Abstract
Crypter-as-a-Service (CraaS) has become a key enabling layer of the contemporary malware economy by providing on-demand evasion capabilities through underground service markets. In this paper, we present a longitudinal characterization of the CraaS ecosystem on exploit.in, a major Russian-language cybercrime forum with a presence on both the clear web and the dark web. From a collection of approximately 1,000,000 posts, we combine keyword filtering, LLM-assisted annotation, and manual validation to extract a corpus of 491 threads and 2,949 posts spanning January 2020 to August 2025. Our analysis shows that crypters on exploit.in are not merely sold as static tools, but as continuously maintained operational services whose value depends on recurring stub renewal (sometimes on a daily basis), sustained antivirus evasion, and trust-based delivery. We develop a taxonomy of five seller types and four buyer profiles, and map the buyer-seller correspondences that structure market transactions. We further document pricing models ranging from low-cost per-build Telegram bot services to high-end custom development and salaried recruitment. Using social-network analysis, we find that the market is hierarchically structured around a small core of highly central actors, many of whom appear to function as trust brokers or other influential intermediaries, while its stability relies on a broader trust and governance infrastructure including escrow, guarantors, reputation systems, and security deposits. Finally, we discuss differences between the CraaS model observed on exploit.in and that reported on HackForums. Although both forums share similar service logics, our corpus suggests that exploit.in exhibits a more professionalized and service-oriented CraaS configuration.
Citation
BibTeX
@article{Jeannot2026Inside,
title = {Inside Crypter-as-a-Service: An Ecosystem Analysis of the exploit.in Underground Forum Research Talks},
author = {Mathieu Jeannot and Jean-Yves Marion and Manon Pamar and Maira Nassau and Pierre Marty and Romain Guittienne},
journal = {arXiv (Cornell University)},
year = {2026},
doi = {10.48550/arxiv.2606.24226},
url = {https://doi.org/10.48550/arxiv.2606.24226}
}