Hackers for hire: Freelance cyber-spies at your service

It's like Angie's List, but for hackers.

Hackerslist.com is a marketplace that hooks up hackers with jobs, and non-hackers with experts to do their dirty work. The user-friendly site lets people post assignments and get bids from interested freelance hackers.

If it sounds sketchy, it's because it is -- but that doesn't mean it's expressly against the law. As CNET's Dan Ackerman pointed out, there are plenty of jobs that hackers can do that fall squarely within the bounds of legality -- testing your company for cybersecurity threats, for example, or helping you unlock your own cell phone if you forget your password. But the fact that the site's terms of use clearly forbid using the forum for illegal activities doesn't stop people from posting jobs to, say, break into an ex's email or Facebook account.

Some of the posts include a request to help scrub embarrassing pictures and information from search engines, change a course grade and several pleas of social media or email "hacks for justice." Fee offers range from $10 to several thousand.

Hackers List is not the only one of its kind, but it's gaining some attention, from media outlets and hacking insiders. The editor of Hacker for Hire Review -- a site dedicated to researching and reviewing sites of this type -- gave it a glowing recommendation last month, saying that it is "the way hiring a professional hacker should be," and heralding its strict no-scammers policy.

Sites like Hackers List and Neighborhood Hacker (another Hacker for Hire Review favorite) make hooking up with a hacker easy, giving the un-connected an entry point into an already robust marketplace. But these sites, said Jeffrey Carr, president and CEO of Taia Global cybersecurity consultants, are at the low end of the spectrum.

While here, Task Rabbit-like jobs are being handed out for small sums by regular Joes, "there's a lot of freelance work being done by hackers around the world," said Carr. "The hackers I have spoken to in my research earn six-figure incomes easily doing work for Russian oligarchs and billionaires." We're talking corporate espionage -- competitive intelligence and sabotage.

"These mercenary hacker groups range from small groups with little funding to specialty shops run by ex-governmental spooks to highly financed criminal groups who use similar if not identical tactics to nation state actors," he wrote in a white paper released Friday about espionage-as-a-service (EaaS), or high-echelon hacking for hire.

He believes that these hackers often fly under the regulatory radar because their advanced maneuvers are mistaken for the work of foreign governments -- as he suspects was the case in the FBI's fingering of North Korea for the Sony Pictures attack -- and predicts that this, coupled with demand for their services, will feed the growth of EaaS over the next couple years.

The process for procuring their services is, naturally, much more complex, and includes a broker to either help hackers sell their stolen data, or help find a hacker capable of getting the information a buyer wants. The chain contributes to the estimated $300 billion annual cost to U.S. companies as a result of intellectual property theft.

For the rest of us, Hackers List and others of its ilk provide an entry-level path into the marketplace that eschews the dangerous shadows of the dark web and international cyber crime syndicates. That is, unless (or until) it gets shut down.

"I'd be surprised if it actually stays up for very long now that it's been brought out," Carr mused, adding that the Computer Fraud and Abuse Act would make it easy for a prosecutor to argue that the site's owners are advocating illegal activity. "You can assume all those networks will be monitored by the NSA and the FBI. They're begging for that kind of attention."

Speaking anonymously with the New York Times, the founders of Hackers List, who identify themselves as a longtime hacker, a business administration expert and a lawyer, said that they structured the Colorado-based site to indemnify themselves against liability for wrongdoing on the part of the site's users.

In any event, Carr considers operations like this small potatoes in the grand scheme of things. "No serious Black Hatter would ever do anything like that," he said.

  • Amanda Schupak

    Amanda Schupak is the science and technology editor at CBSNews.com