The darknet isn’t as hidden as it used to be. The seamy digital underbelly of the internet, according to some sources, may be shrinking or entering the mainstream. After all, any digitally savvy person can figure out how to download a Tor browser and use cryptocurrency.

Risks are certainly higher than ever for cybercriminals who use the darknet to openly sell narcotics, stolen data or illegal services. The original Silk Road founder, Ross Ulbricht, has lost appeals against a double life sentence plus 40 years for crimes of drug trafficking and money laundering beneath the surface of the web. And it’s easy to believe that the darknet isn’t as sketchy as it once was based on media stories. Narcotics traffickers are voluntarily banning sales of the synthetic opioid fentanyl due to safety concerns. Even Facebook has gone dark with an onion site accessed by 1 million Tor browser users each month.

While the darknet is more heavily trafficked than ever, the battle isn’t over. True threat intelligence lurks in hard-to-access corners of the web, far away from major marketplaces and media headlines. Threats to the enterprise beneath the surface web aren’t shrinking. In fact, according to recent studies, hidden threats to your organization are growing rapidly.

7 Darknet Threat Trends to Keep an Eye On

International law enforcement agencies are operating with coordinated agility to shut down darknet marketplaces. As reported by Bitcoin Magazine, the recent shutdown of the popular dark site Wall Street Market involved the cooperative efforts of the German Federal Criminal Police, the Dutch National Police, Europol, Eurojust, and various U.S. government agencies, including the FBI, IRS and DOJ. While these efforts are laudable, new marketplaces prove criminal commerce is not so easily stopped.

“Instability has become sort of baked into the dark-web market experience,” darknet expert Emily Wilson told The New York Times. “People don’t get quite as scared by [raids] as they did the first few times.”

Unpredictable odds and heightened threats of prosecution clearly aren’t enough to deter cybercriminals. More importantly, the most important enterprise threats operate deep beneath the surface.

1. The Darknet Is More Than Tor

There’s a common misconception that the darknet is a term for websites accessible by a Tor browser. However, there’s more beneath the surface than .onion extensions.

“The ‘darknet,’ in general, means it’s a space or community on the internet that’s not readily accessible to regular people,” said Andrei Barysevich of Recorded Future.

Barysevich noted that many criminal sites, communities and forums predate the creation of Tor. While some of these hubs have moved to Tor, others remain online with alternative protocols such as I2P, GNUnet or Riffle.

2. Enterprise Threats Are Growing

It’s a dangerous mistake to exclusively associate the darknet with well-known threats, such as the sale of narcotics or script kiddies purchasing distributed denial-of-service (DDoS) attacks as a service. Between 2016 and 2019, there was a 20 percent increase in the number of darknet listings that have potential to cause harm to organizations, according to a recent academic study with Bromium. Growing threats include:

  • Targeted malware;
  • Enterprise-specific DDoS services;
  • Corporate data for sale; and
  • Brand-spoofing phishing tools.

The most effective cybercriminals are also highly guarded. Seventy percent of vendors that engaged with academic researchers were only willing to communicate through private channels.

3. Darknet Trends Mirror Enterprise Threats

Darknet threat trends closely mirror the evolution of the enterprise threat vector. One such example involves the recent growth of whaling attacks. Last year, 13 percent of attacks analyzed by IBM X-Force Incident Response and Intelligence Services (IRIS) involved business email compromise (BEC) or whaling, according to the “2019 IBM X-Force Threat Intelligence Index Report.” Access to business email accounts can be cheaply purchased if whalers can’t buy the credentials they need from credential merchants. The average cost of compromising a business email account is just $150, according to Digital Shadows.

4. Social Engineering Fodder Is Openly Exchanged

In 2019, there’s been a disturbing trend toward the sale of entire digital identities belonging to individuals infected by malware, according to ZDNet. Each digital profile includes login credentials for online banking, file sharing and social networking. Web cookies, browser user-agent details, HTML5 canvas fingerprints and other details are also included for a cost ranging from $5 to $200.

Social engineering attacks are becoming more targeted. The latest wave is resistant to any form of defense aside from sophisticated behavioral analytics. This year has seen a rapid increase in direct extortion attempts against high-profile individuals, as well as pretexting attacks in which someone assumes the identity of a trusted party. It’s easy for threat actors to slip on another likeness after purchasing an entire digital identity in one transaction.

5. Network Access Can Be Bought and Sold

The range of services that can be purchased is broad, and threat actors willing to pay for direct access can have it. According to the aforementioned academic study with Bromium, researchers were offered backdoors into corporate networks — although vendors refused to provide details on these backdoors without a substantial upfront fee. At least 60 percent of backdoor vendors openly offered access to more than 10 high-profile corporate networks via remote access Trojans (RATs), exploits and keyloggers.

6. Your Intellectual Property May Be for Sale

The darknet is a haven for the exchange of corporate trade secrets and intellectual property. It’s also a hangout for malicious insiders who offer access to trade secrets. Forums even sometimes host discussions about enterprise employees likely to be vulnerable to extortion attempts. When the researchers behind the Bromium report asked one vendor about gaining network access to three leading enterprises, they discovered it was both cheap and easy. One darknet seller offered “access to the CEO” or to “get whatever we wanted from their servers” for fees that varied from between $1,000–$15,000.

If your intellectual property has been compromised or you’re employing a malicious insider, it’s not easy to tell because most approaches to darknet threat monitoring focus on keywords or industry alerts.

7. Threats Hide in the Recesses of the Darknet

The majority of cybercriminals and the most sophisticated threat actors operate outside view. The corners of the darknet include criminal social networks, web forums and password-protected communities. These haunts are likely even more obscure than you think.

The number of inbound links to web communities can be used as one measure of accessibility. Popular surface websites may have millions of linking domains. Recorded Future recently performed an analysis of “top-tier criminal sites with significant barriers to entry and a high level of obscurity.” These websites had an average of 8.7 inbound links, with a maximum number of 15 inbound links. The darkest sites contain the most valuable threat intelligence.

The Darknet Is Only Shrinking Away From the Surface

The most significant threats to the enterprise operate in the hidden corners of the web. Cybercrime collectives and highly skilled hackers share password-protected platforms, invitation-only forums and private messaging systems. Digital communities with high barriers to entry are ideal for communication between cybercrime collectives or the open transfer of corporate intellectual property.

As the darknet slips further underneath the surface, it’s time for the enterprise to look deeper than surface-level cyberthreat intelligence. The ability to monitor, identify and profile threats requires organizations to use threat intelligence streams that reach into the corners of the hidden web. Darknet data is a viable intelligence source, but only if your data access is as wide-reaching and quick to evolve as cybercriminals.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…