
Darknet secrets: Who shares, who hoards, and why it matters
New research reveals how hacker status influences knowledge-sharing — and what it means for cybersecurity defenses.
It's been said there's honor among thieves, and anyone who's gained access to darknet hacker communities has likely seen some of that honor in action. These online forums mirror knowledge-sharing communities like Stack Overflow and Spiceworks, two sites for information technology workers looking to learn and share solutions. But, unlike traditional gathering sites, people go to darknet hacker communities to cause IT problems more than solve them.
This is why Assistant Professor of Information Systems Victor Benjamin teamed up with researchers Obi Ogbanufe and Dan J. Kim from the University of North Texas. The team examined hacker commentary in online communities and analyzed traits of the information and the folks who shared it. Their findings may help cybersecurity professionals take a more proactive approach to thwarting cybercriminals.
Intel inside
Like "intel" teams that monitor adversaries of nation-states, cyberthreat intelligence analysts are observers. They watch who's saying what in hacker forums, and they should, Benjamin says.
Proactive cybersecurity is more crucial now because the union of cyber and physical systems makes intrusion riskier than it used to be. "Twenty years ago, if someone hacked your computer, what happened? Maybe you lost some files, and it was a nuisance. In today's world, computers are embedded in everything, which means hackers have become a major public safety issue," Benjamin explains.
He's referring to all the computerized devices running smart grids, water systems, traffic management infrastructure, building HVAC equipment, and more. "Now that cyber-physical devices are roped into critical infrastructure, hackers can cause severe issues," he adds. "If you flood connected devices with network traffic or manipulate them to malfunction, it could cause massive disturbances."
Worse, AI makes it easier for cybercriminals to act. "Large language models are helping attackers automate their attacks," Benjamin says. "This means there's going to be a much larger scale of attacks, both in volume over time and all at once."
Benjamin points to another problem: Traditional cybersecurity is reactive. "You set up your defenses and wait for people to attack you," he notes. "Instead of waiting for attacks, can we learn about the hackers and anticipate the attacks?"
That was the goal of this research: to help those engaged in cyberthreat intelligence know which hackers might pose the most serious threats so that organizations can implement proactive security measures.
To evaluate the posts, this research team looked at both non-specific knowledge comments and malicious comments. Most knowledge-sharing research looks at sharing without separating what would have the greatest value or impact for readers. Given the potential harm of hacker discussions, this team focused on discovering who shared the most dangerous information.
In the study, general knowledge was the label used for knowledge that didn't specifically facilitate hacking. A general-knowledge comment could explain what SQL injections are and what they can do to an organization's database. Malicious comments, by contrast, provide solid information that can be directly used in executing a cyberattack. An example would be how to create SQL injections, which are damaging SQL statements inserted into input fields to do things like steal, corrupt, or destroy data, bypass authentication, or even take over a database.
In the know
Evaluating hacker chatter requires understanding hacker characteristics and issues.
First, people who operate within the darknet have at least some IT acumen because this part of the internet can only be accessed with specialized software, configurations, and, in some cases, authorization. Still, Benjamin says the value of comments within the cybercriminal community varies. There are experts, mid-grade developers, and "script kiddies," or folks so new to hacking they don't know how to develop their hacks, so they copy and execute other people's code.
In addition, many hacker communities run off a meritocracy or reputation system. Some forums even have labels indicating a participant's level of proficiency. In the forum Benjamin and his colleagues used for their research, hackers had what he called "a label of their social status. It's like an explicit measure. You're level one, you're level two, or something like that."
Since everyone has anonymized identities in hacker forums, people are only known by what they post online. "By sharing technical knowledge, you can accrue social capital with others in these communities," Benjamin says. "Maybe in the future, you can adopt a service from another hacker or sell one of your own. Or, you could gain access to more expert communities with more sophisticated hacking tools."
Another way hackers gain social capital is through betweenness centrality, a measure that social network researchers use to indicate how often a person acts as the bridge between other people and important knowledge. In other words, it's a measure of how much influence someone has over the flow of information or how much of a key player the person is. It's also a form of social capital.
Social capital — the currency gained by proving proficiency as a hacker — motivates much of the information flow. After all, knowledge-sharing communities are cooperative spaces where people help each other. However, hacking can also have some economic payoff, bragging rights, or other forms of reward, so hackers in these communities navigate the tension between being cooperative and being competitive. This is another factor the researchers examined because it explains why many hackers reduce their postings as they gain expertise.
Whose chatter matters?
The researchers found that, in general, hackers have different motivations to share information at varying levels of proficiency and social capital.
"People share when they're novices in the community to gain a reputation," Benjamin says. "When you're new to the community, you're probably not central to any conversation. You have no centrality, so you share a lot to integrate yourself into important discussions and build centrality." The team found that hackers with lower status were also likely to share more malicious knowledge initially, although that dropped off as status grew and the hackers became more competitive, which made them more likely to hoard valuable information.
The research team also found that as betweenness centrality increased, so did the sharing of malicious information. "From a betweenness perspective, you could argue that the first half of the knowledge-sharing life cycle is very self-serving. You share until you're known and then stop sharing," Benjamin explains. "But if someone prolongs their participation long enough, they'll get more ingrained in the community. They'll start sharing again to help the community itself, not just themselves."
In other words, those most likely to post malicious information in a darknet environment are those with high betweenness centrality and low status.
This finding, Benjamin notes, can help cybersecurity professionals prioritize the information they learn in those darknet forums. "If we understand knowledge-sharing behavior in hacker communities, we can understand which posts are credible and which aren't," he explains. "That can help us identify potential targets of attacks and the methods that might be used in that attack so we can better prepare cybersecurity defenses."
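As an added illustration (not code from the study or its authors), the sketch below shows how an analyst could compute betweenness centrality over a forum reply graph and surface the accounts the article singles out: high betweenness, low status. The reply pairs, status levels, the undirected treatment of replies, and the `min_bc` and `max_status` thresholds are all assumptions made for the example.

```python
from collections import deque

# Constructed sample data (not from the study): who replied to whom, and each
# account's forum status level (1 = lowest).
REPLIES = [("user1", "user2"), ("user1", "user3"), ("user2", "user3"),
           ("user3", "user4"), ("user4", "user5"),
           ("user5", "user6"), ("user5", "user7"), ("user6", "user7")]
STATUS = {"user1": 1, "user2": 3, "user3": 2, "user4": 1,
          "user5": 5, "user6": 2, "user7": 4}

def build_graph(edges):
    """Undirected adjacency sets from (author, replied_to) pairs."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def betweenness(graph):
    """Normalised betweenness centrality (Brandes' algorithm, unweighted)."""
    bc = dict.fromkeys(graph, 0.0)
    for s in graph:
        order, preds = [], {v: [] for v in graph}
        paths = dict.fromkeys(graph, 0)   # number of shortest paths from s
        paths[s] = 1
        dist = {s: 0}
        queue = deque([s])
        while queue:                      # breadth-first search from s
            v = queue.popleft()
            order.append(v)
            for w in graph[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    paths[w] += paths[v]
                    preds[w].append(v)
        dep = dict.fromkeys(graph, 0.0)   # dependency of s on each node
        for w in reversed(order):         # accumulate from farthest node back
            for v in preds[w]:
                dep[v] += paths[v] / paths[w] * (1 + dep[w])
            if w != s:
                bc[w] += dep[w]
    n = len(graph)
    scale = (n - 1) * (n - 2) if n > 2 else 1  # undirected pairs counted twice
    return {v: bc[v] / scale for v in graph}

def triage(edges, status, min_bc=0.3, max_status=2):
    """Accounts with high betweenness and low status, most central first."""
    bc = betweenness(build_graph(edges))
    hits = [(u, round(c, 3)) for u, c in bc.items()
            if c >= min_bc and status.get(u, 1) <= max_status]
    return sorted(hits, key=lambda h: -h[1])
```

In the sample graph, `user4` is the only link between two clusters, so it scores highest on betweenness despite holding the lowest status level; `user5` is nearly as central but is filtered out by its high status.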