Underground Hacking Forums See Surge in Original Content, Shifting Focus to Financial Fraud
Analysis of deep and dark web forums reveals a significant increase in new tutorials, with a pronounced shift towards financial fraud techniques like carding.

Underground hacking forums are experiencing a resurgence in original content creation, with a notable shift in focus towards financial fraud, particularly carding and cash-out techniques. Research conducted by Radware analyzed 8,870 tutorial posts across 24 deep and dark web forums between December 2022 and April 2026, identifying 3,034 unique guides after removing duplicates.
The output of new tutorials, which had previously collapsed through 2024 to around 45 monthly publications, roughly doubled from late 2025 onwards. The forums are now consistently publishing between 110 and 140 new tutorials each month in 2026, indicating a move beyond the recycling of existing methods to the development of novel techniques.
This increase in activity is accompanied by a significant change in subject matter. Carding, the fraudulent use of stolen payment card data, has grown from representing 19% of tutorials in 2024 to a dominant 38% in 2026, making it the largest category. Concurrently, topics like black-hat SEO and affiliate manipulation have declined from 33% to 13%, signaling a broader trend towards direct financial gain.
Other areas, such as offensive security and phishing, have also seen an increased share of published material. Many of the newly published guides are comprehensive, detailing multiple stages of fraud operations, from initial account compromise to methods for monetizing stolen credentials. This integrated approach aims to provide users with a complete playbook for fraud, rather than isolated tactics.
Telecom and social media sectors are frequently targeted in these tutorials, accounting for nearly two-thirds of industry-specific content. These sectors are crucial for fraud operations, enabling the interception of one-time passcodes, the acquisition of verified accounts, and facilitating cash-out activities.
The rise of AI is also playing a role in lowering the barrier to entry for tutorial authors. While experienced operators remain central to sophisticated fraud, AI tools are making it easier to generate convincing content. Case studies highlighted AI-assisted content creation and repackaging, though many guides still rely on application-specific knowledge.
Radware's analysis suggests that tutorial authors are motivated by building reputation within underground communities or promoting paid products and services. High repost counts, often driven by coordinated campaigns, are not always indicative of genuine community interest but can be a measure of promotional efforts.
Security teams can leverage these forum trends as an early warning system. Monitoring the publication and frequency of these tutorials can provide insights into emerging fraud techniques before they become widespread. The detailed workflows and business logic abuse described in these guides also offer a valuable checklist for stress-testing application security.