Cybercrime Economy

AN ANALYSIS OF CRIMINAL COMMUNICATIONS STRATEGIES

BY LEROY TERRELONGE III

CONTRIBUTIONS BY MAX ALIAPOULIOS

Image 1 - The cybercriminal ecosystem (roles shown in the diagram: Kingpin; Operations Manager; Finance Manager; Mule Ops; Payment Systems SME; Product Manager; […]master; Sr Developer; Design/UI; AV CI/Crypting QA; Bulletproof Hoster; Analytics; Traffic Herder; Sr Loader Dev; Sr Bot Dev; Exploit R&D; Redirect Ops; Ad Broker SME; Spammer)

In the continuous game of cat and mouse between cybercriminals and the information security community, the criminals have long understood that they can act much more effectively together than they can individually. In addition, cybercriminals’ unrelenting drive to conceal their activities presents countless challenges for organizations seeking to protect themselves from cyber threats. Often operating within the exclusive confines of the Deep & Dark Web, cybercriminals are known to utilize various tools to engage with one another and advance their tactics all while evading detection. In order to provide greater visibility into the interconnected nature of the cybercrime economy, this paper examines the most common communication strategies and tools used by cybercriminals across seven different communities.

First, criminal communities provide a place for actors to collaborate by sharing tips and tricks that help them defeat security measures and evade detection. Indeed, criminal communities resemble research communities in that each member of the community can learn from the successes and failures of other members.

Second, cybercriminal communities allow for the division of labor and, consequently, economies of scale for the cybercriminal ecosystem. Many cybercrime schemes depend on the actions of a cast of characters working in concert, including developers, cryptor writers, spammers, botnet masters, payment card specialists, and cashers, among others. If cybercriminals were required to carry out their schemes on an individual basis, it would take them many years to develop the necessary cross-domain expertise. The substantial resource expenditure required to obtain the equipment needed to support a crime campaign would also serve as a barrier. In a cybercrime community, however, members specialize according to their interests and talents; this allows them to reach higher levels of proficiency in just one link of the cybercrime chain. They can then share this knowledge with other community members (for free or for pay), which raises the overall level of activity, expertise, and efficiency in the entire system.

The traditional meeting place for cyber actors, including cybercriminals, has been and continues to be the online messaging board, or web forum. In many ways, these forums are the beating heart of the cybercrime economy. Members meet, recruit additional support, buy technical tools (e.g. malware), and sell their illicit goods and services through online forums. Like any other community, cybercrime communities have rules (both explicit and implicit), enforcers (moderators), an organizer (administrator), unique jargon, and varying barriers to entry. But, once they gain acceptance into the “club,” members have access to the institutional knowledge and resources afforded by the forum and its members.

Despite the central role of the forum for cybercriminal enterprises -- not to mention its crucial function of bringing criminals together and allowing them to find each other -- once criminals meet, they may choose to move their communications outside of the forum for a number of reasons -- even though the forums have native private messaging platforms. One reason for this behavior is that criminals can never be quite sure exactly who has access to the backend of the forum on which they are operating. Even in the unlikely scenario that a criminal could trust that the forum administrator had their best interests at heart, administrator accounts can be compromised. Such a compromise would put any unencrypted personal communications into the hands of an unknown and untrusted party.

Another reason cybercriminals choose to communicate outside of forums is so they can maintain access to logs of their previous communications. These forums are notorious for suddenly disappearing or experiencing unexpected downtimes, during which criminals’ forum correspondence becomes temporarily or permanently inaccessible. The causes for this instability can be nefarious, as in the case of “exit scams” wherein forum administrators close the board and abscond with all the funds held in members’ accounts or in the forum’s escrow service. Forums can also disappear or be disrupted during law enforcement busts when officers seize forum servers. Forums may also go down for more benign reasons, such as instances where there is no longer enough interest in maintaining the forum or if the administrators are no longer able to pay the hosting fee.

Image 1: Depiction of the cybercrime ecosystem: The division of labor allows actors to specialize in domains for which they have a comparative advantage or special talent, advancing the level of expertise in their particular area of specialization beyond what could be accomplished if each individual actor were responsible for all elements of the cybercrime chain. In addition, the barrier of entry is lower for new participants because they can merely purchase the goods and services they need, as opposed to spending significant time and money building capacity themselves.

Image 2 on following page: Screenshot of Darkode (now defunct), one of the most well-known online forums and marketplaces for malware, stolen data, credit card numbers, botnets, and malicious tools. The site was seized and many of its members were arrested in July 2015 as part of a coordinated international law enforcement effort.

Choice of Messaging Platform

Cybercriminals can choose from a wide variety of platforms to conduct their peer-to-peer (P2P) communications. This choice is typically influenced by a combination of factors, which can include:

Ease of use — All other factors held equal, cybercriminals, like any other user, prefer services that are simple, have a clean graphical user interface (GUI), are intuitive to use, and are not “buggy”. They may also appreciate customizations and/or localizations that make it easier for them to use the tool. Such features may be especially appealing to speakers of less-common languages or those who use operating systems other than the commercially-popular Windows and OS X.

Country and/or language — Communication platforms are sometimes promoted heavily, or even exclusively, to speakers of a particular language. When these platforms are the dominant communication medium for a language group, cybercriminals are likely to use them in their “civilian” lives to interact with friends and family. Indeed, this usage may creep into their criminal endeavors as well. It is also worth noting that services may become unavailable in countries as a result of government actions. For example, in December 2015 and May 2016, the Brazilian government banned WhatsApp for failing to deliver data requested as part of a criminal investigation.

Security and/or anonymity concerns — Messaging platforms have differing anonymity and encryption capabilities that make them less or more attractive to cybercriminals. Cybercriminals will evaluate platforms based on the encryption protocol used (for instance, is it end-to-end?), where encryption keys are stored, the jurisdiction in which the services’ servers are located (can they be accessed by law enforcement agencies?), the policies of the service, the information collected from users to set up an account on the service, etc.

Image 2 - Darkode Homepage

Image 3 - Secure Messaging Scorecard from the EFF

Image 3: The Electronic Frontier Foundation developed a Secure Messaging Scorecard in which it ranked the security practices of thirty-seven popular messaging applications along seven basic criteria:

Is data encrypted in transit?
Is data encrypted so the provider cannot read it?
Can users verify contacts’ identities?
Are past communications secure if encryption keys are stolen?
Is the code open to independent review?
Is the security design properly documented?
Has there been a recent code audit?

Cybercriminals use similar criteria to inform their choice of messaging platform.¹

¹ www.eff.org/node/82654

METHODOLOGY

To conduct this study, the authors relied on mentions of platforms in the data from underground communities monitored by Flashpoint. These observations were used as a proxy for gauging interest in and use of these messaging services. The communities in this study are primarily composed of actors involved or interested in financially-motivated cybercrime (with the notable exception of Iranian actors). Analysts started with a list of approximately 80 instant messenger platforms/protocols, and created filters for these platforms to query against Flashpoint’s Deep & Dark Web dataset. In most cases, five instant messenger platforms accounted for 80 to 90 percent of the mentions across an underground language community. Analysts then took the top 8 to 10 results and compared them with each other to visualize the relative frequency of mentions of these instant messenger platforms.

It is worth mentioning that the messaging services Signal and Line presented extraordinary challenges based on the ubiquity of these words in English, as well as in programming languages. Given the high degree of noise associated with the results from these services, Signal and Line are not included in most results. Based on the results of our research, however, Signal and Line do not constitute a significant number of mentions in any language community included as part of this research.

This methodology, of course, has limits — not every mention of a social media service indicates that the actor who posted the message uses this platform. It is certainly possible that criminals are posting about and discussing platforms that they themselves do not actually use. While this is plausible, however, in practice and in the aggregate, it is more likely than not that the criminals are discussing services they use or are interested in.

It is also the case that some posts with mentions of messaging services are meant to dissuade others from using that platform (typically due to security concerns). Since only mentions are counted, the nuance of whether these mentions are positive or negative is not reflected in the results. Based on analysts’ observations, however, negative posts about messaging services are far less prevalent than other types of posts (e.g. positive reviews, or provision of contact information). As such, the presence of this noise is unlikely to skew the results significantly.

Flashpoint analysts have observed that when criminals invite other community members to interact with them outside of the forum, they often leave their contact information at the end of the message (e.g. “ICQ: 9999999”) or express a preference for the platform on which they prefer to interact. Underground communities also constantly discuss the merits of the different messaging services available and advise each other on which services are best to use. For this reason, comparing the number of mentions of messaging services should provide a rough approximation of the relative popularity of these various services.
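The counting procedure described in the methodology, as an added example that is not Flashpoint’s own tooling: per-platform filters are applied to a corpus of forum posts, the mentions are tallied, and the top platforms are reported as relative shares, the way the percentages in the findings below are presented. It also shows the Signal/Line noise problem the authors mention: those two names only count when they appear in contact-handle context. The platform patterns, the handle regex and the sample posts are all constructed for this illustration.

```python
"""Count instant-messenger mentions in underground forum posts.

Added example: approximates the report's method (filter a post corpus for
platform names, compare relative mention frequency). The patterns and the
SAMPLE_POSTS below are constructed for this illustration, not real data.
"""
import re
from collections import Counter

# One filter per platform. Unambiguous names match on a word boundary.
# "Signal" and "Line" are ordinary English words, so they count only when
# they look like a contact handle ("Signal: ...") or are followed by a
# messenger-ish noun; this is the noise-handling choice, an assumption here.
PLATFORM_PATTERNS = {
    "ICQ": re.compile(r"\bicq\b", re.I),
    "Jabber (XMPP)": re.compile(r"\b(?:jabber|xmpp)\b", re.I),
    "Skype": re.compile(r"\bskype\b", re.I),
    "Telegram": re.compile(r"\btelegram\b", re.I),
    "WhatsApp": re.compile(r"\bwhatsapp\b", re.I),
    "PGP": re.compile(r"\bpgp\b", re.I),
    "Signal": re.compile(r"\bsignal(?:\s*:|\s+(?:messenger|app)\b)", re.I),
    "Line": re.compile(r"\bline(?:\s*:|\s+(?:messenger|app)\b)", re.I),
}

# Contact handles left at the end of a post, e.g. "ICQ: 9999999" (the format
# the report cites). Captured separately because such drops are a strong
# indicator that the platform is actually used, not merely discussed.
HANDLE_RE = re.compile(
    r"\b(icq|jabber|skype|telegram|whatsapp|signal|line)\s*:\s*([^\s,]+)", re.I
)

SAMPLE_POSTS = [  # constructed sample corpus
    "Selling fresh dumps, good valid rate. Contacts: ICQ: 9999999, jabber: seller@example.invalid",
    "Anyone still using Skype for deals? Thought everyone moved to Jabber + OTR",
    "Don't use Skype, MS reads everything. Jabber with PGP keys or nothing.",
    "New bot build ready, escrow only. Telegram: @example_handle",
    "the bottom line is the signal to noise ratio on this board is terrible",
    "Looking for a coder, pm me or Signal: +1 555 0100",
    "ICQ 9999999 - dumps, fullz, cvv",
]


def count_mentions(posts):
    """Count, per platform, the number of posts mentioning it (one hit per post)."""
    counts = Counter()
    for post in posts:
        for name, pattern in PLATFORM_PATTERNS.items():
            if pattern.search(post):
                counts[name] += 1
    return counts


def relative_shares(counts, top_n=5):
    """Top-N platforms as (name, count, percent of the top-N total), the
    way the report's per-language breakdowns are presented."""
    top = counts.most_common(top_n)
    total = sum(c for _, c in top)
    return [(name, c, round(100.0 * c / total, 2)) for name, c in top]


def extract_handles(posts):
    """Pull out (PLATFORM, handle) pairs left as contact information."""
    return [(m.group(1).upper(), m.group(2))
            for post in posts for m in HANDLE_RE.finditer(post)]


if __name__ == "__main__":
    counts = count_mentions(SAMPLE_POSTS)
    for name, c, pct in relative_shares(counts):
        print(f"{name:15s} {c:3d}  {pct:6.2f}%")
    print("handles:", extract_handles(SAMPLE_POSTS))
```

Note that post 5 contains both "signal" and "line" as ordinary words and contributes nothing, while post 6 ("Signal: +1 ...") does count; without that context rule both words would dominate the tally, which is exactly why the authors excluded them. The counter records one hit per post per platform, so a post that drops an ICQ handle and a Jabber address counts once for each.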
BACKGROUND ON THE TOP INSTANT MESSAGERS APPEARING IN THIS STUDY

ICQ — This messaging service began in 1996 under the auspices of Israeli company Mirabilis; it is considered to be the first stand-alone instant messenger service. AOL bought Mirabilis in 1998 and controlled ICQ until 2010, at which point the company sold ICQ to Digital Sky Technologies. Digital Sky Technologies (now Mail.Ru group) is headed by Alisher Usmanov, an Uzbek-born Russian businessman. This connection to Usmanov and the Mail.Ru group played a significant role in ICQ’s continued popularity among Russian-speakers and citizens of countries of the former Soviet Union. The service’s heavy use in the cybercrime ecosystem is likely due to the prominence of Russian-speakers in financially-motivated cybercrime activity, as well as the desire for speakers of other language communities to interact with and learn from these actors. ICQ’s offered features include group chats, video chats, stickers, free calls, file transfers, and unlimited texting. As of the most recent information available, ICQ encrypts voice and video calls, but does not encrypt written messages. Users who wish to encrypt their communications can use a third-party app that works with the ICQ protocol via a downloadable plug-in. ICQ has an estimated active user base of 11 million users.

Skype — Skype was founded in 2003 based on software written by Estonian developers. In 2005, eBay acquired Skype and later sold it to Microsoft in 2011. Since then, Microsoft has embedded the application in many of the devices it sells, further increasing Skype’s availability and cementing its presence among the population. Skype allows for instant messaging, free video and audio calls, free file and screen sharing, paid calls to mobile and landline numbers, paid text messaging, and paid call forwarding, among others. While Skype encrypts data in transit, the application does not provide end-to-end encryption, does not allow for verification of contacts’ identities, and does not secure past communications in the event that encryption keys are stolen -- otherwise known as “forward secrecy”. In addition, documents leaked by former NSA contractor Edward Snowden showed that the US National Security Agency (NSA) was able to collect Skype video calls through its Prism program, thereby potentially exposing Skype users’ communications to government surveillance. Skype has an estimated active user base of 300 million.

Jabber (XMPP) — The Extensible Messaging and Presence Protocol (XMPP), more commonly known in the underground by its original name, Jabber, is an open-source, Extensible Markup Language (XML)-based platform that allows for the near-real-time exchange between network entities. It was created in 1998 by Jeremie Miller and has since been incorporated into social networking, instant messaging, voice over IP (VoIP), and file transfer services, among others. Instant message users typically download an instant messaging client with XMPP functionality, such as Adium, Gajim, iChat, Pidgin, or others. Certain XMPP clients (whether through additional plugin or by default) also include the option for Off-the-Record (OTR) messaging, which is a cryptographic protocol that encrypts instant messages. By enabling OTR, users can communicate with end-to-end encryption, forward secrecy, and user authentication. Criminals are drawn to this service because it is free, secure, open-source (anyone can review the XMPP and OTR code and report vulnerabilities), and decentralized (anyone can run a Jabber server and the technology is not controlled by any single entity).

Pretty Good Privacy (PGP) — Although not a messaging service, PGP was included in this study based on the popularity of encrypted communications in certain communities. Developed by Philip Zimmermann in 1991, PGP is an encryption program used to encrypt and decrypt texts, emails, files, and disk partitions, as well as authenticate messages with digital signatures. To send a message to another user with PGP, two (or more) users must create public and private cryptographic keys and share the public keys with each other. User A encrypts their message via User B’s public key and sends the message to User B who can then decrypt the message with their private key. Given the extra burden on users (swapping keys, manually encrypting and decrypting messages), sending messages with PGP would generally seem to be less attractive than using an instant messaging service with built-in encryption functionality. Furthermore, PGP is end-to-end encrypted but does not provide forward secrecy. In other words, if users’ encryption keys become known, all of their previous messages can be decrypted.

AOL Instant Messenger (AIM) — Originally part of the AOL package, AIM was launched as a standalone program in 1997 and quickly became the dominant messaging program of the late 1990s and early 2000s. Usage of the service waned in the mid to late 2000s following the introduction of competitors (such as Google Chat), free and widespread SMS services, and social network sites. AIM allows for instant messaging, group messaging, file transfers, and free text messaging. AIM does not provide end-to-end encryption, forward secrecy, or user authentication. AOL is also believed to have participated in the NSA’s Prism program. Data on numbers of active users could not be found for AIM.

Telegram — Created by Nikolai and Pavel Durov, both of whom are also known for launching VK, Russia’s most popular social networking platform, Telegram is a cloud-based messaging service that was launched in 2013. Once users sign up using their phone number, Telegram allows them to send messages, stickers, files, photos, and videos. One important feature of the service is the secret chat feature. When secret chat functionality is enabled, users have end-to-end encryption, user authentication, and forward secrecy. Messages can also be set to self-destruct after a predetermined amount of time. Additional important features include channels that allow administrators to blast messages to an unlimited number of recipients. This combination of features has made the service attractive to jihadist groups, who have been known to use Telegram to disseminate official statements, claims of credit, videos, and propaganda. Invite-only group chats also allow for curated distribution of materials. Flashpoint has previously reported on jihadist use of Telegram in its publication Tech for Jihad. Telegram has an estimated 100 million users.

WeChat — Known in China as Weixin, WeChat was launched in 2011 by Chinese technology giant Tencent. WeChat offers free video calls, group chats, broadcast messaging, and file transfers. Far more than a messaging service, however, WeChat is also used to check news, play video games, shop online, pay bills, book taxis, and conduct mobile payments. WeChat encrypts messages in transit but does not offer end-to-end encryption, user authentication, or forward secrecy. In addition, there are concerns surrounding allegations that the Chinese government has access to WeChat communications, particularly for users in China. It has an estimated 806 million active users, primarily in China.

QQ — Also developed by Tencent, QQ is another instant messaging service popular among Chinese users. It was patterned after the ICQ instant message service and was launched by Ma Huateng in 1999. QQ offers chatrooms, games, online file storage, internet dating services, and virtual currency. Like its sister company WeChat, QQ has been criticized for being complicit in the Chinese government’s alleged surveillance and censorship initiatives. It does not provide end-to-end encryption, user authentication, or forward secrecy, but does encrypt data in transit. QQ has an estimated 899 million active users, primarily in China.

WhatsApp — With over 1 billion estimated active users around the globe, WhatsApp is the most popular stand-alone messaging application. The messaging service was launched in 2009 by former Yahoo! employees Jan Koum and Brian Acton and was acquired by Facebook in 2014. The service offers messaging, group chats, video and voice calls, and file transfers. WhatsApp worked with Open Whisper Systems to start providing end-to-end encryption for the app in 2014; the service also provides user authentication and forward secrecy. The company’s provision of these security and encryption features has put it at odds with law enforcement, most notably in Brazil where it has been banned on multiple occasions for not complying with court requests to turn over users’ communications.

Kik — Released in 2010, Kik is the brainchild of university students in Canada and has become very popular among teenagers in the United States. Unlike many other messaging services, Kik users do not have to provide their mobile phone numbers, which helps users preserve a bit of anonymity in their interactions with the app. Some of Kik’s features include messaging, file transfers, group chats, and video chats. The service claims 300 million total users, but has not provided information on how many of them are active users.
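The platform descriptions above turn repeatedly on one property: Skype, AIM, WeChat and QQ lack forward secrecy, PGP is end-to-end encrypted yet exposes every past message once a private key leaks, and OTR (like WhatsApp and Telegram secret chats) provides forward secrecy. The following added illustration, written for this page and not taken from the report or from any of the products it describes, shows the mechanical difference: a PGP-style message keyed off the recipient’s long-term key, beside an OTR-style session built from ephemeral keys that are thrown away afterwards. An eavesdropper who recorded both exchanges and later obtains the long-term private key can read the first but not the second. The Diffie-Hellman group (the Mersenne prime 2^127-1), the SHAKE-256 keystream cipher, and the message are constructed for the example and are not secure parameters.

```python
"""Forward secrecy: PGP-style static keys versus OTR-style ephemeral keys.

Added illustration, not code from the report or any product it describes.
Toy Diffie-Hellman over 2**127-1 with a SHAKE-256 keystream and HMAC-SHA256;
fine for showing how keys are handled, far too weak for real use.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1  # toy group modulus (2^127 - 1 is prime); not a real parameter set
G = 2


def keygen():
    """Return a (private, public) Diffie-Hellman key pair in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(shared: int) -> bytes:
    """Hash a DH shared secret into 64 bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.sha512(shared.to_bytes(16, "big")).digest()


def _keystream(enc_key: bytes, n: int) -> bytes:
    return hashlib.shake_256(enc_key).digest(n)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output is ciphertext || 32-byte HMAC tag."""
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered ciphertext raises ValueError."""
    enc_key, mac_key = key[:32], key[32:]
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def pgp_style_send(recipient_long_term_pub: int, plaintext: bytes):
    """PGP/ElGamal-like: the sender's ephemeral key meets the recipient's
    long-term public key. The ephemeral public value E travels with the
    message, so the session key depends only on E and the long-term secret."""
    e, E = keygen()
    blob = encrypt(derive_key(pow(recipient_long_term_pub, e, P)), plaintext)
    return E, blob  # exactly what an eavesdropper can record


def pgp_style_receive(recipient_long_term_priv: int, E: int, blob: bytes) -> bytes:
    """The recipient's step; anyone holding the long-term private key can repeat it."""
    return decrypt(derive_key(pow(E, recipient_long_term_priv, P)), blob)


def otr_style_session(plaintext: bytes):
    """OTR/Signal-like: both parties use fresh ephemeral keys for the session.
    Long-term keys would only sign A and B (that authentication step is
    omitted here). The ephemeral private values are discarded afterwards."""
    a, A = keygen()
    b, B = keygen()
    key = derive_key(pow(B, a, P))
    if key != derive_key(pow(A, b, P)):
        raise RuntimeError("DH agreement failed")
    blob = encrypt(key, plaintext)
    del a, b, key  # nothing but A, B and the ciphertext survives the session
    return A, B, blob  # exactly what an eavesdropper can record


def forward_secrecy_demo():
    """Return (pgp_recovered, otr_recovered): can an attacker who recorded the
    traffic and later obtains the recipient's long-term private key read the
    old message? Expected (True, False)."""
    long_priv, long_pub = keygen()            # recipient's long-term key pair
    msg = b"constructed sample message"       # constructed plaintext
    E, blob = pgp_style_send(long_pub, msg)
    pgp_recovered = pgp_style_receive(long_priv, E, blob) == msg
    A, B, blob2 = otr_style_session(msg)
    # The attacker holds long_priv plus the recorded A and B. Without one of
    # the deleted ephemeral private values the session key cannot be rebuilt;
    # the best available guess is rejected by the MAC check.
    try:
        decrypt(derive_key(pow(A, long_priv, P)), blob2)
        otr_recovered = True
    except ValueError:
        otr_recovered = False
    return pgp_recovered, otr_recovered


if __name__ == "__main__":
    print(forward_secrecy_demo())  # (True, False)
```

The point the report makes about PGP and Skype is visible in `pgp_style_receive`: it is the legitimate recipient’s own decryption step, and it works for whoever holds the long-term key at any later date. In the OTR-style session the long-term key never enters the session key at all, so compromising it later reveals nothing about recorded traffic; real OTR and Signal additionally ratchet to a new key within a conversation, which this single-session sketch does not show.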

Language Group Specific Findings

RUSSIAN

In 2012, the top eight instant messengers mentioned in the Russian underground were as follows:

1. ICQ (51.83%)
2. Skype (25.98%)
3. Jabber (XMPP) (18.7%)
4. Quiet Internet Pager (1.55%)
5. Pretty Good Privacy (0.74%)
6. Pidgin (0.41%)
7. PSI (0.41%)
8. AOL Instant Messenger (AIM) (0.37%)

Four years later, the landscape looked very different. The 2016 breakdown of instant messenger mentions was as follows:

1. Skype (38.72%)
2. Jabber (24.77%)
3. ICQ (21.05%)
4. Telegram (7.26%)
5. Viber (4.47%)
6. WhatsApp (2.01%)
7. Zephyr (0.85%)
8. Pretty Good Privacy (PGP) (0.81%)

The most interesting changes over the four-year period include the ascendance of the popular messaging services Telegram and Viber to the top ranks of instant messaging services used in the Russian underground. Mentions of Skype grew significantly, while mentions of Jabber (XMPP) increased slightly and mentions of ICQ dropped precipitously, in part ceding ground to other messaging services.

The story is even more interesting when we consider the distribution of mentions in elite Russian forums. In 2012, that distribution was as follows:

1. ICQ (60.63%)
2. Jabber (XMPP) (17.93%)
3. Skype (16.93%)
4. PGP (1.87%)
5. Quiet Internet Pager (1.61%)
6. Pidgin (0.42%)
7. Tencent QQ (0.34%)
8. AOL Instant Messenger (0.26%)

Jabber and ICQ accounted for 78.56% of the top instant messenger mentions. This observation is realistic given the heavy usage of ICQ by Russian speakers and the emphasis on anonymity and privacy provided by Jabber.

By 2016, however, ICQ ceded ground to Jabber, which moved into first place among the relative mentions, and Telegram, which grew to occupy a sizable share of the pie. This evidences a shift in user preferences towards messaging platforms that are more secure, provide better anonymity, and are either decentralized or otherwise make it difficult for law enforcement to access logs of user activity. The breakdown for instant messenger mentions in 2016 was as follows:

1. Jabber (28.3%)
2. Skype (24.26%)
3. ICQ (18.74%)
4. Telegram (16.39%)
5. WhatsApp (3.93%)
6. PGP (3.79%)
7. Viber (3.01%)
8. Signal (1.58%)

SPANISH

Compared to members of Russian-language underground forums, members of Spanish-language underground forums tend to be less technologically sophisticated and less aware of issues pertaining to privacy and anonymity. These characteristics are reflected in the mix of instant messaging services mentioned across the Spanish-language underground.

In 2012, that mix consisted of the following services:

1. Skype (48.76%)
2. WhatsApp (13.64%)
3. Pidgin (7.23%)
4. ICQ (5.99%)
5. Windows Live Messenger (5.58%)
6. Jabber (XMPP) (6.4%)
7. AOL Instant Messenger (AIM) (4.55%)
8. Trillian (2.89%)
9. PGP (2.89%)
10. Nimbuzz (2.07%)

Far and away, the service most often mentioned was Skype, while the most popular services among the most elite Russian-speaking cybercriminals (ICQ and Jabber) are mentioned much less frequently.

This distribution was starkly different during 2016. ICQ moved into the number one spot, displacing Skype, and upstart Kik Messenger came to occupy a large share of the mentions among Spanish-speaking users. In 2016, mentions of instant message platforms were distributed as follows:

1. ICQ (51.5%)
2. Skype (15.11%)
3. Kik Messenger (13.44%)
4. Jabber (8.21%)
5. WhatsApp (7.07%)
6. Telegram (2.11%)
7. PGP (0.98%)
8. AOL Instant Messenger (0.86%)
9. Threema (0.56%)
10. Pidgin (0.5%)

The dramatic shift to mentions of ICQ likely highlights Spanish-speaking cybercriminals’ efforts to mimic the communication patterns of more sophisticated users in Russian-speaking communities. Flashpoint analysts have observed numerous instances of information flows from Russian- and English-language communities into Spanish-language communities. These flows take place through connectors, individuals active across a number of different language communities who facilitate exchanges of information between these otherwise siloed groups. In the same way that analysts have observed that malware introduced on Russian forums typically takes a few months to find its way into Spanish-language communities, it appears that usage of platforms is also influenced by trends in more elite forums.

The large volume of Kik Messenger mentions is more difficult to explain. The service is not popular among elite cybercriminals from other language communities, and given that Kik has existed since 2010 but did not rise in prominence in the Spanish-language underground until near the end of 2016, it is unclear what caused the sudden recent spike in popularity. One potential answer could be the fact that Kik (like ICQ and Telegram) facilitates group chats among members of the service. In light of the rather turbulent nature of Spanish-language communities that appear and disappear suddenly and without warning, analysts have observed members forming groups on Kik and ICQ, likely in part for redundancy reasons should the main forum go down.

FRENCH

Many of the French-language cybercrime communities included in this study are very conservative when it comes to their communication choices. Historically, they have tended to be very distrustful of instant messaging services and generally prefer to use email or the forum messaging system to send messages encrypted with Pretty Good Privacy (PGP) software. Indeed, most forums have a special field for members to publish their public PGP key, some forums strongly encourage members to publish their public key and encrypt their communications, and still other forums do not admit member prospects who do not provide a public PGP key. Some forums have even integrated PGP encryption capability into the forum messaging platform to make it easier for members to send encrypted messages to each other.

Members of the French underground take their privacy and anonymity seriously. This characteristic is reflected in the distribution of messenger services found in that community as far back as 2012. The distribution is as follows:

1. Pretty Good Privacy (58.62%)
2. Skype (16.55%)
3. Jabber (14.48%)
4. Pidgin (10.34%)

Of the four most mentioned services, all but Skype are well-known for providing the option of encrypted communications.

Since 2012, French actors have embraced the use of Jabber, and this is reflected in the share of mentions of this service during 2016. The distribution of mentions for 2016 is as follows:

1. Jabber (45.84%)
2. PGP (40.11%)
3. ICQ (8.49%)
4. Skype (2.18%)
5. Pidgin (1.3%)
6. Tox (0.59%)
7. AOL Instant Messenger (0.46%)
8. Telegram (0.31%)
9. Ricochet (0.29%)
10. WhatsApp (0.19%)
11. Wickr (0.15%)

While some members of French communities continue to insist on PGP as the only secure means of communication, many have started to use Jabber alongside PGP to conduct their communications outside of the forum. Based on Flashpoint’s long experience monitoring these forums, the French-language underground is by and large the most security-conscious language community in the Deep & Dark Web. Even novice members of French underground communities are indoctrinated very quickly into the best ways to maintain their privacy, security, and anonymity. In fact, those who do not comply are often ridiculed or refused membership in more elite communities. The results of this study tend to confirm those observations.

ARABIC

In 2012, Arabic-language forums were dominated by mentions of Skype and Windows Live Messenger. Jabber, Yahoo! Messenger, and ICQ were close behind. The 2012 distribution was as follows:

1. Skype (32.82%)
2. Windows Live Messenger (18.45%)
3. Jabber (15.73%)
4. Yahoo! Messenger (9.45%)
5. ICQ (6.55%)
6. Paltalk (3.82%)
7. Nimbuzz (3.73%)
8. AOL Instant Messenger (3.73%)
9. MSN Messenger (3%)
10. WhatsApp (2.73%)

Overall, there does not appear to be a noticeable trend of using secure or anonymous messaging platforms based on the 2012 snapshot.

In 2016, WhatsApp leapt to the top of the charts in terms of mentions on Arabic-language forums. Skype remained a close number two, and interestingly, AOL Instant Messenger came in third with a much higher number of mentions than analysts would have expected. It is not clear what may have spurred increased discussion of this particular messenger, especially since its popularity has been in decline since approximately 2009.

Interestingly, Arabic-language communities do not appear to exhibit the common trend of increased discussions pertaining to more sophisticated messaging systems. While it is true that WhatsApp introduced end-to-end encryption in 2016, it is unclear whether this feature played a role in shaping preferences around the use of this tool and its rise to number one in the Arabic-speaking underground. It is possible that the communities we monitor are so isolated that they have not been able to learn communication best practices from other groups of threat actors. It could also be the case that members of these communities have not felt the need to update their communication practices because they have not felt pressure from their host governments or local law enforcement agencies.

The distribution of mentions for Arabic-language forums in 2016 was as follows:

1. WhatsApp
2. Skype
3. AOL Instant Messenger
4. ICQ
5. Yahoo! Messenger
6. Jabber
7. Viber
8. Paltalk
9. Windows Live Messenger
10. Pretty Good Privacy (PGP)

CHINESE

The Chinese-language instant messaging market is dominated by Tencent in the form of two applications, QQ and WeChat. This dominance appears to be reflected in the cyber domain as well. It is understandable that QQ would have a prominent position since it has been around since 1999. However, only one year after its 2011 launch, WeChat had already garnered close to 10 percent of mentions in the Chinese underground. The distribution among Chinese-language communities in 2012 was as follows:

1. QQ (88.39%)
2. WeChat (8.62%)
3. Skype (1.03%)
4. Pretty Good Privacy (0.62%)
5. Windows Live Messenger (0.47%)
6. Line (0.46%)
7. ICQ (0.14%)
8. FaceTime (0.09%)
9. AOL Instant Messenger (0.08%)
10. Miranda (0.05%)
11. WhatsApp (0.04%)

Over the last four years, mentions of WeChat have gained considerably on mentions of QQ, although it appears that QQ is still the most popularly discussed platform in the Chinese underground. The two platforms even managed to further displace other platforms, collectively accounting for just shy of 99 percent of mentions of instant message platforms in 2016. The distribution in 2016 is as follows:

1. QQ (63.33%)
2. WeChat (35.58%)
3. Skype (0.44%)
4. WhatsApp (0.22%)
5. Jabber (0.31%)
6. PGP (0.13%)
7. ICQ (0.1%)
8. AOL Instant Messenger (0.08%)

The near exclusive mentions of QQ and WeChat, combined with their absence from other language communities, also suggest that the Chinese underground is relatively isolated from other language communities. While Flashpoint analysts have observed limited instances of crossover between Russian and Chinese communities, interactions on the whole between Chinese and other language communities appear to be much more limited than interactions between French, Spanish, Portuguese, English, Russian, and other language communities.

Interestingly, cybercriminals in other language groups tend to avoid messaging services that are strongly suspected of collaborating with their host governments, as is the case with QQ and WeChat. In contrast, Chinese-speaking actors embrace QQ and WeChat, but in their communications employ specialized slang to evade the notice of censors and “hide” in plain sight. While cybercriminals in many other language groups use specialized jargon in their communications, this jargon is not typically meant to intentionally obfuscate their messages. In this regard, the Chinese-speaking underground is unique among the language groups in this study.

PERSIAN/FARSI

In 2012, members of Persian-language underground communities most actively discussed Yahoo! Messenger and Nimbuzz. The popularity of Yahoo! Messenger makes sense given that Yahoo was the most popular email service in Iran, with over 63 percent using the company’s email service as their primary email account. The factors behind the popularity of Nimbuzz are less obvious; it is known to be widely used in India, but not particularly so in Iran. The distribution of messaging service mentions in 2012 was as follows:

1. Yahoo! Messenger (51.28%)
2. Nimbuzz (17.15%)
3. Skype (7.37%)
4. ICQ (5.45%)
5. Kik Messenger (4.97%)
6. AOL Instant Messenger (4.01%)
7. Pidgin (2.88%)
8. Jabber (2.72%)
9. Windows Live Messenger (2.24%)
10. MSN Messenger (1.92%)

In 2016, Telegram became the undisputed leader among messaging services in Iran, with an estimated 20 million Iranians (one in four Iranian citizens) using the service. The reason for Telegram’s success was two-fold. First, other services that had been popular among Iranian users in recent years (such as Viber and the social media platforms Facebook and Twitter) were blocked by Iranian authorities, making it more difficult to access them inside the country.

The Iranian government has discussed blocking Telegram on a number of occasions and has attempted to pressure the company to relocate its servers that handle Iranian traffic onto Iranian soil. Despite these tensions, the government has yet to make the decision to ban or block the service. In fact, a number of Iranian newspapers, politicians, and government ministries operate Telegram channels. In December 2016, however, administrators of Telegram channels with more than 5,000 members were informed they must register with the Ministry of Culture and Islamic Guidance by February 25, 2017, or face prosecution.

Image 4: Telegram CEO Pavel Durov claimed in October 2015 that the Iranian Ministry of Information and Communications Technology had blocked Telegram for refusal to collaborate in spying on Iranian citizens. The incident is shrouded in mystery, however, as many Iranian Telegram users reported that they experienced no disruptions in the service, and a spokesperson for Iran’s Ministry of ICT told Iranian media outlets that the government had taken no steps to block Telegram in the country.

The second reason for Telegram’s success is its emphasis on encrypted communications. Iranians are very conscious of the role that surveillance plays in their society. For example, after controversial results in Iran’s 2009 presidential election, many members of Iran’s Green Movement were arrested in light of suspicions that their mobile phone communications had been monitored.

The results in this study confirm Telegram’s popularity in Iran. Telegram is by far the most frequently discussed instant messaging platform in the Persian-language underground; it eclipses all other instant messaging platforms. The distribution for 2016 was as follows:

1. Telegram (88.5%)
2. Line (4.54%)
3. Skype (2.9%)
4. Yahoo! Messenger (0.96%)
5. Viber (0.92%)
6. Kik Messenger (0.64%)
7. WhatsApp (0.64%)
8. Tennent (0.44%)
9. PGP (0.24%)
10. AOL Instant Messenger (AIM) (0.24%)

ENGLISH

Across the English-language underground in 2012, Skype commanded a large majority of mentions while AOL Instant Messenger was less popular. The distribution of mentions across English-language communities in 2012 was as follows:

1. Skype (80.29%)
2. AIM (11.57%)
3. ICQ (3.25%)
4. Jabber (2.99%)
5. Kik Messenger (0.74%)
6. Xfire (0.56%)
7. Zephyr (0.32%)
8. Yahoo! Messenger (0.29%)

In 2016, Skype was still the leader among instant message services mentioned in English-language communities. However, Skype did cede ground to Jabber, ICQ, and Kik Messenger. In addition, numerous secure and/or encrypted chat messengers such as Telegram, Wickr, and WhatsApp joined the ranks of the most frequently discussed services. The distribution in 2016 was as follows:

1. Skype (62.94%)
2. Jabber (11.75%)
3. ICQ (9.81%)
4. Kik Messenger (5.63%)
5. Pretty Good Privacy (PGP) (3.68%)
6. AOL Instant Messenger (3.64%)
7. Telegram (1.54%)
8. WhatsApp (0.57%)
9. Wickr (0.24%)
10. Tox (0.2%)

ly and without warning, analysts have observed Since 2012, French actors have embraced the follows: other groups of threat actors. It could also be members forming groups on Kik and ICQ, likely use of Jabber, and this is reflected in the share the case that members of these communities in part for redundancy reasons should the main of mentions of this service during 2016. The 1. Skype (32.82%) have not felt the need to update their communi- forum go down. distribution of mentions for 2016 is as follows: 2. Windows Live Messenger (18.45%) cation practices because they have not felt 3. Jabber (15.73%) pressure from their host governments or local 1. Jabber (45.84%) 4. Yahoo! Messenger (9.45%) law enforcement agencies. FRENCH 2. PGP (40.11%) 5. ICQ (6.55%) 3. ICQ (8.49%) 6. Paltalk (3.82%) The distribution of mentions for Arabic language Many of the French-language cybercrime 4. Skype (2.18%) 7. Nimbuzz (3.73%) forums in 2016 was as follows: communities included in this study are very 5. Pidgin (1.3%) 8. AOL Instant Messenger (3.73%) conservative when it comes to their communica- 6. Tox (0.59%) 9. MSN Messenger (3%) 1. WhatsApp tion choices. Historically, they have tended to 7. AOL Instant Messenger (0.46%) 10. WhatsApp (2.73%) 2. Skype be very distrustful of instant messaging services 8. Telegram (0.31%) 3. AOL Instant Messenger and generally prefer to use email or the forum 9. Ricochet (0.29%) Overall, there does not appear to be a notice- 4. ICQ messaging system to send messages encrypted 10. WhatsApp (0.19%) able trend of using secure or anonymous 5. Yahoo! Messenger with Pretty Good Privacy (PGP) software. 11. Wickr (0.15%) messaging platforms based on the 2012 snap- 6. Jabber Indeed, most forums have a special field for shot. 7. Viber members to publish their public PGP key, some While some members of French communities 8. 
Palatal forums strongly encourage members to publish continue to insist on PGP as the only secure In 2016, WhatsApp leapt to the top of the charts 9. Windows Live Messenger their public key and encrypt their communica- means of communication, many have started to in terms of mentions on Arabic-language 10. Pretty Good Privacy (PGP) tions, and still other forums do not admit use Jabber alongside PGP to conduct their forums. Skype remained a close number two, member prospects who do not provide a public communications outside of the forum. Based on and interestingly, AOL Instant Messenger came PGP key. Some forums have even integrated Flashpoint’s long experience monitoring these in third with a much higher number of mentions CHINESE PGP encryption capability into the forum forums, the French-language underground is by than analysts would have expected. It is not messaging platform to make it easier for mem- and large the most security-conscious language clear what may have spurred increased discus- The Chinese-language instant messaging bers to send encrypted messages to each other. community in the Deep & Dark Web. Even sion of this particular messenger, especially market is dominated by Tencent in the form of novice members of French underground commu- since its popularity has been in decline since its two applications, QQ and WeChat. This Members of the French underground take their nities are indoctrinated very quickly into the approximately 2009. dominance appears to be reflected in the cyber privacy and anonymity seriously. This character- best ways to maintain their privacy, security, and domain as well. It is understandable that QQ istic is reflected in the distribution of messenger anonymity. 
In fact, those who do not comply are Interestingly, Arabic-language communities do would have a prominent position since it has services found in that community as far back as often ridiculed or refused membership in more not appear to exhibit the common trend of been around since 1999. However, only one 2012. The distribution is as follows: elite communities. The results of this study tend increased discussions pertaining to more year after its 2011 launch, WeChat had already to confirm those observations. sophisticated messaging systems. While it is garnered close to 10 percent of mentions in the 1. Pretty Good Privacy (58.62%) true that WhatsApp introduced end-to-end Chinese underground. The distribution among 2. Skype (16.55%) encryption in 2016, it is unclear whether this Chinese-language communities in 2012 was as 3. Jabber (14.48%) ARABIC feature played a role in shaping preferences follows: 4. Pidgin (10.34%) around the use of this tool and its rise to In 2012, Arabic-language forums were dominat- number one in the Arabic-speaking under- 1. QQ (88.39%) Of the four most mentioned services, all but ed by mentions of Skype and Windows Live ground. It is possible that the communities we 2. WeChat (8.62%) Skype are well-known for providing the option Messenger. Jabber, Yahoo! Messenger, and ICQ monitor are so isolated that they have not been 3. Skype (1.03%) of encrypted communications. were close behind. The 2012 distribution was as able to learn communication best practices from 4. Pretty Good Privacy (0.62%)

5. Windows Live Messenger (0.47^) this study. 10. MSN Messenger (1.92%) October 2015 that the Iranian Ministry of Informa- 6. Line (0.46%) tion and Communications Technology had 7. ICQ (0.14%) The near exclusive mentions of QQ and WeChat In 2016, Telegram became the undisputed blocked Telegram for refusal to collaborate in 8. FaceTime (0.09%) combined with their absence from other leader among messaging services in Iran, with spying on Iranian citizens. The incident is 9. AOL Instant Messenger (0.08%) language communities also suggests that the an estimated 20 million Iranians (one in four shrouded in mystery, however, as many Iranian 10. Miranda (0.05%) Chinese underground is relatively isolated from Iranian citizens) using the service. The reason Telegram users reported that they experienced 11. WhatsApp (0.04%) other language communities. While Flashpoint for Telegram’s success was two-fold. First, other no disruptions in the service, and a spokesper- analysts have observed limited instances of services that had been popular among Iranian son for Iran’s Ministry of ICT told Iranian media Over the last four years, mentions of WeChat crossover between Russian and Chinese users in recent years (such as Viber and social outlets that the government had taken no steps have gained considerably on mentions of QQ; communities, interactions on the whole media platforms Facebook and Twitter) were to block Telegram in the country. although it appears that QQ is still the most between Chinese and other language communi- blocked by Iranian authorities, making it more popularly discussed platform in the Chinese ties appear to be much more limited than dicult to access them inside the country. The second reason for Telegram’s success is its underground. The two platforms even managed interactions between French, Spanish, Portu- emphasis on encrypted communications. 
to further displace other platforms, collectively guese, English, Russian, and other language The Iranian government has discussed blocking Iranians are very conscious of the role that accounting for just shy of 99 percent of communities. Telegram on a number of occasions and has surveillance plays in their society. For example, mentions of instant message platforms in 2016. attempted to pressure the company to relocate after controversial results in Iran’s 2009 presi- The distribution in 2016 is as follows: its servers that handle Iranian trac onto Iranian dential election, many members of Iran’s Green PERSIAN/FARSI soil. Despite these tensions, the government Movement were arrested in light of suspicions 1. QQ (63.33%) has yet to make the decision to ban or block the that their mobile phone communications had 2. WeChat (35.58%) In 2012, members of Persian-language under- service. In fact, a number of Iranian newspapers, been monitored. 3. Skype (0.44%) ground communities most actively discussed politicians, and government ministries operate 4. WhatsApp (0.22%) Yahoo! Messenger and Nimbuzz. The popularity Telegram channels. In December 2016, howev- The results in this study confirm Telegram’s 5. Jabber (0.31%) of Yahoo! Messenger makes sense given that er, administrators of Telegram channels with popularity in Iran. Telegram is by far the most 6. PGP (0.13%) Yahoo was the most popular email service in more than 5,000 members were informed they frequently discussed instant messaging platform 7. ICQ (0.1%) Iran with over 63 percent using the company’s must register with the Ministry of Culture and in the Persian-language underground; it eclipses 8. AOL Instant Messenger (0.08%) email service as their primary email account. Islamic Guidance by February 25, 2017, or face all other instant messaging platforms. The The factors behind the popularity of Nimbuzz prosecution. 
distribution for 2016 was as follows: Interestingly, cybercriminals in other language are less obvious; it is known to be widely-used groups tend to avoid messaging services that in India, but not particularly so in Iran. The Image 4: Telegram CEO Pavel Durov claimed in 1. Telegram (88.5%) are strongly suspected of collaborating with distribution of messaging service mentions in 2. Line (4.54%) their host governments, as is the case with QQ 2012 was as follows: 3. Skype (2.9%) and WeChat. In contrast, Chinese-speaking 4. Yahoo! Messenger (0.96%) actors embrace QQ and WeChat, but in their 1. Yahoo! Messenger (51.28%) 5. Viber (0.92%) communications employ specialized slang to 2. Nimbuzz (17.15%) 6. Kik Messenger (0.64%) evade the notice of censors and “hide” in plain 3. Skype (7.37%) 7. WhatsApp (0.64%) sight. While cybercriminals in many other 4. ICQ (5.45%) 8. Tennent (0.44%) language groups use specialized jargon in their 5. Kik Messenger (4.97%) 9. PGP (0.24%) communications, this jargon is not typically 6. AOL Instant Messenger (4.01%) 10. AOL Instant Messenger (AIM) (0.24%) meant to intentionally obfuscate their messages. 7. Pidgin (2.88%) In this regard, the Chinese-speaking under- 8. Jabber (2.72%) Image 4 - Telegram CEO, Pavel Durov on Twitter ground is unique among the language groups in 9. Windows Live Messenger (2.24%) ENGLISH


ENGLISH

Across the English-language underground in 2012, Skype commanded a large majority of mentions while AOL Instant Messenger was less popular. The distribution of mentions across English-language communities in 2012 was as follows:

1. Skype (80.29%)
2. AIM (11.57%)
3. ICQ (3.25%)
4. Jabber (2.99%)
5. Kik Messenger (0.74%)
6. Xfire (0.56%)
7. Zephyr (0.32%)
8. Yahoo! Messenger (0.29%)

In 2016, Skype was still the leader among instant message services mentioned in English-language communities. However, Skype did cede ground to Jabber, ICQ, and Kik Messenger. In addition, numerous secure and/or encrypted chat messengers such as Telegram, Wickr, and WhatsApp joined the ranks of the most frequently discussed services. The distribution in 2016 was as follows:

1. Skype (62.94%)
2. Jabber (11.75%)
3. ICQ (9.81%)
4. Kik Messenger (5.63%)
5. Pretty Good Privacy (PGP) (3.68%)
6. AOL Instant Messenger (3.64%)
7. Telegram (1.54%)
8. WhatsApp (0.57%)
9. Wickr (0.24%)
10. Tox (0.2%)

RUSSIAN

In 2012, the top eight instant messengers mentioned in the Russian underground were as follows:

1. ICQ (51.83%)
2. Skype (25.98%)
3. Jabber (XMPP) (18.7%)
4. Quiet Internet Pager (1.55%)
5. Pretty Good Privacy (0.74%)
6. Pidgin (0.41%)
7. PSI (0.41%)
8. AOL Instant Messenger (AIM) (0.37%)

Four years later, the landscape looked very different. The 2016 breakdown of instant messenger mentions was as follows:

1. Skype (38.72%)
2. Jabber (24.77%)
3. ICQ (21.05%)
4. Telegram (7.26%)
5. Viber (4.47%)
6. WhatsApp (2.01%)
7. Zephyr (0.85%)
8. Pretty Good Privacy (PGP) (0.81%)

The most interesting changes over the four-year period include the ascendance of the popular messaging services Telegram and Viber to the top ranks of instant messaging services used in the Russian underground. Mentions of Skype grew significantly, while mentions of Jabber (XMPP) increased slightly and mentions of ICQ dropped precipitously, in part ceding ground to other messaging services.

The story is even more interesting when we consider the distribution of mentions in elite Russian forums. In 2012, that distribution was as follows:

1. ICQ (60.63%)
2. Jabber (XMPP) (17.93%)
3. Skype (16.93%)
4. PGP (1.87%)
5. Quiet Internet Pager (1.61%)
6. Pidgin (0.42%)
7. Tencent QQ (0.34%)
8. AOL Instant Messenger (0.26%)

Jabber and ICQ accounted for 78.56% of the top instant messenger mentions. This observation is realistic given the heavy usage of ICQ by Russian speakers and the emphasis on anonymity and privacy provided by Jabber.

By 2016, however, ICQ ceded ground to Jabber, which moved into first place among the relative mentions, and Telegram, which grew to occupy a sizable share of the pie. This evidences a shift in user preferences towards messaging platforms that are more secure, provide better anonymity, and are either decentralized or otherwise make it difficult for law enforcement to access logs of user activity. The breakdown for instant messenger mentions in 2016 was as follows:

1. Jabber (28.3%)
2. Skype (24.26%)
3. ICQ (18.74%)
4. Telegram (16.39%)
5. WhatsApp (3.93%)
6. PGP (3.79%)
7. Viber (3.01%)
8. Signal (1.58%)

SPANISH

Compared to members of Russian-language underground forums, members of Spanish-language underground forums tend to be less technologically sophisticated and less aware of issues pertaining to privacy and anonymity. These characteristics are reflected in the mix of instant messaging services mentioned across the Spanish-language underground.

In 2012, that mix consisted of the following services:

1. Skype (48.76%)
2. WhatsApp (13.64%)
3. Pidgin (7.23%)
4. ICQ (5.99%)
5. Windows Live Messenger (5.58%)
6. Jabber (XMPP) (6.4%)
7. AOL Instant Messenger (AIM) (4.55%)
8. Trillian (2.89%)
9. PGP (2.89%)
10. Nimbuzz (2.07%)

Far and away, the service most often mentioned was Skype, while the most popular services among the most elite Russian-speaking cybercriminals (ICQ and Jabber) were mentioned much less frequently.

This distribution was starkly different during 2016. ICQ moved into the number one spot, displacing Skype, and upstart Kik Messenger came to occupy a large share of the mentions among Spanish-speaking users. In 2016, mentions of instant message platforms were distributed as follows:

1. ICQ (51.5%)
2. Skype (15.11%)
3. Kik Messenger (13.44%)
4. Jabber (8.21%)
5. WhatsApp (7.07%)
6. Telegram (2.11%)
7. PGP (0.98%)
8. AOL Instant Messenger (0.86%)
9. Threema (0.56%)
10. Pidgin (0.5%)

The dramatic shift to mentions of ICQ likely highlights Spanish-speaking cybercriminals’ efforts to mimic the communication patterns of more sophisticated users in Russian-speaking communities. Flashpoint analysts have observed numerous instances of information flows from Russian- and English-language communities into Spanish-language communities. These flows take place through connectors -- individuals active across a number of different language communities who facilitate exchanges of information between these otherwise siloed groups. In the same way that analysts have observed that malware introduced on Russian forums typically takes a few months to find its way into Spanish-language communities, it appears that usage of platforms is also influenced by trends in more elite forums.

The large volume of Kik Messenger mentions is more difficult to explain. The service is not popular among elite cybercriminals from other language communities, and given that Kik has existed since 2010 but did not rise in prominence in the Spanish-language underground until near the end of 2016, it is unclear what caused the sudden recent spike in popularity. One potential answer could be the fact that Kik (like ICQ and Telegram) facilitates group chats among members of the service. In light of the rather turbulent nature of Spanish-language communities, which appear and disappear suddenly and without warning, analysts have observed members forming groups on Kik and ICQ, likely in part for redundancy reasons should the main forum go down.

FRENCH

Many of the French-language cybercrime communities included in this study are very conservative when it comes to their communication choices. Historically, they have tended to be very distrustful of instant messaging services and generally prefer to use email or the forum messaging system to send messages encrypted with Pretty Good Privacy (PGP) software. Indeed, most forums have a special field for members to publish their public PGP key, some forums strongly encourage members to publish their public key and encrypt their communications, and still other forums do not admit member prospects who do not provide a public PGP key. Some forums have even integrated PGP encryption capability into the forum messaging platform to make it easier for members to send encrypted messages to each other.

Members of the French underground take their privacy and anonymity seriously. This characteristic is reflected in the distribution of messenger services found in that community as far back as 2012. The distribution is as follows:

1. Pretty Good Privacy (58.62%)
2. Skype (16.55%)
3. Jabber (14.48%)
4. Pidgin (10.34%)

Of the four most mentioned services, all but Skype are well known for providing the option of encrypted communications.

Since 2012, French actors have embraced the use of Jabber, and this is reflected in the share of mentions of this service during 2016. The distribution of mentions for 2016 is as follows:

1. Jabber (45.84%)
2. PGP (40.11%)
3. ICQ (8.49%)
4. Skype (2.18%)
5. Pidgin (1.3%)
6. Tox (0.59%)
7. AOL Instant Messenger (0.46%)
8. Telegram (0.31%)
9. Ricochet (0.29%)
10. WhatsApp (0.19%)
11. Wickr (0.15%)

While some members of French communities continue to insist on PGP as the only secure means of communication, many have started to use Jabber alongside PGP to conduct their communications outside of the forum. Based on Flashpoint’s long experience monitoring these forums, the French-language underground is by and large the most security-conscious language community in the Deep & Dark Web. Even novice members of French underground communities are indoctrinated very quickly into the best ways to maintain their privacy, security, and anonymity. In fact, those who do not comply are often ridiculed or refused membership in more elite communities. The results of this study tend to confirm those observations.

ARABIC

In 2012, Arabic-language forums were dominated by mentions of Skype and Windows Live Messenger. Jabber, Yahoo! Messenger, and ICQ were close behind. The 2012 distribution was as follows:

1. Skype (32.82%)
2. Windows Live Messenger (18.45%)
3. Jabber (15.73%)
4. Yahoo! Messenger (9.45%)
5. ICQ (6.55%)
6. Paltalk (3.82%)
7. Nimbuzz (3.73%)
8. AOL Instant Messenger (3.73%)
9. MSN Messenger (3%)
10. WhatsApp (2.73%)

Overall, there does not appear to be a noticeable trend of using secure or anonymous messaging platforms based on the 2012 snapshot.

In 2016, WhatsApp leapt to the top of the charts in terms of mentions on Arabic-language forums. Skype remained a close number two, and interestingly, AOL Instant Messenger came in third with a much higher number of mentions than analysts would have expected. It is not clear what may have spurred increased discussion of this particular messenger, especially since its popularity has been in decline since approximately 2009.

Interestingly, Arabic-language communities do not appear to exhibit the common trend of increased discussions pertaining to more sophisticated messaging systems. While it is true that WhatsApp introduced end-to-end encryption in 2016, it is unclear whether this feature played a role in shaping preferences around the use of this tool and its rise to number one in the Arabic-speaking underground. It is possible that the communities we monitor are so isolated that they have not been able to learn communication best practices from other groups of threat actors. It could also be the case that members of these communities have not felt the need to update their communication practices because they have not felt pressure from their host governments or local law enforcement agencies.

The distribution of mentions for Arabic-language forums in 2016 was as follows:

1. WhatsApp
2. Skype
3. AOL Instant Messenger
4. ICQ
5. Yahoo! Messenger
6. Jabber
7. Viber
8. Paltalk
9. Windows Live Messenger
10. Pretty Good Privacy (PGP)

CHINESE

The Chinese-language instant messaging market is dominated by Tencent in the form of two applications, QQ and WeChat. This dominance appears to be reflected in the cyber domain as well. It is understandable that QQ would have a prominent position since it has been around since 1999. However, only one year after its 2011 launch, WeChat had already garnered close to 10 percent of mentions in the Chinese underground. The distribution among Chinese-language communities in 2012 was as follows:

1. QQ (88.39%)
2. WeChat (8.62%)
3. Skype (1.03%)
4. Pretty Good Privacy (0.62%)
5. Windows Live Messenger (0.47%)
6. Line (0.46%)
7. ICQ (0.14%)
8. FaceTime (0.09%)
9. AOL Instant Messenger (0.08%)
10. Miranda (0.05%)
11. WhatsApp (0.04%)

Over the last four years, mentions of WeChat have gained considerably on mentions of QQ, although it appears that QQ is still the most popularly discussed platform in the Chinese underground. The two platforms even managed to further displace other platforms, collectively accounting for just shy of 99 percent of mentions of instant message platforms in 2016. The distribution in 2016 is as follows:

1. QQ (63.33%)
2. WeChat (35.58%)
3. Skype (0.44%)
4. WhatsApp (0.22%)
5. Jabber (0.31%)
6. PGP (0.13%)
7. ICQ (0.1%)
8. AOL Instant Messenger (0.08%)

Interestingly, cybercriminals in other language groups tend to avoid messaging services that are strongly suspected of collaborating with their host governments, as is the case with QQ and WeChat. In contrast, Chinese-speaking actors embrace QQ and WeChat, but in their communications employ specialized slang to evade the notice of censors and “hide” in plain sight. While cybercriminals in many other language groups use specialized jargon in their communications, this jargon is not typically meant to intentionally obfuscate their messages. In this regard, the Chinese-speaking underground is unique among the language groups in this study.

The near-exclusive mentions of QQ and WeChat, combined with their absence from other language communities, also suggest that the Chinese underground is relatively isolated from other language communities. While Flashpoint analysts have observed limited instances of crossover between Russian and Chinese communities, interactions on the whole between Chinese and other language communities appear to be much more limited than interactions between French, Spanish, Portuguese, English, Russian, and other language communities.

PERSIAN/FARSI

In 2012, members of Persian-language underground communities most actively discussed Yahoo! Messenger and Nimbuzz. The popularity of Yahoo! Messenger makes sense given that Yahoo was the most popular email service in Iran, with over 63 percent using the company’s email service as their primary email account. The factors behind the popularity of Nimbuzz are less obvious; it is known to be widely used in India, but not particularly so in Iran. The distribution of messaging service mentions in 2012 was as follows:

1. Yahoo! Messenger (51.28%)
2. Nimbuzz (17.15%)
3. Skype (7.37%)
4. ICQ (5.45%)
5. Kik Messenger (4.97%)
6. AOL Instant Messenger (4.01%)
7. Pidgin (2.88%)
8. Jabber (2.72%)
9. Windows Live Messenger (2.24%)
10. MSN Messenger (1.92%)

In 2016, Telegram became the undisputed leader among messaging services in Iran, with an estimated 20 million Iranians (one in four Iranian citizens) using the service. The reason for Telegram’s success was two-fold. First, other services that had been popular among Iranian users in recent years (such as Viber and the social media platforms Facebook and Twitter) were blocked by Iranian authorities, making it more difficult to access them inside the country.

The Iranian government has discussed blocking Telegram on a number of occasions and has attempted to pressure the company to relocate its servers that handle Iranian traffic onto Iranian soil. Despite these tensions, the government has yet to make the decision to ban or block the service. In fact, a number of Iranian newspapers, politicians, and government ministries operate Telegram channels. In December 2016, however, administrators of Telegram channels with more than 5,000 members were informed they must register with the Ministry of Culture and Islamic Guidance by February 25, 2017, or face prosecution.

Image 4 - Telegram CEO, Pavel Durov on Twitter

Image 4: Telegram CEO Pavel Durov claimed in October 2015 that the Iranian Ministry of Information and Communications Technology had blocked Telegram for refusal to collaborate in spying on Iranian citizens. The incident is shrouded in mystery, however, as many Iranian Telegram users reported that they experienced no disruptions in the service, and a spokesperson for Iran’s Ministry of ICT told Iranian media outlets that the government had taken no steps to block Telegram in the country.

The second reason for Telegram’s success is its emphasis on encrypted communications. Iranians are very conscious of the role that surveillance plays in their society. For example, after controversial results in Iran’s 2009 presidential election, many members of Iran’s Green Movement were arrested in light of suspicions that their mobile phone communications had been monitored.

The results in this study confirm Telegram’s popularity in Iran. Telegram is by far the most frequently discussed instant messaging platform in the Persian-language underground; it eclipses all other instant messaging platforms. The distribution for 2016 was as follows:

1. Telegram (88.5%)
2. Line (4.54%)
3. Skype (2.9%)
4. Yahoo! Messenger (0.96%)
5. Viber (0.92%)
6. Kik Messenger (0.64%)
7. WhatsApp (0.64%)
8. Tencent (0.44%)
9. PGP (0.24%)
10. AOL Instant Messenger (AIM) (0.24%)

Overall Findings

SKYPE IS KING

Based on our findings, analysts observed that Skype is by far the most frequently mentioned messenger across the language communities in this study. Skype was among the top five messengers in all of the language groups, and only in the French, Persian, and Chinese language communities did Skype not constitute a significant share of the most mentioned messengers. Microsoft’s bundling of Skype with its devices has likely played a large role in the application’s popularity.

CYBERCRIMINALS ARE INCREASINGLY INTERESTED IN ENCRYPTED COMMUNICATIONS

Cybercriminals across the language communities in this study moved from discussing messaging services with fewer encryption and anonymity protections to more sophisticated applications with these protections built in. Services that have become more popularly discussed in underground forums over the past few years include Jabber, Telegram, and WhatsApp. This shift can be explained by a number of factors:

- Revelations of NSA surveillance that likely prompted more users to adopt more secure communications practices
- The proliferation of encrypted communications apps, particularly in the wake of Edward Snowden’s leaks
- Information sharing by connectors in more sophisticated underground communities, who have transferred knowledge about practices to other, less-sophisticated communities

RUSSIAN-SPEAKING CYBERCRIMINALS ARE TRENDSETTERS FOR OTHER CYBERCRIME COMMUNITIES

Russian-speaking cybercriminals are well known for their prowess and universally considered the most innovative and sophisticated actors in the cybercrime ecosystem. For this reason, actors from other language communities often emulate Russian cybercriminals in an attempt to raise their own levels of competency. A practical example of this phenomenon is the number of mentions of ICQ across many cybercrime language communities. Based on usage patterns of ICQ in the general population (where ICQ has fallen into disfavor except in the countries of the former Soviet Union), one would expect to see a commensurate drop in the share of mentions across the cybercrime underground. In contrast, there was a general uptick across a number of communities. Given that there is no security rationale for increased mentions of ICQ (the service does not natively offer end-to-end encryption), the most plausible explanation is criminals’ desire to model themselves more closely on Russian-speaking criminals, or to adopt the technology to facilitate communication with Russian-speaking actors.

Business Risk Intelligence Analysis

The results of this study underscore the interconnected, agile nature of the cybercriminal ecosystem. Regardless of their language, skills, location, or affiliation, cybercriminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship. Such activities necessitate consistent access to reliable means of communication, which is why the digital communication tools examined within this study play such an integral role in facilitating cybercriminal behavior. In many instances, a cybercriminal's livelihood may depend on his or her ability to communicate with peers while evading third-party detection. As such, the decision to utilize one communication tool over others is not taken lightly and is often influenced by numerous contextual social, cultural, and geopolitical factors.

For organizations seeking to address and mitigate cyber threats, these insights can help direct existing and future intelligence-led initiatives while cultivating an increased understanding of the complex variables driving cybercriminal behavior. However, it is crucial to recognize that for some organizations, cybercriminals' use of the aforementioned digital communication tools may have more substantial implications depending on the extent to which an organization and its stakeholders engage with and/or support such tools.

In order to evaluate the risks posed by cybercriminals' use of certain communication tools, organizations should consider and further analyze the relevancy and potential impact of the following questions:

- Does an acceptable use policy address employee usage of third-party communication tools such as those outlined in this report?
- Is employee usage of such tools within internal networks monitored and/or regulated?
- Is internal network traffic monitored for personal application usage, abnormal downloads, and other behaviors that diverge from what would be expected within a business environment?
- Does the organization have ample visibility into the Deep & Dark Web to monitor for and address emerging cybercrime threats and trends?

For organizations involved in the production and/or sale of tools similar to those examined in this study, the potential implications may be more substantial. The following questions can provide additional direction and help these organizations evaluate and address any relevant risks:

- Do compliance regulations exist to address cybercriminals' and other threat actors' use of the organization's products to facilitate illicit behaviors?
- If yes, how does the organization achieve and maintain compliance?
- In the event that law enforcement subpoenas the communication records of cybercriminals or other threat actors, do formal policies and internal processes exist to minimize disruption and ensure operational continuity?
- What measures exist to mitigate damages to brand reputation in the event that the organization receives public attention for ties to cybercrime and/or other illicit behaviors?

Regardless of an organization's size, industry vertical, or location, cyber threats will continue to persist, grow more complex, and yield countless challenges across all business functions. While even the most robust, well-equipped security teams may never be able to detect and protect against each and every threat proactively, Business Risk Intelligence (BRI) derived from the Deep & Dark Web can provide organizations with additional visibility and critical insights to not only help address cyber threats but also inform strategic decisions and mitigate risk across the enterprise.
