When the dark web entered public consciousness in the early 2010s, it was widely treated as the sinister underbelly of the internet. On the dark web, anything goes, whether it be illegal drug sales, hacker forums, or things much, much darker.
From an enterprise and security perspective, there were concerns as well. The dark web has been known as a place where stolen information from data breaches would be packaged and sold for anyone with a bit of cryptocurrency. Malware, including ransomware, was also for sale, as was financial info and personally identifiable information (PII).
But experts say the dark web in recent years has changed in significant ways. How prevalent are security threats on this hidden corner of the internet? And how concerned should organizations be with those threats? SearchSecurity spoke with multiple security experts and dark web researchers — and also examined several dark web marketplaces — to determine what can (and can’t) be found there, what the security risks are for enterprises, and whether companies should consider investing in resources like dark web monitoring.
Defining the dark web
The dark web primarily refers to sites and content that reside on overlay networks rather than the traditional internet; these sites, often referred to as “hidden services,” require specialized web browsers to access.
One such browser is Tor, which is a free, open source software that enables virtually anonymous browsing. In addition, Tor users can download software to host relays or nodes for “onion services,” which are websites that are configured to be accessed only by Tor. Onion services are listed with .onion URLs that include an opaque string of characters in the address. For example, one URL of the Silk Road marketplace, a defunct black market and the most famous dark web site, was silkroad7rn2puhj[.]onion.
While defining the dark web — which is different from the deep web — is a bit more complicated than just onion services, and while Tor Browser is not the only anonymous browsing option, onion services represent a significant portion of the dark web. For the purposes of this article, SearchSecurity examined well-known .onion markets and websites (barring those with more extreme content).
There are multiple utilities for onion services. While the dark web is known for black markets, fake hitmen services and abuse content, there is also a significant presence for those who need privacy on the internet for other reasons, including social activism and communication within repressive regimes; journalists (including those working in repressive conditions) who need to safely and securely communicate with sources; and privacy advocates. There are also .onion versions of Facebook, The New York Times, BBC and many others.
Hidden or onion services have existed before the emergence of Silk Road in 2011, but the site was one of the first major darknet markets that helped establish the dark web’s reputation as it’s known today.
What you can (and can’t) find
Since it became publicly known, the dark web has built a mythology for itself and all the things that may — or may not — be found there.
Eileen Ormsby, a longtime dark web expert and author of multiple books on the subject including The Darkest Web, said that when it comes to the darker parts of the dark web, there are generally three types of content found there.
“Most of the dark web is drugs, fraud — your hacked information, your stolen credit cards, that sort of thing — and child exploitation, a massive amount of child exploitation,” she said. “Those are the three things that really are on the dark web. All the other stuff is mostly fluff on the side. It’s fun to go look at on the side, but they’re not real.”
The “mostly fluff” and “not real” content refers to everything from purported hitmen-for-hire services (experts say these are scams) to “red rooms,” which are rumored to offer livestreamed torture and murder (experts say these are also fake). There are sites that claim to offer content regarding human experimentation, secret government files neatly categorized in an online repository, exotic animal sales and many other hoaxes.
“Really the only things that are viable to transact on the dark web are things that are easily transferrable and have repeat customers, so digital goods and things that can be popped into the mail like small quantities of drugs,” Ormsby said. “Anything not easily transferrable there’s not a big market for. There are weapons markets, but they are very, very tiny and very few transactions successfully made on the weapons markets.”
When it comes to the darknet markets, there is some diversity (some stick to things like marijuana or psychedelics while other marketplaces sell harder drugs, malware and/or fraud), but many of the larger markets sell almost everything outside of child exploitation materials and weapons capable of large-scale damage.
For example, one dark web site called “White House Market” is a market that uses an image of Walter White from the TV show Breaking Bad in its logo and advertises all kinds of drugs, as well as some weaponry and defense (including bulletproof vests and 3D printed pistols), stolen financial information, stolen account logins, malware (including ransomware), pirated software and other things, though no exploitation content or significant weaponry.
Another site, Versus Market, offered a similar mixed selection, while Monopoly Market (which had a logo featuring Monopoly mascot Rich Uncle Pennybags) focused primarily on narcotics.
All purchases are made with cryptocurrency. While bitcoin is the most widely used cryptocurrency, numerous darknet markets have moved to Monero because of concerns about a lack of anonymity. Law enforcement’s ability to trace bitcoin transactions has improved over time, so much so that even laundered cryptocurrencies can be tracked.
