The cybersecurity landscape is witnessing a significant transformation with threat actors adopting increasingly
sophisticated approaches to bypass security measures. In 2024, Radware’s research team conducted extensive analysis
on 46 deep-web hacker forums and over 26,000 threat actors’ forum threads. This research provides new insights into
emerging cyber threats and their potential impact on the financial services industry.
1. The Rise of the Infostealer Economy
Radware’s analysis reveals a thriving underground economy centered around information-stealing malware. On average,
we observed 3-4 daily mentions of unique “infostealer-as-a-service” across each monitored deep web forum. The
content analysis showed a clear split in the ecosystem: 56% of mentions relate to infostealer-as-a-service
offerings, while 44% of mentions consist of breached credentials freely being shared to boost seller
reputations.
We’ve observed several common factors across most of the new info-stealer ads:
- Compatibility with other hacking tools: As threat actors' toolsets get more sophisticated each year, this affects how they decide what tools to produce. Infostealer developers aim to add features that align with the most important factor influencing the hacker’s buying process: compatibility with other hacking tools.
- Modularity: By providing plug-ins and modules, threat actors can tailor their stealer offerings to meet the specific needs of their customers. According to our review of the new 2024 features collected from infostealer ads, it appears that developers are targeting different user segments:
  a. Individual threat actors: Info-stealer developers offer individual threat actors low-price plans, enhanced and simple UIs, as well as full technical support.
  b. APT groups: Infostealer developers offer APT groups dedicated features for their primary targets, which are corporate accounts. For example, Mystic Stealer (see screenshots below) offers a dedicated feature to steal passwords from Outlook, since most corporate organizations use it. We will soon hear more about ransomware attacks that establish initial access to an organization's network using software such as Mystic Stealer.
2. Credential-as-a-Service Clouds
A particularly concerning trend is the emergence of credential-as-a-service platforms, which operate on a
subscription model. On a daily or weekly basis, these services provide customers with freshly breached credentials
sorted by industry and geographic location.
For instance, one prominent service, Combo Cloud, saw a 46% increase in mentions between 2022 and 2024 while
simultaneously experiencing a 22% decrease in credentials distributed as text files—indicating a shift toward more
sophisticated distribution methods.
3. The OTP Bot Revolution
One of the most significant developments of 2024 is the rise of “OTP (One-Time Password) bots”—underground and
illegal services operated via Telegram that enable threat actors to automate social engineering.
How do OTP Bots Work?
- Threat actors begin with a credential stuffing attack, using previously leaked username-password combinations to attempt logins on various online services. When login attempts fail due to two-factor authentication (2FA) requirements, the attackers log these accounts as potential targets for an OTP bot attack.
- Using an external OTP bot service—operated via Telegram bots (see screenshot)—the threat actors input a victim’s name and the name of a bank associated with the target (obtained from the credential stuffing attack).
- The OTP bot, using pre-recorded or AI-generated voice calls and SMS messages, impersonates a legitimate entity (e.g., a bank, online service, or customer support). Victims receive urgent requests to provide the OTP sent to their device, often under the guise of fraud prevention or account verification.
- Many victims, unaware that the request is fraudulent, disclose the OTP. The threat actors retrieve the 2FA code for the targeted account. They then change the password and the 2FA phone number in the account and thus lock out the actual account holder without a chance to reset the password. The victim is now unable to recover access, and the attackers gain full control over the account.
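Each step of the chain above leaves a trace in ordinary authentication and account-change logs, which is what a defender can detect. The following Python is an added illustration written for this post, not Radware's tooling or any product's detection rule: it runs over a small set of constructed, SIEM-style auth events (the `event` names, IP addresses and timestamps are assumed for the example) and flags, in order, the credential-stuffing source (one IP failing against many distinct accounts), the accounts whose password was accepted from that source but whose 2FA was never completed (the attacker's target list), and the lockout signature of a later successful 2FA from the same source followed within minutes by both a password change and a 2FA phone-number change.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical SIEM-style schema (assumption, not a real product's format).
EVENTS = [
    # Credential stuffing: one source IP, many distinct accounts, one failed attempt each.
    {"ts": "2024-05-18T10:00:01", "ip": "198.51.100.7", "user": "alice", "event": "login_failed"},
    {"ts": "2024-05-18T10:00:02", "ip": "198.51.100.7", "user": "bob", "event": "login_failed"},
    {"ts": "2024-05-18T10:00:03", "ip": "198.51.100.7", "user": "carol", "event": "login_failed"},
    {"ts": "2024-05-18T10:00:04", "ip": "198.51.100.7", "user": "dave", "event": "login_failed"},
    {"ts": "2024-05-18T10:00:05", "ip": "198.51.100.7", "user": "erin", "event": "login_failed"},
    # alice's leaked password is still valid: password accepted, 2FA challenge issued but not passed.
    {"ts": "2024-05-18T10:00:06", "ip": "198.51.100.7", "user": "alice", "event": "password_ok_2fa_pending"},
    {"ts": "2024-05-18T10:00:36", "ip": "198.51.100.7", "user": "alice", "event": "2fa_failed"},
    # A legitimate user: one typo, then a normal login from a home IP (should not be flagged).
    {"ts": "2024-05-18T10:05:00", "ip": "203.0.113.9", "user": "frank", "event": "login_failed"},
    {"ts": "2024-05-18T10:05:10", "ip": "203.0.113.9", "user": "frank", "event": "password_ok_2fa_pending"},
    {"ts": "2024-05-18T10:05:20", "ip": "203.0.113.9", "user": "frank", "event": "2fa_ok"},
    # 30 minutes later the phished OTP is used from the same source, then password and 2FA phone are rotated.
    {"ts": "2024-05-18T10:30:00", "ip": "198.51.100.7", "user": "alice", "event": "2fa_ok"},
    {"ts": "2024-05-18T10:31:00", "ip": "198.51.100.7", "user": "alice", "event": "password_changed"},
    {"ts": "2024-05-18T10:32:00", "ip": "198.51.100.7", "user": "alice", "event": "2fa_phone_changed"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def stuffing_sources(events, min_accounts=5, window=timedelta(minutes=10)):
    """IPs whose failed logins touch at least `min_accounts` distinct users inside one window.
    Many accounts with few attempts each is the stuffing fingerprint, unlike brute force on one account."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[e["ip"]].append((_ts(e), e["user"]))
    flagged = set()
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def otp_bot_candidates(events, stuffing_ips):
    """Accounts whose password was accepted from a stuffing IP but reached the 2FA step.
    This is the list an attacker would keep for a later OTP-bot call, so it is the watch list."""
    return {e["user"] for e in events
            if e["ip"] in stuffing_ips and e["event"] == "password_ok_2fa_pending"}


def takeover_alerts(events, candidates, stuffing_ips, window=timedelta(minutes=15)):
    """For each candidate account: a 2fa_ok from a stuffing IP followed within `window` by both a
    password change and a 2FA phone change. Returns {user: timestamp of the suspicious 2fa_ok}."""
    alerts = {}
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in candidates:
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, e in enumerate(evs):
            if e["event"] != "2fa_ok" or e["ip"] not in stuffing_ips:
                continue
            later = {x["event"] for x in evs[i + 1:] if _ts(x) - _ts(e) <= window}
            if {"password_changed", "2fa_phone_changed"} <= later:
                alerts[user] = e["ts"]
                break
    return alerts


def run(events=EVENTS):
    """Run the three stages in order and return (stuffing IPs, watch list, takeover alerts)."""
    ips = stuffing_sources(events)
    cands = otp_bot_candidates(events, ips)
    return ips, cands, takeover_alerts(events, cands, ips)


if __name__ == "__main__":
    ips, cands, alerts = run()
    print("stuffing sources:", ips)          # {'198.51.100.7'}
    print("OTP-bot watch list:", cands)       # {'alice'}
    print("account takeover alerts:", alerts) # {'alice': '2024-05-18T10:30:00'}
```

The second stage matters as much as the third: accounts on the watch list can be protected before the OTP call happens (for example by stepping up to a phishing-resistant factor, or by holding password and phone-number changes for a cooling-off period), whereas the third stage only confirms that the lockout already occurred.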
According to ads collected from multiple forums, 38 OTP bot services are currently available for $10 to $50 per
attack. These services have seen a 31% increase in mentions between 2023 and 2024, with 1,354 references recorded
during our research period alone.
These bots represent a sophisticated evolution in social engineering attacks. Rather than requiring attackers to
personally engage with victims, the bots impersonate legitimate financial services and manipulate targets into
sharing their two-factor authentication codes. Automating this process has made these attacks more scalable and more
challenging to detect.
4. The New Generation of DDoS Attacks
The DDoS-as-a-service ecosystem has experienced remarkable growth, with 34 distinct tools competing for over
196,000 followers. What makes this trend particularly alarming is the democratization of attack
capabilities. Our research indicates that virtually anyone with access to Telegram and $50 can launch
attacks generating up to 35,000 requests per second from a mobile device.
A notable innovation in this space is the integration of AI capabilities. On May 18, 2024, we documented the
emergence of "Stressed Cat," a DDoS tool that showcases advanced captcha-solving capabilities. Unlike
traditional DDoS tools that attempt to bypass captchas, this new generation employs AI to solve them,
enabling more efficient attacks with fewer bot sessions and effectively evading captcha-reliant detection
systems.
Key Insights and Implications
- The decentralization of cybercrime has reached new heights, with threat actor forums facilitating complete separation between attack developers and executors. This separation of roles makes attribution and law enforcement intervention increasingly challenging.
- Cybersecurity professionals must fundamentally rethink traditional security approaches. They need to shift from a defender mindset—focused on searching for potential threats in their logs—to a proactive offensive perspective that heavily relies on external cyber threat intelligence gathered from deep and dark web platforms.