The Weird, Big-Money World of Cybercrime Writing Contests

Cybercriminals can be inventive—especially if there’s money on the table. One hacker has penned a 50-page essay on how to invest in cryptocurrency and sell at the right time to make a profit. Another put together a guide for how to create a fake version of blockchain.com that could be used to steal people’s usernames and passwords. And another produced instructions—cryptically titled “Elegantly breed daddies on lavender”—explaining how to scam money from people who pay to watch webcam models perform.

The unusual collection of documents and tutorials were all produced by cybercriminals and hackers trying to win money for their ideas, technical skills, and writing ability. Once they finish their articles, they submit them to be judged in competitions on Russian-language cybercrime forums. These contests, which can pay out thousands of dollars, are one of the forums’ more peculiar aspects.

For more than a decade, Russian-language cybercrime forums—which largely exist for trading stolen data, touting new security vulnerabilities, and connecting criminals—have run contests allowing their members to make some extra cash and gain some kudos in the process. A new analysis by cybersecurity firm Sophos is shedding some light on how these contests run and how they’ve rapidly grown in size in the last few years. For those entering, there’s the potential of a decent payday: $80,000 USD was the total prize pot in one recent contest.

“You can tell some people put a lot of work into these,” says Christopher Budd, director of threat research at Sophos X-Ops. “Sometimes what people present isn’t necessarily the newest or most original stuff. But it’s stuff that is interesting or in some way has appeal to the audience.”

In the analysis, Sophos researcher Matt Wixey examined the most recent contests on the cybercrime forums Exploit and XSS. The forums’ administrators announce the contests and ask people to submit written articles. While the entries are most often in Russian, Budd says, sometimes forum members will translate them into English to be “a good community member.”

The most recent competition on XSS was held between March and July 2022. There was a general prize pot of $40,000—up from $15,000 the previous year. The Sophos analysis says the contest was general, with forum members being asked to submit entries on around half a dozen topics. Malware development, methods for dodging antivirus and security products, ways of hiding malicious code, and social engineering techniques were all included in the list.

Meanwhile, Exploit’s last contest offered more prize money—$80,000 in total—but was more specific, asking for entries on cryptocurrency attacks, thefts, and vulnerabilities in April 2021. One sub-genre of the theme was “security of working with cryptocurrencies, except for banal things.”

“It’s another way that the criminal world is mirroring and adapting and adopting best practices from the legitimate side of the business,” says Budd. He compares some of the processes and entries as akin to those of legitimate cybersecurity research conferences and events, such as Black Hat, Defcon, and Pwn2Own. Unlike cybersecurity researchers who find issues to make products and services more secure before sharing their research for others to learn from, the criminals are producing the work with malicious intent.