This blog provides an introduction to the Dark Web including an exploration of Dark Web content and its relevancy to intelligence investigations. This blog is authored by Erika Sonntag, Cyber Threat Intelligence Analyst and Training Lead at Bluestone Analytics.
What is the Dark Web?
The Dark Web is a series of encrypted networks containing websites that are unreachable through standard web browsers. Originally designed to provide a secure communication channel for journalists and individuals in high-risk countries, the Dark Web has evolved into a dynamic ungoverned environment where threat actors coordinate cyberattacks, leak sensitive documents, traffic drugs, and weapons, and spread propaganda.
Our White Paper discusses the defining characteristics and best practices for collecting, analyzing and filtering Dark Web data, and the importance of data correlation across the Surface, Deep and Dark Web.
The Deep Web vs. The Dark Web
The terms “Deep Web” and “Dark Web” are often conflated but they are not the same. The Deep Web contains content that is hidden behind a pay wall or sign-in and is not directly accessible via search engines. Subscription-only content, corporate intranets, and sites that have blocked web-crawlers are all examples of the Deep Web, which is estimated to make up about 90% of the total internet.
The Dark Web, which is estimated to make up about 6% of the internet, requires specific technology such as browsers or encryption algorithms to access. Dark Web content is varied, and the most popular site types include forums, chans, pastebins, markets, and databases. Due to the anonymous nature of the Dark Web, illicit and covert activity is prevalent.
Dark Nets – The Infrastructure of the Dark Web
Dark nets are the infrastructure that hosts the Dark Web— the nodes, relays, and servers– while the Dark Web is the content hosted across these dark nets. There are many dark nets, with Tor, OpenBazaar, I2P, and Zeronet being the most popular. Each dark net has a unique architecture and requires distinct technology and protocols to access.
- Tor – The Most Popular Dark Net
Tor is the most widely used dark net, with over 2 million daily users and more than 145,000 unique sites. Its origins stem from research conducted at the U.S. Naval Research Lab on encrypting communications in layers to ensure user anonymity. These layers of encryption inspired the name Tor, which stands for The Onion Routing. Tor is relatively user-friendly, as it can be downloaded from the Open Web and configured quickly. Once installed, users can anonymously access Tor-specific .onion URLs or out-proxy to Open Web content.
- OpenBazaar – Unregulated Trade
OpenBazaar is a peer-to-peer marketplace that allows users to host stores, browse products, and make purchases easily. Unlike many Dark Web markets, OpenBazaar offers a clean and standardized interface, making it attractive to users with limited Dark Web experience. Due to its decentralized nature and ability to use network connections over Tor, transactions on OpenBazaar are challenging to track.
The Dark Web is incredibly dynamic, and major shifts in infrastructure and site availability occur frequently. At the time of this publication, OpenBazaar is no longer accessible. It is possible it may come back online in the future.
- I2P – The Invisible Internet
I2P is an open-source dark net that utilizes peer-to-peer connections to facilitate communications over the Dark Web. The platform requires technical aptitude for initial configuration but offers its users increased security through direct peer-to-peer communications and end-to-end encryption. Accessing I2P is more complicated than accessing other dark nets, which may deter non-technical users from using it.
- ZeroNet—The Bitcoin Internet
ZeroNet utilizes Bitcoin cryptography and BitTorrent technology to support a decentralized censorship-resistant network that relies on users to “seed” or host site files. The ZeroNet platform can be downloaded from the Open Web and configured in minutes. Once installed, users can easily browse to ZeroNet sites and begin hosting content on the network.
Dark Web Content
Chan-style forums enable users to post anonymously without registering for an account. Chan users can give themselves any author name when posting, but most users post under some variation of the name “anonymous” or “anon.” Conversations on chans are frequently centered around violence, illegal activity, racism, and extremism.
Pastebins act as digital dead-drops where users can post sensitive information or links. Pastebins often automatically delete posts after a set amount of time.
On Dark Web markets, users can easily buy and sell a wide range of illicit goods, including drugs, weapons, and cyber exploits. Dark Web vendors often take pride in their reputations and may list products across multiple markets.
Much like Open Web content, Dark Web sites are incredibly diverse and include shops, link directories, communication platforms, and content hosting. Unlike the Open Web, however, the vast majority of Dark Web sites contain controversial or illicit content.
Dark Web Relevancy for Security Objectives
Because the Dark Web is designed to provide anonymity, it is a haven for threat actors looking to communicate openly while obfuscating their identity. Within the Dark Web, illicit goods are bought and sold, hackers develop malware and release data leaks, sensitive information is distributed, and extremist organizations communicate globally and spread propaganda. Illuminating this activity enables defense, security, and intelligence organizations to identify and mitigate complex threats, including terrorism, drug, and human trafficking, emerging cyber threats, fraud, and organized crime.
The range of actors and activities, coupled with the technical expertise needed to operate in the space, makes navigating the Dark Web a challenge for any organization. To overcome this challenge, Bluestone Analytics provides secure access to elusive data sources, including Dark Web forums, marketplaces, paste sites, and databases from across Tor, OpenBazaar, I2P, and ZeroNet, as well as key Deep and Open Web sites and social media. This data augments Fivecast’s AI-enabled risk analytics and investigation capabilities, delivering a powerful solution to quickly identify high-risk data, speed investigations, and progress law enforcement initiatives.