All posts by Jack Hughes

Cambridge Cybercrime Conference 2025 – Liveblog

The Cambridge Cybercrime Centre‘s eight one day conference on cybercrime was held on Monday, 23rd June 2025, which marked 10 years of the Centre.

Similar to previous “liveblog” coverage of conferences and workshops on Light Blue Touchpaper, here is a “liveblog”-style overview of the talks at this year’s conference.

Sunoo Park — Legal Risks of Security Research

Sunoo discussed researchers receiving restrictive TOS clauses, and risk around adversarial scrutiny. Noting that it’s difficult to distinguish from malicious hacking, and we need to understand the risks. Sunoo highlights particular US laws that creates risk for researchers, sharing a guide they wrote for highlighting these risks. This project grew from colleagues receiving legal threats, as well as clients, wanting to enable informed decisions on how to seek advice, and also try to nudge public discussion on law reforms.

The CFAA was passed a long time ago, around the time of the Wargames film. Computer crime has changed a lot since then. They define computer to be pretty much any computer, where access is unauthorized or exceeds authorized access. One early case was United States vs McDanel, who found a bug in customer software and reported this to customers. This resulted in a legal case where customers were informed of a security flaw, due to the cost of fixing the flaw, but the government later requested the case be overturned. More recently, there was a case of a police database being accessed for a bribe, which was also under the CFAA.

Another law is the DMCA, which states that “no person shall circumvent a technological measure that effectively controls access to work”, and this may apply to captchas, anti-bot, etc.

Sunoo is starting a new study looking at researchers’ lived experiences of legal risk under US/UK law. It can be hard for researchers to talk openly about these, which results in little evidence to counter laws. Furthermore, there’s a lot of anecdotal information. Sunoo would like to hear from US/UK researchers relating to law and researchers.

Alice Hutchings — Ten years of the Cambridge Cybercrime Centre

The Centre was established in 2015, to collect and share cybercrime data internationally. They collect lots of data at scale: forums, chat channels, extremist platforms, DDoS attacks, modded apps, defacements, spam, and more. They share datasets with academics, not for commercial purposes, through agreements to set out ethical and legal constraints. The aim was to help researchers with collecting data at scale, and overcome challenges with working on large datasets. They don’t just collect data, but they do their own research too, around crime types, offenders, places, and responses.

Session 1: Trust, Identity, and Communication in Cybercriminal Ecosystems

Roy Ricaldi— From trust to trade: Uncovering the trust-building mechanisms supporting cybercrime markets on Telegram

Roy is researching trust and cybercrime, and how this is built on Telegram. Cybercrime markets rely on trust to function, and there is existing literature on this topic for forums. Forums have structured systems, such as reputation and escrow, whereas Telegram is more ephemeral, but still used for trading. Roy asks how trust established in this volatile, high-risk environment? Economic theory states without trust, markets can fail.

Roy starts by exploring the market segments found, looking at trust signals, and how frequently users are exposed to these trust systems. Roy notes chat channels can have significant history, and while trust signals exists, users may not be likely to find older trust signals easily. They built a snowballing and classification pipeline, to collect over 1 million messages from 167 telegram communities. Later, they developed a framework, for measuring and simulating trust signals. Findings showed market segments were highly thematic within communities, and trust signals. They used DeepseekV3 for classification, which detected trust signals and market segments with highest accuracy. They found an uneven distribution of trust signals across market segments. For example, piracy content is free so trust signals were low.

They find messages asking for use of escrow, or asking other to “vouch” for sellers. Some of these communities have moderators which would set rules around types of messages. After looking at the distribution, they ran a simulation to see how many signals the users were exposed to. Setup profiles of market segments, communities visited and messages read. They found 70% of users see 5 or less trust signals in their simulation, and all users see at least 1. Over time, these do evolve with digital infrastructure forming a larger peak. They note the importance of understanding how trust works on Telegram, to help find the markets that matter and can cause harm.

John McAlaneyPower, identity and group dynamics in hacking forums

John discussed work in progress around power structures and group dynamics in the CrimeBB dataset. He attended Defcon as a social psychologist, observing the interaction dynamics and how people see themselves within the large size of the conference.

