The Unfolding History of Japanese-Speaking Underground Communities
Click here to download the complete analysis as a PDF. Click here to download the Japanese version of this analysis as a PDF. Scope Note: Recorded Future collaborated with a Japanese security researcher with extensive knowledge in Japanese underground forums to explore the capabilities, cultures, and organization of Japanese hacking communities as a follow-up to Recorded Future’s previous piece on Chinese and Russian hacking communities. Sources the researcher used include direct forum access and actor engagement._ _This report will be of greatest interest to organizations seeking to understand the Japanese-speaking criminal underground to better monitor industry and company-specific threats within the Japanese region, as well as to those investigating Japanese online criminal activity.
Executive Summary
Underground hacker communities have taken many forms, usually becoming an outlet for a country’s technologically educated to collaborate on projects and conduct business deals ranging from innocuous to illegal. It is no surprise then that Japan, as one of the most technologically developed countries in the world, would also have its own underground community. The Japanese underground consists of largely collaborative, anonymous forums, and a more aggressive cross-pollination between foreign and Japanese forum members than we have observed among their Chinese counterparts.
Key Judgments
Underground communities in Japan are relatively immature compared to their Chinese-, English-, or Russian-speaking counterparts. However, because interactions between Japanese hackers and their foreign counterparts are growing, Japanese hackers are likely to grow in number and sophistication in the future.
Illegal drug sales dominate Japanese underground content. Unlike English-speaking underground communities, no black market sites specifically for illicit content exist, and most sales threads are created on general-purpose forums or bulletin board systems (BBSes). Illegal drugs are sold by contacting an actor’s email within a sales thread and setting up an in-person meeting.
Unlike English, Russian, or other language communities, the adoption of Bitcoin as a form of online payment has been slow. Instead, prepaid gift cards, such as Amazon and iTunes gift cards, are used for payment.
A small portion of Japanese-speaking communities are formed inside sub-threads of English-speaking forums. Additionally, rather than using tools created themselves, Japanese hackers will often use external tools adopted by other hacking communities.
Background
Underground communities on the internet are prevalent in many languages and reside in a variety of forums. While some forums are hosted on websites easily searchable on the internet, some are also contained in mobile chat groups and even on websites hosted on the Tor hidden service or other overlay networks, which provide anonymity to internet connections. Sites advertising or discussing illegal content benefit from the Tor’s anonymous nature. A variety of these websites, including bulletin board systems (BBSes), will use this anonymity to specialize in illicit sexual content, hacking, and malware, as well as illegal drug and firearms trades. These marketplaces serve as platforms for safer trades of illegal goods such as drugs, firearms, forged identification documents, and credit card information stolen by hackers in exchange for anonymous cryptocurrencies, including Bitcoin and Monero. Most of the examples above are found in English-, Chinese-, or Russian-speaking communities, but the majority of Japanese-speaking underground communities are housed within general-purpose bulletin board systems — a series of message boards and forums in which information is exchanged in posts among members. While some bulletin board systems are Tor websites, many of them are sites on the clear web, readily accessible through a general-purpose internet browser.
The History of Japanese Underground Communities
The history of underground communities in Japan dates back to the late 1990s. In 1996, the BBS forum Ayashii Warudo (Suspicious World) was created. This series of message boards was the largest of its kind in Japan. It was particularly revolutionary to netizens at the time, created during a transition period in which Japanese netizens were moving from closed community networks to the present internet forums. The website consisted of a simple textboard with multiple posts and comments, as well as a separate page for “link collection,” in which similar websites were advertised. This format soon became the template for multiple groups of websites sharing the same culture and the same site designs. Although new sites continued to spring up in the 2010s, the advent of social media sites equipped with more sophisticated functions caused posts on message boards to reduce in number.
In May 1999, an anonymous BBS called ni channeru (2channel) emerged with a catchphrase of “from hacking to what to cook for dinner,” where users could post about a broad range of topics. In 2017, 2channel changed its name to 5channel. It still remains one of the largest groups of message boards in Japan and served as the inspiration for the precursor of the American forum 4chan.
The 1990s represented the early days of the Japanese internet and, with only a limited number of users, accessing the Japanese internet itself made a user a part of the underground community. The internet communities listed above had developed their own culture, and there was a variety of categories of discussion available within these communities through message boards dedicated to different fields.
Hacker culture also led to the publication of books on hacking and the underground during this time, and Computer Aku No Manyuaru (Vicious Computer Manual) — published in March 1998 — sold over 100,000 copies. In July of that same year, “Hacker Japan” was launched and boasted the longest history among security periodicals in Japan until it was suspended in November 2013.
However, the internet does not operate in a vacuum. In 1999, the Act on Prohibition of Unauthorized Access, also known as the Unauthorized Computer Access Act, was enacted by the Japanese government. As internet access increased among the public and social media use began to rise, underground communities became less active.
