The Rise and Fall of BlackForums: A Glimpse into the Ephemeral World of Cybercrime Communities

October 16, 2024

Tags

darkweb, cybercrime

Overview

Morado recently investigated the resurgence of the popular cybercrime forum named BlackForums. However, shortly after we completed our analysis, and before the information could be properly disseminated, the founder, Astounding, abruptly left the project, leaving the forum dormant with little hope of revival. While BlackForums itself may no longer be relevant, its collapse illustrates a key aspect of cybercrime forums—their inherent transience.

Dark web forums are ephemeral in nature, often emerging and disappearing like fleeting shadows in the vast digital landscape. New platforms regularly pop up to replace old ones that have been taken down, frequently rebranding themselves to continue operations under a different guise. These forums serve as meeting grounds for cybercriminals, offering a marketplace for buying and trading illegal products and services. The offerings range from drugs and fake documents to stolen data and malware, accessible to anyone with a computer and the Tor browser. Most people will hear of this mysterious digital world and choose not to participate despite their curiosity. However, some people cannot resist the call, and it's getting louder…

For instance, Silk Road, a notorious drug marketplace forum, was incredibly lucrative, facilitating approximately $1.2 billion in sales between 2011 and 2013. The financial incentives make starting a forum very appealing to criminals looking to get rich and gain notoriety in underground communities. While Silk Road attracted everyday users seeking illicit substances, forums dedicated to computer crime draw the attention of hackers of all stripes—red, blue, black, and gray hats alike. Whether for monetary gain, reputation building, or skill development, these forums provide a space for hackers to thrive.

Several notable computer crime forums, such as RaidForums and Genesis Market, have gained popularity among threat actors. However, these sites are transient, often operating for a limited time before being forgotten or supplanted by newer versions. Various factors contribute to their short lifespan, including attacks from rival forums or hackers, internal theft by operators, and, most prominently, intensified law enforcement efforts aimed at dismantling these platforms.

Law enforcement agencies have ramped up their crackdown on illegal forums, utilizing government funding and legislation like the Computer Fraud and Abuse Act (CFAA) to prosecute cybercriminals. These legal frameworks empower authorities to take action against those engaging in computer crimes, making it increasingly difficult for such forums to operate without the constant threat of exposure and closure. This can be seen in the case of BreachForums, which has had two of its owners arrested since 2023. Both times the forum was seized by the Federal Bureau of Investigation (FBI); however, staff managed to regain control of the domain and infrastructure following each seizure. Most forums will not survive a seizure, or if they do, they do not survive for long. Whether you consider them lucky or skilled, the staff of BreachForums are constantly dealing with the looming threat of law enforcement action.

The fear of prison is more than enough to discourage most threat actors from creating forums, but some criminals do not seem to care and have created enough forums to fill an entire resume. Even with prior experience, a forum owner is not guaranteed to be successful even when everything suggests it should be. Highlighting this point is a relatively unknown hacker, or probably better fitting, a criminal developer named Astounding. With a few forum projects and even some ransomware development already under their belt, Astounding set out to create another forum after supposedly leaving the community for good. For some, the money, fame, and thrill of owning a forum is too much to leave behind.

BlackForums Summary

BlackForums, reestablished by the hacker known as Astounding, is making a notable return to the cybercrime scene. Originally launched in 2023 and rebranded multiple times, including as BlackSec, BlackRose, and SparrowCorp, the forum is now operating under the name and domain BlackForums[.]ru. The forum has announced a partnership with the ransomware group BloodForge to develop a new RaaS known as BloodForge Onyx. With a new RaaS, nearly 100 users, and an array of sections including databases, leaks, and malware source code, BlackForums was positioning itself as a key player in the cybercrime forum community but ultimately failed. Like many other promising forums, this one fell victim to the transitory nature of criminal sites.

BlackForums Analysis

BlackForums, originally created in 2023 and an ex-member of the “Five Families”, is being revived by one of its previous owners, a hacker who goes by the name “Astounding”. After a dramatic exit from SecretForums that led the community to believe they were dead, Astounding has re-emerged, alive and well.

The new version of BlackForums is available on Tor and on the clear web under the domain BlackForums[.]ru. As of August 30, the site has 86 registered users. There are currently 20 sections with over 100 posts, most of them being introductions, but it also includes databases, verified leaks, stealer logs, exploits, tools, and malware source code. The forum does not allow Russian leaks, not because it is pro-Russian, but because they do not want to deal with the Russian government as some of the staff, and the domain, are Russian.

Preview of Sections on BlackForums

The forum is still in its early stages with a small staff working to create new features and keep the site up after experiencing long downtimes in the week of September 2nd. It is not clear if this is due to attacks by other forums or issues with development. Staff and users speak of “beef” they have with other forums or users based on their personal interactions with them. This has led to members of BlackForums attacking and even taking down competing forums. They attacked StressedForums and its owner on September 6 after StressedForums staff scammed a BlackForums member for $60 weeks prior. The feuds they have with other forums and hackers could lead to attacks on BlackForums, which could be an explanation for their recent downtime. A list of the forum’s staff can be found below. Staff members include chat moderators, website developers, and hackers affiliated with other cybercrime groups. Helladrol is the moderator responsible for handling staff applications, which can also be viewed on the forum. There are also other members, not listed here, who act as moderators for the group’s Telegram chat.

