Digital Soldiers of Fortune: The Rise of Cyber Mercenaries

Updated: Oct 22, 2024



The private military industry skyrocketed in the early 2000s during the Global War on Terror, and nation states around the world came to recognise the value and advantage of outsourcing military capabilities to the private sector. This outsourcing may stem from various reasons -- from plausible deniability to resource constraints, from cost efficiency to risk management.


With state and non-state actors continuing to rapidly develop their 5th Generation Warfare (5GW) capabilities, cyberspace has become the forefront of such development and contest, creating a gap for cyber mercenaries to fill. The waters of cyber statecraft are already murky, and cyber mercenaries blur the lines even further. Adversary attribution is the kryptonite of most cyber intel practitioners, but that's not the focus of this article.


In this article, I'd like to dive deeper into the emerging field of cyber mercenaries and the rise of state actors outsourcing their cyber warfare and cyber espionage capabilities to private entities. We'll look into a few case studies of cyber mercenary groups who are either currently active or have been active in the past.


Defining Cyber Mercenaries

Cyber mercenaries operate in a grey area of cyber warfare, where traditional state actors and criminal organisations intersect. Unlike state-sponsored threat actors, which are bound by a chain of command and geopolitical strategy, cyber mercenaries act independently, motivated primarily by financial gain. They offer services that range from offensive cyber operations—such as hacking and data theft—to disinformation campaigns, espionage, and cyber sabotage.


Their emergence mirrors the role of private military contractors (PMCs) in conventional warfare, where military expertise is outsourced to the private sector. Cyber mercenaries, however, have the advantage of anonymity and deniability, making it difficult to attribute their actions to any particular client. This creates a powerful tool for nation-states and corporations that want to conduct covert operations without facing the direct consequences of cyber retaliation or international condemnation.


Case Study 1: Atlas Intelligence Group - The Cybercrime Marketplace Revolutionising Hacking-for-Hire


Overview

First discovered by Cyberint in 2022, Atlas Intelligence Group (AIG), also known as "Atlantis Cyber-Army", stood out as a unique cyber-criminal organisation. The group focuses on recruiting cyber mercenaries for specific jobs and keeping recruits on a "need-to-know" basis when it comes to strategic campaigns.


AIG is recognised for its efficient and structured approach to carrying out cyber operations, which include everything from ransomware deployments to complex espionage missions. Their operations have been linked to a wide variety of criminal activities targeting corporations and governments worldwide.


Business Model

AIG operates on a marketplace model, where clients can access a selection of cyberattack services. Their catalog includes ransomware, DDoS attacks, cyber espionage, and data theft. These services are sold at different price points, depending on the complexity of the operation. The group operates in cryptocurrency, typically Bitcoin, which helps maintain anonymity and ensures untraceable transactions. AIG is one of the most organised groups in the dark web, using a subscription-based or one-time payment system for various cybercrime packages.


Operation Method

AIG relies on a decentralised network of cybercriminals. They recruit skilled hackers, developers, and malicious actors to carry out operations on behalf of clients. The group maintains a certain level of operational segregation, where only admins and key figures are fully in-the-know about ongoing operations, while recruits doing the "dirty work" are kept in the dark and only informed of their specific tasks. It has been reported that the group puts heavy emphasis on accountability and professionalism, providing their clients with proof of work throughout the contract. Unlike other cyber-criminal organisations, AIG's operations model is akin to that of a sophisticated cartel.


Communication Channels

AIG operates through encrypted dark web forums and private messaging platforms such as Telegram. They operate three different Telegram channels, each with thousands of subscribers. These channels are dedicated to data leak sales, recruitment, and announcements, respectively.


Furthermore, AIG offers an easy and anonymous method to purchase their services through their e-commerce store hosted on the Sellix.io platform.


Group Structure

As previously stated, AIG's structure is very sophisticated, and bears resemblance to organised cartels. At the top of the food chain is an individual known as Mr.Eagle, who oversees all of the group's operations.


The "Admins Team" acts as the senior management of AIG, overseeing upcoming and ongoing campaigns, recruitment, communication, and advertising. Cyberint has identified at least four individuals making up the Admins Team, namely El Rojo, Mr.Shawji, S41T4M4 and Coffee.


Finally, the "Mercenaries" are the hackers-for-hire of the group, performing all the jobs for AIG's clients. Interestingly, there are no permanently employed mercenaries in AIG. Mercenaries are employed as contractors, for roles including, but not limited to, "red teamers", "social engineering" and "OSINT experts".


Victimology

AIG’s victims include a wide spectrum of entities, from high-net-worth individuals to multinational corporations and government agencies. AIG truly lives up to the "soldiers of fortune" mantra. They do not target specific industries or regions, but rather take on contracts that will bring in the most profit. Based on their marketplace listings, most of the leaked data they sell originates from public sector entities and government targets, while most of the initial access they sell comes from the finance, manufacturing, and education industries.


Case Study 2: Dark Basin - Fall-Guys-for-Hire


Overview

Dark Basin was a hacker-for-hire group that was uncovered by Citizen Lab in 2017. It was initially reported that the group targeted thousands of individuals and hundreds of organisations across 6 continents, chief among these being advocacy groups, journalists, and senior government officials. Citizen Lab established high-confidence links between Dark Basin and an Indian company named BellTroX InfoTech Services.


Business Model

Dark Basin operated as a contract-based hacking service, targeting individuals and organisations based on client requests. The operation focused on gathering sensitive data such as emails, internal documents, and financial records that could be used in legal disputes or corporate espionage.


Operation Method

Dark Basin relied heavily on phishing attacks to compromise email accounts and gain access to sensitive communications. The group used spear phishing techniques, sending carefully crafted emails to specific targets, tricking them into divulging login credentials. Once they had access to an account, Dark Basin operators would monitor it, exfiltrate data, and report back to their clients. Their activities spanned various sectors, including journalism, NGOs, activism, and corporate litigation.


Communication Channels

Not much is known about Dark Basin's communication tactics; however, it is believed they communicated with clients through encrypted channels and dark web forums, ensuring anonymity for both parties.


Group Structure

In the initial report on Dark Basin, Citizen Lab stated with high confidence that they had established links between the group and an Indian company named BellTroX InfoTech Services. The director of BellTroX, Sumit Gupta, was also indicted in California in 2015 for his involvement in a similar hacker-for-hire scheme alongside US private investigators. BellTroX employees promoted their services online as "ethical hacking". Dark Basin was believed to have a distributed structure, with hackers and technical experts located across different regions, although primarily in India. The operation was likely run by a central management team that coordinated with various cells responsible for conducting the phishing attacks and gathering data. This decentralised approach allowed them to operate globally while maintaining operational security.


Victimology

Dark Basin's victims were diverse, including journalists, activists, environmental NGOs, corporate executives, and lawyers involved in litigation and negotiations. Their targets were often involved in high-stakes legal cases or political movements, where access to private communications could significantly impact outcomes.


Case Study 3: Void Balaur - The Infamous Cyber Mercenary Group


Overview

Void Balaur is a notorious cyber mercenary group that has gained global attention for its involvement in hacking-for-hire operations. The group, named after a mythical Romanian dragon, has been linked to a wide range of cyber-attacks targeting high-profile individuals, corporate executives, government officials, and political dissidents. The group operates on a contract basis, providing their services to a variety of clients, including private investigators, corporations, and possibly nation-states. Void Balaur has become infamous for its willingness to target anyone for the right price, making them one of the most dangerous players in the cyber mercenary landscape.


Business Model

Void Balaur operates as a cybercrime-for-hire service, offering a variety of hacking and espionage services to clients willing to pay for access to their advanced capabilities. Their business model revolves around targeted attacks, including email and social media account hacking, data exfiltration, surveillance, and doxing. They also offer "real-time monitoring" of individuals' communications, making them a valuable resource for clients looking to gather intelligence or gain leverage over their targets.


Void Balaur has been linked to the sale of personal data stolen from various government databases, including passport information, medical records, and telecommunications data. This access to sensitive information has allowed the group to expand its range of services and attract clients with various motives, including corporate espionage, political opposition, and even personal vendettas.


The group conducts its business primarily on dark web forums, where clients can place orders and pay for services using cryptocurrency, ensuring anonymity and making it difficult for law enforcement to trace their activities.


Operation Method

Void Balaur focuses primarily on spear phishing, credential theft, and network infiltration. They use a combination of social engineering techniques and custom-built malware to compromise their targets. Once inside a system or account, they exfiltrate sensitive data, including emails, documents, and personal information, which can be used by their clients for blackmail, corporate espionage, or political sabotage.


One of the group's signature tactics is their ability to hack into telecommunications networks, allowing them to track and monitor individuals in real-time by accessing call records, text messages, and even location data. Void Balaur's advanced capabilities have made them particularly effective at gathering intelligence on high-profile targets, including politicians, journalists, and corporate executives.


Communication Channels

Void Balaur is not known to communicate or advertise their services on non-Russian-language dark web forums and cyber-criminal marketplaces. They are believed to make use of encrypted messaging platforms, and their reliance on anonymity networks like Tor helps them protect their operations from being traced by law enforcement. Once a contract is agreed upon, the group likely uses secure communication tools like PGP encryption to exchange sensitive information, ensuring that both they and the client maintain confidentiality throughout the operation.


In some cases, Void Balaur has been known to offer live updates to their clients as they monitor or attack their targets, providing real-time data as it is exfiltrated. This level of direct interaction with clients sets them apart from other hacker-for-hire groups, which often operate in a more hands-off manner.


Group Structure

Although knowledge on their structure and operating model is scarce, Void Balaur appears to be a decentralised organisation, with a core leadership team directing operations and recruiting skilled hackers to carry out various tasks. The group functions with a high level of compartmentalisation, ensuring that different cells are responsible for specific operations. This decentralised structure makes the group resilient to law enforcement crackdowns, as different parts of the organisation can continue operating even if one cell is compromised.


According to TrendMicro's report on Void Balaur from November 2021, the group appears to keep hours similar to those of a legitimate company. They start their working day around 06:00 UTC and work until 19:00 UTC. The group is reportedly less active over weekends, but often works seven days a week and does not take long breaks over holidays.
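The working-hours pattern reported above is the kind of signal an analyst can extract from any set of timestamped adversary actions (phishing sends, logins to attacker-controlled mailboxes, C2 check-ins). The Python script below is an added example written for this article; it is not code from the original post or from Trend Micro. It builds hour-of-day and day-of-week histograms from a constructed set of UTC timestamps (invented values, not data from any report), derives the actor's active window and weekend share, and applies a labelled heuristic, which is an assumption rather than a rule from any report, that translates the first active hour into a candidate UTC offset.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: UTC timestamps of observed adversary actions over one
# week. These values are made up for this example.
SAMPLE_EVENTS = [
    # Mon 2021-11-01
    "2021-11-01T06:12:00Z", "2021-11-01T08:40:00Z", "2021-11-01T11:05:00Z",
    "2021-11-01T14:30:00Z", "2021-11-01T17:55:00Z",
    # Tue
    "2021-11-02T06:30:00Z", "2021-11-02T09:15:00Z", "2021-11-02T12:45:00Z",
    "2021-11-02T16:20:00Z", "2021-11-02T18:50:00Z",
    # Wed
    "2021-11-03T07:05:00Z", "2021-11-03T10:10:00Z", "2021-11-03T13:35:00Z",
    "2021-11-03T15:00:00Z", "2021-11-03T18:05:00Z",
    # Thu
    "2021-11-04T06:45:00Z", "2021-11-04T09:50:00Z", "2021-11-04T12:10:00Z",
    "2021-11-04T14:55:00Z", "2021-11-04T18:30:00Z",
    # Fri
    "2021-11-05T07:20:00Z", "2021-11-05T11:40:00Z", "2021-11-05T16:10:00Z",
    # Sat / Sun: sparse weekend activity
    "2021-11-06T10:30:00Z", "2021-11-07T12:00:00Z",
]

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hour_histogram(timestamps):
    """Count events per UTC hour of day (0-23)."""
    return Counter(parse_utc(t).hour for t in timestamps)


def weekday_histogram(timestamps):
    """Count events per weekday name."""
    return Counter(WEEKDAYS[parse_utc(t).weekday()] for t in timestamps)


def active_window(hist, min_events=1):
    """Return (first_active_hour, end_hour) in UTC, end exclusive, considering
    only hours with at least min_events events; None if nothing qualifies."""
    active = sorted(h for h, n in hist.items() if n >= min_events)
    if not active:
        return None
    return active[0], active[-1] + 1


def weekend_fraction(timestamps):
    """Share of events that fall on Saturday or Sunday."""
    wd = weekday_histogram(timestamps)
    total = sum(wd.values())
    return (wd["Sat"] + wd["Sun"]) / total if total else 0.0


def candidate_utc_offset(start_hour_utc, local_start=9):
    """Heuristic (assumption): if the actor's day begins at start_hour_utc and a
    typical local workday begins at local_start, the actor's clock runs roughly
    local_start - start_hour_utc hours ahead of UTC. Normalised to -12..+11."""
    return (local_start - start_hour_utc + 12) % 24 - 12


def profile(timestamps):
    """Summarise an actor's temporal pattern from a list of UTC timestamps."""
    hist = hour_histogram(timestamps)
    window = active_window(hist)
    wd = weekday_histogram(timestamps)
    return {
        "events": len(timestamps),
        "hour_histogram": dict(sorted(hist.items())),
        "weekday_histogram": {d: wd[d] for d in WEEKDAYS},
        "active_window_utc": window,
        "weekend_fraction": round(weekend_fraction(timestamps), 2),
        "candidate_utc_offset": candidate_utc_offset(window[0]) if window else None,
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed sample the active window comes out as 06:00 to 19:00 UTC with 8% of events on the weekend, and the offset heuristic suggests an actor clock around UTC+3. The heuristic is only a starting point: actors can work shifted hours, and a single week of data is far too little to draw a conclusion from, so this belongs alongside language, infrastructure and TTP evidence rather than in place of them.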


While the exact size of Void Balaur is unknown, the group's extensive activities suggest a highly organised and professional operation capable of running multiple campaigns simultaneously across different regions and sectors.


Victimology

Void Balaur's services are not only acquired for typical cyber-crime but are used for political reasons as well. Common targets for the group are based in former Soviet states; however, Void Balaur has been known to target individuals and organisations based elsewhere in Europe and in other parts of the world. Void Balaur's victims are varied and include corporate executives, politicians, journalists, human rights activists, and high-net-worth individuals. The group's clients often seek to gather intelligence on political rivals, business competitors, or activists who oppose government policies. The group's ability to infiltrate telecommunications networks has allowed them to target individuals across industries and geographies, making their victims vulnerable to surveillance and data theft regardless of their location. Although the group is primarily Russian-speaking, they have been known to target Russian businesses and political entities.


TrendMicro's investigation into Void Balaur uncovered that the most common targets for the group are organisations with access to large amounts of individuals' personal data. These targets include:

  • Mobile and core telco companies

  • Cellular equipment vendors

  • Radio and satellite communication companies

  • ATM machine vendors

  • Point-of-sale (POS) system vendors

  • Fintech companies and banks

  • Business aviation companies

  • Medical insurance organisations in at least three regions of Russia

  • In Vitro Fertilization (IVF) clinics in Russia

  • Biotechnology companies that offer genetic testing services


Why Cyber Mercenaries Are on the Rise

Several factors contribute to the rise of cyber mercenaries. First, the digital transformation of societies and economies has created new vulnerabilities, making cyber operations a key tool in both statecraft and corporate competition. The low cost of entry and high potential rewards make cyber mercenary operations an attractive alternative to conventional military or intelligence operations.


Second, the proliferation of sophisticated cyber tools on the black market has lowered the barrier for entry. Previously, only state actors had access to the most advanced cyber capabilities, but now, these tools are available for purchase or rent by any entity with the resources. This has enabled cyber mercenaries to offer state-level capabilities without the constraints or oversight faced by official state cyber units.


Additionally, the lack of clear international regulations or norms governing cyber warfare creates an environment where cyber mercenaries can operate with impunity. Unlike traditional warfare, where the use of mercenaries is governed by international law, cyberspace remains largely unregulated. This legal ambiguity allows cyber mercenaries to operate in a space where attribution is difficult, and accountability is minimal.


The Implications for Global Security

The rise of cyber mercenaries has profound implications for global security. Their operations can disrupt critical infrastructure, compromise sensitive data, and undermine trust in governmental and corporate institutions. The growing involvement of these groups in geopolitically sensitive operations also increases the risk of miscalculation and unintended escalation between nation-states.


The Grey Area Between Cyber-Criminals and State-Sponsored Actors

Cyber mercenaries often operate in a blurred space between cyber-criminal enterprises and state-sponsored actors. Unlike traditional cyber-criminals motivated solely by financial gain, cyber mercenaries are contracted for operations that serve a wide range of purposes, from espionage to disruption. These operations may be conducted on behalf of nation-states, corporations, or even organised crime syndicates, depending on who is willing to pay. For instance, groups like Void Balaur have been linked to both criminal enterprises and political campaigns, offering hacking services to a wide array of clients.


This grey area creates difficulties in framing policies or legal responses, as the same group may one day work for a government, conducting what could be considered state-sanctioned cyber warfare, and the next day, conduct illegal espionage for a private entity. The lack of clarity about whether these actors should be treated as cyber-criminals, private contractors, or state agents complicates international legal responses and cooperation.


The Challenge of Attribution

Attribution is particularly challenging when dealing with cyber mercenaries. Many of these groups employ sophisticated OPSEC techniques, such as encrypted communications, VPNs, burner devices, and dark web platforms, to conceal their identities. Additionally, because cyber mercenaries operate on behalf of third parties, attacks can easily be misattributed to their clients or even another state.


For example, a cyber mercenary group could conduct attacks that serve a state's interests, leading to speculation about their ties to national governments, especially when political or strategic objectives align with those of certain nations. This ambiguity makes it difficult to determine whether the attack was state-sponsored or purely mercenary in nature. Misattribution can have serious consequences, leading to misguided retaliation or diplomatic crises based on incorrect assumptions about the actor behind the attack.


The Challenge of Imposing Costs on Cyber Mercenaries

Imposing costs on cyber mercenaries is a major hurdle for law enforcement and cyber defence organisations. One of the main reasons is the globalised nature of cyber mercenary operations, which often transcend national borders. These groups can be physically located in one country while carrying out attacks on organisations or individuals in another, making it difficult for law enforcement agencies to pursue them. Moreover, cyber mercenaries frequently operate from jurisdictions that have limited or no extradition treaties, effectively shielding them from prosecution.


In addition, the use of cryptocurrencies for payment further complicates efforts to track and sanction cyber mercenaries. Anonymous transactions make it challenging to follow the financial trails left by cyber mercenaries or their clients. Even when some of these actors are exposed, they can often regroup under a new name or platform, as seen in the persistence of groups like Dark Basin.


Furthermore, imposing costs on cyber mercenaries requires an international coalition of law enforcement and cyber security professionals, but efforts are often hindered by the reluctance of some states to cooperate, especially when they may benefit from the services of these groups. Some countries may covertly harbour or tolerate cyber mercenaries, turning a blind eye to their activities as long as they align with national interests or remain directed at foreign entities.


The Need for Intelligence in Countering Cyber Mercenaries

As cyber mercenaries continue to proliferate, threat intelligence practices and methodology have become indispensable resources in the fight against these actors. Cyber intelligence platforms can provide crucial insights into emerging threats, enabling better decision-making, improved readiness, and faster response. A successful threat intelligence programme involves not only collecting data but also ensuring that intelligence is actionable.


Enhancing Visibility and Early Detection

Threat intelligence platforms (TIPs) aggregate and correlate data from multiple sources -- including internal and external data points, dark web forums, public data, and proprietary data feeds -- which should allow organisations to detect cyber mercenary activity before it can cause harm. By monitoring threat actors' communications and tracking their methods, these platforms can provide early warning of potential attacks, allowing for timely defensive measures. For example, intelligence on groups like Void Balaur has revealed their tactics, techniques, and procedures (TTPs), enabling organisations to anticipate and mitigate attacks before they occur.


Improving Attribution and Threat Actor Profiling

TIPs that use advanced analytics, including machine learning and behavioural analytics, can help defenders identify the source of attacks by analysing patterns and correlating data across multiple incidents. This enables organisations to build detailed profiles of threat actors, helping to differentiate between state-sponsored advanced persistent threat (APT) groups and independent mercenary actors. These profiles can then be shared across the community to enhance collective defence efforts.


Facilitating Incident Response and Risk Mitigation

TIPs are crucial in helping organisations respond to incidents by providing real-time threat assessments and actionable intelligence. When a cyber mercenary group launches an attack, these platforms should be able to quickly disseminate indicators of compromise (IOCs), TTPs, and other relevant data to organisations under threat, enabling them to swiftly adjust their defences. This collaborative, intelligence-driven approach can significantly reduce the impact of cyber mercenary activities and limit the damage caused by their attacks. To take it one step further, these platforms should allow for adversary emulation and tabletop exercises to test an organisation's response and readiness to cyber mercenary activities.
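The aggregation, matching, profiling and dissemination steps described in the three sections above can be shown end to end in a short script. The Python below is an added example written for this article, not a product's code or the author's. The two indicator feeds, the proxy log lines and the actor profiles are constructed; the domain and IP values are placeholders; the actor names MERC-1 and APT-X are hypothetical; and the technique IDs are MITRE ATT&CK identifiers used only to label the constructed data. The script merges overlapping feed entries while retaining source provenance, matches log destinations against the merged index, collects the technique IDs observed in those matches, and ranks actor profiles by Jaccard overlap, a simple set similarity standing in for the "advanced analytics" the text mentions.

```python
import re
from collections import defaultdict

# Constructed indicator feeds from two sources that partly overlap (feed_b
# repeats one of feed_a's domains with different casing and whitespace).
FEEDS = {
    "feed_a": [
        {"type": "domain", "value": "mail-secure-login.example", "ttp": "T1566.002", "actor": "MERC-1"},
        {"type": "ipv4", "value": "203.0.113.77", "ttp": "T1071.001", "actor": "MERC-1"},
    ],
    "feed_b": [
        {"type": "domain", "value": "MAIL-SECURE-LOGIN.EXAMPLE ", "ttp": "T1566.002", "actor": "MERC-1"},
        {"type": "domain", "value": "cdn-update.example", "ttp": "T1105", "actor": "APT-X"},
    ],
}

# Constructed actor profiles: ATT&CK technique IDs previously associated with
# each hypothetical actor (a hack-for-hire group and a state-sponsored group).
ACTOR_PROFILES = {
    "MERC-1": {"T1566.002", "T1078", "T1114.002", "T1071.001"},
    "APT-X": {"T1566.001", "T1105", "T1071.001", "T1059.001"},
}

# Constructed proxy log lines.
SAMPLE_LOGS = [
    "2024-10-01T07:14:02Z user=jdoe dst=mail-secure-login.example action=GET",
    "2024-10-01T07:14:40Z user=jdoe dst=intranet.corp.example action=GET",
    "2024-10-01T07:16:11Z user=jdoe dst=203.0.113.77 action=POST",
    "2024-10-01T08:02:55Z user=asmith dst=www.example.org action=GET",
]

DST_RE = re.compile(r"\bdst=(\S+)")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def normalise(indicator):
    """Canonical (type, value) key so the same indicator from two feeds merges."""
    return indicator["type"], indicator["value"].strip().lower()


def aggregate(feeds):
    """Merge feeds into one index keyed by (type, value), keeping provenance."""
    index = defaultdict(lambda: {"sources": set(), "ttps": set(), "actors": set()})
    for source, entries in feeds.items():
        for ind in entries:
            entry = index[normalise(ind)]
            entry["sources"].add(source)
            entry["ttps"].add(ind["ttp"])
            entry["actors"].add(ind["actor"])
    return dict(index)


def match_logs(lines, index):
    """Return the log lines whose destination matches an aggregated indicator."""
    matches = []
    for line in lines:
        m = DST_RE.search(line)
        if not m:
            continue
        dst = m.group(1).lower()
        key = ("ipv4", dst) if IPV4_RE.fullmatch(dst) else ("domain", dst)
        if key in index:
            matches.append({"line": line, "indicator": key, **index[key]})
    return matches


def observed_ttps(matches):
    """Union of technique IDs attached to the matched indicators."""
    ttps = set()
    for m in matches:
        ttps |= m["ttps"]
    return ttps


def attribute(observed, profiles):
    """Rank actor profiles by Jaccard similarity with the observed TTP set."""
    scores = []
    for actor, known in profiles.items():
        union = observed | known
        score = len(observed & known) / len(union) if union else 0.0
        scores.append((actor, round(score, 3)))
    return sorted(scores, key=lambda s: s[1], reverse=True)


def run(feeds=FEEDS, logs=SAMPLE_LOGS, profiles=ACTOR_PROFILES):
    """Full pipeline: aggregate -> match -> profile; the dict returned is the
    shareable product (matched IOCs with their sources and a ranked attribution)."""
    index = aggregate(feeds)
    matches = match_logs(logs, index)
    ranking = attribute(observed_ttps(matches), profiles)
    return {"indicators": len(index), "matches": matches, "ranking": ranking}


if __name__ == "__main__":
    result = run()
    print(f"{result['indicators']} unique indicators after merging feeds")
    for m in result["matches"]:
        print("HIT", m["indicator"], "sources=", sorted(m["sources"]), "ttps=", sorted(m["ttps"]))
    print("attribution:", result["ranking"])
```

Two design points carry over to real platforms: provenance is kept per indicator so that a hit can be traced back to the feed that supplied it, and attribution is a ranked score rather than a verdict, because a mercenary group and a state actor can share techniques (here T1071.001 appears in both profiles) and the final call belongs to an analyst.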


Supporting Law Enforcement and Policy Makers

Cyber threat intelligence (CTI) also plays a pivotal role in assisting law enforcement agencies and policymakers in understanding the scale and scope of cyber mercenary activities. By aggregating and analysing global cyber-attack data, TIPs can provide insight that can guide policy development and regulatory action, helping to establish the legal frameworks and international cooperation needed to prosecute mercenaries. Furthermore, intelligence shared across nations can facilitate joint efforts to dismantle cyber mercenary operations and bring perpetrators to justice.


Collaboration and Information Sharing

Finally, intelligence platforms should promote collaboration between the public and private sectors, allowing businesses, governments, and cyber security organisations to share threat intelligence. This collective effort strengthens cyber resilience and provides a unified front against cyber mercenary groups. Public-private partnerships built around shared intelligence can make it more difficult for mercenaries to operate with impunity.


Conclusion

As the digital landscape continues to evolve, cyber mercenaries will play an increasingly prominent role in the world of cyber conflict. Groups like Void Balaur, AIG, and Dark Basin illustrate how cyber operations have become a commodity, available to those willing to pay for their services. This trend signals a shift toward a more privatised and unregulated form of digital warfare, where nation-states and corporations alike can outsource their most covert and complex cyber operations. To address this growing threat, the international community must develop new frameworks and regulations to manage the risks posed by cyber mercenaries and ensure accountability in cyberspace.


Cyber mercenaries may be the newest players on the battlefield, but their impact is already being felt across the globe. As their influence grows, so too will the challenges of maintaining stability and security in an increasingly interconnected world.


Sources and References

  1. https://www.jstor.org/stable/48707883

  2. An Introduction to Fifth Generation Warfare - Grey Dynamics

  3. How Does the Cyber Mercenary Business Work? (secureops.com)

  4. UN chief warns of ‘cyber mercenaries’ amid spike in weaponising digital tools | UN News

  5. Atlas Intelligence Group (A.I.G) – The Wrath of a Titan (cyberint.com)

  6. 'AIG' Threat Group Launches With Unique Business Model (darkreading.com)

  7. Countering hack-for-hire groups (blog.google)

  8. Dark Basin: Uncovering a Massive Hack-For-Hire Operation - The Citizen Lab

  9. Northern District of California | Private Investigators Indicted In E-Mail Hacking Scheme | United States Department of Justice

  10. ‘Dark Basin’ hacking group targeted thousands in hack-for-hire scheme | Red Canary

  11. Dark Basin: Researchers Uncover Major Hack-for-Hire Group - Infosecurity Magazine (infosecurity-magazine.com)

  12. Think tank report labels NSO, Lazarus 'cyber mercenaries' • The Register

  13. Void Balaur | The Sprawling Infrastructure of a Careless Mercenary - SentinelOne

  14. The Far-Reaching Attacks of the Void Balaur Cybermercenary Group | Trend Micro (US)

  15. A new group of cyber mercenaries targets businesses, journalists — including some in Russia | CyberScoop

  16. Void Balaur and the Rise of the Cybermercenary Industry | Trend Micro (US)

  17. Void Balaur Hackers-for-Hire Targeting Russian Businesses and Politics Entities (thehackernews.com)

  18. Cyber-mercenary group Void Balaur has been hacking companies for years (therecord.media)

  19. Void Balaur: Tracking a Cybermercenary’s Activities (trendmicro.com)

  20. Void Balaur hackers-for-hire sell stolen mailboxes and private data (bleepingcomputer.com)
