Measuring Cybercrime as a Service (CaaS) Offerings in a Cybercrime Forum

The emergence of Cybercrime-as-a-Service (CaaS) is a critical evolution in the cybercrime landscape. A key area of research on CaaS is where and how the supply of CaaS is being matched with demand. Next to underground marketplaces and custom websites, cybercrime forums provide an important channel for CaaS suppliers to attract customers. Our study presents the first comprehensive and longitudinal analysis of types of CaaS supply and demand on a cybercrime forum. We develop a classifier to identify supply and demand for each type and measure their relative prevalence and apply this to a dataset spanning 11 years of posts on Hack Forums, one of the largest and oldest ongoing English-language cybercrime forum on the surface web. Of 28 known CaaS types, we only found evidence for only 9 of these in the forum.We saw no dramatic shifts in these offerings over time, not even after major underground marketplaces were being seized by law enforcement. Around 16% of first posts of the threads in the ‘Market’ section of the forum offers CaaS, whereas only 3% is focused on product-type criminal offerings. Within the types of CaaS, ‘bot/botnet as a service’, ‘reputation escalation as a service’ and ‘traffic as a service’ categories make up the majority (over 60%) for whole period in terms of both supply and demand. At least half of each CaaS offerings directs potential buyers to an instant messaging app or private message for transacting privately. In sum, we find that forums do in fact provide a channel for CaaS supply and demand to meet, but we see only a fraction of the CaaS landscape and there is no evidence in our data for the supposed growth of CaaS over time. We reflect on the implications of our findings for developing effective disruption strategies by law enforcement.