How to surf the Dark Web for fun and profit

Life is tough if you're a criminal.

Sure, one big score can set you up for life. If you're smart and disciplined, you can retire early. But the flip side of that is that the smart and disciplined cybercriminals cash out and retire early, leaving you with an increasingly undisciplined and dumb selection of partners to work with.

Then, if you're in the business of selling malware, botnets, and other illegal goods and services, you've got to do some sales and marketing, to make it easier for your customers to find you. The flip side of that, of course, is that the easier it is for your customers to find you, the easier it is for the authorities as well.

Yes, you've got your anonymity to protect you. On the Dark Web, nobody knows who you are. The flip side of that, however, is that you also don't know who your business partners are. Worst case -- your customers, suppliers or business partners are cops building a case against you. Best case -- your customers, suppliers or business partners are criminals who rob and cheat people for a living.

Even the double-secret invitation-only criminal mastermind forum you finally got access to might be a front run by the cops, set up specifically for the purpose of gathering intel on you and all your most trusted confederates.

Maintaining anonymity and security requires constant vigilance. You can't afford a single mistake. A single loose thread is enough for authorities to pull apart your entire operation. And it's not just the authorities you have to watch out for -- according to TrendMicro, when competing criminal groups have a falling out, it's common for one group to try to unmask -- "dox" -- their rivals.

If you make a mistake, and you're lucky, you'll have time to run and hide, spending the rest of your life in the shrinking part of the world with no extradition. If you're unlucky, you'll spend a few years in prison. If you're really unlucky, one of your drug trafficking or money laundering business partners will have you killed.


Sonatype's crown jewels is its database of descriptions of over 1.2 million open source packages.

"If that is lost, it could be an existential outcome," said Wayne Jackson, CEO of the Fulton, Maryland-based software supply chain management company.

To shut down any such leak quickly, Sonatype has decided to start monitoring the Web for any indications that this data has been stolen and is now being shared online.

That monitoring will include the Dark Web, as well.

The Internet's dark side isn't actually all that big. Media accounts frequently overestimate the size of the Dark Web by lumping in everything that's not accessible by search engines, and that includes corporate intranets and password-protected sites like online forums, bank websites, and email platforms.

But according to the FBI, there are only about 800 criminal Internet forums worldwide, and while their impact might be large, the number of people using them often isn't.

For example, last week law enforcement agencies from 20 countries worked together to shut down Darkode, a major computer hacking forum with about 300 users. Authorities infiltrated the invitation-only group and arrested 63 members.

One of them, Johan Anders Gudmunds, also known as "Mafi aka Crim," operated a botnet that stole data from innocent victims on approximately 200,000,000 occasions, according to the FBI.

A scan of TOR earlier this summer by the PunkSpider Web vulnerability scanner found around 7,000 TOR sites -- only 2,000 of which were active. And not all of these sites are run by criminals, of course. Dissidents who live under repressive regimes, security-conscious agencies and companies, and individuals very concerned about privacy also use TOR, Freenet, and the Invisible Internet Project, or I2P.

And when it comes to criminally-oriented Dark Web sites, not all of them are of interest to enterprise infosec professionals.

A TrendMicro scan last month found approximately 8,000 suspicious sites on the Dark Web, of which about a third were connected to malware download pages on the public web, just under a third were proxy avoidance sites that help users get around school, company, or government filters, and a quarter were related to child pornography. Just 5 percent were related to hacking.

TrendMicro also analyzed commerce on the Dark Web, and found that only 5 percent of sellers and 6 percent of buyers wanted to trade in user account credentials, a similar number were trading in video games, and almost all of the rest were about drugs. Other services available included fake documents and beatings and murder for hire.

So, while the Dark Web is typically illustrated as an iceberg, with the public Web as the small tip showing above the waterline, the part of it that's of particular interest to security researchers is in fact fairly small and manageable.

A company can set up a Dark Web data mining operation and start being productive in about a day, said Jason Polancich, founder and chief architect of SurfWatch Labs, Inc.

"Most businesses already have all the tools on hand for starting a low-cost, high-return Dark Web intelligence operation, within their own existing IT and cybersecurity teams," he said. "And most large enterprises are either starting this, or already have it in place."

According to Terbium Labs, there are a "few dozen" forums, mainly on TOR, that traffic in stolen information such as bank account numbers.

To make the Dark Web even more accessible to enterprise security researchers, several vendors -- including SurfWatch and Terbium -- are offering monitoring, indexing or alerting services, helping companies react to, or stay ahead of, Dark Web threats.

That could be someone posting sensitive company records, or discussing a planned attack, or selling a vulnerability in software a company uses.

Old sites do go down, or get taken down, and new ones pop up, said Terbium Labs CEO Danny Rogers.

"But they're typically discussed on other forums, so our crawler will naturally discover them," he said. "It changes more on a monthly pace rather than a weekly or daily pace. It's actually not too hard to keep up with it."

Rogers declined to explain how his company accessed members-only forums, but did say that they're able to automatically collect the information shared on these sites.

More than that, Terbium offers a search service, Matchlight, that allows enterprise customers to search for proprietary information via a fingerprint.

"It's a blind search technology," said Rogers. "We give clients the ability to search this index in an automated way without revealing to us what they're searching for."

The core feature of Matchlight allows enterprises to set up alerts for data that they want to monitor, such as customer lists or trade secrets.

"The faster they can find out that there's a data leak, the faster they can kick off their response, and the less damage will occur," he said.

For example, if the scan shows that the data is being distributed on a legitimate, law-abiding site, the enterprise can request that it be taken down. If the data is credit card numbers, they can be canceled quickly, before criminals can make fraudulent charges.

And if a company is aware that there's a leak, they can find it and shut it down before more damage is done.
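The mechanics of a fingerprint-based blind search, as an added illustration that is not Terbium's code and makes no claim about how Matchlight actually works: the client turns each sensitive document into a set of SHA-256 digests of overlapping word windows ("shingles"), hands only those digests to the monitoring service, and the service fingerprints crawled text the same way and reports how much of each registered document it has seen. The window size, the alert threshold and the sample documents and forum posts are all constructed for the example.

```python
import hashlib
import re

# Words per shingle. An illustrative choice for this example, not a value from any product.
SHINGLE_WORDS = 4


def tokenize(text: str) -> list[str]:
    """Lower-case and keep only alphanumeric runs, so punctuation and spacing
    differences between the original data and a leaked copy do not break matches."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(text: str, n: int = SHINGLE_WORDS) -> set[str]:
    """Overlapping n-word windows; text shorter than n words yields one shingle."""
    words = tokenize(text)
    if not words:
        return set()
    if len(words) <= n:
        return {" ".join(words)}
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def fingerprint(shingle: str) -> str:
    """One-way digest of a shingle; the monitor stores these, never the shingle itself."""
    return hashlib.sha256(shingle.encode("utf-8")).hexdigest()


def register(label: str, secret_text: str) -> dict[str, str]:
    """Client side: map every digest of a secret document to a label.
    Only this dict leaves the client; the plaintext stays at home."""
    return {fingerprint(s): label for s in shingles(secret_text)}


class Monitor:
    """Service side: holds digests only and matches crawled text against them."""

    def __init__(self) -> None:
        self.index: dict[str, str] = {}   # digest -> label
        self.total: dict[str, int] = {}   # label -> number of registered digests

    def load(self, digests: dict[str, str]) -> None:
        for digest, label in digests.items():
            self.index[digest] = label
            self.total[label] = self.total.get(label, 0) + 1

    def scan(self, crawled_text: str) -> dict[str, float]:
        """Fingerprint crawled text and return, per label, the fraction of that
        document's registered shingles that appeared. Empty dict means no match."""
        hits: dict[str, int] = {}
        for s in shingles(crawled_text):
            label = self.index.get(fingerprint(s))
            if label is not None:
                hits[label] = hits.get(label, 0) + 1
        return {label: count / self.total[label] for label, count in hits.items()}


def alerts(monitor: Monitor, crawled_text: str, threshold: float = 0.5) -> list[str]:
    """Labels whose matched fraction reaches the threshold; a few shared shingles
    from ordinary phrasing stay below it, a quoted chunk of the document does not."""
    return sorted(label for label, frac in monitor.scan(crawled_text).items()
                  if frac >= threshold)


# Constructed sample data: two "secret" documents and two crawled forum posts.
SECRET_CUSTOMERS = "Acme Widgets, Globex Corp, Initech LLC, Umbrella Holdings, Vandelay Industries"
SECRET_METADATA = "org.apache.commons commons-io 2.4 Apache License 2.0"
CRAWLED_LEAK = "selling fresh list: acme widgets / globex corp / initech llc / umbrella holdings ... pm me"
CRAWLED_BENIGN = "anyone got invites for the new forum?"


def build_demo_monitor() -> Monitor:
    """Register both constructed documents with a fresh monitor."""
    monitor = Monitor()
    monitor.load(register("customers", SECRET_CUSTOMERS))
    monitor.load(register("metadata", SECRET_METADATA))
    return monitor


if __name__ == "__main__":
    m = build_demo_monitor()
    for post in (CRAWLED_LEAK, CRAWLED_BENIGN):
        print(repr(post[:40]), m.scan(post), alerts(m, post))
```

The leaked post quotes four of the five customer names, which covers five of the seven registered shingles, so "customers" crosses the threshold while "metadata" and the benign post produce nothing. Keeping only digests means the service never sees which customer list or trade secret a client is watching for, but plain digests of low-entropy values such as card numbers can be recovered by brute-force guessing; this sketch shows the matching mechanics, not the privacy guarantee a production blind-search service has to provide.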

One of the customers using Matchlight is Sonatype, which will be using the service to keep an eye out for any sign of its open source software database.

"The golden asset for us is our metadata which describes the attributes of open source code," said Sonatype's Jackson. "Our plan is to use Matchlight to make sure that this metadata doesn't show up on either the dark or light web."

Another vendor, Somerville, Mass.-based Recorded Future, Inc., can create a fingerprint based on the hardware and software that an enterprise has deployed, then search the Dark Web for new vulnerabilities identified in those systems, as well as looking for mentions of the company or its employees, IP addresses, or email addresses.

"We also help people look at industry-level trends," said Nick Espinoza, the company's product engineer.

Recorded Future senior analyst Scott Donnelly added that cybercriminals don't just limit themselves to forums on the Dark Web.

"Bad guys have to stick their heads out if they want to sell what they stole," he said. They're even on Twitter, he added. "They love their hashtags."

Starting points for exploring the Dark Web:

The Reddit DarkNetMarkets Superlist:

DarkNet Stats:

Deep.Dot.Web List of Dark Net Markets:

Gwern Branwen's Dark Net Market archives:

The Onion subreddit:

Tor Hidden Wiki:

The Hidden Wiki:

Another Hidden Wiki:

Yet another Hidden Wiki:

Grams search engine:

Ahmia search engine:

Vendors offering Dark Web monitoring or investigation services:

Digital Shadows:

Recorded Future:


Stories by Maria Korolov