Radware Study: Analysis of Over 26,000 Web Forum Threads Reveals Cyber Threats to Financial Services


The cybersecurity landscape is witnessing a significant transformation with threat actors adopting increasingly sophisticated approaches to bypass security measures. In 2024, Radware’s research team conducted extensive analysis on 46 deep-web hacker forums and over 26,000 threat actors’ forum threads. This research provides new insights into emerging cyber threats and their potential impact on the financial services industry.

1. The Rise of the Infostealer Economy

Radware’s analysis reveals a thriving underground economy centered around information-stealing malware. On average, we observed 3-4 daily mentions of unique “infostealer-as-a-service” offerings on each monitored deep web forum. The content analysis showed a clear split in the ecosystem: 56% of mentions relate to infostealer-as-a-service offerings, while 44% of mentions consist of breached credentials shared for free to boost sellers' reputations.

We’ve observed several common factors across most of the new info-stealer ads:

  1. Compatibility with other hacking tools: As threat actors' toolsets grow more sophisticated each year, that sophistication shapes which tools get produced. Infostealer developers aim to add features that align with the factor that most influences a buyer's decision: compatibility with other hacking tools.

  2. Modularity: By providing plug-ins and modules, threat actors can tailor their stealer offerings to meet the specific needs of their customers. According to our review of the new 2024 features collected from infostealer ads, it appears that developers are targeting different user segments:

    a. Individual threat actors: Info-stealer developers offer individual threat actors low-price plans, enhanced and simple UIs, as well as full technical support.

    b. APT groups: Infostealer developers offer APT groups dedicated features for their primary targets, which are corporate accounts. For example, Mystic Stealer (see screenshots below) offers a dedicated feature to steal passwords from Outlook, since most corporate organizations use it. We will soon hear more about ransomware attacks that establish initial access to an organization's network using software such as Mystic Stealer.

    Mystic Stealer targeting corporate Outlook accounts

2. Credential-as-a-Service Clouds

A particularly concerning trend is the emergence of credential-as-a-service platforms, which operate on a subscription model. On a daily or weekly basis, these services provide customers with freshly breached credentials sorted by industry and geographic location.

For instance, one prominent service, Combo Cloud, saw a 46% increase in mentions between 2022 and 2024 while simultaneously experiencing a 22% decrease in credentials distributed as text files—indicating a shift toward more sophisticated distribution methods.

3. The OTP Bot Revolution

One of the most significant developments of 2024 is the rise of “OTP (One-Time Password) bots”—underground and illegal services operated via Telegram that enable threat actors to automate social engineering.

How do OTP Bots Work?

  1. Threat actors begin with a credential stuffing attack, using previously leaked username-password combinations to attempt logins on various online services. When a leaked password is accepted but the login is blocked by a two-factor authentication (2FA) challenge, the attackers record these accounts as potential targets for an OTP bot attack.

  2. Using an external OTP bot service—operated via Telegram bots (see screenshot)—the threat actors input a victim’s name and the name of a bank associated with the target (obtained from the credential stuffing attack).

    OTP bot in Telegram used to target bank customers

  3. The OTP bot, using pre-recorded or AI-generated voice calls and SMS messages, impersonates a legitimate entity (e.g., a bank, online service, or customer support). Victims receive urgent requests to provide the OTP sent to their device, often under the guise of fraud prevention or account verification.

  4. Many victims, unaware that the request is fraudulent, disclose the OTP. The threat actors retrieve the 2FA (Two-Factor Authentication) code for the targeted account. They then change the password and the 2FA phone number in the account and thus lock out the actual account holder without a chance to reset the password. The victim is now unable to recover access, and the attackers gain full control over the account.
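Read from the defending service's side, the four steps above translate into three detections that an ordinary authentication log can support: a source that tries many accounts with a low success rate (step 1), accounts whose password was accepted from such a source but whose second factor never completed (the very accounts an attacker records as OTP-bot candidates in step 1), and a completed MFA login on a watched account followed shortly by a password change and a 2FA phone change (step 4). The Python below is an added example, not code from the Radware report; the log format, thresholds and sample lines are constructed for illustration.

```python
"""Defender-side detection of the credential-stuffing -> OTP-bot -> takeover chain.

Constructed example: the log format, field names and thresholds are assumptions,
not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One event per line:
#   ISO-timestamp  user  source-ip  event  result
# 203.0.113.7 sprays eight accounts; carol and erin pass the password step but
# fail MFA. Later carol's MFA succeeds from a new IP and her password and 2FA
# phone are changed within a minute: the step-4 takeover pattern.
SAMPLE_LOG = """\
2024-05-18T10:00:01 alice 203.0.113.7 password fail
2024-05-18T10:00:02 bob 203.0.113.7 password fail
2024-05-18T10:00:03 carol 203.0.113.7 password ok
2024-05-18T10:00:04 carol 203.0.113.7 mfa fail
2024-05-18T10:00:05 dave 203.0.113.7 password fail
2024-05-18T10:00:06 erin 203.0.113.7 password ok
2024-05-18T10:00:07 erin 203.0.113.7 mfa fail
2024-05-18T10:00:08 frank 203.0.113.7 password fail
2024-05-18T10:00:09 grace 203.0.113.7 password fail
2024-05-18T10:00:10 heidi 203.0.113.7 password fail
2024-05-18T10:05:00 carol 198.51.100.9 password ok
2024-05-18T10:05:30 carol 198.51.100.9 mfa ok
2024-05-18T10:06:00 carol 198.51.100.9 password_change ok
2024-05-18T10:06:20 carol 198.51.100.9 mfa_phone_change ok
2024-05-18T11:00:00 erin 192.0.2.44 password ok
2024-05-18T11:00:20 erin 192.0.2.44 mfa ok
2024-05-18T12:30:00 alice 192.0.2.10 password ok
2024-05-18T12:30:05 alice 192.0.2.10 mfa ok
"""


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts with datetime stamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "event": event, "result": result})
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Step 1 signal: an IP that attempts passwords for many distinct accounts
    inside one window with a low success rate. Returns {ip: [users it tried]}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "password":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(attempts)):  # sliding window over this IP's attempts
            while attempts[end]["ts"] - attempts[start]["ts"] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {a["user"] for a in chunk}
            successes = sum(1 for a in chunk if a["result"] == "ok")
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                flagged[ip] = sorted({a["user"] for a in attempts})
                break
    return flagged


def mfa_exposed_accounts(events, stuffing_ips, window=timedelta(minutes=2)):
    """Accounts whose password was accepted from a stuffing source but whose MFA
    step did not succeed: these are the OTP-bot candidates and belong on a watchlist."""
    exposed = set()
    for e in events:
        if e["ip"] in stuffing_ips and e["event"] == "password" and e["result"] == "ok":
            mfa_ok = any(f["user"] == e["user"] and f["ip"] == e["ip"]
                         and f["event"] == "mfa" and f["result"] == "ok"
                         and e["ts"] <= f["ts"] <= e["ts"] + window
                         for f in events)
            if not mfa_ok:
                exposed.add(e["user"])
    return exposed


def takeover_signals(events, watchlist, window=timedelta(minutes=30)):
    """Step 4 signal: a successful MFA login on a watched account followed within
    `window` by both a password change and a 2FA phone change."""
    signals = []
    for e in events:
        if e["user"] in watchlist and e["event"] == "mfa" and e["result"] == "ok":
            later = [f for f in events
                     if f["user"] == e["user"] and e["ts"] < f["ts"] <= e["ts"] + window]
            changed = {f["event"] for f in later if f["result"] == "ok"}
            if {"password_change", "mfa_phone_change"} <= changed:
                signals.append((e["user"], e["ip"], e["ts"].isoformat()))
    return signals


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(evs)
    watch = mfa_exposed_accounts(evs, set(sources))
    print("stuffing sources:", sources)
    print("MFA-exposed watchlist:", sorted(watch))
    print("takeover signals:", takeover_signals(evs, watch))
```

The watchlist produced by the second function is the actionable piece: those accounts should get step-up verification (or a hold) on any password or 2FA-method change, since the report's step 4 is exactly that change sequence.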

According to ads collected from multiple forums, 38 OTP bot services are currently available for $10 to $50 per attack. These services have seen a 31% increase in mentions between 2023 and 2024, with 1,354 references recorded during our research period alone.

These bots represent a sophisticated evolution in social engineering attacks. Rather than requiring attackers to personally engage with victims, the bots impersonate legitimate financial services and manipulate targets into sharing their two-factor authentication codes. Automating this process has made these attacks more scalable and more challenging to detect.

4. The New Generation of DDoS Attacks

The DDoS-as-a-service ecosystem has experienced remarkable growth, with 34 distinct tools competing for over 196,000 followers. What makes this trend particularly alarming is the democratization of attack capabilities. Our research indicates that virtually anyone with access to Telegram and $50 can launch attacks generating up to 35,000 requests per second from a mobile device.

A notable innovation in this space is the integration of AI capabilities. On May 18, 2024, we documented the emergence of "Stressed Cat," a DDoS tool that showcases advanced captcha-solving capabilities. Unlike traditional DDoS tools that attempt to bypass captchas, this new generation employs AI to solve them, enabling more efficient attacks with fewer bot sessions and effectively evading captcha-reliant detection systems.
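Once a tool can solve captchas, a captcha pass no longer says much about whether a session is human, so a defense that gates only on captcha outcome is blind to exactly this generation of tools. The example below is added here and is not code from the report or from any tool's authors: it scores each session on request rate and on requests per captcha solve alongside the captcha result, over constructed traffic in which one session passes its captcha and then bursts. Session names, the 1-second window and the thresholds are assumptions.

```python
"""Rate-aware session scoring that does not trust a captcha pass on its own.

Constructed example; session names, window and thresholds are assumptions.
"""
from collections import defaultdict, deque


def constructed_traffic():
    """Constructed events as (ms_offset, session, kind) tuples."""
    events = [(0, "human-7", "captcha_pass")]
    # a person: one captcha, then a request every two seconds
    events += [(2000 * i, "human-7", "request") for i in range(1, 6)]
    # captcha-solving bot: a single pass, then 200 requests inside one second
    events.append((5000, "bot-1", "captcha_pass"))
    events += [(5000 + 5 * i, "bot-1", "request") for i in range(200)]
    # naive bot: fails the captcha and keeps sending anyway
    events.append((9000, "bot-2", "captcha_fail"))
    events += [(9000 + 100 * i, "bot-2", "request") for i in range(10)]
    return sorted(events)


def classify(stats, max_rps=20, max_requests_per_solve=50):
    """Verdict for one session's stats. A captcha pass only unlocks the rate
    checks; it does not by itself mark the session as benign."""
    if not stats["captcha_passed"]:
        return "blocked_by_captcha"  # the captcha-reliant control still catches this one
    per_solve = stats["requests"] / max(stats["solves"], 1)
    if stats["peak_rps"] >= max_rps or per_solve > max_requests_per_solve:
        return "rate_limit"
    return "allow"


def analyze(events, window_ms=1000, **thresholds):
    """Sliding-window peak request rate and captcha bookkeeping per session.
    Returns {session: {requests, solves, captcha_passed, peak_rps, verdict}}."""
    stats = defaultdict(lambda: {"requests": 0, "solves": 0,
                                 "captcha_passed": False, "peak_rps": 0})
    recent = defaultdict(deque)  # per-session timestamps inside the window
    for ts, session, kind in events:
        s = stats[session]
        if kind == "captcha_pass":
            s["solves"] += 1
            s["captcha_passed"] = True
        elif kind == "request":
            s["requests"] += 1
            q = recent[session]
            q.append(ts)
            while ts - q[0] >= window_ms:  # drop timestamps older than the window
                q.popleft()
            s["peak_rps"] = max(s["peak_rps"], len(q))
    for s in stats.values():
        s["verdict"] = classify(s, **thresholds)
    return dict(stats)


if __name__ == "__main__":
    for name, s in analyze(constructed_traffic()).items():
        print(name, s)
```

The useful property is that `bot-1` is limited despite a clean captcha record, while `bot-2` is still stopped by the captcha gate; the two controls are layered rather than the captcha being the sole decision point.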

Key Insights and Implications

  1. The decentralization of cybercrime has reached new heights, with threat actor forums facilitating complete separation between attack developers and executors. This separation of roles makes attribution and law enforcement intervention increasingly challenging.

  2. Cybersecurity professionals must fundamentally rethink traditional security approaches. They need to shift from a defender mindset—focused on searching for potential threats in their logs—to a proactive offensive perspective that heavily relies on external cyber threat intelligence gathered from deep and dark web platforms.

Stressed Cat DDoS tool using AI to solve captchas
Arik Atar

Arik Atar recently joined Radware's industry-leading Threat Research team, bringing his flavor of threat intelligence. While new to Radware, he draws on multifaceted expertise built across a 7-year career on the front lines of cyber threat hunting. In 2014, while completing his BA in International Relations and Counterterrorism at IDC University, Arik took his first steps on the darknet as part of his research on Iran-sponsored attack groups. At Bright Data, Arik uncovered both cyber adversaries'. He led investigations against high-profile proxy users that misused Bright Data's global residential proxy network to initiate mass-scale DDoS and bot attacks. In 2021, he moved from inspecting attack logs from the attacker's view to inspecting attacks from the defender's point of view at HUMAN Security (formerly PerimeterX), where he leveraged multiple hacker identities he developed over the years to hunt cyber threat intelligence on application hackers. Arik has delivered keynote speeches at conferences such as Defcon, APIParis, and FraudFights' Cyber Defender meetups. Arik's diverse career path has armed him with unique perspectives on application security. His expertise combines strategic cyber threat analysis with elements of game theory and social psychology.
