Is the Deep Net Dream market reliable

Dark Web Monitoring: The Many Faces of the Underworld

Dark Web Monitoring - At a glance

In the fight against cyber criminals, access to sources in the deep and dark web can be a powerful weapon for companies - provided they know how to use them in a targeted manner. Above all, strategies that pursue clear goals are successful: These include detecting fraud, monitoring threats and tracking down leaked access data.

But how can these sources be viewed and monitored at all? In fact, there are only a few monitoring tools that provide broad and comprehensive coverage. Basically, the deep and dark web is full of potential sources of information such as marketplaces and criminal forums, messaging services and paste sites. However, there are only a few providers who keep an eye on all of these sources. And even fewer offer more than mere “scraping”, that is, a superficial examination of the website.

Unfortunately, the dark web is still surrounded by a cloud of fear, uncertainty, and insecurity. Everyone knows the comparison with an iceberg, in which the deep and dark web lurks threateningly and hidden under the surface of the water. In truth, the dark web only makes up a comparatively small part of the cybercriminal world. If you want to get a realistic picture of the threat landscape, you have to include other data sources.

What is the Dark Web?

The Dark Web is an area of ​​the Internet that is only accessible with special browser software such as Tor or I2P. Anonymity is the most important property of this network: the identity and location of a user are protected by means of encryption technology. In addition, data is redirected through various servers around the world - making it extremely difficult to trace individuals.

Its anonymity makes the dark web an attractive place for criminal business. The doors remain firmly closed for normal web visitors. It doesn't just take experience and know-how to gain access. Smart technologies are also necessary to monitor the sources and to check them for misuse and data protection violations.

Anyway, let's get some dark web-related errors out of the way first.

Misconception # 1: The dark web is synonymous with the criminal internet. Yes, the dark web is used by criminals - but not only. Even very legitimate companies such as the New York Times or Facebook offer Tor-based services and publish their content there. Not everything that can be found on the dark web must therefore automatically be criminal.

Misconception # 2: Dark Web and Deep Web are one and the same. The deep web can be defined as the area of ​​the Internet that is not indexed by traditional search engines. It is therefore not surprising that criminals are also active in the deep web. Fraud and cyber crime can also be found in the open network (open or clear web). Or to put it simply: Cybercrime cannot be reduced to part of the Internet.

The deep web is usually completely unknown to most internet users. This does not mean that highly exciting information is necessarily hidden there. In fact, mostly completely banal data is stored there, such as e-mail or Facebook accounts, the contents of which cannot be viewed without registration. Certainly there is more valuable information to be found on some deep and dark web websites. To do this, however, you have to know exactly where. Otherwise, research in the dark and deep web quickly turns into a search for a needle in a haystack.

Gain insight into criminal and fraudulent activities in the dark and deep web that can harm your company and your brand

Read more here

The battle for marketplaces in the dark web

In July 2017, US and Dutch authorities began Operation Bayonet. As part of the campaign, two of the most famous transshipment points on the dark web, AlphaBay and Hansa, were confiscated and the websites were deactivated. US Attorney General Jeff Sessions stated:

“(Operation Bayonet) is one of the top criminal investigations of the year. (...) It made American citizens safer - safer from identity theft and fraud, from malware and from deadly drugs

Before they were dissolved, Alpha Bay and Hansa were among the most important dark web marketplaces in the English-speaking world. Hundreds of thousands of sellers and buyers traded illegal goods there and turned over over a billion US dollars.

But Operation Bayonet was just the beginning. On May 7, 2019, two more marketplaces, Wall Street Marketplace and Valhalla Marketplace (Silkkitie), were closed in an international operation. At the same time, law enforcement agencies managed to deactivate DeepDotWeb. The popular info page did not offer any contraband for sale itself, but it did provide a useful overview of the criminal websites in connection with affiliate links. The actions show that law enforcement agencies all over the world are targeting the illegal trading networks behind the marketplaces and are not letting secondary actors and money launderers escape.

While researching the report Seize and Desist: The State of Cybercrime in the Post-AlphaBay and Hansa Age, the Digital Shadows team examined the end of the marketplaces and its consequences for the dark web. The result: the cybercrime business - especially in Russian-speaking countries - was hardly disrupted. However, the actions triggered a crisis of confidence within the criminal cyber world.

