Besides the overwhelming amount of perfectly legal content on the dark web, its unsavory side tends to be known for drugs, credit card fraud, and other illicit classifieds. But what about hacking?

A quick perusal through any popular market or forum will reveal that there is a market for hacking, or “hacking-as-a-service,” on the dark web. Vendors offer distributed denial of service (DDoS) attacks, social engineering, doxing, and more.

But evaluating the legitimacy of the listings in the hacking-as-a-service market is difficult; most posts seem over-zealous (“I can hack anything”) and usually lack the genuine reviews that guide customers in other markets, like drugs and credit cards.

Gaining unauthorized access into others’ networks and accounts can be a profitable venture and much of the illegal trade on the dark web focuses on profit. If hacking services aren’t highly sought after though, it may be because they’re too risky.

When purchasing a hacking service, legal risk is present at nearly every stage during – and after – the transaction. Customers assume the standard risk of communicating and negotiating with an individual offering an illegal product or service. They then proceed to rely on the vendor’s stealth and tradecraft, and these services don’t exactly come with a preview. After the victim is attacked, should an investigation follow, it is not impossible for the attacker, and those who purchased their services, to be brought to justice.

This model stands in stark contrast to some of the dark web’s more established markets. When an individual buys drugs, the risk lies in the purchase and shipping, and disappears once the substance is consumed. Likewise, an individual purchasing stolen credentials from a popular carding site assumes risk in the purchase and delivery of the data, but then is in total control of what they choose to do with it.

However, recent attacks with a strain of malware known as “Mirai” which uses the Internet-of-Things (IoT) to overwhelm servers, may be the catalyst for the maturation of hacking services on the dark web.

The IoT is comprised of common, every-day networked devices that have hardcoded passwords in them, like “root.” These DVRs, cameras, and even crock-pots can be used as part of a botnet to send a massive influx of requests to a site, preventing legitimate users from accessing the information.

Most people aren’t actively checking to see if their gadgets have been compromised, as they don’t seem to warrant the same level of attention one would give to a smart phone or computer. But as IoT malware is continuously improved, taking control of connected – but not personal – devices will be easier, and will introduce less risk.

These hundreds of millions of devices have no way to be automatically updated, and that isn’t likely to change; the debate for regulation has begun, but legislation will always be playing catch up to security. In the meantime, hackers are already selling space in their coveted botnets on the dark web.