The “dark web” is the part of the internet reachable only through anonymity networks, overwhelmingly Tor (and to a lesser extent I2P). It is not indexed by search engines and cannot be reached with an ordinary browser configuration. The topic carries both genuine security relevance and considerable media exaggeration, so understanding what the dark web actually is, and what it isn’t, matters for cybersecurity professionals, privacy advocates, and anyone trying to assess their digital risk exposure.
Surface Web, Deep Web, and Dark Web
These three terms are frequently confused:
- Surface web: everything indexed by search engines (Google, Bing): public websites, news, social media. Popular estimates put this at roughly 4–5% of total web content, though such figures are rough and hard to verify.
- Deep web: everything not indexed by search engines: your email inbox, bank account, internal corporate portals, paywalled content. By the same estimates this is ~96% of the web. The deep web is not dangerous; it is simply private or login-protected content.
- Dark web: a small subset of the deep web reachable only through anonymizing overlay networks, primarily Tor. It hosts both legitimate privacy uses and significant criminal activity.
How Tor Hidden Services Work
Tor routes each connection through a circuit of three volunteer-operated relays (guard, middle, exit). The client wraps its traffic in three layers of encryption, one per relay, and each relay strips exactly one layer, so a relay learns only the previous and the next hop. The destination sees the exit relay’s IP, not the originating IP, and the exit sees the destination but not the client.
Onion services (.onion addresses, historically called hidden services) go further: both the user and the service build their own Tor circuits and meet at a “rendezvous point” chosen by the client, so neither side learns the other’s IP address and the service never needs a publicly routable address at all. This makes onion services difficult to take down and difficult to attribute to their operators.
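The layered encryption described above, as an added illustration that is not from the original article or the Tor Project's code: a client wraps a message once per relay, and each relay peels exactly one layer, learning only where to forward the remainder. The per-hop keys and the SHA-256-counter-mode stream cipher are constructed for the demo (real Tor negotiates a key per relay with the ntor handshake and uses AES-CTR with a running digest), and the relay names and destination are placeholders.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Constructed per-hop keys for the demo. In real Tor the client negotiates a
# separate key with each relay (ntor handshake) while extending the circuit.
RELAY_KEYS = {
    "guard":  bytes.fromhex("11" * 32),
    "middle": bytes.fromhex("22" * 32),
    "exit":   bytes.fromhex("33" * 32),
}
HOP_FIELD = 16   # fixed-width next-hop label inside each layer


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Demonstration only;
    Tor's relay crypto is AES-CTR plus a running digest."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || tag || ciphertext."""
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    return nonce + tag + body


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify and strip one layer; a wrong key fails the MAC and reveals nothing."""
    nonce, tag, body = blob[:12], blob[12:28], blob[28:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def _label(name: str) -> bytes:
    encoded = name.encode()
    if len(encoded) > HOP_FIELD:
        raise ValueError("hop label too long")
    return encoded.ljust(HOP_FIELD, b"\0")


def build_onion(path: List[str], destination: str, payload: bytes) -> bytes:
    """Client side: wrap from the exit inward. Each layer holds the label of
    the next hop (the destination, for the exit layer) and the inner blob."""
    blob = _seal(RELAY_KEYS[path[-1]], _label(destination) + payload)
    for i in range(len(path) - 2, -1, -1):
        blob = _seal(RELAY_KEYS[path[i]], _label(path[i + 1]) + blob)
    return blob


def relay_peel(relay: str, blob: bytes) -> Tuple[str, bytes]:
    """Relay side: strip exactly one layer. The relay learns where to forward
    the remainder and nothing about the layers underneath."""
    inner = _open(RELAY_KEYS[relay], blob)
    return inner[:HOP_FIELD].rstrip(b"\0").decode(), inner[HOP_FIELD:]


def can_peel(relay: str, blob: bytes) -> bool:
    """True only if this relay's key opens the outermost layer of blob."""
    try:
        relay_peel(relay, blob)
        return True
    except ValueError:
        return False


def run_circuit(path: List[str], destination: str, payload: bytes):
    """Simulate the hops; return each relay's view plus what the exit forwards.
    'previous' is what a relay learns from the incoming connection, not from the blob."""
    views, blob = [], build_onion(path, destination, payload)
    for i, relay in enumerate(path):
        next_hop, blob = relay_peel(relay, blob)
        views.append({"relay": relay,
                      "previous": path[i - 1] if i else "client",
                      "next": next_hop})
    return views, blob


if __name__ == "__main__":
    views, forwarded = run_circuit(["guard", "middle", "exit"], "example.org", b"GET / HTTP/1.1")
    for v in views:
        print(f"{v['relay']:6} sees previous={v['previous']:6} next={v['next']}")
    print("exit forwards:", forwarded)
```

The guard sees the client and the middle relay but not the destination; the exit sees the destination and the middle relay but not the client. One deliberate simplification: here each layer is 44 bytes larger than the one inside it, so a relay could infer its position from the blob size; real Tor sends fixed-size 512-byte cells so that every hop sees the same size.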
An .onion address looks like dread...xxxxx.onion: for current (version 3) services, a 56-character base32 string that encodes the service’s ed25519 public key together with a checksum and a version byte. The name is therefore self-authenticating: whoever holds the matching private key is the service, and no certificate authority or DNS registry is involved.
The Tor Browser is a modified Firefox configured to route all traffic through Tor. Download it from the official Tor Project site (torproject.org) — it’s legal in most countries and used by journalists, activists, privacy advocates, and law enforcement worldwide.
What’s Actually on the Dark Web
Legitimate Uses
- Journalism and whistleblowing: SecureDrop, the anonymous source-submission system used by major newspapers, runs as an onion service, and outlets such as The New York Times and the BBC operate .onion mirrors of their sites
- Privacy services: Proton Mail, Riseup, and other privacy-focused providers maintain .onion addresses so that users can reach them without their traffic ever leaving the Tor network through an exit relay
- Censorship circumvention: In countries that block news sites and social media, Tor and .onion mirrors provide access
- Security research: Researchers monitor dark web forums to identify emerging threats, leaked credentials, and sold exploits
- Law enforcement: Dark web forums are heavily monitored by FBI, Europol, and other agencies
Criminal Marketplaces
Dark web criminal marketplaces are a real and significant cybersecurity concern. They trade in:
Stolen credentials and data: Breached databases containing usernames, passwords, credit card numbers, and SSNs are sold in bulk. A database of 1 million email/password combinations might sell for $200–500. Have I Been Pwned aggregates data from such breaches and notifies subscribed users and domain owners when their addresses appear.
Ransomware-as-a-Service: RaaS operations like LockBit (disrupted by the NCA-led Operation Cronos in February 2024, though the group resumed operating afterwards), BlackCat/ALPHV (which folded in early 2024), and others run as businesses with affiliate programs. The core group maintains the malware and leak site and recruits affiliates who break into victims and deploy it, splitting ransoms 70/30 or 80/20 in the affiliate’s favour.
Exploit markets: Exploits (including claimed zero-days), malware source code, and automated attack tools are sold. A working ransomware kit might sell for $200–1,000; a RaaS affiliate kit may cost $200–500 upfront.
Initial Access Brokers: Attackers who compromise corporate networks sell that access on to others. A foothold in a Fortune 500 company sells for $500–50,000 depending on the access level, from a single set of VPN or RDP credentials up to domain administrator rights.
Drugs, fraud, and other illegal goods: These markets make up a significant portion of dark web volume but are outside the primary security focus.
Dark Web Intelligence in Cybersecurity
Monitoring the dark web is a legitimate and valuable security practice. Security teams and threat intelligence platforms:
- Monitor for credential dumps: Alert when their company’s domain appears in leaked credential databases
- Track ransomware groups: Follow leak sites where ransomware groups publish stolen data from victims who don’t pay
- Gather threat intelligence: Learn about emerging attack tools, TTPs (tactics, techniques, procedures), and targeted sectors
- Identify initial access sales: Detect if their organization’s systems are being advertised for sale
Paid services like Recorded Future, Digital Shadows, and Intel 471 automate dark web monitoring for enterprises. Individuals can check whether their own addresses appear in known breaches at haveibeenpwned.com (free) or dehashed.com (subscription-based); organisations can register their domains with Have I Been Pwned to be notified of any address on them.
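The first item in the list above, alerting when your own domain appears in a credential dump, reduces to a small amount of parsing. The following is an added example, not from the original article or from any of the products it names; the monitored domain, the combolist lines and the e-mail addresses are constructed for the demo. It finds the lines that belong to monitored domains, deduplicates them, and reports each password only as the SHA-1 prefix/suffix pair that the Have I Been Pwned Pwned Passwords range API uses, so the plaintext never has to be stored or sent anywhere.

```python
import hashlib
import re
from typing import Optional, Tuple, List

# Assumed: the domains your organisation owns (subdomains match automatically).
MONITORED_DOMAINS = {"example.com"}

# Constructed sample in the shapes combolists actually circulate in: colon and
# semicolon separators, a stealer-log style url:email:pass line, junk, and a
# duplicate that differs only in letter case.
SAMPLE_DUMP = """\
alice@example.com:Summer2024!
bob@gmail.com;hunter2
https://vpn.corp.example.com/login:carol@corp.example.com:Welcome1
ALICE@EXAMPLE.COM:Summer2024!
not a credential line
dave@example.org:pass1234
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (email, password) or None. The e-mail may sit anywhere on the
    line (after a URL, for instance); the password is everything after the
    separator that follows it."""
    m = EMAIL_RE.search(line)
    if not m:
        return None
    rest = line[m.end():].rstrip("\r\n")
    if len(rest) < 2 or rest[0] not in ":;|\t":
        return None
    return m.group(0).lower(), rest[1:]


def is_monitored(email: str, domains=MONITORED_DOMAINS) -> bool:
    domain = email.rsplit("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in domains)


def hibp_range_parts(password: str) -> Tuple[str, str]:
    """Split SHA-1(password) into the 5-hex prefix you would send to the HIBP
    Pwned Passwords range API and the 35-hex suffix you compare locally against
    the returned list (k-anonymity: the password and full hash never leave you)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def find_exposures(dump: str, domains=MONITORED_DOMAINS) -> List[dict]:
    """Unique exposures for monitored domains. The plaintext password is used
    only to compute the hash and is not kept in the output."""
    seen, hits = set(), []
    for line in dump.splitlines():
        parsed = parse_line(line)
        if not parsed or not is_monitored(parsed[0], domains) or parsed in seen:
            continue
        seen.add(parsed)
        prefix, suffix = hibp_range_parts(parsed[1])
        hits.append({"email": parsed[0], "sha1_prefix": prefix, "sha1_suffix": suffix})
    return hits


if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_DUMP):
        print(f"{hit['email']}: SHA-1 {hit['sha1_prefix']}...{hit['sha1_suffix'][-6:]}")
```

The range API step is left out so the script runs offline: in production you would request the prefix, look for the suffix in the response, and, more usefully, compare the suffix against the hashes of your users’ current passwords to decide whether a forced reset is needed. Treat the parsing as best-effort; dumps mix formats freely, and lines the regex rejects should be counted and sampled rather than silently dropped.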
Dark Web Forum Culture
Major dark web forums have included XSS, Exploit.in, and RaidForums (seized in April 2022 in a US-led operation with European partners; its administrator was arrested). BreachForums emerged as a successor, went offline after its administrator’s arrest in March 2023, was relaunched under new operators, and was seized again in May 2024. New forums and relaunches appear regularly.
These forums operate with reputation systems, escrow for transactions, and moderators — structured marketplaces despite their illegal nature. Research from Chainalysis and others has traced hundreds of millions in cryptocurrency transactions through these platforms.
Law Enforcement and Dark Web
The dark web is heavily monitored by law enforcement globally. Notable takedowns:
- Silk Road (2013) — Ross Ulbricht arrested after FBI de-anonymized him through operational security failures
- AlphaBay and Hansa (2017) — Operation Bayonet, a Europol/FBI/Dutch police operation: AlphaBay was taken offline first, and Dutch police ran Hansa as a honeypot for 27 days to capture the users who migrated there
- RaidForums (2022) — seized by DOJ; operator arrested
- BreachForums (2023/2024) — seized by FBI
- LockBit (2024) — Operation Cronos, led by the UK NCA with the FBI and Europol: infrastructure seized, decryption keys recovered, indictments issued (the group later resumed operating on new infrastructure)
Most dark web arrests come from operational security failures — using personal emails, shipping to real addresses, reusing usernames — rather than Tor itself being broken.
Staying Safe When Researching the Dark Web
If you access the dark web for legitimate research (security research, journalism, academic study):
- Use the official Tor Browser from torproject.org; don’t point Chrome or an ordinary Firefox at a Tor SOCKS proxy, since they leak identifying information (WebRTC, DNS, fingerprinting) that Tor Browser is specifically hardened against
- Use Tails, a live USB OS that forces all traffic through Tor and is amnesic by default (nothing persists to disk unless you deliberately enable persistent storage)
- Never log into personal accounts over Tor; doing so ties the session to your identity, and correlation attacks can de-anonymize you
- Raise the Tor Browser security level (the “Safest” setting disables JavaScript); most browser exploits need JavaScript to run
- Never download and open files: malware is common, and document formats that fetch remote resources, or that open in an application outside the Tor Browser, can leak your real IP
- Don’t share identifying information in any forums or communications, including writing style, timezone-revealing activity patterns, and usernames you use elsewhere
The dark web is a real tool with real criminal ecosystems, but it’s also a critical platform for privacy, journalism, and free speech in restrictive environments. Understanding it clearly is more useful than treating it as either a mythological monster or a routine destination.