The big, scary Dark Web may not be as big or scary as many believe.
Over the years, the Dark Web has garnered a reputation as a nebulous platform for cybercrime. Highly publicized arrests and news stories have fueled the idea there is a massive network of cybercriminals plotting scams in this corner of the Web. But the actual amount of live, reachable onion sites makes up less than 0.005% of about 200 million surface Web domains.
It's worth noting the Dark Web is defined as any Internet content that requires specific software, configurations, or authorization to access. Oftentimes it's conflated with the Deep Web, which refers to all parts of the Web not indexed by search engines. The Dark Web includes the Tor network, which consists of onion domains and direct links between them.
"The term has a little bit of a life of its own," says Garth Griffin of the Dark Web. Griffin is the director of data science at Recorded Future, where analysts recently set out to characterize the entire Tor network as part of a new study. "Anybody can figure out how to use Tor but most people haven't bothered to do that, so it sort of has this aura of mystique around it."
To provide clarity on the Dark Web, researchers crawled some 260,000 onion pages to estimate the full reachable Tor network from a starting set of onion sites they pulled from public lists and internal content. They found 55,828 onion domains; of these, only 8,400 (15%) were live sites.
"We were not surprised to find the actual extent of the Tor network is not as broad as it's talked about," says Griffin. There are criminal sites where illicit activity happens, he adds, but it's not the massive machine people assume it is. In the report on their findings, Griffin and Recorded Future's Juan Sanchez say the common idea of a hidden, mysterious Dark Web is likely attributable to a tiny portion of unpublicized, invitation-only communities on onion sites.
"There's a set of sites that are kind of obscure, even within the obscurity of the Dark Web," Griffin continues. "These are sites that might be highly respected in the criminal community."
On the surface Web, popular sites attract millions of inbound link counts. Researchers found the most popular Tor site was a market with 3,585. The top eight onion websites most valued in the criminal community had a maximum of 15 inbound link counts, with an average of 8.7 per site. Still, scams abound: one Dark Web typosquatting scheme claims to have defrauded visitors of more than 400 popular onion websites and generated thousands of dollars in Bitcoin.
Dark Web sites are generally unreliable, disorganized, and short-lived as scams and attacks pervade this part of the Internet. When onion servers fall victim to cybercrime, websites follow. Consider Daniel's Hosting, which provided Tor hosting services to about 6,500 onion sites and caused a massive outage when it was hacked in 2018. While it was eventually back up and running, the downtime represents a common pattern in service outages among onion sites.
The gold standard for websites is 99.999% availability, otherwise known as "five nines." Facebook's uptime is about 99.95%, researchers explain for context. Onion sites are typically much lower: even popular markets can have uptime below 90%; one well-known marketplace had 65% uptime at the time the report was published. Some sites simply disappear for good.
It may be smaller than perceived, but the Dark Web is falling under greater scrutiny as law enforcement cracks down on the small slice of cybercrime. Late last week, the world's second-largest Dark Web marketplace was taken down in an international law enforcement operation. "Wall Street Market" had hosted the sale of illegal drugs, stolen data, fake documents, and malicious software. Its shutdown led to the arrested of three German nationals in the US.
In January, another law enforcement operation shut down xDedic, a Russian language site known for selling stolen identity data and access to compromised servers. As officials continue to investigate and dismantle cybercriminal operations, they force operators to rethink their strategies: marketplaces are now being replaced with smaller forums and individual chats. Cybercrime isn't limited to the Dark Web – it's also happening in chat apps and other tools.
- 7 Ways to Get the Most from Your IDS/IPS
- The Big E-Crime Pivot
- Russian Nation-State Group Employs Custom Backdoor for Microsoft Exchange Server
- Attackers Add a New Spin to Old Scams
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.