The dark web is a collective name for a variety of websites and marketplaces that bring together individuals willing to engage in illicit or shady activities. Dark web forums contain ads for selling and buying stolen data, offers to code malware and hack websites, posts seeking like-minded individuals to participate in attacks on companies, and many more.

Just as any other business, cybercrime needs labor. New team members to participate in cyberattacks and other illegal activities are recruited right where the business is done – on the dark web. We reviewed job ads and resumes that were posted on 155 dark web forums from January 2020 through June 2022 and analyzed those containing information about a long-term engagement or a full-time job.

This post covers the peculiarities of this kind of employment, terms, candidate selection criteria, and compensation levels. Further information, along with an analysis of the most popular IT jobs on the dark web, can be found in the full version of the report.

Key outcomes

Our analysis of the dark web job market found:

• The greatest number of ads were posted in March 2020, which was likely related to the outbreak of the COVID-19 pandemic and the ensuing changes in the structure of the job market.
• The major dark web employers are hacker teams and APT groups looking for those capable of developing and spreading malware code, building and maintaining IT infrastructure, and so on.
• Job ads seeking developers are the most frequent ones, at 61% of the total.
• Developers also topped the list of the best-paid dark web IT jobs: the highest advertised monthly salary figure we saw in an ad for a developer was $20,000.
• The median levels of pay offered to IT professionals varied between $1,300 and $4,000.
• The highest median salary of $4,000 could be found in ads for reverse engineers.

The dark web job market

Most dark web employers offer semi-legal and illegal jobs, but there are ads with potentially legal job offers that comply with national laws. An example is creating IT learning courses.

Sketchy employment arrangements can border on the illegal and sometimes go against the law. An example of a dubious job is selling questionable drugs for profit on fraudulent websites.

Dirty jobs are illegal and often present a criminal offense. An individual engaged in these can be prosecuted and jailed if caught. Fraudulent schemes or hacking websites, social network accounts and corporate IT infrastructure all qualify as dirty jobs.

Offers like that come from hacker groups, among others. Cybercrooks need a staff of professionals with specific skills to penetrate the infrastructure of an organization, steal confidential data, or encrypt the system for subsequent extortion.

Attack team coordination diagram

People may have several reasons for going to a dark web site to look for a job. Many are drawn by expectations of easy money and large financial gain. Most times, this is only an illusion. Salaries offered on the dark web are seldom significantly higher than those you can earn legally. Moreover, the level of compensation depends on your experience, talent, and willingness to invest your energy into work. Nevertheless, unhappy with their pay, a substantial percentage of employees in the legitimate economy quit their jobs to find similar employment on the dark web market. Changes on the market, layoffs, and pay cuts, too, often prompt them to look for a job on cybercrime websites.

Other factors are a lack of certain candidate requirements, such as a higher education, military service record, absence of prior convictions, and so on. Legal age is the main requirements that many ads have in common. Dark web jobs look attractive to freelancers and remote workers because there is no office they have to show up in, and they can remain digital nomads. Candidates are attracted by a large degree of freedom offered on the dark web: you can take as many days off as you want, there is no dress code, and you are free to choose any schedule, tasks and scope of work.

Another reason why people look for a job on the dark web is poor awareness of possible consequences or a flippant attitude to those. Working with underground teams, let alone cybercrime groups, poses serious risks: members can be deanonymized and prosecuted, and even getting paid is not a guarantee.

Example of a resume posting

Dark web job market statistics

To analyze the state of the dark web job market in January 2020 through June 2022, we gathered statistics on messages that mentioned employment, posted on 155 dark web forums. Messages were selected from forum sections on any jobs, not necessarily those in IT.

A total of roughly 200,000 employment-related ads were posted on the dark web forums during the period in question. The largest number of these, or 41% of the total, were posted in 2020. Posting activity peaked in March 2020, possibly caused by a pandemic-related income drop experienced by part of the population.

Ad posting statistics by quarter, Q1 2020–Q2 2022 (download)

The impact of the pandemic was especially noticeable on the CIS markets.

The resume of a candidate who has found himself in a pinch (1)

The resume of a candidate who has found himself in a pinch (2)

Some of the living in the region suffered from reduction of income, took a mandatory furlough, or lost their jobs altogether, which subsequently resulted in rising unemployment levels (article in Russian).

Tags on an ad offering a job amid the crisis

Some jobseekers lost all hope to find steady, legitimate employment and began to search on dark web forums, spawning a surge of resumes there. As a result, we observed the highest ad numbers, both from prospective employers and jobseekers, or 6% of the total, in March 2020.

Posting dynamics on dark web job forums in 2020–2022 (download)

Ads seeking jobs were significantly fewer than those offering, with just 17% of all ads we found related to employment. The statistics suggest that jobseekers respond to job ads by prospective employers more frequently than they post resumes.

Resumes posted on dark web forums target diverse areas of expertise and job descriptions: from moderating Telegram channels to compromising corporate infrastructure. This study focused on IT jobs specifically. We analyzed 867 ads that contained specified keywords, 638 of the ads being vacancy postings and 229 being resumes.

The most in-demand professionals on the dark web were developers: this specialization accounted for 61% of total ads. Attackers (pentesters) were second, with 16%, and designers came third, with 10%.

Distribution of dark web job ads across specializations (download)

Selection criteria

The methods of selecting IT professionals on the dark web market are much the same as those used by legitimate businesses. Employers similarly look for highly skilled workforce, so they seek to select the best candidates.

Selection criteria in dark web job postings. The percentages presented were calculated out of the total number of ads that clearly stated selection criteria (download)

Job postings often mention test assignments, including paid ones, as well as interviews, probation periods, and other selection methods.

