Underground HR: recruiting on the dark web

Illegal businesses in the shadow economy need employees no less than their legal counterparts. Let’s take a look at how “dark HR” works.

Vacancies and recruiting on the dark web

Cybercrime, like any other business, needs employees. But where do they come from? It’s not as if ransomware operators place ads on regular recruitment sites. As you might expect, criminals fill their ranks from the same place where they carry out their shady business (buying/selling illegal substances, stolen data and hacking services, among other things) — the dark side of the internet. Our experts who monitor threats to organizations on the dark web have studied the shadow labor market and found a huge number of job ads there. This post covers their main observations.

Who dark HR is looking for

Most jobs on the dark web involve semi-legal or outright illegal activities, such as hacking websites or corporate databases. Such “vacancies” can swiftly land applicants in the dock but, regrettably, that doesn’t always seem apparent to them. For instance, a seemingly harmless design job advertised on a dark web forum almost certainly involves creating fake websites and phishing e-mails mimicking those of bona fide companies.

Some perfectly legal positions also crop up from time to time, with a proper employment agreement, vacations, and even health insurance. These are normally vacancies for developers of educational courses and banking staff, as well as some positions that require specialists in a narrow field — primarily reverse engineers and pentesters. For companies legally operating in these areas, it makes sense to seek out candidates in their own habitat — the dark web. Unfortunately, it’s hard to distinguish an above-board vacancy from a criminal one, not least because hacker groups themselves refer to hackers as “pentesters” and don’t always include the dodgy details in the job description.

There are significantly more job offers than job seekers (the latter just 17%) on the dark web. According to our experts, dark web users prefer to respond to job ads personally rather than posting on forums. Most in demand are developers (61% of vacancies), followed by said “pentesters” (16%), and designers (10%).

Pay package and working conditions

One might assume that the risks of working on the “dark side” are compensated by higher wages, but the data doesn’t confirm this. True, there are offers with astronomical sums like US$100,000 salary per month, but most likely these are scam ads. The median monthly salary for a developer (according to ads offering the position) is US$2,000, and for a pentester — US$2,500. Reverse engineers stand out from the crowd with a median of US$4,000.

In general, it’s relatively rare for ads to specify a pay package, while sometimes a regular wage isn’t envisioned at all. Payment is often offered on a piecework basis, with some ads offering a percentage of the “profits” (including victims’ ransom payouts for decrypting their data). Bonuses often make up a significant portion of the remuneration.

Some hacker groups calculate payouts based on performance review, with bonuses and penalties for high and low scores, respectively. For high-level positions, there may be promises of paid vacation and sick leave, steady salary growth and career development, and other goodies, just like a legitimate company would offer. The types of employment range from internships and part-time work to business partnerships.

As a rule, income is specified in US dollars, but payments are made in cryptocurrency.

Terms of employment

The shadow economy, like the legal one, needs professionals, so the job requirements are similar. But its underground nature presupposes a high level of anonymity on the part of both job seekers and employers. As such, resumes are mentioned in around one in three vacancies, and interviews in just one in four. The main method of selecting candidates is through test assignments — often paid.

These can be multistage, from basic testing of technical skills to actual work tasks and a probation period. A curious feature of dark web job ads is the oft-encountered requirement for abstinence from alcohol and drugs.

Who’s drawn to the shadows

The combination of a none-too-spectacular salary and high-risk activity ought to discourage all but the most swashbuckling of job seekers from seeking employment in the dark corners of the web. But the reality is that vacancies do find their applicants. More often than not, it’s life circumstances that force people to go over to the dark side. For instance, there was a surge in ads in March 2020, when many found themselves in lockdown with no source of income. Among the dark web job seekers you can also find:

  • Those desperate to find work at a suitable level and hoping to get it in the shadow sector;
  • People trying to cut ties with the state and/or evade tax;
  • Freelancers who have switched to cryptocurrencies after no longer being able to earn money from Western exchanges;
  • Candidates with problems: criminal records, on the run, illegal immigrants, no education, bad reputation in the IT HR community;
  • Those looking for a part-time job for a couple of months, for example, during self-isolation;
  • Swashbucklers with a romantic, inflated sense of their own exceptionalism (well-described in the movie Live Free or Die Hard, aka Die Hard 4.0).

Is the juice worth the squeeze?

If you ever find yourself thinking about looking for work on the dark web, remember this: risks associated with criminal activity always outweigh the possible benefits. Hacker groups are being targeted and de-anonymized the world over, and the chances of getting away with it are slim. And besides the real possibility of jail time, such jobs offer no guarantee of getting paid on time — or at all.

You can download the full report after filling in a simple form at the end of the Securelist blogpost.