The criminal underground is populated with forum marketplaces where, allegedly, cybercriminals share and trade knowledge, skills, and cybercrime products. However, it is still unclear whether all marketplaces matter equally in the overall threat landscape. To effectively support trade and avoid degenerating into scams-for-scammers places, underground markets must address fundamental economic problems (such as moral hazard and adverse selection) in order to enable the exchange of actual technology and cybercrime products (as opposed to repackaged malware or years-old password databases). From the relevant literature and manual investigation, we identify several mechanisms that marketplaces implement to mitigate these problems, and we condense them into a market evaluation framework based on the Business Model Canvas. We use this framework to evaluate which mechanisms 'successful' marketplaces have in place, and whether these differ from those employed by 'unsuccessful' marketplaces. We test the framework on 23 underground forum markets by searching 836 aliases of indicted cybercriminals to identify 'successful' marketplaces. We find evidence that marketplaces whose administrators are impartial in trade, verify their sellers, and have the right economic incentives to keep the market functional are more likely to be credible sources of threat.