Hacker programming in technology environment showing profitability of cyber extortion
New Report Shows Just How Profitable Cyber Extortion Can Be by Nicole Lindsey

New Report Shows Just How Profitable Cyber Extortion Can Be

In just a few years, cyber extortion has gone from a fringe hacking activity to something that is now very much mainstream. In fact, it’s now remarkably easy to download tools and how-to manuals for cyber extortion from the dark web, and hacking syndicates are becoming much more brazen about advertising for cyber extortion jobs in broad daylight. According to a new report from the Digital Shadows Photon Research Team, it’s now possible to make upwards of $360,000 per year by joining a cyber extortion team.

Details of the Digital Shadows report on cyber extortion

On the surface, of course, it might sound impossible that it’s possible to get hired for a cyber extortion job, and that these jobs now pay more than six figures a year. But the Digital Shadows report (“A Tale of Epic Extortions: How Cybercriminals Monetize Our Online Exposure”) goes into considerable detail on not just how these cyber extortion teams work, but also the exact salaries that members of these teams can expect to earn if they cross over to the dark side of the cyber security world.

For example, one notorious hacking group known as “The Dark Overlord” (TDO) has placed the equivalent of online job descriptions on the dark web for potential cyber extortion specialists. Elite hackers can expect to earn six- and even seven-figure incomes – much more than they could ever expect to earn from United States tech companies like Google, Apple or Facebook. According to one pricing mechanism uncovered by the Digital Shadows team, cyber extortion salaries start at $8,100 during a 90-day “probationary period” and then quickly skyrocket to $30,000 per month in Year 1 and $90,000 per month in Year 2. (Yes, those are monthly salaries and not annual salaries!) It’s completely within the realm of possibility that you might be able to make upwards of $1 million per year if you have strong network management, penetration testing or programming skills.

Cyber extortion for hire, in broad daylight

And even if you don’t have the requisite network management or programming skills to get hired immediately, there are plenty of ways to get up to speed on cyber extortion quickly, according to the Digital Shadows report. For example, on some underground forums, it’s possible to obtain guides to online blackmail and cyber extortion for as little as $10. On these so-called dark web forums, you can also purchase user credentials, network and web access codes, and just about any sensitive document you could imagine (including high-value intellectual property from top Hollywood film studios).

In short, the barriers to entry are now incredibly low when it comes to cyber extortion, and that has many cyber experts concerned. If a talented programmer is looking to maximize earnings, a career as a cyber extortionist might have growing appeal. That’s especially true since many of the job descriptions and job offers sound like Silicon Valley HR representatives have written them. In some cases, there are “bonuses” paid out if a candidate has knowledge of specific languages (e.g. Arabic, Chinese, German). In other cases, candidates have the ability to work on a “commission” basis, in which they forego a monthly salary in lieu of keeping as much as one-third of all money that is successfully extorted from a victim.

New cyber extortion schemes exposed

Where the Digital Shadows report is most eye-opening is where it delves into the specific cyber schemes used to extract money from cyber extortion victims. A decade ago, cyber extortion basically consisted of a blackmail or ransom message sent via email instead of via the mail. That escalated into ransomware attacks, in which the hacker had the power to coordinate massive distributed denial of service (DDOS) attacks in order to paralyze a victim who refused to pay the ransom. One-off ransomware attacks soon escalated into massive, worldwide cyber attacks, such as the much-publicized WannaCry ransomware attack that proliferated to over 100 countries.

Currently, says the Digital Shadows report, the most common form of cyber extortion is known as “sextortion.” As the report points out, there have been over 792,000 attempts worldwide, impacting 89,000 recipients. The average victim ends up paying out $540 to the hacker syndicate carrying out the cyber attacks. There are two basic variants of these sextortion attacks. In the first variant, the hacker accuses the recipient of having an extramarital affair or engaging in certain forms of sexual activities. If the recipient does not pay the extortion fee to stop the attack, then video footage or other sensitive information (e.g. photos, text messages) will be released publicly and the user’s computer system might become the victim of a denial of service attack. In the second variant of the attack, a victim is told that there is evidence of them viewing sexual content on the Internet, and that disturbing details will be released on a platform like social media unless a payment is made (usually via a cryptocurrency like Bitcoin).

Another popular cyber extortion threat is known as “scaled funding.” This scheme is actually a clever variant of crowdfunding, in which a hacker taps into deep or dark web crowdfunding sites in order to “raise money” for a batch of sensitive documents. If a certain funding target is hit, then even more personally identifiable information might be released, as part of a massive data breach. Sometimes, the data or personal information for sale is the result of a previous hacking initiative that turned up a treasure trove of new documents – such as the hack of the British insurer Hiscox that turned up insurance documents related to the 9/11 terror attacks.

Big takeaways from the Digital Shadows report

There are two major lessons from this Digital Shadows report. The first is that cyber crime does pay… very well. With a little knowledge of spear phishing and computer programming, it might be possible to make anywhere from $360,000 to $1+ million per year by working with a cyber extortion team (assuming, of course, that law enforcement officials don’t catch you first). The second major lesson is that threat actors are becoming more and more creative in how they carry out their cyber extortion schemes, thereby escalating the digital risk for high net-worth individuals online. New innovations – such as cryptocurrencies or crowdfunding – are seamlessly blended into older ransom or blackmail schemes, creating an entirely new cyber threat. Clearly, given the size and scope of cyber extortion today, more needs to be done to stop all types of cyber attacks that attempt to monetize data breaches illegally.