-
Underground hacking forums are publishing far more original fraud tutorials after a long slowdown.
-
Carding and cash-out guides now make up the largest share of new posts, replacing older scam methods.
-
Researchers say AI is helping some criminals create convincing guides faster, while others use them to build trust and promote paid illegal services.

Underground hacking forums are creating more new fraud guides again after activity slowed for many months. Researchers say the biggest change is the growing focus on carding and cash-out methods. These scams help criminals steal payment card details and turn stolen data into money.
Security company Radware studied activity across 24 deep and dark web forums. The research covered posts shared between December 2022 and April 2026. The team reviewed 8,870 tutorial posts. After removing copied content, they found 3,034 unique hacking and fraud guides.
The findings show that underground communities are no longer relying only on old tricks. New fraud methods are appearing more often, giving criminals fresh ideas to learn and copy.
Fraud Guides Shift Toward Faster Ways to Make Money
Researchers found that the number of new tutorials dropped sharply in 2024. Activity stayed low through the middle of 2025. That trend changed later in the year. According to the researchers, first-time tutorial releases fell to around 45 new posts each month during 2024.
That pace stayed almost unchanged until mid-2025. After that, activity grew quickly. Researchers said monthly output climbed to between 110 and 140 original tutorials throughout 2026. They added that forums are not simply sharing the same old methods again. Instead, members are continuing to produce new techniques.
The subjects covered in these guides also changed. Carding became the biggest topic in the study. It made up 19 percent of tutorials during 2024. By 2026, that figure had grown to 38 percent. At the same time, black-hat SEO and affiliate abuse lost popularity. Those topics dropped from 33 percent of all tutorials in 2024 to only 13 percent in 2026. The diversification of forum services extends to harassment-for-hire offerings in the U.S. and Europe.
Researchers also saw more guides covering offensive security and phishing. Many of these tutorials no longer stop after showing how to break into an account. They also explain how criminals can earn money from stolen accounts and stolen login details.
The researchers said that looking at only one part of a fraud attack does not tell the whole story. They explained that many tutorial writers now teach both the break-in stage and the cash-out stage together. This gives readers a complete guide instead of teaching only a few separate techniques.
The report also found that telecom companies and social media platforms appeared most often when tutorials named a target industry. Together, these sectors made up almost two-thirds of all tutorials that mentioned a specific business type.
Researchers linked this trend to the role these services play during fraud operations. Criminals may target them to intercept one-time passcodes, obtain verified accounts, or support cash-out activities after stealing information.
Reputation Matters as Much as Profit
The report found that reposts do not always show what criminals value most. Some tutorials appeared many times across different forums. However, researchers discovered that high repost numbers often came from organized promotion instead of real interest.
Among tutorials copied at least ten times, 79 percent came from coordinated repost campaigns. These campaigns were controlled either by one account or by hidden premium members.
This means that popular-looking tutorials may not actually be the most useful or respected. In many cases, they are simply promoted more aggressively. Researchers also found different reasons why criminals publish tutorials. Some authors want to build a strong reputation inside underground communities. A respected name can help them gain trust from other members.
Others use free guides as advertisements. The tutorials attract readers first. Later, those same readers may be encouraged to buy paid illegal products or services offered by the author. For this, repost numbers can reflect marketing efforts just as much as community interest.
AI Helps Produce More Convincing Underground Tutorials
The report also shows that artificial intelligence is making tutorial writing easier for some criminals. Researchers examined three different case studies during their investigation. One involved an AI-generated collection of attack methods. The author locked parts of the content behind engagement rules and hidden sections. This helped the person gain credibility inside the hacking forum.
Another case looked at a free cash-out guide. Although it appeared to offer useful information at no cost, it mainly worked as a tool to attract customers for paid criminal services. The third case involved public security research that someone rewrote and published again under a threat actor’s name. Researchers said this helped create a false image of experience and authority. Two of the three case studies showed clear signs of AI helping create or rewrite the content.
Even so, researchers said experienced criminals still play an important role. Many fraud guides depend on detailed knowledge of specific software and online services. Criminals often need to understand the exact order of steps and the right timing needed to abuse weaknesses inside online systems.
Researchers believe newer AI agents could reduce that gap in the future. As these tools become better at finding business logic weaknesses, they may help less experienced criminals create more advanced fraud guides.
The researchers also believe these tutorials can help defenders. They said security teams should watch underground forums closely because new tutorials often appear before the same fraud methods spread more widely.
The guides also show complete attack steps instead of single tricks. This gives defenders a useful checklist for testing their own systems. According to the researchers, criminals often reveal where organizations should start looking for weaknesses before attackers begin using those methods on a larger scale.