With the right tools and team, you can turn the dark web into an early warning system—the canary in the coal mine that detects attacks before they do major damage.
Imagine that you’re an airline executive, sitting down at your desk with a fresh cup of coffee on an uncharacteristically peaceful Monday morning. You’re feeling refreshed, relaxed and ready for the week ahead.
As you’re catching up on your inbox, the familiar tap-tap-tap of a Slack notification catches your attention.
You pull up the window. It’s a message from your security operations center (SOC) lead, and not a good one: “There’s a data broker on the dark web advertising a massive trove of our customer records for sale.”
What do you do? Convene an emergency meeting of company leaders? Call the police?
Your first instinct might be to panic. Our data is on the dark web. This is bad.
But, ideally, you would ask your threat intelligence analysts to dig a little deeper before reacting.
Because cybercriminals are not exactly trustworthy, and those records they’re hawking might not be what they claim to be. Maybe what they really have is third-party data from a travel website that is only loosely connected to you. Maybe they’re just using your organization’s very recognizable name to attract buyers.
Which would mean that your customer data is safe and sound, and you don’t need to launch a massive, costly, public response. You might not need to do anything at all.
The point of this thought exercise—adapted from a real incident that IBM X-Force handled—is that the dark web is much more mundane than its sinister reputation might have you believe.
Mundane, and knowable.
Certainly the dark web is home to a lot of shady and outright malicious activity, but the lore surrounding this shadowy corner of the internet can cloud people’s judgment.
By closely, calmly and rationally monitoring dark web activity, organizations can cut through the myths and get an accurate picture of what really happens in the famed hacker’s haven.
That said, the dark web is tricky terrain to navigate, and not only for outsiders. Criminals infect one another: a tool or data sample offered there may itself be malware aimed at the buyer's own data and bank accounts. It helps to have the support of qualified cybersecurity professionals who can separate the empty threats from real risks.
Look past the ominous name and the urban legends. The dark web is, ultimately, just a particular section of the internet—albeit one that is intentionally obscure.
At a high level, we can say that the internet has three layers: the surface web that search engines index, the deep web of pages that are not indexed (content behind logins and paywalls, for example) and the dark web, which can be reached only through anonymizing software such as Tor.
What does the dark web look like? It’s not all that different from the open web. People congregate in forums. They sell things on marketplaces. The big difference is that the things they discuss and sell require a certain amount of anonymity.
Not everything that happens on the dark web is malevolent. Journalists, for example, can use it to source and share confidential information.
But, yes, many dark web denizens are cybercriminals. Their forums are dedicated not to TV shows and niche hobbies, but to trading exploits and recruiting new gang members. Instead of selling clothes and video games, they sell malware, credit card numbers and stolen credentials. Lots of stolen credentials.
According to the X-Force Threat Intelligence Index, valid account hijacking is one of the most common initial data breach vectors, accounting for 30% of cyberattacks.
In the fourth quarter of 2024 alone, X-Force saw 1.2 million sets of credentials for sale on the dark web, often for as little as USD 14 per record. Other hackers buy these credentials and use them to commit identity theft or break into enterprise networks.
Some cybercriminals offer what we call “malware as a service,” which applies the classic software as a service (SaaS) model to ransomware and other malicious software. These threat actors sell proprietary malware to affiliates, who use the malware to launch attacks and share a portion of their ill-gotten proceeds with the creators.
And then there are the access brokers, who gain footholds into target systems and sell entry to other cybercriminals to do as they please.
Whether they’re selling data, access or malware, these cybercriminals usually organize themselves in gangs rather than going it alone. But keeping tabs on these gangs is hard. They tend to form, rise and fade rather quickly. For example, more than half of the most active ransomware gangs on the dark web in the first quarter of 2025 had been around for a year or less.
The balance of power is always shifting in the dark web. Law enforcement takes down gangs. Burned affiliates split off to form their own enterprises. Sometimes intergang competition leads to direct attacks. Such was the case in February of this year, when a rival gang leaked the code for the latest version of the infamous Lockbit group’s ransomware.
This fast pace of change and the intricate dynamics between gangs and marketplaces are just a couple of the reasons why it pays to work with dedicated threat intelligence analysts who can keep an eye on dark web dealings for your organization. In the chaos of it all, it’s all too easy to miss the red flags that might signal an active threat to your business.
Most of us know better than to take the unsourced social media posts of strangers at face value. Yet when cybercriminals say that they have sensitive data, without a shred of proof, we’re inclined to believe them.
We really shouldn’t. And this is another area where expert threat intelligence analysts can come in handy: telling fact from fiction on the dark web.
Cybercriminals lie. A lot. They routinely claim to have data from large, leading organizations—data they do not actually have. Why? To seem more accomplished than they really are and thus build an unwarranted reputation as a skilled hacker. Or they might be trying to drum up business for some less attractive data that they do have.
For example, a gang might claim to have data from a major global brand. When potential customers come along, the gang says that data was already sold—but they can offer some other data from a lesser-known organization instead. It is essentially a form of social engineering directed at other cybercriminals.
Alternatively, cybercriminals don’t always openly advertise the data they do have. To avoid being caught, they often obfuscate their victims. Instead of saying they have data from Company X, they might say: “We have data from a company of X size in Y industry worth Z valuation.”
What organizations need is a sophisticated surveillance program that can accurately identify both fake leaks and real-but-disguised threats.
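The two failure modes described above, a name-drop with no proof and a disguised description that does fit you, can be triaged mechanically before an analyst spends time on them. The following is an added example, not IBM X-Force tooling: it scores constructed listings against a fictional airline's profile (name, industry keyword, headcount, valuation) and checks any "proof" sample the seller posted against hashes of customer records the organization actually holds. The company, the listing text, the thresholds and the verdict labels are all assumptions made for the demonstration.

```python
"""Triage of dark web listings against an organization's own profile.

Added example, not IBM X-Force code. The profile, the listings and the
'known customer' set are constructed inline; a real deployment would take
listing text from a monitoring platform and customer hashes from a store
the security team controls.
"""
import hashlib
import re
from dataclasses import dataclass


def hash_email(email: str) -> str:
    """Keep customer identifiers only as hashes so the triage tool never holds raw PII."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


@dataclass(frozen=True)
class OrgProfile:
    name: str                   # the brand a seller might name-drop
    industry: str               # keyword a disguised listing would use, e.g. "airline"
    employees: int
    valuation_usd: float
    customer_hashes: frozenset  # hash_email() of customer records we really hold


@dataclass(frozen=True)
class Listing:
    listing_id: str
    text: str                   # the seller's advertisement
    sample: tuple               # e-mails the seller posted as "proof"; empty if none


_MULT = {"k": 1e3, "m": 1e6, "b": 1e9}


def parse_disguised(text: str):
    """Pull headcount and valuation out of text such as
    'a company of ~12,000 employees worth $3B'. Missing values come back as None."""
    t = text.lower()
    emp = re.search(r"([\d,]+)\s*(?:employees|staff)", t)
    val = re.search(r"(?:\$|usd\s*)([\d.]+)\s*([kmb])?", t)
    employees = int(emp.group(1).replace(",", "")) if emp else None
    valuation = float(val.group(1)) * _MULT.get(val.group(2) or "", 1) if val else None
    return employees, valuation


def _within(actual: float, claimed, tolerance: float = 0.5) -> bool:
    """Sellers round and exaggerate, so accept a wide band around our real figure."""
    return claimed is not None and abs(actual - claimed) <= tolerance * actual


def fits_profile(profile: OrgProfile, text: str) -> bool:
    """Does a disguised 'company of X size in Y industry worth Z' description fit us?"""
    employees, valuation = parse_disguised(text)
    industry_hit = profile.industry in text.lower()
    # Require the industry plus at least one quantitative figure in range
    return industry_hit and (_within(profile.employees, employees)
                             or _within(profile.valuation_usd, valuation))


def sample_match_ratio(profile: OrgProfile, sample: tuple) -> float:
    """Fraction of the seller's proof sample that matches records we really hold."""
    if not sample:
        return 0.0
    hits = sum(1 for e in sample if hash_email(e) in profile.customer_hashes)
    return hits / len(sample)


def triage(profile: OrgProfile, listing: Listing) -> str:
    name_dropped = profile.name.lower() in listing.text.lower()
    if sample_match_ratio(profile, listing.sample) >= 0.5:
        return "confirmed"           # seller demonstrably holds our data: escalate
    if name_dropped:
        return "unverified"          # named us, but offered no proof or proof that isn't ours
    if fits_profile(profile, listing.text):
        return "possible-disguised"  # description fits us: have an analyst request a sample
    return "ignore"


def triage_all(profile: OrgProfile, listings) -> dict:
    return {item.listing_id: triage(profile, item) for item in listings}


# Constructed data for the demonstration (fictional company and addresses)
CONTOSO = OrgProfile(
    name="Contoso Airways", industry="airline", employees=12_000, valuation_usd=3e9,
    customer_hashes=frozenset(hash_email(e) for e in (
        "alice@example.com", "bob@example.net", "carol@example.org")),
)

LISTINGS = (
    # Name-drops us, but the "proof" is someone else's data (the travel-site case above)
    Listing("L1", "Contoso Airways full customer DB, 40M rows, PII + loyalty numbers.",
            ("dave@example.com", "erin@example.com")),
    # Disguised description that fits us, and two of three sample rows are real customers
    Listing("L2", "Selling data from an airline, ~12,000 employees, worth about $3B.",
            ("Alice@example.com", "bob@example.net", "frank@example.com")),
    # Unrelated victim
    Listing("L3", "Retail chain, 500 staff, USD 20M revenue. Full dump available.", ()),
    # Name-drop with no proof at all
    Listing("L4", "Contoso Airways breach - DM for proof", ()),
    # Disguised description that fits us, no sample yet: worth an analyst's follow-up
    Listing("L5", "Access + data from a US airline, ~11,500 employees. Price negotiable.", ()),
)

if __name__ == "__main__":
    for lid, verdict in triage_all(CONTOSO, LISTINGS).items():
        print(lid, verdict)
```

The ordering of the checks is the point: a matching sample outranks everything, because it is the only evidence a seller cannot fake with a press-release vocabulary, while a bare name-drop is filed as unverified rather than as an incident. The 50% band in `_within` and the 0.5 sample threshold are arbitrary starting values; tune them to how often your analysts see false positives.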
The ultimate value of putting resources toward dark web monitoring is not simply dispelling myths and seeing through cybercriminals' lies. Rather, with the right tools and team, organizations can turn the dark web into an early warning system, the canary in the coal mine that detects attacks before they do major damage.
Now, if an organization’s data or network entry points are being sold on the dark web, that does mean it has been compromised already. But sometimes that’s the earliest point at which an attack can be detected.
This is especially true today, when threat actors are increasingly adopting stealthier attack methods, such as taking over user accounts or even partnering with malicious insiders who abuse their legitimate permissions. We’ve seen access brokers on the dark web who claim to be employees, or partners with employees, of the companies they’ve compromised.
Attackers have also started to use minor, so-called "nuisance" malware to deliver bigger payloads, such as sneaking ransomware in through an infostealer. Once inside a network, they often "live off the land." That is, they use tools and accounts that are already present and legitimate, such as PowerShell and real user accounts, to move around the network and reach sensitive assets.
Standard network security tools often miss this activity because it doesn’t look malicious; it looks like authorized users and systems doing authorized things.
So, sometimes, it's not until data hits the dark web that anyone knows anything is amiss. By catching that data when it appears, organizations can take swift action to minimize the impact. They can reset the credentials of compromised accounts (and revoke the sessions and tokens issued to them, since a password change alone does not end an attacker's existing access) or shut down servers with known backdoors. The data dumps become worthless, and the full extent of the attack never materializes.
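Resetting "the credentials of compromised accounts" is only useful if you first work out which leaked rows actually expose a live account. The following is an added example, not IBM's code, of that triage step: it parses a constructed `email:password` dump of the kind sold as a combolist, discards rows for domains that are not yours and for users that do not exist, and then checks each remaining plaintext against the account's current salted PBKDF2 hash so that only accounts whose present password is now public go to the immediate-reset queue. The user directory, the hash parameters and the bucket names are assumptions for the demonstration; in practice the directory is your identity provider.

```python
"""Acting on a credential dump that has surfaced on the dark web.

Added example, not IBM code. The directory and the leaked 'combolist' are
constructed. The useful question is not "does the user appear in the dump?"
but "is the leaked password the one the account uses right now?", because
only then is the account actually exposed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # illustrative; production PBKDF2 work factors should be higher


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_directory(users: dict) -> dict:
    """Build a salted-hash directory from plaintext passwords (constructed test data only)."""
    directory = {}
    for email, pw in users.items():
        salt = os.urandom(16)
        directory[email] = {"salt": salt, "hash": hash_password(pw, salt)}
    return directory


def parse_combolist(text: str):
    """Yield (email, password) from 'email:password' lines; malformed lines are skipped.
    The password may itself contain ':', so split only on the first separator."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")
        yield email.strip().lower(), password


def triage_leak(directory: dict, leak_text: str, our_domains: set) -> dict:
    """Bucket every leaked row by the action it calls for. Never log the plaintexts."""
    actions = {"reset_now": [], "stale": [], "unknown_user": [], "foreign": []}
    for email, password in parse_combolist(leak_text):
        domain = email.rpartition("@")[2]
        if domain not in our_domains:
            actions["foreign"].append(email)       # not ours: record it, nothing to reset
            continue
        record = directory.get(email)
        if record is None:
            actions["unknown_user"].append(email)  # no such account (or already removed)
            continue
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            actions["reset_now"].append(email)     # current password is public: reset, revoke sessions
        else:
            actions["stale"].append(email)         # old password: lower priority, watch for reuse
    return actions


USERS = {  # constructed; plaintext like this exists only to build the demo directory
    "alice@contoso.example": "Winter2024!",
    "bob@contoso.example": "hunter2",
    "carol@contoso.example": "correct horse battery staple",
}
DIRECTORY = make_directory(USERS)

LEAK = """\
alice@contoso.example:Winter2024!
bob@contoso.example:oldpassword
zed@contoso.example:whatever
mallory@other.example:pass:word
carol@contoso.example:correct horse battery staple
garbage line without a separator
"""

if __name__ == "__main__":
    for bucket, emails in triage_leak(DIRECTORY, LEAK, {"contoso.example"}).items():
        print(bucket, emails)
```

Two practitioner caveats: use the constant-time `hmac.compare_digest` rather than `==` on hashes, and treat the "stale" bucket as more than noise, since a user whose old password leaked has often reused it elsewhere, which is exactly the valid-account path the X-Force numbers above describe.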
Achieving this level of monitoring requires more than buying some threat intelligence feeds or a self-service platform. It requires dedicated analysts who know what to make of all that data and how to find the threats cybercriminals are purposefully hiding. These analysts can interpret findings, add context, prioritize real risks and steer the organization toward effective action.