Inside Crypter-as-a-Service: An Ecosystem Analysis of the exploit.in Underground Forum Research Talks
arXiv SecurityArchived Jun 24, 2026✓ Full text saved
arXiv:2606.24226v1 Announce Type: cross Abstract: Crypter-as-a-Service (CraaS) has become a key enabling layer of the contemporary malware economy by providing on-demand evasion capabilities through underground service markets. In this paper, we present a longitudinal characterization of the CraaS ecosystem on exploit.in, a major Russian-language cybercrime forum with a presence on both the clear web and the dark web. From a collection of approximately 1,000,000 posts, we combine keyword filteri
Full text archived locally
✦ AI Summary· Claude Sonnet
Computer Science > Computers and Society
[Submitted on 23 Jun 2026]
Inside Crypter-as-a-Service: An Ecosystem Analysis of the exploit.in Underground Forum Research Talks
Mathieu Jeannot (UL, CNRS, LORIA), Jean-Yves Marion (LORIA, UL, CNRS), Manon Pamar (LORIA, UL, CNRS), Maira Nassau (LORIA, UL, CNRS), Pierre Marty (LORIA, UL, CNRS), Romain Guittienne (LORIA, UL, CNRS)
Crypter-as-a-Service (CraaS) has become a key enabling layer of the contemporary malware economy by providing on-demand evasion capabilities through underground service markets. In this paper, we present a longitudinal characterization of the CraaS ecosystem on this http URL, a major Russian-language cybercrime forum with a presence on both the clear web and the dark web. From a collection of approximately 1,000,000 posts, we combine keyword filtering, LLM-assisted annotation, and manual validation to extract a corpus of 491 threads and 2,949 posts spanning January 2020 to August 2025. Our analysis shows that crypters on this http URL are not merely sold as static tools, but as continuously maintained operational services whose value depends on recurring stub renewal - sometimes on a daily basis - sustained antivirus evasion, and trust-based delivery. We develop a taxonomy of five seller types and four buyer profiles, and map the buyer-seller correspondences that structure market transactions. We further document pricing models ranging from low-cost per-build Telegram bot services to high-end custom development and salaried recruitment. Using social-network analysis, we find that the market is hierarchically structured around a small core of highly central actors, many of whom appear to function as trust brokers or other influential intermediaries, while its stability relies on a broader trust and governance infrastructure including escrow, guarantors, reputation systems, and security deposits. Finally, we discuss differences between the CraaS model observed on this http URL and that reported on HackForums. Although both forums share similar service logics, our corpus suggests that this http URL exhibits a more professionalized and service-oriented CraaS configuration.
Subjects: Computers and Society (cs.CY); Cryptography and Security (cs.CR)
Cite as: arXiv:2606.24226 [cs.CY]
(or arXiv:2606.24226v1 [cs.CY] for this version)
https://doi.org/10.48550/arXiv.2606.24226
Focus to learn more
Journal reference: Workshop on Attackers and Cyber-Crime Operations, IEEE European Symposium on Security and Privacy, Jul 2026, Lisbon (Portugal), Portugal
Submission history
From: Pierre MARTY [view email] [via CCSD proxy]
[v1] Tue, 23 Jun 2026 07:13:41 UTC (2,533 KB)
Access Paper:
view license
Current browse context:
cs.CY
< prev | next >
new | recent | 2026-06
Change to browse by:
cs
cs.CR
References & Citations
NASA ADS
Google Scholar
Semantic Scholar
Export BibTeX Citation
Bookmark
Bibliographic Tools
Bibliographic and Citation Tools
Bibliographic Explorer Toggle
Bibliographic Explorer (What is the Explorer?)
Connected Papers Toggle
Connected Papers (What is Connected Papers?)
Litmaps Toggle
Litmaps (What is Litmaps?)
scite.ai Toggle
scite Smart Citations (What are Smart Citations?)
Code, Data, Media
Demos
Related Papers
About arXivLabs
Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)