Hackers On Demand
By Steven Melendez
In 2013, a pair of private investigators in the Bay Area embarked on a fairly run-of-the-mill case surrounding poached employees. But according to a federal indictment unsealed in February, their tactics sounded less like a California noir and something more like sci-fi: To spy on the clients' adversaries, prosecutors say, they hired a pair of hackers.
Nathan Moser and Peter Siragusa were working on behalf of Internet marketing company ViSalus to investigate a competitor, which ViSalus had sued for poaching some of its former employees. Next, the government alleges, Moser and Siragusa—a retired, 29-year veteran of the San Francisco police department—recruited two hackers to break into the email and Skype accounts of the competing firm. To cover their tracks, they communicated by leaving messages in the draft folder of the Gmail account "krowten.a.lortnoc"—"control a network" in reverse, according to the indictment.
A posting by a person searching for exploits and using the email address of accused hacker Sumit Gupta.
Federal prosecutors did not specify how the defendants found their hackers, but an email address apparently belonging to one of the hackers, Sumit Gupta of Jabalpur, India, was also used last year on the freelancer message board WorkingBase by someone seeking software that could compromise computers running Windows and Microsoft Office. The poster, who was offering $250 to $750, wrote, "Code should be FUD," meaning fully undetectable, "and fully working. Looking a cheap cost."
Clients span from executives hoping to gain an edge over their competitors to spurned lovers hoping to spy on their exes.
The California case sheds light on a burgeoning cybercrime market, where freelance hackers, both on public forums and in black markets, cater to everyone from cheating students and jealous boyfriends to law firms and executives, according to Jeffrey Carr, president of Seattle-based security firm Taia Global. He calls the industry "espionage as a service."
While it is difficult to verify the legitimacy or the quality of the hacker postings on a half-dozen online exchanges that Fast Company examined, some sites boast eBay-like feedback mechanisms that let users vouch for reliable sellers and warn each other of scams. Carr describes a range of expertise, from amateur teenagers wielding off-the-shelf spyware who may charge up to $300 for a single operation, to sophisticated industrial espionage services that make tens of thousands of dollars or more smuggling intellectual property across international lines. "The threat landscape is very complex," he says. "A hacker group will sell to whoever wants to pay."
At Hackers List, for instance, hackers bid on projects in a manner similar to other contract-work marketplaces like Elance. Those in the market for hackers can post jobs for free, or pay extra to have their listings displayed more prominently. Hackers generally pay a $3 fee to bid on projects, and users are also charged for sending messages. The site provides an escrow mechanism to ensure vendors get paid only when the hacking's done.
While Hackers List says it's intended only for "legal and ethical use" like recovering lost passwords, it boasts about a dozen job listings a day, in some cases to anyone capable of hacking into private websites, social media accounts, and online games.
