The Weird, Big-Money World of Cybercrime Writing Contests

These contests are held on Russian-language cybercrime forums, and prizes of up to $80,000 are awarded to the winners.

Cybercriminals can be creative — especially when there’s money to be made. A hacker has written a 50-page article on how to invest in cryptocurrencies and sell them at the right time for a profit. Another post put together a guide on how to create a fake version of that could be used to steal people’s usernames and passwords. Another produced instructions – cryptically titled “Nurturing Daddy Gracefully on Lavender” – explaining how to scam money from people who pay to watch webcam models perform.

These unusual documents and tutorials are produced by cybercriminals and hackers trying to monetize their ideas, technical skills and writing skills. Once they have completed their essay, they submit it to be judged in a competition on a Russian-language cybercrime forum. These contests, which can pay out thousands of dollars, are one of the more exotic aspects of the forum.

For more than a decade, Russian-language cybercrime forums (primarily for trading stolen data, touting new security vulnerabilities, and connecting criminals) have held contests that allow their members to earn some extra cash and earn some honor. A new analysis by cybersecurity firm Sophos sheds light on how these contests work and how rapidly they have grown in size over the past few years. For entrants, there’s the potential for big prizes: $80,000 in total prize money for a recent contest.

“You can tell that some people put a lot of effort into these things,” said Christopher Budd, director of threat research at Sophos X-Ops. It appeals to the audience in a way.”

In his analysis, Sophos researcher Matt Wixey examines the latest contests on the cybercrime forum Exploit and XSS. Forum administrators announce the contest and ask people to submit written articles. While the entries are usually in Russian, sometimes forum members translate them into English to be “good community members,” Bader said.

Also Read:

The last XSS contest was held between March and July 2022. Total prize money was $40,000, up from $15,000 the previous year. According to Sophos analysis, the contest is widespread, and forum members are asked to submit entries on about half a dozen topics. Malware development, ways to evade antivirus and security products, ways to hide malicious code, and social engineering techniques are all included on the list.

Meanwhile, Exploit’s previous competition offered more prizes (a total of $80,000), but was more specific, requiring entries in April 2021 on cryptocurrency attacks, thefts, and vulnerabilities. A subgenre of the topic is “Using Cryptocurrencies for Security, Except for Mediocre Things.”

“It’s another way the criminal world mirrors, adapts and adopts the best practices of the legal industry,” Bard said. He compares some of the processes and entries to legitimate cybersecurity research conferences and events such as Black Hat, Defcon, and Pwn2Own. Unlike cybersecurity researchers who discover problems to make products and services more secure and then share their research for others to learn from, criminals create these works with malicious intent.

Criminal contests have their own rules to reduce opportunities for cheating, Bard said. Regarding exploits, the rules state that entries “must not be published elsewhere,” should be “meaningful and informative,” should include technical details such as code or algorithms, and be “at least 5,000 characters (excluding spaces).” That equates to around 1,000 words, or the approximate length of this WIRED article. The rules for XSS are similar — “copy-paste = fired from competition, disgrace” — but they require articles to be longer (at least 7,000 characters) and state that there should be “correct formatting, spelling, and punctuation.”

However, liars will still cheat. In the most recent competition, Exploit received 35 entries and XSS received 38 entries. But XSS disqualified 10 of them. Sophos said the winner of the contest was determined by forum members voting on entries, but webmasters could also pick winners, and there have been complaints of vote rigging.

Also Read:

These games have evolved and grown over time, Bard said. Contests on cybercrime forums started around 2006, according to previous research by cybersecurity firm Digital Shadows (later acquired by ReliaQuest). According to Roman Faithfull, a cyber threat intelligence analyst at ReliaQuest, these earliest contests were simple. “In the beginning, they were pretty low-key,” Faithful said. “They’re not always organized by forum moderators.”

Some of the earliest contests asked forum members to design logos and even offered small prizes to commenters with the longest account history on forum posts, he said. “As the forums have become more complex, the games in general have become more complex,” Faithfull said.

Since around 2015, these competitions, mostly held annually, have focused on writing and submitting articles and code, according to ReliaQuest researchers. “There’s a lot of focus on things that make people money,” he added. As this happened, so did the prize money: on XSS, the total prize money in 2018 was $1,000, rising to $40,000 in 2021, with the winner taking home $14,000. They’re in a very difficult situation and need some quick cash,” Faithfull said. “It’s very unlikely that you’ll see a ransomware group, or actually someone at a high level. “

Sophos research found that the entries in the last two competitions were quite broad. Some are more innovative, while others basically repeat information found elsewhere. The winner of the Exploit 2021 Crypto Competition created a clone of the website, which Sophos said was “relatively simple” overall. “Clone sites like these are often used like any other phishing or credential-stealing site,” the study said.

Other winning entries or entries that received honorable mentions in exploit competitions focus on initial coin offerings, guides to creating phishing sites to steal people’s cryptocurrency account details, and tutorials on creating cryptocurrencies from scratch. However, it is worth noting that there have been free public tutorials on how to do this for many years,” said the Sophos study.

Also Read:  A Clever Honeypot Tricked Hackers Into Revealing Their Secrets

An entry to the XSS Contest details the author’s experience attacking the Microsoft Active Directory service and hiding the hacking tool from the Windows antivirus system. The winning XSS entry, though, focused on vulnerabilities in electronic payment systems; it also highlighted a vulnerability in an XSS forum that allowed people to “effectively generate cryptocurrency out of thin air,” Sophos Research said. Only one article focuses on hardware. The author has written a guide for creating a hardware cryptocurrency wallet, which includes photos and CAD drawings. It’s not specifically targeting cybercrime, but instead attempts to protect people’s bitcoin and other cryptocurrencies from attack, the study said.

“Broadly speaking, these help us understand what the criminal underground is looking at,” Bard said, adding that he believes the main purpose of forum competitions is to encourage the community. Multiple cybercrime forums of various sizes are running at the same time, and if one forum has better conversations, technical information, and offers incentives, the chances of people keeping coming back are greater.

But these contests may also help foster more organized cybercriminal groups. Prize money for contests is usually offered by forum owners, but can also be offered by well-known cybercriminal gangs, including All World Cards and the LockBit ransomware group. The 2022 XSS competition was sponsored by a threat actor using the account of Alan Wake, which has been linked by some to the Conti ransomware group. “If your sponsor likes your article,” read one post, “you’ll get a high-paying job on the Alan Wake team after the contest.”

Categories: Security