March 13, 2023 By Jonathan Reed 4 min read

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism.

Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about full-time or long-term employment.

Like any modern business, nefarious gangs have selection criteria, compensation parameters and employment terms. So how much does crime really pay? Plus, with all the tech layoffs recently, will these people turn to the dark web looking for work?

Why people work for threat groups

As per Kaspersky, there are many reasons why individuals seek employment on the dark web. Some are lured by the prospect of making easy money. Also, a fair number of those unhappy with conventional job pay seek alternative employment on the dark web. However, these expectations are often misguided as salaries on the dark web are not necessarily higher than those in the legitimate economy. Changes in the job market, layoffs and pay reductions can also lead people to seek work with threat groups.

A lack of specific requirements such as higher education, military service and a clean criminal record can also make dark web jobs appealing. The primary requirement many ads share is that applicants must be of legal age. Many also require applicants to be addiction- and drug-free. The ability to work remotely and anonymously also makes dark web job posts attractive to freelancers and digital nomads.

Poor awareness of the risks associated with working with cyber crime groups, as well as a flippant attitude towards these consequences, are more reasons people consider employment on the dark web.

What jobs are available on the dark web?

From January 2020 through June 2022, approximately 200,000 job-related ads were posted on dark web forums, as per Kaspersky. The majority of these postings (41% of the total) occurred in 2020.

The highest level of posting activity was seen in March 2020. This may have been a result of a tighter job market due to the pandemic. During that time, a significant number of desperate job seekers turned to dark web forums. This resulted in a notable increase in the number of resumes posted. The highest levels of ad activity from both employers and job seekers occurred in March 2020.

In terms of the resumes posted on the dark web, there was a diverse range of expertise and job descriptions. This included everything from moderating Telegram channels to compromising corporate infrastructure. The study examined 867 ads that contained specific keywords, 638 of which were job vacancy postings and 229 of which were resumes.

The most sought-after roles on the dark web were developers, accounting for 61% of all job ads. Pentesters (attackers) came in second, representing 16% of the ads, while designers made up 10% of the total.

Source: Kaspersky

Dark web hiring terms

The methods of selecting IT professionals in the dark web market are comparable to those utilized by legitimate businesses. Threat group employers also strive to identify and hire highly skilled individuals to obtain the best possible outcomes.

The main selection criteria used include (as a percentage of job postings):

  • Test assignments: 82%
  • CV/portfolio: 37%
  • Interviews: 26%.

Dark web employment terms

In order to attract potential talent, dark web employers offer a variety of appealing job packages. The most commonly advertised benefits included remote work (45%), full-time employment (34%) and flexible work hours (33%). It’s worth noting, however, that remote work is a necessity since anonymity is a vital component for cyber groups. Other advertised employment perks may include paid time off, paid sick leave and a welcoming work environment.

As with legitimate job markets, threat actors also offer a variety of work arrangements to their employees, including full-time, part-time, traineeships, business relationships, partnerships or team membership. In addition, these organizations may conduct performance reviews, similar to Conti’s approach. Reviews can result in bonuses for productive employees or fines for those who fail to meet expectations. Some underground organizations even offer employee referral programs with bonuses for the successful recruitment of new workers.

Unsurprisingly, the dark web job market lacks legally executed employment contracts.

What do cyber crime groups pay?

Kasperksy examined over 160 job advertisements on the dark web that specifically mentioned a salary. In many cases, employers provided a pay range or a minimum amount. According to the analysis, the highest-paying job at the time of the study was coding, with a maximum salary of $20,000 per month. However, the minimum salary for this job was also the smallest among all the job ads analyzed, with a minimum of only $200.

The amount of compensation received on the dark web may increase over time based on performance, contributions and the overall success of the business. Also, while compensation is usually denoted in U.S. dollars, in practice, work is often remunerated in cryptocurrency.

Where will tech workers find work?

Despite the potential danger, cyber crime employees are open to participating in activities that are illegal or fall into a gray area. In times of crisis, tech workers may seek to earn additional income by turning to the shadow market. This was evident during the onset of the pandemic. In March 2020, the number of resumes posted on dark websites increased significantly.

In 2022, 1,045 tech companies laid off a total of 160,997 people. So far, in 2023, 382 companies have laid off a total of 104,557 workers. Some of these people were notified abruptly by an email in the middle of the night. Where will all these tech workers go? Some publicly announced their disappointment at how companies let them go.

In their desperation or out of resentment, will laid-off tech workers turn to the dark web to find a new job? If so, they should keep in mind that such work poses significant risks, including exposure and prosecution. And despite the promised salaries and bonuses, there is no real guarantee of payment.

More from News

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

CISA director says banning ransomware payments is off the table

3 min read - The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands? The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today