The criminal contests have their own rules to reduce the chance of cheating, Budd says. On Exploit, the rules say the entries “must not have been published elsewhere,” should be “meaningful and voluminous,” should include technical details such as code or algorithms, and must be “at least 5,000 characters (excluding spaces).” That works out to around 1,000 words, or the rough length of this WIRED article. The rules on XSS are similar—“copy-paste = expulsion from the contest, in disgrace”—but they require articles to be longer (at least 7,000 characters) and say there should be “proper formatting, spelling, and punctuation.”
However, scammers are going to scam. In their most recent contests, Exploit had 35 entries and XSS had 38 entries. But XSS disqualified 10 of them. The winners of the competitions are decided by forum members voting on the entries, but the sites’ admins can also pick the winners, and there have been complaints of vote rigging, according to Sophos.
These competitions have evolved and grown over time, Budd says. Previous research from cybersecurity firm Digital Shadows, which has since been acquired by ReliaQuest, shows that contests on cybercrime forums started around 2006. Roman Faithfull, a cyber-threat intelligence analyst at ReliaQuest, says these earliest competitions were very simple. “At the start, they were quite low-key,” Faithfull says. “They weren’t always organized by forum administrators.”
Some of the earliest competitions, he says, asked forum members to design logos or even offered a small monetary prize to the commenter on a forum thread who had the longest account history on the site. “As forums became more sophisticated, the contests in general became more sophisticated,” Faithfull says.
Since around 2015, the contests, most of which are held annually, have focused on writing and submitting articles and code, the ReliaQuest researcher says. “There’s a lot of focus on stuff that will make people money,” he adds. As this has happened, the prize pots have increased too: On XSS, the total prize pot was $1,000 in 2018 and rose to $40,000 with $14,000 for the winner in 2021. “No one is going to put out their absolute best stuff into this unless they’re in a really hard spot and need some quick cash,” Faithfull says. “You’re unlikely to see a ransomware group, or really, someone really high up.”
The content of the entries to the most recent two contests is reasonably broad, the Sophos research found. Some were more innovative, while others were essentially repeating information found elsewhere. The winning entry in Exploit’s 2021 crypto competition was the creation of the cloned blockchain.com website, with Sophos saying it is “relatively simplistic” overall. “A cloned site like this would typically be used like any other phishing or credential-harvesting site,” the research says.
Other winning entries or those getting honorable mentions in the Exploit competition focused on targeting initial coin offerings, a guide to creating a phishing site to steal people’s cryptocurrency account details, and a tutorial on creating a cryptocurrency from scratch. “However, it is worth noting that there have been free and publicly available tutorials on how to do this for several years,” the Sophos research says.