BlackForums Staff Members

Oddly enough, the forum also has a subscription section where users can purchase VIP or legendary subscriptions, and even moderator roles. This seems like a bad model for a cybercrime forum but the option to buy a moderator role for $250 exists nonetheless. It is not clear how long this feature will exist and may be a chance for security researchers to embed themselves in the forum before it gains more traction. The forum has also said that it will give users their ranks from BreachForums with proof, likely in an attempt to bring its users to their site.

BlackForums Subscription Options

BlackForums announced it will be joining forces with BloodForge, a Ransomware-as-a-Service (RaaS) group, to develop a new RaaS named BloodForge Onyx. The new group is going by the name “The Brotherhood” and has begun selling a limited number of licenses for $750 each. The new RaaS supposedly has features like polymorphic code, network worming, and delayed encryption that allows for deeper penetration into systems prior to encryption. Astounding is a developer for the new ransomware, and given their experience in developing for the GhostSec and Stormous ransomware groups in 2023, it is likely that the new RaaS will be highly capable.

Also known as BlackSec, BlackRose, and SparrowCorp, BlackForums has a history of rebranding and changing ownership. BlackForums originated in 2023 and was a prominent cybercrime forum that served as a major platform for trading stolen data and malware. The forum’s owner, Astounding, partnered with 4 other hacking groups to form the “Five Families.” The other members besides BlackForums were ThreatSec, GhostSec, Stormous, and SiegedSec. In January 2024, after nearly a year of operations, Astounding claimed to be diagnosed with an illness, so control of the forum was handed over to Luis G., also known as USDOD, who was later arrested. USDOD rebranded BlackForums as SparrowCorp.

In the same month, Astounding launched SecretForums as their "final" project, despite earlier claims they could not manage BlackForums due to health issues. SecretForums gained some traction but closed dramatically after Astounding announced a break for personal reasons. During this break, an admin named Lain falsely claimed Astounding had died. Lain and other staffers announced their departure and closure of the forum following this news. The SecretForums Telegram also posted a message claiming FBI seizure, though no independent confirmation was found. However, Astounding was alive and upon their return, they revealed they were not dead, announced a new BlackForums, and cut ties with SecretForums’ previous staff, doxing some of them after they attacked Astounding’s reputation and character.

The forum’s owner has relationships with multiple notable threat actors, including USDOD, ShinyHunters, and Baphomet. Based on findings from security researchers and threat actor Telegram messages, it appears that BlackForums was initially being worked on by USDOD under the working name “Breach Nation” until his arrest, when Astounding took over work as a solo developer and renamed it to BlackForums. The two have had a working relationship over the past few years, often working in the same circles and even on the same projects.

Astounding has also claimed that BlackForums has a deal with Baphomet, the now-arrested ex-owner of BreachForums, and ShinyHunters, a threat actor group responsible for multiple high-profile breaches in 2024 and for reviving BreachForums following its seizure by the FBI. According to the claim, the arrangement involves a mutual non-aggression pact and offers support to one another in times of need. This deal is no longer relevant following Baphomet’s arrest and ShinyHunters’ disappearance from the scene. Astounding was also a member of three “Five Families” groups. Astounding was the owner of BlackForums and a developer for both the Stormous and GhostSec ransomware. Astounding’s deal with ShinyHunters and Baphomet, Astounding’s relationship with USDOD, and the prominent groups Astounding has been affiliated with give context as to the reputation of this mysterious character.

BlackForums is back online with nearly 100 users already. The owner has ties with notable threat actors, has held a prominent role in the cybercrime forum community for years, and is responsible for multiple prominent forums and ransomware strains. Given BreachForums’ recent seizure, the community’s uncertainty in its security, and efforts by BlackForums staff to attract BreachForums users, it is likely that BlackForums will gain more traction in the coming months. Furthermore, their partnership with BloodForge in developing a new RaaS will attract more cybercriminals to the forum as their name is tied to the ransomware. Organizations and security researchers should monitor BlackForums and its owner, Astounding, as they rise in the cybercrime landscape.

Analysis Update

We initially wrote about this forum in the beginning of September, but since then Astounding has left the cybercrime community, leaving BlackForums dormant with little hope of revival. Originally, members of the community speculated that Astounding was exit-scamming his RaaS known as BloodForge. Exit-scamming is a fraudulent tactic used by operators of online platforms, particularly on the dark web, where they suddenly shut down the service and disappear with users' funds, leaving customers without recourse. However, Astounding made sure to inform members of the forum and adjacent groups that this was not the case and expressed discontent with the community at large. This was similar to when Astounding was claimed to be dead, except now people are not so eager for his return. His already damaged reputation was slashed even more, likely beyond repair.

Control of the Telegram group used by BlackForums was passed along by a few users after Astounding’s exit. While these users expressed interest in getting the forum up again, no serious discussions have taken place and most recently the original chat was deleted. A small number of users (25) have migrated to an invite-only channel, but there is no notable activity occurring yet. Before the chat was deleted, it was in a state of decay, filled with spam posts and meme bots. No discussion of cybercrime or new plans for projects occurred and users mostly trolled the chat.

To further bury any chances of a BlackForums revival, multiple staff members and developers also deleted their Telegram accounts, and supposedly no one has possession of the forum’s infrastructure. Those intimately involved with the project have disappeared and the domain has become unreachable.

The fact that a new forum shut down 2 weeks after I wrote about it showcases the ephemeral nature cybercrime forums possess. They are constantly built and torn down, vying for dominance within the community. When giants like RaidForums collapse, countless threat actors scramble to fill the void and claim their share of the rewards. Meanwhile, low-level users continue to migrate from one site to the next as their favorite forums shut down, forever wandering the digital landscape in search of a new home for their illicit activities.