Content material warning: Due to the character of a few of the actions we found, this sequence of articles accommodates content material that some readers might discover upsetting. This contains profanity and references to medication, drug dependancy, playing, pornography, violence, arson, and intercourse work. These references are textual solely and don’t embrace pictures or movies.<\/em><\/p>\n Following on from the third chapter<\/a> of our five-part investigation into what cybercriminals do with their earnings<\/a>, we now study numerous types of enterprise and revenue era which can be, in threat-actor parlance, \u2018black\u2019 (unlawful).<\/p>\n We acknowledge that legality can fluctuate relying on jurisdiction. Nevertheless, the breadth and depth of those actions are such that we’ve to categorize them in some way, and utilizing the risk actors\u2019 personal classes is a logical if imperfect alternative.<\/p>\n We noticed a low-level fraud scheme involving the creation of a number of accounts to carry out \u201cduties\u201d beneath a distinguished firm\u2019s rewards program. The risk actor suggested utilizing an \u201cautomation extension\u201d to carry out the duties, and redeeming the earnings as reward playing cards. In addition they supplied recommendation on avoiding the detection of a number of accounts.<\/p>\n We noticed a number of threads referring to pyramid schemes and scams, together with:<\/p>\n Determine 1: A risk actor tries to recruit different customers to an \u201cassociates program\u2026[for] anybody who desires to generate income promoting well-liked academic merchandise\u201d<\/em><\/p>\n We famous a number of guides on creating \u2018CPNs\u2019 (Credit score Privateness Numbers) to ascertain artificial identities<\/a> (typically often known as \u2018ghosts\u2019) to use for loans and bank cards, purchase automobiles, and launder cash \u2013 or to promote to folks as a part of fraud campaigns.<\/p>\n Determine 2: A part of an in depth information on CPNs on a felony discussion board<\/em><\/p>\n One risk actor described a low-level scheme to fraudulently declare refunds from sports activities attire firms, by claiming that deliveries didn’t arrive. The consumer outlined the scheme, offering recommendation on:<\/p>\n Determine 3: A risk actor outlines a low-level refund rip-off<\/em><\/p>\n One other risk actor supplied a information to a low-level rip-off on Avito (a Russian labeled adverts market), whereby customers submit fraudulent listings, obtain cash from a purchaser, however don’t ship the merchandise and as an alternative get the customer banned from the platform. The submit contains recommendation on the scheme, the right way to create a sexy itemizing, and the right way to set a worth.<\/p>\n In a thread itemizing a number of concepts for cash laundering, a risk actor urged: \u201cRecruit (actual or pretend) escorts to ship you money of your individual cash after they declared their \u2018revenue\u2019 from intercourse work\u2026the prostitute concept is within the Canadian context since prostitution is authorized to promote, not purchase.\u201d One other concept from the identical consumer: \u201cFaux you’re a hooker your self.\u201d<\/p>\n In an analogous vein, a consumer claiming to be from Australia famous in one other thread that since prostitution is authorized there, that they had the concept of \u201cpretending to be an escort to scrub money.\u201d<\/p>\n Determine 4: A risk actor proposes pretending to be a male escort to launder cash<\/em><\/p>\n A risk actor urged making a \u201cjob web site for escort women\u201d \u2013 the place \u201csevere escort businesses\u2026even brothels\u201d can join with \u201cwomen who wish to go to enterprise, however there is no such thing as a ticket there for the prepare from the village or for the airplane to Dubai or anything.\u201d<\/p>\n Some customers picked minor holes on this plan (rivals, difficulties in promoting visitors to the location), with one arguing: \u201cWhy such a problem, if you happen to actually wish to do pussy, you make webcam studios.\u201d<\/p>\n Determine 5: A risk actor proposes making a \u201cjob web site for escort women,\u201d sparking a protracted dialogue about intercourse work<\/em><\/p>\n One consumer stated: \u201cI’ve the chance to arrange my very own brothel in Sochi\u2026the Sochi cops are negotiable and gained\u2019t take very a lot\u2026However it’s important to make investments a ton.\u201d<\/p>\n In the identical thread, we additionally noticed the next disturbing remark:<\/p>\n The ladies will have to be trampled down, instilled in them with the concept that they’re no one and nothing and solely beneath your safety can they in some way earn one thing. This can be particularly evident within the prostitution enterprise, the place the best and most conventional manner of controlling feminine staff is to make them drug dependent.<\/p>\n<\/blockquote>\n A risk actor sought a enterprise companion with \u201can energetic eBay vendor account\u201d as a result of they \u201chave a big provide of counterfeit gold and have been promoting it\u2026the issue is\u2026opening up new accounts.\u201d<\/p>\n Determine 6: A risk actor seeks assist promoting \u201ca big provide of counterfeit gold,\u201d which they declare to have already been doing for some time<\/em><\/p>\n A risk actor sought recommendation on the right way to pretend the nation of origin for cheaply purchased Chinese language items that they deliberate to promote on-line. Alongside comparable strains, we famous a scheme to create a web-based store and \u201cpromote excessive class fakes.