- Table of contents
The author
Sources Development Team Lead at Cyberint
Table of contents
Related Articles
Why 2023 Requires a New Approach to Dark Web Monitoring
Dark Web monitoring strategies need to evolve. Gone are the days when the Dark Web was a haven mostly only for people who wanted to post illicit content anonymously. Today, the Dark Web has expanded into a hotbed for threat actors, who use Dark Web forums and apps to distribute malware and sell the fruits of their hacking activities.
Dark Web Usage Has Changed
The Dark Web has been around at least since 2000, when U.S. Navy efforts to create an anonymous Internet space for espionage purposes gave birth to the first Dark Web communities.
In its early years, the Dark Web was a relatively small and uncomplicated space. The introduction of cryptocurrency, which debuted when Bitcoin launched in early 2009 led to a significant increase in anonymous business transactions both on the Dark Web and elsewhere.
The Dark Web combined with crypto created the perfect environment for threat actors to operate in. They could use the Dark Web as a base for planning their operations, then use it to sell the data they exfiltrated when they completed a Dark Web data breach.
The distribution of stolen data on the Dark Web “happens a lot,” according to Bruce Schneier of Harvard’s Berkman Center for Internet and Society. “There’s a big data breach, and then someone will try the same username and password at a bank, at Google.”
The shift of cybercrime to the Dark Web also reflects increased awareness over the past decade of how government agencies can track people on the conventional Web – a fact underlined by the Snowden revelations of 2013 – this gave threat actors added incentive to move their operations to the Dark Web.
Fast forward to today and the Dark Web has become a massive, dynamic space. Analysts estimate that about $1.5 billion changed hands on the Dark Web in 2022, and that around 2.5 million people visit Dark Web sites or apps every day.
Recent Dark Web Changes Impacting Dark Web Monitoring
Key recent trends include:
1. Increase in Volume of Malware on the Dark Web
Increased use of the Dark Web to share not just items like stolen passports or to buy and sell illegal drugs, but also to sell malware and PII stolen by threat actors. This change reflects increased reliance on the Dark Web by threat actors. “The Dark Web now has hundreds of thriving marketplaces where a wide variety of professional ransomware products and services can be had at a variety of price points,” as cybersecurity writer Jai Vijayan notes.
2. A Shift to Deep Web Forums
The shift to DeepWeb forums. In the past the majority of criminal activity occurred on the DarkWeb, but in recent years there has been a significant shift to Deep Web forums such as BreachForums, etc. Users can access these forums with a regular internet browser, such as Chrome, and VPNs are supposed to hide the threat actor’s true IP address from deep web applications, such as closed threat actor forums or marketplaces. This is meant to provide enough of a veil for them to keep their true identity concealed without needing to use Tor. But there are many cases of VPNs not providing the necessary anonymity, such as when NordVPN was hacked and when SuperVPN was hacked.
3. Increased Use of Apps – such as Telegram or Discord
Apps help to protect users’ anonymity because they can prevent some tracking techniques that are possible within browsers. Threat actors can purchase a prepaid sim or use a virtual number to remain anonymous. There are several reasons for this shift:
-
-
- The FBI is shutting down more and more illegal deep & dark web forums and threat actors are looking for new ways to maintain anonymity.
- As Telegram’s popularity increases more and more can be found there – from credit cards to leaked databases to passportss.
-
4. A Greater Rate of Change
New Dark Web forums appear on a regular basis as part of threat actors’ efforts to circumvent the closure of existing forums (like BreachForums and Genesis) by government authorities. Whereas in the past you might see one or two new forums appear in a year, over the past 12 months we have seen more than 4 leading forums appear/disappear. First there was RaidForums, then BreachForums, then Genesis Market and now ExposedVC Forum (Although Genesis Market is still live and up to date on Tor).
5. Growing Internationalization
There has been a growth in the internationalization of the Dark Web, specifically more movement from the US to Chinese Dark Web Forums. The FBI closures have also triggered a migration to forums outside of the US for many threat actors.
6. ChatGPT and the Dark Web
Information security experts generally agree that the rise of ChatGPT will lead to an increase in the volume of malware being exchanged on the deep and dark web. ChatGPT has the potential to speed up the malware production process, increasing the amount of threat actor activity that must be tracked on the DarkWeb.
7. Increasing Business Partnerships
Now organizations need to monitor what is being said and sold about their vendors on the Dark Web too. With the boom in vendors and suppliers over the past 5 years, the supply chain is becoming many organizations weak point. Now, they not only need to monitor what is being said about them, they also need to know if their vendors are being targeted too.
The Challenges to Dark Web Monitoring in 2023
All of these usage changes have led to two main challenges. They are only exacerbated by the fact that many cyber teams are currently stretched thin due to the economic slowdown.
- There are more forums, apps and areas of activity to monitor and these forums are turning over and evolving more quickly.
- There’s much more Dark Web content to monitor and sort through. Suppliers need monitoring too, only adding to the volume of content to monitor.
A Dark Web Cybersecurity Strategy for 2023
Despite the above challenge and the emerging trends, monitoring the Dark and Deep Web remains critical. Since the Dark/Deep Web is the place threat actors both plan breaches and sell data, you need to monitor Dark Web forums and apps if you want to stay ahead of attackers
Effective Dark Web monitoring as of 2023 requires the ability to do the following:
- Monitor not just forums, but also social channels and apps.
- Track Dark Web content in multiple languages in all parts of the world.
- Assess the severity of Dark Web threats and threat actor activity on the Dark Web by monitoring communication channels to understand what threat actors are up to and which types of attacks they are planning.
- Prioritize the threats by pairing with the organization’s attack surface to determine what threats are most pressing for them and reducing the amount of false positives.
- Automate the processing of Dark Web monitoring data so that risks are easy to detect quickly.
- Provide context to the threats so mitigation steps are clear.
- Identify not only Dark Web threats that could affect your business directly, but also threats to your vendors, partners and other parts of your supply chain.
- And finally dark web monitoring needs to ensure each source is crawled and scraped at least once a week (with the majority of forums being scraped much, much more) according to the allowed policies on it. For example, if a dark web forum is monitored for suspicious scraping activity, a good monitoring solution will make sure information is collected at a pace that does not raise any suspicion.
When you do these things, you turn the Dark Web into an asset for your cybersecurity strategy, not for threat actors. If you can gain visibility into the Dark Web and use it as a source of insight into cyber threats, it becomes a great way of anticipating emerging threats.
At Cyberint, we know a thing or two about Dark Web monitoring, and we want to help businesses incorporate it into their cybersecurity strategies. Learn more by downloading our free eBook, The Big Book of Deep and Dark Web, 2023 Edition.
Beyond Digital Risk Protection
tailored with human expertise that turn intelligence into proactive cyber defense to better protect your business.
Demo Exposed Credentials Results 
