
Hackers for Hire

Did you know hackers are bankrolled by both the good guys and the bad?

The usual dynamic is that “ethical” hackers are hired by the good guys and “malicious” hackers by the bad guys, but occasionally hackers flip sides.

For example, a malicious hacker’s exploits can earn enough notoriety to attract job offers from organizations like Microsoft, Apple, Facebook, and the Department of Defense. The temptation of a legitimate salary at a prestigious organization is enough for many to flip to the ethical side.

In 2006, hacker Chris Putnam created an XSS-based worm that made Facebook profile pages look like MySpace pages; Facebook promptly hired him. Peiter “Mudge” Zatko, a member of the Cult of the Dead Cow hacking group, not only scored a job with the DoD but went on to work for Google, and later returned to government work at the request of the Obama administration.

[Image: Peiter Zatko after flipping]

[Image: Peiter Zatko before flipping]

Exploits demonstrate skill at finding vulnerabilities that slipped past in-house QA and developers, making hackers attractive candidates who have proven their capabilities upfront.

Hacking requires technical intelligence, experience, and years of knowledge-building to develop. Because of this, there is a high demand from legitimate organizations and criminal organizations alike for this skill set.

The Hacker Marketplace

Hackers for hire can come from anywhere, but a recent post by the Google Threat Analysis Group (TAG) focuses on a spate of hack-for-hire activity from groups in India, Russia, and the UAE. For your awareness, we’ve included their associated domains in this post.

Here are the domains associated with their activities.

UAE hack-for-hire Group Domains:

  • myproject-login[.]shop
  • mysite-log[.]shop
  • supp-help[.]me
  • account-noreply3[.]xyz
  • goolge[.]ltd
  • goolge[.]help
  • account-noreply8[.]info
  • account-server[.]xyz
  • kcynvd-mail[.]com
  • mail-goolge[.]com
  • kcynve-mail[.]com

Indian hack-for-hire Group Domains:

  • dtiwa.app[.]link
  • share-team.app[.]link
  • mipim.app[.]link
  • processs.app[.]link
  • aws-amazon.app[.]link
  • clik[.]sbs
  • loading[.]sbs
  • userprofile[.]live
  • requestservice[.]live
  • unt-log[.]com
  • webtech-portal[.]com
  • id-apl[.]info
  • rnanage-icloud[.]com
  • apl[.]onl
  • go-gl[.]io

Russian hack-for-hire Group Domains:

  • login-my-oauth-mail[.]ru
  • oauth-login-accounts-mail[.]ru
  • my-oauth-accounts-mail[.]ru
  • login-cloud-myaccount-mail[.]ru
  • myaccounts-auth[.]ru
  • security-my-account[.]ru
  • source-place-preference[.]ru
  • safe-place-smartlink[.]ru
  • safe-place-experience[.]ru
  • preference-community-place[.]ru

Source: Google Analysis of Sites Used by Hackers
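The lists above are only useful if they are actually checked against traffic. The following is an added example, not code from the original post or from Google TAG: it refangs a subset of the indicators above, matches hostnames from proxy logs against them (including subdomains of a listed domain), and flags brand lookalikes of the kind the lists contain (goolge, rnanage-icloud) using a homoglyph normalisation plus an edit distance that counts a transposition as one edit. The brand list, the legitimate-domain allowlist and the log lines are constructed for the demo.

```python
"""Match hosts seen in DNS or proxy logs against the hack-for-hire domains
listed above, and flag brand lookalikes of the kind those lists contain
(goolge, rnanage-icloud). Added example: this is not code from the original
post or from Google TAG. The log lines are constructed for the demo."""
import re
from typing import List, Optional, Tuple

# A subset of the defanged indicators from the lists above; extend as needed.
DEFANGED_IOCS = """
myproject-login[.]shop
goolge[.]ltd
mail-goolge[.]com
aws-amazon.app[.]link
rnanage-icloud[.]com
id-apl[.]info
login-my-oauth-mail[.]ru
security-my-account[.]ru
"""

# Brand labels to protect and the domains where they legitimately appear
# (assumed allowlist; a real deployment would load it from configuration).
BRANDS = sorted({"google", "icloud", "apple", "amazon", "microsoft", "outlook"})
LEGIT_DOMAINS = {"google.com", "icloud.com", "apple.com", "amazon.com",
                 "microsoft.com", "outlook.com", "live.com"}


def refang(indicator: str) -> str:
    """'goolge[.]ltd' -> 'goolge.ltd', lower-cased, trailing dot removed."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")


IOC_SET = {refang(i) for i in DEFANGED_IOCS.split()}


def matches_ioc(hostname: str) -> Optional[str]:
    """Return the indicator a hostname hits (exact or as a subdomain), else None."""
    labels = hostname.lower().rstrip(".").split(".")
    # Walk a.b.c -> b.c; a bare TLD is never an indicator, so stop before it.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_SET:
            return candidate
    return None


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent transposition, so 'goolge' vs 'google' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _normalise(label: str) -> str:
    """Collapse common homoglyph tricks before comparing: rn->m, vv->w, 0->o, 1->l."""
    return label.replace("rn", "m").replace("vv", "w").replace("0", "o").replace("1", "l")


def lookalike_brand(hostname: str) -> Optional[str]:
    """Return the brand a hostname imitates, or None if it is the real thing
    or resembles nothing on the list."""
    host = hostname.lower().rstrip(".")
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return None
    for label in host.split("."):
        for token in re.split(r"[-_]", _normalise(label)):
            for brand in BRANDS:
                if osa_distance(token, brand) <= 1:
                    return brand
    return None


# Constructed proxy log lines in a simple "time src method url status" shape.
LOG_LINES = """\
2022-06-30T10:01:02Z 10.0.0.5 GET https://accounts.google.com/signin 200
2022-06-30T10:02:17Z 10.0.0.5 GET https://mail-goolge.com/reset 200
2022-06-30T10:03:44Z 10.0.0.9 GET https://cdn.aws-amazon.app.link/x 302
2022-06-30T10:05:01Z 10.0.0.9 GET https://rnanage-icloud.com/login 200
2022-06-30T10:06:30Z 10.0.0.7 GET https://www.apple.com/ 200
"""
HOST_RE = re.compile(r"https?://([^/\s:]+)")


def scan_log(text: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (host, matched_ioc, imitated_brand) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        ioc, brand = matches_ioc(host), lookalike_brand(host)
        if ioc or brand:
            hits.append((host, ioc, brand))
    return hits


if __name__ == "__main__":
    for host, ioc, brand in scan_log(LOG_LINES):
        print(f"{host}: ioc={ioc} lookalike_of={brand}")
```

On the constructed log the scan reports three of the five lines: the two exact indicator hits, the subdomain of aws-amazon.app.link, and each is also tagged with the brand it imitates. The lookalike check deliberately does not catch abbreviations such as apl or go-gl, and it will flag legitimate brand-bearing domains that are not in the allowlist, so the allowlist needs to be maintained alongside the indicator list.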

Darkweb Hacker Services

  • Freelance Hackers – Hackers with no moral scruples use criminal marketplaces on the dark web to advertise their services. Both the hacker and the prospective employer interact anonymously. Hackers list their commercial services, describe their skill set, and quote a price per project, paid in bitcoin or another cryptocurrency.

Hacker-for-hire listings may use a commission-based model in which the fee rises with the size of the job, or they may quote fixed price points. These listings are available only on .onion sites, which can be reached only through the Tor network and are not indexed by search engines.

Here is an example of a hacker-for-hire price listing on a .onion site:

[Image: hacker-for-hire price listing]

  • DIY Phishing Kits – These kits are another way to buy access to hacker skills. Criminals who want to mount an attack without writing the code themselves use the dark web to find sellers of ready-made or custom kits built by hackers. The kits are often based on open-source frameworks like Gophish or Evilginx and typically ship with detailed instructions for deployment and usage.

These dark web kits even come with customer service channels to ensure the attacks succeed. The buyers are people who see the value of hacking but have no interest in investing the time to learn it, or novice hackers looking for support and learning tools to bolster their confidence and confirm their methods. Inexperienced attackers who rely on other people’s tools are often called “script kiddies.”

Ethical Hacker Services

Businesses looking to understand their vulnerabilities hire an “ethical” hacker. And as the number of exploits continues to set new records year after year, the need for action at every level is becoming clear.

“We have so many red flags in the cyber world right now. And what I’m concerned about is that we really could experience a cyber-cause, 9/11-style event where you would have mass shut down — maybe not just in one community or two communities, but many communities at the same time. We need to get ahead of that now. This needs to be a top priority from a security standpoint.” – Former Homeland Security Secretary Janet Napolitano

Venues for finding ethical hackers include private investigation firms and more public marketplaces like freelancer.com, LinkedIn, and Upwork. Their work acts as a security audit, finding gaps in your security posture before malicious hackers do.

Techniques

Both ethical and malicious hackers use the same techniques initially to find vulnerabilities in a network. Where they diverge is after the point of entry. Ethical hackers see how far they can go without damaging the network.

Malicious hackers may deploy malware, launch a DDoS or ransomware attack, or sell credential access on the dark web, whereas ethical hackers disclose the vulnerability so it can be fixed.

These techniques include:

  • Phishing (usually credential phishing)
  • Social engineering
  • Password cracking tools
  • Vulnerability scanning and penetration testing
  • TCP flooding, a form of denial of service (DoS) attack
  • Session hijacking
  • Moving payloads and command-and-control traffic through SSH tunnels
  • Abusing VPN (IPsec) tunnels to gain initial access

Let’s Call out Credential Phishing

By far the most popular technique for gaining initial access is the credential phishing email. It often looks like a Google, AWS, or Outlook password reset email and points victims to a fake reset landing page that is virtually indistinguishable from the real site. If the trick succeeds, the threat actor holds legitimate credentials to use or sell on a dark web marketplace.

Once they’ve gained access, there are ways to keep it even if the password is changed later. One is to authorize a third-party email client such as Postbox, Mailbird, Thunderbird, or Spark through OAuth from an attacker-controlled device; the resulting token gives the attacker ongoing mailbox access that does not depend on the password. Whether password rotation revokes such grants varies by provider, so third-party app access should be reviewed and revoked explicitly during incident response.
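The persistence trick above leaves a trace in the identity provider’s OAuth audit log. The following is an added example, not code from the original post: it walks a constructed token audit log, keeps only grants that carry mailbox scopes (real Gmail API scope URLs and Microsoft Graph permission names), ignores vetted client IDs and revoked grants, and marks any remaining grant that predates a password change for the same user, since that is exactly the case where resetting the password did not evict the attacker. The event field names, the approved client ID and the log records are assumptions constructed for the demo and will differ from your provider’s export.

```python
"""Audit OAuth grants for the persistence trick described above: a third-party
mail client authorised with mailbox scopes from an attacker-controlled device.
Added example, not from the original post. The events below are constructed
JSON lines; the field names (event, user, client_id, app_name, scopes) are an
assumption and will differ from your identity provider's export."""
import json
from datetime import datetime, timezone
from typing import Dict, List

# Scopes that allow reading or sending mail on the user's behalf
# (Gmail API scope URLs and Microsoft Graph permission names).
MAIL_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "IMAP.AccessAsUser.All", "POP.AccessAsUser.All", "SMTP.Send",
}

# Client IDs the organisation has vetted (assumed; a real list comes from the
# IdP's app allowlist). Matching on app_name alone is not enough, since any
# attacker-registered client can call itself "Thunderbird".
APPROVED_CLIENT_IDS = {"client-thunderbird-corp"}

# Constructed audit records: two mail clients for alice, then a password
# change, a harmless calendar grant for bob, a mail client for carol, and a
# revocation of alice's approved client.
EVENT_LOG = """\
{"time": "2022-06-28T09:00:00Z", "event": "authorize", "user": "alice@example.com", "client_id": "client-thunderbird-corp", "app_name": "Thunderbird", "scopes": ["https://mail.google.com/"]}
{"time": "2022-06-28T09:05:00Z", "event": "authorize", "user": "alice@example.com", "client_id": "client-7f3a", "app_name": "Postbox", "scopes": ["https://mail.google.com/", "openid"]}
{"time": "2022-06-29T12:00:00Z", "event": "password_change", "user": "alice@example.com"}
{"time": "2022-06-29T12:30:00Z", "event": "authorize", "user": "bob@example.com", "client_id": "client-91c0", "app_name": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}
{"time": "2022-06-30T08:00:00Z", "event": "authorize", "user": "carol@example.com", "client_id": "client-2be4", "app_name": "Spark", "scopes": ["Mail.Send", "Mail.ReadWrite"]}
{"time": "2022-06-30T09:00:00Z", "event": "revoke", "user": "alice@example.com", "client_id": "client-thunderbird-corp"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines and sort by time so later events override earlier ones."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def audit_grants(events: List[dict], approved=APPROVED_CLIENT_IDS) -> List[dict]:
    """Return one finding per live, unapproved grant that carries a mail scope.
    A grant that predates a password change for the same user is marked as
    having survived it: rotating the password did not remove the attacker."""
    grants: Dict[tuple, dict] = {}
    password_changes: Dict[str, List[datetime]] = {}
    for ev in events:
        if ev["event"] == "authorize":
            grants[(ev["user"], ev["client_id"])] = {
                "user": ev["user"], "client_id": ev["client_id"],
                "app": ev.get("app_name", "unknown"),
                "scopes": set(ev.get("scopes", [])),
                "granted_at": ev["time"], "revoked": False,
            }
        elif ev["event"] == "revoke":
            grant = grants.get((ev["user"], ev["client_id"]))
            if grant:
                grant["revoked"] = True
        elif ev["event"] == "password_change":
            password_changes.setdefault(ev["user"], []).append(ev["time"])

    findings = []
    for g in grants.values():
        mail_scopes = g["scopes"] & MAIL_SCOPES
        if not mail_scopes or g["revoked"] or g["client_id"] in approved:
            continue
        survived = any(t > g["granted_at"] for t in password_changes.get(g["user"], []))
        findings.append({
            "user": g["user"], "app": g["app"], "client_id": g["client_id"],
            "mail_scopes": sorted(mail_scopes),
            "granted_at": g["granted_at"].isoformat(),
            "survived_password_change": survived,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_grants(parse_events(EVENT_LOG)):
        print(finding)
```

On the constructed log this yields two findings: alice’s Postbox grant, flagged as having survived her password change, and carol’s Spark grant. The vetted Thunderbird client is skipped twice over (approved and revoked), and bob’s calendar-only grant never enters the picture. The same check should be re-run after every credential reset, and each finding answered by revoking the grant at the provider rather than by another password change.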

How to Counteract Hackers

50% of websites have four or more critical vulnerabilities. A lot must be done to tighten up user access and best practices. Here are our top 5 suggestions for keeping hackers outside your network.

1 – Multi-factor authentication (MFA)

MFA makes it considerably harder for hackers to compromise an organization, but it is not a silver bullet: phishing kits built on frameworks like Evilginx proxy the real login page and relay SMS and one-time codes in real time, so those factors can be defeated. Phishing-resistant MFA (FIDO2/WebAuthn security keys) is not, because the credential is bound to the legitimate site’s origin and will not authenticate to a lookalike domain.

2 – Don’t Click

Never click a link to a website that arrives in an email. Hovering over the link shows the target domain, but lookalike domains such as those listed above are designed to pass a quick glance, so instead type the site’s address into the browser yourself or use a saved bookmark.

3 – Automatically Apply Version Patches and Fixes

Update your devices and software to the latest versions available.

4 – Check Your Track Record

Check if you’ve been involved in a data breach by entering your email address into the database at haveibeenpwned.com. If you have been, it tells you details about where and when it occurred so you can change your passwords associated with that account.

5 – Use a Threat Detection and Response (TDR) Tool

Don’t trust your eyes. The precision of fake landing pages can be visually identical to the real thing. A TDR should be able to look behind the curtain and tell you through digital fingerprinting what is legitimate. Additionally, dealing with encrypted traffic that can hide malicious data should be something your TDR can quickly sort out for you.

A study by the Ponemon Institute found that 65 percent of companies surveyed were not equipped to detect malicious SSL traffic.

How ThreatEye by LiveAction can help

Password reset phishing sites are undetectable to the human eye. Compare these two sites. Can you tell which one is the phishing site? Probably not. ThreatEye NV can.

[Image: phishing credential landing page example]

Hackers rarely have the load balancing and server capacity of the legitimate site, so their pages take longer to load. This is one of the characteristics ThreatEye’s behavioral heuristics can use to identify phishing websites.

ThreatEye NV has trained its threat detection and response model to detect phishing sites by ingesting the metadata characteristics of hundreds of known phishing sites. It references this data to detect copycat sites.

Using advanced behavioral analysis and machine learning, ThreatEye deploys Encrypted Traffic Analysis (ETA) to see into encrypted SSL/TLS traffic for live threat and anomaly analysis.

With LiveAction’s intelligent, infrastructure-independent ThreatEye, you can put hiring a hacker on the back burner and gain the security visibility you need in your mixed-vendor, cloud, or SD-WAN environment.

Get a demo of our product today.