\u201d Different customers suggested them to \u201cattempt to undergo moderation of merch as second hand\u2026they won’t ask for invoices.\u201d The identical consumer supplied in depth element on their very own experiences.<\/p>\n In by far probably the most weird thread we found, a risk actor claimed to have \u201cdiscovered some pharaonic and coptic monuments [i.e., Ancient Egyptian artifacts]\u2026solely two folks find out about its location. We wish to promote it, however we don\u2019t know the way\u2026to deal with the cargo and the proper place to promote in an public sale (black market).\u201d The consumer uploaded two photographs of what gave the impression to be a sarcophagus mendacity on bubble wrap.<\/p>\n Determine 7: A risk actor claims to have \u201csome pharaonic and coptic [sic] monuments\u201d that they wish to \u201cpromote in an public sale (black market)\u201d<\/em><\/p>\n Some customers expressed curiosity in buying; others beneficial technique of verifying age\/authenticity. One consumer claimed that that they had been to Egypt for the same job and will put the sellers in contact with a authentic purchaser \u201cwho will purchase it instantly after his knowledgeable confirms.\u201d<\/p>\n One risk actor said that \u201cwe’ve direct enterprise relations with an American firm that legally grows and sells marijuana within the US.\u201d The consumer famous that the enterprise is in search of lead turbines and buyers, with lead turbines getting 10% of revenue (\u201crevenue is often $1000-$4000 per day\u201d).<\/p>\n We additionally noticed a information on the right way to develop 25kg of hashish in 4 months. The consumer outlined prices, together with $7,000 for hydroponics, $1,500 for fertilizer, $12,000 to hire a home, and $1,700 a month for lighting. \u201cThe typical price of 25 kilograms of excellent grass wholesale is $50,000\u2026promoting is straightforward and protected\u2026by no means fascinating to the cops \u2013 in court docket you’ll have to show the actual fact of the sale.\u201d<\/p>\n Determine 8: A risk actor posts a tutorial on rising hashish, the gear wanted, and expenditure<\/em><\/p>\n As famous in the primary article<\/a> on this sequence, we famous an admission from a risk actor that they’ve given cocaine and capsules to cybercriminals, in change for stolen bank card particulars.<\/p>\n Determine 9: A felony discussion board consumer admits to giving cybercriminals \u201ccocaine or capsules\u201d in change for stolen bank card particulars<\/em><\/p>\n We noticed an in depth dialogue on tax evasion strategies, together with particular steerage on tax evasion versus cash laundering; utilizing \u201ca corrupt, overseas financial institution\u201d versus false reporting; hiring \u201cspecialised attorneys\u201d and extra.<\/p>\n Determine 10: A part of an in depth dialogue on tax evasion on a felony discussion board<\/em><\/p>\n One risk actor claimed to have an insider in a distinguished know-how agency, who beneficial investing huge cash after \u201cthe corporate made some main modifications\u2026they need to double their inventory worth in 12-16 months.\u201d<\/p>\n Determine 11: A risk actor claims to have an insider inside a distinguished know-how firm<\/em><\/p>\n One other risk actor suggested others \u201cto not gamble on the inventory market\u2026getting inside data is the one manner\u2026if hacking teams give a heads up on which firm\u2019s paperwork they\u2019re going to leak you should purchase put contracts on the corporate and revenue on inventory taking place.\u201d<\/p>\n In the identical vein, one other consumer requested about shorting shares of firms affected by ransomware assaults, and puzzled if ransomware operators have thought-about doing this. Most customers stated this was viable, though others had been extra uncertain (\u201cYou’ll appeal to regulatory authorities for insider buying and selling\u201d).<\/p>\n In the identical thread, risk actors additionally mentioned different varieties of assault (DDoS and web site defacements), together with their attainable impacts on inventory worth and whether or not it will be price shorting the inventory. A consumer urged utilizing web optimization, deepfakes, and AI-generated articles to drive down the inventory costs of attacked firms additional.<\/p>\n On one other thread, a risk actor claimed to \u201cpromote insider info effectively prematurely of the massive strikes out there for some cryptocurrencies. I often work with funding firms, however a few of you could have an honest quantity of cryptocurrencies, and I consider that I may be of nice assist to you.\u201d<\/p>\n Throughout our analysis, we famous many risk actors asking their friends what they need to make investments their cash in, and replies comparable to \u201cmake investments it within the enterprise that introduced you this revenue. It\u2019s apparent.\u201d Reinvesting in cybercrime could also be engaging to risk actors who’ve \u2018paid their dues\u2019 and profited \u2013 they will spend money on a brand new mission in a well-recognized discipline, and reap the rewards whereas being uncovered to much less threat.<\/p>\n We noticed a number of funding alternatives in in-progress\/in-development malware and campaigns, together with an funding alternative ($1,000-2,000) in an Android botnet, with the flexibility to steal bank card data, spam contacts, ahead incoming calls, launch customized apps, and intercept incoming SMS messages. A screenshot was included.