Inside Crypter-as-a-Service: An Ecosystem Analysis of the exploit.in Underground Forum Research Talks

Computer Science > Computers and Society [Submitted on 23 Jun 2026] Inside Crypter-as-a-Service: An Ecosystem Analysis of the exploit.in Underground Forum Research Talks Mathieu Jeannot (UL, CNRS, LORIA), Jean-Yves Marion (LORIA, UL, CNRS), Manon Pamar (LORIA, UL, CNRS), Maira Nassau (LORIA, UL, CNRS), Pierre Marty (LORIA, UL, CNRS), Romain Guittienne (LORIA, UL, CNRS) Crypter-as-a-Service (CraaS) has become a key enabling layer of the contemporary malware economy by providing on-demand evasion capabilities through underground service markets. In this paper, we present a longitudinal characterization of the CraaS ecosystem on this http URL, a major Russian-language cybercrime forum with a presence on both the clear web and the dark web. From a collection of approximately 1,000,000 posts, we combine keyword filtering, LLM-assisted annotation, and manual validation to extract a corpus of 491 threads and 2,949 posts spanning January 2020 to August 2025. Our analysis shows that crypters on this http URL are not merely sold as static tools, but as continuously maintained operational services whose value depends on recurring stub renewal - sometimes on a daily basis - sustained antivirus evasion, and trust-based delivery. We develop a taxonomy of five seller types and four buyer profiles, and map the buyer-seller correspondences that structure market transactions. We further document pricing models ranging from low-cost per-build Telegram bot services to high-end custom development and salaried recruitment. Using social-network analysis, we find that the market is hierarchically structured around a small core of highly central actors, many of whom appear to function as trust brokers or other influential intermediaries, while its stability relies on a broader trust and governance infrastructure including escrow, guarantors, reputation systems, and security deposits. Finally, we discuss differences between the CraaS model observed on this http URL and that reported on HackForums. Although both forums share similar service logics, our corpus suggests that this http URL exhibits a more professionalized and service-oriented CraaS configuration. Subjects: Computers and Society (cs.CY); Cryptography and Security (cs.CR) Cite as: arXiv:2606.24226 [cs.CY]   (or arXiv:2606.24226v1 [cs.CY] for this version)   https://doi.org/10.48550/arXiv.2606.24226 Focus to learn more Journal reference: Workshop on Attackers and Cyber-Crime Operations, IEEE European Symposium on Security and Privacy, Jul 2026, Lisbon (Portugal), Portugal Submission history From: Pierre MARTY [view email] [via CCSD proxy] [v1] Tue, 23 Jun 2026 07:13:41 UTC (2,533 KB) Access Paper: view license Current browse context: cs.CY < prev   |   next > new | recent | 2026-06 Change to browse by: cs cs.CR References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)