Previous work in identity asked if hacking forums members considered themselves to be a “hacker” and resulted in discussions around the term and labelling. Other previous work looked at themes of what was spoken about in forums, such as legality, honesty, skill acquisition, knowledge, and risk. Through interviews, they found people had contradictory ideas around trust. They note existing hierarchies of power within forums, and evidence of social psychological phenomenon.

Within existing research literature, John found a gap where theories had not been explored necessarily in the online forum setting. They ask if there are groups forming on hacking forums in the same way as other online forums? Also, how does the structure of these groups differ? Are group dynamics different?

He was initially working with a deductive approach for thematic analysis. “Themes do not emerge from thematic analysis”, rather they are exploring what is currently discussed. He is not looking to generalise from thematic analysis, but rather looking into BERT next to see if they are missing any themes from the dataset.

He suggests the main impact will aim to contribute back to sociological literature, and also try to improve threat detection.

Haitao ShiEvaluating the impact of anonymity on emotional expression in drug-related discussions: a comparative study of the dark web and mainstream social media

Haitao looked at self-disclosure, emotional disclosure, and environmental influence on cybercrime forums. They ask how different models of anonymity across chat channels and forums vary, and which different communications styles emerge? They identified drug-related channels and discussions for their analysis, and took steps to clean and check dataset quality. The project used BERTopic, for embedding messages to be used in clustering, then plotted these to visually identify similar topics. To further explore the topics, Haitao used an emotion classifier to detect intent. They found high levels of disgust, anger, and anticipation in their dataset.

Session 2: Technical Threats and Exploitation Tactics

Taro TsuchiyaBlockchain address poisoning

Taro introduces a scenario of sending rent, where the victim seems to make an error selecting a cryptocurrency address. This turns out to have been a poisoned address. Taro aims to identify address poisoning, to see how prevalent this is, and measure the payoff. They identify attack attempts with an algorithm to match transfers with similar addresses in a given time range.

They detect 270M attack transfers on 17M victims, estimating a $84M USD loss. They found loss was much higher on Ethereum, and this lookalike attack is easily generalisable and scalable.

They bundled these into groups, considering two are the same if, they are launched in the same transaction, and they use the same address to pay the transaction fees, or they use the same lookalike address. Clustering found “copying bots”, who copy other transactions for front-running. The attack groups identified are large but heterogenous, and the attack itself is profitable for large groups. Furthermore, larger groups tend to win over smaller groups. Finally, they model lookalike address generation, finding one large group is using GPUs to generate these addresses.

They give suggestions for mitigating these attacks, by adding latency for address generation, disallow zero-value transfers, and increase wallet lengths. They also want to alert users to this risk of this attack.

Marre SlikkerThe human attack surface: understanding hacker techniques in exploiting human elements

Marre is looking at human factors in security, as this is commonly the weakest link in security. Marre asks what do hackers on underground forums discuss regarding the exploitation of human factors in cybercrime? They look at CrimeBB data to analyse topics discussed, identify lexicon used, and give a literature review of how these factors are conceptualised.

They create a bridge between academic human factor language (“demographics”) to hacker language (“target dumb boomers”), and use topic modelling to identify distribution of words used in forum messages.

What were their results? A literature review found a lot of inconsistencies in human factors research terminology. Following this, they asked cybersecurity experts about human factors, and created a list of 328 keywords to help filter the dataset. Topic modelling was then used, however the results were quite superficial, with lots of noise and general chatter.

Kieron Ivy Turk — Technical Tactics Targeting Tech-Abuse

Ivy discussed a project on personal item tracking devices, which have been misused for stalking, domestic abuse, and theft. Companies have developed anti-stalking features to try to mitigate these issues. They ran a study with the Assassins Guild, provided students with trackers to test the efficacy of these features. Their study found nobody used the anti-stalking features, despite everyone in the study knowing there was a possibility they were being stalked. At the time of the study, the scanning apps only tended to detect a subset of tracker brands. Apple and Google have since created an RFC to try to standardise trackers and anti-stalking measures.