After the end of AlphaBay, Hansa and Silk Road there are still marketplaces like Tochka and Empire. However, they could not achieve a similar level of awareness. The new marketplaces are still showing little growth or are deliberately keeping a low profile for fear of criminal actions and takedown procedures. As in the legal world, newbies depend on a good reputation and long-term funding to secure user trust and expand their customer base.

A good example of this was Marketplace. The site was run by a former administrator of the renowned Exploit [.] In hacking forum, who coincidentally also ran the emerging XSS forum (formerly Damagelab). 100% focused on cybercrime, MarketMS was almost unrivaled. But despite the initial success, marketMS did not succeed in remaining profitable in the long term and establishing the site as a viable marketplace.

Cyber ​​criminals never just rely on one website, they operate on different platforms and marketplaces. In this way you can be sure that your name is known to all potential buyers. The escrow service provided on marketplaces is an important argument for both buyers and sellers in the unsafe world of cybercrime. Parallel to the new marketplaces in the dark web, messaging services such as Telegram and Jabber are also increasingly being used to negotiate deals and check the credibility of offers.

No end in sight: innovative cybercrime

Despite all the efforts of the law enforcement authorities, the extent of cybercrime is growing steadily - and in ever new variations. Automated Vending Carts (AVCs), for example, refer to websites that deal with large amounts of credit card data and login data and require little interaction between seller and dealer. Its activities have remained largely unaffected, apart from the closure of XDedic in January 2019. Joker’s Stash, a prominent AVC for stolen credit cards, continues to operate while experimenting with new technologies like blockchain DNS.

The AVC site Enigma-Markt gained popularity just as quickly and even doubled its offers between February and July 2019. Its founder operates under the name Stackz420 and pursues aggressive marketing on criminal forums and marketplaces. The success proves him right: The initial portfolio of 11,000 hacked login data quickly grew to 20,000.

Read more on this topic: Heir to the AlphaBay and Hansa throne?

How Cybercriminals are using Blockchain DNS

A Growing Enigma: New AVC on the Block

Criminal Trust: Mutual Control

Cybercriminals are not only troubled by criminal prosecution by the authorities. There are black sheep and fraudsters in their own ranks as well.

A good example of this was the successful Olympus Marketplace. When AlphaBay and Hansa disappeared from the scene, Olympus established itself as a serious, English-speaking trading center. Many expected him to fill the void. But the opposite was the case: the marketplace ceased operations because the administrators were reportedly planning an exit fraud - and in the process embezzled funds from their users. Olympus shows that the place as the # 1 marketplace has its price and is associated with a lot of effort, costs and increasing risk, which not all operators are equal to.

Dream Market, once the largest competitor of AlphaBay and Hansa, also ceased operations after several DDoS attacks. The attackers were able to gain access to user accounts by repeatedly assigning passwords. It is widely believed that this was a police operation. The authorities did not succeed in completely taking over the site. However, the action led to the administrators finally giving up the marketplace.

With the disappearance of reliable marketplaces, the number of cases of fraud in one's own criminal ranks has risen. Specially developed phishing kits make it possible to steal from users on dark web marketplaces and to resell the goods yourself. Tried and tested fraudulent schemes such as the manipulation of web links (typosquatting) are also used. Since Tor links are usually longer and more complex than clear web links, it is all the easier to replace “m” with “rn” or to forge complex strings in order to deceive other fraudsters.

Scammers who deceive other cyber criminals are referred to as "rippers" in the cyber world. In the Russian-speaking community in particular, groups and services have established themselves that want to protect their websites from these rippers. The website Ripper [.] Cc, for example, offers a comprehensive database of known rippers - including their scams. That scammers take action against scammers may seem bizarre. But the world of cyber crime is also based on an ecosystem of services and partners that must be protected if it is to generate profit.

