Following a series of high-profile cyberattacks, the heat has largely centered on young men. However, that balance may be shifting, driven by changes in underground forums and a worrying trend on Telegram.

“Think of a cybercriminal and what comes to mind? Probably a hacker in a hoodie. Maybe Russian, maybe British, but invariably male,” notes cybersecurity researcher Rebecca Taylor.

None of this is wrong, she adds, except that we’re forgetting one hidden but expanding cohort: women.

Don't miss our latest stories on Google News

Taylor, a researcher at security firm Sophos, has been working on a new study that proves cybercrime is more than just a young man’s game.

Merit trumps gender in underground forums

Just a decade ago, female hackers were perceived with hostility by the general hacker community. If women identified themselves, users would harass them, and sometimes lower their reputation or popularity points on the forums.

But researchers have observed that, over time, perhaps as the underground economy has become more professionalized, gender has become less of an issue. In some instances, it may now even be an advantage.

“Forums are very open to diversity of thought, experience, and skill sets now,” says Taylor.

The researcher adds that she’s recently seen more requests on underground forums for women to aid with various types of cybercrime.

These range from supporting social engineering to recruiting people in workplaces to bring them in as insiders.

Female voice for vishing — Female callers sought for social engineering. Image by Cybernews

These findings are backed by an earlier 2023 Trend Micro study by Mayra Rosario Fuentes, which reported that forums preferred to use women for social engineering projects because they’re seen as more trustworthy.

“Women are probably sought out due to people being more likely to trust female service agents versus male callers. Some forum users have explicitly said they prefer women for call-based jobs and are better than men at extracting information."
Trend Micro study, 'The gender equal cybercriminal underground'

The study also revealed that underground forums now contain a significant number of female visitors. Trend Micro visited 5 English- and Russian-language forums, collected a control sample, and found that 40% of visitors were women.

“What’s concerning about that statistic is this number is higher than the amount of women working in cybersecurity,” Taylor adds.

The women of Conti

While researchers stop short of proclaiming the cyber underworld as having undergone some kind of female emancipation, they note that over time, it has become more meritocratic.

Gender ad on forum — Forums have become meritocratic enough for female crims to hawk their services

Taylor says that there’s evidence from recent forum breaches that ransomware gangs will rally around their top talent, regardless of gender.

When 55-year-old Latvian Alla Witte, aka “Max,” was arrested in the US by the FBI in 2021 and subsequently charged with 19 counts for her role in the cybercriminal network behind the Trickbot malware strain, her criminal colleagues were there to back her up.

And despite the gender neutral pseudonym, they appear to have known that the multilingual maths grad was a “she.”

The conversation on this topic is live. Join in the discussion.

This was confirmed after the notorious ransomware gang, Conti, imploded following an ideological fallout in 2022, when internal data from the Russian-speaking gang was leaked (sometimes referred to as the “ContiLeaks”).

Witte, it turns out, was an important Conti member responsible for creating and managing key malware used by the gang.

“[in the leaked data] She was referred to using the pronouns 'she’ and ‘her’... when she was arrested, other members of the group came together to try and provide a lawyer for her to get out of prison,” Taylor reveals.

The mother of bears

According to research by cybersecurity training body SANS, women have also been linked to hacktivist activity, carrying out cyberattacks to promote a political, social, or ideological cause, and often backed by hostile governments.

These include Yuliya Vladimirovna Pankratova, who appeared on a US sanctions list in 2024.

A member of Cyber Army of Russia Reborn (CARR), she managed the group’s Telegram channel and acted as its public voice under the alias “Mother of Bears.”

Russian hackers multiple — Under the hood, many Russian hacktivists are reported to be female. Image by Shutterstock

According to Google's threat intelligence team, Mandiant, she helped produce Telegram content, including voice messages tied to a cyberattack on a Texas-based water facility.

After being identified, rather than retreat into the background, Pankratova began celebrating her hacker sisterhood, pointing out that roles as diverse as designers, defacers, and DDoS operators were all filled by women.