Ivy has also been working on IoT security to understand the associated risks. They present a HARMS model to help analyse IoT device security failings. Ivy ran a study to identify harms with IoT devices, asking participants to misuse these. They ask how do attackers discover abusive features? They found participants used and explored the UI to find features available to them. They suggest the idea of a “UI-bounded” adversary is limiting, and rather attackers are “functionality-enabled”.

Ivy asks how can we create technical improvements in future with IoT?

Session 3: Disruption and Resilience in Illicit Online Activities

Anh V. VuAssessing the aftermath: the effects of a global takedown against DDoS-for-hire services

Anh has been following DDoS takedowns by law enforcement. DDoS for hire services provide a platform for taking control of botnets to be used in flooding servers with fake traffic. There is little technical skill needed, and is cheap. These services publicly advertise statistics of daily attacks they contribute to.

Law enforcement continues to takedown DDoS infrastructure, focusing on domain takedowns. Statistics of visitors following the takedowns found 20M visitors, and 34k messages were collected from DDoS support Telegram channels. They also have DDoS UDP amplification data, and collected self-reported DDoS attack data.

Domain takedowns showed that domains returned quickly, 52% returned after the first takedown, and in the second takedown all returned. Domain takedown appears to now have limited effect. Visitor statistics showed large booters operate a franchise business, offering API access to resellers.

Following the first takedown, activity and chat channel messages declined, but this had less impact in the second wave. Operators gave away free extensions to plans, and a few seemed to leave the market.

Their main takeaway is the overall intervention impact is short lived, and suppressing the supply side alone is not enough as the demand continues to persist in the long run. He asks what can be done better for interventions in the future?

Dalya ManatovaModeling organizational resilience: a network-based simulation for analyzing recovery and disruption of ransomware operations

Dalya studies the organisational dynamics and resilience of cybercrime, tracking the evolution and rebranding of ransomware operators. To carry out ransomware, they need infrastructure. This includes selecting targets, executing, ransom negotiation, payment processing, and victim support, and creating leak websites. They break this down further into a complex model, showing the steps of ransomware attacks. They use this to model the task duration involved in attacks, estimating how long it takes to complete a ransomware attack when learning. Following this, they create infrastructure disruption and observe how this process changes. They also model the disruption of members: what happens if they reassign tasks to others or hire a new person?

Marco WähnerThe prevalence and use of conspiracy theories in anonymity networks

Marco first asks what is a conspiracy theory? These all appear to have right-wing extremism, antisemitism, and misinformation. There are a lot of challenges around researching conspiracy theories: the language is often indirect and coded, however this is not a new phenomenon.

What is the influence of environmental and structural of conspiracy theories in anonymised networks? Marco notes this can be for strengthening social ties, and fosters a sense of belonging. Also, this may be used with ideological or social incentives.

Marco asks how we can identify these theories circulating in anonymised networks, and if these are used to promote illicit activities or drive sales? This could then be used to formulate intervention strategies. They took a data-driven approach looking at CrimeBB and ExtremeBB data to find conspiracies, using dictionary keyword searches and topic modelling. Preliminary research found prevalence of conspiracies was very low. ExtremeBB is a bit higher, but still rare.

They provide explanations for the low level of distribution. Keywords are indirect, and can be out of context when searching. Also, conspiratorial communications are not always needed to sell products. They are aiming to strengthen the study design, by coding a subsample to check for false positives, and use classical ML models. They find a dictionary approach may not be a good starting point, and conspiracies are not always used to sell products.

Cambridge Cybercrime Conference 2024 – Liveblog

The Cambridge Cybercrime Centre‘s seventh one day conference on cybercrime was held on Monday, 10th June 2024

Similar to previous “liveblog” coverage of conferences and workshops on Light Blue Touchpaper, here is a “liveblog”-style overview of the talks at this year’s conference.

