March 13, 2023 By Jonathan Reed

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism.

Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about full-time or long-term employment.

Like any modern business, nefarious gangs have selection criteria, compensation parameters and employment terms. So how much does crime really pay? Plus, with all the tech layoffs recently, will these people turn to the dark web looking for work?

Why people work for threat groups

As per Kaspersky, there are many reasons why individuals seek employment on the dark web. Some are lured by the prospect of making easy money. Also, a fair number of those unhappy with conventional job pay seek alternative employment on the dark web. However, these expectations are often misguided as salaries on the dark web are not necessarily higher than those in the legitimate economy. Changes in the job market, layoffs and pay reductions can also lead people to seek work with threat groups.

A lack of specific requirements such as higher education, military service and a clean criminal record can also make dark web jobs appealing. The primary requirement many ads share is that applicants must be of legal age. Many also require applicants to be addiction- and drug-free. The ability to work remotely and anonymously also makes dark web job posts attractive to freelancers and digital nomads.

Poor awareness of the risks associated with working with cyber crime groups, as well as a flippant attitude towards these consequences, are more reasons people consider employment on the dark web.

What jobs are available on the dark web?

From January 2020 through June 2022, approximately 200,000 job-related ads were posted on dark web forums, as per Kaspersky. The largest share of these postings (41% of the total) occurred in 2020.

The highest level of posting activity was seen in March 2020. This may have been a result of a tighter job market due to the pandemic. During that time, a significant number of desperate job seekers turned to dark web forums. This resulted in a notable increase in the number of resumes posted. The highest levels of ad activity from both employers and job seekers occurred in March 2020.

In terms of the resumes posted on the dark web, there was a diverse range of expertise and job descriptions. This included everything from moderating Telegram channels to compromising corporate infrastructure. The study examined 867 ads that contained specific keywords, 638 of which were job vacancy postings and 229 of which were resumes.

The most sought-after roles on the dark web were developers, accounting for 61% of all job ads. Pentesters (attackers) came in second, representing 16% of the ads, while designers made up 10% of the total.


Dark web hiring terms

The methods of selecting IT professionals in the dark web market are comparable to those utilized by legitimate businesses. Threat group employers also strive to identify and hire highly skilled individuals to obtain the best possible outcomes.

The main selection criteria used include (as a percentage of job postings):

  • Test assignments: 82%
  • CV/portfolio: 37%
  • Interviews: 26%

Dark web employment terms

In order to attract potential talent, dark web employers offer a variety of appealing job packages. The most commonly advertised benefits included remote work (45%), full-time employment (34%) and flexible work hours (33%). It’s worth noting, however, that remote work is a necessity since anonymity is a vital component for cyber groups. Other advertised employment perks may include paid time off, paid sick leave and a welcoming work environment.

As with legitimate job markets, threat actors also offer a variety of work arrangements to their employees, including full-time, part-time, traineeships, business relationships, partnerships or team membership. In addition, these organizations may conduct performance reviews, similar to Conti’s approach. Reviews can result in bonuses for productive employees or fines for those who fail to meet expectations. Some underground organizations even offer employee referral programs with bonuses for the successful recruitment of new workers.

Unsurprisingly, the dark web job market lacks legally executed employment contracts.

What do cyber crime groups pay?

Kaspersky examined over 160 job advertisements on the dark web that specifically mentioned a salary. In many cases, employers provided a pay range or a minimum amount. According to the analysis, the highest-paying job at the time of the study was coding, with a maximum salary of $20,000 per month. However, the minimum salary for this job was also the smallest among all the job ads analyzed, with a minimum of only $200.

The amount of compensation received on the dark web may increase over time based on performance, contributions and the overall success of the business. Also, while compensation is usually denoted in U.S. dollars, in practice, work is often remunerated in cryptocurrency.

Where will tech workers find work?

Despite the potential danger, cyber crime employees are open to participating in activities that are illegal or fall into a gray area. In times of crisis, tech workers may seek to earn additional income by turning to the shadow market. This was evident during the onset of the pandemic. In March 2020, the number of resumes posted on dark websites increased significantly.

In 2022, 1,045 tech companies laid off a total of 160,997 people. So far, in 2023, 382 companies have laid off a total of 104,557 workers. Some of these people were notified abruptly by an email in the middle of the night. Where will all these tech workers go? Some publicly announced their disappointment at how companies let them go.

In their desperation or out of resentment, will laid-off tech workers turn to the dark web to find a new job? If so, they should keep in mind that such work poses significant risks, including exposure and prosecution. And despite the promised salaries and bonuses, there is no real guarantee of payment.
