March 13, 2023 By Jonathan Reed 4 min read

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism.

Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about full-time or long-term employment.

Like any modern business, nefarious gangs have selection criteria, compensation parameters and employment terms. So how much does crime really pay? Plus, with all the tech layoffs recently, will these people turn to the dark web looking for work?

Why people work for threat groups

As per Kaspersky, there are many reasons why individuals seek employment on the dark web. Some are lured by the prospect of making easy money. Also, a fair number of those unhappy with conventional job pay seek alternative employment on the dark web. However, these expectations are often misguided as salaries on the dark web are not necessarily higher than those in the legitimate economy. Changes in the job market, layoffs and pay reductions can also lead people to seek work with threat groups.

A lack of specific requirements such as higher education, military service and a clean criminal record can also make dark web jobs appealing. The primary requirement many ads share is that applicants must be of legal age. Many also require applicants to be addiction- and drug-free. The ability to work remotely and anonymously also makes dark web job posts attractive to freelancers and digital nomads.

Poor awareness of the risks associated with working with cyber crime groups, as well as a flippant attitude towards these consequences, are more reasons people consider employment on the dark web.

What jobs are available on the dark web?

From January 2020 through June 2022, approximately 200,000 job-related ads were posted on dark web forums, as per Kaspersky. The majority of these postings (41% of the total) occurred in 2020.

The highest level of posting activity was seen in March 2020. This may have been a result of a tighter job market due to the pandemic. During that time, a significant number of desperate job seekers turned to dark web forums. This resulted in a notable increase in the number of resumes posted. The highest levels of ad activity from both employers and job seekers occurred in March 2020.

In terms of the resumes posted on the dark web, there was a diverse range of expertise and job descriptions. This included everything from moderating Telegram channels to compromising corporate infrastructure. The study examined 867 ads that contained specific keywords, 638 of which were job vacancy postings and 229 of which were resumes.

The most sought-after roles on the dark web were developers, accounting for 61% of all job ads. Pentesters (attackers) came in second, representing 16% of the ads, while designers made up 10% of the total.

Source: Kaspersky

Dark web hiring terms

The methods of selecting IT professionals in the dark web market are comparable to those utilized by legitimate businesses. Threat group employers also strive to identify and hire highly skilled individuals to obtain the best possible outcomes.

The main selection criteria used include (as a percentage of job postings):

  • Test assignments: 82%
  • CV/portfolio: 37%
  • Interviews: 26%.

Dark web employment terms

In order to attract potential talent, dark web employers offer a variety of appealing job packages. The most commonly advertised benefits included remote work (45%), full-time employment (34%) and flexible work hours (33%). It’s worth noting, however, that remote work is a necessity since anonymity is a vital component for cyber groups. Other advertised employment perks may include paid time off, paid sick leave and a welcoming work environment.

As with legitimate job markets, threat actors also offer a variety of work arrangements to their employees, including full-time, part-time, traineeships, business relationships, partnerships or team membership. In addition, these organizations may conduct performance reviews, similar to Conti’s approach. Reviews can result in bonuses for productive employees or fines for those who fail to meet expectations. Some underground organizations even offer employee referral programs with bonuses for the successful recruitment of new workers.

Unsurprisingly, the dark web job market lacks legally executed employment contracts.

What do cyber crime groups pay?

Kasperksy examined over 160 job advertisements on the dark web that specifically mentioned a salary. In many cases, employers provided a pay range or a minimum amount. According to the analysis, the highest-paying job at the time of the study was coding, with a maximum salary of $20,000 per month. However, the minimum salary for this job was also the smallest among all the job ads analyzed, with a minimum of only $200.

The amount of compensation received on the dark web may increase over time based on performance, contributions and the overall success of the business. Also, while compensation is usually denoted in U.S. dollars, in practice, work is often remunerated in cryptocurrency.

Where will tech workers find work?

Despite the potential danger, cyber crime employees are open to participating in activities that are illegal or fall into a gray area. In times of crisis, tech workers may seek to earn additional income by turning to the shadow market. This was evident during the onset of the pandemic. In March 2020, the number of resumes posted on dark websites increased significantly.

In 2022, 1,045 tech companies laid off a total of 160,997 people. So far, in 2023, 382 companies have laid off a total of 104,557 workers. Some of these people were notified abruptly by an email in the middle of the night. Where will all these tech workers go? Some publicly announced their disappointment at how companies let them go.

In their desperation or out of resentment, will laid-off tech workers turn to the dark web to find a new job? If so, they should keep in mind that such work poses significant risks, including exposure and prosecution. And despite the promised salaries and bonuses, there is no real guarantee of payment.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today