Hacking as a business. Why do we need subscription hackers and how much does it cost?

Father

This year, many researchers are talking about growing business interest in cybersecurity and its tools. This is largely due to the growing relevance of information security risks, which rest on a number of factors, from geopolitical tensions to easier access to malware and a lower "entry threshold" for hacker activity.

The world of cybersecurity is inextricably linked with its "counterpart", the world of hacking, which also does not stand still. Not only are hacking tools and other malware being developed, but so is the model for distributing hacker services. Attackers actively use management and marketing tools, promote their services through mailing lists and account management, blogs in social networks, and use other positioning and promotion tools.

In this article, we have analyzed the main features of hacking as a business, the model of providing services and promoting such services through different channels, as well as the full range of services that hackers offer to their clients.

Briefly about ethical hacking

First of all, it is worth mentioning an area that stands apart from illegal activity – "white" hacking. Formally, hacking becomes "white" if there are two signs:
  • the customer and the "victim" are the same company;
  • the hacker does not have a direct task to exploit the identified vulnerabilities.

Cases when a company orders attacks on itself are quite common. The company's goal in this case is to test the security of its resources in the most "field" conditions.

Ivan the King
Anwork Software Developer

For companies that develop software or applications to ensure information security, hackers' services are becoming an important necessity. Despite the fact that they are not cheap – the average cost of a pentest (penetration testing) ranges from $4,000 for medium-sized businesses to more than $100,000 for large holdings – these costs are significantly less than the costs of identity theft. For example, according to experts, the average amount of losses of a company from the leakage of customer base contacts starts from $9.44 million. In addition, early verification of a digital product for vulnerabilities with the help of independent specialists will increase its quality and, accordingly, user loyalty, and also reduce labor costs for subsequent risk elimination.

That is why IT companies often display their products on hacker sites and forums, including on the darknet, before launching a product. By announcing rewards for finding and analyzing product weaknesses, as well as suggestions for fixing them, businesses save many times more, not only in terms of finances, but also in terms of reputation. The services of "white" hackers are becoming more and more popular not only for commercial organizations, but also for government services. This is evidenced, for example, by the fact that in Russia the issue of legalizing the concept of bug bounty at the legislative level and using the services of "white" hackers on a permanent basis is being discussed.

However, the activity of white hackers is associated with high risks if:
  • no contract was signed for testing the infrastructure;
  • the hacker does not work through the bug bounty platform.

With such initial data, there is no guarantee that the "white" pentester will not be involved in a criminal case for hacking corporate networks. Therefore, "white", legal hackers usually work "in the white": after the conclusion of a contract or through special platforms that act as an arbitrator in case of disputes.

"Flagships" of the hacker business

As in any industry, there are major players in hacking who earn the most revenue and, in addition, influence the market itself, its trends and other parameters. These include, for example, three types of "strategic organizations".

Ad Platform Owners

Globally, hacking has two models. The first is focused on making a profit from the victim, through extortion. The second is to receive money "from the client": a database buyer, a customer ordering a hack who wants to harm competitors with a DDoS attack, and so on.

The second model cannot exist without trading platforms. As a rule, they are classic forums with an interface "à la imageboard": there are forum sections, topics (threads) and user messages with various kinds of offers.

These bulletin boards need to be created, administered, and maintained. Specially developed services offer additional features. For example, they act as a guarantor between the buyer and seller, which can be called an element of the marketplace system. Combating such platforms is a very complex process.

Alexander Gerasimov
CISO Awillix

First, it is the use of anonymous resources. The sites are located in Tor. Those involved in investigations do not know the main server or where it is located. No one knows the real IP address of the ad platform. To find it, you need to conduct intelligence and super investigation. Infiltrate the team of this site, under the guise of an administrator, try to find the ends.

Secondly, it is the use of anonymous payments in the form of cryptocurrency.

Third, those who develop such platforms still care about their anonymity. The people who develop and maintain these resources either work on a lot of trust in each other, or make small separate modules that can be developed independently of each other and from the final product. In other words, contractors can be different and change frequently. As a rule, these are some trusted people who do not have access to the infrastructure itself. They only perform their own mono task.

But even if you know who exactly is behind this platform, it is quite difficult to prove this fact. You need to collect a lot of evidence, the IP address used, and that this particular person accessed the server from his laptop.

You can add that additional difficulties are created when the site's infrastructure and its moderators are dispersed in several countries, and, accordingly, the process of catching them and blocking the resource must occur in several jurisdictions at once. Such events usually have a serious impact on the market, but they also occur extremely rarely: of the current examples in the Darknet, you can only cite the closure of the Hydra site, which was not associated with hacking, but was moderated according to similar principles.

Malware Manufacturers

Stressers, stealers, rootkits, brute-forcers, and other malicious programs are quite complex. Their production, as a rule, requires a high level of technical competence and often takes considerable time.

One of the forms of monetization of such software is its distribution using MaaS, RaaS, and similar models. Malware "as a service" can cost the buyer from several hundred to tens of thousands of dollars, depending on the characteristics and purpose of a particular program and its effectiveness.

