Department of Computer Science and Technology

Cambridge Cybercrime Centre: Sixth Annual Cybercrime Conference, 22 June 2023

The Cambridge Cybercrime Centre's sixth one-day conference on cybercrime takes place on Thursday, 22nd June 2023.





The one-day event is being held in the 'Computer Lab' on the West Cambridge site.


09:00 Registration

09:30 Hunting in pack(et)s -- Cybercrime investigation as a team sport

Elliott R. Peterson, Federal Bureau of Investigation

Abstract: Cybercrime methodologies advance rapidly, responding to pressure from government, private sector, and even competition among criminals. This talk will discuss a multidisciplinary approach to cybercrime investigations that accounts for this advancement through proactive partnerships between government, private sector, and academic institutions. Told through the backdrop of several recent investigations including botnet takedowns and seizures of DDoS-for-hire services, the talk will discuss best practices for information sharing and aligning goals and strategies. Finally, it will explore how academic analysis of law enforcement operations can be used to refine future operational strategies.

10:00 "You think that you'd get laid if it wasn't for advancements in technology?" A sociological analysis of marginalised masculinity in Incel communities

Jade Hutchinson, Macquarie University and University of Groningen

Abstract: Involuntary Celibates (Incel) communities encompass an expanding network of social networking spaces, and research suggests socio-technical factors facilitate Incel movement toward violent extremism. Men and masculinities studies should be applied to better understand and prevent the propagation of Incel ideology and violence. Masculinity -- the expectations and ordering of men in society -- is said to critically shape Incels' fidelity to the community and reinforce their justification for violence. In these research areas, Bourdieu's concepts of 'field' and 'habitus' become central to analyse environments that enable and constrain behaviour and motivations. The concepts are seldom used to elucidate the influence of socio-technical ecologies -- composed of software and hardware such as websites and mobile devices -- on Incel masculinity. We consider the ways Incel masculinity is enabled and constrained by the technological milieu where Incel communities dwell and develop. We focus on Bourdieu's concepts 'field' and 'habitus' to examine the discourse and action occurring in certain Incel online social networking spaces, and to explore the ways their technologies and spaces may shape opportunities to construct masculine identities. We suggest that Incel communities and their various masculine identities are similarly conditioned and characterised by interrelated and entangled socio-technical structures and systems as gendered beings.

10:25 An analysis of conversations on cybercrime forums in the context of autism

Jessica Monteith, University of Cambridge

Abstract: First, please think about what are the characteristics of a stereotypical hacker? Now think about the typical autistic traits. Any overlaps? There have been many studies into the relationship between autism and cybercrime, many from a psychological angle, some used a systematic approach to combine analysis on autistic traits and cybercriminal characteristics. But the research I am sharing with you in this presentation is the first to use underground forum data to find out if actors who associate themselves with autism are more or less likely to engage in cybercrime-related conversations than other actors.

10:50 Coffee break

11:20 The role of RNPAs in improving cybercrime reporting in Scotland

Juraj Sikra, University of Strathclyde and Taras Shevchenko Kyiv National University

Abstract: The Scottish neoliberal government's enlisting of community and private sector organisations in economic cybercrime reporting is a form of responsibilisation. These organisations collect, evaluate and forward victims' cybercrime reports as state intelligence. I pioneer the term Responsibilised Non-Policing Agencies (RNPAs) to unmask the genealogy of their acquired role. I interviewed and compared Scottish versus Italian RNPAs to understand responsibilisation internationally and improve cybercrime reporting nationally. Scottish RNPAs are state-sponsored charities, banks, regulators of commerce and private institutions. Italian RNPAs are private law firms. All were represented by their relevant functions. In Scotland, RNPAs form a responsibilisation buffer zone between the state and victims. The Scots state exports selective funding and catholic responsibility to RNPAs and imports cybercrime intelligence. The Italian state is comparatively disengaged. Victims risk criminal responsibilisation, which is why they turn to RNPAs. Scottish RNPAs supply an opportunity cost dilemma. The state can keep using RNPAs to narrate an improving cybercrime reporting strategy, which is cheaper. Alternatively, the state can restructure the funding of select RNPAs and increase funding for specialised cybercrime policing, which is more expensive. Both options are viable with specialisation bearing the opportunity cost.

