Surge in Dark Web Recruitment: The Rise of Cybercrime Specialization
ReliaQuest has recently unveiled a detailed analysis revealing a significant increase in dark web recruitment targeting skills essential for hacking, particularly in the realms of artificial intelligence (AI), cloud environments, and social engineering. This trend signals a notable shift in how cybercriminals are structuring their operations and enhancing their capabilities.
Dark Web Recruitment Explodes
The findings from ReliaQuest cover a timeline from January 2023 through July 2025, spotlighting a dramatic rise in job-related postings on well-known cybercriminal forums like "Exploit" and "RAMP." Notably, the volume of recruitment and self-promotional posts on these platforms more than doubled from 2023 to 2024, achieving 2024’s total by mid-2025. This rapid growth indicates a heightened level of specialization and organization among threat actors within these clandestine markets.
Cybercriminal forums are increasingly mimicking legitimate job markets. Recruiters are on the lookout for skilled individuals, while potential adversaries are presenting themselves as job seekers. ReliaQuest highlights that the uptick in job-related posts on dark web forums points to this alarming trend, underscoring the evolving landscape of cybercrime recruitment.
The Impact of AI on Cyber Threats
A prominent trend evident in the report is the rising demand for experts in artificial intelligence. Attackers are shifting from merely utilizing large language models for generating malicious code; they’re now actively recruiting AI specialists to fully automate entire attack workflows. This transition allows for quicker, scalable operations, consequently liberating resources for other objectives.
Groups such as "GLOBAL GROUP" (formerly known as "BlackLock") have begun integrating AI chatbots into their ransomware negotiations, automating tasks that previously required substantial manual effort. This level of automation enables adversaries to execute attacks more swiftly, reducing downtime and leaving organizations with diminished opportunities to detect and respond effectively.
Growing Demand for Deepfake and Language Skills
Deepfake technology is becoming increasingly common among malicious actors, facilitating more effective social engineering attacks. Notably, the report details an incident where a deepfake impersonation of a Chief Financial Officer helped a cybercriminal obtain $25 million from a victim company in February 2024. Since the second quarter of 2024, recruitment posts have notably focused on deepfake capabilities, which allow attackers to impersonate individuals and enhance the efficacy of their social engineering efforts.
The demand for English-speaking social engineers has also surged, with postings more than doubling between 2024 and 2025. This spike reflects a robust recruitment landscape, driven largely by the successes of groups like "Scattered Spider," who have effectively leveraged these skills for initial access attacks.
Rising Recruitment for Cloud and IoT Skills
The demand for expertise in cloud environments, particularly platforms like Microsoft Azure and Entra, has surged significantly. ReliaQuest notes that job postings seeking candidates with cloud exploitation skills—especially for Azure—quadrupled from 2023 to 2024. While there was a slight decrease in mentions during the early part of 2025, indicators suggest that this trend will likely continue, with potential spikes forecasted later in the year.
This uptick is likely linked to financially motivated threat actors, including closed ransomware groups and affiliates, seizing opportunities to exploit cloud infrastructures to gain access to Active Directory domains. The analysis underscores the importance of implementing robust security measures in the cloud, such as least privilege access, multifactor authentication (MFA), and regular credential audits.
Additionally, interest in skills related to the exploitation of Internet of Things (IoT) devices has also shown an upward trajectory following an earlier dip in 2024. Recruitment for IoT device compromise is projected to surpass previous years’ activity by the end of 2025, with one stark example being a March 2025 incident where "Akira" ransomware used a camera to circumvent endpoint detection and response systems.
Evolving Skills Landscape in Cybercrime
The job market for cybercriminals is becoming increasingly focused on specialized techniques such as ClickFix malware execution and hypervisor exploitation. Notably, demand for ClickFix expertise surged by an impressive 850% between late 2024 and early 2025, with a 200% increase occurring within just one month following the appearance of relevant recruitment posts.
The demand for hypervisor expertise reflects a broader trend where adversaries swiftly upskill to meet market requirements. As demand grows, these skills become more commonplace within the cybercriminal ecosystem. For instance, the "Scattered Spider" group has utilized social engineering to compromise virtual environments, deploying ransomware through their virtual machines.
Recommendations for Cyber Defense
In light of these evolving recruitment trends, ReliaQuest advises organizations to stay vigilant regarding emerging cyber threats. The report emphasizes that, despite the continuous evolution of attack methodologies and the pursuit of novel skill sets, the fundamental objectives of cybercriminals—namely, profit through data exfiltration and system encryption—remain unchanged. This consistency provides organizations with a strategic advantage to tailor their defenses accordingly.
To combat the specialized skills being sought after in the dark web, businesses are encouraged to adopt a multi-layered security strategy. Key recommendations include timely detection and response initiatives, automating password resets, and employing security tools that identify compromised assets and suspicious activities. Continuous training on social engineering tactics and regular risk assessments will be crucial in effectively countering the specialized skills emerging in the cybercriminal landscape.
