The Kaspersky Digital Footprint Intelligence team studied the labor market on the dark web. After analyzing 200,000 ads published between 2020 and 2022, it turned out that among the professionals most in demand by the cybercriminal community were the profiles of developers, attackers and designers. According to experts, among the professional skills needed to check job postings are the creation of malware and phishing pages, hacking into the digital infrastructure of companies or hacking web and mobile applications. The average level of remuneration offered to these professionals ranges from $1,300 to $4,000 per month.
The Kaspersky Digital Footprint Intelligence (DFI) team reviewed jobs and resumes posted on 155 dark web forums between January 2020 and June 2022, analyzing information related to information about long-term or part-time jobs. According to the collected data, about 200,000 vacancies were posted on the dark web during the study period. 41% of these ads were published in 2020, with activity peaking in March, possibly due to a drop in income for part of the population as a result of the pandemic.
Monthly dynamics of the number of job postings and job postings on darknet forums in 2020-2022
Kaspersky Lab experts carefully analyzed more than 800 IT vacancies on the dark web and selected ads that directly mention wages (about 160), although most of the ads indicate an approximate salary. Mentioned average salary ranges from $1,300 to $4,000 per month, with the highest average salary being offered for profile reverse engineering.
Average monthly salary of IT professionals on the dark web
The highest salary noted by Kaspersky Lab experts is for a developer position in the amount of $20,000 per month, while the lowest salary does not exceed $200. Please note that some of these announcements include bonuses and commissions for completed projects (such as a completed ransom note).
Developers, attackers and designers top the list of the most in-demand professions on the dark web
Developers are the most in-demand professionals on the dark web, accounting for 61% of all ads. Among them, web developers are most in demand, needed to develop various digital products, such as phishing pages (60% of developer offers). Malicious coders are also welcome. This job description may include developing Trojans, ransomware, thieves, backdoors, botnets, and other types of malware, as well as creating and modifying attack vectors.
Distribution of job offers on the dark web by specialization
“Intruders”, IT professionals who carry out attacks on networks, web applications and mobile devices, are the second most sought-after cybercriminal job market with 16% of advertising. The position closest to a legitimate job in this context is that of a pentester (pentester). Most of the vacancies of cybercriminals on the darknet are related to actions aimed at compromising the infrastructure of companies. The purpose of these actions is to distribute ransomware, steal data or steal money directly from hacked accounts. Some cybercriminal recruitment groups seek to sell access to compromised systems to other cybercriminals or hack web and mobile applications.
With 10% advertising, designers are the third most in-demand professional category. Developers are usually responsible for creating a malicious product, such as a phishing page or email, that will be difficult to distinguish from its legitimate version.
On the dark web, employers are also looking for IT administrators, reverse engineers, analysts, testers, and representatives of other less common IT professionals: engineers and architects, repairmen, technical writers, forum moderators, or even managers and project managers.
An example job posting for a reverse engineer
“Searching for specialized IT profiles is one of many topics that are constantly discussed on the Dark Web. For companies that want to proactively respond to cyber attacks and maintain their IT security at the highest level, it is important today to monitor the interests of the cybercriminal community and analyze its activities on an ongoing basis. The more you know about your adversary, the better prepared you are,” said Polina Bochkareva, security analyst at Kaspersky Lab.
To learn more about the dark web job market, visit Securelist.
To protect against business threats, Kaspersky Lab researchers recommend implementing the following measures:
- Continuous monitoring of searchable dark web resources greatly improves coverage of various potential threat sources and allows customers to monitor attacker plans and trends. This monitoring is one of the tasks of the Digital Footprint Intelligence service from Kaspersky Lab.
- Use a variety of threat intelligence sources (covering resources from the surface web, deep web, and dark web) to stay on top of the actual TTPs being used by attackers.
- Dedicated services can help fight high-profile attacks. The Kaspersky Managed Detection and Response service helps you detect and stop intrusions at an early stage, before attackers reach their goals. If you encounter an incident, the Kaspersky Lab service will help you respond and minimize the consequences. For example, it can identify compromised hosts and protect the infrastructure from similar attacks in the future.