11:45 Following the trail: Tracking user styles on clear and dark web forums

Pranav Maneriker, The Ohio State University

Abstract: Stylometry on web forums enables researchers to track changes in a user's writing style across multiple posts and threads. Our prior work has shown that combining structural and textual features can help identify darkweb users who migrate across different forums. However, on the darkweb, users often try to conceal their identities through pseudonyms and other obfuscation techniques. In this study, we investigate whether author identification models trained on clear web forums can be applied to darkweb forums. To accomplish this, we leverage Reddit data to model the clear web, as Reddit forms the basis of popular darkweb forums like Dread. We analyze whether authorship identification models trained on Reddit data can successfully identify authors on Dread and other darkweb forums present in the CrimeBB dataset. We also investigate how the amount of training data and its specificity affect the accuracy of our models. Finally, we compare the performance of fine-tuned clear web models to those trained on darkweb data alone. (Full list of authors: Pranav Maneriker, Yuntian He, Scott Duxbury, Dana Haynie, and Srinivasan Parthasarathy)

12:10 PostCog: A tool for interdisciplinary research into underground forums at scale

Jack Hughes, University of Cambridge

Abstract: Underground forums provide useful insights into cybercrime, where researchers analyse underlying economies, key actors, their discussions and interactions, as well as different types of cybercrime. This interdisciplinary topic of study incorporates expertise from diverse areas, including computer science, criminology, economics, psychology, and other social sciences. Historically, there were significant challenges around access to data, but now there are research datasets of millions of messages scraped from underground forums. The problems now stem from the size of these datasets and the technical nature of methods and tools available for data sampling and analysis at scale, which make data exploration difficult for non-technical users. PostCog has been developed to solve this problem, a web application developed to support users from both technical and non-technical backgrounds in forum analyses, such as search, information extraction and cross-forum comparison.

12:35 Lunch

13:15 The effect of online ad campaigns on cybercrime: A cross-national difference-in-differences quasi-experiment

Asier Moneva, Netherlands Institute for the Study of Crime and Law Enforcement and The Hague University of Applied Sciences

Abstract: European law enforcement agencies have begun to use targeted online ad campaigns to raise cybercrime awareness among at-risk populations. Despite their rapid proliferation, there is little research to support their efficacy and effectiveness. This study uses a quasi-experimental difference-in-differences design to evaluate the effect of seven campaigns deployed in 2021 and 2022 on the volume of DDoS-attacks recorded in six European countries: Denmark, Finland, Netherlands, Norway, Sweden, and Portugal. The results show mixed effects, suggesting that the campaigns are not effective in reducing DDoS-attacks in the short term. Law enforcement has partly justified the use of targeted online ad campaigns on the premise that they reduce DDoS-attacks. However, the evidence in this regard is inconclusive. If public support for the use of such campaigns is to be secured in the long term, law enforcement will likely need to rely on stronger arguments. (Full list of authors: Asier Moneva and Rutger Leukfeldt)

13:40 An empirical study on the offensive use of AI in underground forums

Saskia Schröer, University of Liechtenstein

Abstract: A large body of security research has focused on the use of Artificial Intelligence (AI) to protect networks, computers, and systems. However, AI can also be used for offensive purposes to conceive more targeted and sophisticated attacks that are executed at higher frequency and larger scale. This study explores the empirical evidence for the offensive use of AI in the wild, using a state-of-the-art Natural Language Processing (NLP) technique based on topic modelling. The empirical evidence for this study is based on CrimeBB's collection of discussions in underground forums, which provide an intriguing global perspective of their activities. Our results reveal that attackers exhibit a strong interest in learning more about AI. They actively seek advice on techniques, search for easy-to-use tools, discuss potential malicious applications, and exhibit an increased interest in the circumvention of defensive mechanisms. Our findings also suggest that AI is likely to be drawn into the arms race in cyberspace, giving rise to a new threat landscape as well as ethical concerns with respect to dual-use AI tools. (Full list of authors: Saskia Laura Schröer, Shoufu Luo, Jeremy D. Seideman, Pavel Laskov, and Sven Dietrich)

