Pandemic Drives 200,000 Job Posts in Evolving Dark Web Employment Ecosystem

As the COVID-19 pandemic triggered widespread layoffs and economic uncertainty, a clandestine labor market emerged on the dark web, revealing a sophisticated underground economy. A comprehensive study by Kaspersky’s Digital Footprint Intelligence division highlights this alarming trend, showing that the dark web has transformed into a functional employment ecosystem. This ecosystem attracts a diverse array of individuals, including laid-off professionals, underpaid developers, digital nomads, and even teenagers seeking quick financial gains.

The findings illustrate a maturing underground economy where job advertisements closely resemble legitimate HR postings and compensation rates align with global tech salaries. However, the nature of the work remains perilous and often criminal.

A Job Market Born of Crisis and Desperation

Kaspersky’s analysis of 155 cybercriminal forums from January 2020 to June 2022 revealed over 200,000 employment-related posts. Key insights include:

• 41% of these posts emerged during the pandemic’s first year.
• Activity peaked in March 2020, coinciding with mass layoffs and rising unemployment.
• Economic desperation compelled many users to seek work, regardless of its legality.

The study also indicated that 69% of job seekers did not specify a preferred field, indicating a willingness to accept any paid work—from software development to scam operations and high-risk cyberattacks. This “any-job-will-do” mindset reflects both economic strain and a significant shift: criminal work is no longer limited to seasoned hackers but has become a fallback for struggling or inexperienced youth. The median age of a dark web job seeker is just 24.

The Dark Web’s Professional Talent Pipeline

Despite its illicit nature, the dark web’s talent pipeline mirrors a polished corporate HR process:

• 82% of employers assigned test tasks.
• 37% required CVs or portfolios.
• 26% conducted interviews.
• Some employers insisted on probation periods, daily deliverables, and even KPIs.

Selection criteria are stringent; one malware developer advertisement required candidates to encrypt files to evade antivirus scans for 24 hours—a test that exceeds the complexity of many legitimate coding assessments.

A Mature Criminal Ecosystem: Who’s Hiring and for What?

While developers accounted for 61% of IT-specific ads in Kaspersky’s earlier findings, the broader criminal marketplace revealed a more complex division of labor designed to support scalable cybercrime operations.

Top in-demand roles across the underground economy include:

• Developers (17%): Responsible for building phishing portals, malware, botnets, ransomware, and automation tools.
• Penetration testers/attackers (12%): Tasked with breaking into corporate networks, escalating privileges, deploying ransomware, and exfiltrating data.
• Money launderers (11%): Focused on moving illicit proceeds through layered cryptocurrency or bank transactions.
• Carders (6%): Engaged in stealing and monetizing payment-card data through fraudulent purchases or dumps.
• Traffers (5%): Funnel victims to phishing pages, scam services, and malicious downloads.

This distribution reflects a well-organized enterprise structure—attack, monetization, infrastructure, and distribution.

Gender Dynamics: Crime Roles Reflect Occupational Stereotypes

Kaspersky’s report also highlights emerging gender-specific patterns in underground job applications:

• Female applicants predominantly sought:

  • Call-center roles
  • Support roles
  • Technical-assistance and communication-driven positions

• Male applicants overwhelmingly targeted:

  • High-risk technical roles (developer, reverse engineer)
  • Financial-crime activities (money mules, mule handlers, carding)

These patterns mirror broader societal workforce divisions, now replicated in criminal labor markets.

Salary Economics: High-Risk, High-Skill, High Reward

Salary expectations on the dark web reflect a premium on specialized technical skills critical to major cybercrime operations.

Monthly compensation averages include:

• Reverse engineers: $5,000+ (highest paid; crucial for exploiting vulnerabilities)
• Penetration testers: ~$4,000 (frontline attackers responsible for breaches)
• Developers: ~$2,000 (core builders of malware and tools)

Fraudsters typically operate on profit-share models:

• Money launderers: ~20% of team’s revenue
• Carders: ~30%
• Traffers: Up to 50%, the highest share due to direct revenue generation

Such variable compensation structures resemble high-risk sales roles, where the “product” consists of stolen data, exploited networks, or successfully extorted ransoms. Some postings even promise $20,000–$60,000 per month, although many of these advertisements are likely inflated or outright fraudulent.

From Developers to Designers: A Full Shadow Workforce

The Kaspersky report reveals surprising diversity in dark web job categories:

• Designers create phishing pages, fake banking apps, and marketplace user interfaces.
• Analysts conduct OSINT, map corporate structures, and estimate ransom demands.
• Tutors teach hacking, coding, or assist with university assignments.
• HR-like roles manage recruitment for cybercrime syndicates.

Roles such as forum moderators, technical writers, and project managers further underline the corporate-like structure of the underground economy.

Why This Shadow Economy Matters Now

The Kaspersky report exposes a troubling evolution: cybercrime is no longer an ad hoc activity but an industrialized economy with defined job roles, career paths, performance metrics, and compensation systems. Despite its professional appearance, the risks are extreme:

• No legal contracts
• High likelihood of non-payment
• Recording, monitoring, and deanonymization by law enforcement
• Criminal prosecution and multi-year imprisonment
• Exposure to syndicates that routinely exploit their own workers

Many individuals seeking a “quick job” on the dark web find themselves ensnared in criminal networks from which they cannot easily escape.

Kaspersky’s findings provide one of the most detailed glimpses yet into the modern underground labor market—a parallel universe where desperate job seekers cross ethical and legal lines, cybercrime groups operate like tech startups, and young talent becomes the backbone of global digital crime.

According to publicly available etedge-insights.com reporting, as cybercrime becomes more structured, profitable, and accessible, its workforce and the associated threats will only continue to grow.

Follow the latest cybersecurity developments, threat intelligence and breaking updates from across the Middle East.