The internet as most of us know it—the “surface” web—makes up only a small fraction of what’s accessible online. Beneath it lies the deep web, which includes private databases and internal systems that can’t be found using a traditional search engine like Google or Bing.
Then there's the dark web, which operates on encrypted networks and requires specific tools, know-how, and sometimes even authorization to access and navigate. This blog explores the dark web, including how and where cybercrime gets carried out on it.
The rise of cybercrime on the dark web
In the early days of the internet, during the 1980s before terms like "cybercrime" were coined, there was email. Email-based scams quickly followed, such as the infamous Nigerian-prince-needs-funds scheme.
By the 1990s, the web started to mature. This era saw the rise of viruses (the early form of today’s malware), hacking, and software piracy.
In the 2000s, anonymity technologies like The Onion Router—more commonly known as Tor—began to surface. This marked the origins of the dark web, a hidden environment or digital “dark alley” where cybercriminals could conduct business.
In 2009, cryptocurrency emerged. Online crime increased since threat actors now had a more anonymous, secure, and discreet way to buy and sell goods and services.
A few years later, in 2013, law enforcement dismantled a major dark web marketplace called Silk Road. This was the first high-profile action against these hidden online markets and brought widespread attention to the dark web.
In 2024, about 2.5 million people connect to the dark web daily. Cybercrime continues to form its own economy, with organized groups and service-based criminal enterprises.
How cybercrime is carried out on the dark web
Dark web businesses operate much like legitimate ones, with sellers and buyers exchanging money for goods or services. For cybercrime specifically, there are three key pillars—services, distribution, and monetization—and each plays a critical role in driving business forward.
Services
Perhaps the most crucial, this group includes those who provide the tools and infrastructure needed for cybercrime.
These are malware authors, vulnerability researchers who share their findings, brokers who sell access to compromised systems, and ransomware affiliate programs.
Distribution
This group handles the actual deployment of malicious tools and services. It includes spammers, social engineering experts, and operators of exploit kits.
If a tool is easy to use, it's easy to distribute—botnet operators and affiliate programs often take advantage of this.
Monetization
This group converts stolen data or ransom payments into usable assets.
Money mules, fraud networks, and money laundering operations handle transactions, moving stolen money through wire fraud, cryptocurrency, or other means.
The anatomy of the dark web
The dark web resembles the early days of the internet—rough and transient. Some well-established sites and services have stuck around, but the anonymous and deliberately hidden nature of the dark web makes it a hub for privacy advocates, researchers, and criminals.
At a high level, the dark web is largely made up of various cybercrime marketplaces and hacking communities where you can buy items and services.
Marketplaces
Dark web marketplaces are where most items—often data—are bought and sold. Demand for compromised accounts is among the largest, especially for popular services like Netflix, but there are also opportunities to buy remote desktop protocol (RDP) access to systems.
One study found that credit card details, with an account balance of up to $5000, sell for only $110 on the dark web. Login information for verified ING bank accounts sells for $4255.
Stolen intellectual property is rarely readily listed for sale, but these exchanges do happen and regularly start in the marketplace. Once a buyer and seller have connected, they’ll often direct message or move to another private channel to share IP samples, negotiate, and finish the transaction.
Hacking communities
There are also hacking communities. Essentially, specialists in different areas—malware development, vulnerability research, botnet administration—come together to execute coordinated cyberattacks or collaborate in other ways.
Hacker forums are a central hub for these interactions. You’ll find how-to guides for novice or aspiring hackers and a large “brag and trade” culture in which users willingly share exploits, tools, and general knowledge.
Hacking services
Hacking services on the dark web are widespread, with distributed denial of service (DDoS) attacks being one of the most common offerings. While exact statistics on how often these services are purchased or their reliability are hard to come by, escrow services on these platforms help ensure some level of trust between buyers and sellers.
Other services include hackers offering to smear a person’s name online or offering their skills to breach a targeted business's defenses.
The same study found that 1000 installs of premium-quality malware can be bought for $4500, whereas one month of DDoS attacks sells for only $750.
Defending against dark web risks
Even with a comprehensive defense, organizations may fall victim to a data leak without realizing it. Uncontrollable factors such as supply chain attacks, historical breaches, human error, and insider threats may expose data to the dark web, creating risk and opportunity for threat actors to attack.
This is why dark web monitoring, which involves scanning the dark web for leaked data associated with a company’s domain, is such an important part of a cybersecurity strategy. With that visibility and information, you can:
- Identify unknown breaches: Dark web monitoring helps organizations discover breaches that may have gone undetected, such as when the breach occurred through a third-party vendor.
- Minimize risk: Organizations can address vulnerabilities quickly—by changing leaked credentials or ramping up suspicious login monitoring—and stop cybercriminals in their tracks.
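The matching step behind this kind of monitoring can be sketched as follows. This is an added example, not Field Effect's code: it triages a credential dump a defender has already obtained, keeping only accounts on the monitored domain and its subdomains. The function names, the sample lines, and the domain `example.com` are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample in common "combo list" shapes; not real leaked data.
SAMPLE_DUMP = """\
alice@example.com:Summer2023!
https://portal.example.com/login:bob@example.com:hunter2
carol@mail.example.com;Passw0rd
dave@notexample.com:letmein
eve@example.com.evil.test:qwerty
ALICE@Example.com:Summer2023!
malformed line without credentials
"""

EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def in_scope(host, domain):
    """True for the monitored domain and its subdomains, not lookalikes."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def find_exposed_accounts(dump_text, domain):
    """Map each in-scope account to fingerprints of the secrets leaked with it."""
    domain = domain.lower()
    exposed = {}
    for line in dump_text.splitlines():
        match = EMAIL_RE.search(line)
        if not match or not in_scope(match.group(2), domain):
            continue
        secret = line[match.end():].lstrip(":;| \t")
        if not secret:
            continue  # address with no credential attached
        account = match.group(0).lower()
        # Keep a short hash, not the plaintext, so the report itself is not a leak.
        fingerprint = hashlib.sha256(secret.encode()).hexdigest()[:12]
        exposed.setdefault(account, set()).add(fingerprint)
    return exposed


if __name__ == "__main__":
    for account, prints in sorted(find_exposed_accounts(SAMPLE_DUMP, "example.com").items()):
        print(f"reset {account}: {len(prints)} distinct leaked secret(s)")
```

The suffix check with a leading dot is what keeps `notexample.com` and `example.com.evil.test` out of the results; a plain substring match would flag both.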