Read more on this topic:

Cybercriminal Marketplaces: Olympus Has Fallen

Dark Web Typosquatting: Scammers v. goal

Reducing the Risk of Ripper Fraud

An extensive ecosystem: criminal services & support

The service page of Ripper [.] Cc illustrates the extensive ecosystem of services and support that has grown in the deep and dark web. The fact is, cyber criminals cannot work completely in isolation from one another. Rather, they are supported by a diverse and mature network that provides money laundering, malware and the necessary infrastructure.

Outsourcing money laundering enables cyber criminals to generate and process financial profits. There are services relating to digital currencies, illegal money exchangers, transfer specialists and so-called "money mules". AlphaBay had integrated the online money laundering service Mixer into its marketplace. Today, cyber criminals and fraudsters can increasingly turn to outside services to launder their money.

In addition to money laundering, access to the latest malware is extremely important for cyber criminals. Services offered include the development and deployment of malware as well as cryptography services and exploit kits. While exploit kits have lost popularity after their preliminary peak in 2016, they are still widely used to deliver malware. For example, the distribution of Nemty ransomware via the RIG exploit kit.

And finally, cyber criminals are also dependent on an infrastructure that reliably protects their "operations". This includes attack-proof hosting, counter anti-virus services and tools to ensure anonymity. Such services are very popular as they reduce the risk of website confiscation and criminal penalties.

Secure, invulnerable hosting (bulletproof hosting) is actually more important than a Tor browser for online trading in illegal goods. This provides people or groups with a protected internet structure that creates largely free space for illegal activities. As a rule, such an infrastructure is hosted on servers in countries where criminal prosecution of cybercrime is difficult and access via western law enforcement agencies is only possible to a limited extent. This allows users to easily circumvent legal regulations on content and its distribution.

There are certainly voices that argue in favor of bulletproof hosting as a kind of civil right in the context of privacy, data protection, freedom of expression and freedom of the press. In reality, their existence is critical to the functioning of cybercrime as they provide protection from law enforcement. There are two sides to consider here: the providers of such hosting services and the customers who operate illegal websites with their help.

Many bulletproof hosting providers operate their servers in China, Russia and the former Soviet states. The world's largest provider operates under the pseudonym “Yalishanda” (Mandarin: Alexander). His real identity and whereabouts are known to security authorities. Since he is protected by his residence in Russia, he has so far been able to avoid arrest.

The hosting services are bought or rented by users all over the world. The intention behind this is usually clear: You want to protect your criminal services and offers relating to phishing, malware and access data. Magecart, a group of criminals in the financial sector, use servers in the Ukraine, for example, in order to be able to trade access data unmolested.

Even if the prosecution turns out to be difficult, the authorities do not stand idly by the goings-on. In a hitherto unique case, US authorities, with government support from their home country Romania, were able to arrest and arrest the bulletproof hosting provider for the Gozi banking malware.

Actions that lead to the takedown of dangerous services such as counter antivirus or bulletproof hosting are therefore more than just an interesting headline. Rather, the authorities act tactically and target central nerve points that hit the criminal ecosystem as a whole.

The criminal ecosystem is continually developing strategies and tactics to evade law enforcement. And cyber criminals are always finding new and innovative ways to turn their specialist knowledge into money. Experienced fraudsters and traders of login data are now even offering cybercrime courses in which they teach various techniques to an interested audience. These range from credit card fraud, tampering with ATMs and money laundering to social engineering, botnets and exploiting security holes.

The introductory event is usually free and is advertised via peer-to-peer networks such as Telegram or Jabber - together with other (course) relevant dark web marketplaces and AVC sites. Beginners can book the seminar for 75,000 rubles (approx. 1,080 euros) and thus get access to further e-learning courses, including training and information material as well as contact with “tutors”. Payment is made in bitcoins. For organizations and companies, the training opportunities on the dark web are extremely dangerous, as amateurs now also receive the training they need to start a successful criminal career.

How you can use dark web monitoring

Monitoring the dark web effectively is not easy. It requires extensive knowledge of the threat landscape, access to closed forums and marketplaces, and the right technology for monitoring.

The coverage of all sources in the dark web alone is complex. In addition to relevant Tor and I2P pages, Telegram channels and chats, criminal forums and paste pages must also be examined - pages that can also be found outside of the dark web.

