSS is not likely to happen in the current geopolitical climate.

More than this, we have little evidence that threats of punishment actually work. One specific line I read in my research has stayed with me:

“For example, although some research reports that punishment severity decreases intentions to violate information security policies, technology misuse, and computer abuse (D'Arcy et al. 2009; Cheng et al. 2013), other studies find this effect in the USA only (Hovav and D'Arcy 2012), while still others do not observe this relationship at all (Hu et al. 2011).” - Deterrence in Cyberspace: An Interdisciplinary Review of the Empirical Literature, David Maimon

Uh-oh!

Other research points to the idea that potential cybercriminals don't believe law enforcement capable of following through on their threats and see them as lacking the ability to investigate cybercrime properly. Simply increasing the power of law enforcement is not the way to go either: agencies seen as overstepping their legitimacy are also seen as having less authority.

It can be easy to read the news and think “something is fundamentally broken in our policing system”, but after reading papers by people who know more about the topic than I do, I learnt that actually we've known our current system doesn't really work for a while now.

Well, that's a long list of things that seem to not really work. Is there anything that does?

I have to be clear - arresting people does, in a fairly objective way, stop them from being active on hacking forums. But this process is costly and impractical if you tried to arrest every single user, no matter how infrequent, of a hacking forum, to say nothing of the open secret about how many of those users are researchers or law enforcement themselves. (And, also, look at those links above. Is giving more power to the police really the answer? Do you really think that's been the missing piece this whole time?)

But back on topic. Trying to take down websites can be a temporary fix at best. Arresting users tends to be unfeasible. What you find more often is that disruption is seen as a suitable alternative to either of those.

The good thing about “disrupting activity” on hacking forums is that, much like hacking, the word can mean whatever you want it to mean. Arrests are disruptions, so are asset seizures, so is sticking a cardboard cutout of a policeman in your shop window. For the purposes of this article, we can use “disruption” to mean “anything not already talked about.”

Strategies such as the Dutch Hack_Right and the UK's Cyber Choices aim to encourage young people who might be falling into cybercrime to use their skills for other, more legal, means. There is also a lot to be said for targeted warnings (although most of the evidence of their success comes from offline situations, with little research done into their effectiveness or otherwise in cyber spheres) - interventions that aim to get across to the recipient that their actions have a cost and a possible consequence. At this point in my reading, another line stood out to me:

“First, the intervention should highlight the costs of offending (e.g. to future career prospects) but avoid threatening language. Second, it is best to focus on the wrongfulness of the act, rather than the actor (e.g. avoid stigmatisation). Third, those delivering the intervention should take time to listen to the recipient, hearing their side of the story, and treat them fairly and respectfully.” — Cybercrime Prevention: Theory and Applications, Russell Brewer, Melissa de Vel-Palumbo, Alice Hutchings, Thomas Holt, Andrew Goldsmith and David Maimon

Turns out people listen more when you talk if you don't go in shouting and screaming and slamming them with decades of jail time. Wow.

These techniques, however, tend to focus on people only beginning to be involved in cybercrime. It might be reasonable to point out that a seasoned vendor of stolen databases will not be put off by someone telling them that doing so is illegal. The final approach I'll look at here, then, is degrading trust in hacking forums and thus increasing the effort and risk required to engage.

There are lots of ways to go about doing this, most of which target hacking forums that also function as malware and stolen data marketplaces (which is a lot of them!). Typically, they make use of undercover operatives both active on and monitoring these forums. You could “lemonise” the market, i.e. introduce quality uncertainty and ensure that users selling high-quality products/services at higher prices can't stand out from, and thus can't compete with, those selling low-quality ones at low prices. Another option is a Sybil attack, where fictional users are created and give each other positive feedback. When real users try to interact with them, believing them to be genuine, they end up being scammed rather than receiving what they tried to buy. There are also a range of digital equivalents to the old “policeman cardboard cut-out” that work to remind visitors that they might well be being watched by law enforcement, with the aim of getting them to think twice before interacting. I mentioned, when discussing arresting key players on hacking forums, that the anonymity of these places is a major obstacle in the process. But that same anonymity can be used to great effect to break apart the chain of trust in a forum.

The first rule of deterring activity on hacking forums is to have fun and pretend to be someone else.



Finishing thoughts

The thing with giving a government or law enforcement agency the powers to restrict access to websites and to track users' activities online is that it quickly sets a dangerous precedent. I don't think anyone is arguing for their human right to use WannaCry, but if a body can define the illegal content that their population is unable to access then that's when you see online censorship growing worldwide. The solution to “people use the internet to talk about (and to actually commit) crime” is not, and should not be, “so let's do authoritarianism”.

To be clear, I'm not about to suggest we can stop all cybercrime ever by holding hands and agreeing to be friends. But when it comes to discouraging activity on hacking forums, there's a lot to be said for treating someone like a person whilst doing so.



Some suggested further reading

A. Hutchings, R. Clayton and R. Anderson, 'Taking down websites to prevent crime'. Can be found here

A. Hutchings and T. J. Holt, 'The online stolen data market: Disruption and intervention approaches'. Can be found here

D. Maimon, 'Deterrence in cyberspace: An interdisciplinary review of the empirical literature'. Can be found here
