The private military industry skyrocketed in the early 2000s during the Global War on Terror, and nation-states around the world came to recognise the value and advantage of outsourcing military capabilities to the private sector. The reasons for outsourcing vary, from plausible deniability to resource constraints, and from cost efficiency to risk management.
With state and non-state actors continuing to rapidly develop their 5th Generation Warfare (5GW) capabilities, cyberspace has become the forefront of such developments and contests, creating a gap for cyber mercenaries to fill. The waters around cyber statecraft are already murky, and cyber mercenaries blur the lines even further. Adversary attribution is the kryptonite of most cyber intel practitioners, but that’s not the focus of this article.
In this article, I’d like to dive deeper into the emerging field of cyber mercenaries and the rise of state actors outsourcing their cyber warfare and cyber espionage capabilities to private entities. We’ll look into a few case studies of cyber mercenary groups that are either currently active or have been active in the past.
Atlas Intelligence Group – The Cybercrime Marketplace Revolutionising Hacking-for-Hire
First discovered by Cyberint in 2022, Atlas Intelligence Group (AIG), also known as “Atlantis Cyber-Army”, stood out as a unique cyber-criminal organisation. The group focuses on recruiting cyber mercenaries for specific jobs and keeping recruits on a “need-to-know” basis when it comes to strategic campaigns.
AIG is recognised for its efficient and structured approach to carrying out cyber operations, which include everything from ransomware deployments to complex espionage missions. Their operations have been linked to a wide variety of criminal activities targeting corporations and governments worldwide.
Business Model
AIG operates on a marketplace model, where clients can access a selection of cyberattack services. Their catalog includes ransomware, DDoS attacks, cyber espionage, and data theft. These services are sold at different price points, depending on the complexity of the operation. The group operates in cryptocurrency, typically Bitcoin, which helps maintain anonymity and ensures untraceable transactions. AIG is one of the most organised groups in the dark web, using a subscription-based or one-time payment system for various cybercrime packages.
Operation Method
AIG relies on a decentralised network of cybercriminals. They recruit skilled hackers, developers, and malicious actors to carry out operations on behalf of clients. The group maintains a certain level of operational segregation: only admins and key figures are fully in the know about ongoing operations, while recruits doing the “dirty work” are kept in the dark and only informed of their specific tasks. It has been reported that the group puts heavy emphasis on accountability and professionalism, providing their clients with proof of work throughout the contract. Unlike other cyber-criminal organisations, AIG’s operating model is akin to that of a sophisticated cartel.
Communication Channels
AIG operates through encrypted dark web forums and private messaging platforms such as Telegram. They operate three different Telegram channels, each with thousands of subscribers. These channels are dedicated to data leak sales, recruitment, and announcements, respectively.
Furthermore, AIG offers an easy and anonymous method to purchase their services through their e-commerce store hosted on the Sellix.io platform.
Group Structure
As previously stated, AIG’s structure is very sophisticated and bears resemblance to organised cartels. At the top of the food chain is an individual known as Mr.Eagle, who oversees all of the group’s operations.
The “Admins Team” acts as the senior management of AIG, overseeing upcoming and ongoing campaigns, recruitment, communication, and advertising. Cyberint has identified at least four individuals making up the Admins Team, namely El Rojo, Mr.Shawji, S41T4M4 and Coffee.
The Dark Basin – Fall-Guys-for-Hire
Dark Basin was a hacker-for-hire group that was uncovered by Citizen Lab in 2017. It was initially reported that the group targeted thousands of individuals and hundreds of organisations across six continents, chief among these being advocacy groups, journalists, and senior government officials. Citizen Lab established high-confidence links between Dark Basin and an Indian company named BellTroX InfoTech Services.
Business Model
Dark Basin operated as a contract-based hacking service, targeting individuals and organisations based on client requests. The operation focused on gathering sensitive data such as emails, internal documents, and financial records that could be used in legal disputes or corporate espionage.
Operation Method
Dark Basin relied heavily on phishing attacks to compromise email accounts and gain access to sensitive communications. The group used spear phishing techniques, sending carefully crafted emails to specific targets and tricking them into divulging login credentials. Once they had access to an account, Dark Basin operators would monitor it, exfiltrate data, and report back to their clients. Their activities spanned various sectors, including journalism, NGOs, activism, and corporate litigation.
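The operating method above (phished credential, then quiet monitoring and exfiltration of the mailbox) leaves a recognisable trail in mail audit logs: a sign-in from somewhere the user has never logged in from, followed shortly by a new mailbox rule that forwards mail to an outside address or deletes messages the victim should have seen. The detector below is an added example written for this article, not code from Citizen Lab, BellTroX, or any vendor report; the audit-log field names, the organisation domain example.org, the per-user baseline of known countries, and every log record are constructed for the illustration.

```python
# Added example: flag the post-phishing mailbox-takeover pattern described in
# the Dark Basin write-up (novel sign-in, then a forward/delete inbox rule).
# Log format, field names and all records below are constructed assumptions;
# a real deployment would parse the audit stream of the mail platform in use.
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.org"}   # assumed organisation domain
WINDOW = timedelta(hours=24)         # how long after a novel sign-in we stay suspicious

# Constructed baseline: countries each user has historically signed in from.
KNOWN_COUNTRIES = {
    "alice@example.org": {"ZA"},
    "bob@example.org": {"ZA"},
}

# Constructed audit events, deliberately out of order to exercise sorting.
CONSTRUCTED_EVENTS = [
    {"ts": "2024-03-02T22:16:30", "user": "alice@example.org", "event": "rule_created",
     "rule": {"forward_to": "collector@mail-drop.example", "delete": False}},
    {"ts": "2024-03-01T08:02:11", "user": "alice@example.org", "event": "login",
     "country": "ZA", "ip": "203.0.113.10"},
    {"ts": "2024-03-02T22:14:03", "user": "alice@example.org", "event": "login",
     "country": "XX", "ip": "198.51.100.77"},
    {"ts": "2024-03-02T22:17:05", "user": "alice@example.org", "event": "rule_created",
     "rule": {"forward_to": None, "delete": True, "match": "subject:password reset"}},
    {"ts": "2024-03-03T09:00:00", "user": "bob@example.org", "event": "login",
     "country": "ZA", "ip": "203.0.113.11"},
    {"ts": "2024-03-03T09:01:00", "user": "bob@example.org", "event": "rule_created",
     "rule": {"forward_to": "bob.personal@example.org", "delete": False}},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def is_external(address):
    """True when a forwarding address points outside the organisation."""
    if not address:
        return False
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect_takeover(events, known_countries, window=WINDOW):
    """Return alerts for mailbox rules that look like post-phishing persistence.

    high:   an external-forward or delete rule created within `window` of a
            sign-in from a country the user has never signed in from.
    medium: an external-forward rule with no such sign-in in the window
            (still worth a look, but could be a legitimate user action).
    """
    ordered = sorted(events, key=lambda e: _parse(e["ts"]))
    last_novel_login = {}   # user -> (time, ip, country) of most recent novel sign-in
    alerts = []
    for e in ordered:
        user, ts = e["user"], _parse(e["ts"])
        if e["event"] == "login":
            if e["country"] not in known_countries.get(user, set()):
                last_novel_login[user] = (ts, e["ip"], e["country"])
            continue
        if e["event"] != "rule_created":
            continue
        rule = e["rule"]
        external = is_external(rule.get("forward_to"))
        if not (external or rule.get("delete", False)):
            continue   # internal forward, no deletion: not part of the pattern
        novel = last_novel_login.get(user)
        if novel and ts - novel[0] <= window:
            alerts.append({"user": user, "severity": "high", "rule_ts": e["ts"],
                           "login_ip": novel[1], "login_country": novel[2], "rule": rule})
        elif external:
            alerts.append({"user": user, "severity": "medium", "rule_ts": e["ts"],
                           "rule": rule})
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover(CONSTRUCTED_EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

Run on the constructed log, the detector raises two high-severity alerts for alice (the external forward and the delete rule, both minutes after the sign-in from the unfamiliar country) and nothing for bob, whose forward stays inside the organisation. The design choice worth noting is that the rule creation, not the sign-in, is the trigger: a novel sign-in alone is noisy (travel, VPNs), but a novel sign-in followed by rules that copy or hide mail is exactly the monitoring-and-exfiltration step the article attributes to these operators.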
Communication Channels
Not much is known about Dark Basin’s communication tactics; however, it is believed they communicated with clients through encrypted channels and dark web forums, ensuring anonymity for both parties.
Group Structure
In the initial report on Dark Basin, Citizen Lab stated with high confidence that they had established links between the group and an Indian company named BellTroX InfoTech Services. The director of BellTroX, Sumit Gupta, was also indicted in California in 2015 for his involvement in a similar hacker-for-hire scheme alongside US private investigators. BellTroX employees promoted their services online as “ethical hacking”. Dark Basin was believed to have a distributed structure, with hackers and technical experts located across different regions, although primarily in India. The operation was likely run by a central management team that coordinated with various cells responsible for conducting the phishing attacks and gathering data. This decentralised approach allowed them to operate globally while maintaining operational security.
Victimology
Dark Basin’s victims were diverse, including journalists, activists, environmental NGOs, corporate executives, and lawyers involved in litigation and negotiations. Their targets were often involved in high-stakes legal cases or political movements, where access to private communications could significantly impact outcomes.
Why Cyber Mercenaries Are on the Rise
Several factors contribute to the rise of cyber mercenaries. First, the digital transformation of societies and economies has created new vulnerabilities, making cyber operations a key tool in both statecraft and corporate competition. The low cost of entry and high potential rewards make cyber mercenary operations an attractive alternative to conventional military or intelligence operations.
Second, the proliferation of sophisticated cyber tools on the black market has lowered the barrier for entry. Previously, only state actors had access to the most advanced cyber capabilities, but now, these tools are available for purchase or rent by any entity with the resources. This has enabled cyber mercenaries to offer state-level capabilities without the constraints or oversight faced by official state cyber units.
Additionally, the lack of clear international regulations or norms governing cyber warfare creates an environment where cyber mercenaries can operate with impunity. Unlike traditional warfare, where the use of mercenaries is governed by international law, cyberspace remains largely unregulated. This legal ambiguity allows cyber mercenaries to operate in a space where attribution is difficult, and accountability is minimal.
Sources and References
- https://www.jstor.org/stable/48707883
- An Introduction to Fifth Generation Warfare – Grey Dynamics
- How Does the Cyber Mercenary Business Work? (secureops.com)
- UN chief warns of ‘cyber mercenaries’ amid spike in weaponising digital tools | UN News
- Atlas Intelligence Group (A.I.G) – The Wrath of a Titan (cyberint.com)
- ‘AIG’ Threat Group Launches With Unique Business Model (darkreading.com)
- Countering hack-for-hire groups (blog.google)
- Dark Basin: Uncovering a Massive Hack-For-Hire Operation – The Citizen Lab
- Northern District of California | Private Investigators Indicted In E-Mail Hacking Scheme | United States Department of Justice
- ‘Dark Basin’ hacking group targeted thousands in hack-for-hire scheme | Red Canary
- Dark Basin: Researchers Uncover Major Hack-for-Hire Group – Infosecurity Magazine (infosecurity-magazine.com)
- Think tank report labels NSO, Lazarus ‘cyber mercenaries’ • The Register
- Void Balaur | The Sprawling Infrastructure of a Careless Mercenary – SentinelOne
- The Far-Reaching Attacks of the Void Balaur Cybermercenary Group | Trend Micro (US)
- A new group of cyber mercenaries targets businesses, journalists — including some in Russia | CyberScoop