Darknet 2.0: Underground Forums Have Transformed into High-Tech Ecosystems

Марина Онегина Exclusive
The research by Positive Technologies has shown that shadow forums have evolved into high-tech ecosystems with a well-organized economy. Participants see only part of the information, and access to closed sections requires building a reputation and passing through numerous checks. Complex cyberattacks are now available as products that can be ordered through Telegram bots without any special knowledge.

The complexity of countering such forums lies in their multi-layered structure and social organization. Newcomers do not have access to all data, and gaining status in elite sections requires time and effort. This shifts the focus of information security specialists from technical analysis to studying the social behavior of participants.

Experts from Positive Technologies investigated closed forums on the darknet and concluded that they have become high-tech ecosystems with a developed economy and a complex protection system. Their research is based on data from shadow forums, information from law enforcement agencies, and monitoring of hacktivist Telegram channels. Modern underground platforms represent an entire shadow market of services, making cyberattacks more widespread and accessible.

Unlike simple phpBB-style forums, current communities build distributed systems with a multi-layered architecture that match legitimate services in terms of security. These forums are constantly evolving, improving through a kind of natural selection. Closing one platform only leads to the emergence of a new one that takes into account the mistakes of its predecessors, creating an arms race between cybercriminals and law enforcement agencies.

Modern platforms are hybrid systems: their operators reject standard solutions and build their own platforms. For example, the well-known English-speaking forum Dread was specifically designed to operate on the Tor network, making it more secure against hacks and analysis. Law enforcement agencies face difficulties because each new platform has its own unique architecture.

Forums currently operate in several locations simultaneously, having hidden servers in Tor and regular websites on the open internet. When one domain is blocked, users quickly switch to backup addresses that are pre-published in Telegram channels. This distributed structure provides them with high resilience to blockages and surveillance.

Protection against bots and scanners has reached a new level. The forums have implemented complex captchas, JavaScript challenges, request rate limits, and hidden markers in HTML code for tracking the copying of information. In case of suspicious activity, users are blocked or forced to undergo re-verification. This requires cybersecurity specialists to shift their focus from technical analysis to studying participant behavior.

An interesting feature of these communities is the multi-level access system. Newcomers can see only limited data, and to gain access to closed sections they need to secure recommendations from veterans or pass an interview. This creates additional difficulties for law enforcement and researchers, who have to stay in character for a long time to gain access to closed data.

The economic model of these forums has turned into a full-fledged industry. Most platforms have built-in guarantor systems for secure transactions, internal cryptocurrency wallets, and automated payments. Some forums offer arbitration services and escrow services with commissions. Bitcoin remains the primary currency, but for large transactions, Monero is increasingly chosen due to its anonymity. Platforms earn from service fees, selling VIP statuses, and paid access to exclusive sections, and on large forums, users' internal accounts can hold significant amounts, reaching hundreds of thousands of dollars in cryptocurrency.

The Economy of Shadow Forums: Transaction Schemes

The danger lies in the service models that these forums have created. The availability of complex solutions, including exploits and botnet rentals, allows attackers to scale their attacks with minimal personal involvement. Complex cyberattacks are now offered as ready-made products, significantly lowering the skill requirements for those who carry them out. Deep specialization and process automation make these threats relevant for companies of all sizes.

Many forums are integrated with Telegram and have their own bots for automating processes. With their help, users can make transactions, receive notifications about new messages, or even purchase goods without entering the forum itself. This creates a whole ecosystem where the boundaries between different platforms become blurred.

Administrators strictly adhere to security rules. They avoid direct access to servers, use VPNs and Tor, work through intermediary computers, and are wary of any action that could reveal their identity. Even the slightest mistake can lead to arrest, as was the case with the creator of Silk Road, who used a personal email address.

Interestingly, the community itself serves as an additional level of protection. Regular participants of the forum quickly notice strange behavior from newcomers and can identify an infiltrated agent by their manner of communication or inappropriate questions. In one such case, after the arrest of the administrator of the well-known forum XSS, its moderators suspected that the platform had come under the control of law enforcement, publicly announced this, and created a new forum called DamageLib.

Forums do not exist forever. Sooner or later, they are closed by law enforcement, hacked by competitors, or they disband due to internal conflicts. But communities continue to live—they migrate to new platforms. Administrators prepare backup servers in advance, save backups of databases, and keep spare communication channels. When the main site is closed, a new address appears within a day, and most users move there.

A new trend is emerging—the creation of temporary forums that operate for only a few months and then close at their discretion. While the platform is new, law enforcement does not have time to infiltrate, and administrators avoid leaving traces. After closure, the former team opens a new forum after some time and invites trusted participants.

Researchers suggest that in the future, forums will become even more distributed and automated. Active use of artificial intelligence for moderation and participant verification, decentralized data storage systems, and integration with various messengers are expected. Elite communities will become even more closed, and temporary forums will become commonplace.

The main conclusion of the research is that underground forums have ceased to be chaotic formations. They are dynamically evolving platforms with their own rules, economy, and social structure. The technical and organizational resilience of these platforms significantly complicates counteraction against them. Understanding the mechanics of the shadow market becomes the basis for proactive protection capable of anticipating threats rather than merely reacting to incidents. Cybersecurity specialists need to continuously update their methods and quickly adapt to changes in this dynamically evolving environment.