It’s not just corporate IT and security budgets that are affected by COVID-19. The underground darknet economy is in a state of flux, too.

While some underground and cybercrime sites are eagerly recruiting and hiring moderators to help bring order and maintenance to notoriously unruly sites and their users, other fraudsters are struggling to keep their illegal schemes afloat, according to security researchers.

It’s difficult to find concrete statistics about how the cybercriminal underground and darknet economies work, but security watchers believe that these cybercriminal markets can fluctuate in much the same way as the legitimate above-ground economy. While some job skills remain in demand within these markets during the pandemic, others are struggling for relevance.

A report released June 18 by security firm Digital Shadows offers a glimpse of an underground economy in a state of transition, with some underground sites on a hiring spree due to demand. For instance, researchers found that an English-language cybercrime forum called Nulled was actively recruiting for two new “trial moderators” to help the current team cope with the site’s recent growth. 

The site administrator for Nulled also posted that the underground community was “growing rapidly during COVID-19,” according to the report. In April, a similar posting for moderator help was found on the English-language cybercriminal site CrackedTO, according to the report.

“Moderators are in demand right now because many forums are currently experiencing significant growth in membership numbers and activity levels,” Alex Guirakhoo, threat research team lead at Digital Shadows, told Dice. “These forums are attributing this increase to the coronavirus pandemic. It is likely threat actors have had more time as other real-life activity options have been restricted, or that individuals who have lost their jobs or earnings in real life are looking to cybercrime to make more money.”

Moderator Jobs Thriving

The Digital Shadows report finds that site moderators are typically in demand by large underground cybercriminal forums, since they perform a vital list of functions, including enforcing forum regulations, issuing warnings or bans against members following rule infractions, answering forum users’ questions, and sometimes ensuring payments are made.

The COVID-19 pandemic, which helped drive a wave of cybercriminal activity across the globe (according to the FBI), helped these darknet communities grow. This meant a boom in recruiting and hiring, as well as some underground sites growing and becoming even more unruly than normal.

“As with any forum, with new users you are going to deal with the same issues, lack of familiarity with the site and its rules, such as what you can and can’t do,” James Manning, an engineer at Panda Security, told Dice. “This can include posts and requests in the wrong place, inter-forum conflicts, egos, and power trips. If there is no user validation in place there may be an influx of spamming and malware that needs to be dealt with, as well. If you are running a marketplace through one of these forums you want to make sure you keep and attract users, and this requires maintenance.”

At the same time, COVID-19 has meant those with certain skills remain in demand, and they are coming to these sites looking for ways to make money or sell those abilities to others.

The skills most in demand right now include those with the ability to supply distributed denial-of-service (DDoS) functions, those who know how to develop malware and exploits, and those with certain, high-level programming skills, according to Digital Shadows.

It’s not only these types of underground sites that are thriving during troubled times. Beazley Breach Response Services, a unit of global insurance company Beazley, found that ransomware attacks increased 25 percent between the fourth quarter of 2019 and the first quarter of 2020, driven by attacks taking advantage of COVID-19. Since some ransom demands can run into the millions of dollars, these sophisticated hackers have likewise watched their operations grow.

The analysts note, however, that as the COVID-19 pandemic evolves and some sections of the global economy open up, the demands within the underground economy will change, too.

“Cybercriminals whose typical methods have been disrupted will likely be able to resume their previous work, provided they could stay afloat during the slowdown and their former customers return,” Guirakhoo said. “The forums that have seen coronavirus-related growth now face the task of persuading their new users to stay engaged on the site as real-life commitments begin to build up again and demand more of their time. Those users who have developed specific coronavirus-related threats and attack methods will need to adapt their methodologies and find a different context under which to attack.”

These Times Are A-Changin’

While Digital Shadows was able to trace an increase in hiring for moderators and more demand for certain skills, other parts of the underground cybercriminal economy have floundered since COVID-19.

This includes those bad actors who have targeted the global travel industry, since nearly all vacations and business trips stopped after March. In addition, those working as “money mules” who would collect ill-gotten cash on behalf of cybercriminals have seen their livelihoods stop since movement was restricted and many banks closed their branches.

In addition, those cybercriminals that relied on the global delivery system to deliver goods to their customers saw a decrease over the past few months. Still others were overcome by stress.

“There was even a rumor that one Russian-language cybercriminal forum, Migalki, had closed down because its Italy-based administrator had a breakdown due to so many family members dying from coronavirus,” Guirakhoo said.

Visit our COVID-19 Resource Center, which aims to provide the tech community with the best, most up-to-date information on the novel coronavirus.