In late January 2023, Kaspersky Lab published a report on dark web ads looking for specialized skilled individuals. The company researched the job offers in the underground for over 30 months and found that criminals and gangs (mostly those associated with advanced persistent threat or established criminal groups) posted more than 200,000 ads looking for individuals with experience in developing software, maintaining IT infrastructure, and designing websites to support criminal activities and email campaigns. Notably, the peak of this solicitation occurred during the COVID pandemic period, when the larger hostile actor ecosystem sought to leverage the uncertainty brought on by the tumultuous environment to their operational advantage, executing campaigns against a distracted world populace.
The report yielded some interesting insight into both the dark web and where the more advanced groups look to recruit qualified individuals. Per some of the company’s findings, approximately 61% of ads posted actively pursued developers, which is not surprising as the ability to create new malware and identify new, previously undiscovered exploits is at a premium, commanding the highest monthly salaries. Per Kaspersky, one ad paid a monthly remittance of USD 20,000, a huge amount given that the median levels of pay for other professional services varied between USD 1,300-4,000/month. This is not surprising given that sophisticated malware development typically occurs within a team structure with software lifecycles and where progress is documented like in a legitimate software business, according to one cybersecurity expert. Other highly sought-after skill sets included attack specialists and individuals able to create fake websites.
The solicitation for talent is neither unexpected nor surprising, given the increased professionalization of the cybercrime ecosystem and adoption of legitimate business practices to help spur this criminal industry. According to at least one cybersecurity global consulting firm, cybercrime is now estimated to be worth USD 6 billion, making it the world’s third largest economy. Therefore, recruiting and retaining the best individuals is a must for enterprising groups that want to remain profitable and sustainable. And while some may stick to tried-and-true crimes such as spam, phishing, and ransomware, the innovative groups are looking to expand their repertoires and gain a foothold in emerging technologies that will attract more customers. In 2023, hostile actors are expected to expand their efforts and go after electric vehicles, supply chains, and cloud services, which will require individuals knowledgeable about these advanced technologies to exploit effectively and stealthily.
For a criminal enterprise, the cybercrime underground continues to mimic its legitimate counterparts. In addition to operating more like authentic businesses, these groups must not only compete with their rivals to attract the best talent; like real companies, they must also vet prospects to ensure that they are indeed qualified. Kaspersky found that groups will put viable candidates through a multi-stage hiring process that includes submission of a resume, a formal interview, test assignments, and even a probationary period. And perhaps even more telling is how gangs “sell” their brand to prospective applicants, citing the advantages of remote work, full-time employment, and the ability to work flexible hours more tailored to the needs of the applicant. This is the same nomenclature found in legitimate company employment ads to entice candidates.
It appears that the criminal underground is facing the same problems as legitimate businesses in trying to attract the right talent for its needs. There has been substantive literature on the difficulties businesses face in attracting qualified individuals for their IT needs. As such, competition is fierce, and because of this, one State of Cybersecurity study found that nearly 60% of enterprises had difficulties in retaining their cybersecurity talent, which was largely the result of being lured away by other companies. The frequency of such losses is impactful, with the cybersecurity industry estimated to be short 3.4 million workers in 2022. Simply said, there are insufficient personnel resources to fill those positions being actively recruited. And in some instances, organizations are looking for individuals to do everything, thinking that these professionals’ experience should be applicable throughout the entire cybersecurity enterprise ecosystem, a near-impossible role for any individual to fulfill.
As 2023 progresses, the legitimate and criminal ecosystems will continue to mirror each other in their IT needs. Competing and rival entities will aggressively go after individuals that they see benefiting their enterprises, offering incentive packages, bonuses, and even profit-sharing. It seems even criminals have the same employment concerns as their legitimate world counterparts, looking for career opportunities, flexible work schedules, and above all, maximum compensation. What’s becoming clear is that the availability of the better skilled individuals is outpacing the demand for their services. As global economic conditions stagnate and organizations look to tighten their financial belts to include implementing partial or even full hiring freezes, the cybercrime ecosystem will try to take advantage of this opportunity as some businesses try to weather the downturn with understaffed and under-resourced IT security staffs. This is a worrisome situation.
Cybercrime’s employment opportunities are disconcerting given the types of talent being recruited. These suggest an appetite for developing the next generation of tools needed as newer technologies are implemented into enterprises, devices, and products. Going without comparable talent knowledgeable about these technologies to counter these attacks is not a worthwhile gamble. Law enforcement efforts have been admirable and successful, but there are not enough of them to make a noticeable dent in cybercriminal activities, nor to deter criminals from doing what they do best. The job postings on the dark web are a red flag for the attacks of the future. The more sophisticated criminals are planning and getting the capabilities in line for the next evolution of attacks. Organizations should be doing the same, preparing accordingly now in anticipation of them. Otherwise, they will find themselves in the same position they are in now. And judging from the profit being generated from cybercrime, that’s not a good place to be.