
Darknet secrets: Who shares, who hoards, and why it matters
New research reveals how hacker status influences knowledge-sharing — and what it means for cybersecurity defenses.
There is a saying that there is honor among thieves, and anyone who has gained access to darknet hacker communities has likely witnessed some of that honor in action. These online forums mirror knowledge-sharing communities like Stack Overflow and Spiceworks, two sites for information technology workers looking to learn and share solutions. But, unlike traditional gathering sites, people go to darknet hacker communities to cause IT problems more than solve them.
This is the reason why Assistant Professor of Information Systems Victor Benjamin collaborated with researchers Obi Ogbanufe and Dan J. Kim from the University of North Texas. The team examined hacker commentary in online communities and analyzed traits of the information and the folks who shared it. Their findings may help cybersecurity professionals take a more proactive approach to thwarting cybercriminals.
Understanding cyberthreat intelligence
Like "intel" teams that monitor adversaries of nation-states, cyberthreat intelligence analysts are observers. They watch who's saying what in hacker forums, and they should, Benjamin says.
Proactive cybersecurity is more crucial now because the union of cyber and physical systems makes intrusion riskier than it used to be. "Twenty years ago, if someone hacked your computer, what would happen? You might lose some files, and it would be a nuisance. In today's world, computers are embedded in everything, which means hackers have become a major public safety issue," Benjamin explains.
He's referring to all the computerized devices running smart grids, water systems, traffic management infrastructure, building HVAC equipment, and more. "Now that cyber-physical devices are roped into critical infrastructure, hackers can cause severe issues," he adds. "If you overwhelm connected devices with network traffic or manipulate them to malfunction, it could lead to significant disruptions."
Worse, AI makes it easier for cybercriminals to act. "Large language models are assisting them in automating their attacks," Benjamin says. "This means there's going to be a much larger scale of attacks, both in volume over time and all at once."
Benjamin points to another problem: Traditional cybersecurity practices are primarily reactive. "You set up your defenses and wait for people to attack you," he notes. "Instead of waiting for attacks, can we learn about the hackers and anticipate the attacks?"
That was the goal of this research: to help those engaged in cyberthreat intelligence know which hackers might pose the most serious threats so that organizations can implement proactive security measures.
To evaluate the posts, the research team examined both general knowledge comments and malicious comments. Most knowledge-sharing research looks at sharing without separating what would have the greatest value or impact for readers. Given the potential harm of hacker discussions, this team focused on discovering who shared the most dangerous information.
In the study, general knowledge was the label used for knowledge that didn't specifically facilitate hacking. It could explain what SQL injections are and what they can do to an organization's database. Malicious comments provide solid information that can be directly used in executing a cyberattack. An example would be how to create SQL injections, which are damaging SQL statements inserted into input fields to do things like steal, corrupt, or destroy data, bypass authentication, or even take over a database.
Understanding hacker characteristics
Evaluating hacker chatter requires understanding hacker characteristics and issues.
First, individuals who operate within the darknet possess at least some IT knowledge because this part of the internet can only be accessed with specialized software, configurations, and, in some cases, authorization. Still, Benjamin says the value of comments within the cybercriminal community varies. There are experts, mid-grade developers, and "script kiddies," or folks so new to hacking they don't know how to develop their hacks, so they copy and execute other people's code.
Additionally, many hacker communities operate on a meritocracy or reputation system. Some forums even have labels indicating a participant's level of proficiency. In the forum Benjamin and his colleagues used for their research, hackers had what he called "a label" of their social status. "It's like an explicit measure. You're level one, you're level two, or something like that."
Since everyone has anonymized identities in hacker forums, people are only known by what they post online. "By sharing technical knowledge, individuals can accumulate social capital with others in these communities," Benjamin says. "Maybe in the future, you can adopt a service from another hacker or sell one of your own. Or, you could gain access to more expert communities with more sophisticated hacking tools."
Another way hackers accumulate social capital is through betweenness centrality, which is a measure used by social network researchers to indicate how often a person acts as a bridge between others and important knowledge. In other words, it's a measure of how much influence someone has over the flow of information or how much of a key player the person is. It's also a form of social capital.
Social capital, which is the currency gained by demonstrating proficiency as a hacker, drives much of the information flow. After all, knowledge-sharing communities are cooperative spaces where people help each other. However, hacking can also have some economic payoff, bragging rights, or other forms of reward, so hackers in these communities navigate the tension between being cooperative and being competitive. This is another factor the researchers examined because it explains why many hackers reduce their postings as they gain expertise.
Identifying important contributions in hacker communities
The researchers found that, in general, hackers have different motivations to share information at varying levels of proficiency and social capital.
"Individuals tend to share information when they are novices in the community to build their reputation," Benjamin says. "When someone is new to the community, they are likely not central to any ongoing conversations. You have no centrality, so you share a lot to integrate yourself into important discussions and build centrality." The team found that hackers with lower status were also likely to share more malicious knowledge initially, although that dropped off as status grew and the hackers became more competitive, which made them more likely to hoard valuable information.
The research team also found that as betweenness centrality increased, so did the sharing of malicious information. "From a betweenness perspective, you could argue that the first half of the knowledge-sharing life cycle is very self-serving. You share until you're known and then stop sharing," Benjamin explains. "However, if an individual continues their participation long enough, they will become more integrated into the community. They'll start sharing again to help the community itself, not just themselves."
In other words, those most likely to post malicious information in a darknet environment are those with high betweenness centrality and low status.
This finding, according to Benjamin, can assist cybersecurity professionals in prioritizing the information they gather from those darknet forums. "If we understand knowledge-sharing behavior in hacker communities, we can understand which posts are credible and which aren't," he explains. "That can help us identify potential targets of attacks and the methods that might be used in that attack so we can better prepare cybersecurity defenses."
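As an added illustration of that prioritization (not the researchers' model or code), the sketch below computes betweenness centrality with Brandes' algorithm over a constructed reply graph and lists the low-status handles that bridge the most conversations. The handles, status levels, and the `max_status` cutoff are assumptions made for the example.

```python
from collections import deque

# Constructed sample data: who replied to whom (undirected ties) and each
# handle's forum-assigned status level (1 = lowest). All values hypothetical.
REPLIES = [("a", "b"), ("a", "c"), ("b", "c"), ("c", "d"), ("d", "e"),
           ("d", "f"), ("e", "f"), ("d", "g"), ("g", "h")]
STATUS = {"a": 1, "b": 2, "c": 1, "d": 3, "e": 1, "f": 2, "g": 1, "h": 2}

def build_graph(edges):
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph

def betweenness(graph):
    """Brandes' algorithm for an unweighted, undirected graph."""
    score = dict.fromkeys(graph, 0.0)
    for s in graph:
        stack, preds = [], {v: [] for v in graph}
        sigma = dict.fromkeys(graph, 0)   # number of shortest paths from s
        sigma[s] = 1
        dist = dict.fromkeys(graph, -1)
        dist[s] = 0
        queue = deque([s])
        while queue:                      # BFS from s
            v = queue.popleft()
            stack.append(v)
            for w in graph[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(graph, 0.0)
        while stack:                      # accumulate dependencies backwards
            w = stack.pop()
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: b / 2 for v, b in score.items()}  # each pair was counted twice

def triage(graph, status, max_status=1):
    """Low-status handles that act as bridges, highest betweenness first."""
    bc = betweenness(graph)
    low = [(h, bc[h]) for h in graph if status[h] <= max_status and bc[h] > 0]
    return sorted(low, key=lambda item: -item[1])
```

On this sample graph the highest-betweenness handle overall is `d`, but its status level excludes it; the triage list surfaces `c` and `g`, the low-status bridges.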