
Why Cybercrime Forum Collaboration is Making Attacks More Efficient, and How to Stay Ahead

By Nick Ascoli | March 20, 2025 | 6 Mins Read

Ransomware isn’t just getting faster; it’s getting smarter. Attackers now move laterally within 48 minutes, on average—increasing the breakout time by 22%. This is quite a stark difference from the 8 hours and 12 minutes it takes security teams, relying solely on manual processes, to contain them. What’s fueling hackers’ rapid lateral movement?

Cybercrime forums. Despite law enforcement crackdowns, underground markets are thriving, with ransomware operators sharing tactics, selling exploit kits, and automating attacks. Even novice threat actors can now easily deploy sophisticated ransomware.

Escalation in cyber threats means organizations have less than an hour to detect, analyze, and contain threats before they spread—an incredibly short window for most security teams. Periodic scans and manual log analysis (which can take hours or even days) no longer suffice as adequate threat detection methods. Zero-trust methods, solid employee security awareness programs, and phishing-resistant authentication are just some of the things companies should be thinking about.

The era of “detect and respond later” is over. Organizations must implement strong access controls, automate defenses, and anticipate attacks to prevent devastating breaches. Leaders need to teach their teams to think like criminals—and use their methods for good.

The Rise of a Shadow Economy

The shadow economy, which ranges from unreported waiter tips or cash-in-hand work to markets where stolen data, hacking services, and ransomware tools are bought and sold, is predicted to be worth as much as 10% of US gross domestic product.

Cybercrime is no longer the domain of lone hackers working in isolation. Instead, it has evolved into a sophisticated underground economy where criminals collaborate, share knowledge, market their products, and refine their techniques to maximize efficiency.

In April last year, 2.9 billion US citizens’ data was published on the dark web after a single breach of National Public Data. However, several months later, many of the victims were still unaware of their exposure. In the meantime, a threat actor who went by USDoD (selling the data on behalf of another threat actor, who went by sxul) put a purchase price of $3.5 million on the database, ready to be sold to anyone interested in exploiting full names, social security numbers, and even addresses of individuals’ relatives for ransom or social engineering attacks. This data would end up being released freely to the public.

Hidden in cybercrime forums and darknet marketplaces, cybercriminals exchange tools, services, data, and intelligence, making attacks more effective and scalable than ever before. This hidden world operates much like a legitimate business sector—except its goal is theft, disruption, and destruction. Understanding how these collaborations work is crucial to staying ahead in an ever-escalating cyber arms race.

A Marketplace for Digital Weapons

One of the most significant ways cybercrime forums have revolutionized attacks is by democratizing access to powerful hacking tools.

For instance, Malware-as-a-Service (MaaS) offerings have put very complex malicious tools a small payment away. With a $150 per month license to the popular information-stealing malware family, RedLine, thousands of low-skilled cybercriminals were able to easily configure and distribute complex malware through its self-explanatory user interface (UI), all while the RedLine team kept the intricate malware infrastructure running.

MaaS providers like RedLine provide viruses to their users, and the users’ only responsibility is to convince victims to run the malware. Malicious users then simply log in to their accounts and view all of the stolen credentials, files, and extracted sensitive data—making a fortune reselling these stolen goods on cybercrime marketplaces.

Law enforcement is paying attention, recently disrupting the operations of RedLine specifically, and its associated malware, Meta, in Operation Magnus. Unfortunately, many SaaS-style information-stealing malware families continue to operate with great success.

Last month (February 2025), a botnet (a network of infected devices used for attacks) of over 130,000 compromised devices launched coordinated password-spraying attacks against Microsoft 365 accounts. It leveraged non-interactive user sign-ins (sign-ins performed by a client app or an OS component on behalf of a user) to avoid detection by traditional security controls.
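
The following detection sketch is an added example, not code from the original article or from any vendor. It shows why a per-IP failure threshold misses a spray spread across many devices, and how counting distinct accounts with failed non-interactive sign-ins surfaces it. The record fields, client string, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def sample_events():
    """Constructed sign-in records; field names are assumptions, not a vendor schema."""
    t0 = datetime(2025, 2, 1, 3, 0, tzinfo=timezone.utc)
    # Distributed spray: 40 accounts, one failed non-interactive attempt each,
    # every attempt from a different address (documentation IP range).
    events = [{"time": t0 + timedelta(seconds=20 * i), "user": f"user{i}@example.com",
               "ip": f"198.51.100.{i + 1}", "interactive": False,
               "client": "legacy-client/1.0", "success": False} for i in range(40)]
    # Benign noise: one person mistyping a password three times in a browser.
    events += [{"time": t0 + timedelta(minutes=i), "user": "alice@example.com",
                "ip": "203.0.113.7", "interactive": True,
                "client": "browser", "success": False} for i in range(3)]
    return events

def per_ip_alerts(events, max_failures=5):
    """Traditional rule: alert when a single source IP exceeds max_failures."""
    counts = defaultdict(int)
    for e in events:
        if not e["success"]:
            counts[e["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n > max_failures)

def spray_alerts(events, window=timedelta(minutes=30), min_users=20):
    """Alert when many distinct accounts fail non-interactive sign-in in one
    fixed time bucket with the same client string, whatever the source IP."""
    buckets = defaultdict(lambda: {"users": set(), "ips": set(), "failures": 0})
    for e in events:
        if e["success"] or e["interactive"]:
            continue
        slot = int(e["time"].timestamp() // window.total_seconds())
        b = buckets[(slot, e["client"])]
        b["users"].add(e["user"])
        b["ips"].add(e["ip"])
        b["failures"] += 1
    alerts = []
    for (slot, client), b in sorted(buckets.items()):
        # Spray shape: wide across accounts, shallow (<= 2 tries) per account.
        if len(b["users"]) >= min_users and b["failures"] <= 2 * len(b["users"]):
            alerts.append({"client": client, "users": len(b["users"]),
                           "ips": len(b["ips"]), "failures": b["failures"]})
    return alerts

if __name__ == "__main__":
    evts = sample_events()
    print("per-IP rule:", per_ip_alerts(evts))
    print("spray rule: ", spray_alerts(evts))
```

Fixed time buckets can split a spray that straddles a boundary, so a production rule would use a sliding window and tune `min_users` to the tenant's normal failure rate.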

Exploit kits further lower the barrier, providing ready-made tools to infiltrate systems with minimal effort. When a victim visits an infected site, the kit scans their browser and plugins (like Flash, Java, or Internet Explorer) for vulnerabilities. If it finds one, it injects malware—such as ransomware or an infostealer—without the user noticing.

Previously, attackers needed deep technical expertise to develop their own botnets, malware, or exploits. Today, anyone with money can buy or rent malicious software. These hacking tools function like legal software subscription models, offering user-friendly dashboards, customer support, and even updates to bypass new security measures.

The Power of Collective Intelligence

Beyond selling malicious tools, cybercrime forums serve as knowledge hubs where attackers refine their methods through discussion and collaboration. Tutorials, source code samples, and real-world case studies circulate freely, allowing criminals to perfect their strategies. When a new vulnerability is discovered, it spreads rapidly across these platforms, enabling attackers worldwide to exploit it before security patches can be deployed.

In May 2023, a critical SQL injection vulnerability was discovered in MOVEit Transfer, a managed file transfer software developed by Progress Software. Detailed information about this flaw, including exploitation techniques and tools, began circulating on dark web forums. This led to a surge in global attacks, affecting more than 60 million individuals and over 1,000 organizations, including high-profile entities like the BBC, British Airways, and several US government agencies.

Cybercriminals now work together, extending their collective intelligence in structured roles and mimicking legitimate businesses to execute coordinated attacks. Some specialize in breaching networks, while others focus on laundering stolen assets or distributing malware. By pooling resources, they execute complex, multi-stage attacks that are more difficult to detect and stop. The level of coordination seen in modern cybercrime makes traditional, reactive security measures ineffective; defenders must anticipate attacks before they happen.

Staying Ahead in a Rigged Game

To counteract this growing sophistication, cybersecurity must evolve beyond basic defenses. Organizations and individuals need to think like attackers, anticipating threats rather than merely responding to them. Continuous threat exposure management—especially monitoring darknet forums—can provide early warnings of emerging attack methods. By applying behavioral analysis and AI-driven security solutions, leaders can detect anomalies that traditional firewalls and antivirus software miss.

Education is also key. Many cyberattacks still rely on human error, such as falling for phishing scams, downloading malicious content, or failing to update software. Training employees to recognize social engineering tactics can make a significant difference in an organization’s overall security posture.

Finally, breaking the cybercrime supply chain is essential. Governments and private cybersecurity firms must continue to collaborate and disrupt these underground markets, take down criminal infrastructure, and arrest key players.

Cybercrime forums have transformed hacking from a solitary endeavor into a thriving, collaborative industry. By providing easy access to malicious tools, sharing intelligence, and coordinating large-scale attacks, these platforms have made cybercrime more efficient than ever. To stay ahead, organizations must adopt proactive security measures, leverage threat intelligence, and strengthen cooperation between public and private sectors. In a digital world where attackers are always evolving, only those who anticipate the next move can truly stay ahead.

Nick Ascoli

Nick Ascoli is a Senior Product Strategist at Flare and an experienced threat researcher who is recognized for his expertise in data leaks, reconnaissance, and detection engineering. Nick is an active member of the cybersecurity community, contributing to open-source projects, regularly appearing on podcasts (Cyberwire, Simply Cyber, etc.) and speaking at conferences (GrrCON, B-Sides, DEFCON Villages, SANS, etc.).


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