<\/p>\n We additionally famous:<\/p>\n Determine 12: A risk actor seeks funding to create their very own \u201cbotnet logs retailer\u201d<\/em><\/p>\n Determine 13: A screenshot of a Telegram phishing platform, included as a part of a pitch to potential buyers on a felony discussion board<\/em><\/p>\n We noticed a chance (ROI: 30% of revenue) to spend money on a year-old DDoS-related mission (the consumer insisted that this was not a rip-off, pointing to their fame and lack of arbitration complaints, and the truth that they had been keen to debate circumstances privately).<\/p>\n We noticed an funding alternative (ROI: 20% of every cashout) in sim-swapping. \u201cI’ve crypto logins and financial institution logins with cash, my final step is sim-swapping.\u201d<\/p>\n One risk actor proposed launching a crowdfunding platform on Tor \u201cfor gray\/black matters.\u201d Different customers gave the impression to be eager in precept, however famous that the platform would wish to each guarantee anonymity and forestall scams. One consumer urged sensible contracts as a attainable resolution.<\/p>\n Determine 14: A risk actor proposes a \u201cdarknet\u201d crowdfunding platform for felony actions, likening the precept to Kickstarter<\/em><\/p>\n A risk actor proposed a scheme whereby they would offer different customers with counterfeit US foreign money to launder, earlier than giving the OP a share. The OP urged $400 (4 $100 payments) to begin, later rising to hundreds. The counterfeit payments allegedly had a number of serial numbers, watermarks, safety strips, optically variable ink, and handed the \u201cpen check\u201d (a technique to detect counterfeit payments through a particular ink), however didn’t work in ATMs and wanted to be aged and handled earlier than use.<\/p>\n One other consumer outlined a plan for counterfeit payments, and supplied particulars on their digital and bodily OPSEC measures. The latter included:<\/p>\n Determine 15: A risk actor goes into vital element concerning their plan to distribute counterfeit payments<\/em><\/p>\n Lastly, we noticed a very disturbing thread, though it was (in all probability intentionally) very imprecise. A risk actor requested the cryptic query: \u201cHas anybody encountered or maybe heard of individuals being intimidated by voices? An individual is combined with some substance after which he begins to have extreme issues.\u201d<\/p>\n Determine 16: A risk actor posts an uncommon query on a felony discussion board<\/em><\/p>\n One other consumer responded:<\/p>\n You need to use a \u2018fact serum\u2019 (scopolamine or analogues, accessible on the darknet)\u2026the individual himself will quit all the things and let you know all the things. In actual life, I noticed a profitable theft utilizing scopolamine, the person did all the things he was requested to do \u2013 he took the paperwork and laptop computer out of the home, he withdrew cash from the ATM, he himself entered passwords in banking. Watch out about dosing.<\/p>\n<\/blockquote>\n Scopolamine (prescribed to handle, amongst different issues, nausea and vomiting attributable to movement illness or surgical anesthesia) is thought to have been used for theft<\/a>, and allegedly additionally to facilitate kidnappings and sexual assaults<\/a>.<\/p>\n Over the previous 4 articles, we\u2019ve explored a wide selection of enterprise pursuits, starting from the innocuous (digitizing VHS tapes and making a cell health app) to the downright felony (curiosity in working a brothel, counterfeit payments, rising hashish) and just about all the things in between. However what does this imply for the cybersecurity trade, regulation enforcement, and society as an entire?<\/p>\nKey findings of Half 4<\/h2>\n
\n
Fraud and theft<\/h2>\n
Bots<\/h3>\n
Pyramid schemes<\/h3>\n
\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image2_3be8ba.png\")
<\/a><\/p>\nArtificial identities<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image3_1033b0.png\")
<\/a><\/p>\nRefunds<\/h3>\n
\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image4_2b1e7f.png\")
<\/a><\/p>\nCategorized adverts<\/h3>\n
Intercourse work<\/h2>\n
Laundering<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image5_132f3b.png\")
<\/a><\/p>\nControlling prostitution<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image6_63656d.png\")
<\/a><\/p>\n\n
Stolen and counterfeit items<\/h2>\n
Counterfeit gold<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image7_7e2bed.png\")
<\/a><\/p>\nPretend items<\/h3>\n
Historic artifacts<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image8_619eed.png\")
<\/a><\/p>\nMedication<\/h2>\n
Hashish<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image9_42b114.png\")
<\/a><\/p>\nMedication and carders<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image10_8249b5.png\")
<\/a><\/p>\nTax evasion<\/h2>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image11_244d55.png\")
<\/a><\/p>\nInsider buying and selling<\/h2>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image12_7b3fe4.png\")
<\/a><\/p>\nReinvesting in cybercrime<\/h2>\n
Malware and phishing<\/h3>\n
\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image13_7e4e75.png\")
<\/a><\/p>\n![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image14_db7ff6.png\")
<\/a><\/p>\nDDoS<\/h3>\n
SIM-swapping<\/h3>\n
Crowdfunding<\/h3>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image15_f7b1b7.png\")
<\/a><\/p>\nCounterfeit foreign money<\/h2>\n
\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image16_279b80.png\")
<\/a><\/p>\nPotential assault<\/h2>\n
![\"A](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2025\/03\/image17_46750c.png\")
<\/a><\/p>\n\n