Department of Computer Science and Technology

Cambridge Cybercrime Centre: Eighth Annual Cybercrime Conference, 23 June 2025

The Cambridge Cybercrime Centre's eighth one day conference on cybercrime will be held on Monday, 23rd June 2025.

REGISTRATION LINK: https://onlinesales.admin.cam.ac.uk

PAST CONFERENCES

For details of the 2016 event see here.

For details of the 2017 event see here.

For details of the 2018 event see here.

For details of the 2019 event see here.

For details of the 2022 event see here.

For details of the 2023 event see here.

For details of the 2024 event see here.

LOCATION

The one day event is being held in 'West Hub' on the University's West Cambridge site (just across the road from the 'Computer Lab').

AGENDA

09:00 Registration

09:30 KEYNOTE:

Sunoo Park, New York University

Abstract: TBA

10:15 Ten years of the Cambridge Cybercrime Centre

Richard Clayton, Cambridge Cybercrime Centre

Abstract: The CCC formally started work in October 2015. This talk looks back not just at what we have achieved (which is a fair bit), but rather more importantly, at what our model of sharing data 'sometimes before we have even looked at it ourselves' has enabled others to achieve.

10:45 Coffee break

11:15 Session 1: Trust, Identity, and Communication in Cybercriminal Ecosystems

From trust to trade: Uncovering the trust-building mechanisms supporting cybercrime markets on Telegram

Roy Ricaldi, Eindhoven University of Technology, Tina Marjanov, University of Cambridge, and Luca Allodi, Eindhoven University of Technology

Abstract: Illicit activities online occur in inherently dangerous and untrustworthy environments. The structured nature of forums, along with users’ ability to develop lasting identities, helped mitigate some of the trust issues. Recently, Telegram’s privacy features, user anonymity, and ease of use have made it a popular alternative to traditional underground forums for cybercriminal activities. However, lacking many of the features forums provided, the dynamics of trust-building within Telegram groups and channels in cybercrime markets remain underexplored.

This paper identifies the market segments within the Telegram cybercriminal ecosystem and proposes a taxonomy of trust-building mechanisms that facilitate trade. The research examines the distribution of these mechanisms across market segments, applying the framework at scale. The findings reveal that, even if the mechanisms are scarce and sparse, Telegram communities adopt a variety of trust-building mechanisms, blending traditional forum practices with Telegram’s unique capabilities. Unlike forums, which emphasize long-term reputation and admin-mediated vetting, Telegram groups leverage more immediate mechanisms, such as proof-of-delivery messages and automated bots, to manage transactions and mitigate fraud risks. The paper concludes by emphasizing the evolving nature of trust-building in illicit markets and highlights the implications for future research.

Power, identity and group dynamics in hacking forums

John McAlaney, Bournemouth University

Abstract: There is a cybercriminal ecosystem through which cybercrimes are discussed and planned, and through which knowledge and skills are shared. This represents a complex social psychological environment through which individuals must navigate; however, there is a lack of research on this aspect of cybercriminal communities. By use of the CrimeBB dataset provided by the University of Cambridge, this work in progress will involve the analysis of posts from both surface and underground hacking forums to determine the role of social psychological factors such as group dynamics, power hierarchies, and social identity. This builds upon previous, exploratory work that utilised Linguistic Inquiry Word Count (LIWC) analysis and identified these factors as being central to discussions on hacking and cybercriminal forums.

Three data analytical approaches will be used in this project, which would be social network analysis, natural language processing analysis using bidirectional encoder representations from transformers (BERT), and thematic analysis. In doing so it will present a mixed methods and holistic overview of the social psychological processes evident in hacking and cybercriminal forums. These results can be used to better inform threat identification and prevention approaches, including how to encourage those who may become involved in cybercrime towards legitimate cybersecurity careers.

