The dark web (also called the darknet) is often associated with images of midnight hackers and secretive villains working in solitude. In reality, the deep web and darknet are hives of communal activity spanning all hours. These areas of the internet are used by people seeking anonymity for a variety of reasons, both illicit and lawful in nature.

Security professionals and public safety officials have a vested interest in discovering threat intelligence on the deep web and darknet. This intelligence allows organizations to detect and prevent threats of all kinds. But first, what exactly are the deep web and dark web?


Deep Web and Darknet

The deep web, sometimes called the invisible web, includes websites and data sources that are unindexed and non-discoverable by search engines, such as Google, within the surface web. The deep web is estimated to be at least 400-500 times the size of the surface web.

The deep web includes online pages that are restricted by passwords and paywalls (such as personal social media accounts and online banking dashboards), or dynamic and encrypted networks. The term “deep web” is not interchangeable with the darknet/dark web—it includes the darknet/dark web.

The darknet/dark web is a more hidden subsection of the deep web and requires special software, such as a Tor browser, to access. The dark web offers users total anonymity. This is why a great deal of nefarious activity, including illegal goods sales, human exploitation, and discussion around illegal topics, happens there.

Accessing the dark web is not illegal in itself, even though dark web activities are often illegal. User anonymity means that the dark web is also sometimes used for less destructive activities, such as circumventing government censorship and protecting whistleblowers.

Contrary to popular belief, darknet data is not difficult to access—but it is very difficult to navigate, since pages are not indexed or regulated. Inexpert darknet browsing can be dangerous, and discovering anything specific or useful is extremely time-consuming.

How Does The Darknet Achieve User Anonymity?

Darknet users achieve anonymity with onion routing. A user’s data is sent through multiple layers of encryption before reaching its destination, making its origin anonymous. These encryption layers are analogous to the layers of an onion. 

Tor (an acronym for “The Onion Router”), the most popular dark web browser, uses this encryption method. Tor is a free software browser that conceals the user’s IP address, which in turn inhibits the collection of personal data or metadata.
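A simplified model of the layering described above, added here as an illustration (it is not code from the original page or from the Tor Project): the client wraps a message in one encryption layer per relay, and each relay can remove only its own layer to learn the next hop. The relay names, keys, destination.example and the SHA-256 keystream cipher are constructed stand-ins; Tor itself negotiates per-hop keys and uses standard ciphers.

```python
import hashlib, hmac, os

def subkey(key, label):
    # Derive separate encryption and MAC keys from one per-relay key.
    return hashlib.sha256(label + key).digest()

def keystream(key, nonce, n):
    # Toy SHA-256 counter-mode keystream; a stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):
    """Add one layer: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ks = keystream(subkey(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Remove one layer; raises ValueError if the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("layer does not authenticate under this key")
    ks = keystream(subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def wrap(path, destination, message):
    """Client side: encrypt for the exit relay first, the entry relay last."""
    next_hops = [name for name, _ in path[1:]] + [destination]
    onion = message
    for (_, key), nxt in reversed(list(zip(path, next_hops))):
        hop = nxt.encode()
        onion = seal(key, bytes([len(hop)]) + hop + onion)
    return onion

def route(path, onion, sender):
    """Simulate forwarding; returns (relay, previous hop, next hop, payload) per relay."""
    views, prev = [], sender
    for name, key in path:
        inner = unseal(key, onion)
        n = inner[0]
        nxt, onion = inner[1:1 + n].decode(), inner[1 + n:]
        views.append((name, prev, nxt, onion))
        prev = name
    return views

if __name__ == "__main__":  # constructed relay names and keys
    path = [(n, os.urandom(32)) for n in ("entry", "middle", "exit")]
    onion = wrap(path, "destination.example", b"hello")
    for relay, prev, nxt, _ in route(path, onion, "client"):
        print(f"{relay}: received from {prev}, forwards to {nxt}")
```

Only the entry relay ever sees the client as its previous hop, and only the exit relay sees the destination and the innermost payload, so no single relay can link the two.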

What Do Deep Web And Darknet Sites Look Like?

Most sites and published information on the deep and dark web take the shape of either a marketplace, discussion forum, or breached data dump:

  • Marketplaces allow users to anonymously buy and sell illegal goods on the dark web.
  • Discussion forums allow users to anonymously discuss illegal topics, such as how to conduct cyberattacks, or how to manufacture illicit substances.
  • Breached data dumps, including breached personal or company information, are common on deep web sites like Pastebin.

Deep and dark web sites are a rich source of data for security and law enforcement. Below you’ll find a list of data sources, including popular networks and sites within them. This list is not exhaustive—sites are constantly changing as they are removed or added.

Deep Web Networks

OpenBazaar is a decentralized, open-source marketplace launched in 2016. The network’s goal is to avoid the “middleman” involved in surface web commerce. Buyers and sellers on OpenBazaar use cryptocurrencies and engage directly to avoid fees associated with typical payment methods like Paypal. There are over 20,000 sellers on OpenBazaar with user activity across 150 countries.

OpenBazaar is not inherently anonymizing, but can be accessed through Tor if users desire anonymity. The network does not cater to illicit exchanges, and the bulk of its transactions are not illegal. However, because it is decentralized, OpenBazaar has no way to accurately track or deal with illegal activity. Illegal OpenBazaar listings are not indexed and are not always accessible by search engines within the marketplace. 

Telegram is a cloud-based instant messaging, voice, and video messaging service similar to WhatsApp. It’s considered to be one of the most secure messaging apps for several reasons:

  • Chats can be destroyed when the conversation ends, or be automatically deleted with a self-destruct timer.
  • Telegram boasts three layers of encryption, as opposed to the typical two layers touted by other messaging apps.

Telegram offers access to their public API, which opens up endless possibilities for individuals to create games, get alerts, create data visualizations, build custom tools, and even exchange payments between users. API access to Telegram means that many of the conversations in public channels are largely discoverable to organizations gathering open source intelligence from online sources.

With over 200 million active users, it is no surprise that Telegram is a popular place to hold discussions about illegal activity. There have been many reports of phishing scammers using Telegram as their method of contact with victims.

Discord is a voice over IP (VoIP) and messaging program with 200 million active users. Discord’s user interface looks like a cross between Skype and Slack. It’s free to use, and is available as a web, mobile, and desktop app. Within Discord, users can create their own servers and host private, password-protected, or public channels within those servers.

Discord has been criticized for being vulnerable to attacks from cybercriminals. Beyond security issues, the conversations taking place on Discord have evolved to include adult, narcotic, or NSFW (Not Safe For Work) content. Discord is linked to discussions about illegal activity as well as the alt-right movement. In August 2017, it was discovered to have been used as a planning tool for organizing the “Unite the Right” rally in Charlottesville, VA.

The IRC (Internet Relay Chat) is an instant messaging application designed for large numbers of users to communicate in real-time. It was created in 1988 and has declined in popularity since 2003 as more users move to social media platforms and other messaging tools. The IRC still has close to 500 million active users and 250,000 channels. The IRC has been associated with illegal file trading, denial of service (DoS) attacks and trojan/virus infections.

The IRC isn’t inherently designed for anonymity. Users must use a virtual private network (VPN) or access the IRC through Tor to achieve user anonymity. 

The Open Web can be defined as an open network that is decentralized (control is shared by many parties), accessible (anyone can participate without requesting permission) and open-source (anyone can modify or improve it). 

It can also be defined by what it isn’t: the internet’s “walled gardens” where content is centrally controlled and monetized (Facebook and Google, for example). These walled gardens provide an easier and more curated user experience, but at the cost of certain freedoms—algorithms control what content is published, and publishers are restricted to services that are built by the sites.

Content on the open web is publicly accessible but not necessarily indexed by common search engines like Google. The following are site examples on the Open Web with pages that may not be indexed:

  • 4chan: an imageboard site with topics ranging from video games to sports. 4chan is also associated with subcultures and activism groups, such as the alt-right, and with denial of service (DoS) cyber attacks.
  • Craigslist: a classifieds site used for hosting discussion forums and advertising goods, services, housing, and employment. Scams and sales of counterfeit or stolen goods are not uncommon on Craigslist.
  • Leolist: a classifieds site frequently used by sex workers. It has been linked to human trafficking cases.
  • Pastebin: popular for hosting torrents, hacking data dumps and links to darknet sites.

Dark Web Networks

Tor was created by the U.S. Naval Research Laboratory in the 1990s with the aim of enabling secure government communications. It’s now the most commonly used network for navigating the dark web. Tor sites have .onion as their top-level domain. The following are well-known .onion sites:

Tor Discussion Forums

  • 8chan was launched in 2013 and gained traction after 4chan banned posts affiliated with Gamergate (a widespread harassment campaign against women and progressivism in the gaming community). 8chan serves as an online hate-group for nationalists, neonazis, alt-righters, and misogynists to hold anonymous discussions.

The site is also associated with the 2019 Christchurch mosque and San Diego synagogue shootings. The latter’s perpetrator posted links to his manifesto and Facebook page before committing the attack. The site has 35,000 daily users.

  • The Daily Stormer is similar to 8chan: it’s an anonymous commentary forum for white-supremacists, anti-semites, and neo-nazis. It was founded in July 2013 and moved to the dark web in August 2017. The site is known for internet trolling and organizing harassment campaigns. It was used to help organize the “Unite the Right” rally in Charlottesville, Virginia in 2017.
  • Dread is like the dark web's Reddit. It is modelled closely after Reddit, containing sub-communities and user moderators. The site is a forum, not a marketplace—but contains discussions on producing illegal substances, recommended dealers, and which other Tor sites are run by scammers or have been dismantled.

Tor Marketplaces

  • Hydra is a Russian-language Darknet marketplace with individual vendor shops. The site takes measures to keep scammers and law enforcement from entering; it favours Russian vendors who are willing to pay hosting fees, and encourages trusted vendor-buyer communication before transactions take place.
  • Nightmare Market was launched in 2018 and contains listings for drugs, stolen data, counterfeit goods, and a variety of other illegal transactions. The Market supports escrow (third-party transaction arrangements) and has an affiliated discussion forum.
  • Silk Road 3.1 is a widely-used replacement for the original Silk Road, which was shut down in 2013. Of 50,000 listings, over half are related to illegal substances.

I2P (Invisible Internet Project) is an anonymizing network that focuses on secure internal connections and user communication rather than exchanging goods. Its primary function is to be a “network within the internet” with traffic contained within its borders. In the I2P network, hosted websites are known as “eepsites” and have .i2p as their top-level domain. 

ZeroNet is a peer-to-peer network launched in 2015. Every network peer acts as a server, making it decentralized and immune to censorship. ZeroNet is not inherently anonymous—but users can achieve anonymity through Tor. It’s also open-source; any user can clone and create their own versions of sites within ZeroNet.

ZeroNet sites are based on the following ZeroNet sample sites:

  • ZeroBlog: for creating and editing decentralized blogs
  • ZeroTalk: for creating decentralized forums
  • ZeroMail: for engaging in encrypted peer-to-peer communication
  • ZeroMe: for decentralized microblogging, similar to Twitter
  • ReactionGIFs: for peer-to-peer file sharing
  • ZeroChat: for engaging in real-time peer-to-peer chat messaging
  • Zeropolls: allows users to create, vote in, and view polls
  • ZeroWiki: a ZeroNet-focused wiki where users can create and edit topics


What exactly are criminals doing on the dark web? Most corporate security professionals and public safety officials are looking for crimes, and evidence of crimes, related to stolen and illegal goods, drug and human trafficking, attack planning, the sale and leaking of data and information, money laundering, and fraud.

The following are some specific examples of darknet activity:

  • Discussing and selling “How-To” guides. Guides can cover everything from how to produce an illicit substance, to how to conduct fraud against an organization.
  • Releasing or selling personal data. Personal data breaches are commonly used to gain access to financial accounts, or can be used to target individuals for harassment (known as “doxxing”).
  • Buying and selling fraudulent tax documents. Cybercriminals will often purchase and submit fraudulent tax documents before the real taxpayer is able to.
  • Exposing national security data, such as defense strategies, weapon plans or building blueprints pertinent to national security.
  • Leaking or stealing source code. This makes it easier for hackers to determine if there are any vulnerabilities in your organization’s operating systems or security software.
  • Selling “spoofing” templates. Spoofing templates allow scammers to create fake websites or forms on behalf of an organization as a means to collect personal data.
  • Exposing company databases. This leaks sensitive information about employee accounts, as well as a company’s overall footprint, including partnerships and private contracts.
  • Hiring for illegal activities, such as hitman services or human trafficking.
  • Buying and selling illegal goods or substances.
  • Viewing and exchanging child pornography.

The most effective way to extract crucial intelligence from the deep web and dark web is to use a discovery tool. This tool allows organizations to get aggregated deep web and darknet threat intelligence quickly and without the risk of manually searching through the dark web.

The following are specific industries that actively use deep web/darknet discovery tools to find and mitigate common threats:

Public Safety Professionals (police agencies and federal defense):

  • Discover drug, weapon, and human trafficking cases
  • Find discussions and marketplace listings related to cybercrime
  • Monitor communications between threat actors (planning attacks or other crime)
  • Find fraudulent passports and other documents

Corporate Security Agencies:

  • Protect brand reputation
  • Discover insider threats
  • Discover data breaches
  • Protect executives and enforce personal information security 
  • Detect and avoid DDoS attacks

Financial Institutions:

  • Discover and protect against:
    • Money laundering
    • Counterfeit currency
    • Credit card fraud
    • Internal attacks
    • Data breaches
    • Employee-directed phishing attacks
    • Ransomware, malware, and cryptojacking
    • Unsecure third-party vendors and cloud-based service providers 
    • Spoofing and DDoS attacks
    • ATM attacks


Retail Security:

  • Discover stolen goods and counterfeit sales
  • Find fraudulent gift cards
  • Conduct post-burglary investigations
  • Discover company-branded credit card fraud

There are many dark web tools on the market, both free and paid. The truth is, no single intelligence tool is 100% effective as a standalone strategy. Rather, the best practice is to combine a selection of niche solutions and use them in tandem.

Beacon is a dark web discovery platform designed for threat intelligence. Beacon allows security teams to pull fully indexed data from deep and dark web sources such as Onion from their own surface web browser. Unlike many other dark web discovery tools, no Tor browser is required. 

Beacon also allows users to search data by marketplaces, discussion forums, or breached data. Retrieved posts can be filtered by the type of information the user is looking for, such as specific emails, credit card or other personal identifying information, drugs, date posted, and other criteria. When a user finds a post of interest, they can view content details within Beacon, or copy and paste the post link into a Tor browser.

Have I Been Pwned? is a free online resource to check if your email address has been put at risk due to a data breach. It’s a good place to start if you are looking for specific email addresses targeted in a data breach.


Whether or not you search for them, security threats are prevalent on the deep and dark web. Deep web threat intelligence is crucial to organizational security and public safety—but locating and analyzing it safely and efficiently requires advanced discovery tools.

Data sources on the deep and dark web are extensive and constantly changing. A discovery tool that efficiently aggregates data across a range of deep web and dark net providers is essential to any threat intelligence strategy. Darknet discovery can help industries ranging from public safety to retail discover and mitigate threats related to data breaches, illicit goods exchange, and human exploitation.
