Characterizing Eve: Analysing Cybercrime Actors in a Large Underground Forum

  • Sergio Pastrana
  • Alice Hutchings
  • Andrew Caines
  • Paula Buttery
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)


Underground forums contain many thousands of active users, but the vast majority will be involved, at most, in minor levels of deviance. The number who engage in serious criminal activity is small. That being said, underground forums have played a significant role in several recent high-profile cybercrime activities. In this work we apply data science approaches to understand criminal pathways and characterize key actors related to illegal activity in one of the largest and longest-running underground forums. We combine the results of a logistic regression model with k-means clustering and social network analysis, verifying the findings using topic analysis. We identify variables relating to forum activity that predict the likelihood a user will become an actor of interest to law enforcement, and would therefore benefit the most from intervention. This work provides the first step towards identifying ways to deter young people from a career in cybercrime.


Keywords: Cybercrime, Underground forums, Social behaviour, Criminal pathways



We thank the anonymous reviewers for their insightful comments. We also thank our colleagues from the Cambridge Cybercrime Centre for access to the CrimeBB dataset and their invaluable feedback, and Flashpoint, for assistance relating to actors of interest. This work was supported by The Alan Turing Institute’s Defence and Security Programme [grant DS/SDS/1718/4]; and the UK Engineering and Physical Sciences Research Council (EPSRC) [grant EP/M020320/1].



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. Cambridge Cybercrime Centre, Department of Computer Science and Technology, University of Cambridge, Cambridge, UK
  2. Theoretical and Applied Linguistics, Faculty of Modern and Medieval Languages, University of Cambridge, Cambridge, UK
  3. Natural Language and Information Processing, Department of Computer Science and Technology, University of Cambridge, Cambridge, UK
