Inside Hacker’s Tutorials: Using Underground Knowledge Bases as an Early-Warning Feed for Enterprise Defenders


July 13, 2026 09:38 AM

In recent months, the Radware CTI team observed a rise in the number of hacking tutorials and guides posted on threat actors' forums.

Download now

In recent months, the Radware CTI team observed a rise in the number of hacking tutorials and guides posted on threat actors' forums. In this research, 9,000 forum thread topics from over 3,000 distinct tutorials and guides, over a period of three years, were analyzed to understand which knowledge was shared and assess the impact on the online application threat landscape in 2026.

EXECUTIVE SUMMARY

Underground forums that appeared to be in decline are quietly re-arming. Between December 2022 and April 2026, Radware’s CTI team collected 8,870 tutorial posts across 24 deep- and dark-web forums, which were reduced to 3,034 unique hacking and fraud guides after reposts were removed. The picture that emerges is not a static library of old tricks. It is a growing, shifting body of knowledge that is being pointed, with increasing precision, at financial fraud.

The clearest signal is volume. New tutorial output collapsed through 2024 to roughly 45 first-time publications a month and stayed flat into mid-2025. From late 2025, it roughly doubled, to between 110 and 140 new tutorials a month across 2026. The forums are not only recycling a fixed set of techniques; they are producing new ones.

Carding and identity theft grew from 19% of all tutorials in 2024 to 38% in 2026, making it the most-taught subject by a wide margin, while cash-out content roughly tripled within the new supply. The black-hat SEO and affiliate manipulation vectors that once dominated moved in the opposite direction, falling from 33% to 13% over the same period. The ecosystem shifted from audience-building and grey-hat money tricks toward direct, hands-on financial fraud.

Among the 29% of tutorials that named a specific victim brand or platform, telecom (33.5%) and social media (30.8%) together account for 64% of all industry-tagged content, well ahead of e-commerce and retail (11.8%), payments and fintech (10.4%), and crypto (5.9%). These are not arbitrary targets. Telecom accounts and social-media identities are the infrastructure a fraudster needs to intercept one-time codes, to farm verified accounts, and to convert stolen credentials and card data into cash. The rise in carding and the focus on telecom and social media indicate that forums teach the full attack kill chain, from break-in to cash-out.

Behind that chain sits a smaller and more deliberate hand than the volume suggests. Activity is heavily concentrated: the top 1% of accounts account for nearly one-third of all postings, and the top 10% account for more than half. Among tutorials reposted ten or more times, 79% are pushed by a single account or by hidden premium members rather than spreading organically across the community. A prime example of this was the September 2025 peak of 712 tutorials, which consisted of 84% of a single tutorial template pushed across multiple forums. Repost volume is therefore a measure of promotion effort rather than reader demand; much of what looks popular is small operators advertising their own materials. Radware assesses with moderate confidence that a share of these coordinated pushes are automated and predatory - “free” guides and lead magnets built to convert novice readers into buyers or into the victims of rug-pull scams.

Generative AI is the accelerant that ties these trends together. Three case studies show similar patterns: In our first case study - a “100 techniques” catalog generated by a jailbroken model and betrayed by a word-substitution filter, in our third case study - a research blog by a Google engineer repackaged and reposted under a threat actor’s own name as a proof-of-concept. AI lowers the cost of producing convincing tutorials, which helps explain the supply surge. It has not yet replaced the human expert. Through the research window, AI still cannot provide the application-specific business logic depth a working cash-out guide requires, such as the timing and correct sequence of steps for a specific online application. That gap is narrowing, however. Purpose-built, agentic-driven pen testing agents released in the last few months are designed to close exactly this contextual depth, and their adoption is the variable most likely to reshape both the supply and the demand side of this ecosystem.

For defenders, the tutorial layer is an underused sensor. Its metadata is an early-warning feed. The rate of new guides per subject shows threats forming before they surface as attacks. Its content is a catalog of true-positive malicious flows, mostly low- to mid-level business-logic abuse, that maps directly to the vulnerabilities worth hunting for. The trajectory through 2026 is clear: a growing and evolving body of carding and cash-out methods entering circulation, aimed at the identity and telecom infrastructure that turns stolen data into money, produced by a concentrated operator class and increasingly assisted by generative AI.

Threat Advisory

Want to read the complete threat advisory?

Download it for free right now.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
CyberPedia