More job seekers than ever are turning to the Dark Web to find work.
According to a new Kaspersky Digital Footprint Intelligence new report, Inside the dark web job market: Their talent, our threat, there was a two-fold increase in the number of résumés and jobs posted on underground forums in Q1 2024 compared to Q1 2023. This number remained on the same level in Q1 2025.
Overall, in 2025, résumés outnumber vacancies 55% to 45%, driven by global layoffs and an influx of younger candidates.
Age distribution among the candidates shows a median seeker age of just 24, with a marked teenager presence.
Jobs found on the dark web are predominantly related to cybercrime or other illegal activities, although some legitimate positions are present as well.
Kaspersky findings show a shadow economy where 69% of job seekers did not specify a preferred field, openly signaling they’d take any paid opportunity – from programming to running scams or high-stakes cyber operations.
The most in-demand IT roles posted by employers on the dark web reflect a mature criminal ecosystem:
- Developers (accounted for 17% of vacancies) create attack tools;
- Penetration testers (12%) probe networks for weaknesses;
- Money launderers (11%) clean illicit funds through layered transactions;
- Carders (6%) steal and monetise payment data;
- Traffers (5%) drive victims to phishing sites or infected downloads.
Gender-specific patterns emerge in specialised applications. Female applicants predominantly seek interpersonal roles, including support, call-centre and technical-assistance positions. Male applicants, by contrast, more frequently target technical and financial-crime roles – developers, money mules or mule handlers.
Salary expectations vary sharply by specialisation. Reverse engineers command the highest compensation, averaging over $5 000 monthly, followed by penetration testers at $4 000 monthly and developers at $2 000.
Fraudsters tended to receive a fixed percentage of a team’s income. Money launderers average 20%, while carders and traffers earn approximately 30% and 50% of the full income, respectively.
These figures reflect a premium on scarce, high-impact skills within the shadow ecosystem.
“The shadow job market is no longer peripheral; it’s absorbing the unemployed, the underage, and the overqualified,” comments Alexandra Fedosimova, Digital Footprint Analyst at Kaspersky. “Many arrive thinking that the dark web and the legal market are fundamentally alike, rewarding proven skills over diplomas, with the dark web even offering some benefits – like offers landing within 48 hours and no HR interviews.
“However, not many realise that working on the dark web can lead to prison.”
Young individuals contemplating dark web employment must recognise that short-term earnings carry irreversible legal and reputational consequences, she adds.
Parents, educators, and the community are urged to report suspicious online solicitations immediately. Children should be shown that there are multiple skill-building and career pathways in legitimate technology sectors, such as cybersecurity
Kaspersky offers several recommendations to stay safe.
For individuals:
- Don’t follow links to suspicious-looking webpages. Never respond to unsolicited “easy money” offers, especially via Telegram or obscure forums. Verify job legitimacy through official channels.
- If you are a teen – report suspicious posts to parents, guardians or authorities. No high wage is worth a criminal record.
For organisations:
- Train employees to recognise phishing and suspicious links.
- Implement dark web monitoring for employee credentials and ex-staffer résumés. Train HR to spot “shadow experience” in applicant histories. Mandate multi-layered fraud detection – money mules and carders are entry-level roles in larger attack chains.
- Continuous monitoring of dark web resources significantly improves the coverage of various sources of potential threats, and allows customers to track threat actor’s plans and trends in their activities. This type of monitoring is a part of Kaspersky’s Digital Footprint Intelligence service.
- Use multiple sources of Threat Intelligence information (with coverage of surface, deep and dark web resources) to stay aware of actual TTPs used by threat actors.