Deep and dark web sites are a rich source of data for security and law enforcement. Below you’ll find a list of data sources, including popular networks and sites within them. This list is not exhaustive—sites are constantly changing as they are removed or added.

Deep Web Networks 

OpenBazaar is a decentralized, open-source marketplace launched in 2016. The network’s goal is to avoid the “middleman” involved in surface web commerce. Buyers and sellers on OpenBazaar use cryptocurrencies and engage directly to avoid fees associated with typical payment methods like Paypal. There are over 20,000 sellers on OpenBazaar with user activity across 150 countries.

OpenBazaar is not inherently anonymizing, but can be accessed through Tor if users desire anonymity. The network does not cater to illicit exchanges, and the bulk of its transactions are not illegal. However, because it is decentralized, OpenBazaar has no way to accurately track or deal with illegal activity. Illegal OpenBazaar listings are not indexed and are not always accessible by search engines within the marketplace. 

Telegram is a cloud-based instant messaging, voice, and video messaging service similar to WhatsApp. It’s considered to be one of the most secure messaging apps for several reasons:

• Chats can be destroyed when the conversation ends, or be automatically deleted with a self-destruct timer.
• Telegram boasts three layers of encryption, as opposed to the typical two layers touted by other messaging apps.

Telegram offers access to their public API, which opens up endless possibilities for individuals to create games, get alerts, create data visualizations, build custom tools, and even exchange payments between users. API access to Telegram means that many of the conversations in public channels are largely discoverable to organizations gathering open source intelligence from online sources.

With over 200 million active users, it is no surprise that Telegram is a popular place to hold discussions about illegal activity. There have been many reports of phishing scammers using Telegram as their method of contact with victims.

Discord is a voiceover IP and messaging program with 200 million active users. Discord’s user interface looks like a cross between Skype and Slack. It’s free to use, and is available as a web, mobile, and desktop app. Within Discord, users can create their own servers and host private, password protected, or public channels within those servers. 

Discord has been criticized for being vulnerable to attacks from cybercriminals. Beyond security issues, the conversations taking place on Discord have evolved to include adult, narcotic, or NSFW (Not Safe For Work) content. Discord is linked to discussions about illegal activity as well as the alt-right movement. In August 2017, it was discovered as a planning tool for organizing the “Unite the Right” rally in Charlottesville, VA.

The IRC (Internet Relay Chat) is an instant messaging application designed for large numbers of users to communicate in real-time. It was created in 1988 and has declined in popularity since 2003 as more users move to social media platforms and other messaging tools. The IRC still has close to 500 million active users and 250,000 channels. The IRC has been associated with illegal file trading, denial of service (DoS) attacks and trojan/virus infections.

The IRC isn’t inherently designed for anonymity. Users must use a virtual private network (VPN) or access the IRC through Tor to achieve user anonymity. 

The Open Web can be defined as an open network that is decentralized (control is shared by many parties), accessible (anyone can participate without requesting permission) and open-source (anyone can modify or improve it). 

It can also be defined by what it isn’t: the internet’s “walled gardens” where content is centrally controlled and monetized (Facebook and Google, for example). These walled gardens provide an easier and more curated user experience, but at the cost of certain freedoms—algorithms control what content is published, and publishers are restricted to services that are built by the sites.

Content on the open web is publicly accessible but not necessarily indexed by common search engines like Google. The following are site examples on the Open Web with pages that may not be indexed:

• 4chan: an imageboard site with topics ranging from video games to sports. 4chan is also associated with subcultures and activism groups, such as the alt-right and denial of service (DoS) cyber attacks.

• Craigslist: a classifieds site used for hosting discussion forums and advertising goods, services, housing, and employment. Scams and sales of counterfeit or stolen goods are not uncommon on Craigslist.

• Leolist: a classifieds site frequently used by sex workers. It has been linked to human trafficking cases.

• Pastebin: popular for hosting torrents, hacking data dumps and links to darknet sites.

