Economy of hacking: how do hackers make money?

Joseph Poppy Headshot
Joseph Poppy
Security Blogger
04th February 2022

The root of all evil

80% of all human endeavour is committed to making money, with the remaining 20% spent finding interesting ways to spend it. These are figures that I’ve just made up, but I said it in the Bulletproof office, and everyone nodded, which either means it speaks a certain truth or, once again, everyone is doing their best to ignore me. With this in mind, it’s fair to say people tend not to put a lot of effort into something unless they know they’re going to be financially rewarded for it. This includes hacking.

Whilst there are undoubtedly those who just hack for fun, the majority of malicious hacking is done, unsurprisingly, for financial gain. There are a lot of ways someone with a certain set of cyber skills can make money. The above-board way is to become a penetration tester, which can lead to a long, lucrative and satisfying career. However there are those who embrace the dark side become a hacker – and there’s a lot of ways a hacker can monetise their misdeeds.

From simple, age-old tactics to clever new strategies, there’s a lot that keeps the hackers’ economy afloat. Remember, most hackers are going to give all of them a go at the same time, so you need to be alert.

Hackers are finding more and more ways to monetise their time and effort
Hackers can just nick your credit card
Card details stolen online can be cloned, sold or simply used to buy nice things

Hackers can just nick your credit card

Starting with the obvious, cyber criminals can just swipe your credit card, or rather your credit card data. The last few years have seen a number of card-skimming instances. One high-profile attack involved over 300,000 British Airways customers losing their credit card details to hackers, resulting in a hefty £180 million fine (thanks, GDPR)! The main culprit was a nefarious line of JavaScript called Magecart. If this script was placed into embedded payment pages, then hackers could steal credit card details as they are entered and submitted. There was no need to go to the bother of compromising databases themselves.

Magecart has been described as "the biggest threat to e-commerce in 2020", and big names such as Ticketmaster and the aforementioned BA have been hit. Whilst it could be argued that adhering to compliance packages such as PCI DSS would prevent these types of attack, recent events show that this is not necessarily the case.

Selling data on the dark web
The dark web... backlit keyboards are essential

Selling data on the dark web

As any good penetration tester will tell you, compromising a confidential corporate database is a challenging hack more often than not, so why do hackers do it? Well, for the hundreds of millions of records containing personal information. Whilst this information can be used to commit identity theft, those who purloin such data tend to sell it on the dark web instead.

The dark web might sound like something from a cheap fantasy book, but there’s a lot of dodgy activities that goes on there. Personal data lifted from compromised databases (particularly email addresses) can be sold. Personal data is valuable as it can be used by those in the know to commit identity theft. Hotel chain Marriott was hacked in 2018 and 2020 (will they ever learn?), and the vast amount of data stolen, which included passport numbers, will certainly end up for sale on the dark web. A particular note-worthy case was 2020's easyJet hack, where the personal details of over 9,000,000 people fell into hackers’ hands.

In addition to this, email addresses can be sold on to enable fraudsters to commit phishing campaigns, which in turn could lead to identity theft or the spreading of malware for other monetisation streams, such as whaling (we’ll get to that later). That malware in question could be adware, cryptomining software or even our old friend ransomware. Speaking of which...

Even after paying a hacker's ransom, there’s no guarantee you’ll get access to your files
Never forget the classic
Some hackers use Bitcoin to monetise their ransomware attacks.

Never forget the classic

You may remember ransomware from its sell-out 2017 tour (you might recall its smash hit, WannaCry, which crippled the NHS), and it’s not gone away. Research from Sophos shows that from 2017 to 2020, ransomware campaigns have only dropped 3%, and 51% of companies are still hit by ransomware. This makes it an effective way for hackers to make money. We spoke of this iconic cyber villain in our 2019 annual cyber security report, and highlighted its continuing prevalence in our 2020 report too. Theoretically, it’s the simplest way to monetise a hack. Through sophisticated phishing tactics or simply by dropping malware once access has been gained to a network, hackers can begin encrypting crucial files and charge a hefty sum (usually in Bitcoin) to unencrypt them.

If that wasn’t bad enough, a lot of companies found that when they paid the ransom (something you should never do) they didn’t actually get their files back. You can’t trust hackers these days. Worryingly, ransomware is evolving. Some strains deliberately slow the rate of encryption and spread in order to keep under alerting thresholds and therefore stay undetected for longer. Some have even showed devious tactics like directly encrypting the hard drive’s Master Boot Record, meaning there’s no need to waste all that time going from file to file.

WannaCry alone is known to have earned hackers at least £108,000 in Bitcoin. This is a tidy sum, but the cost to businesses is of course much higher than this, as they must suffer loss of sales and cost of recovery. £100k is a good haul, so hackers are unlikely to let it go.

Have you considered a career in security?

Penetration testers use real-life hacker tools and techniques to legitimately test the security of an organisation’s apps and infrastructure.

Bulletproof are always on the lookout for talented individuals, so if you’re a seasoned pen tester or just looking to start out, you’ll find a role on our careers page.

Learn more
Hi-ho hi-ho, let’s mine some Monero
And once you’ve been mining long enough, a coin grows inside your computer. That’s how it works.

Hi-ho hi-ho, let’s mine some Monero

As we pointed out in the Bulletproof annual cyber report 2019, cryptojacking became more prominent on the cyber landscape over 2017’s ransomware trend. For reasons I still don’t understand, Bitcoin became a thing, setting a precedent that lead to a rise in digital ‘currencies’. The majority of these are obtained by using CPU or more recently GPU power to ‘mine’ for it. As said, Bitcoin is the most popular currency, but is becoming increasingly harder, and therefore less profitable, to mine. Monero seems to be the currency of choice for most hackers.

