Hacker Persona Part 2: The Evolution of Gamers into Application Hackers

In the first blog, I covered how and why gaming has become the primary source of new application security threat actors, from the critical changes in the gaming industry to how gamers get exposed to marketplaces. In this blog, I will examine the evolution of application hackers. By the end of this six-minute read, you will understand how script kiddies evolve into cybercriminals-as-a-service in only a few months.


Figure 1: A 15-year-old teen asks in marketplace forums what type of account is more suitable for running Telegram bots.


Figure 2: Breached gaming account. The main bait that pulls gamers into the underground marketplace.

The Gamer to Hacker Timeline

Step 1: Exposure – Gamers’ first exposure to underground marketplaces
The first part in this blog series covered how gamers get exposed to hacker marketplaces.

Step 2: Division into types of hacking – Hackers’ first career decisions
In our first blog post, we discussed the emergence of hacker marketplaces and how users tend to spend a few months experimenting with hacking tools and tutorials. As they gain experience, gamers often focus on specific hacking techniques and domains, typically related to their game genre.

For example, gamers who enjoy First-Person Shooter (FPS) games, known for their fast-paced and high-adrenaline gameplay, often have an interest in cyber-attacks that provide a similar experience. Two popular types of attacks for this group are account takeover (ATO) attacks and Distributed Denial of Service (DDoS) attacks. These attacks are quick and intense, aligning with the psychological “need for speed” of the typical hacker persona.

Strategy game players tend to develop more strategic, puzzle-like skills, such as reversing and de-obfuscation techniques used to interpret and understand the code in application defenses. This technical skill is critical for hackers. Understanding defensive techniques and code allows them to develop new methods to bypass these security systems.

Gamers who primarily play Role-Playing Games (RPGs), a genre that requires familiarity with game lore and uncovering secrets through dialogue, research, and exploration, tend to specialize in active and passive reconnaissance, the pre-attack intelligence-gathering phases in the cyberattack chain. These individuals also find themselves equipped with the skills for scamming and stealing sensitive information through social engineering.

Step 3: Hacker Baptism – First hands-on hacking activity
In this stage, gamers evolve into inexperienced hackers, or ‘script kiddies.’ The first hacking attempt is a significant milestone in a hacker’s evolution. It could be their first breached account or their first DDoS attack against a gaming server after losing a game or tournament. This experience leaves the hacker with a sense of power and an adrenaline rush they will strive to recreate. The hacker feels like they have leveled up and, in the process, developed three critical skills:

  1. Self-learning without a structured framework: hacking techniques evolve rapidly, so the only way to learn is through tutorials and hands-on experience.
  2. High failure tolerance: initial attack attempts are unlikely to succeed. A hacker needs to build persistence and have strong psychological traits to avoid burnout.
  3. Proactively seeking assistance: hacking requires varied expertise. A hacker can buy tools or consult with forum members for best practices as part of their self-development.

Step 4: Proactivity – Turning from the silent viewer into the proactive player
In this step, the new threat actor is eager to build his or her reputation as a contributing member within their hacking communities on Discord, Telegram, and underground forums. To achieve this goal, they employ techniques similar to those used by popular social media influencers:

  1. Sharing “freebies” – hackers share hacking resources, such as breached account credentials, for free.
  2. Engaging in challenges and competitions to demonstrate their skills and earn clout and prizes.
  3. Providing tutorials and guides to position themselves as experts and gain followers.
  4. Collaborating with other well-known figures in the community on joint projects to expose themselves to new audiences and gain credibility.
  5. Leveraging memes and humor to come across as relatable and entertaining.

The goals are building their reputation, gaining credit on the forum, and getting access to more exclusive content. By becoming well-known in the community, the hacker can attract customers and collaborators for future business ventures in the hacking marketplaces.


Step 5: Business owner – Turning from buyer into seller
In this step, the new threat actor is eager to monetize their skills and build a sustainable business in the underground marketplaces. They transition from being a consumer of hacking tools and services to being a provider.

To achieve this, they employ tactics similar to those of startup founders:

  1. Developing a unique value proposition – the hacker identifies a gap in the underground market and focuses on developing a tool or service that fills this need better than any existing offering. This could be a more effective account cracking tool, a stealthier malware strain, or a DDoS-for-hire service with better service levels and greater impact guarantees.
  2. Building an MVP (Minimum Viable Product) – with the unique value proposition in mind, the hacker builds a basic version of the tool or service. They leverage coding and hacking skills acquired in previous steps to create a functional offering, even if it lacks polish.
  3. Marketing and promotion – the hacker promotes the new tool or service on the underground forums and chat groups where they have gained a reputation. They offer discounts to early adopters and quietly seed positive reviews to generate buzz and establish credibility.
  4. Scaling up – as their customer base grows, hackers reinvest profits into better infrastructure to support more users and optimize their attacks. They begin recruiting affiliates and resellers to expand their sales channels.

Step 6: Sustainability – Operating a hacking tool for more than six months
In the final stage of their evolution, the gamer-turned-hacker has achieved a steady state of business operations with a stable income stream. Key focuses at this stage include:

  1. Diversification – expanding offerings to include multiple attack vectors and targets.
  2. Professionalization – implementing customer support, SLAs, tiered pricing, and other trappings of legitimate businesses.
  3. Reputation management – carefully guarding their standing and brand on the underground markets.


Arik Atar

Arik Atar recently joined Radware's industry-leading Threat Research team, bringing his flavor of threat intelligence. While new to Radware, he draws on multifaceted expertise built across a 7-year career on the front lines of cyber threat hunting. In 2014, while completing his BA in International Relations and Counterterrorism at IDC University, Arik took his first steps on the darknet as part of his research on Iran-sponsored attack groups. On Bright Data, Arik uncovered both cyber adversaries'. He led investigations against high-profile proxy users that misused Bright Data's global residential proxy network to initiate mass-scale DDoS and bot attacks. In 2021, he moved from inspecting the attack logs from the attacker's view to inspecting the attack from the defender's point of view at HUMAN Security (formerly PerimeterX), where he leveraged multiple hacker identities he developed over the years to hunt cyber threat intelligence on application hackers. Arik delivered keynote speeches at conferences such as Defcon, APIParis, and FraudFights' Cyber Defender meetups. Arik’s diverse career path has armed him with unique perspectives on application security. His expertise combines strategic cyber threat analysis with game theory and social psychology elements.
