{"id":4335,"date":"2025-08-12T07:00:00","date_gmt":"2025-08-12T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4335"},"modified":"2025-08-12T07:00:00","modified_gmt":"2025-08-12T07:00:00","slug":"9-things-cisos-need-know-about-the-dark-web","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4335","title":{"rendered":"9 things CISOs need to know about the dark web"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The dark web refers to web pages that are not indexed by commonly used search engines. Under the cloak of anonymity, cybercriminals and threat actors can operate, selling an array of tools and services that can be used to wreak havoc on organizations.<\/p>\n<p>While major takedowns have disrupted parts of the dark web, it remains resilient, with new technologies and changing criminal strategies. For CISOs, one of the biggest shifts in thinking is that the dark web is no longer just a post-breach problem.<\/p>\n<p>Threat actors target organizations based on exposed credentials, stale access points, or misconfigured assets that are advertised or sold there. A lot of this information is inexpensive and readily available \u2014 opening the door to attacks.<\/p>\n<p>Cybercriminals can build a stolen profile with telephone, address and other personal information for less than $10, according to SOCRadar\u2019s 2024 dark web <a href=\"https:\/\/socradar.io\/resources\/report\/socradar-2024-annual-dark-web-report\/\">report<\/a>.<\/p>\n<p>Continuous monitoring of stealer logs, credential leaks, and dark web chatter should be a core function of threat intelligence, not an occasional sweep after an incident. 
\u201cIt\u2019s a live reconnaissance zone,\u201d says Ensar Seker, CISO at SOCRadar.<\/p>\n<p>To help understand the changing dynamics, here\u2019s what CISOs need to know about the trade of stolen information, new marketplaces, the availability of malicious tools, and the impact of AI on the dark web.<\/p>\n<h2 class=\"wp-block-heading\">International policing efforts are targeting the dark web<\/h2>\n<p>International policing groups are working to disrupt several major platforms through joint efforts. The Australian Federal Police (AFP) participated in a Europol-led investigation that in <a href=\"https:\/\/www.csoonline.com\/article\/1309721\/hack-me-if-you-can-lockbit-challenges-authorities-promises-to-return.html\">2024 shut down LockBit\u2019s primary platform<\/a> along with 34 servers across the US, the UK, Europe, and Australia.<\/p>\n<p>\u201cMore than 200 cryptocurrency accounts allegedly owned by the ransomware group were frozen by law enforcement, stripping the group of significant profits,\u201d an AFP spokesperson tells CSO.<\/p>\n<p>The AFP also joined an international police operation against LabHost that was used to steal PII from victims through persistent phishing attacks sent via texts and emails. \u201cAt the time of the takedown, LabHost had more than 40,000 phishing domains and more than 10,000 global active cybercriminals using its technology to exploit victims,\u201d the spokesperson says.<\/p>\n<p>Australia has imposed <a href=\"https:\/\/www.csoonline.com\/article\/1297313\/australian-government-names-and-issues-sanctions-on-individual-linked-to-medibank-data-breach.html\">financial sanctions and travel bans<\/a> on several individuals in relation to illicit cyber activity conducted by ZServers. The group provided bulletproof hosting (BPH) services to the cybercriminals that breached health insurer Medibank Private. 
\u201cBPH providers are resistant, but not immune, to takedown efforts from law enforcement and requests for cooperation,\u201d AFP says.<\/p>\n<h2 class=\"wp-block-heading\">New groups form after major marketplaces are disrupted<\/h2>\n<p>International takedown efforts damage infrastructure and curb cybercrime operations by disrupting larger operations, removing major players from the ecosystem and scattering user bases.<\/p>\n<p>However, the dark web is highly adaptive and sophisticated actors often maintain contingency plans, including mirrors, backups, and alternative forums, according to Edward Currie, associate managing director of Kroll cyber and data resilience.<\/p>\n<p>\u201cSome migrate to private forums, other ransomware groups, create new ransomware groups, or adopt decentralized technologies like blockchain-based hosting or intermittent access platforms that are harder to trace and takedown. These peer-to-peer, invite-only, and\/or vouchering networks are faster, cheaper, and less vulnerable to disruption by law enforcement,\u201d Kroll says.<\/p>\n<p>Nonetheless, takedowns usually result in valuable threat-intelligence grabs that benefit the cybersecurity community and intelligence that cannot be obtained anywhere else. \u201cThe threat intelligence gained from takedowns contributes to other law enforcement investigations. 
