The dark web (also called the darknet) is often associated with images of midnight hackers and secretive villains working in solitude. In reality, the deep web and darknet are hives of communal activity spanning all hours. These areas of the internet are used by people seeking anonymity for a variety of reasons, both illicit and lawful in nature.
Security professionals and public safety officials have a vested interest in discovering threat intelligence on the deep web and darknet. This intelligence allows organizations to detect and prevent threats of all kinds. But first, what exactly are the deep web and dark web?
The deep web, sometimes called the invisible web, includes websites and data sources that are unindexed and non-discoverable by search engines, such as Google, within the surface web. The deep web is estimated to be at least 400-500 times the size of the surface web.
The deep web includes online pages that are restricted by passwords and paywalls (such as personal social media accounts and online banking dashboards), or dynamic and encrypted networks. The term “deep web” is not interchangeable with the darknet/dark web—it includes the darknet/dark web.
The darknet/dark web is a more hidden subsection of the deep web and requires special software, such as a Tor browser, to access. The dark web offers users total anonymity. This is why a great deal of nefarious activity, including illegal goods sales, human exploitation, and discussion around illegal topics, happens there.
Accessing the dark web is not illegal in itself, even though dark web activities are often illegal. User anonymity means that the dark web is also sometimes used for less destructive activities, such as circumventing government censorship and protecting whistleblowers.
Contrary to popular belief, darknet data is not difficult to access—but it is very difficult to navigate, since pages are not indexed or regulated. Inexpert darknet browsing can be dangerous, and discovering anything specific or useful is extremely time-consuming.
How Does The Darknet Achieve User Anonymity?
Darknet users achieve anonymity with onion routing. A user’s data is sent through multiple layers of encryption before reaching its destination, making its origin anonymous. These encryption layers are analogous to the layers of an onion.
Tor (short for “The Onion Router”), the most popular dark web browser, uses this encryption method. Tor is free software that conceals the user’s IP address, which in turn inhibits the collection of personal data or metadata.
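The layering described above can be sketched in a few lines. This is an added example, not code from the original article or from the Tor Project: it uses a toy HMAC-based stream cipher from the Python standard library rather than Tor's real ciphers or cell format, and the relay names, keys and `destination.example` are constructed for illustration.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (illustration only, not Tor's cipher).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, data):
    return hmac.new(key, b"mac" + data, hashlib.sha256).digest()

def seal(key, plaintext):
    # Encrypt-then-MAC one layer under a single relay's key.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + _tag(key, nonce + ct) + ct

def open_layer(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(key, nonce + ct)):
        raise ValueError("layer failed authentication (wrong relay key)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(payload, destination, path):
    # The sender wraps for the last relay first, then works outward to the first relay.
    next_hop, body = destination, payload
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "body": body.hex()}).encode()
        next_hop, body = name, seal(key, layer)
    return body

def peel(key, blob):
    # What one relay does: remove its own layer, learn only the next hop.
    layer = json.loads(open_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["body"])

def route(payload, destination, path):
    blob, seen = build_onion(payload, destination, path), []
    for name, key in path:
        next_hop, blob = peel(key, blob)
        seen.append((name, next_hop))  # the only routing fact this relay learns
    return seen, blob

# Constructed sample path: three hypothetical relays, each with its own random key.
PATH = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]
if __name__ == "__main__":
    print(route(b"hello", "destination.example", PATH))
```

Each relay learns only the hop that follows it: the first relay never sees the destination or the payload, and the last relay never sees who built the onion.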
What Do Deep Web And Darknet Sites Look Like?
Most sites and published information on the deep and dark web take the shape of either a marketplace, discussion forum, or breached data dump:
Deep and dark web sites are a rich source of data for security and law enforcement. Below you’ll find a list of data sources, including popular networks and sites within them. This list is not exhaustive—sites are constantly changing as they are removed or added.
OpenBazaar is a decentralized, open-source marketplace launched in 2016. The network’s goal is to avoid the “middleman” involved in surface web commerce. Buyers and sellers on OpenBazaar use cryptocurrencies and engage directly to avoid fees associated with typical payment methods like PayPal. There are over 20,000 sellers on OpenBazaar with user activity across 150 countries.
OpenBazaar is not inherently anonymizing, but can be accessed through Tor if users desire anonymity. The network does not cater to illicit exchanges, and the bulk of its transactions are not illegal. However, because it is decentralized, OpenBazaar has no way to accurately track or deal with illegal activity. Illegal OpenBazaar listings are not indexed and are not always accessible by search engines within the marketplace.
Telegram is a cloud-based instant messaging, voice, and video messaging service similar to WhatsApp. It’s considered to be one of the most secure messaging apps for several reasons:
Telegram offers access to their public API, which opens up endless possibilities for individuals to create games, get alerts, create data visualizations, build custom tools, and even exchange payments between users. API access to Telegram means that many of the conversations in public channels are largely discoverable to organizations gathering open source intelligence from online sources.
With over 200 million active users, it is no surprise that Telegram is a popular place to hold discussions about illegal activity. There have been many reports of phishing scammers using Telegram as their method of contact with victims.
Discord is a voice over IP (VoIP) and messaging program with 200 million active users. Discord’s user interface looks like a cross between Skype and Slack. It’s free to use, and is available as a web, mobile, and desktop app. Within Discord, users can create their own servers and host private, password-protected, or public channels within those servers.
Discord has been criticized for being vulnerable to attacks from cybercriminals. Beyond security issues, the conversations taking place on Discord have evolved to include adult, narcotic, or NSFW (Not Safe For Work) content. Discord is linked to discussions about illegal activity as well as the alt-right movement. In August 2017, it was found to have been used as a planning tool for organizing the “Unite the Right” rally in Charlottesville, VA.
The IRC (Internet Relay Chat) is an instant messaging application designed for large numbers of users to communicate in real-time. It was created in 1988 and has declined in popularity since 2003 as more users move to social media platforms and other messaging tools. The IRC still has close to 500 million active users and 250,000 channels. The IRC has been associated with illegal file trading, denial of service (DoS) attacks and trojan/virus infections.
The IRC isn’t inherently designed for anonymity. Users must use a virtual private network (VPN) or access the IRC through Tor to achieve user anonymity.
The Open Web can be defined as an open network that is decentralized (control is shared by many parties), accessible (anyone can participate without requesting permission) and open-source (anyone can modify or improve it).
It can also be defined by what it isn’t: the internet’s “walled gardens” where content is centrally controlled and monetized (Facebook and Google, for example). These walled gardens provide an easier and more curated user experience, but at the cost of certain freedoms—algorithms control what content is published, and publishers are restricted to services that are built by the sites.
Content on the open web is publicly accessible but not necessarily indexed by common search engines like Google. The following are site examples on the Open Web with pages that may not be indexed:
Tor was created by the U.S. Naval Research Laboratory in the 1990s with the aim of enabling secure government communications. It’s now the most commonly used network for navigating the dark web. Tor sites have .onion as their top-level domain. The following are well-known .onion sites:
The site is also associated with the 2019 Christchurch mosque and San Diego synagogue shootings. The latter’s perpetrator posted links to his manifesto and Facebook page before committing the attack. The site has 35,000 daily users.
I2P (Invisible Internet Project) is an anonymizing network that focuses on secure internal connections and user communication rather than exchanging goods. Its primary function is to be a “network within the internet” with traffic contained within its borders. In the I2P network, hosted websites are known as “eepsites” and have .i2p as their top-level domain.
ZeroNet is a peer-to-peer network launched in 2015. Every network peer acts as a server, making it decentralized and immune to censorship. ZeroNet is not inherently anonymous—but users can achieve anonymity through Tor. It’s also open-source; any user can clone and create their own versions of sites within ZeroNet.
ZeroNet sites are based on the following ZeroNet sample sites:
What exactly are criminals doing on the dark web? Most corporate security professionals and public safety officials are looking for crimes, and evidence of crimes, related to stolen and illegal goods, drug and human trafficking, attack planning, the sale and leaking of data and information, money laundering, and fraud.
The following are some specific examples of darknet activity:
The most effective way to extract crucial intelligence from the deep web and dark web is to use a discovery tool. This tool allows organizations to get aggregated deep web and darknet threat intelligence quickly and without the risk of manually searching through the dark web.
The following are specific industries that actively use deep web/darknet discovery tools to find and mitigate common threats:
Public Safety Professionals (police agencies and federal defense):
Corporate Security Agencies:
Financial Institutions:
Retail Security:
There are many dark web tools on the market, both free and paid. The truth is that no single intelligence tool is 100% effective as a standalone strategy. Rather, the best practice is to combine a selection of niche solutions and use them in tandem.
Beacon is a dark web discovery platform designed for threat intelligence. Beacon allows security teams to pull fully indexed data from deep and dark web sources such as Onion from their own surface web browser. Unlike many other dark web discovery tools, no Tor browser is required.
Beacon also allows users to search data by marketplaces, discussion forums, or breached data. Retrieved posts can be filtered by the type of information users are looking for, such as specific emails, credit card or other personally identifying information, drugs, date posted, and other criteria. When a user finds a post of interest, they can view content details within Beacon, or copy and paste the post link into a Tor browser.
Have I Been Pwned? is a free online resource to check if your email address has been put at risk due to a data breach. It’s a good place to start if you are looking for specific email addresses targeted in a data breach.
Whether or not you search for them, security threats are prevalent on the deep and dark web. Deep web threat intelligence is crucial to organizational security and public safety—but locating and analyzing it safely and efficiently requires advanced discovery tools.
Data sources on the deep and dark web are extensive and constantly changing. A discovery tool that efficiently aggregates data across a range of deep web and darknet providers is essential to any threat intelligence strategy. Darknet discovery can help industries ranging from public safety to retail discover and mitigate threats related to data breaches, illicit goods exchange, and human exploitation.