Latest Threat Research: Technical Analysis: Killer Ultra Malware Targeting EDR Products in Ransomware Attacks

Get Informed


What is the Darknet?

Author: Jarrod Suffecool

We all hear about the “Darknet” and the “Deepweb” all the time when referring to the places where threat actors are hanging out online, but what do these terms really mean? While they are very similar, some differences exist. The Deepweb refers to websites which are not indexed by services like Google and are difficult to navigate to without already knowing of the website’s existence. The Darknet often refers to websites on the “Tor” network, these sites utilize “.onion” URLs and require your browser to be specially configured to access them or the use of the Tor browser. Darknet can also refer to the less commonly-used I2P network which uses what are called “eepsites.” The common unifying factor between the Darknet and the Deepweb is that hackers and criminals enjoy the anonymity they receive on these websites. For simplicity we will be using the term “Darknet” to describe both for the remainder of this blog.

Tor and I2P networks and their uses—not all are bad

Both Tor and I2P seek to allow users to communicate in a protected way to maintain their anonymity online. The Tor browser utilizes relays (internal and external) to hide a user’s traffic as they navigate to services on the Tor network. I2P, on the other hand, exists as a network within the internet. While both provide reliable and valuable anonymity service to their users Tor is the more predominantly used of the two.

On the surface it may seem to many that these services are meant for criminal intent and that there is no reason for non-criminals to utilize these systems. The truth is that the Darknet provides valuable anonymity to a number of legitimate users on a regular basis. Journalists, whistleblowers, human rights activists in dangerous locations, and security professionals regularly use the Darknet. The anonymity provided by the Tor network allows users who are in fear of monitoring by oppressive governments in different areas of the world to protect their online activity. Secure messaging services allow journalists to communicate with sources and whistleblowers in a way that protects their source’s identity.

A few examples of some popular Darknet sites and their uses are shown below.

Secure Drop is a secure messaging and file sharing page utilized by journalists and criminals alike
Distributed Denial of Secrets is a popular site which is similar to Wiki Leaks. It shares information from both whistleblowers and stolen data from criminals.
SecMail is a Darknet email service which provides an encrypted email service to its users and allows for a more anonymous email solution.

Restricted access to Darknet sites based on skills, activity, paid subscribers

While a number of Darknet sites can only be found by users who know of their existence, many sites have further layers of security involved as well. Many of these sites require registration and a certain level of activity before users can access the entirety of the site. Other sites restrict the use of their full site to those who have purchased access. And, a small subset of sites on the Darknet require users to either prove their abilities in programming and hacking or to receive an invite code from trusted users prior to being able to register with the site.

Once a person finds their way onto the Darknet, they can access a variety of websites full of information, including forums focused on hacking, security, programming, stolen data, and geopolitical issues, to name a few. These forums are frequented by criminals, security professionals, journalists, and those who wish to learn about hacking. While a number of forums specialize in a specific topic, many forums offer users the ability to discuss a wide range of topics with each other. Often times the sale of access to various organizations’ servers are done through forums rather than marketplaces as it offers buyers and sellers a better chance to communicate prior to the sale taking place. See below for a few examples.

Raid Forums is commonly used by criminals to share and sell stolen data as well as selling access to servers which have already been compromised by hackers.
Criminals will regularly utilize forums sites like Torum to sell access to servers and systems which they have compromised. Shortly after writing this blog post the operator behind Torum took it offline.

Darknet marketplaces

Marketplaces give users the ability to purchase stolen information or various tools and services. The amount and type of information available on Darknet marketplaces is seemingly endless— stolen credit cards, website logins, personal information, malware, hacking tools, encryption services, hacking services, unregistered guns, drugs, or even hitman services (though many of the openly posted ones are scams). Even old data has its value on these sites as many will purchase old credentials in the hopes of exploiting a user’s poor password hygiene to use the stolen credential to log into multiple websites. A few examples of marketplaces on the Darknet are shown below.

Empire Market offers its users drugs, stolen credentials, toll kits, training guides, and various other physical and digital goods.
MagBo allows users to buy and sell compromised websites, scans of identification documents, stolen credit cards, and various other documents.

A number of legitimate websites can be accessed through the Darknet as well. Both Facebook and the New York Times have Darknet webpages in addition to their publicly available websites. Having a presence on the Tor network allows users in other countries who might not be able to access these sites in their home country to make their way to these legitimate websites.

The New York Times “.onion” site allows users from around the world, including those in nations that censor the internet to access the information they publish.

Community mentality found on Darknet forums

Many of the sites on the Darknet help criminals to expand their abilities, make money from the sale of their services and data that they have stolen and coordinate with other criminals to expand the scope of their activities. These sites have a very strong sense of community among the users who offer each other advice on how to improve what they are doing as well as working together to try and weed out security and law enforcement members. This community mentality makes it difficult for many to maintain access on these sites without special knowledge and skills to blend in effectively with the criminal elements on these sites.

The Darknet poses a risk to a wide range of individuals as many hackers do not discriminate against whose personal information they sell on the Darknet. Many users who have their online accounts compromised by hackers have previously had their account details sold or leaked online as the result of a data breach, such as those that were suffered by sites like LinkedIn, or they were the previous victims of widespread phishing campaigns against users of specific websites.

Often times these data leaks make valuable tools for other criminals to not only compromise personal accounts for the listed individuals but also to target members of businesses in spear phishing campaigns. Anytime that someone uses their corporate email address to register on a website and that website is compromised, information is gained by attackers on people who work at various companies. These users whose work emails are leaked in data breaches are now at an increased risk for phishing attacks. Websites like LinkedIn make it a simple task for criminals to be able to look up information on an individual and tailor phishing emails to ensure that a user is more likely to open it.

While hackers do pose a significant risk to organizations there are also many instances where individuals within an organization will offer to help criminals gain access, especially immediately following termination of employment. Other times people and organizations become compromised by disgruntled former employees or by people who feel personally wronged by an individual at that organization–their former boss, for example. These disgruntled individuals sometimes begin to either publicly post personal information about the person they are targeting, called doxing, or offer to sell information about this individual to criminals in the hopes that they will be targeted by criminals.

How to keep your information off the Darknet

An important way to stay protected against some of the most common risks posed by information on the Darknet is to utilize a monitoring service, and to create unique and complex passwords for every account. Password managers, such as LastPass, make it simple for users to create complex and unique passwords for every site that they use without the need to memorize each password. A wide variety of monitoring services are available for personal use. These services notify an individual if their name, social security number, email, or passwords have been leaked online. Businesses can hire a cybersecurity company to monitor for information about their organization being posted on the Darknet for criminal use. Some organizations offer solutions at both levels, such as Binary Defense’ Counterintelligence Service and Executive Monitoring.