But the pace at which takedowns occur, the evolution of the threat actors will continue to outpace law enforcement capabilities,\u201d Kroll says.<\/p>\n<h2 class=\"wp-block-heading\">The dark web is a vibrant marketplace that trades in illicit goods and services<\/h2>\n<p>In addition to law enforcement actions, dark web activity changes with technological innovation and criminal strategies, according to Matteo Salom, senior cyber threat intelligence analyst, digital risk protection, with BlueVoyant.<\/p>\n<p>There\u2019s a growing emphasis on scalability and professionalization, with aggressive promotion and recruitment for ransomware-as-a-service (RaaS) operations. This includes lucrative affiliate programs to attract technically skilled partners and tiered access enabling affiliates to pay for premium tools, zero-day exploits or access to pre-compromised networks.<\/p>\n<p>It\u2019s fragmenting into specialized communities that include credential marketplaces, exploit exchanges for zero-days, malware kits, and access to compromised systems, and forums for fraud tools.<\/p>\n<p>Initial access brokers (IABs) are thriving, selling entry points into corporate environments, which are then monetized by ransomware affiliates or data extortion groups. Ransomware leak sites showcase attackers\u2019 successes, publishing sample files, threats of full data dumps as well as names and stolen data of victim organizations that refuse to pay.<\/p>\n<p>\u201cIn parallel, some actors are experimenting with blockchain-based hosting, decentralized DNS, and peer-to-peer marketplaces, which offer greater resilience against takedowns and surveillance,\u201d Salom says.<\/p>\n<p>With info-stealer logs, there\u2019s a surge in demand for VPNs, SaaS platforms, and corporate credentials. Logs are monetized directly and used for phishing, privilege escalation, and ransomware deployment, according to SOCRadar\u2019s Seker. 
\u201cWhat\u2019s notable is the commoditization, $2 to $5 can buy access to an enterprise account with full browser session cookies, MFA bypass options, and crypto wallet access,\u201d Seker says.<\/p>\n<p>Popular malicious tools or services also include OTP bypass bots that automate voice or SMS to steal 2FA codes, crypto drainer kits that empty victims\u2019 wallets, and deepfake services, according to Ian Ahl, SVP at P0 Labs.<\/p>\n<h2 class=\"wp-block-heading\">Private communications are becoming commonplace<\/h2>\n<p>As dark web operations fragment into smaller, granular communities, cybercriminals are developing their own identities to market their activities and illicit tools.<\/p>\n<p>After disruptions to major ransomware players such as AlphV\/BlackCat and LockBit, smaller affiliates have moved on to <a href=\"https:\/\/www.csoonline.com\/article\/3509281\/top-10-ransomware-groups-to-watch.html\">RansomHub or DragonForce<\/a> or created their own brand name as a partner to a larger ransomware name or on their own, according to Nick Carroll, manager, cyber incident response at Nightwing.<\/p>\n<p>\u201cThreat actors are wanting to drive focus on their own brand names to gain more notoriety for themselves, such as the regular launching of new ransomware group brand names and leak sites,\u201d says Carroll.<\/p>\n<p>So far in 2025, Nightwing has tracked more than 90 ransomware and data extortion groups active in just the past six months, with 16 of these groups having leak sites that are only about 90 days or less old. However, this fragmented operation makes it harder to track. \u201cSmaller, fragmented groups create challenges in jurisdictional complexity for law enforcement attempting to track and make arrests across borders as well as challenges in cyber threat intelligence for attribution and tracking,\u201d he says.<\/p>\n<p>Changes in leadership make it challenging for policing and threat monitoring to keep track. 