Evaluating the impact of anonymity on emotional expression in drug-related discussions: a comparative study of the dark web and mainstream social media

Haitao Shi, University of Edinburgh

Abstract: The surge in discussions related to darknet drug trading has highlighted growing public health and policy concerns, yet the unique communication dynamics within these forums remain understudied. This study investigates how anonymity influences emotional disclosure in drug-related discussions by comparing darknet forums and mainstream social media platforms. Using BERTopic topic modelling (with DarkBERT as the embedding model), this study analyses large-scale text data from the CrimeBB database and Telegram, both shared by the Cambridge Cybercrime Centre, to identify drug-related themes and their trends. BERT-based sentiment analysis is then applied to quantify differences in emotional expressions across identical topics, revealing the specific impact of anonymity on discourse. This novel approach bridges a key literature gap by directly contrasting these environments. The findings may guide public health strategies, such as evaluating whether darknet forums offer a safer space for harm reduction discussions, and inform policy interventions, including targeted educational campaigns. By addressing this underexplored dynamic, the study provides fresh perspectives on illicit online communication and its implications for public health and policy.

12:30 Lunch

13:30 Session 2: Technical Threats and Exploitation Tactics

Blockchain address poisoning

Taro Tsuchiya, Carnegie Mellon University

Abstract: In many blockchains, e.g., Ethereum, Binance Smart Chain (BSC), the primary representation used for wallet addresses is a hardly memorable 40-digit hexadecimal string. As a result, users often select addresses from their recent transaction history, which enables “blockchain address poisoning.” The adversary first generates lookalike addresses similar to one with which the victim has previously interacted, and then engages with the victim to “poison” their transaction history. The goal is to have the victim mistakenly send tokens to the lookalike address, as opposed to the intended recipient. Compared to contemporary studies, this paper provides four notable contributions. First, we develop a detection system and perform measurements over two years on Ethereum and BSC. We identify 13 times the number of attack attempts reported previously, totaling 270M on-chain attacks targeting 17M victims. 6,633 incidents have caused at least 83.8M USD in losses, which makes blockchain address poisoning one of the largest cryptocurrency phishing schemes observed in the wild. Second, we analyze a few large attack entities using improved clustering techniques, and model attacker profitability and competition. Third, we reveal attack strategies: targeted populations, success conditions (address similarity, timing), and cross-chain attacks. Fourth, we mathematically define and simulate the lookalike address-generation process across various software- and hardware-based implementations, and identify a large-scale attacker group that appears to use GPUs.

The human attack surface: understanding hacker techniques in exploiting human elements

Marre Slikker, Kate Labunets, Jan Van Acken, Department of Information and Computing Sciences Utrecht University, The Netherlands

Abstract: This study explores how hackers on underground forums discuss and refine techniques for exploiting human elements in cybercrime. While existing research primarily focuses on technical attack vectors or adopts a defensive approach, this study shifts focus to the offensive side by analyzing key discussion topics, tracking their evolution, and assessing their implications for preventive cybersecurity measures. The main research question is: What do hackers on underground forums discuss about the exploitation of human elements in their attacks? To address this, this study conducts a systematic literature review to define human elements in cybersecurity and extract keywords. These keywords inform Latent Dirichlet Allocation topic modeling, which identifies the most prevalent discussion topics on human elements. LDA is selected due to its effectiveness in uncovering hidden topics in unstructured text. Trend analysis is conducted to examine how these discussions evolve over time in response to technological and social changes. This study utilizes the CrimeBB dataset from the Cambridge Cybercrime Centre, consisting of millions of hacker forum discussions spanning over a decade. By identifying key topics and their evolution, this research offers actionable intelligence for cybersecurity practitioners while advancing the theoretical understanding of offensive techniques targeting the human element to enhance proactive defenses.

Evading algorithmic censorship: exploring the role of language in hacktivist attack related correspondence

Amira Sharif and Charles Lanfear, University of Cambridge

Abstract: This study aims to investigate hacktivists' interactions in underground chat channels (i.e., Telegram and Discord). Here, “hacktivist threat actors are defined as entities whose use of offensive cyber capabilities hinges primarily around personal and ideological motivations, rather than the demands of a sponsoring state or in the pursuit of financial gain” (Djavaherian, 2022, p. 2). Unlike individual hackers, hacktivists are more threatening because of their organised structure, ideological motivations, and potential to create a widespread impact. This is alarming because hacktivist activities have been on the rise in recent years, and the literature behind it is limited. Namely, most studies focus on Western hacktivist movements (e.g., Anonymous, LulzSec), but there is little research on how hacktivists from different linguistic and cultural backgrounds communicate.

