Thanks primarily to the crime movies of the 1950s , there seems to have always been an idealized aura surrounding crime gangs who rely on the code of camaraderie among thieves. Indeed, it may be true that the closer you edge towards the unprotected fringes of humanity, the more you must depend on your “mates” to provide the security that society’s institutions otherwise provide. However, the fact remains that, crooks are by nature dishonest and undependable.

The same runs true in the world of cyber. What may seem to be a self-protecting haven is often a dark hole into which the inexperienced sink, never to come back up for air.

The dark web is currently rife with forums advertising, not only the threats and fruits of cybercrime endeavors but also listings for job applicants and business transactions—hundreds if not thousands, according to a recent report from Kaspersky. One would think we’re witnessing the birth of a new industry, one ruled by criminal syndicates and rogue states. And they’re doing their best to create that aforementioned sense of security that’s allegedly based on cooperation and mutual interests.

But the mirage only holds water from a distance.

Table of Contents

Rogue-anizing the Web

While there may be some collaboration and cooperation among cybercriminals or cybercriminal organizations, the ruling design remains competition. This is simply because many cybercriminals–like most businessmen–are motivated by financial gain. Moreover, the pool of potential victims and resources is limited, and greed is still a pervasive trait.

Cybercriminals compete for access to valuable targets, such as banks, financial institutions, or high-profile individuals. They also compete for access to limited resources, such as botnets, malware, or exploit kits. Add to this the classic crooked obsession with “turf wars”, and you suddenly have crime groups attacking one another with denial-of-service and other tactics to disrupt or disable their rivals.

That being said, all financial endeavors tend to consolidate. It makes sense, and increases the profits. Consequently, we are now seeing increasing instances where cybercriminals or cybercriminal organizations collaborate and form alliances. They may work together to launch coordinated attacks on specific targets, or they may share knowledge or resources. However, such collaborations are often temporary and can quickly dissolve if the interests of the parties involved diverge.

Trust among Thieves

The Dark Web is by its nature rife with scams and fraudulent activities, which can make it difficult to determine who to trust and who not to. It is a highly unregulated and chaotic environment, with no official structure or hierarchy.

Cybercriminals who operate on the Dark Web are generally freelancers who work independently or in small groups, collaborating on projects as needed. On one hand, thanks to its nature, the dark web offers cybercriminals a platform from which they can operate anonymously and without fear of detection. On the other hand, that same lack of formal organization or authority can make it challenging to establish trust between parties and to ensure–for example–and ensure safe and secure transactions, and reliable payment for services rendered.

Consequently, operatives have to rely on their own skills and knowledge to protect themselves from being scammed or hacked by others. Thankfully, reputation is everything in this world, as we shall see below, and most cybercriminals will have to work as some time or another through a dark web forum. He or she needs to be accepted into the forum and to prove their worth.

Structuring Crime - Steps up the Ladder

There are no fast rules for the overall structure of the cybercrime world. Crimes may be committed by individuals or groups with varying levels of organization, and while the more prominent stories involve organized networks that engage in coordinated activities, many scammers operate independently or in small groups.

Organizations usually have a hierarchical structure and use sophisticated techniques to avoid detection and maximize their profits. Many operate from within the intelligence networks of rogue nation-states servicing espionage or cyber warfare, gathering intelligence, disrupting infrastructure, or conducting other malicious activities.

As in most hierarchies, one’s level is determined by factors such as expertise, experience, and access to resources. A typical organization might have a leader or leaders who are responsible for making strategic decisions and coordinating the activities of the group. Below them, there might be managers or coordinators who oversee specific operations or projects. At the lowest levels, one finds the foot soldiers or specialists who carry out specific tasks, such as hacking, phishing, or malware development. Alternative structures—lateral ones, for example—involve franchises that provide services to other criminal groups.

In both cases, the beginning cybercriminal will typically develop his/her technical skills, such as programming, networking, or hacking. Some may start by engaging in simple hacking activities, such as defacing websites or stealing passwords. Coincidentally, they may begin exploring online forums, experimenting with code, and learning about different tools and techniques.

As they gain experience and expertise, individuals may start to engage in more sophisticated activities, such as developing and selling malware or carrying out phishing attacks. At this point, they may start offering their services as freelancers to other cybercriminals or criminal organizations. Once they establish their reputation within the criminal community, they may even be invited to join an organized network. Alternatively, they may start their own—eventually rising to leadership positions, overseeing operations and making strategic decisions.

O, as in Organized

Each day, hundreds if not thousands of deals are agreed upon in the Dark Web between cyberthugs buying and selling data, hacking services, and more. Deals may involve more than two parties, and often one participant may be using a fake account to disrupt the deal on purpose.

A large percentage of deals are automated, some relying on smart contracts,1 most paid for with cryptocurrencies. In addition, the environment offers escrow services, i.e. guarantors that a deal will be honored–sometimes offered as part of a forum’s services. These agents (again–sometimes an account controlled by a smart contract) hold payment received from one party before delivering it to the other upon a task’s completion. There are even arbitration procedures for those agreements that went afoul. Securelist estimates that in 2022 alone nearly 313,000 Telegram (the favorite communications channel) messages involved escrow activities.

But the system is far from foolproof; Kaspersky’s 2023 report on Business on the Dark Web warns that even these administrative services could be fake. In 2021, cyberthugs infiltrated a crime-making forum and stole the participants’ money by offering them a fake phishing money transfer service. Escrow agents may disappear with the money or the goods. And then, of course, there are the criminals who either cancel a contract whenever it suits them or deliver fake outdated products.

Forums are quite strict, however, and anyone deemed a ‘fraudster’ may be added to blacklists, destroying his/her reputation and, in effect, shutting down their operation. Their names and nicknames are published, and often even their crypto wallet details.

Moreover, unsurprisingly, there are some forum administrators who may themselves not always be honest…

When Crime Pays… How Much?

What makes employment in the world of cybercrime attractive for some is that it is open to all, regardless of formal education or police record. Employers do not care how old you are, whether you have a clean military record, are drug free, etc. As with any employer, one would be astounded with the terms of compensation and other employment offered by some cybergangs—especially in this age of post-COVID layoffs in the high-tech industry and wage reductions.

Nearly half of advertised jobs offer remote working conditions, and a third are for full-time employment. Employers may offer on-the-job training, bonuses and conduct periodic reviews. According to Security Intelligence, developers—at 61%—are the most in-demand professionals, with designers a lowly 10%. Head hunters will assess test assignments, resumes and portfolios, and even conduct interviews.

Salaries range from $200 to $20 K per month, and payment is more often than not made in cryptos. Freelancers are often paid in advance (if deemed trustworthy), in partial payments based on delivery, are all upon final delivery—most often from an escrow account or agent.

On one hand, the dark web is becoming more complex but, on the other, more structured. This puts a life in cybercrime almost at our easily-burned fingertips; however, it also provides a framework from within which crime fighters may more easily operate—given the higher definition of a target.

The moment attacks can be ordered and offered, they can also be tracked and be warned of in advance. This both expands but also ameliorates the task of the cybersec professional.

We’re certainly in for some interesting times.


When Nick Szabo first conceived the idea of ‘smart contracts nearly thirty years ago, he could never have envisioned that they would come to play such a central part in the crimeworld of the future. A smart contract is basically a ‘computerized transaction protocol’ that executes the terms of a contract upon pre-defined inputs. By placing such a program securely in the blockchain, the element of trust—usually instilled within a legal framework (lawyers, courts, etc.)—are supplanted by the self-interest of the network community.