Dark web job posts for AI & social engineering skills surge
ReliaQuest has released new analysis showing substantial growth in dark web recruitment targeting hacking skills related to artificial intelligence, cloud environments, and social engineering.
Dark web recruitment surges
The report covers data from January 2023 through July 2025 and highlights a significant increase in job-related postings on prominent cybercriminal forums such as "Exploit" and "RAMP". The volume of recruitment and self-promotion posts more than doubled from 2023 to 2024 and had already reached 2024's total by the middle of 2025. This trend points to increasing specialisation and efficiency among threat actors operating in these underground marketplaces.
Cybercriminal forums are mirroring legitimate job markets, with recruiters seeking skilled individuals and adversaries marketing themselves as job seekers. The analysis from ReliaQuest emphasises that "job-related posts on dark-web forums like 'Exploit' and 'RAMP' doubled from 2023 to 2024 and matched 2024's total by mid-2025, highlighting rapid recruitment growth."
AI automation driving new threats
One of the most notable trends identified is the growing demand for artificial intelligence experts. Attackers are no longer content with simply using large language models to generate malware. The report states: "Adversaries are increasingly recruiting AI experts to automate entire attack workflows, allowing for faster, scalable operations and freeing resources for other objectives." Integration of AI is enabling cybercriminal groups to conduct operations more rapidly and at greater scale, putting additional pressure on security operations teams.
In some cases, groups such as "GLOBAL GROUP" (formerly "BlackLock") have incorporated AI chatbots into ransomware negotiations, automating tasks that previously required significant manual input. According to the analysis, "by automating operations, adversaries can conduct attacks faster and reduce downtime between attacks, leaving organizations with less time to detect and respond."
Deepfake and language skills in demand
Deepfake technology is becoming a tool for malicious actors to execute more effective social engineering attacks. The report highlights cases such as a deepfake impersonation of a Chief Financial Officer used to extract USD $25 million from a victim company in February 2024. The analysis notes: "Since Q2 2024, recruitment posts have advertised deepfake capabilities that enable attackers to impersonate employees and execute more effective social engineering attacks."
Job postings for English-speaking social engineers are at an all-time high, more than doubling between 2024 and 2025. The report observes: "Among the most in-demand skills is English-speaking social engineering, with job posts more than doubling from 2024 to 2025. Recruiters account for 87% of these postings, indicating strong demand, likely fueled by the success of groups like 'Scattered Spider' in leveraging this skill for initial access attacks."
Cloud and IoT targets
Recruitment for expertise in cloud environments, particularly Microsoft Azure and Entra, has increased markedly. The report finds that "recruitment posts seeking candidates skilled in cloud exploitation - specifically Azure - quadrupled from 2023 to 2024." Although there was a slight decline in mentions during the first half of 2025, activity levels suggest the trend will continue, with possible spikes later in the year.
The analysis explains: "The surge in activity between 2023 and 2024 is likely driven by financially motivated threat actors, such as closed ransomware groups or affiliates, seizing the opportunity to target cloud environments to pivot into Active Directory domains." The report recommends organisations apply strong security controls in the cloud, including least privilege access, multifactor authentication (MFA), credential audits, and cloud security posture management tools.
Interest in skills aimed at exploiting Internet of Things (IoT) devices is also on the rise again after an initial dip in 2024. Recruitment for IoT device compromise is on track to surpass previous years by the end of 2025. The analysis states: "A stark example occurred in March 2025 when 'Akira' ransomware exploited a camera to bypass EDR systems, deploying ransomware and rendering the EDR solution ineffective."
Changing skills landscape
The cybercriminal job market is increasingly focused on techniques such as ClickFix malware execution, English-language social engineering, and hypervisor expertise. The demand for ClickFix expertise led to an 850% surge in related activity between late 2024 and early 2025, with a 200% spike in just one month after recruitment posts appeared.
On the point of skill development, the report says: "This fluctuation in demand for hypervisor expertise tells a familiar story: When there's demand for an expertise, adversaries quickly upskill to fill the gap... as the demand was met, hypervisor expertise became just another standard skill in the criminal job market, highlighting the adaptability of the adversary ecosystem." One cited example involves the "Scattered Spider" group compromising virtual environments by leveraging social engineering and deploying ransomware through their own virtual machines.
Defensive recommendations
ReliaQuest recommends that enterprises remain aware of evolving recruitment trends to anticipate emerging cyber threats. The analysis underlines: "Although attackers continue to innovate their attacks and pursue up-and-coming skill sets, their goal remains the same: profit through data exfiltration and system encryption. The consistency in these core objectives gives organizations an advantage, allowing them to tailor defenses to disrupt attackers' progress."
The report advises organisations to implement a layered security strategy, focusing on timely detection and response, automating password resets and session terminations, and using security tools to identify exposed assets and suspicious activities. Additionally, ongoing training and awareness of social engineering tactics, proactive vulnerability management, and regular risk assessments are recommended to counteract the increasingly specialised skills being recruited in criminal marketplaces.
