Part 1

Forums in general

Forums on the dark web allow users to remain anonymous while freely discussing diverse topics including drugs, illegal goods and services, data leaks, hacking, child pornography, extremism, etc. Some forums are accessible without registration, and their contributors are more protective of their own identities, which makes tracking them harder.

On the other hand, some forums are strictly guarded, and users are allowed only if they are active and contribute constantly. Some forums put new members to a test or charge a fee for access. Others require an invitation from fellow trusted members, etc. Those forums appear well protected from a security standpoint. Such underground spots form closed societies of trusted members, which makes the information shared there unique, exclusive, hard to obtain, and valuable for preventing data breaches and other cybercrimes.

Underground forums suffering hacking attempts and breaches

At the beginning of this year, popular underground forums were hacked, leading to their data being publicly distributed or even put up for sale on the web. Nothing specific is known about the organization or the people behind those attacks.

The attacks happened in this order:

  • January 2021 – $150,000 in crypto was stolen and the entire user database was copied from Verified. The following note was posted by the admin of Verified.


The reaction from the Verified admin, which was to reset all user passwords and state that the stolen funds are not that much, is pushing vendors away from Verified. Trust is being further corroded by rumors that not only was this an inside job, but Verified has even stolen the private messages about the deposits and withdrawals occurring on their platform. Those allegations remain unconfirmed, but trust in the platform is certainly declining. The data contained a total of 3,801,697 users, including IP addresses.

  • 15 February 2021 – An administrator account was compromised and user funds were stolen from Crdclub.
  • 1 March 2021 – SSH access was gained to an anti-DDoS server at Exploit, followed by an attempt to dump network traffic.
  • 4 March 2021 – User data was stolen from Maza, and an admin account was used to redirect visitors to a page notifying them about the leak. The following warning message was posted on the forum:

Maza’s data leak was not the biggest, but the usernames there were connected with various platforms like ICQ, Skype, MSN, Yahoo, and AIM, which led threat intelligence analysts to link the data to public social media accounts, tying the users to their real personas. The importance of this hack lies in the fact that the Maza Faka forum launched in 2003, which makes it one of the oldest cybercrime platforms, active for almost two decades. The forum was mostly about stealing credit cards but continued to be a marketplace for all kinds of bank and financial fraud. The leaked information made 2000 sellers and buyers vulnerable and might reveal some of the oldest threat actors today.

  • 11 April 2021 – Access was gained to the complete database of the OG Users forum, which was later used for the personal gain of the hacker.

The seller appeared in another forum:

This resulted in the collection of user records and private messages of around 350,000 forum members.

Such forums have good security and are tailored to protect the anonymity of their users. Yet after all that happened this year, whatever the intentions behind the hacking of those underground sites, users understood that they are not safe enough and may demand and explore new and safer ways of communicating. The idea is to move away from the use of any PII (for example, emails to register), as it erodes anonymity.

More and more people consider these events the “end of the underground forums era”.

The place of Telegram in the underground world

Underground forums connect sellers, buyers, and groups with common interests. The instability of those platforms forces users to explore new venues for conducting their illicit activities. Messaging applications such as Telegram, to which the majority of those users are migrating, are a good example.
Cybercriminals are not yet moving away from forums for good; rather, they are using Telegram as a backup and a failsafe, which assures them that they will remain connected with their cybercriminal peers.

A sample of randomly selected posts in one of the biggest hacking forums shows that having a Telegram contact is now a must.

The posts below follow the same structure, with post content and a Telegram account for contact:

Tutorials on how to safely create a Telegram account are gaining popularity:

A new service is emerging in the form of a closed community that pays for courses and manuals.

The tendency of forums to promote Telegram groups/channels, created and managed by the forum’s admins under its rules, could already be seen last year.

Some bigger forums even created a button leading to their main group in Telegram:

Telegram gained popularity by promoting better encryption and safety for its users, which led many communities to choose it as their way of keeping in touch with each other. Telegram is the 5th biggest messaging platform, just behind two platforms owned by Meta (Facebook) and two others widely used in China, which makes it a better choice for hackers in terms of privacy.

Telegram groups can’t suffer from DDoS attacks directly, and infiltrating the admin account won’t affect the privacy of users’ data, since admins can control only a very limited number of settings for a given group. To hack a group in the app means hacking the whole platform. That layer of protection makes the chats and users more secure. Despite all this, hackers using Telegram are facing other problems that we’ll explore in future articles.