L. Jean Camp – Global Cyber Resilience Using a Public Health Model of eCrime (Keynote)

Who gets phished? This still hasn’t changed much in 20 years. We still don’t know how people are targeted, or even if they are targeted. People need to identify security indicators, domain names, etc., and this is hard. Current practice with warnings does not provide what people need. While people can learn how to use bad interfaces, we can’t expect people to pay attention all the time and without interruption. Expertise alone is not adequate: LastPass devs were phished. She looked at phishing factors, and asked how good each population was at identifying phishing and legitimate websites, finding familiarity and gender did not have a significant difference for phishing websites, but found familiarity was important for identifying legitimate websites. Later, they asked participants about security expertise. We tend to write warnings for ourselves (security experts), rather than for end users. They also compared risk perception across populations. Overall, they found computer expertise (positive) and age (negative) were the primary factors in identifying phishing pages. How can we learn from public health to provide more effective warnings which work for the wider general population?

Gabriella Williams – Beyond Borders: Exploring Security, Privacy, Cultural, and Legal Challenges in Metaverse Sexual Harassment

PhD researcher in digital identity and age assurance methods to mitigate against virtual harms. The virtual reality environment (metaverse) has new risks and harms, by creating a new environment with anonymity where people can be whoever they want to be. Gabriella asks if sexual harassment is a crime in the metaverse? There is no legal framework currently, and there are varying jurisdictions online. Metaverse has cultural issues, with standing close to someone, making unwanted contact, and inappropriate jokes. How can this be moderated? Lots of issues with collecting metadata on social interactions, biometric data, and security issues with over reliance on automation and threats to authentication and integrity. Their current research is looking at challenges around implementing age assurance, and how identities can be authenticated.

Bomin Keum – The Incel Paradox: Does Collective Self-Loathing Facilitate Radicalisation or Belonging?

What don’t we know and why don’t we know it? We have a hard time agreeing on what radicalisation is, but this is a process rather than instances of extremist violence. Online radicalisation is facilitated through anonymity, perceived strength in numbers, and too much information spread and absorbed quickly. Bomin considers the use of the Us vs Them framework: collectively constructed perception differentiating the in-group from the out-group. Incel communities show negativity within the group as well as out, which is different to other communities. The Us vs Them framework has “us” as self-directed victimhood with men deprived of their “right to sex” whereas the “them” refers to a perception of society giving “too much freedom to women”. What are the self and other narrative framings, and which topics are associated with self vs other narrative frames? Bomin compares 2019 and 2020 datasets around the start of the pandemic. Internal group themes have helplessness and victimisation, whereas outside has unfair advantages and shameful other. Collectively, there are narratives of community, violence, and vision. They note you can’t take discussions at face value, as the language used can be quite extreme and text-level analysis may not reflect intent. Also, there is some shifting from blame to mockery of others. Not all radical actors commit violence but can inform facilitators behind intensification. Applying theories to these communities can be questionable, due to the unique aspects of the communities, and needs further data-driven research to improve on theory.

Jason Nurse – Ransomware Harms and the Victim Experience

Supply chain issue with St. Thomas’ Hospital last week, where a supplier of hospitals was hit by ransomware, and a critical incident was declared in London. Focus in the media on the financial impact, but what are the other harms of this, on both individuals and society? Jason carried out a literature review, and ran workshops and interviews alongside harm modelling to explore effects. What do we know already from the literature, and what can we learn from individuals? Interviews were focused on people who were subject to a ransomware attack or had professional experience of supporting organisations affected by ransomware. This includes cyber insurance organisations, which are now a big player. Gathering qualitative data from interviews, and using thematic analysis. Findings show this is a serious risk for all organisations, including small businesses: “everything you relied on yesterday doesn’t work today”. Can also create reputational harm for organisations. Applying the idea of orders of harm: first-order are harms directly to the person or org, second-order are downstream orgs and individuals, and third-order are the economy and society. Implications include a loss of trust in law enforcement, reduced faith in public services, and normalisation of cybercrime. Other impacts include harms to staff: staff members having to deal with the situation, including overworking to resolve issues. Highlights potential correlations between burnout and cybersecurity issues. Next, Jason looks at how to model harms. They gather data on well publicised events and to establish relationships between harms. This finds many downstream harms: we can more deeply explore harms arising throughout society rather than just “the data was encrypted”.

