Underground and illegal organizations operate on the dark web much like their legitimate, above-ground enterprise counterparts do. This also means these illegitimate businesses need to recruit for open positions and advertise for skilled cybersecurity and technology workers to fill specific, if nefarious, needs.
While these dark web job boards should be avoided, some cybersecurity professionals are increasingly turning to these underground websites to look for work or advertise their skills, especially if they feel legitimate job searches have stalled, according to recent research published by security firm Kaspersky.
The analysis, based on 2,225 job-related posts – vacancies and resumes – published on dark web forums between January 2023 and June 2025, found a “two-fold increase” in the number of resumes and underground jobs posted on various dark web forums between the first quarter of 2023 and the first quarter of 2024.
These numbers also remained steady in the first quarter of 2025 as well.
Kaspersky researchers also found that resumes outnumber job vacancies by 55 percent to 45 percent this year. This trend appears driven by global layoffs and an influx of younger potential candidates, with the median job seeker being about 24 years old.
A significant reason for this increasing interest in underground job boards is money.
Kaspersky researchers found job posts showing reverse engineers could command more than $5,000 in monthly salary, while seasoned penetration testers could earn $4,000. Developers were promised pay starting at $2,000.
While trusting what an underground or cybercriminal organization might pay is a risky proposition, the lure of the work in unstable times, combined with what seems like easy money, is tempting for many tech and cyber pros. It also continues to blur the line between the legitimate and illegitimate worlds, said Jason Soroko, senior fellow at security firm Sectigo.
“Criminal forums often promise outsized returns or revenue sharing that looks far more attractive than an entry-level security role, especially to someone who has been laid off or shut out of traditional hiring funnels,” Soroko told Dice. “In practice, the underground labor market is volatile, rife with non-payment and scams, and carries obvious legal and personal risk, while established security careers and bug bounty programs can offer competitive compensation over time.”
The Kaspersky researchers also noted that over time – as the lines between the above-ground economy and dark web economy have blurred – some skilled workers no longer see a difference.
“While the shadow market contrasts with legal employment in areas such as contract formality and hiring speed, there are clear parallels between the two. Both markets increasingly prioritize practical skills over formal education, conduct background checks and show synchronized fluctuations in supply and demand,” according to Kaspersky.
Dark Web Cybersecurity Skills
The Kaspersky research shows that many of the cyber skills needed within legitimate security teams – such as penetration testing – are also in demand among underground and cybercriminal organizations.
The five most in-demand skills on the dark web include:
- Developers, accounting for 17 percent of listed job vacancies, to create attack tools
- Penetration testers, accounting for 12 percent of listed job vacancies, to probe networks for weaknesses
- Money launderers, accounting for 11 percent of listed job vacancies, to clean illicit funds through layered transactions
- Carders, accounting for 6 percent of listed job vacancies, to steal and monetize payment data
- Traffers, accounting for 5 percent of listed job vacancies, to drive victims to phishing sites or infected downloads
While money laundering skills are specifically for illegal dark web activity, Soroko and other experts note that pen testing and DevOps skills have legitimate and illegitimate uses. This is also a concern for employers, as a potential candidate may have developed needed skills while working for a cybercriminal organization.
“The same penetration testing techniques used for legitimate red teaming can be turned toward initial access for ransomware crews, and the same automation and DevOps skills that build cloud services can be redirected into scalable fraud and data theft,” Soroko added. “That blurring of skill sets means employers can no longer assume that a clean resume equates to a clean history, and it raises the stakes for insider risk, ethics training and background checks.”
When it comes to developing skills through underground organizations, recent geopolitical issues have also helped muddy the waters of how some professionals think about ways to earn a living, said Casey Ellis, founder at Bugcrowd.
“There are a bunch of different factors here, with two big ones to call out: Necessity, and the blurring of ethical lines. Overall, job scarcity and increasing economic pressure, which, at this point, is a phenomenon that is being experienced globally. When it is an issue of survival and the opportunity presents itself, people will choose crime to survive,” Ellis told Dice.
In many cases, changing views of the web and other issues have redefined what a “bad guy” is, Ellis added. “In the case of hiring someone for overt cybercriminal activity, this distinction is probably clear to the person applying to the job, but their ethical threshold might be compromised relative to where they may have landed in the past,” he added.
The Trouble With North Korea
While this blurring of the lines between legitimate and illegitimate job postings might seem academic, it’s having real-world consequences for businesses, employees and cybersecurity professionals.
Since 2020, the U.S. government, law enforcement and several large-scale IT security firms, including Microsoft, have tracked how the North Korean government has successfully placed remote IT workers in an array of jobs, including at major software firms.
“North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries,” according to one Microsoft security report. “In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees.”
In June, the U.S. Department of Justice announced that the FBI and other law enforcement agencies searched 29 known or suspected “laptop farms” across 16 states linked to North Korea’s illicit activities, while seizing 29 financial accounts used to launder funds, as well as 21 fraudulent websites.
The Justice Department also found that many of the North Korean organizations that placed remote IT workers in a variety of jobs had help from U.S. citizens. Since then, at least four Americans have pleaded guilty to playing various roles in these schemes.
These types of schemes add to the blurring of legitimate and illegal work, and this is only likely to increase, Soroko noted.
“We already see this in campaigns attributed to North Korean groups that disguise contract work as normal freelance development while quietly feeding sanctioned programs, and these boards extend that model to a much wider range of actors,” Soroko added.
In other cases, cybercriminal groups such as Scattered Lapsus$ Hunters claimed to have recruited insiders working at cybersecurity firms to supply them with information.
John Bambenek, president at Bambenek Consulting, noted that in a time of economic uncertainty and fewer opportunities for younger tech pros, picking up money working for underground dark web groups is becoming tempting for many.
“It’s always been true that a lack of economic opportunities leads a subset of people to pursue criminal or semi-criminal activity. In particular, it’s a difficult hiring environment for entry-level workers. Given the dollars involved, it could be tempting for younger workers whose earning potential hasn’t grown but over time, it’s probably more lucrative to be on the good side of things,” Bambenek told Dice. “That being said, it’s also not hard to look in the cybersecurity industry to find highly paid consultants who, a couple of decades ago, were cybercriminals themselves. We’ve created an illusion that an early life of crime may be a lucrative life of cybersecurity work later.”