The dark web represents a hidden portion of the internet associated with criminal activity, stolen data marketplaces, and anonymized communication. For cybersecurity professionals, understanding the dark web is essential for threat hunting, monitoring compromised credentials, and protecting organizations from dark web-originated threats. This comprehensive guide explains what the dark web is, how it works, associated risks, and how organizations can leverage dark web intelligence for security.
Table of Contents
- What is the Dark Web?
- Surface Web vs Deep Web vs Dark Web
- How the Dark Web Works
- Accessing the Dark Web
- What's on the Dark Web
- Criminal Activity on the Dark Web
- Risks and Dangers
- Dark Web Threat Intelligence
- Dark Web Monitoring for Organizations
- Legal Considerations
- Frequently Asked Questions
What is the Dark Web?
The dark web is a portion of the internet intentionally hidden from standard search engines and web browsers, requiring specific software (primarily Tor) to access. It uses encryption and anonymization techniques to obscure user identities and hosting locations, creating an environment where users can communicate and transact with significant anonymity.
Unlike regular websites indexed by Google or Bing, dark web sites use special top-level domains (primarily .onion for Tor) and are not discoverable through traditional search. This anonymity serves both legitimate purposes, protecting journalists, whistleblowers, and activists in repressive regimes, and facilitating illegal activities including stolen data sales, drug trafficking, weapons trading, and cybercrime services.
According to research, the dark web represents less than 0.01% of total internet content, yet generates significant security concerns due to its role as a marketplace for stolen credentials, personal data, corporate intelligence, and cybercrime tools. Organizations monitoring the dark web detect data breaches, compromised employee credentials, and planned attacks against their infrastructure.
Surface Web vs Deep Web vs Dark Web
Understanding the internet's layers clarifies the dark web's position within broader internet architecture:
| Layer | Size | Access Method | Searchable | Examples |
|---|---|---|---|---|
| Surface Web | ~4% of internet | Standard browsers | Yes (Google, Bing) | Public websites, blogs, news sites |
| Deep Web | ~96% of internet | Login/authentication | No | Email, banking, medical records, databases |
| Dark Web | ~0.01% of internet | Special software (Tor) | No (specialized search) | Anonymous forums, marketplaces, .onion sites |
Surface Web
The surface web includes all content indexed by standard search engines, public websites, blogs, news sites, and openly accessible information. This represents the smallest portion of internet content but receives the most public attention.
Deep Web
The deep web comprises all unindexed internet content, including password-protected sites, subscription services, medical records, legal documents, academic databases, and corporate intranets. This content isn't hidden for nefarious purposes; it simply requires authentication or isn't meant for public indexing. Your email inbox and online banking portal exist on the deep web.
Dark Web
The dark web is a small subset of the deep web specifically designed for anonymity, requiring special software like Tor to access. It intentionally obscures user and host identities through encryption and routing techniques. While hosting legitimate privacy-focused services, it's also known for criminal marketplaces, stolen data sales, and illegal content.
How the Dark Web Works
Tor (The Onion Router)
Tor is the primary technology enabling dark web access. It works through onion routing, a technique encrypting data in multiple layers and routing traffic through random volunteer-operated servers worldwide. Your connection bounces through three nodes:
- Entry Node: Knows your IP address but not your destination
- Middle Node: Relay that knows neither source nor destination
- Exit Node: Knows the destination but not your original IP
Each node decrypts only enough information to pass the data to the next node, so no single point knows both your identity and your destination. This architecture provides significant anonymity, though not perfect security, since operational mistakes can expose users.
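To make the three-hop property concrete, here is an added Python simulation (not code from the original article or from the Tor Project): the client wraps a request in one layer per hop, and each relay peels exactly one layer and learns only the next hop. Assumptions: the per-hop keys are pre-shared rather than negotiated, the layers use a toy SHA-256 keystream in place of Tor's real ciphers, and the client address, relay names and destination are constructed.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed identities; the client uses an RFC 5737 documentation address.
CLIENT = "client 203.0.113.5"
DESTINATION = "example.onion"
# Per-hop keys are pre-shared here (assumption); Tor negotiates them during circuit build.
PATH = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]


def layer_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode, XORed in). XOR is its own inverse,
    so the same call encrypts and decrypts. It models only the layering;
    Tor's real cells use AES inside TLS links."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def build_onion(payload: bytes) -> bytes:
    """Client side: wrap the payload once per hop, innermost layer for the exit.
    Each layer names only the next hop, never the whole path."""
    hops = [name for name, _ in PATH] + [DESTINATION]
    cell = payload
    for i in range(len(PATH) - 1, -1, -1):          # exit layer first, entry layer last
        _, key = PATH[i]
        plain = json.dumps({"next": hops[i + 1], "body": cell.hex()}).encode()
        cell = layer_xor(key, plain)
    return cell


def relay(key: bytes, cell: bytes) -> Tuple[str, bytes]:
    """Relay side: peel exactly one layer; what remains is still ciphertext."""
    layer = json.loads(layer_xor(key, cell).decode())
    return layer["next"], bytes.fromhex(layer["body"])


def run_circuit(payload: bytes) -> List[Dict]:
    """Push one cell along the path and record what every relay could observe."""
    observations = []
    previous, cell = CLIENT, build_onion(payload)
    for name, key in PATH:
        next_hop, cell = relay(key, cell)
        observations.append({"node": name, "from": previous, "to": next_hop})
        previous = name
    observations.append({"node": "destination", "payload": cell})  # exit delivers plaintext
    return observations


def leaks_both_ends(observations: List[Dict]) -> bool:
    """True only if a single relay saw both the client and the destination."""
    return any(o.get("from") == CLIENT and o.get("to") == DESTINATION for o in observations)


if __name__ == "__main__":
    for view in run_circuit(b"GET / HTTP/1.1"):
        print(view)
```

Printing the observations shows the entry relay pairing the client with "middle" and the exit relay pairing "middle" with the destination, which is exactly the split the article describes.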
.onion Domains
Dark web sites use the .onion top-level domain, which is only resolvable within the Tor network. These domains are cryptographic hashes rather than memorable names (e.g., "3g2upl4pq6kufc4m.onion" for DuckDuckGo's dark web search). Some sites use vanity addresses with recognizable patterns, though these require significant computing power to generate.
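As an added example (not from the original article), the following Python derives and validates the current 56-character v3 form of a .onion address from its public key, following the published v3 layout: base32 of the 32-byte ed25519 key, a 2-byte SHA3-256 checksum and a version byte. The 16-character address quoted above is the older v2 format, which this validator deliberately rejects; the key bytes used are constructed.

```python
import base64
import hashlib
from typing import Optional

ONION_V3_LEN = 56                 # base32 chars for 32-byte key + 2-byte checksum + 1 version byte
CHECKSUM_PREFIX = b".onion checksum"


def onion_v3_address(pubkey: bytes, version: int = 3) -> str:
    """Derive a v3 onion address: base32(PUBKEY | CHECKSUM | VERSION) + ".onion",
    where CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    ver = bytes([version])
    checksum = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ver).digest()[:2]
    # 35 bytes is a multiple of 5, so the base32 output needs no '=' padding.
    return base64.b32encode(pubkey + checksum + ver).decode().lower() + ".onion"


def parse_onion_v3(address: str) -> Optional[bytes]:
    """Return the embedded public key if the address is a well-formed v3 onion
    address with a valid checksum, otherwise None. Legacy 16-character v2
    addresses and anything with a bad checksum or version are rejected."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if len(host) != ONION_V3_LEN:
        return None
    try:
        raw = base64.b32decode(host.upper())
    except ValueError:                # binascii.Error (bad alphabet) is a ValueError
        return None
    pubkey, checksum, ver = raw[:32], raw[32:34], raw[34:]
    if ver != b"\x03":
        return None
    expected = hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ver).digest()[:2]
    return pubkey if checksum == expected else None


if __name__ == "__main__":
    demo_key = bytes(range(32))       # constructed key material, not a real service
    addr = onion_v3_address(demo_key)
    print(addr, parse_onion_v3(addr) == demo_key)
```

A monitoring pipeline that ingests .onion indicators can use the validator to drop malformed or legacy addresses before storing them.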
Cryptocurrency Transactions
Dark web marketplaces primarily use cryptocurrencies (Bitcoin, Monero, Zcash) for transactions, providing additional anonymity. Monero has become increasingly popular due to its built-in privacy features masking transaction details, sender, and receiver information, unlike Bitcoin, where transactions are publicly visible on the blockchain.
Accessing the Dark Web
Tor Browser
To access the dark web, download Tor Browser from the official Tor Project website (torproject.org). The browser bundles Firefox with Tor network integration, providing anonymous access to both regular internet and .onion sites. Installation is straightforward on Windows, macOS, and Linux systems.
Security Precautions
If accessing the dark web for legitimate security research or threat intelligence, implement these controls:
- Use dedicated virtual machine or separate computer
- Connect through VPN before launching Tor
- Never log into personal accounts
- Disable JavaScript in Tor Browser
- Don't download files from untrusted sources
- Don't resize Tor Browser window (fingerprinting risk)
- Use disposable email addresses
- Document all activities for security team
- Coordinate with legal and compliance teams
Alternative Access Methods
Beyond Tor, other anonymization networks exist:
- I2P (Invisible Internet Project): Alternative anonymous network with .i2p domains
- Freenet: Peer-to-peer platform for censorship-resistant communication
- ZeroNet: Decentralized network using Bitcoin cryptography and BitTorrent
However, Tor remains the dominant platform for dark web access, with the largest user base and the most developed ecosystem.
What's on the Dark Web
Legitimate Uses
Not all dark web content is criminal. Legitimate uses include:
- Privacy Protection: Whistleblowers and activists avoiding surveillance
- Journalism: SecureDrop and similar platforms for anonymous source communication
- Circumventing Censorship: Access to blocked content in repressive regimes
- Research: Academic studies on anonymity and online behavior
- Privacy-Focused Services: Email, chat, and file sharing with enhanced privacy
Criminal Marketplaces
Dark web marketplaces operate similarly to eBay or Amazon but sell illegal goods and services:
| Category | Items Sold | Typical Prices |
|---|---|---|
| Stolen Credentials | Usernames/passwords, email access | $1-$1,000 |
| Financial Data | Credit cards, bank accounts, PayPal | $5-$110 |
| Identity Packages | Full identity (SSN, DOB, documents) | $20-$200 |
| Corporate Access | VPN credentials, RDP access, domain admin | $200-$10,000+ |
| Malware/Exploits | Ransomware, exploit kits, zero-days | $100-$500,000 |
| Criminal Services | DDoS attacks, hacking-for-hire | $50-$10,000 |
Forums and Communities
Dark web forums serve as communities where cybercriminals share knowledge, trade intelligence, recruit collaborators, and build reputation. Notable forum categories include:
- Hacking techniques and tutorials
- Vulnerability disclosures and exploits
- Stolen database sales
- Carding (credit card fraud) discussion
- Ransomware affiliate recruitment
- Money laundering services
Criminal Activity on the Dark Web
Data Breaches and Stolen Credentials
One of the most significant cybersecurity threats from the dark web is the sale of stolen credentials and breached data. When organizations suffer data breaches, stolen information often appears on dark web marketplaces within days or weeks. This data includes:
- Employee email/password combinations
- Customer databases with PII
- Corporate VPN and remote access credentials
- Cloud service account details
- Domain administrator credentials
- Intellectual property and trade secrets
Organizations implementing SOC monitoring and dark web threat intelligence detect these compromises early, enabling rapid response before credentials are exploited.
Ransomware-as-a-Service (RaaS)
Dark web marketplaces host ransomware-as-a-service operations where developers license ransomware to affiliates who conduct attacks, splitting profits (typically 70/30 or 80/20). This model has democratized ransomware attacks, enabling non-technical criminals to launch sophisticated operations. Notable RaaS families include LockBit, BlackCat (ALPHV), and Cl0p.
Zero-Day Exploit Sales
High-value zero-day vulnerabilities (unknown to vendors with no patches available) sell for $5,000 to $500,000+ on dark web marketplaces. Prices depend on target software, exploitation difficulty, and detection likelihood. iOS and Android zero-days command premium prices due to widespread deployment and security value.
Initial Access Brokers
Initial access brokers compromise corporate networks and then sell that access to other criminals (ransomware operators, data thieves). Access prices vary based on:
- Organization size and revenue
- Industry (healthcare, finance, manufacturing)
- Access level (user vs. administrator)
- Network size and data value
This ecosystem enables specialized criminal operations where access brokers handle initial compromise while ransomware operators focus on extortion.
Risks and Dangers
Malware and Exploits
Dark web sites frequently contain malware attempting to compromise visitors. Common threats include:
- Drive-by downloads exploiting browser vulnerabilities
- Malicious Tor exit nodes intercepting traffic
- Fake marketplaces stealing cryptocurrency
- Trojanized tools and software
- JavaScript-based attacks
Scams and Fraud
Despite reputation systems, dark web marketplaces are rife with scams. Exit scams (operators disappearing with escrow funds) are common. Buyers and sellers both face risks, and no legal recourse exists for fraudulent transactions involving illegal goods.
Law Enforcement Monitoring
Major law enforcement agencies (FBI, Europol, DEA) actively monitor dark web activity, infiltrate marketplaces, and track users. High-profile takedowns include:
- Silk Road (2013): First major dark web marketplace shutdown, founder sentenced to life imprisonment
- AlphaBay & Hansa (2017): Coordinated international operation shutting down two largest marketplaces
- Welcome to Video (2019): Largest child exploitation site takedown
- DarkMarket (2021): 500,000-user marketplace taken down by German authorities
Psychological and Legal Risks
Exposure to disturbing content on the dark web can have psychological impacts. Additionally, even accidentally accessing illegal content can create legal liability. Organizations should establish clear policies for dark web access, limiting it to trained security professionals with legitimate business justification and appropriate oversight.
Dark Web Threat Intelligence
For cybersecurity professionals, the dark web is a valuable threat intelligence source, providing early warning of:
Compromised Credentials
Monitoring for organization-specific email addresses and domains in credential dumps enables proactive password resets before attackers exploit access. Stolen credentials remain one of the most common initial access vectors for breaches.
Data Breach Indicators
Data breaches often appear on dark web forums before organizations become aware through other channels. Early detection enables faster incident response, forensic investigation, and customer notification.
Planned Attacks
Threat actors sometimes discuss targets, vulnerabilities, or planned attacks on dark web forums. Intelligence teams monitoring these discussions can identify threats before attacks occur, implementing preventive controls.
Emerging Vulnerabilities
Zero-day vulnerabilities and exploit details sometimes appear on dark web forums before public disclosure. Organizations monitoring these sources gain advance warning to implement workarounds or enhanced monitoring before exploits become widespread.
Threat Actor Attribution
Dark web forums provide insight into threat actor capabilities, motivations, and targets. Understanding adversary infrastructure, tools, and techniques (MITRE ATT&CK framework) enables better defensive strategies.
Dark Web Monitoring for Organizations
Automated Monitoring Services
Professional dark web monitoring services continuously scan marketplaces, forums, paste sites, and chat channels for organization-specific indicators:
- Corporate email addresses and domains
- Executive names and titles
- Customer databases
- Intellectual property
- Brand mentions
- Product discussions
- Industry-specific threats
When matches are detected, organizations receive alerts enabling rapid investigation and response. Leading solutions integrate with security operations centers and MDR platforms for automated response workflows.
Manual Intelligence Gathering
Because automated tools miss context and nuance, dedicated threat intelligence analysts manually investigate dark web sources, participate in relevant forums (with legal oversight), and correlate findings with other intelligence sources. This human analysis identifies subtle indicators that automated tools miss.
Integrating Dark Web Intelligence
Effective dark web monitoring requires integration with existing security programs:
- SIEM Integration: Feed indicators into security information and event management platforms
- Threat Intelligence Platforms: Correlate dark web findings with other threat data
- Incident Response: Trigger incident response procedures for high-risk discoveries
- Vulnerability Management: Prioritize patching based on dark web exploit availability
- Identity and Access Management: Automated credential resets for compromised accounts
Response Workflows
When dark web monitoring identifies threats, implement these response actions:
| Finding Type | Immediate Action | Follow-Up |
|---|---|---|
| Compromised Credentials | Reset passwords, revoke sessions | Enable MFA, investigate breach source |
| Data Breach | Activate incident response, preserve evidence | Forensic investigation, notification requirements |
| Corporate Access Sale | Validate access, terminate connections | Hunt for persistence, rebuild compromised systems |
| Planned Attack | Enhance monitoring, implement controls | Threat hunting, vulnerability assessment |
| Executive Targeting | Alert individual, enhance protections | Security awareness training, monitoring |
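Pulling together the organization-specific indicators from the monitoring section and the Compromised Credentials row of the table above, here is an added Python example (not the article's or any vendor's code) that scans a constructed credential-dump sample for accounts on a watched domain and turns each match into an alert carrying the table's response actions. The domain names, sample lines and playbook strings are assumptions constructed for this example.

```python
import re
from typing import Dict, List

# The organization's own domains to watch (constructed for this example).
WATCHED_DOMAINS = {"example.com"}

# Constructed sample of a credential-dump feed in the common "email:password" layout,
# including noise lines, a look-alike domain and a duplicate with different casing.
SAMPLE_DUMP = """\
alice@example.com:Summer2024!
bob@gmail.com:hunter2
carol@corp.example.com:P@ssw0rd
dave@example.com.evil.net:whatever
ALICE@Example.com:Summer2024!
garbage line without a colon
erin@example.com:
"""

# Actions for this finding type, taken from the response workflow table.
PLAYBOOK = {"immediate": "Reset passwords, revoke sessions",
            "follow_up": "Enable MFA, investigate breach source"}

EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})$")


def parse_dump(text: str) -> List[Dict]:
    """Parse 'email:password' lines; skip anything that is not a credential entry."""
    entries = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()            # dumps mix case; normalise before matching
        m = EMAIL_RE.match(email)
        if not m:
            continue
        entries.append({"email": email, "domain": m.group(1),
                        "password_exposed": bool(password.strip())})
    return entries


def in_watchlist(domain: str, watched) -> bool:
    """Exact domain or a subdomain of it; 'example.com.evil.net' must not match."""
    return any(domain == w or domain.endswith("." + w) for w in watched)


def build_alerts(entries: List[Dict], watched=WATCHED_DOMAINS) -> List[Dict]:
    """One alert per affected account. The password itself is never copied into
    the alert; only the fact that one was exposed is recorded."""
    hits: Dict[str, Dict] = {}
    for e in entries:
        if not in_watchlist(e["domain"], watched):
            continue
        alert = hits.setdefault(e["email"], {"account": e["email"], "occurrences": 0,
                                              "password_exposed": False, **PLAYBOOK})
        alert["occurrences"] += 1
        alert["password_exposed"] = alert["password_exposed"] or e["password_exposed"]
    return sorted(hits.values(), key=lambda a: a["account"])


if __name__ == "__main__":
    for alert in build_alerts(parse_dump(SAMPLE_DUMP)):
        print(alert)
```

Running it yields three alerts (alice, carol, erin); the gmail account and the look-alike domain are ignored, and the two differently-cased alice lines collapse into one alert with two occurrences.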
Legal Considerations
Legality of Dark Web Access
Accessing the dark web is legal in most countries; Tor and similar tools are legitimate privacy technologies. However, activities conducted on the dark web may be illegal. Organizations should:
- Establish clear policies defining acceptable use
- Limit access to trained security personnel
- Document business justification (threat intelligence, security research)
- Coordinate with legal and compliance teams
- Maintain audit logs of all access
- Never engage in transactions or illegal activities
Evidence Handling
Information discovered on the dark web may become evidence in investigations or legal proceedings. Proper evidence handling procedures include:
- Chain of custody documentation
- Forensically sound collection methods
- Preservation of metadata
- Coordination with law enforcement when appropriate
- Legal review before sharing externally
Notification Requirements
Discovering customer data or PII on the dark web may trigger breach notification requirements under GDPR, CCPA, HIPAA, or state laws. Consult legal counsel to determine obligations.
Frequently Asked Questions
What is the dark web?
The dark web is a portion of the internet that requires specific software (like Tor browser) to access and is intentionally hidden from standard search engines and browsers. Unlike the surface web (indexed by Google) or deep web (password-protected content), the dark web uses encryption and routing techniques to anonymize users and hosts. While it has legitimate uses (journalism, privacy advocacy, whistleblowing), it's also used for illegal activities like selling stolen data, malware, credentials, drugs, and weapons, making it a significant threat intelligence source for cybersecurity professionals.
How do you access the dark web?
The dark web is primarily accessed through the Tor (The Onion Router) browser, which routes traffic through multiple encrypted nodes to anonymize users. Download Tor Browser from the official torproject.org website, install it, and connect to the Tor network. Dark web sites use .onion domains that are only accessible through Tor. However, accessing the dark web carries significant risks: malware, scams, exposure to illegal content, and potential legal issues. Organizations should only access the dark web for legitimate threat intelligence purposes using dedicated systems, VPNs, and security controls.
Is the dark web illegal?
Accessing the dark web itself is not illegal in most countries; Tor and similar tools are legal privacy technologies. However, many activities conducted on the dark web are illegal: buying/selling drugs, weapons, stolen data, hiring criminals, distributing illegal content, etc. Law enforcement actively monitors dark web marketplaces and has successfully shut down major operations (Silk Road, AlphaBay, Hansa). Simply visiting the dark web doesn't break laws, but participating in illegal transactions or possessing illegal content obtained there does. Organizations monitoring the dark web for threat intelligence operate legally within defined security purposes.
What's the difference between deep web and dark web?
The deep web includes any internet content not indexed by search engines (medical records, banking portals, email, subscription content, databases), representing 96% of internet content. The dark web is a small subset of the deep web specifically designed for anonymity and requiring special software (Tor) to access. The surface web (4% of the internet) is indexed by search engines. The deep web is mostly legitimate private content; the dark web intentionally hides identity and location, hosting both legitimate privacy-focused services and illegal marketplaces. Key difference: the deep web is simply unindexed, while the dark web is intentionally hidden and anonymized.
Why would organizations monitor the dark web?
Organizations monitor the dark web for threat intelligence: detecting stolen credentials before use, identifying data breaches early, discovering planned attacks or leaked intellectual property, tracking threat actor discussions about vulnerabilities, and identifying compromised employee accounts. Dark web monitoring provides early warning of security incidents, so organizations can reset credentials, patch vulnerabilities, and implement controls before attackers exploit the intelligence. Many security operations centers integrate dark web threat intelligence into detection strategies, and services like subrosa's threat intelligence include continuous dark web monitoring for client-specific indicators.
What gets sold on the dark web?
Dark web marketplaces sell: stolen credentials ($1-$1,000 depending on access level), credit card data ($5-$110), full identity packages ($20-$200), ransomware-as-a-service ($40-$5,000/month), DDoS-for-hire services, exploit kits, zero-day vulnerabilities ($5,000-$500,000), compromised corporate network access ($200-$10,000+), malware, phishing kits, counterfeit documents, drugs, and weapons. Cybersecurity-related sales dominate commercial dark web activity, with credentials, access, and tools representing a multi-billion-dollar underground economy. Prices vary based on target organization value, access level, and data recency.
Can you be tracked on the dark web?
While Tor provides significant anonymity, users can be tracked through operational security mistakes: revealing personal information, reusing usernames, JavaScript exploitation, browser fingerprinting, timing analysis, compromised exit nodes, malware infections, and coordination with internet service providers. Law enforcement has successfully de-anonymized dark web users through sophisticated techniques and long-term investigations. Perfect anonymity is difficult; most dark web arrests result from OPSEC failures, not from breaking Tor encryption. Organizations accessing the dark web should use dedicated systems and VPNs, avoid logging in to personal accounts, and implement strict security controls.
What is Tor and how does it work?
Tor (The Onion Router) is free, open-source software enabling anonymous internet communication by routing traffic through worldwide volunteer-operated servers (nodes). Your connection bounces through three random nodes: entry (knows your IP but not the destination), middle (relay), and exit (knows the destination but not your IP). Each layer is encrypted like the layers of an onion, hence the name. This process makes tracking very difficult since no single node knows both source and destination. Tor Browser bundles Firefox with Tor network access, blocking trackers and fingerprinting. While primarily associated with the dark web, Tor also anonymizes regular internet access.
How do cybercriminals use the dark web?
Cybercriminals use the dark web for: selling stolen data and credentials, recruiting accomplices for attacks, purchasing malware and exploit tools, laundering cryptocurrency, coordinating ransomware operations, selling network access to compromised organizations, sharing hacking techniques and vulnerabilities, advertising criminal services (DDoS, hacking-for-hire), and communicating anonymously. Dark web forums serve as cybercriminal communities where threat actors build reputation, trade intelligence, and collaborate on operations. Understanding these ecosystems helps security teams anticipate threats; monitoring discussions about your organization or industry provides early warning of planned attacks or emerging vulnerabilities.
Should businesses use dark web monitoring services?
Yes, dark web monitoring provides valuable threat intelligence identifying compromised credentials, data breaches, and emerging threats before they're exploited. Services continuously scan dark web marketplaces, forums, and paste sites for organization-specific indicators: employee emails, domain credentials, customer data, intellectual property, and planned attacks. Early detection enables proactive response: resetting credentials, investigating breaches, patching vulnerabilities, and alerting affected parties. Dark web monitoring is particularly valuable for organizations in regulated industries, those with high-value data, or frequently targeted sectors. subrosa's threat intelligence includes comprehensive dark web monitoring integrated with incident response capabilities.
Conclusion
The dark web represents a complex ecosystem serving both legitimate privacy needs and facilitating criminal activity. For cybersecurity professionals, understanding the dark web is essential, not for accessing illegal content, but for threat intelligence gathering, monitoring compromised credentials, detecting data breaches, and protecting organizations from dark web-originated threats.
Professional dark web monitoring provides early warning of security incidents, enabling proactive response before attackers exploit stolen intelligence. Organizations benefit from integrating dark web threat intelligence with existing security programs including SOC operations, incident response, vulnerability management, and identity governance.
While the dark web carries significant risks (malware, scams, legal exposure), organizations with proper controls, trained personnel, and legitimate security purposes can safely leverage dark web intelligence to strengthen their security posture and detect threats before they materialize into breaches.
subrosa provides comprehensive threat intelligence including continuous dark web monitoring, identifying compromised credentials, data breaches, and emerging threats specific to your organization, integrated with managed detection and response for automated investigation and response.