Hackers for hire: The dark web, pen tests, and beyond

William Self | 10/30/2023

Hackers for hire are ready to do business, but pen tests can mitigate risk.

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance. In this article, a Crowe cybersecurity specialist details how organizations can strengthen their security posture by investing in pen tests.

As the digital landscape evolves, organizations need to remain vigilant against the threat of hackers for hire. By understanding the risks and taking proactive measures, organizations can better protect their networks, customers, and bottom lines. Exploring the world of hackers for hire – including how and where these services are typically sourced, who pays for them, and what impact they can have – offers insight on steps that organizations can take to protect their networks, data, and sensitive information by investing in penetration tests (pen tests).


Sourcing hackers for hire

Hackers for hire are malicious actors who offer their services to carry out attacks on behalf of others or as a service. Such services include malware as a service (MaaS), ransomware as a service (RaaS), phishing as a service (PhaaS), distributed denial of service (DDoS) as a service, and other targeted attacks on specific systems or environments.

Hacker-for-hire services are available in abundance on the dark web. The dark web is an uncontrolled part of the internet that is not indexed by search engines, and as such, not subject to the same filtering that the Chrome™, Safari®, or Firefox™ web browsers perform. The dark web is a notorious hub for hackers for hire who offer a range of services such as MaaS, RaaS, PhaaS, and DDoS attacks. On dark web marketplaces, potential clients can browse through the offerings of various hackers and select the services they need. Payments are typically made in crypto assets, which, depending on the type and cash-out process, can provide anonymity for both parties involved. Privacy-centric coins such as Monero, Zcash, and AXEL tend to provide the highest level of anonymity, though investigators can still apply wallet analysis techniques to identify individuals associated with each transaction.

Hacker-for-hire services also exist beyond the dark web: hackers for hire can be found on social media platforms and messaging apps such as WhatsApp and Telegram, which appeal to hackers and to the customers who pay for their services because these apps provide end-to-end encryption of all messages.

How easy is it?

Crowe cybersecurity specialists conducted an investigation to see just how easy it would be to hire a hacker both on the regular and the dark web. Our team found that DDoS services seem to be the simplest option. Just by searching with terms like “IP booter” or “IP stresser” and using advanced techniques to find forum- and community-specific lists of these tools, our team obtained the following information from active sites offering hacker-for-hire services.

DDoS services are often presented by tier, based on resource use, application programming interface (API) access, and attack duration. One list of hacker-for-hire services offered four tiers: Tier 1 offered a continual attack duration of 300 seconds. Tier 4 offered a duration of 3,600 seconds and access to the developer API (dev API) for use in other applications.

Exhibit 1: DDoS services (image not reproduced)
Source: Crowe analysis, August 2023

DDoS services are easily accessible and affordable to any individual or group with some disposable income. However, our team wanted to look for more significant hacker-for-hire services, such as malware or ransomware. To do that, our team downloaded a dark web browser and looked for hubs offering those services.

Our team used search engines built for the Tor browser and searched for terms such as “ransomware” or “ransomware as a service” and discovered several marketplaces, vendors, and even individual developers offering custom payloads for customer-requested use cases. Some marketplace offerings provided guaranteed escrow, which points to a certain “professionalism” and the volume of resources used to market, sell, and purchase such services. Some marketplace offerings also included malware, adware, worms, and keyloggers, among other custom-developed tools. Most of these services came with developer support for setup and execution of each tool.

Through our research on the dark web, our team also found a market selling stolen crypto asset wallets, offering access to the wallets’ private keys in exchange for a separate payment of bitcoin (BTC). A sample listing follows:

Exhibit 2: Crypto asset wallets (image not reproduced)
Source: Crowe analysis, August 2023

On the dark web, our team also identified bad actors offering full menus of services that included service names, prices, and descriptions for each listing. Beyond menus, several sites provided detailed payment instructions, complete with accepted methods, escrow of services, middlemen services, invoices, customer registration, and customer service portals. Following is an example of a services menu our team encountered:

Exhibit 3: Hacker-for-hire services menu (image not reproduced)
Source: Crowe analysis, August 2023

Investigation results

What we discovered in our investigation is that anyone with internet access can hire hackers, employ their services, and even purchase compromised credentials, wallets, and personal information. These threats should be taken seriously, and organizations and individuals should take appropriate action to mitigate these threats before they are actualized.

The offerings our team identified were all deliverable services based on certain exploitation criteria, the hacker’s skill set, and the available tool kit. Additionally, most were reasonably affordable for any individual with the funds and motivation to purchase services. The scope of hacker-for-hire services is limited only by a target’s online presence. Theoretically, anyone can become a hacker’s target for the right price.

Typical customers

According to a report by the cyberthreat intelligence firm Mandiant, the most significant clients for hackers for hire are government-sponsored groups like UNC2589 and APT28.

Government-sponsored groups use hackers for hire to carry out espionage, sabotage, or any other disruption against their rivals. Corporate entities sometimes use hacker-for-hire services to gain access to competitors' trade secrets (such as recipes or internal documentation) or customer financial data, or even to take down a competitor's website through a DDoS attack. Individuals use hacker-for-hire services for personal reasons, most notably revenge or specific personal goals such as self-enrichment.

Potential customers don’t need to understand how DDoS works, why it’s harmful to businesses, or the consequences of carrying out attacks. All they need to provide is a target and payment. Hiring a hacker for DDoS services can be accomplished simply by searching for keywords.

Serious consequences

Attacks carried out by hackers for hire can have devastating effects on organizations and individuals. In addition to the direct financial costs associated with a breach, organizations suffer reputational damage. Customers might lose trust in a business that has been breached, leading to a loss of revenue. According to a 2022 report by IBM, 83% of organizations have experienced more than one data breach.

But hacker-for-hire attacks can also have serious consequences for the hackers themselves when they’re caught. In December 2022, the Federal Bureau of Investigation (FBI) seized approximately 48 domains in relation to DDoS-for-hire services. The domains were run by six individuals, who were later arrested and are facing criminal charges. The FBI linked the 48 domains to DDoS attacks targeting educational organizations, government agencies, and notable gaming platforms between 2014 and 2022. While these sites are no longer active, it is worth noting that they contained wording like “booter” and “stresser.”

Consequences have also rained down on hackers who provide RaaS. In January 2023, the FBI shut down a major Russian crime syndicate known as Hive. The takedown was the culmination of two years of stealth hacking with assistance from other global government entities. Prior to its shutdown, Hive sold ransomware tools and services to affiliates, dating back to spring of 2021.

The importance of pen tests

One of the most effective ways organizations can mitigate the threat of hackers for hire is to hire a hacker – more specifically, a pen tester. Pen testers can evaluate the security of an organization’s external internet presence, its internal network, a specific website or application, and even simulate niche scenarios like ransomware, malware, and social engineering campaigns.

By identifying vulnerabilities through these assessments, organizations can take steps to address them before they can be exploited by malicious hackers. Often, pen tests reveal specific areas in which organizations can make improvements, such as network segmentation, Microsoft Active Directory™ security, and security patches missing across several systems.

Pen testing assessments typically follow a defined structure, with system- and service-specific tools executed to test each set of vulnerabilities. For example, an external pen test almost always begins with service enumeration and port scans, followed by vulnerability scans, exploitation of any identified vulnerabilities, and testing for privilege escalation paths in the environment.

Pen testers also write exploit code, known as a proof of concept, to evaluate known vulnerabilities. After evaluating a client's environment, pen testers provide a report that details each identified finding, with a thorough description and step-by-step remediation guidance for every discovered vulnerability.
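The service-enumeration and port-scan stage described above produces a list of exposed services, and the defender's first question about that list is which of those exposures were never approved. The following script is an added example, not Crowe's code or a tool the article describes: it parses nmap-style grepable (`-oG`) output lines, compares every open port against a per-host approved-exposure baseline, and returns the findings a remediation tracker would ingest, including approved services that the scan did not observe (an outage or a scan coverage gap). The scan lines, host addresses, and baseline are constructed for illustration; the `APPROVED_EXPOSURE` structure and the finding labels are this example's own conventions.

```python
"""Reconcile an external scan against an approved-exposure baseline.

Added example (not Crowe's code). Parses nmap-style grepable output,
flags open services missing from the baseline, and flags approved
services the scan failed to observe.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of nmap -oG "Host:" lines. Each port
# entry carries the fields port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 203.0.113.10 (www.example.test)\tPorts: 80/open/tcp//http//nginx 1.24.0/, 443/open/tcp//https//nginx 1.24.0/\tIgnored State: filtered (998)
Host: 203.0.113.11 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 443/open/tcp//https//nginx 1.24.0/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
Host: 203.0.113.12 (legacy.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 9.3/, 8080/filtered/tcp//http-proxy///
# Nmap done (constructed sample)
"""

# Constructed baseline: the only (protocol, port) exposures approved per
# external host. 203.0.113.13 is approved but absent from the scan above.
APPROVED_EXPOSURE = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},
    "203.0.113.11": {("tcp", 25), ("tcp", 443)},
    "203.0.113.12": {("tcp", 22)},
    "203.0.113.13": {("tcp", 443)},
}

# One port entry: seven '/'-terminated fields.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


@dataclass(frozen=True)
class OpenService:
    host: str
    proto: str
    port: int
    service: str
    version: str


def parse_grepable(text: str) -> list[OpenService]:
    """Return every port reported 'open' in nmap -oG style output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and summary lines carry no port data
        host = line.split()[1]
        # Fields on a Host: line are tab-separated; find the Ports: field.
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # host with no port list (e.g. everything closed)
        for port, state, proto, _owner, svc, _rpc, ver in PORT_RE.findall(ports_field):
            if state == "open":  # filtered/closed ports are not exposures
                found.append(OpenService(host, proto, int(port), svc, ver.strip()))
    return found


def reconcile(scan: list[OpenService], approved: dict) -> list[dict]:
    """Compare observed open services with the approved baseline.

    Produces two kinds of findings: open services that are not in the
    baseline, and baseline entries that the scan did not observe.
    """
    findings = []
    for svc in scan:
        if (svc.proto, svc.port) not in approved.get(svc.host, set()):
            findings.append({
                "host": svc.host,
                "port": f"{svc.port}/{svc.proto}",
                "service": svc.service,
                "version": svc.version,
                "issue": "unapproved exposure" if svc.host in approved
                         else "unknown host on perimeter",
            })
    observed = {(s.host, s.proto, s.port) for s in scan}
    for host, exposures in approved.items():
        for proto, port in sorted(exposures):
            if (host, proto, port) not in observed:
                findings.append({
                    "host": host,
                    "port": f"{port}/{proto}",
                    "service": "",
                    "version": "",
                    "issue": "approved service not observed (outage or scan gap)",
                })
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_grepable(SAMPLE_SCAN), APPROVED_EXPOSURE):
        print(f"{f['host']:15} {f['port']:10} {f['service']:15} {f['issue']}")
```

Run against the constructed sample, the script reports the RDP service on the mail host and the FTP service on the legacy host as unapproved exposures, ignores the filtered port on 8080, and reports the approved but unobserved 203.0.113.13 as a possible scan gap. Feeding real `nmap -oG` output and a baseline maintained alongside the asset inventory turns the pen test's enumeration stage into a repeatable drift check between engagements.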

Pen tests are worth the investment for organizations of all sizes, ranging from restaurants, banks, and e-commerce businesses to large multinational corporations and government organizations. Even the smallest businesses, those least expected to be targets, can be targeted by hackers for hire, and the costs associated with a breach can be devastating.

Pen tests and getting ahead of threats

The rise of hackers for hire poses a significant threat. These malicious actors offer a range of services, including malware, ransomware, phishing, and DDoS attacks, and can be sourced on the dark web, social media platforms, and messaging apps. What’s more concerning is that such attacks can be sourced by anyone, and contracting a hacker for hire continues to be more accessible every day.

While the types of people who pay for these services vary, the consequences for organizations that fall victim to a cyberattack can be catastrophic, including direct financial costs of billions of dollars and reputational damage. One of the most effective ways for organizations to protect themselves is through regular pen testing, which can identify vulnerabilities in a system or network before they can be exploited by malicious hackers. It is always important for businesses to regularly measure the security of their environment and services and to take proactive, preventive measures to improve their security posture.

Microsoft and Active Directory are trademarks of the Microsoft group of companies.
Safari is a trademark of Apple Inc., registered in the U.S. and other countries and regions.
Firefox is a trademark of the Mozilla Foundation in the U.S. and other countries.
