Poorly paid cybersecurity staff risk ‘breaking bad’ on the dark web, CIISec warns

The Chartered Institute of Information Security warns that salaries must be increased, or employers risk losing their workers to cybercrime.

The warning follows new research that has uncovered highly skilled workers moonlighting on the dark web.

Cyber security support body CIISec commissioned a six-month qualitative analysis report which found skilled workers moonlighting on the dark web.

The UK body also compared the practice of swapping honest work with crime to the exploits of fictional chemistry teacher Walter White, who doubles as a drug dealer in the HBO drama Breaking Bad.

The CIISEC research was carried out by a former police officer and covert operative who now works as a private sector adviser. It involved trawling dark web forums for job adverts from June to December 2023.

The researcher found that a wide range of trained individuals, from developers and pen testers to PRs and voice actors, were touting their skills on the dark web to increase pay, replace dried-up work, or buy Christmas presents.

Full Walter White

According to the researcher, the types of people advertising their services fell into three groups.

He categorised the first group as highly skilled professionals with a decade of experience in security or IT.

He found evidence of individuals currently working for a “global software agency”, professional pen testers offering to test cybercrime products, AI prompt engineers, and web developers.

Some stated that they needed a “second job” or made comments like “Xmas is coming, and my kids need new toys”. Others even offered a portfolio of work as evidence of their skills.

The second group consisted of people just starting in IT or security, hungry for work and education.

One person inquired, “Where do I start in hacking as a programmer?” as positions advertised looking for a “beginner designer” whose “creative journey has just begun.”

Various hacking groups were also seeking to hire students and offered training services.

The third group consisted of those looking to branch out into cybercrime, and were a smaller number of individuals from industries outside of security or IT

The research uncovered an out-of-work voice actor advertising for phishing campaign opportunities, a “creative wizard” offering to “elevate your visual content”, a PR for a hacking group, and content writers.

Making crime pay

“Gartner research shows that 25% of security leaders will leave the security industry by 2025 due to work-related stress – and that’s just leaders,” says Amanda Finch, CEO of CIISec.

She continued, “Salaries and long hours are contributing to this, and we’re starting to see the impact. Our analysis shows that highly skilled individuals are turning to cybercrime.”

“Given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge. Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”

Cyber security salary, pay, and conditions have long been a moot point, particularly in the public sector.

Last year, we reported how an HM Treasury job ad for a head of cyber security with a salary between £50,500 and £57,500 attracted disbelief and ridicule on social media.