The researcher was careful to point out that data from 550 unique hosts was analysed and this was a relatively small sample compared to the total number of criminal operations.
The traffic that was analysed came from these communities and different accounts from a variety of backgrounds were used to lure threat actors to click on specific links.
Both IP addresses and user agents were collected during an operation on Russian-only cyber forums.
The intention was to understand which anonymisation services, VPNs or hosting providers were used the most by cyber criminals and those who are frequent visitors to these community sites.
The researcher said he/she used social engineering to get different accounts with different backgrounds and reputations to convince users of the forums to click on specific links.
A total of 694 hits were recorded, meaning that some among the 550 unique hosts clicked on more than one link.
Fifty-seven percent of the IPs recorded used anonymisation services like VPNs, hosting providers, proxies or onion routing to conceal their identities. Only 13% used the privacy-focused browser, Tor.
The most commonly used ISP for ensuring anonymity was M247, a well-known European provider, while French provider OVH was second. Microsoft and Amazon were third and fourth.
The researcher removed all IPs coming through VPN services, hosting providers, proxies and Tor exit nodes and obtained what are called clean IPs. The biggest provider in this category was Russia's Rostelecom, followed by India's Bharti Airtel.
Windows was used by 68% of those operating on these forums with Linux use limited to 9%. Four percent each used Android and iOS devices.
"The analysis was carried out on a relatively small number of hosts with a specific target in the Russian communities compared to the total number of criminals out there," the researcher noted. "However, it was relevant to carry out in-depth analysis and it highlighted many interesting points.
"This kind of data is very difficult to collect because hackers and cyber criminals are very smart and it is very hard to fool them.
"So, are the hackers all Russian? Given the high amount of traffic coming from the US, we can probably begin to assume that Russian threat actors are not using Internet services located in or passing through the US so a conclusion can be drawn: Not all the threat actors on top-tier Russian hacking forums are Russian."