Digital Mercenaries: The Rise of Private Cyber Forces in International Conflicts

Author: Jordan Rinaldi

Battlegrounds in the twenty-first century are coded in algorithms, servers, and encrypted networks rather than being delineated by physical boundaries or soldiers on the ground. Private cyber mercenaries are a new type of fighter that has evolved as states compete to control cyberspace. These actors operate in the hazy area between organized crime, defence, and espionage. They range from state-sponsored hacking collectives to for-profit cybersecurity firms. In the digital age, their ascent is changing the laws of responsibility, diplomacy, and conflict.

Unlike traditional private military companies, today’s cyber mercenaries don’t need weapons or uniforms to wage war. Their arsenals are composed of lines of code capable of paralyzing infrastructure, stealing classified data, or manipulating elections. In recent years, state-linked hacking groups such as Russia’s Sandworm, China’s APT41, and North Korea’s Lazarus Group have launched devastating cyberattacks across borders. But beyond these state-directed campaigns lies a subtler and more troubling trend—the outsourcing of cyber warfare to private or semi-independent entities.

Private firms are increasingly being contracted to carry out politically motivated operations that grant states plausible deniability. The Israeli company NSO Group, for instance, developed the Pegasus spyware used by several governments to surveil journalists, activists, and political opponents. Similarly, Russian-aligned hacker collectives like Killnet have launched attacks against Western infrastructure in retaliation for sanctions over Ukraine—operating with clear political intent but no formal chain of command. These digital mercenaries act as extensions of state power while existing outside any legal or military accountability.

This privatization of cyber conflict mirrors the rise of private military companies but poses far greater risks. In cyberspace, attribution is elusive—attacks can be launched anonymously, routed through compromised servers, or disguised to implicate other actors. This ambiguity allows states to exploit attacks for strategic gain while avoiding blame. Observes, such “grey actors” inhabit a dangerous in-between space: too deniable for war, yet too consequential for peace.

The proliferation of cyber mercenaries also undermines long-standing norms of restraint. Without a “Geneva Convention for cyberspace,” there is little agreement on what constitutes a legitimate target. Power grids, hospitals, and financial systems, once considered off-limits, have become fair game. The Oxford Journal of Cybersecurity warns that as these actors become more sophisticated, the temptation for pre-emptive or retaliatory digital strikes will only increase, escalating the risk of full-scale cyber conflict.

Efforts to establish accountability are emerging but remain limited. The Tallinn Manual on the International Law Applicable to Cyber Operations offers a framework for interpreting existing international law in cyberspace, but enforcement is weak and non-binding. Meanwhile, cybersecurity firms themselves often walk a fine line—acting as both defenders and, in some cases, quiet aggressors for hire.

The commodification of hacking skills and intelligence capabilities has created a global marketplace for cyber aggression. In this new economy of conflict, loyalty is fluid, and the line between patriot, contractor, and profiteer is increasingly blurred.

The rise of digital mercenaries exposes a dangerous gap in international security: the absence of clear rules for invisible wars. As both governments and corporations continue to weaponize cyberspace, the gravest threat may not be one catastrophic cyberattack—but the normalization of constant, privatized digital warfare fought just below the surface of global politics.