Want to hack your ex-spouse’s cellphone? Steal the private passwords to get dirt on your annoying neighbors? How about disrupting your business competitor’s operation, perhaps by shutting down its online network or holding data for ransom?
All of these activities are illicit and malicious, but a growing cadre of professional “black hat” hackers are providing their services to all comers. These “retail” activities, often run by sophisticated criminal networks and individuals, appear to be on the rise. Instead of offering their services in the shadows of the dark web, however, many are hanging their shingles up in plain sight, just an online search away. But they come with a caveat to the crooked emptor – the real target for these hackers is often the people who hire them.
Although precise figures on this latest form of e-commerce are unavailable, experts say the combination of the pandemic, millions of people working from home and widespread online commerce has provided countless opportunities for hackers and cyberthieves of all stripes. “Phishing” and “pharming,” where cyberthieves use false identities to steal personal information such as bank and credit card account information, accounted for 33% of all cybercrime in the U.S. last year, according to SEON , a company specializing in anti-fraud systems.
That one crime category has more than twice the victim count – 241,342 victims – of the next-highest consumer crime (non-payment/non-delivery). This global wave of fraud and cyber disruption is relentless and ongoing. The company estimates that e-commerce retailers alone are hit with an average 206,000 web-based attacks per month.
Deep, often personalized hacks target individuals and go beyond the standard cybercrime fare of stealing identity information to access credit card and bank accounts. The cybersecurity firm Atlas VPN , in a recent survey of hackers for hire on the dark web, found a laundry list of nefarious services on offer:
While individual hackers have been out there for years, it’s believed many now collaborate with larger, organized cybercriminal groups.
“Innovative hacking technologies have been mostly developed by large hacker groups,” noted a spokesperson for Atlas VPN. “Smaller groups or individual hackers do not have enough resources to develop such software.”
You needn’t use a special browser to locate these offerings on the dark web, though. An ordinary search engine turns up several of them in seconds. A simple search led to dozens of sites offering an array of services. The search phrase “hackers for hire,” for example, turns up sites for “professionals” whose real identities are concealed.
One site advertises people who can hack Apple and Android phones. The pitch: “Married couples want to be sure their spouse/partner is not being unfaithful. Parents who are interested in monitoring their children. Employers also employ cellphone hackers to monitor their employees.”
Big Brother is not just one entity these days. It is a vast array of anonymous, third-party entrepreneurs and gangs thriving in a world in which nearly everyone is connected, mined for free information – and spied upon. The sites RealClearInvestigations surveyed were clearinghouses for these professionals and weren’t bashful about their consumer appeal. “The good news is that these services are easily accessible on the mainstream Internet,” one site trumpeted. “At the same time, your privacy remains intact.” Good luck with that.
The pricing is put out there like a restaurant menu, often for the most malicious services. For $250 per job, you can hack someone’s social media accounts and carry out “credit card scams, identity theft and so on.” The higher the complexity and duration, the higher the price. Some even provide hourly rates from $28 to $300, or you can bid on specific jobs in a hacking marketplace. (Name your price! Everything’s on the table, from video games to company email systems.)
And if you hire one, you’d be not only committing a crime but risking becoming a victim. That makes these services less like newfangled ways for people to attack their enemies than traditional confidence games that engage their marks in crooked schemes so they will be hesitant to contact the cops after they get taken.
“Maybe 90% – closer to 100% – of these services are trying to get money out of you and prey on people,” says James Bore of Bore Security Consultancy in London. “But they are hard to identify and even harder to track down.”
While some clients seek out these illegal services, others are approached by criminals who scour the web for leads. A frustrated tweet complaining “I’m locked out of my system” can lead to offers of assistance that can in turn lead to more dangerous offers and scam operators. These “distress” signals are flares that often attract criminals, Bore said.
Some hackers may also be working for businesses trying to protect themselves from attack. These “white hat” or “ethical” hackers test systems, websites and databases for vulnerabilities and offer advice on how the make them more secure. Many of these professionals (acting more as legitimate consultants) cut their teeth in black hat operations before turning to safer and more ethical work.
There’s a further twist to the story. Bryan Hornung , CEO of Xact IT Solutions, a cybersecurity consultancy, said, “At least 50% of the `’retail’ posts offering hacking for hire are law enforcement trying to trap scamsters.”
In other words, it’s not unusual for a company to hire a hacker to monitor other black-hat hackers who may be planning attacks on specific companies or institutions and coordinating with others in dark web dialogues, Hornung added. In a way, ethical hackers act as counter-intelligence agents who are working to prevent or shut down major cybercrimes – before they happen. Many of these connections and activities – and their legality – are muddled by a pastiche of federal laws . Some hacking falls between the cracks of outdated regulations, while most is patently illegal. But modern law enforcement has yet to catch up with cybercrime in a meaningful way.
Who are the con artists in these rackets? You’ll probably never know. It’s difficult to tell who’s running a scam online unless you actually engage with the hackers (and send money you will never see again) or they are caught by law enforcement.
U.S. authorities may pursue and even indict foreign-based hackers, but they have little chance of arresting them and bringing them to trial. The Justice Department, for example, indicted six Russian hackers affiliated with a Russian intelligence agency last year in connection with malware attacks that resulted in more than $1 billion in losses. But their chances of them being apprehended or extradited by their own government are slim to none. They are also unlikely to travel to places where they would be arrested.
“A lot of hacking groups are based in countries that are beyond U.S. jurisdiction,” said Hornung, who estimates there are “tens of thousands” of black-hat hackers out there, a handful of whom he contacts to get a heads up on future cyberattacks.
“The economics of being a bad guy are good,” says Oren Falkowitz , a former hacker for the National Security Agency and CEO of Area 1 Security in Silicon Valley. “Most are former government employees in places like Russia, China, South America and Israel. They are allowed to do ‘services’ on their own.”
And, Hornung notes, “they can sniff out reporters and law enforcement when inquiries are made about their services on the dark web.” Often, poorly paid state-employed hackers hang out their shingles to make extra money on the side.
“Hacking was already on an upward trajectory like a hockey stick,” observes Hornung, but the pandemic “was like lighter fluid and a match … and some guys got better.”