Before the enactment of the Unauthorized Computer Access Act, a variety of illicit goods and services were casually exchanged in Japanese underground communities. Pirated goods, mainly in the form of pirated software (warez) and file-sharing software, were exchanged, in addition to pirated game ROMs and cheats. This was probably due to Japan’s low level of copyright enforcement in the late ‘90s and early 2000s. Hacking tools like phone phreaking technology, malware, and other cracking tools were also shared, along with small percentages of software reverse engineering tools. Many tools shared on Japanese forums around this time were originally developed by Japanese-speaking individuals. For example, Yoko Kuroki, a password analyzer released in January 2000 right before the Unauthorized Computer Access Act came into full effect, was developed by Japanese creators for a Japanese audience.
Yoko Kuroki interface. (Source: Reitaku University)
Information on illegal drugs, firearms and explosives, and illegal organizations (like the Aum Shinrikyo cult), as well as other gossip or cold cases censored by broadcast television were also widely shared on BBSes. Such information was mostly out of the ordinary in its nature, and appealed to audiences looking for shocking or morbid content. Sites that provided such information gained popularity in the early 2000s, eventually giving birth to Gekiura Joho (Extraordinary Information), a forum dealing in morbid gossip. However, many of these gossip or tabloid-related sites have since been closed down or have evolved into general forums.
Current Gekiura Joho homepage. (Source: https://gekiura.com/)
Current Landscape
Similar to their Chinese counterparts, Japanese forums largely do not compartmentalize wares into marketplaces, and instead advertise on general purpose forums, where discussions around hacking or other topics also occur. Most current Japanese underground interactions occur on the Onion Channel, the largest Japanese-speaking underground community today. This BBS opened in 2004, inspired by the previously created 2channel forum. While the Onion Channel is officially divided into three message boards of “Tor Ita” (tor board), “Eroi No” (pornography), and “Angura Ita” (underground board), all of them contain various subforums, with topics including illegal drugs, hacking, and illicit sexual content. All message boards offer a file upload feature through which files related to illicit sexual content, censored information, and stolen files are uploaded. This board shows that the underground community culture of the 1990s and 2000s is still alive and well, wielding a strong influence over their modern counterparts today.
Japanese-speaking underground communities constructed in the traditional BBS style allow anonymous posting with no account registration required, as opposed to English-speaking underground community forums that require sign-up. This site structure makes it difficult to eliminate spam posts and trolls, resulting in slow performance of these sites in general. Additionally, anonymity makes tracking actors on these sites incredibly difficult. For example, in August 2013, a large volume of membership information of 5channel Viewers, a paid service of the 5channel BBS, was leaked on the underground subsection of the Onion Channel. The media coverage of the incident made the Onion Channel widely known.
While many posts are anonymous, BBS sites like the Onion Channel are equipped with a function to allow users to enter a fixed handle name when posting a comment. To do so, the BBS requires a user to register through a “tripcode” system. This feature was adopted from 5channel. After a user enters a username and password, the BBS hashes the password to calculate an arbitrary string called a tripcode. This tripcode is then displayed in every post from the user alongside their username in the format “fixed handle name ◆ (tripcode).” If a password is accidentally leaked to the public domain, other individuals can spoof posts from the user by logging in with their account, as the tripcode remains the same after each login.
Other prominent Japanese underground forums include Kogarasu-maru and the now-unavailable Koushinkyo Cyber Division. Kogarasu-maru originally spun off from the Onion Channel and came to be used by Japanese hackers as a membership-only information sharing circle. Most Kogarasu-maru posts within this circle are related to hacking and maintaining anonymity online. Members will post on topics like “torrc settings optimization,” “how to improve anonymity with Whonix,” and “Kali Linux hacking tutorials.” Koushinkyo Cyber Division pages used to contain discussions mainly on hacking, carding, and anonymity among members.
Login section of Kogarasu-maru.
Unlike their Chinese counterparts, Japanese-speaking communities do not only rely on Japanese forums. In some cases, Japanese-speaking communities are formed inside subsections of English-speaking communities. Japanese hackers will also register accounts on non-Japanese message boards to gain information or access to services not readily accessible within domestic forums, like bulletproof hosting, which is more readily available on Russian- and English-language forums. Foreign communities will also occasionally flock to Japanese message boards to advertise online wares. There are also traces of posts made in non-fluent Japanese to advertise foreign message boards in Japanese-speaking communities.
Japanese forum post within a dark web community asking if anyone speaks an Asian language. (Source: Recorded Future)
As collaboration across Japanese and foreign forums has grown, preferred contact methods within the underground community in Japan has also begun to change. Until a few years ago, contact was made mainly through Yahoo Mail or disposable email addresses. However, the use of email services such as ProtonMail and Tutanota that are widely spread among English-speaking communities have begun to grow in popularity. The use of messenger services that specialize in privacy protection, like Telegram, Signal Private Messenger, Wickr, or Jabber, are also becoming more popular.
