AI, IoT, And Cloud Experts Power The Next Wave Of Attacks | #cybercrime | #infosec

The dark web has its own job boards. Its own recruiters. Its own economy of skills. 

There, posts read like the listings on LinkedIn or Indeed, only the roles are not for project managers or analysts. They are for AI specialists, cloud exploiters, and social engineers fluent in English. The recruits are not employees. They are accomplices. 

ReliaQuest research showed how the market is booming. Job-related posts on cybercriminal forums such as Exploit and RAMP more than doubled between 2023 and 2024. By mid-2025, they had already equaled the previous year’s total. The growth signals a shift. Cybercrime is no longer a trade of generalists. It is an industry of specialists.

AI at the Core

At first, attackers leaned on large language models to write malware. That was crude. Now, they want more. 

Since late 2024, groups have recruited AI experts to automate entire workflows. A ransomware group once known as BlackLocknow uses an AI chatbot to negotiate ransoms. What was once manual drudgery is being offloaded to code. The result is faster, repeatable, and harder to disrupt. 

The same applies to deepfakes. Criminal recruiters openly advertise for developers who can fabricate convincing voices and faces. The tactic is no longer novel. It is operational. In one case, attackers impersonated a CFO and stole $25 million, researchers said.

The technology will only sharpen. Soon, language will not be a barrier. Social engineering at scale will follow.

Cloud in the Crosshairs

If AI is the brain, the cloud is the body. The research highlighted how recruitment posts calling for Azure and Entra expertise quadrupled between 2023 and 2024. Interest has cooled slightly in 2025 but remains high. Attackers see cloud environments as a gateway into Active Directory domains, where data is rich and extortion is lucrative. 

The threat is far from theoretical. Ransomware affiliates openly seek penetration testers who know VPNs, Azure, and Entra. The aim is to compromise the cloud, pivot to the enterprise, and take control.

The Next Front: IoT

Then there are the cameras, sensors, and connected devices that hum quietly on the edge of networks. They are unmanaged, often unpatched, and easily overlooked. In 2025, recruitment for IoT expertise returned after a lull, surpassing previous years.

The reason is simple: IoT can be turned into a weapon.

In one breach, attackers used a camera to bypass endpoint defenses, deploy ransomware, and cripple an enterprise. This is the future of persistence. Bad actors will not always come through the front door, they will crawl through the forgotten cracks. 

ClickFix and Other In-Demand Skills

Some skills surge, some fade. In 2024, an adversary pioneered the ClickFix technique for malware execution. Within months, recruitment for ClickFix specialists appeared on dark-web boards, and by spring 2025, activity had spiked 850%. Recruitment drives adoption. Adoption fuels attacks.

The same pattern holds with social engineering. English-speaking operators are prized. Recruiters account for nearly nine out of ten postings. Groups like Scattered Spider proved the tactic works. 

Others now want to copy. Hypervisor skills are also rising, enabling attackers to compromise multiple virtual machines at once. What was niche in 2023 has become standard by 2025. 

What It Means for Defenders

Attackers innovate, yet their goals do not. Profit is the constant. Extortion and encryption remain the endgame. 

For defenders, this offers an opportunity. ReliaQuest said understanding what adversaries are hiring for today offers a view of what they will attack tomorrow. That foresight is a weapon in itself. 

Strong cloud governance, strict help-desk protocols, real-time monitoring of exposed assets, and tested detection rules all slow attackers down. Security is not about perfection. It is about resistance. Burglars abandon the house with too many locks. Malefactors do the same.

The dark web is hiring. Organizations should be preparing.