Dark Web – Justice League
Over the past few weeks the FBI, Department of Justice (DOJ), Interpol, and other international law enforcement agencies have worked together to incarcerate and indict ransomware threat actors. Through this effort, millions of dollars in ransom payments have been recovered.
When it comes to the rule of law, access to justice for all and a fair trial are both fundamental in any democratic society. But what if the Dark Web community has its own justice system that believes in the same values?
Every day there are dozens of cases all over the Dark Web that escalate to this underground justice system and patiently wait for the high-ranking authorized cybercriminals (usually members of a forum administration) to solve the dispute and assign a winner and loser.
Much like the United States judicial system, this whole process begins with a dispute between two opposing sides. For example, a threat actor purchases compromised network access but then discovers that the same access was previously sold to another entity. The threat actor demands recourse in the form of a refund, but the seller is not willing to comply with this request. And thus, the higher dark web virtual court is brought into the picture.
These courts are not just for Russian threat actors; each ecosystem, in terms of language and culture, may have its own version of a “Court” or “Arbitrage” forum.
It is important to note that, as of May 2021, all ransomware-related topics, including affiliation, arbitrage, and the buying or selling of ransomware-related items, are banned by the courts themselves. The timing of this is interesting, considering that ransomware activity for large ransoms was heating up around this time with Colonial Pipeline and JBS Meat.
Dark Web Court 101 – Proceedings
To initiate the process, the accuser must open a thread in a dedicated sub-forum that usually has the title “Court” or “Arbitrage” and provide the following details:
- Brief of the claim
- The nickname of the defendant including the link to his profile
- Defendant’s contact information (e.g., Telegram, Jabber, or email address)
The plaintiff will submit qualified evidence, including any chat logs, screenshots, cryptocurrency transactions, and similar relevant information.
When the arbiter is assigned to the case, the cross-examination phase begins and the defendant has a right to present their counterclaim.
As in real litigation, the trial can end with different verdicts. If the defendant is found innocent or there is not enough material for a hearing, the case will be closed with no money or currency exchanging hands.
However, if the arbiter convicts the defendant, the guilty cybercriminal has a specific amount of time to comply with the verdict or the criminal will be banned from future activity on the underground forum.
Justice For All
Since the inception of one of the major Russian-speaking cybercrime forums, a total of over 600 threads with requests for arbitrage have been created. The cybercrime community treats every case equally, without prioritizing more complex cases with higher compensation demands. The median case involves a compensation request of between a few hundred and a few thousand USD.
For the transparency of the process, every forum member has a right to comment and participate in the virtual hearing process. While they have the right to participate, these regular forum members do not act as a grand jury and have no influence on the process.
Justice is for all when it comes to the Dark Web Court, without any language or cultural separations or barriers.
High Profile Arbitrages
Sometimes the situation gets hot when the defendant is not another unknown cybercriminal, but a ransomware gang representative of high stature.
In April 2021, two Conti ransomware-affiliated cybercriminals (an operator and a pentester) were sued for $2 million for violations associated with an agreement regarding hacking and encrypting the networks of a U.S.-based school.
However, after a trial of almost one and a half months, which included revealing internal chat logs and correspondence with the affected victim, the claim was rejected with a straightforward argument from the arbiter.
In October 2021, Conti ransomware was sued again for $12k, but the arbitrage was quickly declined because, as stated earlier, ransomware-related topics are banned and have not been welcomed on major cybercrime forums since May 2021.
But these are not the only two cases of ransomware gang affiliates being sued. The cybercrime court system has seen other high-profile arbitrages against REvil and Netwalker, where the highest financial claim is over $20 million.
Sometimes It Gets Personal
In several cases, the scammed person is so angry that they decide to handle the incident on a more personal level, where money is not a factor anymore. The well-known tactic of punishment (as part of the drumhead trial) that is widely used by cybercriminals is identity de-anonymization.
For example, in the screenshot below the threat actor leaked the scammer’s full identity including physical address, social media profiles, phone number, and even his relatives’ information.
What Did We Learn?
Due to the layer of anonymity between the underground community users, the cybercrime ecosystem implemented this virtual court feature that serves as an insurance element in case “something will go wrong”.
Over the last decade, thousands of cases were examined and the proper verdicts were given.
The threat actors understand that if they provide untrustworthy products or services, they will be held accountable and find their nickname in an arbitrage thread title. In the event of losing the case, they will lose their reputation and will need to start a “career” all over again.
But just like the justice system of the physical world, this too has some loopholes. If the defendant disappears, the affected side remains without any solution or compensation.
We are continuing to see cybercriminals push for accountability from their counterparts and look for a fair and just trial to determine who is right and who is wrong.