Nobody is immune to being scammed online—not even the folks working the scams. Cybercriminals utilizing hacking boards to purchase software program exploits and stolen login particulars maintain falling for cons and are getting ripped off hundreds of {dollars} at a time, a brand new evaluation has revealed. And what’s extra, when the criminals complain that they’re being scammed, they’re additionally leaving a path of breadcrumbs of their very own private data that would reveal their real-world identities to police and investigators.

Hackers and cybercriminals usually collect on particular boards and marketplaces to do enterprise with one another. They can promote upcoming work they need assistance with, promote databases of individuals’s stolen passwords and bank card data, or tout new safety vulnerabilities that can be utilized to interrupt into folks’s gadgets or methods. However, these offers usually don’t go to plan.

The new analysis, revealed right now by cybersecurity agency Sophos, examines these failed transactions and the complaints folks have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.

Wixey examined three of essentially the most outstanding cybercrime boards: the Russian-language boards Exploit and XSS, plus the English-language BreachForums, which changed RaidForums when it was seized by US law enforcement in April. While the websites function in barely alternative ways, all of them have “arbitration” rooms the place individuals who assume they’ve been scammed or wronged by different criminals can complain. For occasion, if somebody purchases malware and it doesn’t work, they might moan to the location’s directors.

The complaints generally result in folks getting their a refund, however extra usually act as a warning for different customers, Wixey says. In the previous 12 months—the interval the analysis covers—criminals on the boards have misplaced greater than $2.5 million to different scammers, the evaluation says. Some folks complain about shedding as little as $2, whereas the median scams on every of the websites ranges from $200 to $600, in keeping with the analysis, which is being introduced on the BlackHat Europe safety convention.

The scams are available a number of varieties. Some are easy, others are extra refined. Frequently, there are “rip-and-run” scams, Wixey says, the place the customer doesn’t pay for what they’ve obtained or the vendor will get the cash however doesn’t ship throughout what they bought. (These are sometimes referred to as “rippers.”) Other forms of scams contain faked information or safety exploits that don’t work: One individual on BreachForums claimed a vendor tried to ship them Facebook information that was already public.

In one excessive incident on the Exploit discussion board, an account posted a prolonged grievance that they’d supplied somebody with a Windows kernel exploit and hadn’t been paid the $130,000 they’d agreed for it. The purchaser mentioned they might pay as soon as they’d examined the software program however by no means stumped up the money. “At each stage, he gave different excuses for delaying the payment,” a translated model of the grievance says.