Crypter-as-a-Service (CraaS) has become a key enabling layer of the contemporary malware economy by providing on-demand evasion capabilities through underground service markets. In this paper, we present a longitudinal characterization of the CraaS ecosystem on exploit.in, a major Russian-language cybercrime forum with a presence on both the clear web and the dark web. From a collection of approximately 1,000,000 posts, we combine keyword filtering, LLM-assisted annotation, and manual validation to extract a corpus of 491 threads and 2,949 posts spanning January 2020 to August 2025. Our analysis shows that crypters on exploit.in are not merely sold as static tools, but as continuously maintained operational services whose value depends on recurring stub renewal - sometimes on a daily basis - sustained antivirus evasion, and trust-based delivery. We develop a taxonomy of five seller types and four buyer profiles, and map the buyer-seller correspondences that structure market transactions. We further document pricing models ranging from low-cost per-build Telegram bot services to high-end custom development and salaried recruitment. Using social-network analysis, we find that the market is hierarchically structured around a small core of highly central actors, many of whom appear to function as trust brokers or other influential intermediaries, while its stability relies on a broader trust and governance infrastructure including escrow, guarantors, reputation systems, and security deposits. Finally, we discuss differences between the CraaS model observed on exploit.in and that reported on HackForums. Although both forums share similar service logics, our corpus suggests that exploit.in exhibits a more professionalized and service-oriented CraaS configuration.

翻译：暂无翻译