Underground arbitration system settles disputes between cybercriminals.
Blocked from legitimate courts, cybercriminals have set up their own system for settling disputes, handing over ultimate decision-making to senior underground forum administrators who have awarded claims totaling as much as $20 million.
A new report from Analyst1 details activities inside these underground systems and found more than 600 requests for mediation on just one Russian-language forum alone, tackling disputes ranging from missing affiliate payments to contract violations.
We want to know what your biggest cloud security concerns and challenges are, and how your company is dealing with them. Weigh in with our exclusive, anonymous Threatpost Poll!
“Over the last decade, thousands of cases were examined and the proper verdicts given,” the analysts reported.
How the Cybercrime Court Works
To file a complaint with the cybercriminal court in one large underground forum, the user is required to open a thread, and then provide the username of the defendant and their contact information, according to Analyst1:
“The plaintiff will submit qualified evidence, including any chat logs, screenshots, cryptocurrency transactions, and similar relevant information,” the report explained.
The defendant then can present their side of the claim, followed by a “cross examination” by the assigned arbiter, who is typically one of the forum operators or administrators, Analyst1 added.
“Like in real litigation processes, the trial can end with different verdicts,” the report said. “In a case that the defendant is innocent or there is not enough material for a hearing, the case will be closed with no money or currency exchanging hands.”
Failure to comply with the verdict will lead to the cybercriminal getting banned from the forum, the researchers said.
“For the transparency of the process, every forum member has a right to comment and participate in the virtual hearing process,” the report explained. “While they have the right to participate, these regular forum members do not act as grand jury and have no influence on the process.”
High-Profile Cybercriminal Court Disputes
There have been several high-profile squabbled settled by these cybercriminal courts.
Last May, Huntress noticed that DarkSide ransomware group affiliates were filing claims in these cybercrime forum courts for not getting paid for their work after their operations were disrupted in the wake of the Colonial Pipeline breach. At the time the Huntress characterized the forums as a “shady version of the People’s Court.”
In April, Analyst1 noticed two Conti affiliates were accused of violating an agreement when they breached and encrypted a U.S. school network and sued for $2 million. The report said the claim was ultimately rejected by the assigned forum arbitrator.
The researchers noted that amid the complaints, they’ve seen disputes settled against REvil and NetWalker that resulted in awards as high as $20 million.
“The threat actors understand that if they provide untrustworthy products or services, they will be held accountable and find their nickname on the [arbitration] thread title,” Analyst1’s researchers wrote. “In the event of losing the case, they will lose their reputation and will need to start a ‘career’ all over again.”
There’s a sea of unstructured data on the internet relating to the latest security threats. REGISTER TODAY to learn key concepts of natural language processing (NLP) and how to use it to navigate the data ocean and add context to cybersecurity threats (without being an expert!). This LIVE, interactive Threatpost Town Hall, sponsored by Rapid 7, will feature security researchers Erick Galinkin of Rapid7 and Izzy Lazerson of IntSights (a Rapid7 company), plus Threatpost journalist and webinar host, Becky Bracken.
Register NOW for the LIVE event!