For example, in 2022 <a href=\"https:\/\/www.csoonline.com\/article\/4013356\/us-indicts-one-for-role-in-breachforums-france-arrests-four-others.html\">BreachForums<\/a> replaced RaidForums and, after admin shifts, relaunched in 2024, but it has had multiple admin changes since then, according to Carroll. \u201cChurn is a major issue in attribution and tracking, and it\u2019s often purposeful from threat actors who don\u2019t want to get caught.\u201d<\/p>\n<p>Fragmentation is also driving private communications. \u201cMany cybercriminals are migrating to encrypted messaging platforms such as Telegram, TOX, and Matrix, as well as invite-only forums, reducing their reliance on traditional Tor-based marketplaces,\u201d Salom adds.<\/p>\n<h2 class=\"wp-block-heading\">The scale and popularity of DDoS-for-hire services are on the up<\/h2>\n<p>While DDoS-for-hire services have existed for years, their scale and popularity are growing. \u201cMany offer free trial tiers, with some offering full-scale attacks with no daily limits, dozens of attack types, and even significant 1 Tbps-level output for a few thousand dollars,\u201d Richard Hummel, cybersecurity researcher and threat intelligence director at Netscout, says.<\/p>\n<p>The operations are becoming more professional and many platforms mimic legitimate e-commerce sites displaying user reviews, seller ratings, and dispute resolution systems to build trust among illicit actors.<\/p>\n<p>Cybercriminals are also innovating in the ways they grow their botnet infrastructure. Notorious pro-Russian hacktivist group <a href=\"https:\/\/www.netscout.com\/blog\/asert\/noname057-16\">NoName057(16)<\/a> gamifies its DDoS by offering digital currency payments via a service called Project DDoSia and even created its own cryptocurrency token, dCoin, which can be used to pay for other illicit services, according to Hummel. 
\u201cThe botnet\u2019s distribution is facilitated through a streamlined onboarding process on Telegram, where individuals register and are rewarded with cryptocurrency payments in exchange for supplied attack traffic.\u201d<\/p>\n<p>DDoS-for-hire services are now adding AI and automation features that make it easier to launch highly sophisticated attacks. For example, some services enable AI to bypass CAPTCHA systems, making it harder for sites to filter out legitimate traffic from abusive traffic. \u201cThis powerful combination of AI and automation renders many traditional defenses obsolete, sidestepping conventional protective measures like rate-limiting,\u201d Hummel says.<\/p>\n<h2 class=\"wp-block-heading\">The \u2018as a service\u2019 marketplace is thriving<\/h2>\n<p>Ransomware as a service, stealer malware as a service (SMaaS), and phishing-as-a-service operations are thriving and helping fuel illicit add-on services. There are also myriad support services that help lower the barrier to entry in executing these attacks, or to help make attacks more efficient. These include crypting services, dropper services, and exploit kits for RaaS and SMaaS, according to Carroll.<\/p>\n<p>Exploit kits help the uninitiated exploit a publicly exposed, unpatched service; AI-powered phishing toolkits create convincing phishing messages and attack chains; and crypters obfuscate malware through numerous techniques including packing, encoding, and steganography so attacks are stealthier and harder to stop.<\/p>\n<p>In one case, the Rhadamanthys stealer developer explicitly states they want purchasers to crypt the malware, with posts from the developer highlighting partnerships with crypting services. 
\u201cThis proliferation of a niche services ecosystem makes cybercrime more accessible to less technical actors while enabling more sophisticated attacks through specialization,\u201d says Carroll.<\/p>\n<h2 class=\"wp-block-heading\">Generative AI is making attacks easier for those less schooled in technology<\/h2>\n<p>AI has the ability to accelerate the scale and sophistication of cyber attacks and it\u2019s starting to be incorporated into tools and services on the dark web.<\/p>\n<p>Generative AI is being used to fabricate synthetic identities, including deepfake voices, forged credentials, and AI-generated backstories. \u201cIdentity fraud is enhanced through synthetic persona generation and deepfakes, aiding criminals in bypassing know your customer (KYC) and biometric checks,\u201d says Kroll\u2019s Currie.<\/p>\n<p>AI-as-a-service (AIaaS) platforms offer many of these capabilities that lower the barriers for cybercriminals to carry out these attacks.<\/p>\n<p>Zero-interaction chatbots on illicit forums can guide apprentices through malware development, creating dynamic, adversarial training environments. \u201cMalware authors also employ AI-assisted code synthesis to generate polymorphic payloads, malicious binaries that change signatures on every compilation cycle, which render static detection obsolete,\u201d says Nic Adams, co-founder and CEO of 0rcus.<\/p>\n<p>eSentire\u2019s Threat Response Unit has also <a href=\"https:\/\/www.esentire.com\/blog\/mintsloader-stealc-and-boinc-delivery\">observed<\/a> AI integrated into the StealC admin panel to help filter stolen logs. There are also reports of \u201cevil GPT\u201d products sold on dark forums or via private messaging, according to Vishavjit Singh, senior threat intelligence researcher at eSentire. 
