How do hackers actually get paid for their services?
The successful hacker is the one whose real name is never known, who shuns the limelight, and stays off the radar. In fiction – notably the cyber punk novels by the likes of William Gibson and Bruce Sterling – these anonymous cyber crooks met in smoky bars to trade their wares, move data, and get paid. But in reality, hacking is far less colorful, with most transactions occurring on the dark web and other portions of the Internet untracked by search engines. So, with anonymity paramount, paper trails taboo, and the honor thieves concealed by computer screens, the question remains, how do hackers today actually get paid?
“We have to look past the American and western standards of what the typical international hacker’s lifestyle looks like,” says Alan Webber, research director for innovation and transformation at IDC. “How people live in other parts of the world is already very different, and this just further translates to how the hackers overseas may live.”
Really, to understand how hackers are paid, you have to take a step back and look at who they really are. Hollywood (and even Silicon Valley) tends to show them as a “console cowboy” looking for one big score before getting out and living on a beach somewhere, but that’s far from the truth. The real world hacker is just as likely to be someone who has a day job, possibly even in the field of cyber security.
“There are hackers that are on the white hat side – as in trying to keep the bad guys at bay – and then there are those who are the gray hat guys, who may work for a security firm, and they may frequent the markets of the dark web, but to buy the malware so they can reverse engineer it,” explains Stephen Coty, director of threat research at Alert Logic. “Then there are the black hat guys who try to make money from hacking including the stealing of data.”
And in the U.S., black hat hackers probably also punch a clock like the rest of us. “You have to have a day to day job to explain how you’re getting money to pay your bills,” says Coty. After all, they can’t exactly file a 1099 form, pay their taxes, and hope their illicit and illegal activities go otherwise unnoticed.
But this doesn’t mean hackers aren’t making big scores online — and actually somehow getting paid. Those individuals offering their services or stolen goods on the dark web have numerous ways to receive compensation. “Those who hacked a million credit card numbers can go to the dark web where it is like a garage sale, and these numbers can be sold in blocks, and it is very much run like a business,” says Webber. Here, cash isn’t necessarily king. Criminals will pay for stolen data in gift cards, drugs, or other illicit items.
“This isn’t that different from other criminal activities,” says Ben FitzGerald, senior fellow and director of the technology and national security program at Center for a New American Security. “Hackers just tend to be a little more savvy when it comes to getting paid.”
And just as Gibson’s cyber punk novels involved those who could move stolen data, the real world has given rise to “digital fences” says Webber. “Their whole business is the buying and selling of digital information.”
But money is still the currency of choice, it just takes some good ol’ fashioned — or new wave — money laundering. For instance, the transferring of funds has been made easier thanks to services including Western Union, Cryptocheck and Money Gram, which allow for sending of cash.
Meanwhile Bitcoin has opened an even more secure avenue for criminals to remain anonymous, making it a preferred option among the hacking community. “It all depends on the experience of the person and their level of trust, but a lot of these new services create a data path that is increasingly untraceable,” says Coty. “Bitcoin fills the void very nicely.”
“There is no coin laundry in the digital world,” notes Webber. “Bitcoin is as close as it gets.”
And then there are the hackers who are actually paid by cash and check. Unbelievable, you say? Unreachable, say authorities. These cyber-crooks are paid in government-issued currency because they are actually on the country’s payroll. Cyber punk novels may have led us to imagine shadowy figures working for large, international, mega-corporations. But in reality, while there are likely some hackers on staff in the corporate world, most of the on-the-books operators are likely working for a government entity.
“China has been using teams of hackers, and those individuals are paid like anyone else in China,” says Webber. In some cases the hackers may enjoy a better lifestyle because of their skills and talent; while some regimes may hire international hackers and pay them officially as security consultants.
“This is the best example of recent revelations, where a hacker is paid as a software consultant as if they were a reputable business,” says FitzGerald. “That is a semi-legitimate way of running an illicit business.”