“The whole idea that bitcoin is anonymous is not true and has never been true. Absolutely every transaction that has ever existed can be seen on the blockchain by anybody at any time. The thing was you didn’t know who was on either side of those transactions, and it used to be the case that sending bitcoin through a couple different addresses would obfuscate you enough that no one would be able to trace it,” Ormsby said. “But now, [law enforcement has] such good tracing technology that they can trace bitcoin through a whole lot of different addresses. A lot of people are being brought down now even after many, many years because of that better bitcoin tracing.”
Monero has a public ledger similar to bitcoin’s blockchain, but Monero’s ledger obfuscates the details of the transaction with encryption (Monero’s open source team has said transactions are completely confidential and untraceable, but security researchers have uncovered several vulnerabilities and weaknesses that contest those claims). The privacy focus goes beyond cryptocurrency now too; using PGP to encrypt communications is now considered a necessity due to fears of market shutdowns by law enforcement and government takeovers. Both are regular occurrences on the dark web.
Other, nonmarket sites SearchSecurity visited include Dread, a dark web forum inspired heavily by Reddit, and Riseup, a collective aimed at bringing secure online communication methods and tools to social activists.
Asked about how the dark web has evolved since she started browsing it in 2011, Ormsby called the current state of the dark web a “devolution” of sorts.
“In a lot of ways, I think it has devolved. Back then, there was a certain amount of technical knowledge needed to get onto the dark web and to transact on it back then, even though it was simpler back then. It was really the domain of a certain few types of people, and most of those types of people, they were pretty much led by Dread Pirate Roberts — Ross Ulbricht — the author of Silk Road; he was very much a philosopher and wanted to create almost this new community, and so a lot of the people back then were all part of the cypherpunks and the whole part of that philosophy, that we’re trying to build this new online life,” she said. “It tended to be very civil, very high-level discussions and now, you’ve got every man and his dog on there. It’s very much like Reddit or 4chan or those sorts of things where there’s a lot of noise to get to the gold.”
Malware, stolen information and data breaches
The trading of malware, stolen personal information, and data breach leaks are primary concerns from a security perspective. Marketplaces, hacker forums and ransomware group sites are all home to this kind of content. Ransomware sites have become a top priority for law enforcement agencies lately, thanks to the growing number of attacks and million-dollar ransoms. For example, last month the Department of Justice, in partnership with Bulgarian authorities, disrupted the NetWalker ransomware operation by disabling “a dark web hidden resource used to communicate with NetWalker ransomware victims” and charging a Canadian citizen, Sebastien Vachon-Desjardins of Gatineau, Quebec, in connection with the attacks.
Enterprises have long been concerned about sensitive data, be it internal emails or customer information, ending up on cybercriminal forums and marketplaces. But John Shier, Sophos senior security advisor and dark web researcher, explained that it’s not just a dark web issue.
“Any breach that gets made public, it will get carved up and resold and repackaged a million different ways and then get sold on marketplaces, forums both clear and dark web, all over the place. It’s ever-present. There’s always going to be this kind of stuff on the markets, on the forums on the dark web. One of the reasons criminals flock to the dark web [is that] they see it as a safer way to trade this information,” he said. “This offers an opportunity for criminals who don’t know each other to find common ground in a ‘secure’ way through forums and marketplaces to trade their ill-gotten goods.”
The same goes for malware; Shier said most of the malicious code being sold and traded on the dark web can be found on the public web as well.
Roman Sannikov, director of cybercrime and underground intelligence at threat intelligence vendor Recorded Future, said that dark web discussions have moved away from traditional malware and more toward ransomware-related topics.
“In recent years we have seen a shift in dark web discussions away from things like DDoS, exploit kits, Android malware, malware in general, and discussion of fraud, carding and similar topics. That is not to say that they have completely disappeared — the topics are still very much there — but the focus has shifted more toward topics that relate to ransomware, including breaches, cryptocurrencies, and extortion. So, while threat actors may not advertise the major malware strands on the dark web very openly, there is a lot of focus on the breaches and access that facilitate the ransomware attacks,” he said.
Sannikov also said that cybercriminal discussions are moving away from dark web forums and more toward private chat services. This has prompted some predictions about the “death” of dark web forums, though he said that’s premature.
“One of the things that have changed over the last few years is that many of these discussions are carried out and finalized on more private chat services like Telegram, Discord and others,” he said. “While the death of the dark web forums has been greatly overstated, and they are still very much needed for the initial postings and initial contact as well as for trust-building, the existence of very private and highly vetted channels on chat services has made it even more difficult and time-consuming to get access to the sensitive areas where some of the most interesting content is discussed.”
