Cyber criminal groups wooing hackers with seven-figure salaries and holiday pay

A person at a computer looking dejected with one hand on their head staring at computer code
(Image credit: Getty Images)

Cyber criminal groups have been found to be attracting hackers and tech professionals alike with white-collar employment benefits and huge salaries as high as $1.2 million.

Analysis from Kaspersky found that the spike in cyber crime over the last two years has prompted some groups to accelerate hiring to keep pace with demand.

Researchers at the firm analysed more than 200,000 employment ads posted on dark web pages between January 2020 and June 2022.

The result concluded that the volume of ads increased rapidly during the onset of the pandemic, surpassing an average of 10,000 ads per quarter - a figure that peaked in March 2020.

“A total of roughly 200,000 employment-related ads were posted on the dark web during the period in question,” researchers said. “The largest number of these, or 41% of the total, were posted in 2020.”

"Posting activity peaked in March 2020, possibly caused by a pandemic-related income drop experienced by part of the population,” the security firm added.

Dedicated 'hacker’ roles weren’t the only area in which cyber criminal groups were found to be seeking additional expertise.

Groups increasingly sought out staff to fill developer, admin, and designer positions while other in-demand roles included software engineers and network testers.

Job ads seeking developers were the most frequent, the study revealed, accounting for 61% of the total. Similarly, developers also topped the list of the best-paid dark web-sourced IT roles, with the largest monthly salary standing at $20,000.

Employee incentives

Dark web job listings highlighted by Kaspersky bore similarities to an average tech sector job advert. Groups seeking new starts frequently offered a range of incentives such as holiday pay, flexible working hours, and future employee referral bonuses.

“Employers on the dark web seek to attract applications by offering favourable terms of employment, among other things,” researchers said. “The most frequently mentioned advantages included remote work, full-time employment, and flextime.”

“You can also come across paid time off, paid sick leaves, and even 'a friendly team' listed among the terms of employment.”

Some groups were also found to conduct regular performance reviews, researchers found. This practice was commonplace in the Conti cyber crime group and saw employees granted bonuses based on exemplary performance or fines due to poor productivity.

Risk and reward

The reasoning behind some dark web users seeking roles can vary, researchers suggested. Some may be seeking alternative income streams while others may have lost jobs during the onset of the pandemic in 2020.

“People may have several reasons for going to a dark web site to look for a job. Many are drawn by expectations of easy money and large financial gain,” researchers wrote.

The study also noted that while some jobs advertised on the dark web offered more than what an individual could earn legally, there was little difference between the average level of IT professionals’ pay on both sides of the legal divide.

“Although dark web jobs could be expected to pay higher than legitimate ones, we did not detect a significant difference between the median levels of IT professionals’ compensation in the cyber criminal ecosystem and the legitimate job market.”

Accelerating operations

Rik Ferguson, VP of security intelligence at Forescout, told IT Pro this research highlights the growing sophistication of cyber criminal groups and their demand for technical expertise across a range of fields.


Storage's role in addressing the challenges of ensuring cyber resilience

Understanding the role of data storage in cyber resiliency


“For many years now, cyber crime has been a highly distributed and specialised field. One criminal gang might contract out specific requirements to independent specialists offering services such as 'crypting', escrow, money mules, coding, and many more,” he said.

“Recently though, some of the more established and successful ransomware threat actors (LockBit for example) have hired professionals, particularly in software development, directly into their operation.”

Ferguson added that this recruitment trend could be due to a need to improve operational efficiency and maximise the impact of offensive capabilities.

“Some of this is for efficiency, the ability to control the development of a more effective 'product' and thus recruit more affiliates to spread the ransomware,” he said. “Some of it may well be driven by competitive and confidentiality concerns around keeping their operation insulated, both from their criminal competition and from law enforcement.”

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at, or on Twitter and LinkedIn.