Ethan Thomas – Operation Brombenzyl and Operation Cronos

DDoS for hire continues to be a threat, enabling easy attacks against infrastructure, and these are targeted by site take downs and arrests. Finding a new way to provide a longer lasting impact, disrupting the marketplace. Using splash pages to deter users, and also creating law enforcement-run DDoS for hire websites. Some of the disguised sites were “seized”, others were “outed” as NCA controlled, and some are still running. Second operation is Cronos, again using deception but applied to ransomware attacks. Finding broad deterrence messaging doesn’t always work well, now there is focus on showing victims cases where cybercriminals did not uphold their promises.

Luis Adan Saavedra del Toro – Sideloading of Modded Apps: User Choice, Security and Piracy

What are modded apps, and why do users use them? Android users have the capability of installing any app they download from the internet, outside of the Google Play Store. Third-party stores have ads and user review features. Modded apps have unlocked pro features, such as a modded Spotify app to bypass ads and other paid features. Modded gaming apps have free in-app purchases. Luis found over 400 modded Android app markets, and crawled the 13 most popular, creating the ModZoo dataset. Most of these modded apps are games, and lots of duplicates across markets. None of the markets had any payment infrastructure. They discovered apps with changed code had added additional permissions and advertising libraries. Some apps with Ad IDs had been changed. 9% of those with modded code were malicious. iOS has misconceptions around jailbreaking. iOSModZoo has ~30k apps. iOSZoo is a dataset of ~55k free App Store apps. Most iOS modded apps are pirated copies of paid apps.

Felipe Moreno-Vera and Daniel S. Menasché – Beneath the Cream: Unveiling Relevant Information Points from CrimeBB with Its Ground Truth Labels

Looking at exploits which are shared on underground forums. The team used three types of labels: post-type, intent, and crime-type, which they used to complement their approach to tracking keywords, their usage, and different vulnerability levels discussed. They create a classifier for threats, so they can identify what is being discussed. They use regex to identify CVEs, and a function to identify language. They note the labels used were only available for one site, and later use ChatGPT to create more labels for posts. They find ChatGPT improves on existing labels.

Jeremy D. Seideman, Shoufu Luo, and Sven Dietrich – The Guy In The Chair: Examining How Cybercriminals Use External Resources to Supplement Underground Forum Conversations

“Guy in the chair” is the support network that “connects the dots”. They looked at underground forum conversations to identify what this support network is. Do people post URLs, do they advertise things, do they talk about other communications? What is the wider context? Past literature shows that forums work best as a social network, forming communities. Their project examines the use of offensive AI usage, presenting their data pipeline, which they use to clean data prior to using topic transfer models. Following this, they identified buckets of URLs. The majority of known links were other forums, code sharing, image hosting, and file sharing. Lots of the links had link rot. Future work will further explore the application of analysis methods used with archaeological count data to their dataset.

Anh V. Vu – Yet Another Diminishing Spark: Low-level Cyberattacks in the Israel-Gaza Conflict

Anh notes differing perspectives of cyberwar in the world media, with a strong focus on high-profile cyber attacks. However, what is happening with low-level cybercrime actors and the services supporting these attacks? They are using data from website defacement attacks and UDP amplification DDoS attacks, alongside collections of volunteer hacking discussions. They contrast the conflicts of Russia vs Ukraine and Israel vs. Gaza. Anh finds interest in low-level DDoS and defacement attacks dropped off quickly, although notes that these findings should not be confounded with state-sponsored cyber attacks.

Dalyapraz Manatova – Relationships Matter: Reconstructing the Organisational Structure of a Ransomware Group

Dalyapraz has been studying dynamics of cybercrime networks, thinking about these as a socio-technical complex system, with technical, economical, and social factors. Existing literature shows that eCrime has “communities”, with admins and moderators. When these communities are disrupted, they often move to other places. Participants often have different pseudonyms for who they are communicating with, e.g. as an administrator or to trade. However, these communities are more like organisations, with roles, tasks, scale, scope. Follows a similar structure to aaS services.

