An introduction to the Spanish-language underground

An introduction to the Spanish-language underground

The Spanish-language cybercriminal underground is “a largely unstable and unpredictable community”, according to Flashpoint’s Cybercrime subject matter expert, Liv Rowley. In March of this year, the top dark web forum, Cebolla Chan 3.0, came back online, after an absence of more than a year. The behaviour of the forum’s users while it was down, and now that it’s active once again, highlights the ways in which the Spanish-language underground is evolving. We spoke to Rowley to find out more about Cebolla Chan 3.0, the threat that the Spanish-language cybercriminal underground poses, and how we can disrupt threats from this ecosystem.


What can you tell us about Cebolla Chan 3.0 and its users?

Cebolla Chan 3.0 is the top Spanish-language underground forum, at least in terms of perceived reputation. If you throw “Cebolla Chan 3.0” into a search engine, you will find YouTube videos and blog posts celebrating and immortalizing the forum. Part of the reason Cebolla Chan 3.0 rose to such prominence likely has to do with its inclusion in the “Hidden Wiki,” a sort of Yellow Pages to the deep and dark web. The Hidden Wiki is many people’s first stop on the dark web, and Cebolla Chan 3.0 became the second stop for many Spanish-speakers.

Cebolla Chan 3.0 has had a peculiar history. The site first appeared in October 2014, then went offline in September 2016. The explanation that was given was that there would be going offline in order to improve operational security. Nobody, however, heard publicly from Cebolla Chan 3.0 (or any associated admins, etc.) until March 2018, when the site unexpectedly came back online (while I was working on my presentation for RSA – it led to several changes in what I had originally planned!). By back online, I mean back online – the URL is the same, the posts on the site from before the site went offline are still there, and accounts that were created in 2014, 2015, 2016, are seen being active on the forum again. Members of Cebolla Chan 3.0 are still waiting on an explanation for what happened here. Despite this strange activity, people are flocking back to Cebolla Chan 3.0.

The members of Cebolla Chan 3.0 really run the gamut in terms of how much of a threat they present. Many members of Cebolla Chan 3.0 are there to participate solely in the forum rooms dedicated to erotica and conspiracy theories. Other members, however, are looking to profit from cybercrime. Historically on Cebolla Chan 3.0, we’ve observed members sharing tutorials on how to commit cybercrime, recruitment of insiders at banks, and the sale of compromised information such as bank accounts. As Cebolla Chan 3.0 has only been back online for a month, we’re still waiting to see what types of cybercrime will appear on this forum in 2018.


What happened when it went offline? What changed as a result? What can this tell us about the dark web in general?

When Cebolla Chan 3.0 went offline in September 2016, Flashpoint observed the migration of many members of Cebolla Chan 3.0 to other deep and dark web forums. On those other forums, former Cebolla Chan 3.0 members discussed what had happened to the forum and vendors set up shop on new communities. Many vendors would use their reputation from Cebolla Chan 3.0 to establish themselves in these spaces (saying things like “I was so-and-so on Cebolla Chan 3.0, I sold this, I worked with this person, etc.”).

Interestingly, we noticed a variety of “Cebolla Chan” spin-offs arise – that is to say, forums that had similar layouts and branding to Cebolla Chan 3.0. Many former members of Cebolla Chan 3.0 immediately flocked to these new forums, despite them having no content on them or anything. This really helps highlight the appeal of the “Cebolla Chan” brand among Spanish-speaking cybercriminals.

We’ve also seen the rise of alternative communication platforms during that time. More and more cybercriminals are choosing to communicate via messaging applications like Telegram or social platforms like Discord. While this is not a direct result of Cebolla Chan 3.0 going offline, it’s likely that Spanish-speaking cybercriminals seeking more stable platforms have turned to these platforms to communicate and carry out business.


Can you explain how the Spanish-language cybercriminal underground differs from other communities?

There are a variety of characteristics that set the Spanish-language underground apart from other cybercriminal undergrounds. As a community, the Spanish-language underground is very unstable, with forums going online and offline frequently and often without explanation. Despite this instability, the community continues to exist and thrive (I’ll elaborate more in Q2!).

Furthermore, every linguistic community has its own distinct types of crime that we see being discussed. While it’s difficult to make generalizations about such a large and constantly-changing community, we tend to see Spanish-speaking cybercriminals rely less on technical knowledge and more on social engineering techniques. In other words, there’s more of a focus on deception of victims, and less on crafting the next banking Trojan.


