Part 2

Past and recent big forums.

Underground forums and marketplaces are not constant. New forums are showing up, meanwhile, existing ones are being hacked, seized, or simply shutting down. When a forum has a large number of active users and has been around for a long time, it becomes more popular. Over time some online communities build more trust and have more users and traffic on the site. As a result, there is indeed a hierarchy, featuring 2-3 forums at the top holding all of the contents from smaller forums.

Leak Forums was one such example. In 2017, this was a very popular underground forum. Mainly used for the exchange of leaked databases.

The forum was influential at the time but closed soon after it removed its most popular section ”Leaks” in 2017 with little to no reason. Despite that it is still ranked 26th overall for the number of posts throughout all forums as well as third in the online communities category today.


Many individuals were curious about what happened at the time so conversations started appearing on other sites.

Shortly after, the traffic was redistributed across other popular forums from the same year. Discussions started to appear in most of them trying to figure out what happened. As a response, there have been heated debates regarding which platform should be used to replace LeakForums, as well as members disagreeing about their identities as sellers from the now-closed LeakForums.

For a forum to shut down isn’t rare, and we can anticipate it to happen to the current bigger communities sooner or later. RaidForums is the most popular hacking forum currently. But what if RF decided to actually retire?

One of the scenarios is yet again all smaller forums dividing the hacking public within them. The discomfort lies in the inability of known hackers and sellers from RF for example to prove their identity to the new forums. They don’t have a particular way of identification since this is contradictory to keeping their anonymity. Alternatively, this time another migration may occur.

Telegram migration.

As shown in the previous story, forums are adopting the idea of Telegram as a messaging service since it’s more chat-oriented and can be used for faster communication. Leading to greater communities being born and spread there. Users in forums are promoting their Telegram account, or sometimes even their Telegram groups.

For example the following user:

  As per examination and monitoring of Telegram a lot of unique content could be found, not only unknown methods and ideas, but unknown breaches and databases leakages even potential vulnerabilities. Most of the known sellers which are having their own groups in Telegram, and are sharing more data in the group than in the forums, giving more clues about a vulnerability or simply just answering faster. 

Telegram groups are also facing issues in the platform.

For example, the following message was seen on one of the hacking groups:

Admins in Telegram are well prepared for situations like that and are having backup channels/groups.

This particular group just continued in the backup group and the following communication was detected:

Some groups’ bots are being copy striked:

Or even the whole group:

Although there are issues affecting the use of Telegram, hackers are adapting fast and are using the following techniques to overcome the platforms’ copyright strike methods.

  1. Having back up channels or groups to just make the transition if something happens.
  2. As RF official group in Telegram is approaching the issue:

Using Telegram’s group features to automatically delete messages daily. Making them immune to the copyright strike since their group is not containing anything illegal as it is just deleted after 24 hours. Many groups are following this method to protect the group as a way of communication.

Users are using forums more and more as announcement boards for their channels and groups releasing just the information that they have specific data and encouraging the people that are interested in it to contact them through Telegram as they prefer to use it as the platform for communication. As their Telegram network is growing they rely less on forums and when one is pulled down they already have established connections with each other with verified identity behind each profile or group. Which may make Telegram the direction hackers may look at this time.

We already know that it’s not a rare occurrence for a big hacking forum to disappear without a warning, and this gives us the opportunity to try and predict what will happen after that. Seeing Telegram become more popular as a secondary chatting application and even the start of some communities outside of forums not just as a secondary app but the main place for communication helps us enforce that prediction that migration is happening and that Telegram is the place where people will go to when a forum ecosystem is left in the past. We are not sure if this is a temporary or permanent move of the platform as something new might happen that changes everything.

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment