Ripper.cc homepage
Ripper.cc homepage

Crooks lurking around the Internet's underbelly have created a service called Ripper.cc, a database of known and proven fraudsters.

Cyber-crime is like a tiny economy, and just like in the real world, there are crooks that don't engage in fair trades. Buyers and sellers of illegal products often dupe each other, withhold payment, or deliver fake products and services.

Fed up with all the scammers and fraudsters, somewhere last year, a group of hackers has assembled and put together a service called Ripper.cc.

Discovered by threat intelligence firm Digital Shadows, Ripper.cc launched in June 2016, when its authors announced the service through a topic on the Exploit.in hacking forum.

Ripper.cc launch topic on Exploit.in
Ripper.cc launch topic on Exploit.in (via Digital Shadows)

Since its release, the service appears to have become quite famous among crooks. Prior to Ripper's launch, criminals who engaged in the sale of illegal products used another service, called Kidala.info, to search and identify "rippers," a term used to describe scammers and fraudsters on underground hacking forums and Dark Web marketplaces.

Ripper.cc uses vetted and publicly known moderators

According to Digital Shadows, Ripper.cc's surge in popularity is owed in large part to the fact they invited the admins of several hacking forums to help moderate Ripper.cc's blacklists.

This smart and strategic move has allowed the service to gain instant credibility among a large portion of the underground hacking scene. Since hackers talk to each other, it didn't take long for the service to become quite popular.

Furthermore, Ripper.cc also launched features that competing services didn't offer, like Chrome and Firefox extensions to highlight ripper names in real time, and a PsiPlus plugin to alert Jabber/XMPP users that they're talking to a possible scammer.

Ripper.cc PsiPlus XMPP plugin
Ripper.cc PsiPlus XMPP plugin

These extensions provide hackers with real-time and easy to spot notifications that they can spot before they go through with transactions that eventually wouldn't pan out as expected.

Kidala or blacklists managed by individual cybercrime forums would generally require users to leave conversations and applications and search for a crook's name or contact details on their sites, a very time-consuming task. On the other hand, Ripper.cc's browser extensions provide instant feedback.

Ripper.cc Firefox plugin highlighting name of a known ripper
Ripper.cc Firefox plugin highlighting name of a known ripper

Further, anyone can submit "blacks" to the Ripper.cc database. Black is the term used to describe scams in the hacking underworld.

Ripper.cc submission form
Ripper.cc submission form

The more blacks a ripper collects, the more information admins gather in the scammer's Ripper.cc profile.

This information can include data such as profiles and usernames on various hacking forums, Bitcoin addresses, XMPP IDs, ICQ usernames, email addresses, and more.

With all the scammer's different personas gathered in one place, it's very hard to fool customers, unless the fraudster will be creating new profiles for each client or product he sells.

Suspicions still linger about Ripper.cc's credibility

"It's very nice," a hacker that goes by the name of Sl33k told Bleeping Computer in an encrypted chat. "But I'll never use their plugins. They could be hiding code to escape your VPN. Other than that... awesome."

Unlike other cybercrime businesses, Ripper.cc's author appears to be paying a lot of attention to his service and its reputation.

One of the reasons they managed to squeeze past Kidala and forum scammer blacklists is because those services are suspected of removing scammers from blacklists after paying a fee.

To avoid any shadow of doubt about their service, Ripper.cc appears to have open-sourced its code. Coupled with the open moderation model that uses third-party reviewers, Ripper.cc is set to become the Yelp for cyber-criminal activities.

More recent Ripper.cc updates include the translation of some of the site's interface into English, as the service prepares to launch more broadly.