14:05 No easy way out: The effectiveness of deplatforming an extremist forum to suppress hate and harassment

Anh V. Vu, University of Cambridge

Abstract: Legislators and policymakers worldwide are debating options for suppressing illegal, harmful and undesirable material online. Drawing on several quantitative data sources, we show that deplatforming an active community to suppress online hate and harassment, even with a substantial collective effort involving several tech firms, can be hard. Our case study is the disruption of harassment forum Kiwi Farms. We collected complete snapshots of this site and its primary competitor Lolcow Farm (over 14.7M posts during the past decade), supplemented with a full scrape of the Telegram channel used to disseminate new updates when the forum was down, tweets made by the online community leading the takedown, and with search interest and web traffic to the forum spanning two months before and four months after the event. Despite the active participation of a number of tech companies over several consecutive months, this campaign failed to shut down the forum and remove its objectionable content. While briefly raising public awareness, it led to rapid platform displacement and traffic fragmentation. Deplatforming a community without a court order raises issues about censorship versus free speech; ethical and legal issues about the role of industry in online content moderation; and practical issues on the efficacy of private-sector versus government action. (Full list of authors: Anh V. Vu, Alice Hutchings, Ross Anderson)

14:30 Coffee break

15:00 SoK: A data-driven view on methods to detect reflective amplification DDoS attacks using honeypots

Marcin Nawrocki, Freie Universität Berlin

Abstract: In this presentation we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment (CCC), network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges. (Full list of authors: Marcin Nawrocki, John Kristoff, Raphael Hiesgen, Chris Kanich, Thomas C. Schmidt, Matthias Wählisch)

15:25 Analysis of security mechanisms of dark web markets

Yichao Wang, University of Kent

Abstract: This study aims to investigate the security mechanisms of different dark web markets to further understand their operation and evolution. To achieve this, we conduct data collection and experiments in 12 existing dark web markets and use some basic penetration testing tools to test these markets while considering potential ethical issues. We carry out a comparative analysis and present our results in three aspects: web security, account security, and financial security. Web security contains CAPTCHAs, DDoS protection, and others that "OWASP Top Ten" included; account security contains the username and password policy, and two-factor authentication; financial security contains allowed currencies, transaction mechanisms, and dispute policy. In conclusion, different types of security countermeasures used by the markets often reflect the operator's business philosophy, which in turn affects how the markets operate. We expect this study to contribute to a better understanding of dark web markets operation for the security research communities. More promisingly, in the future, we would like to see whether the application of different security mechanisms at different levels potentially affects the lifetime of the market, as users tend to choose the more reliable ones. (Full list of authors: Yichao Wang, Budi Arief, and Julio Hernandez-Castro)

15:50 Cream skimming the underground: Identifying relevant information points from online forums

Felipe Moreno Vera and Mateus Nogueira, Federal University of Rio de Janeiro

Abstract: Underground hacking forums contain privileged and up-to-date information about the availability, development, and tentative use of exploits in the wild. These forums supply information ranging from beginner hacking skills to functional hacking tools, sometimes for free. We compare patterns from CrimeBB against a Russian market. In order to filter and extract useful information, we propose a machine learning approach to classify CrimeBB threads and tag them under three labels: Proof-of-Concept (PoC), Weaponization, or Exploitation. We apply NLP to pre-process post content and to encode textual information under three alternatives: bag-of-words (BoW), TF-IDF, and doc2vec. We define two tasks: task 1) for each thread, infer one of the three labels defined before; task 2) discriminate between exploitation and non-exploitation. After training Random Forests and Decision Trees for the two tasks, we observed that the performance of Random Forest was roughly 10% better than that of a Decision Tree for both tasks, at the expense of reduced interpretability. (Full list of authors: Felipe Moreno-Vera, Mateus Nogueira, Cainã Figueiredo, Daniel S. Menasché, Miguel Bicudo, Ashton Woiwood, Enrico Lovat, Anton Kocheturov, and Leandro Pfleger de Aguiar)

16:15 The Cambridge Cybercrime Centre

Alice Hutchings, Cambridge Cybercrime Centre

Abstract: A brief update as to what the Centre has been working on, and future directions.

16:30 Social event

