Dark Reading

Ian W. Gray
Cybercrime: Looking Beyond the Dark Web

Fighting cybercrime requires visibility into much more than just the Dark Web. Here's where to look and a glimpse of what you'll find.

The now-shuttered DeepDotWeb, a uniquely centralized and trusted repository of Dark Web links and information, had long made it easier for threat actors, and consequently for law enforcement and other defenders, to keep track of which Dark Web sites were active and where. Its takedown left a void that no comparable alternative seems able to fill, at least for the near future.

There are other sites, known as hidden wikis, that can appear to be comprehensive directories and are often described as such by defenders. In reality they tend to be little more than hand-assembled link catalogs that hark back to the early days of the Internet, and they go stale as quickly as the sites they list. This volatility is largely why threat actors who operate on the Dark Web also typically frequent a number of other channels.

It's also why fighting cybercrime requires visibility into much more than just the Dark Web. Contrary to popular belief, the Dark Web accounts for just a minor subset of the many online venues that facilitate cybercrime. Even if the Dark Web were somehow to be eliminated, its absence would simply cause threat actors to rely more heavily on the various other online venues in which many, if not most, already operate.

Encrypted chat platforms are one such venue, and in fact they support more illicit activity than any other, the Dark Web included. Threat actors increasingly use platforms such as Telegram and Discord, among many others, to communicate and to share mirrors: sites that carry nearly identical content but are hosted at different URLs. If one URL goes down for any reason, the secondary URL acts as a backup that minimizes operational disruption and the profit losses that follow. One caveat on the "encrypted" label: neither Telegram's ordinary group chats nor Discord are end-to-end encrypted, so messages in these rooms remain visible to the platform operator and to anyone who obtains an invite. The appeal for threat actors lies as much in invite-only rooms, fast account churn and reach as in cryptographic secrecy.

Mirrors, Services, and Uptime
It's important to note that threat actors generally aren't using mirrors to attract new clients but to keep serving existing clients, and to preserve uptime, when the original site is down because of a distributed denial-of-service (DDoS) attack or law enforcement action. Distributing the mirror addresses through encrypted chat platforms adds the security and privacy those platforms afford: in most cases, mirrors are handed only to select clients or groups. While this practice doesn't typically present material issues for more-tenured threat actors, it does make it more difficult, and is intended to make it more difficult, for law enforcement and other defenders to locate and monitor these sites.

Another venue popular among attackers is the Deep Web, the broad swath of sites that conventional search engines do not index, including, but not limited to, the entirety of the Dark Web. Unlike much of the Dark Web, the myriad illicit communities elsewhere on the Deep Web are password-protected and highly exclusive. A number of these communities, including popular fraud platforms, are hosted on Deep Web forums run on bulletproof hosting services in countries unlikely to respond to law enforcement subpoenas.

Other online venues for cybercrime include decentralized marketplaces such as Joker's Stash, a longtime fixture of the stolen payment card ecosystem. Rather than depending on Tor hidden services alone, these marketplaces use blockchain DNS (BDNS), in which domain records are published on a public blockchain instead of with a registrar. No registrar or registry can be compelled to seize such a domain, and because the operator can re-point the record to fresh infrastructure at any time, BDNS also helps administrators keep their sites reachable during attempted takedowns or DDoS attacks. Reaching a BDNS site requires a browser plug-in or a resolver that understands the blockchain namespace, and because that technical barrier deters novice threat actors, BDNS-hosted sites tend to be more popular among tenured ones.
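Tracking the mirror addresses passed around in chat channels (the mirrors discussion above) and the blockchain-DNS domains of this paragraph starts with pulling hostnames out of messages and sorting them by where they live. The Python below is an added example written for this page, not code from the original article or from Flashpoint. The messages, hosts and key material are constructed, and the list of blockchain TLDs is an assumption about which namespaces a given investigation cares about (Namecoin's .bit and Emercoin's .emc, .coin, .lib and .bazar). It goes one step beyond the text by validating v3 onion checksums using Tor's published rend-spec-v3 derivation, so that a mistyped or fabricated onion address is flagged instead of being added to a monitoring list.

```python
"""Triage of site links shared in chat channels: extract hostnames, then sort them
into Tor v2/v3, blockchain-DNS and clearnet, checking v3 onion checksums so that
mistyped or fabricated onion addresses are flagged rather than monitored."""
import base64
import hashlib
import re

ONION_V3_VERSION = b"\x03"
# Assumption for this example: the blockchain-DNS namespaces we care about.
# Namecoin uses .bit; Emercoin's NVS DNS uses .emc, .coin, .lib and .bazar.
BLOCKCHAIN_TLDS = {"bit", "emc", "coin", "lib", "bazar"}


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive a v3 onion hostname from a 32-byte ed25519 public key (Tor rend-spec-v3):
    base32(PUBKEY || CHECKSUM || VERSION), CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion service keys are 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + ONION_V3_VERSION).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(label: str) -> bool:
    """True only if the 56-character label decodes to version 3 with a matching checksum."""
    if not re.fullmatch(r"[a-z2-7]{56}", label):
        return False
    raw = base64.b32decode(label.upper())  # 56 base32 chars decode to exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


def classify_host(host: str) -> str:
    """Sort a hostname into tor-v3 / tor-v3-invalid / tor-v2 / tor-malformed / blockchain-dns / clearnet."""
    parts = host.lower().rstrip(".").split(".")
    tld = parts[-1]
    if tld == "onion":
        label = parts[-2] if len(parts) >= 2 else ""
        if len(label) == 56:
            return "tor-v3" if is_valid_onion_v3(label) else "tor-v3-invalid"
        if re.fullmatch(r"[a-z2-7]{16}", label):
            return "tor-v2"
        return "tor-malformed"
    if tld in BLOCKCHAIN_TLDS:
        return "blockchain-dns"
    return "clearnet"


def extract_hosts(message: str) -> list:
    """Hostnames in a chat message; tolerates missing schemes, paths, ports and punctuation."""
    hosts = []
    for token in message.lower().split():
        token = re.sub(r"^[a-z][a-z0-9+.-]*://", "", token.strip("()[]<>\"',;!"))
        host = token.split("/", 1)[0].split(":", 1)[0].rstrip(".")
        if "." in host and re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
            hosts.append(host)
    return hosts


def triage(messages: list) -> dict:
    """Map each distinct host mentioned across the messages to its classification."""
    seen = {}
    for msg in messages:
        for host in extract_hosts(msg):
            seen.setdefault(host, classify_host(host))
    return seen


# Constructed messages in the style of mirror announcements passed around chat channels.
# None of these hosts, keys or services are real; the v3 key is just bytes 0..31.
DEMO_PUBKEY = bytes(range(32))
SAMPLE_MESSAGES = [
    "main is under ddos, use the backup http://exampleshop2x3y4.onion/ until it clears",
    "bdns mirror is live: http://exampleshop.bazar (you need the resolver plugin)",
    "clearnet landing page moved to https://example-shop-mirror.example/login",
    "v3 address for regulars only: " + onion_v3_from_pubkey(DEMO_PUBKEY),
    "fake v3 going around, do not use: "
    "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwd.onion",
]

if __name__ == "__main__":
    for host, kind in triage(SAMPLE_MESSAGES).items():
        print(f"{kind:16} {host}")
```

The last sample looks like a plausible v3 address (56 base32 characters ending in "d") but its trailing bits do not decode to version 0x03, so it is reported as tor-v3-invalid; a real address that has been transcribed with one wrong character fails the two-byte checksum the same way. Clearnet hosts are simply labelled, since their classification is the starting point for the usual registrar and hosting-provider lookups rather than the end of the analysis.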

The Geography Factor
The online venues in which threat actors operate are also heavily influenced by geography. Cybercrime is global, and while the Dark Web is viable for most threat actors based in Western countries, Internet infrastructure in certain other regions is less conducive to accessing it. For example, mobile networking has a high adoption rate in countries such as Brazil, largely because mobile phones cost far less than computers. Use of mobile applications for daily communication is also high throughout the region, as is the availability and uptime of major applications, including the encrypted chat platforms frequented by threat actors around the world.

For defenders, an obvious challenge in combating cybercrime is figuring out where threat actors are operating, if not solely on the Dark Web. But just as most people use different communication channels for different interactions, so do threat actors. Much of it comes down to what a threat actor is seeking to accomplish. Threat actors who operate decentralized marketplaces outside the Dark Web, for example, often run targeted advertisements on the Dark Web to attract new customers, while threat actors seeking guidance on carrying out fraud may be more likely to visit the Deep Web forums that offer fraud tutorials.

Above all else, it's important to recognize that while the Dark Web is integral to facilitating cybercrime and other illicit activity, much more of the threat landscape exists elsewhere on the Internet. While the recent Dark Web takedowns shine additional light on threat actor behavior and will likely have a sizable impact on the underground drug trade, they are unlikely to curb the plethora of other illicit activities that occur online — particularly the development of new malware. Combating such activity requires defenders to be agile and realistic about the many ways and venues in which threat actors operate.

Ian W. Gray is Director of Americas, Research and Analysis, at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime ...

Comment, 6/11/2019, 3:03:23 AM:
As technology grows gradually, the number of cybercrimes, as well as the chance of cybercrime, has also increased randomly. We have to take immediate action so that it can be stopped. The cyberhackers are also concerned about this; they are also inventing new things for it. To get all these updates, keep your eyes on epson printer error code 0xf3 and be careful.