Meanwhile, Exploit’s last contest offered more prize money—$80,000 in total—but was more specific, asking for entries on cryptocurrency attacks, thefts, and vulnerabilities in April 2021. One sub-genre of the theme was “security of working with cryptocurrencies, except for banal things.”
“It’s another way that the criminal world is mirroring and adapting and adopting best practices from the legitimate side of the business,” says Budd. He compares some of the processes and entries as akin to those of legitimate cybersecurity research conferences and events, such as Black Hat, Defcon, and Pwn2Own. Unlike cybersecurity researchers who find issues to make products and services more secure before sharing their research for others to learn from, the criminals are producing the work with malicious intent.
The criminal contests have their own rules to reduce the chance of cheating, Budd says. On Exploit, the rules say the entries “must not have been published elsewhere,” should be “meaningful and voluminous,” they should include technical details such as code or algorithms, and be “at least 5,000 characters (excluding spaces).” That equals out to around 1,000 words, or the rough length of this WIRED article. The rules on XSS are similar—“copy-paste = expulsion from the contest, in disgrace”—but they require articles to be longer (at least 7,000 characters) and say there should be “proper formatting, spelling, and punctuation.”
However, scammers are going to scam. In their most recent contests, Exploit had 35 entries and XSS had 38 entries. But XSS disqualified 10 of them. The winners of the competitions are decided by forum members voting on the entries, but the sites’ admins can also pick the winners, and there have been complaints of vote rigging, according to Sophos.
These competitions have evolved and grown over time, Budd says. Previous research from cybersecurity firm Digital Shadows, which has since been acquired by ReliaQuest, shows that contests on cybercrime forums started around 2006. Roman Faithfull, a cyber-threat intelligence analyst at ReliaQuest, says these earliest competitions were very simple. “At the start, they were quite low-key,” Faithfull says. “They weren’t always organized by forum administrators.”
Some of the earliest competitions, he says, asked forum members to design logos or even offered a small monetary prize to the commenter on a forum thread who had the longest account history on the site. “As forums became more sophisticated, the contests in general became more sophisticated,” Faithfull says.
Since around 2015, the contests, most of which are held annually, have focused on writing and submitting articles and code, the ReliaQuest researcher says. “There’s a lot of focus on stuff that will make people money,” he adds. As this has happened, the prize pots have increased too: On XSS, the total prize pot was $1,000 in 2018 and rose to $40,000 with $14,000 for the winner in 2021. “No one is going to put out their absolute best stuff into this unless they’re in a really hard spot and need some quick cash,” Faithfull says. “You’re unlikely to see a ransomware group, or really, someone really high up.”
