A public marketplace for hackers-what could possibly go wrong?

Last November, Charles Tendell quietly launched a website called Hacker's List. Its name was literal. In this online marketplace, white-hat security experts could sell their services in bite-size engagements to people with cyber-problems beyond their grasp.

"Hacker's List is meant to connect consumers who have online issues to hackers or professionals out there who have the skills to service them," Tendell told Ars. "Consumers get bullied online, they lose personal information, they have things stolen from them, they get locked out of things, and they have people post negative things or post personal information. They didn't have a place to go to be able to get help and make sure they're getting the right price or the best person for a particular job. That's what Hacker's List is for."

The idea seemed clever enough. Soon after launch, The New York Times found the site and brought a stampede of traffic that initially caused it to go down under the strain. In the six months or so since, Hacker's List has been running without technical hitches. (The site is also utilizing CloudFlare's content delivery network nowadays.)

However, controversy has crept in to fill the void left by backend hiccups. It's true that Hacker's List's purpose remains showing the general population that "not all hackers are evil," as Tendell puts it. His intentions for the site also continue to be noble. But many of the project requests being posted to the site show the message isn't getting through as the marketplace scales. If anything, it seems that those who now flock to Hacker's List have largely been people looking for evil hackers to hire. And the site is constantly looking for ways to keep up.

Goldilocks filtering

Whether good or bad, all the attention Hacker's List has drawn since launch hasn't hurt Tendell. The founder and CEO of Denver-based Azorian Cyber Security is now also the co-host of a syndicated tech radio show and a frequent go-to cyber-expert for local and national news broadcasts. Tendell insists that Hacker's List is a separate entity from his business, but he admits that "being on the front page of a lot of things has increased Azorian's footprint and business." In fact, the international press coverage may be Hacker's List's biggest upside—because it's not clear how many actual business transactions happen through the site.

Charles Tendell, the founder of Hacker's List and CEO of Azorian Cyber Security.

According to data on the site itself, only a handful of the enrolled hackers have made any money through Hacker's List since its November 2014 launch. For most, their earnings listed have been just a few hundred dollars. While there are more than 3,000 "hacker" accounts registered—some representing security firms, others registered to individuals—there's no way to know how many are active. Some early adopters of the site who spoke with Ars quickly abandoned it as a source of projects when they saw the sorts of requests that started to come in.

Logistically, Hacker's List acts as a sort of reverse-eBay: customers post projects, then "hackers" bid on them. The customer selects someone for the job based on bids, and—if the project passes as legitimate with Tendell's team—the site acts as an intermediary. It holds the customer's payment until a project is done and they have approved the work. This escrow period also assures the person doing the work that the money is actually there. Afterwards, customers can rate the "hacker" based on their performance and write comments that appear on user profiles.

In theory, this checks and balances system is the same mechanism that keeps other user-generated economies, from AirBnB to Uber, honest. But a quick survey of the kinds of requests made on Hacker's List recently looks a lot less like someone trying to buy a used cell phone and a lot more like someone trying to hire a hit-man:

"Change my final grade"
"Change degree in english university"
"I want emails sent and received by addresses with the url [redacted] to be automatically forwarded to my proxy email address for an indefinite period of time. The addresses are not likely to be heavily protected but I require that no address can be missed from the forwarding hack."
"I am trying to find someone skilled in Hacking social media accounts to hack two facebook profiles."
"I believe my husband is cheating on me and I have no access to his phone and would someone to hack into his whatsapp to confirm this."
"My brother in law has been avoiding my sister lately a lot and she is worried…I would like to have a full access on his email."

From the start, Tendell hoped to filter most of the unwanted, legally questionable project requests with automatic software. "Initially, we had filters turned on, and that's what made the website collapse," he said. "We were still testing keywords, still testing the balance there." Things only became more complicated when these early filtering service woes ran up against Hacking List's initial moment in the media spotlight. In fact, that time was supposed to be a soft launch—the site was still running on a development server in Tendell's office.

"When The New York Times article first came out and it went viral, we had people come on the website posting whatever they wanted," Tendell said. "The site was doing as we coded it, and it shut the posts down and caused basically an internal denial of service attack. We went from almost no traffic whatsoever—me, the developers, and a few 'beta test' clients you could say—to about 5,000 visitors. In that first week, we were averaging 3,000 visitors a day."

There are 8.239 active projects up for bid on Hacker's List as of Tuesday, July 21. None have active bids.

There are 8.239 active projects up for bid on Hacker's List as of Tuesday, July 21. None have active bids.
Some are urgent pleas for help, such as this post from Hong Kong asking for assistance in dealing with an alleged blackmailer.
This woman wants someone to hack her husband's phone and social media.
And here's what looks like an offer for something a bit more shady. The red arrow in the screen shot points to the link to flag projects as suspicious or as spam.
Tendell is counting on the community to flag bad actors so their posts can be deleted. But there are so many of them.
The workflow for how a project gets assigned, approved, and paid.

To quickly fix and scale up the site's filtering, Tendell ultimately decided to rely on a hybrid human vetting process. Today, the founder says Hacker's List has some in-place mechanisms to discourage illegal and unethical hacking requests, including its escrow system for transactions and documentation requirements from both the customer and hacker up front. However, moderation request buttons were also added so that users can flag bad projects. This allows Tendell's small team to be more efficient, getting a little guidance from the community about where it should spend time and energy reviewing. Tendell noted that despite a stream of questionable postings, a large number of possible blackhat projects have been caught this way.

"The reason that it was done that way was that we tried using automated filters, then we tried manual review processes on our own, and it became unduly burdensome for my team to keep up with that," he said. "When we were using the automated filtering, a portion of it basically closed the website, and that's counterproductive. Now we have a flagging system much like that of Craigslist—once [a project] gets flagged, it gets manually reviewed by my team, and the process [of contacting the poster] begins. Based on that conversation, the project gets deleted or it gets revised."