Marilyne Ordekian – Investigating Wrench Attacks: Physical Attacks Targeting Cryptocurrency Users

Wrench attacks have been around since the start of Bitcoin, yet have received little academic attention. Marilyne gathered data on wrench attacks through Bitcoin Talk discussions and interviews. Incidents were reported across different areas, from 2011 to 2021. There were peaks of incidents, which coincided with bitcoin reaching an all-time high. Why? Potential reasons include financial gain, theft is easier than hacking, and no account transfer limits. They found that 25% of these incidents occurred during in-person meet ups. Are wrench attacks reported? No, they are underreported. They propose safety mechanisms for individuals, including not bragging, diversifying of funds, and digital safety practices. Also, they suggest existing regulations could be strengthened, such as improved KYC verification to consider the risk of wrench attacks. System design changes could include redesigning apps to hide balance amounts.

Mariella Mischinger – Investigating and Comparing Discussion Topics in Multilingual Underground Forums

Three Paper Thursday: Applying natural language processing to underground forums

Underground forums contain discussions and advertisements of various topics, including general chatter, hacking tutorials, and sales of items on marketplaces. While off-the-shelf natural language processing (NLP) techniques may be applied in this domain, they are often trained on standard corpora such as news articles and Wikipedia. 

It isn’t clear how well these models perform with the noisy text data found on underground forums, which contains evolving domain-specific lexicon, misspellings, slang, jargon, and acronyms. I explored this problem with colleagues from the Cambridge Cybercrime Centre and the Computer Laboratory, in developing a tool for detecting bursty trending topics using a Bayesian approach of log-odds. The approach uses a prior distribution to detect change in the vocabulary used in forums, for filtering out consistently used jargon and slang. The paper has been accepted to the 2020 Workshop on Noisy User-Generated Text (ACL) and the preprint is available online.

Other more commonly used approaches of identifying known and emerging trends range from simple keyword detection using a dictionary of known terms, to statistical methods of topic modelling including TF-IDF and Latent Dirichlet Allocation (LDA). In addition, the NLP landscape has been changing over the last decade [1], with a shift to deep learning using neural models, such as word2vec and BERT.

In this Three Paper Thursday, we look at how past papers have used different NLP approaches to analyse posts in underground forums, from statistical techniques to word embeddings, for identifying and define new terms, generating relevant warnings even when the jargon is unknown, and identifying similar threads despite relevant keywords not being known.

[1] Gregory Goth. 2016. Deep or shallow, NLP is breaking out. Commun. ACM 59, 3 (March 2016), 13–16. DOI:https://doi.org/10.1145/2874915

Continue reading Three Paper Thursday: Applying natural language processing to underground forums

From Playing Games to Committing Crimes: A Multi-Technique Approach to Predicting Key Actors on an Online Gaming Forum

I recently travelled to Pittsburgh, USA, to present the paper “From Playing Games to Committing Crimes: A Multi-Technique Approach to Predicting Key Actors on an Online Gaming Forum” at eCrime 2019, co-authored with Ben Collier and Alice Hutchings. The accepted version of the paper can be accessed here.

The structure and content of various underground forums have been studied in the literature, from threat detection to the classification of marketplace advertisements. These platforms can provide a mechanism for knowledge sharing and a marketplace between cybercriminals and other members.

However, gaming-related activity on underground hacking forums have been largely unexplored. Meanwhile, UK law enforcement believe there is a potential link between playing online games and committing cybercrime—a possible cybercrime pathway. A small-scale study by the NCA found that users looking for gaming cheats on these types of forums can lead to interactions with users involved in cybercrime, leading to a possible first offences, followed by escalating levels of offending. Also, there has been interest from UK law enforcement in exploring intervention activity which aim to deter gamers from becoming involved in cybercrime activity.

We begin to explore this by presenting a data processing pipeline framework, used to identify potential key actors on a gaming-specific forum, using predictive and clustering methods on an initial set of key actors. We adapt open-source tools created for use in analysis of an underground hacking forum and apply them to this forum. In addition, we add NLP features, machine learning models, and use group-based trajectory modelling.

From this, we can begin to characterise key actors, both by looking at the distributions of predictions, and from inspecting each of the models used. Social network analysis, built using author-replier relationships, shows key actors and predicted key actors are well connected, and group-based trajectory modelling highlights a much higher proportion of key actors are contained in both a high-frequency super-engager trajectory in the gaming category, and in a high-frequency super-engager posting activity in the general category.

This work provides an initial look into a perceived link between playing online games and committing cybercrime by analysing an underground forum focused on cheats for games.