Cybercriminal Undergrounds: Social and Economic Philosophies

Credit to Author: Trend Micro| Date: Thu, 09 Nov 2017 18:52:14 +0000

Cybercriminal undergrounds are formed with social and economic influences.

When you think of a hacker, what's the first thing that comes to mind? It might be a lone person typing away in a dark room, the image commonly shown in movies and on television. The world of cybercrime is far more sophisticated than this. Attackers form groups to mount larger threats and run more organized breaches, and there are flourishing cybercriminal undergrounds across the world where hackers buy and sell a wide variety of goods, including personal information, malicious programs and tools for breaching systems.

Cybercriminal undergrounds are direct reflections of the social and economic philosophies of their regions. Trend Micro has followed the global cybercriminal underground closely for years and has seen how each regional market is shaped by its geopolitical situation, cultural differences and economic structure. The offerings, accessibility and culture of each regional underground economy are unique and tie directly to how the country or region functions as a whole. Let's take a closer look at these undergrounds and how they reflect real-world society.

North America

The North American cybercriminal underground is by far the most accessible and visible of all the regions that have been studied. In some instances, underground offerings are found on the Surface Web, advertised on forums and in YouTube videos to draw in customers. While this visibility allows for greater profitability, it also makes underground sites more fragile and more exposed to law enforcement. Trend Micro research has found that these sites appear and disappear quickly, which makes them harder to track and take down. Drug-related trade is at the core of these markets, but crimeware and data dumps are becoming a bigger focus on the cyber front. The wide range of illegal products and services, and the variety of customers, embody the melting pot of North America and ensure there's something for everybody.

Cybercrime in North America and Brazil is more visible.

North American law enforcement efforts are generally stronger because of the commitment to protect citizens from cybercrime. Trend Micro has helped law enforcement agencies take down major botnet operations that served as the backbone of many cybercriminal schemes. Although shutting down cybercriminal undergrounds in this region remains challenging, we expect these ongoing partnerships to lead to more arrests and takedowns in the future.

Brazil
Socio-economic factors and a lack of law enforcement in Brazil have led to an underground environment where individuals can earn quick returns at low risk. Brazilian cybercriminals operate through public forums and apps because law enforcement simply isn't able to handle the challenge. Publicly accessible platforms like Twitter, Facebook and YouTube are also leveraged for malicious activity. Banking malware is the biggest seller in this underground, as it can be distributed widely. The Brazilian underground goes a step further in disregarding authority by offering training to emerging cybercriminals: offerings resembling online classes equip an individual with everything required for a successful cybercriminal operation. The lack of capable enforcement means that cybercriminals are thriving and feel emboldened to share their achievements, which attracts future cyber actors.

Russia
When the Berlin Wall fell, organized cybercrime arose from the rubble and set in motion the cybercriminal activity we're familiar with today. What started as a few curious hackers working together has grown into a significant crime operation with global reach. Today, popular Russian underground forums can have up to 20,000 unique members. The region is also the global center of malware creation, supplying attackers locally as well as exporting to other regions, including Brazil and Japan. The only limitation on attacks stemming from here is "Don't attack Mother Russia." Everyone else is fair game.

China
The Chinese underground is at the forefront of cybercriminal technology: advances in the latest crimeware are not only made here but also tested here. As with real-world technological innovation, the cybercriminals operating in this market lead the world in developing new malware and attack vectors. Chinese-speaking threat actors, regardless of their physical location, abuse web apps to communicate. Leaked data is widely sold in the region, enabling participants to carry out everything from fraud to extortion. As social engineering became the most prevalent means of victimization, the Chinese underground began selling tools and kits to take advantage of that trend. The more technology evolves in the real world, the more threat testing will take place here before spreading to other regional marketplaces.


Middle East and North Africa

The Middle East and North African underground is driven by the ideology of a "spirit of sharing" and a sense of brotherhood in distributing crimeware. It's common for cybercriminals to hand out code, malware and instruction manuals for free in the name of religion and camaraderie. This spirit is also reflected in the way members plan and launch DDoS and website defacement attacks. However, while this underground is open to its players, it is more cautious toward outsiders: potential customers are barred from window-shopping, and buyers must register for a membership. This process filters for serious clients and helps cybercriminals remain more covert.

West Africa

Although there's no formal underground market within West Africa, the area is experiencing a surge in cybercriminal activity. Religion and a desire to extort Westerners drive much of the business email compromise (BEC) activity that stems from this region, with a ritual called sakawa fueling some of the efforts. Cybercriminals in West Africa come in two types: those who rely on social media and have basic technical know-how, and those who are older and more technically adept. Law enforcement is becoming more effective, with 30 percent of reported crimes leading to arrests of these actors.

Japan
Daily life in Japan and its criminal underground are both guided by law, discipline and tradition. Trend Micro's research found that Japanese cybercriminals ensure that only those "in the know" can access their sites and wares. Hackers are increasingly using the deep web and gift cards to limit traces of illegal activity. Contraband such as drugs and weapons stands in direct contrast to the country's strict laws, which puts these items in high demand among serious buyers. Interestingly, since developing malware is itself illegal in Japan, local actors respect that line and rely instead on malware samples imported from other regions, such as Russia.

Societal and economic conditions play a large role in shaping a region's underground marketplace. To find out more about just how much cybercriminals are influenced by their surroundings, dig into the research from Trend Micro.