Read more: Open Source Threat Intelligence and Social Media Monitoring

Dark Web Networks

Tor was created by the U.S. Naval Research Laboratory in the 1990’s aiming to enable secure government communications. It’s now the most commonly used network for navigating the dark web. Tor sites have .onion as their top-level domain. The following are well-known .onion sites:

Tor Discussion Forums

• 8chan was launched in 2013 and gained traction after 4chan banned posts affiliated with Gamergate (a widespread harassment campaign against women and progressivism in the gaming community). 8chan serves as an online hate-group for nationalists, neonazis, alt-righters, and misogynists to hold anonymous discussions. Read more: What was 8chan and why should you care about 8kun?

The site is also associated with the 2019 Christchurch mosque and San Diego synagogue shootings. The latter’s perpetrator posted links to his manifesto and Facebook page before committing the attack. The site has 35,000 daily users.

• The Daily Stormer is similar to 8chan: it’s an anonymous commentary forum for white-supremacists, anti-semites, and neo-nazis. It was founded in July 2013 and moved to the dark web in August 2017. The site is known for internet trolling and organizing harassment campaigns. It was used to help organize the “Unite the Right” rally in Charlottesville, Virginia in 2017.
• Dread is like the dark web's Reddit. It is modelled closely after Reddit, containing sub-communities and user moderators. The site is a forum, not a marketplace—but contains discussions on producing illegal substances, recommended dealers, and which other Tor sites are run by scammers or have been dismantled.

Tor Marketplaces

• Hydra is a Russian-language Darknet marketplace with individual vendor shops. The site takes measures to keep scammers and law enforcement from entering; it favours Russian vendors who are willing to pay hosting fees, and encourages trusted vendor-buyer communication before transactions take place.
• Nightmare Market was launched in 2018 and contains listings for drugs, stolen data, counterfeit goods, and a variety of other illegal transactions. The Market supports escrow (third-party transaction arrangements) and has an affiliated discussion forum.
• Silk Road 3.1 is a widely-used replacement for the original Silk Road, which was shut down in 2013. Of 50,000 listings, over half are related to illegal substances.

I2P (Invisible Internet Project) is an anonymizing network that focuses on secure internal connections and user communication rather than exchanging goods. Its primary function is to be a “network within the internet” with traffic contained within its borders. In the I2P network, hosted websites are known as “eepsites” and have .i2p as their top-level domain. 

ZeroNet is a peer-to-peer network launched in 2015. Every network peer acts as a server, making it decentralized and immune to censorship. ZeroNet is not inherently anonymous—but users can achieve anonymity through Tor. It’s also open-source; any user can clone and create their own versions of sites within ZeroNet.

ZeroNet sites are based on the following ZeroNet sample sites:

• ZeroBlog: for creating and editing decentralized blogs
• ZeroTalk: for creating decentralized forums
• ZeroMail: for engaging in encrypted peer-to-peer communication
• ZeroMe: for decentralized microblogging, similar to Twitter
• ReactionGIFs: for peer-to-peer file sharing
• ZeroChat: for engaging in real-time peer-to-peer chat messaging
• Zeropolls: allows users to create, vote in, and view polls
• ZeroWiki: a ZeroNet-focused wiki where users can create and edit topics

What exactly are criminals doing on the dark web? Most corporate security professionals and public safety officials are seeking crimes and evidence of crimes related to stolen and illegal goods, conducting drugs and human trafficking, planning attacks, selling and leaking data and information, money laundering, and fraud. 

