Underground forums serve as hubs for cybercriminal activities, offering a space for anonymity and evasion of conventional online oversight. In these hidden communities, malicious actors collaborate to exchange illicit knowledge, tools, and tactics, driving a range of cyber threats from hacking techniques to the sale of stolen data, malware, and zero-day exploits. Identifying the key instigators (i.e., key hackers), behind these operations is essential but remains a complex challenge. This paper presents a novel method called EUREKHA (Enhancing User Representation for Key Hacker Identification in Underground Forums), designed to identify these key hackers by modeling each user as a textual sequence. This sequence is processed through a large language model (LLM) for domain-specific adaptation, with LLMs acting as feature extractors. These extracted features are then fed into a Graph Neural Network (GNN) to model user structural relationships, significantly improving identification accuracy. Furthermore, we employ BERTopic (Bidirectional Encoder Representations from Transformers Topic Modeling) to extract personalized topics from user-generated content, enabling multiple textual representations per user and optimizing the selection of the most representative sequence. Our study demonstrates that fine-tuned LLMs outperform state-of-the-art methods in identifying key hackers. Additionally, when combined with GNNs, our model achieves significant improvements, resulting in approximately 6% and 10% increases in accuracy and F1-score, respectively, over existing methods. EUREKHA was tested on the Hack-Forums dataset, and we provide open-source access to our code.

翻译：地下论坛是网络犯罪活动的中心，为参与者提供了匿名性和逃避常规在线监管的空间。在这些隐蔽的社区中，恶意行为者相互协作，交换非法知识、工具和策略，从而催生了从黑客技术到被盗数据、恶意软件及零日漏洞销售等一系列网络威胁。识别这些活动背后的关键煽动者（即关键黑客）至关重要，但仍是一项复杂的挑战。本文提出了一种名为EUREKHA（增强地下论坛关键黑客识别的用户表征）的新方法，旨在通过将每个用户建模为文本序列来识别这些关键黑客。该序列通过一个大型语言模型（LLM）进行处理，以实现领域特定适应，其中LLM充当特征提取器。然后，这些提取的特征被输入图神经网络（GNN）以建模用户结构关系，从而显著提高识别准确性。此外，我们采用BERTopic（基于Transformer双向编码器表征的主题建模）从用户生成内容中提取个性化主题，使得每个用户能够拥有多种文本表征，并优化最具代表性序列的选择。我们的研究表明，经过微调的LLM在识别关键黑客方面优于现有最先进方法。此外，当与GNN结合时，我们的模型取得了显著改进，与现有方法相比，准确率和F1分数分别提高了约6%和10%。EUREKHA在Hack-Forums数据集上进行了测试，并且我们提供了代码的开源访问。