When mining for Monero (XMR), you are in fact part of a wider mining pool which uses your resources to maintain a public ledger which records transactions. For every transaction recorded you are rewarded with a small amount of XMR. If all of this sounds like nonsense, well, it’s because it is, but that’s the world we live in now.

Is your CPU unusually high? It’s this guy’s fault

The value of cryptocurrencies can fluctuate wildly, and the profitability of mining them is affected considerably by how much it costs to run the mining rig. A single computer won’t help much in the grand scheme of things, so naturally, to make any real money out of mining Monero, people will need a lot of CPU. A lot of CPU will inevitably rack up quite the electricity bill. So, instead of home mining rigs, hackers have worked out that it’s more cost effective to use other people’s CPU to mine for them.

This approach has led to a cryptojacking epidemic. Racks of servers are obviously juicy targets, so businesses have been hit relentlessly by the trend. Monero is different in the sense that the algorithm used to mine it can be injected into the code of a website or browser, meaning that anyone who happens to visit the affected website will unwittingly provide their CPU to a mining pool. The current value (at time of writing) of XMR sits at $64. Obviously, it takes a long time – or a lot of CPU – to generate 1 XMR, but several hacking groups have found ways to earn thousands from these campaigns.

Cryptomining is a lot more cost effective if you’re not the one footing the electric bill
Botnets for hire
Botnets are commonly used to perform DDoS attacks

Botnets for hire

Botnets, consisting of compromised devices forming a... net, are getting larger. This is in part due to the relatively recent explosion of IoT devices, particularly cheap variants that have taken a slapdash approach to security (if they took any approach at all). If a computer, server or IoT device is added to a botnet, the chances are you’ll never know, as the malware used won’t cause any noticeable disruptions. Hacking groups are forever struggling to have the biggest botnet, because in this instance size really can matter.

These botnets can then be used to commit targeted DDos attacks. This is where a site or service gets bombarded with so many requests that the server can’t process them quick enough, causing it to fall over and take the service offline. Think of it like a pub with only one person manning the bar, but thousands of customers barking out orders. Eventually, the poor bar person will curl up on the floor and cry and then no one can get a drink.

Hacking groups can charge an hourly rate for use of their botnet. There are a number of reasons for people to want to take a service offline, from cyber extortion, to people who are just angry at a site for their own reasons.

Grab your harpoon

We touched upon phishing earlier. This practise can easily cause a business no end of mischief. A more extreme version is whaling. Like phishing, whaling is the practise of sending an email in order to trick a user into doing something, only it specifically targets those higher up the chain of command. This is an easy way to commit CFO (or CEO) fraud by tricking a user into authorising a payment in response to a false invoice or simply stating that a wire transfer has to occur.

A lovely bit of blackmail
Why not check how many breaches your email addresses has been included in?

A lovely bit of blackmail

Whilst not technically ‘hacking’, there has been a rise in sextortion emails. These usually say something along the lines of:

“Dear user, we have managed to compromise your email box. To prove we have done this, your password is PASSWORD. Through this, we have managed to install malware on your computer which lets us see your screen and take control of your webcam. We’ve seen you accessing adult content, so send us lots of money in bitcoin or we will send the videos we have to all your contacts.”

Though the grammar will usually be much worse. Whilst this shows a distinct lack of understanding of how malware can work its way onto your computer, the inclusion of your actual password (or more likely, a former password) lends it a sense of authenticity. If they know this, what else could they have done?

Hackers would have received this password from previous data breaches, which unfortunately you have been involved in. You can see just how many breaches have included your email address on Troy Hunt’s superb (and free) haveibeenpwned service. If it’s any less than three, you either don’t use your email for much or you are very selective.

Surprisingly, some of these sextortion campaigns have been said to have earned $50k in the span of a week. Not bad for a simple bit of spam. This just goes to show that an extra bit of information can lend an air of believability to an email. Or some people have guilty consciences. The more data appearing in breaches, the more convincing these emails could become.

Penetration testers specialise in legally testing the security of an organisation's systems and applications
Money Money Money
Ensuring your business has tight security will make hacking less profitable

Money Money Money

There are yet more ways for hackers to make money. We haven’t even mentioned those paid to commit dubious acts on behalf of nations. Of course, the easiest way for a hacker to make money would be to become a penetration tester. Penetration testing is basically ethical, licensed hacking. You can earn good money and get great job satisfaction without the falling foul of the law.

Naturally, all the above tactics will adapt to changing environments and continue to plague the cyber landscape. Unfortunately, as long as there is money to be made, hackers will continue to hack. However, there are ways to defend against all of these issues. Effective SIEM threat monitoring can keep watch over your important assets. Penetration testing can check for any weaknesses in your apps and infrastructure to ensure no rogue code finds its way through the net. Effective security training can help educate your staff against the threats that are forever lurking in the cyber shadows.

If you make sure your business is doing everything right and has tight defences, it’ll become less profitable for hackers to have their way. The less profitable it becomes and the harder it is, the less of a target you’ll be.

Joseph Poppy Headshot

Meet the author

Joseph Poppy Security Blogger

Joseph is a Communications Executive and Security Blogger who has contributed articles covering a range of topics including staying ahead of cyber threats.

Keep hackers out of your business

Find your vulnerabilities before a hacker exploits them. Discover penetration testing today.

Discover pen testing

Related resources

Trusted cyber security & compliance services from a certified provider

Get a quote today

If you are interested in our services, get a free, no obligation quote today by filling out the form below.

(1,500 characters limit)

For more information about how we collect, process and retain your personal data, please see our privacy policy.