Have you ever wondered how cybercriminals explain their mysterious means of income to others? While not all threat actors’ illicit activity is so lucrative that they have to account for an eight-bedroom mansion in the hills and a Porsche collection, many cybercriminals’ friends and families may question their means of income if they have no apparent gainful employment. Following discussions on cybercriminal forums on the dark web, we dived into this topic.
An interesting thread on the high-profile Russian-language cybercriminal forum Exploit posed this very question, asking the site’s members, “what do you say when people ask you about your work?”
The thread starter mused: “A new acquaintance, [or] an old one whom you haven’t seen [for a while], asks ‘Vasya, how do you earn money?’” They added “Goodness knows why everyone wants to ask us that, but it’s a fact that they do.”
Many participants in the thread agreed that they are asked this sort of question all the time, although opinions were split on what the best response is. We explore some of their answers below.
THE “SILENCE IS GOLDEN” APPROACH
Rather than providing a direct answer, some responders to the thread disputed whether you would be asked the question in the first place. One user claimed you’re only likely to get asked about your job if you “drive a lambo and have luxury real estate,” implying cybercriminals who do not engage in conspicuous displays of wealth can fly under the radar. This divide in cybercriminal personality and ethics was echoed in another forum member’s response, who prosthelytized: “It’s best not to show anyone your salary, live alone, and surround yourself with ordinary people.”
Another common response was “my finances don’t concern you,” although this suggestion was frequently shot down by users who said that this approach usually backfires, leading to more aggressive, curious questioning or dangerous assumptions. Another avoidance response was that cybercriminals should just smile and keep quiet, allowing the questioner to use their imagination to come up with their own answers. As one user commented: “Silence and a smile will always […] be cooler than any invention.”
THE RIGHT RESPONSE FOR LOVED ONES & AUTHORITIES
At times, the thread debated the trustworthiness of forum members’ partners, with opinions split on whether cybercriminals come clean about their “job” to casual girlfriends, long-term partners, or even their wives.
The refrain of “the only woman you can trust is your mother” was frequently repeated, with many advising against revealing all to “your girl.” A more charitable interpretation of this suggestion is that keeping the truth from loved ones is, in essence, keeping them out of harm’s way by allowing them to plead ignorance.
Even more critical than having an explanation for a significant other is having an explanation for your significant other’s parents. Commenters lamented that even if you’re able to dodge most people’s questions, a new partner’s family is dead set on learning everything about whom their beloved daughter has started dating.
Finally, the need for a concrete explanation was emphasized by one forum user who highlighted that you must provide details about your income and employment status when dealing with some form of authority (i.e. realtors, landlords, tax authorities).
In the case of dealing with taxes, all sorts of convoluted methods for front companies and fictitious salaries were proposed to help keep up the pretense. Still others brought up interest from the police or security services, with one grimly remarking: “those who are especially interested and want to introduce themselves […] usually introduce themselves in three holding your armpits.”
LAUGHING YOUR WAY THROUGH IT
Several forum members provided wickedly facetious answers to the thread starter’s question. Some more creative contributions included:
- Antique restorer
- Car mechanic
- Truck driver
- CCTV operator
- Heir to an oil tycoon
One user said that they always replied that they were unable to find any work after being released from prison, adding that this usually caused the topic to be dropped. Still others advocated replying that work is so tiring you can’t talk about it in your free time. In a novel approach to the dilemma, one member suggested point-blank telling the truth, because “no one will believe you.”
Lastly, another user suggested the “don’t worry” approach, saying that when talking to children or old people you can merely reply, “if I tell you, they’ll fire me.” Others disagreed, saying that you can’t joke with everyone and pointing out that even taxi drivers are prone to interrogating their passengers about what they do for a living, leading to an uncomfortable interview.
AND THE BEST RESPONSE GOES TO?
Most participants in the thread, however, took the issue seriously and engaged in earnest discussion about the pros and cons of various answers. By far the most common suggestion in response to “what do you do for a living?” was to reply with some form of IT-related employment (indeed, many cybercriminals began their careers with a natural curiosity in the technology sector). Ideas included search engine optimization, online advertising, information security, website design, software development, IT journalism, programming, or server administration.
There are downsides to this approach though: As the thread’s original author noted, “I used to answer that I’m a programmer, an IT specialist, but now every taxi driver out there is interested in what field of IT you’re in or what type of programmer you are.”
Others agreed, saying that many people out there fancy themselves an IT specialist, and that admitting you’re in the IT industry opens you up to lots of follow-up questions or, worse, requests to complete bespoke IT projects.
One frequently-suggested solution to ending further conversation quickly was to make your answer as obscure as possible. For instance, if you’re pretending to be a programmer, discussing Python scripts is a no-go, as everyone has dabbled in Python these days. Instead, discussing more unusual programming languages or systems apparently reduces the opportunity for follow-up questions. Summed up by one cybercriminal forum user: “the more succinctly you describe your field of activity, the less likely people are to ask questions.”
Another tactic was to say that you can’t answer detailed questions because you’re subject to a non-disclosure agreement (NDA) with your employer. The thread also said that if your interviewer wants to commission you to complete a type of project you are claiming to carry out on a daily basis (e.g. creating a website or installing software), you can merely shut down the proposal by inflating your hourly rate to an extortionate amount.
This sort of neighborly IT work is not always considered a bad thing however—as one forum user put it: “As long as I can fix my friends’ computers, everyone is happy!”
Other users suggested avoiding IT-related lines of questioning entirely. One user advised that “a ‘business analyst’ or ‘financial analyst’ works” because this explains the hours you spend in front of a computer. More significantly, with this answer, “You will not be digging deep, and no one will ask you to reinstall Windows.” Another cybercriminal forum user chimed in, “if they ask you for advice on where to invest, you can vaguely bring up different tools and throw in incomprehensible words until they lag behind…” Another user used the response, “I trade cryptocurrency,” commenting that when people ask what that is you can obscure your job’s function and “say a few abstruse words about blockchains and this is where the questions end.”
THE DARK WEB DEBATE CONTINUES…
Lying and deception are integral parts of cybercriminals’ daily operations, yet threat actors still struggle with the decision of whether to lie or not to lie in response to questions about their employment status.
While this Russian-language thread was initiated on Exploit back in 2019, it’s still very popular and alive one year later, attracting new discussions and answers. This indicates the importance of this issue to threat actors and their interest in discovering how others go about addressing this dilemma.
While there was no one true best answer from all the suggestions, general rules of thumb to follow did emerge. As the world becomes more comfortable with technology and the IT sector, posing as an IT specialist may not cut the mustard with particularly inquisitive questioners, whether that’s a tech-savvy Uber driver or a well-read father-in-law.
Threat actors on Exploit and other cybercriminal forums will likely continue the conversation into 2021 as the cybercriminal community tries to adapt to the reality and aggressive authorities they are confronted with on a daily basis.
If you’re curious about dark web monitoring for your company’s assets, read more on our blog here.