The dark web refers to web pages that are not indexed by commonly used search engines. Under the cloak of anonymity, cybercriminals and threat actors can operate, selling an array of tools and services that can be used to wreak havoc on organizations.
While major takedowns have disrupted parts of the dark web, it remains resilient, with new technologies and changing criminal strategies. For CISOs, one of the biggest shifts in thinking is that the dark web is no longer just a post-breach problem.
Threat actors target organizations based on exposed credentials, stale access points, or misconfigured assets that are advertised or sold there. A lot of this information is inexpensive and readily available — opening the door to attacks.
Cybercriminals can build a stolen profile with telephone, address and other personal information for less than $10, according to SOCRadar’s 2024 dark web report.
Continuous monitoring of stealer logs, credential leaks, and dark web chatter should be a core function of threat intelligence, not an occasional sweep after an incident. “It’s a live reconnaissance zone,” says Ensar Seker, CISO at SOCRadar.
To help understand the changing dynamics, here’s what CISOs need to know about the trade of stolen information, new marketplaces, the availability of malicious tools, and the impact of AI on the dark web.
International policing efforts are targeting the dark web
International policing groups are working to disrupt several major platforms through joint efforts. The Australian Federal Police (AFP) participated in a Europol-led investigation that in 2024 shut down LockBit’s primary platform along with 34 servers across the US, the UK, Europe, and Australia.
“More than 200 cryptocurrency accounts allegedly owned by the ransomware group were frozen by law enforcement, stripping the group of significant profits,” an AFP spokesperson tells CSO.
The AFP also joined an international police operation against LabHost that was used to steal PII from victims through persistent phishing attacks sent via texts and emails. “At the time of the takedown, LabHost had more than 40,000 phishing domains and more than 10,000 global active cybercriminals using its technology to exploit victims,” the spokesperson says.
Australia has imposed financial sanctions and travel bans on several individuals in relation to illicit cyber activity conducted by ZServers. The group provided bulletproof hosting (BPH) services to the cybercriminals that breached health insurer Medibank Private. “BPH providers are resistant, but not immune, to takedown efforts from law enforcement and requests for cooperation,” AFP says.
New groups form after major marketplaces are disrupted
International takedowns damage criminal infrastructure and curb cybercrime by disrupting larger operations, removing major players from the ecosystem, and scattering user bases.
However, the dark web is highly adaptive and sophisticated actors often maintain contingency plans, including mirrors, backups, and alternative forums, according to Edward Currie, associate managing director of Kroll cyber and data resilience.
“Some migrate to private forums, other ransomware groups, create new ransomware groups, or adopt decentralized technologies like blockchain-based hosting or intermittent access platforms that are harder to trace and takedown. These peer-to-peer, invite-only, and/or vouchering networks are faster, cheaper, and less vulnerable to disruption by law enforcement,” Kroll says.
Nonetheless, takedowns usually yield valuable threat intelligence that benefits the cybersecurity community and cannot be obtained anywhere else. “The threat intelligence gained from takedowns contributes to other law enforcement investigations. But at the pace at which takedowns occur, the evolution of the threat actors will continue to outpace law enforcement capabilities,” Kroll says.
The dark web is a vibrant marketplace that trades in illicit goods and services
In addition to law enforcement actions, dark web activity changes with technological innovation and criminal strategies, according to Matteo Salom, senior cyber threat intelligence analyst, digital risk protection, with BlueVoyant.
There’s a growing emphasis on scalability and professionalization, with aggressive promotion and recruitment for ransomware-as-a-service (RaaS) operations. This includes lucrative affiliate programs to attract technically skilled partners and tiered access enabling affiliates to pay for premium tools, zero-day exploits or access to pre-compromised networks.
It’s fragmenting into specialized communities that include credential marketplaces, exploit exchanges for zero-days, malware kits, and access to compromised systems, and forums for fraud tools.
Initial access brokers (IABs) are thriving, selling entry points into corporate environments, which are then monetized by ransomware affiliates or data extortion groups. Ransomware leak sites showcase attackers’ successes, publishing sample files, threats of full data dumps as well as names and stolen data of victim organizations that refuse to pay.
“In parallel, some actors are experimenting with blockchain-based hosting, decentralized DNS, and peer-to-peer marketplaces, which offer greater resilience against takedowns and surveillance,” Salom says.
Info-stealer logs are driving a surge in demand for VPN, SaaS platform, and corporate credentials. Logs are monetized directly and used for phishing, privilege escalation, and ransomware deployment, according to SOCRadar’s Seker. “What’s notable is the commoditization: $2 to $5 can buy access to an enterprise account with full browser session cookies, MFA bypass options, and crypto wallet access,” Seker says.
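The continuous monitoring of stealer logs and credential leaks called for earlier in the article, and the session-cookie exposure Seker describes, both come down to the same defensive task: take records in the formats such dumps commonly use, keep only those that touch your own domains, and turn each hit into a containment action. The script below is an added example written for this article, not code from SOCRadar or any vendor quoted here. The log lines and cookie lines are constructed, the `example-corp.com` domain is a placeholder, and the `URL:USER:PASS` and Netscape cookie layouts are assumed as typical inputs; passwords and cookie values are never stored, only fingerprinted so analysts can de-duplicate findings.

```python
"""Triage credential-leak and stealer-log records against monitored corporate domains."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample records in the "URL:USERNAME:PASSWORD" line layout that
# credential dumps commonly use. Every value here is invented for this example.
SAMPLE_CREDENTIAL_LINES = [
    "https://vpn.example-corp.com/login:jdoe:S3cret!",
    "https://mail.example-corp.com:a.smith@example-corp.com:hunter2",
    "https://shop.unrelated.test/account:buyer42:pw123",
    "malformed line without separators",
    "https://portal.example-corp.com/:svc-backup:Backup#2024",
]

# Constructed Netscape-format cookie lines (tab-separated). A live session cookie
# for a monitored SSO/SaaS host lets an attacker replay the session with no
# password and no MFA prompt, which is why it is triaged as its own exposure kind.
SAMPLE_COOKIE_LINES = [
    "sso.example-corp.com\tTRUE\t/\tTRUE\t1893456000\tsession_id\tabc123",
    ".unrelated.test\tTRUE\t/\tFALSE\t1893456000\tprefs\tdark",
]

MONITORED_DOMAINS = {"example-corp.com"}  # placeholder for your own domains


@dataclass(frozen=True)
class Exposure:
    host: str
    account: str       # username for credentials, cookie name for sessions
    kind: str          # "credential" or "session_cookie"
    fingerprint: str   # SHA-256 prefix of the secret; the secret itself is not kept


def host_in_scope(host: str, monitored: set[str]) -> bool:
    """True if host is one of the monitored domains or a subdomain of one."""
    host = host.lower().lstrip(".")
    return any(host == d or host.endswith("." + d) for d in monitored)


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def parse_credential_line(line: str):
    """Split 'URL:USER:PASS'. The URL contains ':' itself, so split from the right.
    Limitation: a password containing ':' would be truncated (the format is ambiguous)."""
    parts = line.rsplit(":", 2)
    if len(parts) != 3 or not parts[0].startswith(("http://", "https://")):
        return None
    url, user, password = parts
    host = urlsplit(url).hostname
    return (host, user, password) if host else None


def parse_cookie_line(line: str):
    """Netscape cookie format: domain, flag, path, secure, expiry, name, value."""
    fields = line.split("\t")
    if len(fields) != 7:
        return None
    return fields[0], fields[5], fields[6]


def triage(credential_lines, cookie_lines, monitored=MONITORED_DOMAINS) -> list[Exposure]:
    """Return only the records that affect monitored domains, with secrets fingerprinted."""
    found = []
    for line in credential_lines:
        parsed = parse_credential_line(line)
        if parsed and host_in_scope(parsed[0], monitored):
            host, user, password = parsed
            found.append(Exposure(host, user, "credential", fingerprint(password)))
    for line in cookie_lines:
        parsed = parse_cookie_line(line)
        if parsed and host_in_scope(parsed[0], monitored):
            host, name, value = parsed
            found.append(Exposure(host, name, "session_cookie", fingerprint(value)))
    return found


def response_actions(exposures: list[Exposure]) -> list[str]:
    """Map each exposure to the containment step a SOC would take. Session cookies need
    session revocation, not just a password reset, because the password was never needed."""
    actions = []
    for e in exposures:
        if e.kind == "credential":
            actions.append(f"reset password and review sign-ins for {e.account} on {e.host}")
        else:
            actions.append(f"revoke active sessions on {e.host} (cookie {e.account}) and re-verify MFA")
    return actions


if __name__ == "__main__":
    for action in response_actions(triage(SAMPLE_CREDENTIAL_LINES, SAMPLE_COOKIE_LINES)):
        print(action)
```

In practice the input would come from a threat-intelligence feed rather than inline lists; the point of the structure is that the matching and the fingerprinting happen before anything is written to a ticket, so the secrets never land in the SOC's own systems.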
Popular malicious tools or services also include OTP bypass bots that automate voice or SMS to steal 2FA codes, crypto drainer kits that empty victims’ wallets, and deepfake services, according to Ian Ahl, SVP at P0 Labs.
Private communications are becoming commonplace
As dark web operations fragment into smaller, granular communities, cybercriminals are developing their own identities to market their activities and illicit tools.
After disruptions to major ransomware players such as AlphV/BlackCat and LockBit, smaller affiliates have moved on to RansomHub or DragonForce, or have created their own brand, either as a partner to a larger ransomware operation or on their own, according to Nick Carroll, manager, cyber incident response at Nightwing.
“Threat actors are wanting to drive focus on their own brand names to gain more notoriety for themselves, such as the regular launching of new ransomware group brand names and leak sites,” says Carroll.
So far in 2025, Nightwing has tracked more than 90 ransomware and data extortion groups active in just the past six months, with 16 of these groups having leak sites that are only about 90 days or less old. However, this fragmentation makes the groups harder to track. “Smaller, fragmented groups create challenges in jurisdictional complexity for law enforcement attempting to track and make arrests across borders as well as challenges in cyber threat intelligence for attribution and tracking,” he says.
Changes in leadership make it challenging for policing and threat monitoring to keep track. For example, BreachForums replaced RaidForums in 2022, relaunched in 2024 after admin shifts, and has had multiple admin changes since then, according to Carroll. “Churn is a major issue in attribution and tracking, and it’s often purposeful from threat actors who don’t want to get caught.”
Fragmentation is also driving private communications. “Many cybercriminals are migrating to encrypted messaging platforms such as Telegram, TOX, and Matrix, as well as invite-only forums, reducing their reliance on traditional Tor-based marketplaces,” Salom adds.
The scale and popularity of DDoS-for-hire services are on the up
While DDoS-for-hire services have existed for years, their scale and popularity are growing. “Many offer free trial tiers, with some offering full-scale attacks with no daily limits, dozens of attack types, and even significant 1 Tbps-level output for a few thousand dollars,” Richard Hummel, cybersecurity researcher and threat intelligence director at Netscout, says.
The operations are becoming more professional and many platforms mimic legitimate e-commerce sites displaying user reviews, seller ratings, and dispute resolution systems to build trust among illicit actors.
Cybercriminals are also innovating in the ways they grow their botnet infrastructure. Notorious pro-Russian hacktivist group NoName057(16) gamifies its DDoS by offering digital currency payments via a service called Project DDoSia and even created its own cryptocurrency token, dCoin, which can be used to pay for other illicit services, according to Hummel. “The botnet’s distribution is facilitated through a streamlined onboarding process on Telegram, where individuals register and are rewarded with cryptocurrency payments in exchange for supplied attack traffic.”
DDoS-for-hire services are now adding AI and automation features that make it easier to launch highly sophisticated attacks. For example, some services enable AI to bypass CAPTCHA systems, making it harder for sites to filter out legitimate traffic from abusive traffic. “This powerful combination of AI and automation renders many traditional defenses obsolete, sidestepping conventional protective measures like rate-limiting,” Hummel says.
The ‘as a service’ marketplace is thriving
Ransomware as a service, stealer malware as a service (SMaaS), and phishing-as-a-service operations are thriving and helping fuel illicit add-on services. There are also myriad support services that help lower the barrier to entry in executing these attacks, or to help make attacks more efficient. These include crypting services, dropper services, and exploit kits for RaaS and SMaaS, according to Carroll.
Exploit kits help the uninitiated exploit a publicly exposed, unpatched service; AI-powered phishing toolkits create convincing phishing messages and attack chains; and crypters obfuscate malware through numerous techniques including packing, encoding, and steganography so attacks are stealthier and harder to stop.
In one case, the Rhadamanthys stealer developer explicitly states they want purchasers to crypt the malware, with posts from the developer highlighting partnerships with crypting services. “This proliferation of a niche services ecosystem makes cybercrime more accessible to less technical actors while enabling more sophisticated attacks through specialization,” says Carroll.
Generative AI is making attacks easier for those less schooled in technology
AI has the ability to accelerate the scale and sophistication of cyber attacks and it’s starting to be incorporated into tools and services on the dark web.
Generative AI is being used to fabricate synthetic identities, including deepfake voices, forged credentials, and AI-generated backstories. “Identity fraud is enhanced through synthetic persona generation and deepfakes, aiding criminals in bypassing know your customer (KYC) and biometric checks,” says Kroll’s Currie.
AI-as-a-service (AIaaS) platforms offer many of these capabilities that lower the barriers for cybercriminals to carry out these attacks.
Zero-interaction chatbots on illicit forums can guide apprentices through malware development, creating dynamic, adversarial training environments. “Malware authors also employ AI-assisted code synthesis to generate polymorphic payloads, malicious binaries that change signatures on every compilation cycle, which render static detection obsolete,” says Nic Adams, co-founder and CEO of 0rcus.
eSentire’s Threat Response Unit has also observed AI integrated into the StealC admin panel to help filter stolen logs. There are also reports of “evil GPT” products sold on dark forums or via private messaging, according to Vishavjit Singh, senior threat intelligence researcher at eSentire. “WormGPT (a chatbot built on open source GPT) is marketed as a phishing and malware assistant, while FraudGPT, DarkBard, WolfGPT and others are used to craft scam pages and phishing campaigns, create malware code, build hacking tools, and more,” Singh says.
The authorities, meanwhile, are in a game of cat and mouse, working to keep up with the changing modes of attack. While they won’t disclose details of their operations, many have dedicated cyber units with specialized training, intelligence sharing, partnerships with industry, and joint operations. “The AFP is constantly developing new and innovative solutions to ensure we are equipped to tackle all criminal methodologies,” the AFP spokesperson says.
Crypto dominates payments but there are new players
Transactions overwhelmingly rely on cryptocurrencies like Bitcoin (BTC). “Criminal entities choose this method due to a misconception that cryptocurrency is anonymous and untraceable by law enforcement,” says the AFP.
Increasingly, privacy-focused coins such as Monero (XMR) and Zcash (ZEC) are being adopted to protect anonymity and make tracing funds difficult for law enforcement. Between 2023 and 2024, the share of new darknet marketplaces accepting only Monero rose from just over one-third to nearly half, reflecting a clear trend toward anti-surveillance tactics, according to Currie.
The use of mixers and tumblers to obfuscate transaction trails is also on the rise. Privacy coins like Zcash and emerging protocols leveraging zero-knowledge proofs are gaining attention for their ability to further mask transactions. “This shift complicates law enforcement’s ability to track illicit financial flows, pushing agencies to invest in new blockchain forensic tools and cross-chain analytics,” Currie says.
Many platforms now offer multiple currencies, escrow services, and automated laundering tools, with niche services that support the illicit payment ecosystem. “These days, dark web payment systems mirror legitimate e-commerce with customer protection and dispute resolution mechanisms,” Carroll says.
This is in part a response to exit scams, such as those pulled by AlphV/BlackCat and other marketplaces. “But much of this appears to be driven around a need for criminal threat actors to get convenient access to quick payments from victims in order to support further operations,” he adds.
What could CISOs do now?
“It’s essential for security professionals to approach the dark web with a strategic mindset focused on intelligence gathering rather than fear,” says Currie.
Where it’s legal, accessing the dark web can serve legitimate purposes for threat analysts, privacy advocates, and security practitioners.
“The true value lies in proactive dark web monitoring to identify compromised credentials, leaked data, and emerging threats in real time. Equally important is maintaining strong operational security by using trusted Tor browsers, VPNs, dedicated devices, and disabling scripts that could expose identity,” says Currie.
To bolster foundational cybersecurity measures, security teams need to incorporate dark web insights into broader threat intelligence programs. These insights provide context around cyber risks and help security teams adjust their defenses. “By having insights into the dark web, security professionals have a better understanding of threat actor behaviors and motivations,” Currie says.