By Matthew Goldstein • 1/15/15
A man in Sweden says he will pay up to $2,000 to anyone who can break into his landlord’s website. A woman in California says she will pay $500 for someone to hack into her boyfriend’s Facebook and Gmail accounts to see if he is cheating on her.
The business of hacking is no longer just the domain of intelligence agencies, international criminal gangs, shadowy political operatives and disgruntled “hacktivists” taking aim at big targets. Rather, it is an increasingly personal enterprise.
At a time when huge stealth attacks on companies like Sony Pictures, JPMorgan Chase and Home Depot attract attention, less noticed is a growing cottage industry of ordinary people hiring hackers for much smaller acts of espionage.
A new website, called Hacker’s List, seeks to match hackers with people looking to gain access to email accounts, take down unflattering photos from a website or gain access to a company’s database. In less than three months of operation, over 500 hacking jobs have been put out to bid on the site, with hackers vying for the right to do the dirty work.
It is done anonymously, with the website’s operator collecting a fee on each completed assignment. The site offers to hold a customer’s payment in escrow until the task is completed.
In just the last few days, offers to hire hackers at prices ranging from $100 to $5,000 have come in from around the globe on Hacker’s List, which opened for business in early November.
For instance, a bidder who claimed to be living in Australia would be willing to pay up to $2,000 to get a list of clients from a competitor’s database, according to a recent post by the bidder.
“I want the client lists from a competitors database. I want to know who their customers are, and how much they are charging them,” the bidder wrote.
Others posting job offers on the website were looking for hackers to scrub the Internet of embarrassing photos and stories, retrieve a lost password or change a school grade.
The rather matter-of-fact nature of the job postings on Hacker’s List shows just how commonplace low-profile hacking has become and the challenge such activity presents for law enforcement at a time when federal and state authorities are concerned about data security.
Hacking into individual email or social media accounts occurs on a fairly regular basis, according to computer security experts and law enforcement officials. In September, the Internet was abuzz when hackers posted nude photos of female celebrities online.
It is not clear just how successful Hacker’s List will prove to be. A review of job postings found many that had yet to receive a bid from a hacker. Roughly 40 hackers have registered with the website, and there are 844 registered job posters. From the postings, it is hard to tell how many of the job offers are legitimate.
The site did get a favorable review recently on hackerforhirereview.com, which specializes in assessing the legitimacy of such services. The reviewer and owner of that site, who would identify himself only as “Eric” in emails, said he gave his top rating to Hacker’s List because it’s a “really cool concept” that limits the ability of customers and hackers to take advantage of one another.
In light of the novelty of the site, it’s hard to say whether it violates any laws.
Arguably some of the jobs being sought on Hacker’s List — breaking into another person’s email account — are not legal.
The founders of Hacker’s List, however, contend that they are insulated from any legal liability because they neither endorse nor condone illegal activities.
The website includes a 10-page terms and conditions section to which all users must agree. It specifically forbids using “the service for any illegal purposes.”
Some experts say it is not clear whether Hacker’s List is doing anything wrong in serving as a meeting ground for hackers and those seeking to employ them.
Yalkin Demirkaya, president of the private investigation company Cyber Diligence, and a former commanding officer of the New York Police Department’s computer crimes group, said a crackdown would depend on whether law enforcement officials saw it as a priority. He said Hacker’s List may skate by because many of the “people posting the ads are probably overseas.”
But Thomas G. A. Brown, a senior managing director with FTI Consulting and former chief of the computer and intellectual property crime unit of the United States attorney’s office in Manhattan, said hacker-for-hire websites posed problems.
“Hackers for hire can permit nontechnical individuals to launch cyberattacks with a degree of deniability, lowering the barriers to entry for online crime,” Mr. Brown said.
The website, which is registered in New Zealand, is modeled after several online businesses in which companies seeking freelancers can put projects out to bid. Some have compared the service to a hacker’s version of the classified advertising website Craigslist. Hacker’s List even has a Twitter account (@hackerslist), where it announces the posting of new hacking assignments.
Still, the three founders of Hacker’s List are not willing to go public with their own identities — at least not yet.
After registering with the website and beginning an email conversation, a reporter contacted one of the founders. Over a period of weeks, the founder, who identified himself only as “Jack,” said in a series of emails that he and two friends had founded Hacker’s List and that it was based in Colorado. Jack described himself as a longtime hacker and said that his partners included a person with master’s degree in business administration and a lawyer.
He said that the three were advised by legal counsel on how to structure the website to avoid liability for any wrongdoing by people either seeking to hire a hacker, or by hackers agreeing to do a job. The company, he said, tries to do a small background check on the hackers bidding on jobs to make sure they are legitimate, and not swindlers.
“We all have been friends for a while,” Jack said in an email, adding that Hacker’s List “was kind of a fluke occurrence over drinks one night.”
“We talked about a niche and I built it right there,” he said. “It kind of exploded on us, which was never expected.”
Hacker’s List began its website several months after federal prosecutors and F.B.I. agents in Los Angeles completed a two-year crackdown on the hacker-for-hire industry. The investigation, called Operation Firehacker by the F.B.I., led to the filing of criminal charges against more than a dozen people across the country involved in either breaking into a person’s email account or soliciting a hacker for the job.
In New York, information uncovered during the investigation in Los Angeles led to the arrest in 2013 of Edwin Vargas, a New York Police Department detective at the time, who was charged with paying $4,000 for the hacking of the email accounts of 43 people, including current and former New York police officers. Mr. Vargas, who pleaded guilty in November 2013 and was sentenced to four months in prison, said he had been motivated by jealousy and wanted to see whether any of his colleagues were dating an ex-girlfriend who is the mother of his son.
The F.B.I. investigation also involved the cooperation of the authorities in China, India and Romania, because a number of the websites where the hackers advertised their expertise were based overseas.
Still, the market for hackers, many of whom comply with the law and act more like online investigators, shows no signs of slowing. Many companies are hiring so-called ethical hackers to look for weaknesses in their networks.
David Larwson, a director of operations with NeighborhoodHacker.com, which is incorporated in Colorado, said he had seen increased demand from companies looking to make sure their employees are not obtaining sensitive information through hacking. He said in an email that companies were increasingly focused on an “insider threat” leading to a breach or unauthorized release of information.
On its website, NeighborhoodHacker describes itself as a company of “certified ethical hackers” that works with customers to “secure your data, passwords and children’s safety.”