Look past the ominous name and the urban legends. The dark web is, ultimately, just a particular section of the internet—albeit one that is intentionally obscure.
At a high level, we can say that the internet has three layers.
- The open web, which includes all the public-facing sites you can find on a search engine.
- The deep web, which includes the things that search engines don’t index. The deep web is much larger than the open web, and most of it is harmless. Your online bank account? Paywalled content? That’s the deep web.
- The dark web is a subsection of the deep web, which requires special browsing software, such as the Tor browser, to access.
What does the dark web look like? It’s not all that different from the open web. People congregate in forums. They sell things on marketplaces. The big difference is that the things they discuss and sell require a certain amount of anonymity.
Not everything that happens on the dark web is malevolent. Journalists, for example, can use it to source and share confidential information.
But, yes, many dark web denizens are cybercriminals. Their forums are dedicated not to TV shows and niche hobbies, but to trading exploits and recruiting new gang members. Instead of selling clothes and video games, they sell malware, credit card numbers and stolen credentials. Lots of stolen credentials.
According to the X-Force Threat Intelligence Index, valid account hijacking is one of the most common initial data breach vectors, accounting for 30% of cyberattacks.
In the fourth quarter of 2024 alone, X-Force saw 1.2 million sets of credentials for sale on the dark web, often for as little as USD 14 per record. Other hackers buy these credentials and use them to commit identity theft or break into enterprise networks.
Some cybercriminals offer what we call “malware as a service,” which applies the classic software as a service (SaaS) model to ransomware and other malicious software. These threat actors sell proprietary malware to affiliates, who use the malware to launch attacks and share a portion of their ill-gotten proceeds with the creators.
And then there are the access brokers, who gain footholds into target systems and sell entry to other cybercriminals to do as they please.
Whether they’re selling data, access or malware, these cybercriminals usually organize themselves in gangs rather than going it alone. But keeping tabs on these gangs is hard. They tend to form, rise and fade rather quickly. For example, more than half of the most active ransomware gangs on the dark web in the first quarter of 2025 had been around for a year or less.
The balance of power is always shifting in the dark web. Law enforcement takes down gangs. Burned affiliates split off to form their own enterprises. Sometimes intergang competition leads to direct attacks. Such was the case in February of this year, when a rival gang leaked the code for the latest version of the infamous Lockbit group’s ransomware.
This fast pace of change and the intricate dynamics between gangs and marketplaces are just a couple of the reasons why it pays to work with dedicated threat intelligence analysts who can keep an eye on dark web dealings for your organization. In the chaos of it all, it’s all too easy to miss the red flags that might signal an active threat to your business.
Look past the ominous name and the urban legends. The dark web is, ultimately, just a particular section of the internet—albeit one that is intentionally obscure.
At a high level, we can say that the internet has three layers.
- The open web, which includes all the public-facing sites you can find on a search engine.
- The deep web, which includes the things that search engines don’t index. The deep web is much larger than the open web, and most of it is harmless. Your online bank account? Paywalled content? That’s the deep web.
- The dark web is a subsection of the deep web, which requires special browsing software, such as the Tor browser, to access.
What does the dark web look like? It’s not all that different from the open web. People congregate in forums. They sell things on marketplaces. The big difference is that the things they discuss and sell require a certain amount of anonymity.
Not everything that happens on the dark web is malevolent. Journalists, for example, can use it to source and share confidential information.
But, yes, many dark web denizens are cybercriminals. Their forums are dedicated not to TV shows and niche hobbies, but to trading exploits and recruiting new gang members. Instead of selling clothes and video games, they sell malware, credit card numbers and stolen credentials. Lots of stolen credentials.
According to the X-Force Threat Intelligence Index, valid account hijacking is one of the most common initial data breach vectors, accounting for 30% of cyberattacks.
In the fourth quarter of 2024 alone, X-Force saw 1.2 million sets of credentials for sale on the dark web, often for as little as USD 14 per record. Other hackers buy these credentials and use them to commit identity theft or break into enterprise networks.
Some cybercriminals offer what we call “malware as a service,” which applies the classic software as a service (SaaS) model to ransomware and other malicious software. These threat actors sell proprietary malware to affiliates, who use the malware to launch attacks and share a portion of their ill-gotten proceeds with the creators.
And then there are the access brokers, who gain footholds into target systems and sell entry to other cybercriminals to do as they please.
Whether they’re selling data, access or malware, these cybercriminals usually organize themselves in gangs rather than going it alone. But keeping tabs on these gangs is hard. They tend to form, rise and fade rather quickly. For example, more than half of the most active ransomware gangs on the dark web in the first quarter of 2025 had been around for a year or less.
The balance of power is always shifting in the dark web. Law enforcement takes down gangs. Burned affiliates split off to form their own enterprises. Sometimes intergang competition leads to direct attacks. Such was the case in February of this year, when a rival gang leaked the code for the latest version of the infamous Lockbit group’s ransomware.
This fast pace of change and the intricate dynamics between gangs and marketplaces are just a couple of the reasons why it pays to work with dedicated threat intelligence analysts who can keep an eye on dark web dealings for your organization. In the chaos of it all, it’s all too easy to miss the red flags that might signal an active threat to your business.
Click Here For The Original Source.
