Hackers for hire: The scam within the scam

by Black Hat Middle East and Africa

Hackers-for-hire have been in the mainstream media again recently, after a data leak from a cybersecurity firm in China revealed that hiring hackers is an increasingly common practice. It’s happening worldwide, and it poses a major security risk to governments and private organisations – with hired hackers earning tens of thousands of dollars to harvest data from targets, feeding it back to their clients. 

Malicious hackers-for-hire are a real (and growing) problem. But the vast majority of malicious hacking services advertised on the dark web are not legitimate – and that is a problem, too. 

Scam by false promises 

Research shows that many hackers offering for-hire services are actually scams – with only a small number of them delivering what they promise. 

The service providers often lack the skills required to complete the tasks they’re offering, or they simply never have any intention of doing the job, knowing that there’s little chance of clients being able to file complaints or seek compensation.

A 2019 study by researchers at Google and UC San Diego, for example, found that only five out of 27 hacker-for-hire services actually launched attacks against targets. 

Of course, things have changed since then. The proliferation of more affordable and accessible cyber tools and automation means that the barriers to entry for malicious hackers are lower than before; it’s easier to launch attacks without being a skilled hacker, and easier to scale those attacks too. Threat actors can deploy services and intelligence that just weren’t available to them before – so while we haven’t been able to find reliable data on this, it’s reasonable to assume that genuine hacker-for-hire services are becoming more prevalent.

A 2023 report by the UK’s National Cyber Security Centre (NCSC) predicted that the number of hackers for hire will grow over the coming five years, driving growth in the number and frequency of cyber attacks.

Jonathon Ellison (Director of Resilience and Future Tech at NCSC) told Sky News,

“Our new assessment highlights that the threat will not only become greater but also less predictable as more hackers for hire are tasked with going after a wider range of targets and off-the-shelf products and exploits lower the barrier to entry for all.”

An unregulated space where clients are unprotected and vulnerable  

The services offered by hackers-for-hire are wide ranging: from personal attacks against individuals, to attacks against specific websites, DDoS attacks, and attacks that target large-scale organisations in both the private and public sectors. 

So when it comes to getting scammed by the false promises of a hacker-for-hire ad, the scope of potential victims is wide-ranging too – from individuals with a vendetta against someone, to groups wishing to compromise a corporation or government organisation; and everyone in between. 

Should we care? If someone goes and hires a hacker for malicious purposes, isn’t it fair if they get scammed?

Well, yes, maybe. But the rise of hacker-for-hire scams represents a bigger problem. It shows that malicious hacking is an increasingly lucrative enterprise, and that the anonymity of online spaces creates the conditions for new scams all the time. And crucially, it puts those who are legitimately seeking a hacker-for-hire (or pentester) at risk – those who want to test the security of their own network assets may come up against a scammer instead of a genuine hacker, incurring financial losses and potentially reputational damage too.

How can clients identify a legitimate hacker-for-hire? 

When engaging a pentester, clients should always: 

  • Look in the right places. This means reputable hacker platforms and reliable word-of-mouth recommendations, not the dark web or anonymous hacker forums.
  • Thoroughly check references and reviews. Past clients should be willing to share information about the quality of the hacker’s work (and those clients should be easily identifiable as legitimate, too).
  • Ask for proof of credentials. Sometimes this is in the form of certification, but sometimes it’s not; a genuine pentester should be willing to share their work history where it doesn’t infringe on the privacy of past clients, and they should be comfortable talking openly about why they do what they do.
  • Know who your hacker is. They’re probably going to have privileged access to confidential data at some point during the process, so you must be able to conduct thorough background checks on them – the real person, not the digital avatar.
  • Put a contract in place. And wherever possible make this your contract – not theirs. Make sure it covers the scope of the project, payment terms, and a Non-Disclosure Agreement to protect any sensitive data that the hacker might access. And if your pentester pushes back against the idea of having a contract at all, then walk away. 

Join us at Black Hat MEA 2024 to learn directly from the world’s best ethical hackers. Meet them face-to-face, gain insights into how they work, and build relationships to ensure you have the best pentesters in your contact book when you need them.