\u201cWormGPT (a chatbot built on open source GPT) is marketed as a phishing and malware assistant, while FraudGPT, DarkBard, WolfGPT and others are used to craft scam pages and phishing campaigns, create malware code, build hacking tools, and more,\u201d Singh says.<\/p>\n<p>The authorities, meanwhile, are in a game of cat and mouse, working to keep up with the changing modes of attack. While they won\u2019t disclose details of their operations, many have dedicated cyber units with specialized training, intelligence sharing, partnerships with industry, and joint operations. \u201cThe AFP is constantly developing new and innovative solutions to ensure we are equipped to tackle all criminal methodologies,\u201d the AFP spokesperson says.<\/p>\n<h2 class=\"wp-block-heading\">Crypto dominates payments but there are new players<\/h2>\n<p>Transactions overwhelmingly rely on cryptocurrencies like Bitcoin (BTC). \u201cCriminal entities choose this method due to a misconception that cryptocurrency is anonymous and untraceable by law enforcement,\u201d says the AFP.<\/p>\n<p>Increasingly, privacy-focused coins such as Monero (XMR) and Zcash (ZEC) are being adopted to protect anonymity and make tracing funds difficult for law enforcement. Between 2023 and 2024, the share of new darknet marketplaces accepting only Monero rose from just over one-third to nearly half, reflecting a clear trend toward anti-surveillance tactics, according to Currie.<\/p>\n<p>The use of mixers and tumblers to obfuscate transaction trails is also on the rise. Privacy coins like Zcash and emerging protocols leveraging zero-knowledge proofs are gaining attention for their ability to further mask transactions. 
\u201cThis shift complicates law enforcement\u2019s ability to track illicit financial flows, pushing agencies to invest in new blockchain forensic tools and cross-chain analytics,\u201d Currie says.<\/p>\n<p>Many platforms now offer multiple currencies, escrow services, and automated laundering tools, with niche services that support the illicit payment ecosystem. \u201cThese days, dark web payment systems mirror legitimate e-commerce with customer protection and dispute resolution mechanisms,\u201d Carroll says.<\/p>\n<p>This is in part a response to exit scams, such as those pulled by AlphV\/BlackCat and other marketplaces. \u201cBut much of this appears to be driven around a need for criminal threat actors to get convenient access to quick payments from victims in order to support further operations,\u201d he adds.<\/p>\n<h2 class=\"wp-block-heading\">What could CISOs do now?<\/h2>\n<p>\u201cIt\u2019s essential for security professionals to approach the dark web with a strategic mindset focused on intelligence gathering rather than fear,\u201d says Currie.<\/p>\n<p>Where it\u2019s legal, <a href=\"https:\/\/www.csoonline.com\/article\/4017766\/how-defenders-use-the-dark-web.html\">accessing the dark web can serve legitimate purposes<\/a> for threat analysts, privacy advocates, and security practitioners.<\/p>\n<p>\u201cThe true value lies in proactive dark web monitoring to identify compromised credentials, leaked data, and emerging threats in real time. Equally important is maintaining strong operational security by using trusted Tor browsers, VPNs, dedicated devices, and disabling scripts that could expose identity,\u201d says Currie.<\/p>\n<p>To bolster foundational cybersecurity measures, security teams need to incorporate dark web insights into broader threat intelligence programs. These insights provide context around cyber risks and help security teams adjust their defenses. 
\u201cBy having insights into the dark web, security professionals have a better understanding of threat actor behaviors and motivations,\u201d Currie says.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The dark web refers to web pages that are not indexed by commonly used search engines. Under the cloak of anonymity, cybercriminals and threat actors can operate, selling an array of tools and services that can be used to wreak havoc on organizations. While major takedowns have disrupted parts of the dark web, it remains [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4336,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4335"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4335"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4335\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4336"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4335"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4335"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv
2%2Ftags&post=4335"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}