March 13, 2023 By Jonathan Reed 4 min read

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism.

Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about full-time or long-term employment.

Like any modern business, nefarious gangs have selection criteria, compensation parameters and employment terms. So how much does crime really pay? Plus, with all the tech layoffs recently, will these people turn to the dark web looking for work?

Why people work for threat groups

As per Kaspersky, there are many reasons why individuals seek employment on the dark web. Some are lured by the prospect of making easy money. Also, a fair number of those unhappy with conventional job pay seek alternative employment on the dark web. However, these expectations are often misguided as salaries on the dark web are not necessarily higher than those in the legitimate economy. Changes in the job market, layoffs and pay reductions can also lead people to seek work with threat groups.

A lack of specific requirements such as higher education, military service and a clean criminal record can also make dark web jobs appealing. The primary requirement many ads share is that applicants must be of legal age. Many also require applicants to be addiction- and drug-free. The ability to work remotely and anonymously also makes dark web job posts attractive to freelancers and digital nomads.

Poor awareness of the risks associated with working with cyber crime groups, as well as a flippant attitude towards these consequences, are more reasons people consider employment on the dark web.

What jobs are available on the dark web?

From January 2020 through June 2022, approximately 200,000 job-related ads were posted on dark web forums, as per Kaspersky. The majority of these postings (41% of the total) occurred in 2020.

The highest level of posting activity was seen in March 2020. This may have been a result of a tighter job market due to the pandemic. During that time, a significant number of desperate job seekers turned to dark web forums. This resulted in a notable increase in the number of resumes posted. The highest levels of ad activity from both employers and job seekers occurred in March 2020.

In terms of the resumes posted on the dark web, there was a diverse range of expertise and job descriptions. This included everything from moderating Telegram channels to compromising corporate infrastructure. The study examined 867 ads that contained specific keywords, 638 of which were job vacancy postings and 229 of which were resumes.

The most sought-after roles on the dark web were developers, accounting for 61% of all job ads. Pentesters (attackers) came in second, representing 16% of the ads, while designers made up 10% of the total.

Source: Kaspersky

Dark web hiring terms

The methods of selecting IT professionals in the dark web market are comparable to those utilized by legitimate businesses. Threat group employers also strive to identify and hire highly skilled individuals to obtain the best possible outcomes.

The main selection criteria used include (as a percentage of job postings):

  • Test assignments: 82%
  • CV/portfolio: 37%
  • Interviews: 26%.

Dark web employment terms

In order to attract potential talent, dark web employers offer a variety of appealing job packages. The most commonly advertised benefits included remote work (45%), full-time employment (34%) and flexible work hours (33%). It’s worth noting, however, that remote work is a necessity since anonymity is a vital component for cyber groups. Other advertised employment perks may include paid time off, paid sick leave and a welcoming work environment.

As with legitimate job markets, threat actors also offer a variety of work arrangements to their employees, including full-time, part-time, traineeships, business relationships, partnerships or team membership. In addition, these organizations may conduct performance reviews, similar to Conti’s approach. Reviews can result in bonuses for productive employees or fines for those who fail to meet expectations. Some underground organizations even offer employee referral programs with bonuses for the successful recruitment of new workers.

Unsurprisingly, the dark web job market lacks legally executed employment contracts.

What do cyber crime groups pay?

Kasperksy examined over 160 job advertisements on the dark web that specifically mentioned a salary. In many cases, employers provided a pay range or a minimum amount. According to the analysis, the highest-paying job at the time of the study was coding, with a maximum salary of $20,000 per month. However, the minimum salary for this job was also the smallest among all the job ads analyzed, with a minimum of only $200.

The amount of compensation received on the dark web may increase over time based on performance, contributions and the overall success of the business. Also, while compensation is usually denoted in U.S. dollars, in practice, work is often remunerated in cryptocurrency.

Where will tech workers find work?

Despite the potential danger, cyber crime employees are open to participating in activities that are illegal or fall into a gray area. In times of crisis, tech workers may seek to earn additional income by turning to the shadow market. This was evident during the onset of the pandemic. In March 2020, the number of resumes posted on dark websites increased significantly.

In 2022, 1,045 tech companies laid off a total of 160,997 people. So far, in 2023, 382 companies have laid off a total of 104,557 workers. Some of these people were notified abruptly by an email in the middle of the night. Where will all these tech workers go? Some publicly announced their disappointment at how companies let them go.

In their desperation or out of resentment, will laid-off tech workers turn to the dark web to find a new job? If so, they should keep in mind that such work poses significant risks, including exposure and prosecution. And despite the promised salaries and bonuses, there is no real guarantee of payment.

More from News

CISA releases landmark cyber incident reporting proposal

2 min read - Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government. The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of…

Recent developments and updates in Biden cyber policy

3 min read - The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…

Change Healthcare cyberattack causes dire billing crisis

3 min read - Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications. Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today