Why Cybercriminals Still Look for Skilled Developers on Darknet Sites

Over the past several months, the darknet has undergone a series of changes that reflect a shakeup of the underground cybercriminal economy.

In one case, Joker’s Stash, one of the largest and most well-known underground markets that specialized in the buying and selling of stolen payment card data, announced in January that it would close shop in mid-February. The administrator of the site announced that the time was right to “retire,” according to analysts from Gemini Advisory and numerous other reports.

At around the same time, Europol, the EU’s law enforcement intelligence agency, announced that a global law enforcement operation shuttered DarkMarket, one of the world’s largest underground markets that trafficked in all types of illicit goods, from drugs to malware to stolen credit card data.

A few weeks later, the U.S. Justice Department, with help from Bulgarian authorities, seized the servers and infrastructure that supported the darknet websites of the NetWalker ransomware gang. Adding to the string of law enforcement disruptions, Europol announced that it had seized the servers that supported the Emotet botnet, one of the longest-running and most disruptive cybercriminal services ever created.

While the busts and criminal cases brought by law enforcement help put a temporary dent in the cybercriminal underground, the darknet economy continues to thrive. By some estimates, global cybercrime is expected to cost the world $6 trillion in 2021, which would make these underground markets and ongoing criminal operations the world’s third-largest economy, behind only the U.S. and China.

In the few weeks after Joker’s Stash announced its so-called retirement, security firms Kela and Flashpointalready found other underground sites with names such as Brian’s Club, Vclub, Yale Lodge and UniCC lining up to take its place. This includes ramping up their advertising and market campaigns as well as offering services such as a self-hosted checking service, which allows a buyer to check to see if the card data being bought is valid.

“Underground markets are used by threat actors to buy and sell tools, information, and access,” Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint, told Dice. “They facilitate the sale of stolen credentials to other threat actors, who in turn use them to access accounts where they can steal more information or launch further attacks. The trade in credential access continues to be an alarming part of the underground economy that powers the threat landscape.”

Surface Reflection

For analysts and researchers that study the darknet economy, these cybercriminal forums and sites offer a mirror reflection of the surface (or “clear”) web, at least in terms of the basics of connecting buyers and sellers.

“Similar to all normal business, business on the dark web requires sellers and buyers and services providers. In order for the economy to move there must be people who have wares to sell and people to buy them,” Brandon Hoffman, CISO at security firm Netenrich, told Dice. 

“Critical to the business of stolen credit cards are card shops. These shops, like Joker’s Stash, act as a one-stop place where sellers of stolen card data and buyers come together,” Hoffman said. “In the particular case of Joker’s Stash, being the number one card shop on the dark web, its closure introduces a temporary crippling on the ability for these types of cybercriminals to conduct business.”

And with the aboveground or surface web economy, those administrators and owners of these underground and darknet sites require those with certain skills, said Kristina Balaam, a senior security intelligence engineer with Lookout: “There’s quite a bit of overlap between the skills considered desirable for businesses operating on the dark web and the surface web. Dark web marketplace listings for general software engineering skills to develop phishing sites, malware or conduct illegal penetration tests. Malware developers often require the same skills as non-malicious software development or SaaS companies: digital assets, web or application developers, copywriters, etc.” 

Balaam added: “It’s entirely possible—though we don’t exactly know how common—that those with engineering experience for legitimate, non-criminal enterprises could shift their careers toward criminal activities: many of the skills are transferable.”

Dark Skills

Studies conducted by security firm Digital Shadows and its Photon Research Team, which track underground and cybercriminal sites such as the now-defunct Joker’s Stash, point out that both above-ground and darknet sites require certain programming skills for workers.

What makes a difference on the darknet is that administrators may value someone who knows the specifics of international law regarding server hosting and how to skirt law enforcement, or those who know how to ensure cryptocurrency payment can be taken for anonymous payments.

Other skills can include how to promote sites and forums on the darknet to attract buyers and sellers, since these marketplaces can’t take advantage of normal SEO best practices, according to Photon Research.

“Prestigious cybercriminal sites must ensure their high-level technical discussions are not diluted by new and inexperienced members,” said one member of the Photon Research team who asked not to be named due to the sensitivity of their research into cybercriminal forums. “Some forums, such as Dread, have dedicated sections for marketplaces to answer queries from members, while non-criminal platforms might instead utilize social media to directly communicate with their audience.”

The one thing that is more difficult on the darknet than on the clear web, however, is outsourcing projects. “Operators of dark web platforms have much less ability to outsource projects as they must remain suspicious of others and maintain their anonymity and the site’s security, meaning they must often learn the required skills themselves,” the Photon researcher told Dice.