On August 9, 2020, Torum’s administrator announced the forum is shutting down. What was this forum, and will its users find alternatives? KELA explored various darknet sources, as well as Torum itself, to find out. Here is a summary of our findings:
- Torum was an English-speaking underground forum that posed as a nonprofit cybersecurity website. While both its members and users of other forums agreed Torum was a good place to discuss cybersecurity and learn hacking methods, the site was overwhelmed by newbies and scammers who damaged its reputation.
- Torum’s administrator announced he is closing the forum because he lost interest in supporting it.
- Torum was an active, stable community, which will likely be missed by users. The forum has a few alternatives in the darknet, including CryptBB, which recently became public. This post will explore what distinguished Torum and what darknet chatter reveals about possible alternatives.
- As users struggle to find new forums with a decent community, it is crucial to continue tracking these sources to understand new trends and TTPs, and proactively mitigate potential risks emerging from them.
The announcement of Torum shutting down
The History of Torum
Launched in May 2017, Torum reportedly had more than 130,000 users, a substantial number for an underground forum. By comparison, RaidForums, the most popular English-speaking forum, has about 465,000 members, of whom 15,000 are active daily.
Torum only gained popularity among the English-speaking audience in February 2019, when Kickass (an English-speaking platform for cybercriminals) went offline. Torum’s user base increased by 639% from February to October of that year.
We used KELA’s DARKBEAST to dive into Torum’s posts, concluding it was actively maintained throughout 2020, with almost 95,000 posts published from January to August. Based on our analysis, in addition to cybersecurity discussions, many conversations focused on malicious activities and other related information, as well as trading and sharing accesses and databases.
Torum’s activity in 2020 (number of messages)
The official reason for closure, provided by Torum’s administrator, is that he “lost the passion” to maintain the forum. We found nothing indicating otherwise. Torum was known for frequent outages: members mentioned the site could be down for a few days at a time, suggesting the administrator wasn’t rushing to fix technical issues. Some users also said the administrator was tired of the flood of spam messages on Torum.
A message posted on Onion Links, a Telegram channel dedicated to darknet news: “In particular, the closure of the site is associated with constant spam, which was barely sorted out by the moderators. Both Dread and Envoy faced the same problem, which is why registration was suspended at the first one.”
Was Torum Unique?
According to users’ complaints on other forums, Torum featured many beginners asking “noob questions” and scammers posting malicious links. When discussing Torum shutting down, some mentioned it wasn’t such a loss. Others still paid respect to the forum: “Torum had it all – wacky stuff, DNM related content, discussion on fraud, scripting, hacking, cracking, and of course shitposts. For many, it was the community that introduced them to the concepts of NetSec and fraud.”
Users discussing the closure of Torum (source: darknet forum TheHub)
A user discussing the closure of Torum (source: Dread, “the darknet Reddit”)
It appears that Torum had loyal members, who rarely posted on other underground forums, at least with the same user handles. Torum’s ten most active users used 2-3 other forums on average, with Torum as their primary platform.
So what types of data were sold on Torum, and what interested its members? Here’s a quick review of the topics discussed in July 2020:
Hacking and Cybersecurity
Users often asked for advice from experienced users, and the forum was considered a place where one could learn hacking. Here are a few recent examples of such questions: “What can I do with IP address?”, “Have CC [credit card data] + info – now what?”, “Is it possible to get into someone’s iPhone camera and spy on them?” Torum claimed to be a place for in-depth discussions about cybersecurity, but these conversations were much less common. However, some users referred to Torum members as experienced hackers. Besides hacking, community members discussed general interest topics, such as Covid-19.
Discussions about darknet websites (source: Dread)
Databases for Sale and Free
Torum users shared popular recent leaks (Tokopedia breach and BlueLeaks, for example), as well as exclusive findings. For instance, one user posted data stolen from an Irish financial company, and others pointed out the company’s site has an XSS vulnerability. Users shared databases in the forum’s Intel exchange section, open for members who posted ten messages on Torum.
Database leaks on Torum (via DARKBEAST)
Accounts, Remote Access and Credit Card Data for Sale
Various users were looking to buy and sell remote access to organizations, accounts of financial services (including WebMoney, Exmo, PayPal, Yandex Money), and other types of data. Based on their offering, we assume sellers didn’t use Torum as an exclusive trading platform.
Malware for Sale
Thanos ransomware, which emerged in late 2019, attracted the attention of Torum users, who debated whether the author of a post advertising it should be trusted. The author identified himself as the developer of Thanos, who had decided to offer it to Torum’s users. Exploits, RATs, ATM malware, and other malicious tools were also discussed and offered for sale.
The developer of Thanos ransomware offered his product on Torum (via DARKBEAST)
As can be seen, the data offered on Torum were rarely unique. However, users valued it as a place for hacking-related conversations and learning. Torum had a private section for administrators and moderators of the forum, but it was closed following leaks of private discussions. Now, both veterans and newbies must find a new platform for similar discussions.
Where Will Users Migrate?
Most users have probably already been using other platforms and markets dedicated to leaks, malware, tools, etc. Torum was never famous for being the first source for such offers, so users will look for a new place to discuss hacking activities. Here are the leading alternatives:
According to darknet chatter, a prospective replacement is CryptBB, which recently eased the acceptance process of new users. CryptBB, launched in 2017, started as a private English-speaking hacking forum known for its rigorous application policy, only accepting members who pass an interview. However, in late 2019, CryptBB opened a section for “newbies” who are not skilled enough to be accepted but still want to learn from experienced hackers, posting a thread on Dread, where administrators invite beginners to improve their skills and evolve into “pro” members.
CryptBB has around 10,000 users, but when users struggle to find forums with a decent community, the application process and the semi-private mode might attract new users. Even on Torum, members were looking for platforms with a strict screening process, including Exodus, an exclusive forum that was closed in 2017.
A user interested in an alternative to Exodus (source: Torum; via DARKBEAST)
As CryptBB seems focused on gaining a larger audience and building a new brand on the darknet, Torum’s closure is a positive development for it. Some users are already recommending CryptBB as a replacement.
A thread on HiddenAnswers, the darknet alternative of Quora
CryptBB’s contenders include TheHub, which claims to have around 157,000 users, who are supposedly less into hacking activities and not as active as Torum’s users. We traced about 16,000 messages posted on TheHub in 2020, while Torum had almost 95,000.
Users discussing an alternative to Torum (source: TheHub)
A now-deleted thread discussing Torum (source: TheHub; via DARKBEAST)
Even before Torum shut down, some users mentioned alternative darknet forums: Dread, Nulled, Cracked, Helium, HackTown, HackForums, Envoy, and some Russian-speaking forums.
While Torum and its alternatives are not where critical leaks are posted every day, they are a valuable source, revealing relationships between prominent hackers who share information about new TTPs. This data could be even more useful than the results of the hacking activities (e.g., leaks) as it can help prevent attacks.