Cybercriminals are organizing research contests in cybercrime forums for the purpose of advancing their strategies and techniques, and possibly recruiting new talent, according to Sophos, a cybersecurity-as-a-service provider.
These contests may be meant to inspire new methods of attack and detection evasion by picking the brains of other threat actors. These contests involve a considerable amount of prize money.
“The fact that users of criminal forums are designing, running, and participating in research contests suggests that they seek to foster innovation, especially with regards to new methods of attack and evasion,” Sophos said in a blog post.
“There is even evidence to suggest that these competitions act as a tool for recruitment amongst prominent threat actor groups,” said Christopher Budd, director of threat research, Sophos.
Criminal forum administrators, who are also threat actors, issue calls for article submissions on technical topics, complete with source code, videos, and/or screenshots. Winners are determined through voting by other forum users.
“However, the judging is not completely transparent as the forum owners and contest sponsors have their own votes on the matter,” Sophos revealed.
Contests focus on Web-3
Sophos X-Ops, a new cross-functional team linking SophosLabs, Sophos SecOps, and Sophos AI, monitored two prominent annual contests: one hosted by the Russian-language cybercrime forum Exploit, which offered an $80,000 prize in 2021, and another on the XSS forum, with a $40,000 prize pool in 2022.
“For several years, prominent members of the cybercriminal community have sponsored these events, including All World Cards and Lockbit,” Sophos said.
The cybersecurity company observed an increasing focus on Web-3-related topics, such as cryptocurrency, smart contracts, and NFTs, in the winning articles. These articles weren’t purely theoretical but had practical applications.
Failure to innovate
Sophos believes that cyber attackers tend to keep their best research private to maximize their profits in real-world attacks.
However, Sophos found that these contests failed to yield significant innovations. Instead, submitted articles mostly consisted of basic tutorials or guides with information already available to the public.
“Certainly, in our opinion, there was less original research compared to many prominent security industry contests and conferences,” Sophos said.