A study led by scientists from IMDEA Networks and the Carlos III University of Madrid (UC3M) has conducted a large-scale examination of the volatility, content, and actual infrastructure of the hidden pages of the so-called Dark Web. This work has been one of the distinguished in the Research Awards of the Spanish Police Foundation 2025-2026.
Accessing the Dark Web requires specific software and configurations or authorization, as is the case with Tor. Traditionally, this network is shrouded in myths, mysteries, and scrutiny by authorities and the public. However, what really exists behind the hidden .onion domains? Thanks to the research by the Department of Computer Science at UC3M and IMDEA Networks, progress has been made in understanding this digital corner.
The study, published in the IEEE Transactions on Information Forensics and Security journal, is titled Snorkeling in Dark Waters: A Longitudinal Surface Exploration of Unique Tor Hidden Services.
Monitoring
The work represents one of the largest x-rays conducted on the real behavior of this network. Through continuous and systematic analysis over several months, computer engineers Alfonso Rodríguez Barredo-Valenzuela, Sergio Pastrana, and Guillermo Suárez-Tangil managed to monitor and classify thousands of hidden web pages automatically, debunking some of the most widespread legends about their size and persistence.
Contrary to the usual narrative that describes the Dark Web as an infinite and uncontrollable ocean of criminal activities, the results show that the real ecosystem is overcrowded with replicas of .onion sites and is extremely unstable. The researchers point out that a large part of the hidden services created on Tor disappear shortly after being born.
To achieve this mapping, the team developed a monitoring infrastructure they named Mimir, in reference to the guardian of the well of wisdom in Norse mythology. Thanks to this tool, they analyzed the textual content and images of the sites, but also key variables such as their security certificates, server technologies used, and the match of infrastructures in the traditional internet universe.
Crime, but also freedom of expression
The detailed taxonomy on the uses of Tor constitutes one of the main values of the study. This network emerged with the purpose of ensuring the anonymity of activists, journalists, and citizens under oppressive regimes, but the research has detected a complex duality. On one hand, it reveals a significant volume of portals dedicated to black markets (selling drugs, weapons, and leaked data), financial fraud, and cybercrime forums. But on the other hand, the study also shows the presence of replicas of legitimate media outlets, secure communication platforms, and privacy tools that justify the importance of preserving this network protocol against global censorship attempts.
This work assists police forces: the researchers have reported all illegal content on child sexual pages to the National Police in Spain (several of which were unknown) and have met with them to maintain collaboration. Additionally, in a subsequent work using this tool, common patterns in the configuration of Dark Web servers were identified, uncovering how many hidden services make “mistakes” that expose their true IP addresses or physical commercial servers. This opens new avenues to more efficiently combat organized cybercrime globally.