On large marketplaces like White House Market, listings for stolen data and malware are both widely available.
Ransomware was on sale for around $15-20 USD (in Monero); a listing for WannaCry had it being offered for approximately $50; and there was something called “The Complete and Utter 2020 Dangerous Viruses Pack” being advertised for $10. It offered a VPN, a “phishing pack,” remote administration tools, password cracking tools, DDoS tools and more. There was also a listing titled, “Ransomware Pack with Source Code,” that claimed to offer nine different types of ransomware, including CryptoLocker, BasicLocker and Jigsaw ransomware among them.
As for stolen information, White House Market featured many account logins, from services like Netflix and Disney+ to financial accounts, as well as “fullz,” referring to comprehensive packages of an individual’s PII. SearchSecurity could not verify the authenticity of any listings for stolen data or malware. It’s unclear how many of these listings are legitimate since scams and fraudulent listings are not uncommon on many dark web marketplaces.
Potential security risks for enterprises
Shier said that while things occur on the dark web that may be of interest to enterprises, they’re not necessarily problems exclusive to the dark web. One example is cracked software.
“One time I was on a forum, and I saw something about a Sophos activation key — it was all bogus. It was alongside McAfee and Symantec and Kaspersky and some of the other ones. It was an activation key for our endpoint product; I looked into it, and it was a scam. That’s the kind of thing as an enterprise you may want to look out for,” he said. “The dark web is not a unique place for that kind of thing. You can see that stuff on the clear web. Cracked software is on the clear web. Keygens are available on the clear web as well. Does that represent a clear and present danger for companies? I don’t think so,” Shier said.
Then, there is the matter of illegally obtained information from data breaches. Shier said organizations should indeed be concerned about such data being sold or exposed — but not just on the dark web. He pointed to the recent example of “SolarLeaks,” a site on the public web that claimed to have sensitive data from companies breached in the SolarWinds attacks.
“SolarLeaks is advertising a bunch of source code for sale that came out of the SolarWinds hack. Microsoft code, some FireEye tools in there. I don’t know the validity of this stuff, but there’s a clear web address and an onion address that offer the exact same thing,” he said. “I don’t know that the dark web offers any extra risk for companies.”
In reality, while the dark web offers greater privacy and can facilitate more open criminality, just about everything on the dark web can be found on the clear web, too. Malware, stolen data (both personal and enterprise), ransomware leaks, cracked software and even abuse content are all things not exclusive to opaque .onion addresses.
However, Sannikov said that companies should pay more attention to the dark web because it can be a harbinger of threats to come — or offer clues to breaches or attacks that are already in progress.
“Finding yourself discussed on the forums or having credentials leaked on shops is often the first sign that an enterprise will have that they are being targeted by threat actors and are a forerunner to things like significant data theft, ransomware attacks or other types of malicious action. If a threat actor is advertising a banking inject for a bank, chances are, that bank will see an increase in attacks or fraud attempts that are facilitated by that banking inject,” he said.
Dark web monitoring services
While dark web monitoring is a broad term that covers different services at different companies, it can generally be defined as a service that monitors the dark web for signs of stolen data, whether it’s stolen personal information for identity theft or administrator credentials for corporate networks.
Some vendors specialize in enterprise-focused services. For example, Recorded Future offers dark web monitoring as one of its threat intelligence services; the offering combines intelligence gathered by human researchers within Recorded Future’s Insikt Group with technology that’s automated to scan for everything from privileged credentials and proprietary software code to simple mentions of a corporate brand.
Aamir Lakhani, global security strategist and researcher at Fortinet, said that automation is key for monitoring the dark web, but he also cautioned against relying solely on such technology without human researchers and analysts.
“There are many darknet and deep web sites. Most of the data is not challenging to search after an organization has the experience, but it can be time-consuming. Enterprises need to develop techniques that secure the organization from cyber attacks, do not attract threat actors’ attention, and don’t introduce any liability to you or your organization. Many darknet sites shut down, change addresses, or change requirements on how to access the sites. Automation is vital to collecting information in searchable indexes. However, it’s not as infallible as it may sound.”
There are other vendors that offer dark web monitoring services that cater to consumers. David Putnam, NortonLifeLock’s head of identity protection products, said that compared to free services like Have I Been Pwned?, LifeLock’s dark web monitoring service — which is offered for individual use, as well as to companies as an employee benefit — allows the user to “set it and forget it.” The service checks not just for an individual’s email, but 120 types of information, including things like college degrees and personal healthcare data, alerting users when such information is found.