Job posting that offers applicants a test assignment

One job ad even contained a detailed description of the employee selection process. An applicant had to undergo several rounds of screening, test assignments involving encryption of malware executables and evasion of protective measures, and a probation period.

Example of a candidate selection flow

The absence of addictions, such as drugs and alcohol, is one of the requirements peculiar to the recruitment process on the dark web.

Job posting saying that only those free from addictions can be selected

Employment terms

Employers on the dark web seek to attract applicants by offering favorable terms of employment, among other things. The most frequently mentioned advantages included remote work (45%), full-time employment (34%), and flextime (33%). That being said, remote work is a necessity rather than an attractive offer on the dark web, as anonymity is key in the world of cybercrime. You can also come across paid time off, paid sick leaves, and even a friendly team listed among the terms of employment.

Employment terms in dark web job postings. The percentages presented were calculated out of the total number of ads that clearly stated the terms of employment (download)

Cybercrime groups, who look for the most highly skilled professionals, offer the best terms, including prospects of promotion and incentive plans.

Employment terms in a dark web job posting

These groups may conduct performance reviews as did Conti. The reviews may result in the employee receiving a bonus or being fined due to unproductivity. On top of that, some underground organizations run employee referral programs offering bonuses to those who have successfully engaged new workers.

Similarly to the legitimate job market, dark web employers offer various work arrangements: full time, part time, traineeships, business relationships, partnerships, or team membership.

Job posting that suggests cooperation

The absence of a legally executed employment contract is the key differentiator between the dark web and the legitimate job market. This is not to say that you never come across perfectly legal job ads on the dark web. For instance, we discovered several ads seeking a developer for a well-known Russian bank and mentioning a legally executed contract and voluntary health insurance.

Legitimate job ad found on the dark web

Levels of compensation

We analyzed more than 160 IT job ads that explicitly stated a salary^[1]. When reviewing the statistics, it is worth bearing in mind that dark web employers typically state rough salary figures. Many employers provide a pay range or a lower limit.

Job posting that indicates a ballpark level of compensation

Your level of compensation may grow with time depending on how much effort you invest, your contribution, and how successful the business is on the whole. Compensation is typically indicated in dollars, but in practice work is often paid for in cryptocurrency.

The diagram below shows the minimum and maximum levels of compensation for selected IT jobs.

IT pay ranges from dark web job ads (download)

The most highly paid job at the time of the study was coding, commanding a maximum of $20,000 per month. However, the lower limit there was the smallest: just $200.

Example of offer with the highest salary for developers

The median monthly salary of a reverse engineer was also notably high at $4,000.

Median monthly IT salaries on the dark web

Some dark web job ads promised levels of compensation much higher that the figures quoted above, but it included bonuses and commissions from successful projects, such as extorting a ransom from a compromised organization.

Not every job posting made the compensation statistics, as some looked suspicious or openly fraudulent.

Thus, a job ad on the dark web promised up to $100,000 per month to a successful pentesting candidate. Interestingly enough, the work was described as “legal.”

Job posting on a dark web forum offering an inflated compensation figure

Besides the usual hourly, daily, weekly, and monthly rates, there are other forms of compensation that serve as the base pay or complement it. You could come across job ads that offered wages to be paid for completing a job: hacking a website or creating a phishing web page.

Various performance-dependent commission was often promised in addition to the salary. For example, a pentester could be promised a monthly salary of $10,000 along with a percentage of the profits received from selling access to a compromised organization’s infrastructure or confidential data, extortion, and other ways of monetizing the hack.

Example of a job ad that offered a salary and a performance bonus

Candidates were often offered commission only. In several cases, no compensation of any kind was provided. Applicants were offered to work pro bono, for promised commission, or for a share of the profits in the future.

Example of an unpaid job ad

Takeaways

The dark web is a versatile platform that cybercriminals not only use for striking deals and spreading illegal information, but also for hiring members to their teams and groups.

The data provided in this report shows that demand for IT professionals is fairly high on cybercrime websites, with new team members often being salaried employees. It is interesting, too, that cybercrime communities use the same methods for recruiting new members as legitimate organizations, and job ads they post often resemble those published on regular recruitment sites.

The ads we analyzed also suggest that a substantial number of people are willing to engage in illicit or semilegal activities despite the accompanying risks. In particular, many turn to the shadow market for extra income in a crisis. Thus, the number of resumes on dark web sites surged as the pandemic broke out in March 2020. Although dark web jobs could be expected to pay higher than legitimate ones, we did not detect a significant difference between the median levels of IT professionals’ compensation in the cybercriminal ecosystem and the legitimate job market.

Software development proved to be the most sought-after skill, with 61% of all ads seeking developers. This could suggest that the complexity of cyberattacks is growing. The higher demand for developers could be explained by a need to create and configure new, more complex tools.

It is worth noting that the risks associated with working for a dark web employer still outweigh the benefits. The absence of a legally executed employment contract relieves employers of any responsibility. A worker could be left unpaid, framed or involved in a fraudulent scheme.

It is not worth forgetting the risks of being prosecuted, put on trial and imprisoned for the unlawful activities. The risks of cooperating with hacker groups are especially high, as deanonymization of their members is a priority for cybercrime investigation teams. The group may be exposed sooner or later, and its members, face jail time.

To inquire about threat monitoring services for your organization, please contact us at [email protected].

To get the full version of the report, please fill in the form below. If you cannot see the form, try opening this post in Chrome with all script-blocking plugins off.

^[1] Salary levels expressed in Russian rubles were converted using the effective rate at the time of the study: 75 rubles per dollar.