The darknet community uses its own underground justice system to solve disputes that arise between one cyber criminal and another.

Crime and punishment for cyber criminals

In this underground justice system, a ‘case’ begins when two parties experience a disagreement. Analyst1 gave the example of a threat actor having purchased compromised network access from an initial access broker who had already sold that access to someone else. The buyer responded by asking for a refund, but the seller refused to fulfill their request.

The buyer can then choose to initiate action against the seller. First, they open a thread on a dedicated sub-forum. There, they provide details including a brief of the claim, the nickname of the defendant and the defendant’s contact information, such as their email address or Telegram profile. They must also provide evidence such as screenshots, receipts of cryptocurrency transactions and more to support their claim.

At that point, the accuser must wait for a forum administrator or other high-ranking authorized cyber criminal to accept the role of arbiter over the case. The assignment of an arbiter creates an opportunity for the defendant to present their side of the story and offer a counterclaim.

If the arbiter rules in favor of the defendant, then that’s as far as the case goes. There’s no need for reparations of any kind. But if the arbiter convicts the defendant, the party will be required to comply with the verdict. They have to compensate the accuser in a certain amount of time or risk being banned from the underground forum.

Over the course of the case, every forum member has the right to comment on the proceedings. But they serve no purpose other than bearing witness to the proceedings. They have no influence over the outcome of a dispute.

Cyber criminal laws: Avoid ransomware

Analyst1 noted that the cyber criminal justice system they observed has banned all cases involving ransomware-related topics and disputes since May 2021. It’s clear why when you look at what was going on with ransomware at the time.

Namely, following a security incident involving a pipeline company, the DarkSide ransomware group ceased operations. Someone seized control of its servers and drained them of the funds set aside for paying their affiliates.

XSS, a Russian cybercrime forum, announced around that time that it would no longer allow posts and threads pertaining to ransomware. Others followed suit. Exploit, another cyber criminal forum, announced that ransomware gangs could no longer use its threads to hire affiliates and/or advertise their programs, reported Bleeping Computer.

What this means to organizations

Cases in the cyber criminal justice system can help to provide insight into where digital attackers’ priorities lie. They show what attack techniques they might be using to target organizations.

In response, security teams might consider integrating darknet intelligence into their security programs. This can help organizations to anticipate emerging threats and protect themselves accordingly.