
Since around 2015, the contests, most of which are held annually, have focused on writing and submitting articles and code, the ReliaQuest researcher says. “There’s a lot of focus on stuff that will make people money,” he adds. As this has happened, the prize pots have increased too: On XSS, the total prize pot was $1,000 in 2018 and rose to $40,000 with $14,000 for the winner in 2021. “No one is going to put out their absolute best stuff into this unless they’re in a really hard spot and need some quick cash,” Faithfull says. “You’re unlikely to see a ransomware group, or really, someone really high up.”
The content of the entries to the most recent two contests is reasonably broad, the Sophos research found. Some were more innovative, while others were essentially repeating information found elsewhere. The winning entry in Exploit’s 2021 crypto competition was the creation of the cloned blockchain.com website, with Sophos saying it is “relatively simplistic” overall. “A cloned site like this would typically be used like any other phishing or credential-harvesting site,” the research says.
Other winning entries or those getting honorable mentions in the Exploit competition focused on targeting initial coin offerings, a guide to creating a phishing site to steal people’s cryptocurrency account details, and a tutorial on creating a cryptocurrency from scratch. “However, it is worth noting that there have been free and publicly available tutorials on how to do this for several years,” the Sophos research says.
One entry into the XSS competition detailed the author’s experience attacking Microsoft’s Active Directory service and how to hide hacking tools from Windows’ antivirus systems. The winning XSS entry, though, centered on vulnerabilities in electronic payment systems; it also highlighted one vulnerability in the XSS forum that allowed people to “effectively generate cryptocurrency out of thin air,” the Sophos research says. Only one article focused on hardware. The author wrote a guide to creating a hardware cryptocurrency wallet and included photographs and CAD drawings. It isn’t cybercrime-specific, and instead tries to keep people’s bitcoin and other cryptocurrencies safe from attacks, the research says.
“These are good for helping us to understand what people in the criminal underground are looking at, broadly speaking,” Budd says, adding he believes the main purpose of the contests for the forums is to encourage community. Multiple cybercrime forums of different sizes are operating at any one time, and if a forum has better conversation, technical information, and offers incentives, then there’s a greater chance people will keep coming back.
But the contests may also help to feed into more organized cybercrime groups. The prize money for the contests is often put up by the forum owners, but it can also be provided by prominent cybercrime gangs—including All World Cards and the LockBit ransomware group. The XSS competition in 2022 was sponsored by one threat actor using the handle Alan Wake, which has been linked to the Conti ransomware group by some. “If your sponsor likes your article,” one post read, “after the end of the competition you will be offered a highly paid job in the Alan Wake team.”