The following are some specific examples of darknet activity:

• Discussing and selling “How-To” guides. Guides can cover everything from how to produce an illicit substance, to how to conduct fraud against an organization.
• Releasing or selling personal data. Personal data breaches are commonly used to gain access to financial accounts, or can be used to target individuals for harassment (known as “doxxing”).
• Buying and selling fraudulent tax documents. Cybercriminals will often purchase and submit fraudulent tax documents before the real taxpayer is able to.
• Exposing national security data, such as defense strategies, weapon plans or building blueprints pertinent to national security.
• Leaking or stealing source code. This makes it easier for hackers to determine if there are any vulnerabilities in your organizations’ operating systems or security software.
• Selling “spoofing” templates. Spoofing templates allow scammers to create fake websites or forms on behalf of an organization as a means to collect personal data.
• Exposing company databases. This leaks sensitive information about employee accounts, as well as a company’s overall footprint, including partnerships and private contracts.
• Hiring for illegal activities, such as hitman services or human trafficking.
• Buying and selling illegal goods or substances.
• Viewing and exchanging child pornography.

Read More: Darknet Market Shutdowns and the Future of Threat Intelligence and 10 Ways Cybercriminals Put Your Data Security at Risk

The most effective way to extract crucial intelligence from the deep web and dark web is to use a discovery tool. This tool allows organizations to get aggregated deep web and darknet threat intelligence quickly and without the risk of manually searching through the dark web. 

The following are specific industries that actively use deep web/darknet discovery tools to find and mitigate common threats:

Public Safety Professionals (police agencies and federal defense):

• Discover drug, weapon, and human trafficking cases
• Find discussions and marketplace listings related to cybercrime
• Monitor communications between threat actors (planning attacks or other crime)
• Find fraudulent passports and other documents

Read More: Why Cyber Investigations are the New Focus For Law Enforcement
Read More: Police Investigations and Cyber Crime: How To Find Intelligence Safely

Corporate Security Agencies:

• Protect brand reputation
• Discover insider threats
• Discover data breaches
• Protect executives and enforce personal information security 
• Detect and avoid DDoS attacks

Financial Institutions:

• Discover and protect against:
• Money laundering
• Counterfeit currency
• Credit card fraud
• Internal attacks
• Data breaches
• Employee-directed phishing attacks
• Ransomware, malware, and cryptojacking
• Unsecure third-party vendors and cloud-based service providers 
• Spoofing and DDoS attacks
• ATM attacks

Retail Security:

• Discover stolen goods and counterfeit sales
• Find fraudulent gift cards
• Conduct post-burglary investigations
• Discover company-branded credit card fraud

Read More: 4 Reasons Why Your Retail Security Team Needs to Be on the Dark Web
Read More: Gift Card Fraud: A Guide for Retail Security Teams

There are many dark web tools on the market, both free and with costs associated. The truth is, not one intelligence tool is 100% effective as a standalone strategy. Rather, combining a selection of niche solutions to use in tandem is the best practice.

Beacon is a dark web discovery platform designed for threat intelligence. Beacon allows security teams to pull fully indexed data from deep and dark web sources such as Onion from their own surface web browser. Unlike many other dark web discovery tools, no Tor browser is required. 

Beacon also allows users to search data by marketplaces, discussion forums, or breached data. Retrieved posts can be filtered by the type of information they’re looking for—such as specific emails, credit card or other personal identifying information, drugs, date posted, and other criteria. When a user finds a post of interest, they can view content details within Beacon, or copy and paste the post link into a Tor browser.

Have I Been Pwned? is a free online resource to check if your email address has been put at risk due to a data breach. It’s a good place to start if you are looking for specific email addresses targeted in a data breach.

Whether or not you search for them, security threats are prevalent on the deep and dark web. Deep web threat intelligence is crucial to organizational security and public safety—but locating and analyzing it safely and efficiently requires advanced discovery tools.

Data sources on the deep and dark web are extensive and constantly changing. A discovery tool that efficiently aggregates data across a range of deep web and dark net providers is essential to any threat intelligence strategy. Darknet discovery can help industries ranging from public safety to retail discover and mitigate threats related to data breaches, illicit goods exchange, and human exploitation.

Learn more about how Beacon can be used in your threat detection and crime investigation strategy