The e-girls of Telegram

On other platforms, the climate isn’t as embracing. Telegram's low barrier to entry and ability to rapidly recreate banned channels have made it the platform of choice for a new generation of cybercriminals, including Scattered Spider and violent extremist networks such as The Com.

According to Taylor, some of the channels on the platform are notably more” inflammatory” than traditional underground forums, with rampant racial and sexual slurs in a “younger male space” shaped by toxic masculinity and manosphere-style dynamics.

“It is a genuinely awful, horrible place to be,” Taylor adds.

It’s within this space that a worrying new group of women exists within cybercrime: e-girls.

According to Taylor, e-girls are not exclusively associated with cybercrime, but some of them drift that way via platforms like X and TikTok.

Often presented as Japanese anime figures, they maintain relationships with key members of criminal cybergangs, playing the role of virtual cheerleaders, girlfriends, or sexualized objects.

Image X via @meowsavy.

“They tend to be younger women in quite domineering relationships, subjected to sexual degradation. It falls under the category of coercive control. They're made to do things and are forced into certain positions,” she explains.

This includes girlfriends being encouraged to write their partners’ names across their body parts and then share images of it with the community.

Domestic abuse charity Refuge suggests that victims of trauma or abuse in the real world may be more likely to fall into these kinds of controlling relationships online.

But Taylor adds that people need to be open to the fact that some e-girls participate for attention or for financial gain.

She uses @meowsevy, also allegedly an administrator for Scattered Lapsus Hunters, as a case in point.

Sevy, who also goes by the names “Darya” or “Barbie,” regularly posts across different channels, and is quite comfortable asking for gifts and cash.

“There are lots of examples of things that people have sent her where she's doing things to herself in return for gifts: Louis Vuitton…Cash. A Rolex. Ultimately, she kind of owns that e-girl status,” says Taylor.

However, this activity has come at a cost to Sevy, who is regularly doxxed, with her identity and contact details revealed online across underground forums, Telegram, and X.

Underground forums have also claimed that Sevy has been “swatted” more than once, where people have found out her home address and sent the police over.

The Dutch police are working on preventative measures to help e-girls who are essentially victims of sextortion.

Hackers most unladylike

Many people still find it incomprehensible that a lady is capable of committing crimes deemed “technical” despite the increasingly lower barrier to entry with vibecoding, AI, and “off-the-shelf” phishing kits.

In her work, Taylor says she comes up against this attitude a lot.

“It’s still met with absolute shock. Women online committing crimes? Are you sure?”
Rebecca Taylor, cybersecurity researcher, Sophos

And yet this is what the friends and family of Valerie Gignac thought when the Quebec-based 27-year-old was arrested by Canadian mounties on hacking and spying charges in 2015.

Perhaps not thinking she was capable of such crimes, supporters claimed that it was a case of mistaken identity.

Has your password leaked?

Enter your password to check if it has leaked. Having a leaked password creates the risk of identity theft, financial damages, and worse!

35,607,543,468

Exposed Passwords

Yet investigators were able to prove very quickly that Gignac was the owner of a global hacking forum with over 35,000 users and a major botnet operator.

She was charged with taking over people's computers remotely, spying on them through their web cameras, and harassing them through their computer speakers.

If further proof were needed, Gignac even created YouTube videos under the name “queen Sh0cka,” which showed her trolling families with hardcore porn.

“There was a capability that people underestimated,” says Taylor.

YUliYA aka Mother of Bears — Hacktivist Yuliya Pankratova, a loud and proud member of CARR. Image: US Treasury sanctions list

Meanwhile, Taylor is closely following last year’s arrest of three teens and a 20-year-old as part of an investigation into cyberattacks targeting UK retailers M&S, Co-op, and Harrods.

While further details of the investigation have yet to emerge, the media picked up on a narrative that conveniently fits the male teen "gamer-to-hacker" trope. And yet it neglects the fact that the twenty-year-old arrested was female.

“If we're trying to prevent, detect, and respond, we need to really open our eyes to the fact that the attacker or the threat isn't just a boy, or a man, it could genuinely be anyone,” Taylor warns.

Unlock more exclusive Cybernews content on YouTube.

Share

Post