The Weird, Big-Money World of Cybercrime Writing Contests

Cybercriminals can be inventive—especially if there’s money on the table. One hacker has penned a 50-page essay on how to invest in cryptocurrency and sell at the right time to make a profit. Another put together a guide for how to create a fake version of blockchain.com that could be used to steal people’s usernames and passwords. And another produced instructions—cryptically titled “Elegantly breed daddies on lavender”—explaining how to scam money from people who pay to watch webcam models perform.

The unusual collection of documents and tutorials were all produced by cybercriminals and hackers trying to win money for their ideas, technical skills, and writing ability. Once they finish their articles, they submit them to be judged in competitions on Russian-language cybercrime forums. These contests, which can pay out thousands of dollars, are one of the forums’ more peculiar aspects.

For more than a decade, Russian-language cybercrime forums—which largely exist for trading stolen data, touting new security vulnerabilities, and connecting criminals—have run contests allowing their members to make some extra cash and gain some kudos in the process. A new analysis by cybersecurity firm Sophos is shedding some light on how these contests run and how they’ve rapidly grown in size in the last few years. For those entering, there’s the potential of a decent payday: $80,000 USD was the total prize pot in one recent contest.

“You can tell some people put a lot of work into these,” says Christopher Budd, director of threat research at Sophos X-Ops. “Sometimes what people present isn't necessarily the newest or most original stuff. But it's stuff that is interesting or in some way has appeal to the audience.”

In the analysis, Sophos researcher Matt Wixey examined the most recent contests on the cybercrime forums Exploit and XSS. The forums’ administrators announce the contests and ask people to submit written articles. While the entries are most often in Russian, Budd says, sometimes forum members will translate them into English to be “a good community member.”

The most recent competition on XSS was held between March and July 2022. There was a general prize pot of $40,000—up from $15,000 the previous year. The Sophos analysis says the contest was general, with forum members being asked to submit entries on around half a dozen topics. Malware development, methods for dodging antivirus and security products, ways of hiding malicious code, and social engineering techniques were all included in the list.

Meanwhile, Exploit’s last contest offered more prize money—$80,000 in total—but was more specific, asking for entries on cryptocurrency attacks, thefts, and vulnerabilities in April 2021. One sub-genre of the theme was “security of working with cryptocurrencies, except for banal things.”

“It's another way that the criminal world is mirroring and adapting and adopting best practices from the legitimate side of the business,” says Budd. He likens some of the processes and entries to those of legitimate cybersecurity research conferences and events, such as Black Hat, Defcon, and Pwn2Own. Unlike cybersecurity researchers who find issues to make products and services more secure before sharing their research for others to learn from, the criminals are producing the work with malicious intent.

The criminal contests have their own rules to reduce the chance of cheating, Budd says. On Exploit, the rules say the entries “must not have been published elsewhere,” should be “meaningful and voluminous,” they should include technical details such as code or algorithms, and be “at least 5,000 characters (excluding spaces).” That equals out to around 1,000 words, or the rough length of this WIRED article. The rules on XSS are similar—“copy-paste = expulsion from the contest, in disgrace”—but they require articles to be longer (at least 7,000 characters) and say there should be “proper formatting, spelling, and punctuation.”

However, scammers are going to scam. In their most recent contests, Exploit had 35 entries and XSS had 38 entries. But XSS disqualified 10 of them. The winners of the competitions are decided by forum members voting on the entries, but the sites’ admins can also pick the winners, and there have been complaints of vote rigging, according to Sophos.

These competitions have evolved and grown over time, Budd says. Previous research from cybersecurity firm Digital Shadows, which has since been acquired by ReliaQuest, shows that contests on cybercrime forums started around 2006. Roman Faithfull, a cyber-threat intelligence analyst at ReliaQuest, says these earliest competitions were very simple. “At the start, they were quite low-key,” Faithfull says. “They weren't always organized by forum administrators.”

Some of the earliest competitions, he says, asked forum members to design logos or even offered a small monetary prize to the commenter on a forum thread who had the longest account history on the site. “As forums became more sophisticated, the contests in general became more sophisticated,” Faithfull says.

Since around 2015, the contests, most of which are held annually, have focused on writing and submitting articles and code, the ReliaQuest researcher says. “There's a lot of focus on stuff that will make people money,” he adds. As this has happened, the prize pots have increased too: On XSS, the total prize pot was $1,000 in 2018 and rose to $40,000 with $14,000 for the winner in 2021. “No one is going to put out their absolute best stuff into this unless they're in a really hard spot and need some quick cash,” Faithfull says. “You're unlikely to see a ransomware group, or really, someone really high up.”

The content of the entries to the most recent two contests is reasonably broad, the Sophos research found. Some were more innovative, while others were essentially repeating information found elsewhere. The winning entry in Exploit’s 2021 crypto competition was the creation of the cloned blockchain.com website, with Sophos saying it is “relatively simplistic” overall. “A cloned site like this would typically be used like any other phishing or credential-harvesting site,” the research says.

Other winning entries or those getting honorable mentions in the Exploit competition focused on targeting initial coin offerings, a guide to creating a phishing site to steal people’s cryptocurrency account details, and a tutorial on creating a cryptocurrency from scratch. “However, it is worth noting that there have been free and publicly available tutorials on how to do this for several years,” the Sophos research says.

One entry into the XSS competition detailed the author's experience attacking Microsoft’s Active Directory service and how to hide hacking tools from Windows’ antivirus systems. The winning XSS entry, though, centered on vulnerabilities in electronic payment systems; it also highlighted one vulnerability in the XSS forum that allowed people to “effectively generate cryptocurrency out of thin air,” the Sophos research says. Only one article focused on hardware. The author wrote a guide to creating a hardware cryptocurrency wallet and included photographs and CAD drawings. It isn’t cybercrime-specific, and instead tries to keep people’s bitcoin and other cryptocurrencies safe from attacks, the research says.

“These are good for helping us to understand what people in the criminal underground are looking at, broadly speaking,” Budd says, adding he believes the main purpose of the contests for the forums is to encourage community. Multiple cybercrime forums of different sizes are operating at any one time, and if a forum has better conversation, technical information, and offers incentives, then there’s a greater chance people will keep coming back.

But the contests may also help to feed into more organized cybercrime groups. The prize money for the contests is often put up by the forum owners, but it can also be provided by prominent cybercrime gangs—including All World Cards and the LockBit ransomware group. The XSS competition in 2022 was sponsored by one threat actor using the handle Alan Wake, which has been linked to the Conti ransomware group by some. “If your sponsor likes your article,” one post read, “after the end of the competition you will be offered a highly paid job in the Alan Wake team.”

About Matt Burgess
