Cyber Intelligence: HUMINT Operations

How to engage Threat Actors during undercover operations in the cyber-crime battleground


Monitoring cyber crime forums is certainly very important but when information arrives on a forum it is often already too late or has already been exploited by some Threat Actor previously who exchanged it or sold it privately with his most trusted contacts or buyers.

What is HUMINT in the Cyber field?

Anonymization & Privacy

Anonymize yourself in the cyber space means use different tools that hide the user’s personally identifiable information from websites, forums and chat used or visited. The privacy’s topic and being anonymous on the internet is hotly debated lately and is crucial during undercover operations involving the virtually human interaction with criminals.

What are the most used platforms for chatting in the underground communities?

First, you need to be prepared on the main communication methods used by cyber criminals. For example, during an incident, if you need to investigate a criminal or profile a Threat Actor you will need to have the whole environment ready to start a conversation on one of the opponent’s used platforms.

Some contact examples by Threat Actors

Go undercover

When you go undercover and start different operations or investigations you should need to create a background and parallel stories to real life, using different nick names, aliases and contact information.

  • What is the sector in which I want to specialize and investigate?
  • Where do I think the Threat Actors that interest me come from? What is their mother tongue?
  • What information do I want to get from the actors I’m talking to?
  • What is their background?
  • How long will I have to interact with the Threat Actor? Do I need to establish a long-term relationship or do I just need a spot information?

Reputation and credibility

Having a good reputation and credibility is key to surviving in communities. Before you have a good reputation on a forum or make yourself known in underground communities a lot of time has to pass and requires a lot of accreditation work and vetting processes.

Top 10 advantages of HUMINT operations

Here the main advantages of these operations:

  1. Prevent any future attacks before other threat actors find out or fix it before it’s too late.
  2. Get victims of attacks that would never be posted on any forum. Knowing if your company, a third party supplier or a company in the same industry is among the victims of an attack which will not be published is very crucial information.
  3. Understand how fraud schemes are composed. Fully understand these processes is essential to avoid getting blown away during an investigation or a vetting process for closed communities.
  4. Obtain information on money laundering schemes such as bank accounts and companies used to carry out the fraud. This info is almost never shared in the forums. Only with the right engagement is it possible to discover them.
  5. Obtain information on Bank drop services and money mule accounts.
  6. Discover new vulnerabilities or malware that can be used against your organization.
  7. Discover new sources to be monitored such as new forums, markets, telegram or discord channels or private groups.
  8. Study Threat Actors and their backgrounds in depth.
  9. Protect your company like no tool can.

Tips & Tricks

Some tips & tricks to survive:

  • Start from your home country by meeting criminals who speak the same language as you to fully understand the patterns they use to commit illegal activities.
  • Be wary of payments in any form. Everything can be tracked and even a small mistake can be decisive for your safety and integrity.
  • Be wary of any information given to you. You are the first one who is faking it and whoever is on the other side of the keyboard can do the same by causing you to make mistakes.
  • Beware of typo or acronyms and during a conversation. They may reveal your native language or the country you come from.
  • Initially set yourself specific goals. Look for information that is relatively easy to obtain so that you can practice. Only when you are confident you can try to get more relevant information.
  • Don’t disappear once you get the information or reached your goal. Always try to leave an open communication channel so that you can return to the person if necessary and avoid suspicions that you are just a cop.
  • Study as many acronyms as you can. In forums and during a conversation you will often struggle to understand what they are writing to you. Knowing the slang and terms used by the attackers is essential to avoid being caught unprepared.
  • Out there you can be anyone like a group, a researcher, a hacker or an insider. Evaluate who you want to be based on what your goal is.
  • Engage Threat Actors before they publish confidential information and are contacted by others, allows you to gain credibility with the TA and doesn’t arouse suspicion.
  • Engage actors before an incident or relevant post, will create a preferential channel that will require no introduction.
  • Study how fraud works and the mechanisms that fuel cyber-crime. There are many papers and lectures about it.
  • Always remember that when you look deep, the deep looks at you.
  • Try to be present on various forums in order to be ready to interact in case of incident and gain credibility without ever committing illegal acts.
  • Think like a criminal act like a cop and use all the information you get for benevolent and ethical purposes.


Human interaction with cyber-criminals is not easy, but if managed in the right way it can lead to strategic and fundamental findings for your company or sector.

“Cyber Intelligence is not a hobby. It is not a subset of Cyber Security one can easily pivot into.

It’s a passion and no matter how much you invest in access, tools, or cutting-edge technologies, intelligence is still about people.”

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store