The Global Cyber Crime Underground, Part 1: What Are They and What Do They Sell?

Posted April 7, 2016

This is the first blog in a three-part series co-written by LookingGlass Cyber Threat Intelligence Group (CTIG) Senior Threat Analyst Emilio Iasiello and LIFARS Marketing Manager Michal Nemcok*. The series provides a high level overview of the global cyber crime underground and the biggest players in this space. Today we will be discussing the Chinese underground.

Cyber crime is projected to cost the global economy an astounding $445 billion. To put that amount into perspective, Russia’s national budget for 2014 was $440 billion. With those types of profits, it’s easy to see how cyber crime has been such a disruptive force to businesses worldwide, as well as why this “business” is so lucrative and why more and more criminals are becoming involved in the underground digital black market. Unlike what’s been observed in the past (and what many still believe), it’s no longer necessary to be a highly skilled hacker to execute the types of cyber attacks that yield substantive financial rewards. In many cases, all that’s needed is a credit card – everything else can be bought.

The global cyber crime underground is becoming increasingly more diverse as more and more international criminals are entering the arena, with some countries clearly leading the packs. In March 2016, Trend Micro released a white paper in which it determined that cyber crime exists in regional pockets, rather than a unified global enterprise. What’s more, even though there was overlap between regions, these markets distinguished themselves from one another by the types of goods and services being offered.

The further refinement of business operations indicates another evolution of these markets moving from competition based enterprises to ones catering to more selective clientele, which dovetails into many resorting to operating out of the Deep Web in order to evade law enforcement efforts. As such, customers may be more apt to obtain items from the regions of their specialization, intimating that the better markets may ultimately become the ones that focus on quality of product/service rather than quantity.


The Chinese cyber crime underground is one of the most prolific in the world and we’ve seen an increase in activity in the recent years. With the recent availability of tools such as leaked data search engines, it is now even simpler to discover and trade breached data, whether it be credit cards, PayPal accounts, poker accounts, bank accounts, personally identifiable information (PII), and everything in between. These include tools such as the SheYun search engine that has been specifically created to search leaked data, the CnSeu forum for trading leaked data, and others. These search engines are either completely free or very cheap to use, while providing a high return.

In addition to underground market’s usual offerings such as DDoS attacks and remote access Trojans, in the past year a new type of tool has emerged – a social engineering toolkit – an example of which is the Social Engineering Master. This particular tool was created by the Chinese cyber underground and contains a comprehensive toolset – everything from obtaining interesting information (MD5, PII, phone numbers) and data dumps, to templates for phishing emails, fake IDs, and much more. It also includes exploit kits, phishing websites, and Trojan downloaders. This is just one of many similar tools that further demonstrates how the cyber crime underground is modeling itself after its legal counterparts (aka legitimate marketplaces fueled by supply and demand practices) – making sure that the customer service and experience is at a high standard to promote use and generate more income for the creators.

Next week, we will discuss the notorious Russian and Eastern European cyber crime undergrounds.

*Michal Nemcok is the Marketing Manager at LIFARS, an international Incident Response And Digital Forensics firm. His background is in IT and IT security with focus on security-related marketing and content editing. He’s done extensive research into topics such as Hacking-as-a-Service and APT campaigns. He works directly with the Incident Response team to keep his hand on the pulse of the latest trends in real-world investigations.

Additional Posts

CIOReview Honors LookingGlass Cyber Solutions Among The 20 Most Promising Enterprise Security Companies in 2016

LookingGlass Cyber Solutions, the leader in threat intelligence and dynamic threat defense, today ...

2015-2016 Global Insights on Malware Infections [INFOGRAPHIC]

Every four seconds, a new strand of malware is born. More alarming, reports show that in the past ...