Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

How freelance platforms enable cybercrime

Written by Gugu Ntsele | January 2, 2026

Traditional employment involves background checks, verified identities, and accountability structures. However, freelance platforms often require little more than an email address to get started. While many platforms have implemented verification systems, the bar for entry is still low.

This accessibility creates an environment where bad actors can easily establish profiles that look legitimate. A cybercriminal can create multiple accounts across different platforms, building up fake portfolios and purchasing positive reviews to appear trustworthy. Within days, they can present themselves as established professionals ready to assist unsuspecting clients with their digital needs.

 

Phishing-as-a-service goes mainstream

Criminals now openly advertise services that support phishing operations, though they're careful to disguise their true intentions. Listings might offer "email template design," "landing page creation," or "data collection services" without mentioning their malicious applications.

As described in Phishing-as-a-Service: The Rise of Subscription-Based Cybercrime, these services offer everything a threat actor needs: "Spoofed email templates, Credential harvesting websites, Hosting services, Email delivery tools, Dashboards for managing and tracking campaigns, Step-by-step guides or even customer support." This toolkit allows less technically skilled criminals to launch sophisticated attacks.

A scammer can hire someone to create convincing replicas of bank login pages, corporate email templates that mimic legitimate companies, or SMS messages designed to steal credentials. The freelancer creates the tool, the client deploys it for phishing, and both parties maintain plausible deniability about the ultimate purpose. The economics are summed up as follows: "For a fraction of the cost it would take to create a phishing infrastructure from scratch, attackers can lease powerful tools with immediate returns."

Cybercriminals split up their tasks, which makes them very hard to catch and prosecute. A graphic designer making a fake Microsoft login page might truly not know how it will be used. A copywriter writing urgent emails about account checks might have no idea they are aiding a phishing scam.


The broader cybercrime-as-a-service ecosystem

According to Dark Web and Cyber Crime as a Service by Yushi Mogra and Dr. Bijal Talati, the cybercrime-as-a-service (CaaS) model has fundamentally transformed the cyber threat landscape by making sophisticated attacks accessible to anyone willing to pay.

Mogra and Talati explain that CaaS operates similarly to legitimate Software-as-a-Service models, offering subscription-based or one-time purchase options tailored to specific criminal needs. The authors detail a complex ecosystem that includes specialized service providers who develop attack tools, marketplaces with rating systems and escrow services, affiliate networks that distribute malware, and cryptocurrency payment systems that maintain anonymity.

Beyond phishing kits, the dark web marketplace offers Malware-as-a-Service, where harmful software like ransomware and spyware is sold with clear instructions and regular updates. Ransomware-as-a-Service operates on profit-sharing models, with developers typically keeping 30-40% of ransom payments while affiliates who deploy the attacks receive the rest. DDoS-for-Hire services allow anyone to overwhelm websites with traffic, with pricing starting as low as $10 per hour.

Notably, Phishing-as-a-Service: The Rise of Subscription-Based Cybercrime observes that "PhaaS platforms provide their criminal users with templates, analytics, and automation—all optimized for their nefarious purposes." This mirrors legitimate business tools and makes cybercrime as user-friendly as any mainstream software platform.

 

Real-world impact

Mogra and Talati document several high-profile cases that illustrate the scale of the problem. The REvil ransomware group, which operated from 2019 to 2021, exemplified the Ransomware-as-a-Service model. Partners who deployed their ransomware received between 60% and 70% of ransom payments, while developers maintained the infrastructure and provided decryption tools. Their attacks on JBS Foods and Kaseya resulted in ransom demands between $11 million and $70 million.

Furthermore, the researchers describe 16Shop, a Phishing-as-a-Service platform that sold ready-made phishing kits targeting companies like Apple, Amazon, and PayPal for as little as $100. These kits included email templates, fake websites, hosting options, and step-by-step guides, making sophisticated phishing attacks available to beginners.

Webstresser, a DDoS-for-hire service, had over 136,000 registered users before law enforcement shut it down in 2018. For just $15, anyone could launch distributed denial-of-service attacks against targets of their choice. The service featured a user-friendly interface where customers simply selected a target and duration, requiring no technical knowledge. Mogra and Talati note that the platform was responsible for millions of attacks worldwide, targeting banks, government websites, and critical infrastructure.

 

The scale of the problem

The Dark Side of Micro-Task Marketplaces: Characterizing Fiverr and Automatically Detecting Crowdturfing, a study by researchers Steve Webb and Hancheng Ge, analyzed nearly 90,000 gig listings on Fiverr. Among randomly sampled gigs, 6% were what the researchers call "crowdturfing tasks": services designed to manipulate social media, search engines, and other online platforms. In the online marketing category specifically, however, 55.3% of gigs were crowdturfing services. When the researchers applied machine learning classifiers to detect these malicious listings across their entire dataset, they identified over 19,900 crowdturfing gigs, representing 22.2% of all active listings.

According to the research paper, the top-earning seller on Fiverr had sold over 601,000 gigs and earned at least $3 million over approximately two years, all from crowdturfing services. The top ten sellers were almost exclusively offering manipulation services, with nine out of ten specializing in what the platform categorizes as "online marketing, advertising, or business" gigs.

