Russia’s “Crime-as-a-service” Exposed – Just Look At What You Can Buy

russian cybercrime sale

Fancy buying yourself a complete botnet to fool around with? Or maybe you’d just like to borrow someone else’s for a couple of hours? Or alternatively, thrash out a million spam emails carrying the message of your choice? Or perhaps spying is more your thing, in which case, being able to access someone’s emails, text messages and social media accounts might interest you?

All this and more can be purchased at fire sale prices in Russia’s underground web community…

So long as you can read and write Russian (or possibly just use Google Translate), you can buy at least twenty different kinds of services through Russia’s favorite hacker forums. Products range from the aforementioned botnets and spying services, to crime-friendly VPN software checking services, and off-the-shelf exploits.

The kinds of services available to buy are detailed in an extensive new report out by Trend Micro. Most of them are nothing new for sure, but what really surprises is the widespread availability and inexpensiveness of the services on offer.

Essentially, cybercrime has become a commercial business, or “Crime-as-a-service” as TrendMicro security expert Rik Ferguson likes to call it. It’s a “very mature market”, explains Ferguson, where “every niche is catered for”.

By far and away the most popular ‘products’ on offer are programming services – essentially, malware creation, closely followed by the sale of popular off-the-shelf malware programs such spammers, Trojans, DDoS bots, SpyEye and Zeus.

Here’s a full run down of the ‘services’ that TrendMicro found online, courtesy of

Basic crypter (for inserting rogue code into a benign file): $10-$30 (£6.19-£19)
SOCKS bot (to get around firewalls): $100 (£62)
Hiring a DDoS attack: $30-$70 (£19-£43) for a day, $1,200 (£742) for a month
Email spam: $10 (£6.19) per one million emails
Expensive email spam (using a customer database): $50-$500 (£31-£310) per one million emails
SMS spam: $3-$150 (£1.86-£93) per 100-100,000 messages
Bots for a botnet: $200 (£124) for 2,000 bots
DDoS botnet: $700 (£433)
ZeuS source code: $200-$500 (£124-£310)
Windows rootkit (for installing malicious drivers): $292 (£180)
Hacking a Facebook or Twitter account: $130 (£80)
Hacking a Gmail account: $162 (£100)
Hacking a corporate mailbox: $500 (£310)
Scans of legitimate passports: $5 (£3.10) each
Winlocker ransomware: $10-20 (£6.19-£12.37)
Unintelligent exploit bundle: $25 (£15)
Intelligent exploit bundle: $10-$3,000 (£6.19-£1,857)
Traffic: $7-$15 (£4.33-£9.29) per 1,000 visitors for the most valuable traffic (from the US and EU)

Apparently, the costs can vary quite a bit for programming services, depending on the nature of what you requested. For example, a Trojan that steals information from banking and/or commerce websites could cost in the region of $1,300, whilst cheap and cheerful fake programs go for as little as $15 to $20.

According to TrendMicro, spamming and botnets make a good, cheap entry into the businesses for wannabe cybercriminals, but these are unlikely to deliver such good profits. In order to really cash in on cybercrime’s lucrative side, you’ll need to shell out a fairly large sum for zero-day development services.

As Ferguson explains:

“If I want to find out how to break into cybercrime – excuse the terrible pun – I can rent a botnet [for example], now buy myself a BlackHole exploit kit, and infect [victims] with my own custom Trojan from this other vendor … it’s like a jigsaw puzzle.”

You can download TrendMicro’s full report here (PDF).