14:45 Coffee break

15:15 Session 3: Disruption and Resilience in Illicit Online Activities

Assessing the aftermath: the effects of a global takedown against DDoS-for-hire services

Anh V. Vu, Ben Collier, Daniel R. Thomas, John Kristoff, Richard Clayton, Alice Hutchings

Abstract: Law enforcement and private-sector partners have in recent years conducted various interventions to disrupt the DDoS-for-hire market. Drawing on multiple quantitative datasets, including web traffic and ground-truth visits to seized websites, millions of DDoS attack records from academic, industry, and self-reported statistics, along with chats on underground forums and Telegram channels, we assess the effects of an ongoing global intervention against DDoS-for-hire services since December 2022. This is the most extensive booter takedown conducted to date, combining targeting infrastructure with digital influence tactics in a concerted effort by law enforcement across several countries with two waves of website takedowns and the use of deceptive domains. We found over half of the seized sites in the first wave returned within a median of one day, while all booters seized in the second wave returned within a median of two days. Re-emerged booter domains, despite closely resembling old ones, struggled to attract visitors (80-90% traffic reduction). While the first wave cut the global DDoS attack volume by 20-40% with a statistically significant effect specifically on UDP-based DDoS attacks (commonly attributed to booters), the impact of the second wave appeared minimal. Underground discussions indicated a cumulative impact, leading to changes in user perceptions of safety and causing some operators to leave the market. Despite the extensive intervention efforts, all DDoS datasets consistently suggest that the illicit market is fairly resilient, with an overall short-lived effect on the global DDoS attack volume lasting for at most only around six weeks.

Modeling organizational resilience: a network-based simulation for analyzing recovery and disruption of ransomware operations

Dalya Manatova, Indiana University, Cathleen McGrath, Loyola Marymount University, and L Jean Camp, Indiana University

Abstract: Scholars describe ransomware-as-a-service (RaaS) organizations as commodity-based operations that function much like legitimate businesses. However, studying these cybercriminal groups remains challenging due to their closed nature and deliberate efforts to remain underground. One critical area of research is their resilience, as understanding how they recover from disruptions can inform more effective law enforcement and cybersecurity interventions.

We address this by modeling ransomware operations as networks of interdependent business processes, while also accounting for the personal connections (friendships) that influence operational resilience. Our network-based simulation assigns actors to workflow tasks spanning typical ransomware phases, including malware development, initial access, encryption, extortion, and ransom payment. The network evolves dynamically through friendship and workflow connections, representing the flow of information and personal ties.

We introduce perturbations by selectively removing tasks, nodes (actors), or communication links, and measure the system’s ability to recover. Such disruptions reflect scenarios like the sudden absence of key organizers, removal of specific roles, or the takedown of critical infrastructure, whether caused by law enforcement, internal disputes, or environmental factors. The simulation tracks time-steps for restoring operations, considering role redundancy, alternative communication paths, and the introduction of new actors.

Our findings provide insights into the adaptability of ransomware groups and the robustness of their operations. This study contributes to cybercrime research by offering a framework to simulate critical disruption points, expanding our understanding of RaaS ecosystems’ resilience and weaknesses.

The prevalence and use of conspiracy theories in anonymity networks

Marco Wähner, Center for Advanced Internet Studies, and Felix Soldner, GESIS – Leibniz Institute for the Social Sciences

Abstract: Conspiracy theories are not a modern phenomenon. However, the advent of the Internet has significantly altered the conditions for their dissemination. Consequently, research has increasingly focused on the emergence and spread of conspiracy theories on the Internet, particularly within social networks. However, understanding the spread and influence of conspiracy theories in anonymity networks and cryptomarkets is crucial for both academia and policymakers to develop effective intervention strategies. In this study, we present preliminary findings from our analysis of the ExtremeBB and CrimeBB datasets. Our research has two primary objectives: first, to identify conspiracy theories circulating within these forums, and second, to examine whether and how they are leveraged to promote illicit activities or sales of products and services. To achieve this, we employ natural language processing (NLP) techniques. Our findings contribute to a deeper understanding of the intersection between conspiracy narratives and illegal online activities.

16:30 The Cambridge Cybercrime Centre: Future Directions

Alice Hutchings, Cambridge Cybercrime Centre

Abstract: A brief update as to what the Centre has been working on, and future directions.

16:40 Social event