Globally, the "producer market" can be divided into two branches, according to their target audience:
  1. Those who are aimed at a mass audience. As a rule, these are sellers of stressers or brute-force programs. Such software is often used by beginners, hacktivists, and just people who are not experienced in hacking. Therefore, such parameters as the native interface, language localization, and other elements that make the malware easier to use are important for them.
  2. Those who target a professional audience. For example, manufacturers of cryptographic programs, wipers, and other specific software. For such programs, the main marker is efficiency, and if it is high, then they will be used regardless of nativity and "usability".

At the same time, the software can be delivered using different payment models. For example, with a one-time payment for the program or work on a subscription. Particularly "exclusive" services may even be provided for a certain percentage of the hacker's profit.

Professional hacker groups

Professional teams can be called the face of the hacker community, since they usually attract the most attention from both information security specialists and ordinary people who read about their attacks in the media.

Ernest Raevsky
Head of Crypto, GetExperience

Of course, hacking for ransom isn't the only tool. For example, the Anonymous group gained its fame due to various high-profile cyber attacks on MasterCard, Visa and PayPal in 2010, but they are still being talked about later. Anonymous adheres to certain life principles, so there were other notable cyber attacks, for example, on government websites, and they did not carry the goal of profit.

A hacker market for every taste and color. There are also separate sites, forums, and there is really a kind of marketplace: the exchange between the customer and the hacker takes place through a guarantor who works for a percentage of the transaction. There are also auto-grant services, but they are less popular.

As a rule, professional groups are engaged in APT attacks that take quite a long time, but allow you to get a high income by selling "profitable" data or receiving a ransom from the victim company.

To evaluate the difference in approaches to positioning and promotion, consider two examples: Anonymous and Conti. The first group actively maintains its Twitter account, periodically makes political statements and actively "flirts with the audience", trying to create an image of "noble robbers".

Conti, on the contrary, serves as an example of hacker professionalism, since most of the information about the group is obtained from reports on the investigation of their attacks. Their main marker is a focus on commercial activities and making money. Unlike Anonymous, they are much less known to the general audience and are of little interest to it, since they have never made any statements other than the terms of the ransom.

Small and medium-sized hacker businesses

A huge number of people in the world of hacking do much less loud and significant things than those listed above. In this segment, the gradation is rather conditional, since it is determined not by the type of activity, but by the volume of services provided.

Conditionally, the middle sector can include malefactors who deal with unfair competition issues. This type of activity can include phishing, DDoS, providing access to previously hacked infrastructure, or selling client databases or other user databases.

It is interesting that the attackers also promote their services through "white channels" of marketing: for example, through Telegram communities and chats, as well as through email newsletters. Alexey Lukatsky, for instance, posted in his channel a sample of such an offer, a "killer run of a competitor's site", which came to his mail. On the one hand, this indicates that the intruders hold a large "cold base"; on the other, it shows the base's low quality, since information security specialists are unlikely to fall into the target audience for hacker services.

Ivan Chernov
UserGate Development Manager (Information security expert)

Rather, the hacker service market represents the interaction of individual links in the chain of this segment of the criminal world. For example, some people can search for vulnerabilities in corporate networks, get in there and organize access, but their goal is not to use access, but to sell it to other attackers who are already pursuing other goals – for example, stealing data in order to sell it again to a third group of attackers. Thus, each group of hackers has its own specialization, but, one way or another, the chain begins with the search for ways to get into the network, hack it without being noticed, cheat security and monitoring tools in order to use the opened access point.

At UserGate, we are engaged in protecting information systems and corporate networks from hacking and penetration, providing 100% visibility of all events within the network with the components of our security ecosystem and monitoring traffic, which ensures a state of stable security of the entire information security circuit.

A relatively small segment of the hacker market consists of carding services, mobile (and other) "penetration", collecting data about a competitor from open (OSINT) and not-so-open sources in order to search for compromising data, and hacking accounts in various social networks.

One of the markers of this type of activity is a link to a specific person who, for example, by virtue of their work duties, has access to certain data and networks. For example, the story of the dismissal of twenty Meta* employees who sold access to Instagram accounts was widely reported.

Results

Despite its illegality, the hacking market is by no means marginal: it is not only growing quantitatively, but also qualitatively, using current methods of attracting an audience, elements of the service model, and other business technologies, even if not to the extent that it occurs in the "white" IT sector.

A dangerous trend is the attempts of some hacker groups to become legitimate from the point of view of a wide audience, to give their activities an attractive appearance from the point of view of certain views.

At the same time, there are very few effective tools at the global level to combat the "backbone" segments of the hacker market, and any investigation in this area can take a huge amount of time and come to nothing simply because the obtained evidence cannot be accepted in a third country due to the peculiarities of the legislation.

It is also important to keep in mind that not only the cybersecurity market is growing, but also the shadow cybercrime market, which, like information security, is trying to adapt and become attractive to its end users.
 