Bridging Divides, Transcending Borders: The Current State of the English Underground

The English-speaking cybercriminal underground market has undergone significant transformations. We examine how it has adapted to new technology, increased law enforcement scrutiny, and linguistic diversification.


By Stephen Hilt, Mayra Rosario Fuentes

Since our previous research in 2015, the English-speaking cybercriminal underground market has undergone significant transformations due to advances in technology, increased law enforcement efforts, and a growing convergence with non-English speaking forums.

To evade law enforcement scrutiny, English-speaking underground forums have started to merge with forums in other languages. This trend allows cybercriminals to operate in jurisdictions with more lenient regulations, creating a diverse and interconnected network of criminals. Telegram, in particular, has become an increasingly predominant communication platform for cybercriminals, enabling transactions without exposing sensitive information such as Bitcoin addresses or emails in open forums. We do not yet know how the arrest of Telegram's CEO and the subsequent changes to its Terms of Service and Privacy Policy will change how cybercriminals use the platform. Telegram now hands over the IP addresses and phone numbers of users who violate its rules to authorities in response to "valid legal requests."

The underground market now offers a wide range of sophisticated services, including phone and telecommunication scams, AI tools for enhanced operations, access as a service (i.e., compromised accounts), social engineering tactics, cryptocurrency mixers to launder funds, and cashout services to convert ill-gotten gains into legitimate currency. These services demonstrate the increasing complexity and specialization within the cybercriminal ecosystem.

| Sample offering | Price |
|---|---|
| RaidForum databases | Free |
| RDPs | US$8 and up (monthly) |
| Chemical manufacturer in Israel | US$2,000 (one-time fee) |
| A billion-dollar company in Australia | US$20,000 (one-time fee) |
| A government agency in South Korea | US$500 (one-time fee) |
| An electricity, oil, and gas production company | US$20,000 (one-time fee) |
| Full network access to a Polish company | US$2,500 (one-time fee) |
| A telecommunications company in Taiwan | US$2,000 (one-time fee) |
| An architecture and planning, engineering and design, and construction company in the Netherlands | US$600 (one-time fee) |
| A healthcare service company in Maryland, US | US$600 (one-time fee) |
| Romanian population data | US$50,000 (one-time fee) |
| 58K lines of Uganda's top customs taxpayers | US$2,000 |
| A holding and conglomerate company in the US | US$3,000 |

Table 1. A list of services offered and their sample pricing

Figure 1. Full leaked databases are available for free

Cybercriminals are abusing AI technologies, such as generative AI, to create phishing content and bypass security measures; however, fully AI-generated malware has not yet been observed in the wild. Bulletproof hosting, VPNs, and proxies continue to provide infrastructure support for cybercriminals, ensuring anonymity and resilience against takedowns, and so enable illegal activities to continue while evading law enforcement efforts. Despite the closure of major marketplaces such as Hydra and Incognito, new platforms have emerged to fill the void. Trust, however, remains a significant challenge in these markets, as users seek reliable venues for their activities.

In this research, we examine how the English-speaking cybercriminal underground has adapted to increased law enforcement scrutiny and linguistic diversification. We also explore the implications for cybersecurity practitioners and policymakers, emphasizing the need for a global approach to combat cybercrime.
