An Executive’s Guide To The Cybercrime Underground

David Carmiel, KELA’s CEO

In recent years, the cybercrime underground has become increasingly sophisticated and profitable by preying on vulnerable organizations. As a result, security leaders must gain visibility into what happens in this underground network of illegal activity to protect their organizations from emerging threats and accurately assess their risks.

In this article, I will explore the current state of the cybercrime underground, including its definition, motivations, actors and methods. I will also provide recommendations for security leaders on defending their organizations against emerging threats.

Defining The Cybercrime Underground

The cybercrime underground is a term for virtual sites, methods, platforms and tools with which threat actors congregate and communicate to sell their ill-gotten gains and purchase criminal services and products.

Online forums are an illustrative example of where threat actors conduct illegal commercial activities. Forums provide an effective platform for threat groups, their peers and their potential customers to discuss tactics, technologies and procedures. These virtual venues allow criminals to recruit talent and engage in illegal commerce.

Online markets provide the means and methods necessary—such as advertising space, product descriptions, catalogs and shopping carts—to support the buying and selling of everything, from illegal drugs to stolen credentials to webmails or Slack. For example, automated shops, such as the recently seized Genesis and 2easy, make the purchase of nefarious services and stolen products as simple as the click of a mouse—including the data stolen from your organization.

Telegram and similar messaging apps are also popular among cybercriminals due to their end-to-end encryption and secret chats. These features allow criminals to operate in secret and avoid detection by law enforcement. Cybercriminals use these platforms to recruit new members, distribute stolen data and trade in stolen goods, including malware and hacking tools.

Why The Term "Dark Web" No Longer Fits

Before illegal marketplaces and automated shops existed, the term “dark web” was used to describe the use of an anonymous browser, most notably Tor, to facilitate interactions between criminals. Today, anonymous browsers are used for such benign activities as reading the news or scrolling social media. Using Tor is no longer an indication of illegal activity; instead, it reflects the growing desire shared by honest, hard-working people to remain anonymous as they navigate online.

As commercial activity on the internet has matured, the term cybercrime underground has become more accurate and descriptive than the overused and ill-fitting expression “dark web.” Cybercrime underground reflects the nature of all online criminal activity, not just the medium used to access or carry out illegal activities.

Over the years, the term "dark web" has been exaggerated to include misleading and untrue statistics

Rather than a dark and scary place where hired assassins lurk in the shadows, as it has been portrayed, the dark web—as the term used to describe the cybercrime underground—resembles any other financially driven market governed by the same rules of supply and demand.

The modern cybercrime underground explicitly dispels the stereotype of a hacker in a black hoodie hunched in front of a computer. For example, leaked internal conversations from the Conti ransomware gang illustrate that this group is highly organized and includes hackers, coders, testers, reverse experts, crypters, OSINT specialists, negotiators, IT support and human resources specialists. They use traditional marketing workflows to gain traction among their customers. They have complicated supply chains to move products and services through the ecosystem. They offer service tickets to provide a quality customer experience as they sell illegal products.

New And Emerging Threats And The Advantage Defenders Have

Cybercriminals are constantly evolving their strategies as threat actors and security teams who are defending their organizations play a perpetual game of cat and mouse. Society’s online adversaries must develop new methods and technologies to infiltrate systems, making it crucial for organizations to stay informed of the latest threats through cyber threat intelligence.

While it is true that the cybercrime underground is a place where threat actors congregate, shop and do business, this also presents an advantage for security practitioners. Knowing how criminals operate enables monitoring and analysis of their activity, potentially preventing attacks.

By understanding how the cybercrime underground works, defenders can view their organization and its defenses from the same vantage point as the bad guys and more accurately assess their organization’s risk.

Actionable Steps To Monitor The Cybercrime Underground

Organizations must also understand the cybercrime underground, learn from past breaches, identify their attack surface and educate their staff about cyber threats. It’s essential to make it difficult for cybercriminals to succeed by implementing cybersecurity best practices, establishing robust user authentication methods and reducing attack surface through technical and organizational measures. By understanding the evolving landscape of cybercrime and staying up-to-date with the latest trends, organizations can better protect themselves from becoming the next victim.

Then, in order to shore up your security strategy and stay ahead of the bad actors, which I have also written about in a previous article, it is important to consider leveraging threat intelligence data from underground sources, such as those provided by threat intelligence solutions. These sources can help you to identify potential risks before they become problems.

Once you have threat intelligence data, you should create a comprehensive plan to identify, prioritize and protect your most valuable digital assets. Utilize the resources available to gain insight into potential attack vectors and prevent malicious actors from exploiting any weaknesses you may have. As your plan develops, you can gather more critical insights from various sources. These data points may include cybercrime findings, threat alerts and threat actor reports, to name a few.


Effective cybersecurity requires understanding the cybercrime underground, and actively preparing for threats is vital. Cyber threat intelligence plays a significant role in allowing organizations to assess, predict and prepare for new attack vectors.

Knowing where and how criminals conduct business allows organizations to monitor and analyze much of their activity, and this information helps defenders assess their organization’s risk more accurately and protect themselves against attack.

The article was published on on May, 10th, 2023

Start Preparing Your Organization Today

Sign up for our Cyber Intelligence Platform free trial.