New tutorials on underground hacking forums have roughly doubled
Underground hacking forums are producing more original tutorials again, with growing attention on financial fraud, particularly the theft and fraudulent use of payment card data, known as carding, and cash-out techniques.

New tutorials per month versus reposts (Source: Radware)
Fraud tutorials gain momentum
Radware analyzed 8,870 tutorial posts published across 24 deep- and dark-web forums between December 2022 and April 2026. After removing reposts, the dataset contained 3,034 unique hacking and fraud guides.
“New tutorial output collapsed through 2024 to roughly 45 first-time publications a month and stayed flat into mid-2025. From late 2025, it roughly doubled, to between 110 and 140 new tutorials a month across 2026,” researchers noted. “The forums are not only recycling a fixed set of techniques; they are producing new ones.”
The increase in activity was accompanied by a shift in subject matter. Carding grew from 19% of tutorials in 2024 to 38% in 2026, making it the largest category in the dataset. During the same period, black-hat SEO and affiliate manipulation declined from 33% to 13%, reflecting a shift toward direct financial fraud.
Other topics gained ground as well. Offensive security and phishing accounted for a larger share of published material than they did two years earlier. Many of the guides describe multiple stages of fraud activity, covering techniques used to gain access to accounts as well as methods used to monetize stolen credentials.
“You can’t fully understand fraud if you only look at one piece of the puzzle. By teaching the break-in and cash-out sides side by side, tutorial authors are giving readers the complete playbook, not just a few random tricks.”
Reputation and profit drive tutorial publishing
Telecom and social media were the sectors most frequently referenced in tutorials that identified a specific target. Together, they accounted for nearly two-thirds of industry-tagged content. The report links that focus to the role these services play in fraud operations, including intercepting one-time passcodes, obtaining verified accounts, and supporting cash-out activity.
High repost counts also proved to be a poor indicator of genuine popularity. Among tutorials reposted at least 10 times, 79% were distributed through coordinated campaigns run by a single account or hidden premium members.
Radware found that some authors publish tutorials to build credibility within underground forums, while others use them to promote paid products and services, making repost volume as much a measure of promotion as community interest.
AI is lowering the bar for underground tutorial authors
AI is making it easier to produce convincing underground tutorials, even though experienced operators remain central to sophisticated fraud.
Radware’s case studies included an AI-generated catalog of attack techniques whose author used hidden content and engagement requirements to build reputation within a hacking forum, a “free” cash-out tutorial that served as a lead-generating tool for paid criminal services, and public security research rewritten and republished under a threat actor’s name to manufacture false authority and credibility.
Two of the three case studies involved AI-assisted content creation or repackaging. Many fraud guides still depend on application-specific knowledge, including the precise sequence and timing of actions needed to exploit business logic in online applications.
Researchers say newer agentic AI tools could narrow that gap as they become more capable of identifying business logic vulnerabilities.
What security teams can learn from watching the forums
These tutorials are an early warning system. Watching what gets published, and how often, can tip you off to fraud techniques before they show up in the wild. And because the guides walk through actual attack workflows and business logic abuse, they double as a checklist of weak spots worth stress-testing in your own applications. The criminals are basically telling you where to look.