A peek into the cybercriminals underground of Russian and Chinese hackers reveals sharp differences between the two communities in terms of interests and the way they run their businesses, often shaped by state laws and unwritten norms.

Over the past year, researchers at Recorded Future monitored the activity of various markets used for dealing with illegal content or tools employed for carrying out illicit activities.

They focused on Chinese and Russian communities and discovered that members of the two communities rarely mix on underground forums and are driven by different motivations.

Russian underground market

Contrary to what many people would think, most Russian cybercriminal communities are still reachable over the clearnet, with forums setting up servers in the Tor network as a backup in case of a takedown, and for users without VPN services.

Administrators resort to other methods to keep their forums up and running, and blockchain-based DNS is one of them.

On closed forums - completely private communities, access is possible upon showing the proving illegal service offered by the applicant, or if a current member vouches for them. Rippers are quickly banned and exposed for others to avoid.

Website exposing rippers, or kidalas

According to Recorded Future, the forums where Russian cybercriminals gather are well organized, and members are interested only in doing business.

They are carefully guarding their resources (read: malware source code) and adopt a money-making business strategy.

"Malicious programs on the underground, like banking trojans and loaders, are sold in the form of “builds,” which are similar to individual software licenses," Recorded Future explains.

A common practice is for the author of the malware to have full control of the source code. This not only ensures maximum monetization but also protects the property against competition creating derivative or similar malware.

The type of illegal content and services peddled on these forums is the same as always but adapted to modern times:

"Ransomware, loaders, trojans, exploit kits, installs, spam bots, web traffic, forged documents, money mules, banks accounts, and credit cards are all still present and accounted for," the report says.

However, some things have changed. For instance, large amounts of stolen data are now available via automated services, where carders can order the credit and debit card info they want without having to interact with another user.

Hosting services are the backbone for illegal services, so infrastructure that offers anonymity and is outside the jurisdiction of law enforcement, aka bulletproof and fast-flux hosting, is always in demand. Prices from a provider operating for over a decade are as little as $100 per month.

Chinese underground market

Chinese peddlers of malware and illegal services are in complete contrast with the Russians. First off, they do not enjoy the same level of access to tools and information because of the Great Firewall of China that controls that imposes web traffic restrictions.

Along with the language barrier, this isolates the Chinese underground communities from the rest of the world, creating more of a local market for lower-skilled hackers. Access to better tools is possible on sites hosted in Tor network by more advanced hackers, but access to them requires "jumping" the Great Firewall, a skill not many have.

A core difference from Russian communities is the fact that Chinese hackers encourage socialization and camaraderie. They help each other out and often share the source code of the tools they make for peer review purposes and in exchange for advice on how to improve it.

Encouraging replies on a Chinese underground forum

Because of government regulations, members of the underground forums face more challenges in doing their business. The ban on cryptocurrencies gives them fewer payment alternatives that may not hide their identity. 

AliPay and bank transfers are the generally accepted payment methods advertised by forums, while Russians moved to Monero and Bitcoin for some while, spurring the emergence of cashout services that make the exchange to fiat.

"Chinese forums are also usually not as compartmentalized as their Russian counterparts, and are more community focused rather than business focused," says the report.

As for the content for sale, the Chinese have different tastes and interests. Distributed denial-of-service (DDoS) tools and remote access trojans are in high demand, as are antivirus evasion techniques and penetration testing utilities. There is also a market for programming and hacking tutorials.

The proceedings from data breaches are kept within the Chinese community, most likely because of the language barrier and the domestic technology and services, which are more difficult to understand for an outsider.

Another product commonly seen on Chinese forums are virtual private network services, which is understandable given the online access restriction.

Since the government asked VPN providers to be licensed by Chinese officials, the advertisements for these services increased on underground forums. And once the ban came into effect in March this year, the activity saw a rapid increase, the researchers noticed.

Both Russians and Chinese hackers share the appetite for illegal activity, but for different reasons and purposes. The former is interested in making money, while the former seeks mostly to expand their knowledge and exchange products banned by the government.