You say that the Spanish-language cybercriminal underground is “a largely unstable and unpredictable community” – is this more so than other communities?

The Spanish-language underground is more unstable and unpredictable than many other cybercriminal communities. While the Spanish-language underground community deals with fewer law enforcement interventions than, say, the English or Russian-language communities, there’s a lot more internal chaos on these forums. Some of the things we’ve seen over the past couple of years is a top Spanish-language carding forum going offline and changing domains three times (it is currently still offline) and a top Spanish-language dark web forum losing all of its user information (meaning everyone had to re-register). Much of this instability is largely unexplained.

Despite this instability, the Spanish-language underground is persistent. Forums can go up and down, but users migrate from one forum to another, resuming business as usual.  I like to think of the Spanish-language underground as a sort of Hydra, a multi-headed beast; if you cut off one head – disrupt one forum – another will take its place. If you want to seriously disrupt this underground, you must find a way to cut off all its heads, disrupt all its platforms at once.

As a quick note about my comment on law enforcement takedowns: I don’t believe there are as many targeting the Spanish-language underground. I’m basing this analysis off of a lack of public-facing media reporting, of which I’ve seen none indicating that there has been significant law enforcement intervention in Spanish-language forums. This is likely because this community is not considered as big of a threat as many English and Russian-language communities, and those entities that would be more interested in these communities (such as Latin American governments) don’t have the resources to devote to takedowns.  


What other trends are you seeing in the Spanish-language underground community? What activity is increasing/decreasing?

As mentioned, alternative communications platforms such as Telegram and Discord are continuing to attract cybercriminal actors.

We’ve also been looking into a type of fraud that Spanish-language cybercriminals call “binero” fraud. In this fraud scheme, threat actors identify BINs (bank identification numbers, hence “binero”) that are improperly validated during checkout processes for online purchases. Upon discovering a BIN that is not validated properly, fraudsters will generate fake card numbers that start with that BIN in order to conduct fraudulent purchases. There is no compromised card information involved in this type of fraud, as the card information is simply invented. This fraud is becoming increasingly common on Telegram, though we’ve also seen it for years on the Spanish-language forums.


What surprises you about what you’re seeing?

I’ve been very surprised to see such a relatively unsophisticated cybercriminal underground endure so many disruptions.


How is the threat posed by Latin American threat actors changing?

Cybercriminals communities are growing within Latin America. Increased internet penetration across the continent is allowing more people access to cyberspace, thus allowing for the possibility of more cybercriminals.

We’re also seeing Latin American cybercrime become more tied into the larger global crime scene. The Ploutus.D malware variant is a great example of this. Ploutus.D compromises ATMs and causes ATM-jackpotting (when an ATM spits out all the money in it, rather like hitting the jackpot). In this case, Ploutus.D appears to have come originally from Eastern Europe to Mexico, where it was modified to infect ATMs there. In November 2017, Ploutus.D made the jump across the border and began compromising ATMs in the US as well.


Why are Latin American threat actors often overlooked as a threat to U.S.-based businesses?

I believe one of the reasons many US-based businesses overlook Latin American threat actors is because it’s not “sexy” cybercrime. On the Russian-language underground, for instance, individuals make new exploit kits, clever loaders, potent banking Trojans. On the Spanish-language side, it’s more a of a “death by a thousand cuts” type situation, with crimes such as phishing and carding purchases hurting profits without grabbing headlines.


How we can disrupt these threats? What do CSOs need to know/do?

First, be aware of these threats. Latin America is maturing as a cybercriminal threat, and we must keep our eyes on that. If you’re not sure if you should be worried about Latin America, start with taking inventory: do you have partners or subsidiaries in the region? Where are your servers and other infrastructure located? Could any of this be at risk? If you believe your organization might be targeted by actors from this region, monitor your web traffic for any patterns in fraudulent behavior. Being prepared and proactive is important.

If you are concerned about the region, consider getting eyes on the Spanish-language underground. As stated, it’s unstable and unpredictable; is your team prepared to track these changes? Identify the threat actors that are openly talking about and mentioning your organization or your sector. Be prepared to have to find these individuals once again if a forum goes offline.


«What kind of data should companies be looking for on the dark web?


Typical 24: Marino Gualano, MainAd»
Kate Hoy

Kate Hoy is Editor of IDG Connect

  • twt
  • twt
  • Mail

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.


Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.



Should the government regulate Artificial Intelligence?