A scam business process, where the term “neanderthal” refers to threat actors who consider themselves “mammoth shepherds” | Image: Trend Micro
The Russian-speaking cybercriminal underground remains a dominant force in the global cybercrime landscape. A recent report by Trend Micro, marking the 50th installment in their series on this subject, highlights the underground’s sophistication, resilience, and significant impact.
The underground operates with a well-structured hierarchy where reputation is currency, and trust is earned through both criminal experience and cultural assimilation. Trend Micro explains that:
“Cultural factors play a significant role… with many young individuals possessing enough knowledge to take on basic underground activities even before graduating.”
Strict forum rules and culturally specific CAPTCHAs act as filters to keep law enforcement and outsiders at bay. Newcomers must often prove past cybercriminal activity or exhibit knowledge of underground slang just to be accepted.
Roles are segmented:
- Administrators and moderators maintain forum integrity
- Sellers and service providers build brands based on credibility
- Buyers, watchers, and strangers interact peripherally
- Scammers exploit weak trust models, especially on unregulated platforms
Cybercrime, like any business, adapts to market forces and opportunities. Trend Micro identifies several emerging trends reshaping the underground:
- Phishing-as-a-Service and AI-Driven Fraud: cybercriminals now offer phishing kits, credential-stuffing tools, and even AI-powered deepfake services. Trend Micro notes:
“The widespread availability of biometric data on social media, combined with AI-powered deepfake technology, has streamlined the creation of fake identities.”
- Web3 and Metaverse Scams: the underground exploits social media and Web3 platforms like Discord, Instagram, and TikTok, using automation and impersonation to deploy NFT scams, malware airdrops, and wallet drainers.
Despite its profitability, ransomware is a divisive topic within underground forums. Many platforms ban open discussion to avoid law enforcement attention. Yet ransomware operations thrive behind the scenes, supported by:
- Initial Access Brokers (IABs)
- Affiliate programs
- Off-market recruitment
“While discussions of ransomware payloads are generally avoided, supporting services — such as Initial Access Brokers selling access to compromised organizations — remain widely available,” the report states.
Recent leaks of ransomware source code have further fueled the growth of DIY ransomware variants.
A particularly concerning evolution is the integration of cyber and physical crime. Threat actors now offer:
- “Violence-as-a-Service”
- Targeted psychological harassment (psyops)
- Open-source intelligence (OSINT) and HUMINT operations
Trend Micro reveals:
“Cybercriminals increasingly offer services on behalf of physical crime groups… including SIM card blocking and threatening calls.”
This cyber-physical nexus suggests cybercrime has moved beyond screens and into real-world operations.
Geopolitical tensions, especially the ongoing conflict between Russia and Ukraine, have redefined the underground’s operational scope. Some forums have lifted the long-standing “never work in RU” rule, and actors are now targeting Russian assets amid weakened law enforcement collaboration.
Meanwhile, state-aligned actors use cybercriminal services for strategic operations, merging hacktivism with espionage. Trend Micro also points to growing collaboration between Russian- and Chinese-speaking cybercriminals, particularly in exploit trading and talent recruitment.
This isn’t just a cybercrime ecosystem. It’s a shadow economy, complete with its own norms, rules, currencies, and innovation cycles.
“Effective cybersecurity goes beyond reactive measures — it requires a long-term, intelligence-driven strategy,” the report concludes.