Content in Japanese Underground Forums
Malware and Data
Malware development is not a common pursuit within Japanese-speaking communities based on the rare number of malware development posts, but malware purchased or leaked from criminal communities overseas are actively sold. For example, ransomware originally created by a foreign actor will be co-opted by Japanese criminals, who write ransom letters in fluent Japanese to target Japanese hosts.
A BBS post advertising a CryptoLocker variant. When it comes to data, Japanese hackers do not discriminate. Both domestic and international data is sold on Japanese underground forums, although in many cases it is not clear whether the data has been stolen by Japanese hackers themselves. For example, a May 2017 Japanese advertisement for Korean data was found on Kogarasu-maru, but seems to have been stolen by a hacker in a non-Japanese forum.
A Japanese ad on Kogarasu-maru selling a South Korean data dump.
Drugs, Weapons, and Illicit Sexual Content
The Japanese underground has a wide variety of drugs for sale, and drugs make up the majority of the posts. Just as it is in English, slang is often used in illegal drug and weapons trafficking in Japan. For example, on forum posts, cannabis is called “yasai,” and cocaine is called “chari,” while stimulant drugs are often referred to as “kori.” Additionally, weapons and illicit sexual content are occasionally advertised. Pistols, or “chaka,” are sometimes seen in forum advertisements on Japanese forums. Because all message boards offer a file upload feature and are anonymous by default, sellers can take advantage of this feature and share illicit content widely without fear of punishment.
In Japan, illegal drug sales are usually conducted in the form of an in-person transaction called “teoshi.” A seller will first post an advertising comment on a BBS such as “Osaka, Yasai, one gram, 5,000 yen,” with their contact information and will wait for buyers to send them an email. Buyers will contact the seller to meet at a specified location to conduct a transaction.
If sellers and buyers directly meet, they can complete transactions without leaving any evidence. Mail is discouraged as a form of drug transaction within Japan, both because some drug dealers have a habit of sending fake drugs, and because both domestic and international mail is screened before delivery. This is also why most drugs within the Japanese underground community are not ordered from other countries. Japanese customs is usually very effective at confiscating drugs and may directly visit the senders’ or buyers’ homes if the drugs were sent via mail. It is also understood among the users of English-speaking underground communities that no illegal drugs can be sent to Japan, and multiple drug-related English forums have discussed the efficacy of Japanese customs.
Reddit post of users warning other drug users not to ship to Japan because of Japanese customs.
Bulletproof Hosting Services and VPNs
The opening of a website hosting content that is usually censored by the Japanese government requires a server that is impervious to takedown requests, so bulletproof hosting services are used. Recently, international providers offering bulletproof hosting services have expanded their advertising presence within Japanese-language forums. Until a decade ago, services such as 000WebHost and XREA were used within Japan. Now, overseas services such as Novogara LTD, BlazingFast, and AbeloHost are commonly used by the country’s hackers. Information about these services are obtained by Japanese hackers through relationships with hacker peers overseas.
The use of VPNs within Japan has had a similar evolution. A free VPN service called VPN Gate, provided by the University of Tsukuba, had many users. Documents describing how to maintain anonymity in Tor and VPN Gate written in English and Japanese were widely circulated among forums. However, after it became widely known that the Japanese police archived VPN Gate logs, posts advertising overseas VPNs such as ExpressVPN and ProtonVPN gradually increased.
Payment Methods
Unlike English-speaking or other hacker communities, the adoption of Bitcoin as a form of online payment among Japanese hackers has been slow. While cash transactions are primarily used when buying drugs, prepaid gift cards, such as Amazon and iTunes gift cards, are usually used for online payment on Japanese forums. This is because they are convenient for netizens to obtain anonymously within Japan, while cryptocurrencies require the opening of an account and presentation of ID documents at the exchange in order to be converted into cash. Prepaid gift cards are also incredibly easy to use online, as the only data required to use gift cards is the code written on the back of the card. Thus, posts requesting prepaid cards occasionally appear on Japanese message boards.
Outlook
Underground communities in Japan largely adhere to the culture of their predecessors from the early 1990s. However, due to an increasing cross-pollination between Japanese and foreign hackers, Japanese hackers have an opportunity to grow in both number and sophistication. As many Japanese subsections continue to grow within English-speaking community forums, and as Japanese hackers develop relationships with foreign hackers, it is likely that Japanese hackers will continue to explore websites in other countries to obtain information and online goods not available in Japan, as they have done to obtain malware and VPN access. Message boards taking on the format of international forums will possibly emerge, and may begin to grow more influential and larger than the Onion Channel itself.
Related