BreachForums & TeamPCP Promote Supply Chain Competition as Cybercrime Gets Gamified
Underground cybercrime communities are increasingly borrowing ideas from legitimate tech ecosystems: branding, public challenges, shared tools, reputation building, and even prize-based competitions. Recently, BreachForums and TeamPCP promoted what they describe as a “supply chain competition,” encouraging threat actors to conduct the “biggest supply chain attack” using allegedly open-sourced “Shai-Hulud” tooling.
At first glance, the prize money may look like the main point. But the more concerning part is the way these communities are framing cybercrime as a collaborative challenge. Public recruitment, shared tooling, operational benchmarking, and community-driven attack campaigns all help normalize offensive activity and make it easier for more actors to participate.

BreachForums and TeamPCP promote a supply chain competition tied to Shai-Hulud tooling
Why Is the Gamification of Cybercrime Concerning?
Gamification changes how threat actors engage with attacks. Instead of isolated operators working alone, underground forums can turn attacks into public campaigns where participants compete for status, recognition, and financial rewards.
This creates a more scalable cybercrime ecosystem. Actors can share infrastructure ideas, copy each other’s workflows, reuse code, and build on public narratives to gain attention. Even when a tool release is incomplete, exaggerated, or partly symbolic, it can still help less experienced actors by giving them automation logic, deployment patterns, persistence concepts, and operational examples.
In other words, the value is not always in a polished malware tool. Sometimes, the real risk comes from the ideas, workflows, and copycat potential that spread through the community.
How Did NoName057(16) Use Gamification Before This?
This is not the first time threat actors have used game-like mechanics to scale participation. SOCRadar’s analysis of NoName057(16) & DDoSia showed how the group used a voluntary botnet model where participants knowingly installed the DDoSia tool and joined attacks. The group encouraged involvement through propaganda, points, rankings, team-based activity, and occasional cryptocurrency rewards.
That model matters here because it shows how gamification lowers the barrier for participation. People with limited technical skills can still contribute when the ecosystem gives them tools, instructions, leaderboards, and a sense of belonging. In the case of BreachForums and TeamPCP, the “competition” framing follows the same broader pattern: cybercrime becomes more public, more social, and more incentive-driven.
Why Are Supply Chain Attacks an Attractive Target?
The supply chain angle makes this trend even more serious. Attackers understand that compromising a trusted dependency, package, update process, GitHub repository, CDN link, or CI/CD workflow can create access far beyond a single victim.
One successful compromise can affect many downstream organizations at once. That is why supply chain attacks remain attractive to both skilled actors and lower-skill participants looking for high-impact results.
Organizations should watch for suspicious package updates, unexpected CI/CD changes, GitHub or CDN-hosted payload distribution, third-party compromise indicators, and references tied to TeamPCP or Shai-Hulud narratives across underground channels.
This incident reflects a wider shift. Cybercrime is no longer only about individual attacks. Some underground communities now behave more like startup ecosystems, with open-source projects, affiliate models, reputation systems, competitions, and fast collaboration cycles.
That should concern every defender.
How Can SOCRadar Supply Chain Intelligence Help?
SOCRadar Supply Chain Intelligence helps organizations monitor third-party risk through a combined view of CTI, DRP, and ASM insights, including vendor exposure, attack surface signals, vulnerability indicators, leaked data, suspicious news, and cybercriminal ecosystem activity.

Global News view in SOCRadar Supply Chain Intelligence, showing vendor-related trends, attack patterns, and third-party risk signals
With dashboards, third-party company tracking, risk scoring, global news monitoring, AI insights, and reporting, security teams can keep a closer eye on supplier risk before it turns into a larger incident. In a threat landscape where underground actors are openly competing around supply chain compromise, continuous vendor visibility is no longer just helpful; it is part of staying ahead.