Different technologies offer an insight into the dark web. OnionScan, for example, supports security experts and government investigators in identifying and tracking pages on the dark web.Digital Shadows provides free 7-day access to its monitoring solution, which users can use to navigate the dark web using a search engine.

However, visibility alone is not enough.

It is equally important to eliminate irrelevant sources and to filter out results that do not pose an imminent threat to your company or the industry. Which sources are actually to be monitored depends on the company's internal "threat model". Once defined, it means to proactively search for company assets, mentions, unprotected access data or fake websites - either in tedious manual work or via an automated solution.

Anyone who wants to gain access to an exclusive, criminal forum is dependent on special know-how. For example, to understand the nuances of the different languages, to access certain locations or to search for company-specific data. Some websites even specifically ask for supposed expertise in the field of IP or whitelisting / blacklisting before they allow visitors. Infiltrating closed groups and platforms costs a lot of time, expertise and money. If there is a lack of effectiveness here, the advantage of dark web monitoring for the company is also missing.

In our experience, it pays off as a company to set three main focuses for dark web monitoring:

  1. Detect and track threats
  2. Identify unprotected login data
  3. Discover attempted fraud

With the focus on these three points, the monitoring of the dark web becomes more efficient and relevant for companies.

Dark web monitoring for companies

The comprehensive coverage of sources in the open, deep and dark web is of little use if companies threaten to drown in the flood of irrelevant and banal search results. Dark web monitoring can be extremely valuable for a company - as long as it is clear where and what is being searched for. Digital Shadows has defined three areas of focus: identifying threats, finding login data and discovering fraud campaigns.

Detect threats

Who is targeting my company, your own brand, the CEO or the board of directors? An effective investigation of the sources for this question enables an initial overview of the tools used, the tactics, techniques, processes (TTPs) as well as the attackers and their motives. The information gained can in turn be used for the company's security strategy.

Understanding your attackers is vital. In order to be able to assess how seriously actors have to be taken, additional information is required. What and who is behind the forum on which the provider is active? How is its reputation on the dark web? How does he do business and what is his focus? And what is his preferred tactic? Continuously collecting and tracking such data helps to put threat actors in context. If this succeeds, attacks can be better predicted and defense strategies can be planned at an early stage.

The same applies to so-called “insiders” who trade sensitive and valuable data on forums and marketplaces. This type of threat cannot be resolved quickly and easily; it is a real challenge for security teams.

A “threat” can also refer to a tool or malware. Observing trends and current incidents can represent a real knowledge advantage here - regardless of whether it is malware for a recently discovered vulnerability or a new variant of ransomware (see screenshot below).

The knowledge of actors and the criminal landscape of the dark web gives the tracking and monitoring of threats new clout: Companies can proactively uncover who is targeting their brand or their employees.

Read more about insider threats here:

Login data

Dark web monitoring also reduces the risk of leaked or stolen data, v. a. sensitive access data. Many users still use the same passwords to log on to different platforms. Credential stuffing makes use of this recurring login data and gives cybercriminals access to websites and sensitive data. Once leaked or stolen login data are sold on the dark web at a package price. The combination of user name and password is then used for automated attacks on accounts (e.g. by resetting the password). The monitoring tool from Digital Shadows, SearchLight, has tracked down more than 14 billion such unprotected login data and was able to significantly reduce the attack surface for companies as well as their partners and customers.

According to the observations of the Digital Shadows team, however, not only access data is for sale. The Genesis Store marketplace, for example, sells bots that can bypass access controls with biometric fingerprints. In addition to fingerprints, buyers also receive cookies, protocol logs, saved passwords and other personal information in order to imitate users and circumvent security precautions. The offer seems to be well received. With the start of the Richlogs service, the Genesis Market even got competition.

Read more about the Genesis botnet here:


Buying login credentials is mostly for one purpose: fraud. This can be the trade in credit card details, counterfeit branded goods or use in phishing campaigns. A collection of login data, such as can be found in the Genesis Store, allows criminals to test out new and effective ways to impersonate online users and handle fraudulent schemes.