“We don’t just tell you something’s happened like Have I Been Pwned? does for dark web or Credit Karma does for credit. When something’s found — and it’s being found in the millions now — we’re there to support you. That’s kind of our big play in this. We do all the work, and if something really happens and you’re concerned, you can call us and we’ll help you through it,” he said.
Even as the dark web has changed in recent years, several security vendors have introduced new monitoring products that are tied to meet the demand from enterprise users and consumers alike.
In October, CrowdStrike announced Falcon X Recon, a new module in its threat intelligence offering that provides “situational awareness” by going “beyond the dark web to include forums with restricted access on the deep web, breach data, source code repositories, paste sites, mobile greyware stores, unsecured cloud storage, public social media posts and messaging apps,” according to its press release announcement.
CrowdStrike senior vice president of intelligence Adam Meyers said that Falcon X Recon is not called a dark web monitoring product because, one, the service monitors more than the dark web, and two, “dark web” is a marketing term.
“‘Dark web’ is a marketing term. People say things like, ‘we’re watching the dark web.’ This goes beyond the dark web; it’s also looking at different non-Tor hidden service type sites,” Meyers said. “We don’t want to limit it by saying dark web; it allows more comprehensive situational awareness into threats that are out there.”
Katie Petrillo, senior manager of LastPass product marketing at LogMeIn, said her company’s dark web monitoring service — introduced last August — is provided as part of its overall password management offering for paying LastPass customers, including LastPass Enterprise end users. Petrillo likewise explained that the benefit of the service is that it is an “always-on” feature that doesn’t need to be actively checked.
“The LastPass dark web monitoring feature evaluates all your stored email addresses in your Vault and alerts you immediately — via email notification and within the LastPass Security Dashboard — if any of your email addresses have been found in the database of breached credentials. If you have compromised email addresses, you are guided through steps to change your password for the site associated with the breach. You can also manage the email addresses you want to exclude from being monitored. LastPass makes the whole process easy and intuitive for you, no extra steps needed,” she said.
Do enterprises need to worry about the dark web?
As the dark web continues to evolve — or devolve, as Ormsby said — the question remains for enterprise CISOs: Should enterprises be taking specific actions regarding the dark web, or is maintaining an overall strong security posture enough?
“I think I would have to go with the latter,” Shier said. “To me, the question of, do you start looking at specific — and I’ll call them edge cases — things like the dark web? Before you do that, you have to have your security house in order. You have to have built that solid security foundation.”
He gave several examples, like making sure regular patching is taking place; ensuring that 2FA is enabled on all critical accounts, as well as any others that can have it; utilizing proactive monitoring tools; and “doing continuous awareness training with your userbase.”
Once an organization handles these things, the question of “that last mile” becomes more appropriate.
“As we go further down this spectrum of security maturity, and when you’ve gotten to the point where you’re a well-oiled security machine where you’re doing all the basics, you’re doing these proactive hunts for threats, you’ve got security monitoring 24/7 and a SOC [security operations center] and all this great stuff, then you’re kind of getting to that last mile where every bit of extra stuff might help, but to what degree?” he said.
Many dark web monitoring services are offered as individual solutions in larger platforms and services, so in certain cases, monitoring might not necessarily need to be a specialized choice.
Meyers called specialized dark web services “part of a broader security plan.”
“It’s part of a broader security plan and security model. I think finding breaches is going to be the biggest thing for any enterprise or CISO — to make sure they don’t have an active breach. The way that you do that is basic hygiene, implementing proper principles like principles of least privilege, network segmentation and things of that nature, vulnerability management — really just trying to make yourself a hard target,” he said.
Similar to Shier, Meyers also called attention to making sure one’s “shop” is in order.
“Monitoring the dark web is of utility, but it’s not the only thing of utility. You need to have your shop in order. You need to have an understanding of what threat actors are coming after you, and what they’re going to do.”
Whether enterprises need to pay attention to dark web-focused products depends on their specific needs and whether their “security house is in order,” to Shier’s point. While the dark web has built its own mythology in the decade it has been part of the public consciousness (and while some very dark things worthy of the “dark web” name exist on there), there is nothing exclusive to the dark web other than the potential for greater privacy and anonymity.
And as for the mythology surrounding the dark web, perhaps Ormsby put it best.
“A lot of the things that people think or believe or hope are on the dark web are just not there.”
Alexander Culafi is a writer, journalist and podcaster based in Boston.