When business is good, companies invest additional money and resources into recruiting and retaining the best talent, whether it’s IT support, cybersecurity or another crucial tech position. With cybercriminal firms, it’s not much different.
With an underground economy worth billions, cybercrime and other underground groups need the same tech talents and skills that help fuel the aboveground economy. A recent Kaspersky analysis of job ads and resumes posted on 155 darknet forums finds these illegal groups looking to lure tech talent by offering competitive salaries, bonuses, promotions and other perks… much like their legitimate counterparts.
These darknet—a.k.a. dark web—organizations offer a mix of legal, semi-legal and illegal job openings, with some salaries as high as $20,000 per month, although the median levels of pay offered to tech pros varied between about $1,300 and $4,000, according to the Kaspersky analysis.
The most in-demand job titles among these darknet groups are for developers, although reverse engineers could command a median salary of $4,000 per month.
In keeping with the times, some groups offer perks such as remote work and flex time. “That being said, remote work is a necessity rather than an attractive offer on the dark web, as anonymity is key in the world of cybercrime. You can also come across paid time off, paid sick leaves, and even a friendly team listed among the terms of employment,” Kaspersky researchers noted.
The push for tech talent for cybercriminals working within the darknet—which typically refers to any .onion website that can only be reached using the anonymizing Tor browser—comes as the underground economy continues to thrive. The latest numbers from the FBI’s annual Internet Crime Complaint Center (IC3) report found that cybercrime (such as ransomware, business email compromise, identity theft and data breaches) increased by 7 percent from 2020 to 2021, totaling $6.9 billion in losses across the U.S. alone.
By some estimates, cybercrime is costing victims across the globe trillions of dollars, according to one estimate. With this amount of money at stake, criminal organizations need skilled workers, said Phil Neray, vice president of cyber defense strategy at security firm CardinalOps.
“It's not surprising that cybercriminal organizations are looking to hire more developers and security experts—just like all other businesses,” Neray told Dice. “The difference here is that if you're successful at deploying ransomware to an organization like Colonial Pipeline or JBS, you might end up on the FBI's ‘Cyber Most Wanted’ list.”
Cybercrime’s Dark Mirror
In the analysis, the Kaspersky researchers reviewed about 200,000 employment-related ads posted on these darknet forums between January 2020 and June 2022. Most of the postings peaked in March 2020, when the COVID-19 pandemic began redefining the global economy and its underground counterpart.
The study found an overwhelming number of job ads (about 60 percent) were for developers, with pen testers second at 16 percent and designers third at about 10 percent. The researchers also found some underground jobs required potential applicants to undergo several rounds of interviews and “test assignments involving encryption of malware executables and evasion of protective measures, and a probation period.”
The continued adoption of recruiting and HR techniques from legitimate businesses is not surprising, especially as cybercrime becomes more lucrative and the groups grow in sophistication, said Mike Parkin, senior technical engineer at Vulcan Cyber.
“We’ve been watching the cybercriminal world adopt more and more of the trappings of legitimate businesses for years. It’s no real surprise to see them taking on the same human resources recruiting techniques found in the legitimate business world,” Parkin told Dice.
The Kaspersky report adds that one reason why developers are in such demand right now is that attacks are becoming more frequent and malware more sophisticated.
“This could suggest that the complexity of cyberattacks is growing. The higher demand for developers could be explained by a need to create and configure new, more complex tools,” according to the analysis.
With cyber-threats on the rise, Darren Guccione, CEO and co-founder at Keeper Security, noted that underground groups with the money and means will continue these recruitment efforts.
“Even more disturbing is that the growing demand for cybersecurity professionals is in large part due to the increasing frequency of cyberattacks and data breaches. That demand is expected to remain high over the next decade as employers, governments and higher learning institutions work to address the current talent gap,” Guccione told Dice.
Does Cybercrime Pay?
While the salaries and benefits that cybercriminal organizations offer might seem tempting for some, several experts noted that most of the compensation is below what legitimate cybersecurity or IT jobs offer in the U.S.
As the Kaspeksey report clearly shows, most of these job ads are aimed at applicants in Russian and eastern European countries where costs are lower and good-paying jobs are often scarce.
“As crime is the name of the game, there will of course be very little need to worry about tax codes, immigration visas, residency situations and monetary transfers—meaning that organized cybercrime groups can focus on hiring very specific sets of skills that they need to plug into their enterprise,” said Andrew Barratt, vice president at security consulting firm Coalfire.
And the pay offered on darknet sites appeals to certain types of developers or tech professionals who need money to supplement a legitimate income, Barratt added.
“There are huge swathes of very high standard software engineers around the world that, for one reason or another, don’t have access to the U.S. economy and as such a $4,000 to $20,000 side-hustle may be life-changing in countries where there can still be property found for sub-$100,000, and in some places sub-$50,000,” Barratt told Dice.
Parkin also noted that the ads are designed to attract workers outside of the U.S. “Most of their talent pool will come from areas where working for a cyber-criminal gang carries neither the stigma [nor] legal consequences of working for a criminal enterprise as it does in the U.S.,” he added.
These types of recruitment efforts are likely to continue until a greater effort is made to crack down on cybercrime, which will require more effort from U.S. and international law enforcement.
“We’ll probably see this sort of recruiting grow until, or even if the international law enforcement community makes some concerted effort to stop it,” Parkin noted. “Even then, they’ll only manage to drive it further underground, as these criminal enterprises will continue to exist as long as there are social, economic, cultural, and political reasons for them to exist.”
