Kaspersky Digital Footprint Intelligence prepared a new report Inside the dark web job market: Their talent, our threat. There was a two-fold increase in the number of résumés and jobs posted on underground forums in Q1 2024 compared to Q1 2023, and this number remained on the same level in Q1 2025. Overall, in 2025, résumés outnumber vacancies 55% to 45%, driven by global layoffs and an influx of younger candidates. Age distribution among the candidates shows a median seeker age of just 24, with a marked teenager presence.
Jobs found on the dark web are predominantly related to cybercrime or other illegal activities, although some legitimate positions are present as well. Kaspersky findings show a shadow economy where 69% of job seekers did not specify a preferred field, openly signaling they’d take any paid opportunity – from programming to running scams or high-stakes cyber operations. The most in-demand IT roles posted by employers on the dark web reflect a mature criminal ecosystem:
• developers (accounted for 17% of vacancies) create attack tools;
• penetration testers (12%) probe networks for weaknesses;
• money launderers (11%) clean illicit funds through layered transactions;
• carders (6%) steal and monetize payment data;
• traffers (5%) drive victims to phishing sites or infected downloads.
Gender-specific patterns emerged in specialized applications. Female applicants predominantly sought interpersonal roles, including support, call-center, and technical-assistance positions. Male applicants, by contrast, more frequently targeted technical and financial-crime roles – developers, money mules, or mule handlers.
Salary expectations varied sharply by specialization. Reverse engineers commanded the highest compensation, averaging over $5,000 monthly, followed by penetration testers at $4,000 monthly and developers at $2,000. Fraudsters tended to receive a fixed percentage of a team’s income. Money launderers average 20%, while carders and traffers earn approximately 30% and 50% of the full income, respectively. These figures reflect a premium on scarce, high-impact skills within the shadow ecosystem.
“The shadow job market is no longer peripheral; it’s absorbing the unemployed, the underage, and the overqualified. Many arrive thinking that the dark web and the legal market are fundamentally alike, rewarding proven skills over diplomas, with the dark web even offering some benefits – like offers landing within 48 hours and no HR interviews. However, not many realize that working on the dark web can lead to prison,” comments Alexandra Fedosimova, Digital Footprint Analyst at Kaspersky.
Young individuals contemplating dark web employment must recognize that short-term earnings carry irreversible legal and reputational consequences. Parents, educators, and the community are urged to report suspicious online solicitations immediately. Children should be shown that there are multiple skill-building and career pathways in legitimate technology sectors, such as cybersecurity. For example, Kaspersky has special project What we should do with kids who hack on how teens can be rehabilitated and taught to use their skills for good. Kaspersky’s ‘Cyber Pathways’ project also offers a comprehensive look into the essential cybersecurity roles, skills, and tools, to help newcomers to cybersecurity, IT generalists, seasoned experts to discover their ideal cybersecurity role.
Kaspersky offers several recommendations to stay safe.
Individuals:
• Don’t follow links to suspicious-looking webpages. Never respond to unsolicited “easy money” offers, especially via Telegram or obscure forums. Verify job legitimacy through official channels.
• If you are a teen – report suspicious posts to parents or authorities. No high wage is worth a criminal record.
Organizations:
• Train employees to recognize phishing and suspicious links.
• Implement dark web monitoring for employee credentials and ex-staffer résumés. Train HR to spot “shadow experience” in applicant histories. Mandate multi-layered fraud detection – money mules and carders are entry-level roles in larger attack chains.
• Continuous monitoring of dark web resources significantly improves the coverage of various sources of potential threats, and allows customers to track threat actor’s plans and trends in their activities. This type of monitoring is a part of Kaspersky’s Digital Footprint Intelligence service.
• Use multiple sources of Threat Intelligence information (with coverage of surface, deep and dark web resources) to stay aware of actual TTPs used by threat actors.

The analysis was based on 2,225 job-related posts – vacancies and resumes – published on dark web forums between January 2023 and June 2025. Some of the forums and resources reviewed may no longer be accessible at the time of publication.