The research paper categorized crowdturfing tasks into three main types:

  • Social media targeting gigs (70.7%) - Services offering fake followers, likes, views, and engagement on platforms like Facebook, Twitter, YouTube, Instagram, and Google+
  • Search engine targeting gigs (27.3%) - Services creating artificial backlinks to manipulate search rankings
  • User traffic targeting gigs (2%) - Services sending fake visitors to websites to inflate metrics or generate fraudulent ad revenue

 

The polyworking factor

Polyworking is the practice of juggling multiple jobs or side gigs simultaneously. The trend is popular with Gen Z workers: 48% maintain some sort of side job, the highest rate among all generations.

In an ITPro article, Evgeny Kuskov, a security expert at Kaspersky, explains the security challenge: "When your calendar is packed with tasks from three different jobs and you have notifications coming in from five separate apps, and you're also switching between client chats, invoices, and creative work on the same device, it's only a matter of time before something slips."

Over the last year, Kaspersky detected more than six million attacks disguised as platforms or content related to 20 popular work tools. The top targets were Zoom, with 3.8 million attacks, Microsoft Excel with 835,000, and Outlook with 731,000, followed by OneDrive with 352,080 and Microsoft Teams with 151,800.

Furthermore, ITPro reports that platforms such as Fiverr, Upwork, LinkedIn, and Behance are being used for phishing schemes disguised as legitimate job offers. Kaspersky observed more than 650,000 attempts to visit phishing pages disguised as LinkedIn alone over the course of a year.

"A single employee clicking a malicious link can lead to data breaches, ransomware infections, or financial fraud," as noted in Phishing-as-a-Service.

Kuskov identifies the core security risk: "Gen Z's work-life-tech overlap creates a unique kind of cognitive overload. This constant multitasking increases the risk of mistakes: sending a wrong file to a wrong client, overlooking a phishing email, misconfiguring access permissions. It's not about carelessness — it's about the sheer volume of digital demands pulling attention in all directions. And in cybersecurity, even one small lapse can have big consequences."

 

Social engineering at scale

Freelance platforms also enable sophisticated social engineering attacks. Criminals hire freelancers to gather intelligence on target companies, researching organizational structures, employee names, and internal processes. With this information, they craft personalized spear-phishing attacks that are far more likely to succeed than generic spam.

Some cybercriminals even hire voice actors or video editors through freelance platforms to create deepfake content for business email compromise schemes. Mogra and Talati emphasize that this personalization happens at scale through what they describe as AI-powered tools that automate the creation of highly targeted phishing emails and deepfake content. The compartmentalization ensures that individual freelancers may genuinely be unaware of the malicious purposes their work serves.

Looking ahead, Phishing-as-a-Service warns that "As artificial intelligence becomes more accessible, it's likely that PhaaS will incorporate even more automation, personalization, and evasion techniques." 


The laundering of criminal services

When someone finds a service listed on a well-known platform, complete with reviews and ratings, they trust it a bit more. Services that would immediately raise red flags on dark web marketplaces seem legitimate when presented alongside genuine offerings for logo design or content writing.

Payment processing through these platforms also helps criminals. Rather than dealing with cryptocurrency exchanges or other payment methods that might attract attention, they can use the platform's built-in payment systems. The platform handles the transaction, takes its commission, and the money appears as legitimate freelance income. 

The academic research on CaaS reveals that dark web marketplaces mirror legitimate e-commerce platforms with sophisticated features including product listings organized by category, user reviews and ratings to build trust, escrow services to prevent fraud, and cryptocurrency integration for anonymous payments. According to Mogra and Talati, these platforms even offer customer support, regular software updates, and user-friendly interfaces that make cybercrime look and feel like any other online service.

 

The platforms' dilemma

Freelance platforms face a dilemma: stricter verification and monitoring could deter criminals, but also legitimate users who value the platforms' ease of use and privacy. Some platforms have implemented artificial intelligence to detect suspicious listings and behavior patterns. The research paper's machine learning classifier achieved 97.35% accuracy in detecting crowdturfing gigs, showing that automated detection is possible.

Mogra and Talati note that law enforcement faces challenges in combating these operations. The dark web's decentralized and anonymous nature, combined with cryptocurrency payments, makes tracking and prosecuting cybercriminals difficult. When authorities manage to shut down marketplaces or arrest key operators, new platforms typically emerge within days.

 

Moving forward

Addressing these challenges requires cooperation between platforms, law enforcement, and users. Platforms must invest in better verification systems while maintaining accessibility. The research suggests that machine learning approaches can effectively identify malicious listings, but these systems need to be implemented and continuously updated to stay ahead of evolving tactics.

Users need education about red flags in job postings and service requests. Law enforcement requires updated tools and international cooperation to pursue criminals who exploit the borderless nature of freelance work. The research paper noted that the majority of both buyers and sellers of crowdturfing services were from the United States and other Western countries, challenging assumptions that these problems primarily originate in developing nations.

As Mogra and Talati conclude, solving these problems demands an approach including enhanced cybersecurity measures, international collaboration, increased business and public awareness, and robust legal frameworks. 

 

FAQs

How do platform rating systems indirectly enable criminal trust-building?

Ratings and reviews can be manipulated or purchased, allowing malicious actors to quickly establish credibility.

 

What role does AI-generated content play in lowering the barrier to cybercrime?

AI tools allow attackers to scale high-quality phishing and social engineering with minimal technical skill.

 

Are certain freelance categories more vulnerable than others to criminal misuse?

Design, marketing, automation, and development categories are particularly attractive due to their dual-use nature.