🤖 AI Summary
Identifying critical threat actors in cybercrime forums remains challenging due to overreliance on activity-based metrics while neglecting technical expertise. Method: This paper proposes a CVE-CAPEC-driven dual-mode heterogeneous network modeling approach, integrating attack knowledge graphs (CVE/CAPEC) with criminological behavioral frameworks, and combining Louvain community detection with k-means clustering to precisely identify expert hackers possessing specific offensive capabilities. Contribution/Results: It presents the first systematic integration of attack knowledge graphs and criminological theory for hacker role identification; reveals cross-forum homophilous attack-interest community structures; and defines quantifiable behavioral distinctions between “experts” and “novices.” Experiments identify 4% of participants as high-value experts—covering critical attack patterns—while classifying ~50% as low-capability actors. These findings provide both theoretical grounding and empirical support for targeted threat intelligence resource allocation.
📝 Abstract
The advent of Big Data has made the collection and analysis of cyber threat intelligence challenging due to its volume, leading research to focus on identifying key threat actors; yet these studies have failed to consider the technical expertise of these actors. Expertise, especially in specific attack patterns, is crucial for cybercrime intelligence, as it focuses on targeting actors with the knowledge and skills to attack enterprises. Using CVEs and CAPEC classifications to build a bimodal network, as well as community detection, k-means and a criminological framework, this study addresses the key hacker identification problem by identifying communities interested in specific attack patterns across cybercrime forums and their related key expert actors. The analyses reveal several key contributions. First, the community structure of the CAPEC-actor bimodal network shows that there exist groups of actors interested in similar attack patterns across cybercrime forums. Second, key actors identified in this study account for about 4% of the study population. Third, about half of the study population are amateurs who show little technical expertise. Finally, the key actors highlighted in this study represent a promising scarce target for resource allocation in cyber threat intelligence production. Further research should look into how they develop and use their technical expertise in cybercrime forums.
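The pipeline the abstract describes, as an added toy illustration that is not the paper's code: constructed forum posts are mapped through a placeholder CVE-to-CAPEC table into an actor/CAPEC bimodal network, projected onto actors that share attack patterns to find communities (connected components stand in for Louvain), and split by a one-dimensional 2-means on CAPEC breadth into "expert" and "novice". The CVE identifiers, posts and mapping are all constructed placeholders.

```python
"""Constructed toy (not the paper's code): CVE->CAPEC bimodal network from forum
posts, actor-actor projection into communities, 2-means split on CAPEC breadth."""
from collections import defaultdict
from itertools import combinations
import re
# Placeholder mapping; the paper derives CVE -> CAPEC from the public knowledge graphs.
CVE_TO_CAPEC = {"CVE-0000-0001": {"CAPEC-66"}, "CVE-0000-0002": {"CAPEC-66", "CAPEC-63"},
                "CVE-0000-0003": {"CAPEC-100"}, "CVE-0000-0004": {"CAPEC-100", "CAPEC-242"}}
# Constructed posts: (actor, forum, text); actors span two forums.
POSTS = [("alice", "forumA", "PoC for CVE-0000-0001 and CVE-0000-0002 attached"),
         ("bob", "forumB", "anyone have a CVE-0000-0001 writeup?"),
         ("carol", "forumA", "CVE-0000-0003 heap notes, see also CVE-0000-0004"),
         ("dave", "forumB", "CVE-0000-0003 crash repro"),
         ("erin", "forumA", "selling accounts, pm me")]  # no technical content
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def bimodal_network(posts):
    """Actor mode -> set of CAPEC patterns reached through the CVEs they mention."""
    net = {actor: set() for actor, _, _ in posts}
    for actor, _forum, text in posts:
        for cve in CVE_RE.findall(text):
            net[actor] |= CVE_TO_CAPEC.get(cve, set())
    return net

def communities(net):
    """Project to actor-actor edges (shared CAPEC) and return connected components.
    Union-find components stand in for Louvain, which needs a graph library."""
    parent = {a: a for a in net}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(net, 2):
        if net[a] & net[b]:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for a in net:
        groups[find(a)].append(a)
    return sorted(sorted(g) for g in groups.values())

def kmeans_expertise(net, iters=10):
    """1-D k-means, k=2, on CAPEC breadth; cluster with the higher centroid is 'expert'."""
    pts = {a: len(c) for a, c in net.items()}
    lo, hi = min(pts.values()), max(pts.values())
    for _ in range(iters):
        hi_set = {a for a, v in pts.items() if abs(v - hi) < abs(v - lo)}
        hs = [pts[a] for a in hi_set] or [hi]
        ls = [pts[a] for a in pts if a not in hi_set] or [lo]
        lo, hi = sum(ls) / len(ls), sum(hs) / len(hs)
    return {a: ("expert" if a in hi_set else "novice") for a in pts}
```

On the constructed posts, alice/bob and carol/dave form two attack-interest communities spanning both forums, erin (no CVE mentions) sits alone, and only the two actors touching several CAPEC patterns land in the expert cluster.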