# Cybercriminal communities, growth and innovation
## **1. What shapes an ad-fraud community?**
|**Design choice**|**Options observed**|**Impact on performance**|
|---|---|---|
|**Market selection**|_Specialised_ (e.g. traffic-fraud niche) vs. _General_ (broad fraud menu)|General communities attract a bigger, more diverse skill pool and grow faster.|
|**Market orientation**|_Technical_ (proof-of-work entry, code-heavy threads) vs. _Customer oriented_ (easy sign-up, after-sales sections, tutorials)|Customer-oriented sites trigger deeper debates, more replies per thread and stronger network effects.|
**Take-away:** Forums that are both **general + customer focused** (GENCUST1/2) outperform others by blending diverse talent with user-friendly onboarding.
---
## **2. How do they innovate?**
- **User-led ideation:** Threads explicitly solicit bot ideas; admins spin up new AI sections when demand surges.
- **AI & deepfakes:** Communities co-create AI-driven botnets, deep-fake voices/faces and adaptive SEO tools, demonstrating rapid tech diffusion.
- **Requisite variety:** Diverse skills + customer feedback loops enable quick, incremental tweaks that evade detection.
---
## **3. Measuring community health** (methodology tips)
In this paper ([[TFSC22.pdf]]), I track **threads/day, replies/thread, new members/day & backlinks**. High _replies/thread_ (>10) signal real collaboration, whereas high _threads/member_ with low replies can mean spam or bot-posted content (Richet, 2022).
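
The metrics above, computed over constructed thread and join records, as an added example that is not code from the paper. The >10 replies/thread threshold is the one stated above; the spam cut-offs, record layout and forum names are assumptions, and backlinks are left out because they come from external link data.

```python
from collections import defaultdict
from datetime import date

COLLAB_REPLIES = 10           # from the text: replies/thread > 10 signals collaboration
SPAM_THREADS_PER_MEMBER = 5   # assumed cut-off, not from the paper
LOW_REPLIES = 2               # assumed cut-off, not from the paper

# Constructed sample data: (forum, author, thread created, reply count)
THREADS = [
    ("forum_a", "u1", "2021-03-01", 14), ("forum_a", "u2", "2021-03-01", 22),
    ("forum_a", "u3", "2021-03-02", 9),  ("forum_a", "u1", "2021-03-04", 15),
    ("forum_b", "x1", "2021-03-01", 0),  ("forum_b", "x1", "2021-03-01", 1),
    ("forum_b", "x1", "2021-03-02", 0),  ("forum_b", "x1", "2021-03-02", 0),
    ("forum_b", "x1", "2021-03-03", 2),  ("forum_b", "x1", "2021-03-04", 0),
]
# Constructed sample data: (forum, member, join date), all inside the thread window
JOINS = [("forum_a", "u1", "2021-03-01"), ("forum_a", "u2", "2021-03-01"),
         ("forum_a", "u3", "2021-03-02"), ("forum_a", "u4", "2021-03-04"),
         ("forum_b", "x1", "2021-03-01")]

def health_metrics(threads, joins):
    """Return {forum: metrics dict} over each forum's observed date window."""
    by_forum = defaultdict(list)
    for forum, author, created, replies in threads:
        by_forum[forum].append((author, date.fromisoformat(created), replies))
    out = {}
    for forum, rows in by_forum.items():
        days = (max(r[1] for r in rows) - min(r[1] for r in rows)).days + 1
        n = len(rows)
        rpt = sum(r[2] for r in rows) / n        # replies per thread
        tpm = n / len({r[0] for r in rows})      # threads per posting member
        new_members = sum(1 for f, _, _ in joins if f == forum)
        if rpt > COLLAB_REPLIES:
            label = "collaborative"
        elif tpm >= SPAM_THREADS_PER_MEMBER and rpt < LOW_REPLIES:
            label = "possible spam/bot-posted"
        else:
            label = "inconclusive"
        out[forum] = {"threads_per_day": n / days, "replies_per_thread": rpt,
                      "threads_per_member": tpm,
                      "new_members_per_day": new_members / days, "label": label}
    return out

if __name__ == "__main__":
    for forum, m in health_metrics(THREADS, JOINS).items():
        print(forum, m)
```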
---
## **4. Practical guidance**
### **For advertisers & publishers**
1. **Demand radical transparency** from ad networks (traffic sources, audience extension practices).
2. **Build threat-intel pipelines** that monitor both specialised and general forums for emerging tools (AI bots, deepfakes).
3. Treat unusually cheap reach or sudden traffic spikes as red flags tied to underground services.
### **For law-enforcement & policy makers**
1. **Undermine community value-creation**: seed bad reputations, disrupt knowledge exchange, or poison shared tooling.
2. **Target diversity hubs**: contrary to intuition, broad customer-oriented forums are often more innovative than niche technical ones, making them prime disruption targets.
3. Push for **international standards** on defining and auditing click-fraud to close legal gaps.
### **For cyber-security vendors**
- Integrate **forum telemetry** (growth metrics, new AI threads, surge in backlink popularity, ...) into anomaly detection models and ad-fraud scoring.
---
## **5. Broader perspective on cybercrime**
- **Platformisation of crime:** Communities mirror SaaS businesses: on-boarding flows, tiered memberships, after-sales support.
- **Professionalisation & “crime supply-chain”:** Loose, transnational teams exchange specialised components (botnets-as-a-service, deepfake kits), accelerating innovation.
- **AI as force-multiplier:** Expect deeper automation (voice cloning, behavioural mimics) that blurs lines between ad-fraud, phishing and financial fraud.
- **Dynamic capabilities:** Just like legitimate firms, successful criminal forums develop marketing, customer-relationship and experimentation capabilities to survive.
---
### **Bottom line for practitioners**
Monitoring cyber-criminal communities is no longer optional. Their customer-centric approach and rapid AI adoption mean **new fraud techniques can reach market in months**. By watching how these forums grow and what their users demand, defenders can anticipate the next wave of abuse rather than merely reacting to it.
## Bibliography
Richet, J. L. (2022). How cybercriminal communities grow and change: An investigation of ad-fraud communities. _Technological Forecasting and Social Change_, _174_, 121282.