The darknet isn’t as hidden as it used to be. The seamy digital underbelly of the internet, according to some sources, may be shrinking or entering the mainstream. After all, any digitally savvy person can figure out how to download a Tor browser and use cryptocurrency.

Risks are certainly higher than ever for cybercriminals who use the darknet to openly sell narcotics, stolen data or illegal services. The original Silk Road founder, Ross Ulbricht, has lost appeals against a double life sentence plus 40 years for crimes of drug trafficking and money laundering beneath the surface of the web. Based on media stories, it’s easy to believe that the darknet isn’t as sketchy as it once was. Narcotics traffickers are voluntarily banning sales of the synthetic opioid fentanyl due to safety concerns. Even Facebook has gone dark with an onion site accessed by 1 million Tor browser users each month.

While the darknet is more heavily trafficked than ever, the battle isn’t over. True threat intelligence lurks in hard-to-access corners of the web, far away from major marketplaces and media headlines. Threats to the enterprise beneath the surface web aren’t shrinking. In fact, according to recent studies, hidden threats to your organization are growing rapidly.

7 Darknet Threat Trends to Keep an Eye On

International law enforcement agencies are operating with coordinated agility to shut down darknet marketplaces. As reported by Bitcoin Magazine, the recent shutdown of the popular dark site Wall Street Market involved the cooperative efforts of the German Federal Criminal Police, the Dutch National Police, Europol, Eurojust, and various U.S. government agencies, including the FBI, IRS and DOJ. While these efforts are laudable, new marketplaces prove criminal commerce is not so easily stopped.

“Instability has become sort of baked into the dark-web market experience,” darknet expert Emily Wilson told The New York Times. “People don’t get quite as scared by [raids] as they did the first few times.”

Unpredictable odds and heightened threats of prosecution clearly aren’t enough to deter cybercriminals. More to the point, the most serious enterprise threats operate deep beneath the surface.

1. The Darknet Is More Than Tor

There’s a common misconception that the darknet is a term for websites accessible by a Tor browser. However, there’s more beneath the surface than .onion extensions.

“The ‘darknet,’ in general, means it’s a space or community on the internet that’s not readily accessible to regular people,” said Andrei Barysevich of Recorded Future.

Barysevich noted that many criminal sites, communities and forums predate the creation of Tor. While some of these hubs have moved to Tor, others remain online with alternative protocols such as I2P, GNUnet or Riffle.

2. Enterprise Threats Are Growing

It’s a dangerous mistake to exclusively associate the darknet with well-known threats, such as the sale of narcotics or script kiddies purchasing distributed denial-of-service (DDoS) attacks as a service. Between 2016 and 2019, there was a 20 percent increase in the number of darknet listings that have the potential to cause harm to organizations, according to a recent academic study with Bromium. Growing threats include:

  • Targeted malware;
  • Enterprise-specific DDoS services;
  • Corporate data for sale; and
  • Brand-spoofing phishing tools.

The most effective cybercriminals are also highly guarded. Seventy percent of vendors that engaged with academic researchers were only willing to communicate through private channels.

3. Darknet Trends Mirror Enterprise Threats

Darknet threat trends closely mirror the evolution of the enterprise threat landscape. One such example involves the recent growth of whaling attacks. Last year, 13 percent of attacks analyzed by IBM X-Force Incident Response and Intelligence Services (IRIS) involved business email compromise (BEC) or whaling, according to the “2019 IBM X-Force Threat Intelligence Index Report.” Whalers who can’t obtain the credentials they need on their own can cheaply purchase access to business email accounts from credential merchants. The average cost of compromising a business email account is just $150, according to Digital Shadows.

4. Social Engineering Fodder Is Openly Exchanged

In 2019, there’s been a disturbing trend toward the sale of entire digital identities belonging to individuals infected by malware, according to ZDNet. Each digital profile includes login credentials for online banking, file sharing and social networking. Web cookies, browser user-agent details, HTML5 canvas fingerprints and other details are also included for a cost ranging from $5 to $200.

Social engineering attacks are becoming more targeted. The latest wave is resistant to any form of defense aside from sophisticated behavioral analytics. This year has seen a rapid increase in direct extortion attempts against high-profile individuals, as well as pretexting attacks in which someone assumes the identity of a trusted party. It’s easy for threat actors to slip on another likeness after purchasing an entire digital identity in one transaction.

5. Network Access Can Be Bought and Sold

The range of services that can be purchased is broad, and threat actors willing to pay for direct access can have it. According to the aforementioned academic study with Bromium, researchers were offered backdoors into corporate networks — although vendors refused to provide details on these backdoors without a substantial upfront fee. At least 60 percent of backdoor vendors openly offered access to more than 10 high-profile corporate networks via remote access Trojans (RATs), exploits and keyloggers.

6. Your Intellectual Property May Be for Sale

The darknet is a haven for the exchange of corporate trade secrets and intellectual property. It’s also a hangout for malicious insiders who offer access to trade secrets. Forums even sometimes host discussions about enterprise employees likely to be vulnerable to extortion attempts. When the researchers behind the Bromium report asked one vendor about gaining network access to three leading enterprises, they discovered it was both cheap and easy. One darknet seller offered “access to the CEO” or to “get whatever we wanted from their servers” for fees ranging from $1,000 to $15,000.

If your intellectual property has been compromised or you’re employing a malicious insider, it’s hard to tell, because most approaches to darknet threat monitoring focus on keywords or industry alerts.

7. Threats Hide in the Recesses of the Darknet

The majority of cybercriminals and the most sophisticated threat actors operate out of view. The corners of the darknet include criminal social networks, web forums and password-protected communities. These haunts are likely even more obscure than you think.

The number of inbound links to web communities can be used as one measure of accessibility. Popular surface websites may have millions of linking domains. Recorded Future recently performed an analysis of “top-tier criminal sites with significant barriers to entry and a high level of obscurity.” These websites had an average of 8.7 inbound links, with a maximum of 15. The darkest sites contain the most valuable threat intelligence.
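The inbound-link measure described above is easy to compute from a crawl's edge list. The following is an added example, not code from the article or from Recorded Future, and the link graph, host names and threshold in it are constructed for illustration. It counts distinct linking domains (several links from one index page still count as one domain) and drops self-links, then flags communities whose in-degree falls at or below a chosen ceiling.

```python
# Added example: score community accessibility by distinct inbound linking domains.
# Every host below is a constructed placeholder; LINKS is not real crawl data.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed edge list: (linking page URL, target community host).
LINKS = [
    ("http://index-a.example/links",       "forum-alpha.example"),
    ("http://index-a.example/more",        "forum-alpha.example"),   # same domain, counted once
    ("http://index-b.example/",            "forum-alpha.example"),
    ("http://index-c.example/",            "forum-alpha.example"),
    ("http://index-a.example/links",       "market-beta.example"),
    ("http://index-b.example/",            "market-beta.example"),
    ("http://blog-d.example/post",         "market-beta.example"),
    ("http://wiki-e.example/",             "market-beta.example"),
    ("http://blog-d.example/post",         "private-gamma.example"),
    ("http://private-gamma.example/home",  "private-gamma.example"),  # self-link, ignored
]


def linking_domains(links):
    """Map each target community to the set of distinct domains linking to it."""
    by_target = defaultdict(set)
    for source_url, target in links:
        host = urlsplit(source_url).hostname
        # A site linking to itself says nothing about how reachable it is.
        if host and host != target:
            by_target[target].add(host)
    return dict(by_target)


def inbound_counts(links):
    """Number of distinct linking domains per target (the in-degree used as the metric)."""
    return {target: len(domains) for target, domains in linking_domains(links).items()}


def mean_inbound(links):
    """Average in-degree across all observed targets; 0.0 when there are none."""
    counts = inbound_counts(links)
    return sum(counts.values()) / len(counts) if counts else 0.0


def obscure_sites(links, max_inbound=15):
    """Communities at or below the in-degree ceiling, least-linked first.

    The default ceiling of 15 is the maximum reported in the article's analysis;
    treating it as a cut-off is an assumption made for this example.
    """
    counts = inbound_counts(links)
    return sorted(
        ((target, n) for target, n in counts.items() if n <= max_inbound),
        key=lambda item: (item[1], item[0]),
    )


if __name__ == "__main__":
    for target, n in obscure_sites(LINKS, max_inbound=3):
        print(f"{target}: {n} linking domain(s)")
    print(f"mean in-degree: {mean_inbound(LINKS):.2f}")
```

In a real pipeline the edge list would come from the crawler's link table; the ranking is only as good as the crawl's coverage, so a community that appears to have zero inbound links may simply lie outside the crawled region rather than being genuinely obscure.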

The Darknet Is Only Shrinking Away From the Surface

The most significant threats to the enterprise operate in the hidden corners of the web. Cybercrime collectives and highly skilled hackers share password-protected platforms, invitation-only forums and private messaging systems. Digital communities with high barriers to entry are ideal for communication between cybercrime collectives or the open transfer of corporate intellectual property.

As the darknet slips further underneath the surface, it’s time for the enterprise to look deeper than surface-level cyberthreat intelligence. The ability to monitor, identify and profile threats requires organizations to use threat intelligence streams that reach into the corners of the hidden web. Darknet data is a viable intelligence source, but only if your data access is as wide-reaching and quick to evolve as the cybercriminals themselves.