Actors use phishing and other fraud techniques to trick their victims into disclosing their sensitive information. Phishing kits look deceptively similar to the original websites and can block certain IP addresses of well-known security companies - so that security warnings do not even arrive. Identifying fraudulent websites, products or activities at an early stage can therefore contribute significantly to better security practices.

One example is fraud with gift cards or vouchers. In 2019, Digital Shadows identified thousands of gift cards traded on criminal forums, dark web marketplaces and websites, IRC and Telegram in just six months.

A scam can also change and adapt over time. The well-known Telegram marketplace “OL1MP”, for example, uses a bot to automate the search for specific information - holiday offers, hotels, taxis, driver's licenses and documents. OL1MP uses the privacy and encryption of the Telegram chat, but is an automated marketplace where buyers can chat with a reputable dealer without any risk of fraud.

OL1MP is just one example of the many criminal chat platforms used to smuggle goods. Encrypted chat services, such as Telegram and Discord, host numerous chat channels that promote illegal practices. After AlphaBay and Hansa ended, Digital Shadows discovered around 5,000 mentions and advertisements referring to Telegram sites. The dark web has long since adapted to the new market conditions and, despite all efforts on the part of the authorities, remains a threat to legitimate companies and people. Conversely, this means for companies that they too have to keep an eye on the market in order to protect themselves.

How does Digital Shadows monitor the dark web?

SearchLight continuously monitors and indexes hundreds of millions of pages on the dark web, Telegram, IRC and I2P, as well as paste pages and criminal forums. The monitoring tool is programmed to look for specific risks for your organization.

Dark web pages
Our proprietary Spider software searches Tor and I2P pages and identifies new content and sources of relevant information.

Tracking of around 50 million indexed Tor and I2P pages

IRC and Telegram
Our technology monitors services used by groups and individuals to chat about planned campaigns, scams, and the latest tactics and techniques.

Monitor more than 30 million conversations

Digital Shadows focuses on automated, customer-specific collection in exclusive forums and can identify a variety of activities there, from exploit kits to the sale of leaked data. Many of these forums are hosted on Tor or I2P, others can also be found on the open and deep web. Our special team for forums that are difficult to access develop personas and join the forums covertly for further research.

Access to more than 23 million indexed forums

Paste pages
Another source of information that is not limited to the dark web is paste pages. There are different types that exist both in the open and in the dark web. Malicious actors use these websites to exchange disclosed data and create lists of targets for attack.

Around 60 million indexed paste pages at a glance

Dark web marketplaces
Since the end of AlphaBay and Hansa, the number of marketplaces in the dark web has increased significantly. The tireless criminal prosecution by the authorities makes similarly long-lasting and successful marketplaces unlikely. New providers such as MarketMS are in the starting blocks and receive support from respected personalities from the Russian scene.

Observe around 1 million indexed marketplace entries

Digital Shadows' industry-leading technology (according to Forrester) is complemented by a dedicated team of security experts and white hats. You gain access to criminal forums, interact with criminals using specially developed personas and report on the latest cybercriminal trends in Threat Intelligence.

With the integrated ShadowSearch search function, companies can also search the indexed data themselves and track threat actors, campaigns and cases of fraud.

Curious? Take a tour of the dark web now with the free Test Drive version.

Dark Web Monitoring: Effective and Relevant

The task of monitoring the dark web can be daunting for businesses at first. Finding internal data on criminal sites and having to take action against it is tricky. But it doesn't have to be.

Dark web monitoring is successful when the monitoring is continuously expanded to new sources. The technology does the hard work by collecting the data and concentrates on previously defined focal points. At the same time, security experts act as undercover agents in criminal forums and establish contact with providers and hackers. This combined approach allows a deep look into the darkest corners of the dark web. This enables companies to quickly and safely track down insider trading, fraud, fake and phishing websites and leaked company data.

The conscientious observation of digital risks in the dark web can have a positive effect on the business. With an eye on current threats, compliance problems, financial losses and reputational damage can be better cushioned or even prevented. Digital Shadows works with companies to jointly develop an effective security strategy and protect against data exploitation in the open, deep and dark. This means that companies are ahead of the game in the cat-and-mouse game of the cybercriminal world.

Download the overview of Dark Web Monitoring from Digital Shadows.

More about dark web monitoring