What is the dark web?

The dark web, defined

The dark web is the part of the web that exists on privacy-focused networks called “darknets.” It is hidden from standard search engines and web browsers, and requires special tools and configurations to access. While it is known for criminal activity—such as marketplaces for stolen data—it has legitimate uses, too.

The dark web is home to web pages, messaging channels, file-sharing networks and other services similar to the regular, or “open,” web. The difference is that dark web content resides on darknets, anonymous subsections of the internet with particular access requirements. Some darknets are invite-only. Others can be reached with the right network settings or software, such as the Tor browser. 

Anonymity is the major draw of the dark web. Dark web networks use methods such as multilayered encryption and indirect routing to hide users’ identities. Neither the people visiting dark websites nor the people hosting them can be easily identified.

Cybercriminals take advantage of this anonymity to cloak their illegal activities. Journalists, whistleblowers and everyday internet users can use the dark web to avoid being tracked by hostile governments, big businesses, advertising networks, predictive algorithms and other prying eyes.

Cybersecurity professionals also monitor the dark web as an important source of threat intelligence. They can see what hackers are up to, stay updated on cyberattack targets and techniques and track new and ongoing data breaches.  

Despite its association with illicit activity and illegal content, simply accessing the dark web is not necessarily illegal in many jurisdictions.


What is the darknet?

The darknet is the network infrastructure—the interconnected computers and other devices—that enables access to dark web content.

The terms “darknet” and “dark web” are often used as synonyms, much the same way that “internet” and “web” are used interchangeably. But technically, the internet is a network of connected devices, and the web is a layer of information (websites, apps and other services) that people can access through the internet. 

The same distinction holds for the darknet and the dark web. The darknet is the infrastructure, and the dark web is the content that is accessible through that infrastructure.

There are many different darknets, with the Tor network being the most famous. (For more information, see “What is Tor?”) Other darknets include the Invisible Internet Project (I2P) and Hyphanet. 

Most darknets are overlay networks, distinct subnetworks that exist within a larger network. That larger network is, typically, the internet itself. 

But darknets are insulated from the public internet, and users cannot easily reach them through regular browsers such as Google Chrome, Mozilla Firefox or Microsoft Edge. Users need special software, permissions or configurations to get on a darknet.

Many darknets, such as Tor, are run by volunteers and nonprofits, with people freely donating their own machines to act as network nodes. Others are decentralized peer-to-peer networks or invitation-only private networks.

One other thing makes darknets different from the broader internet and other overlay networks. Darknets intentionally hide users’ identities through multilayered encryption, onion routing and other methods. 


What is Tor?

Tor, short for “The Onion Router,” can refer to a network, a browser and an organization.

Tor network

The Tor network is one specific darknet that runs on thousands of volunteer-operated nodes. Websites on the Tor network are called “hidden services” or “onion services” and use the .onion domain.

Tor browser

The Tor browser is a privacy-preserving web browser that can access content on the Tor network. The Tor browser can also access regular web content while strengthening user anonymity. 

Tor Project

The Tor Project is the nonprofit organization that develops and helps maintain the Tor network, the Tor browser and other related tools and infrastructure. 

The Tor browser is perhaps the most popular dark web browser, but it’s not the only way to access the dark web. Nor is the Tor network the only network for dark web content. People sometimes treat Tor and the dark web like the same thing, but Tor is one darknet among many.

That said, understanding how Tor works can help shed light on how the dark web works in general.

The core principle of the Tor network is onion routing, which is how Tor masks IP addresses and keeps users anonymous. First developed by the US Naval Research Laboratory in the 1990s, onion routing applies multiple layers of encryption to traffic. These layers give the technique its “onion” name. 

Instead of routing users directly to their destination, onion routing sends them first through a series of intermediate nodes. Each node can decrypt only a single layer of the traffic’s encryption, so no individual node knows the traffic’s journey from beginning to end.  

Even the proprietors of darknet sites don’t know where their visitors are coming from, nor do visitors know where these sites are hosted. 

[Figure: How onion routing works. Diagram showing how Tor routes user traffic.]
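
The layering described above, as an added example that is not from the original article or the Tor Project: a toy Python model in which a client wraps a request in three layers and each relay peels exactly one. The relay names, pre-shared keys and SHAKE-256 stream cipher are assumptions for illustration and are not Tor's actual cryptography.

```python
import hashlib, hmac, json, os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-256 keystream XOR); a stand-in, not Tor's cryptography.
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: only the holder of `key` can read next_hop and inner."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    ct = _xor_stream(key, nonce, body)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def peel(key: bytes, blob: bytes):
    """Remove one layer; fails if the layer was not built for this relay's key."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer is not addressed to this relay")
    layer = json.loads(_xor_stream(key, nonce, ct))
    return layer["next"], bytes.fromhex(layer["inner"])

def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Client side: wrap from the exit relay outward, so the entry layer is outermost."""
    blob, next_hop = payload, destination
    for name, key in reversed(path):
        blob = wrap(key, next_hop, blob)
        next_hop = name
    return blob

def simulate(path, onion: bytes):
    """Relay side: each relay peels one layer and learns only the next hop."""
    learned, blob = {}, onion
    for name, key in path:
        next_hop, blob = peel(key, blob)
        learned[name] = next_hop
    return learned, blob

# Constructed sample: three hypothetical relays with pre-shared keys (an assumption).
PATH = [(name, os.urandom(32)) for name in ("entry", "middle", "exit")]
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
ONION = build_onion(PATH, "example.org", PAYLOAD)
LEARNED, DELIVERED = simulate(PATH, ONION)

if __name__ == "__main__":
    print(LEARNED)
```

Each relay's entry in `LEARNED` holds only its own next hop, and peeling the outermost layer with any other relay's key is rejected.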

The dark web, the deep web and the surface web: What’s the difference?

The dark web, deep web and surface web are three different parts of the web. The surface web is what users can find on any search engine. The deep web is hidden from search engines, but much of it can be accessed through any browser with the right authentication. Dark web content requires a special setup.

What is the surface web?

The surface web, also called the open web, is the part of the internet that gets indexed by regular search engines, such as Google and Bing. Social media sites, YouTube videos, public blogs and Amazon listings: All of these things are examples of surface web content.

The surface web is one of the smallest parts of the web, accounting for an estimated 5% of the content on the internet. 

What is the deep web?

The deep web is the part of the internet that search engines do not index—which encompasses most web content. The deep web does include the dark web, but most of the deep web is accessible through a regular web browser with default configurations: password-protected websites, paywalled news articles and private databases.

While the dark web is part of the deep web, they are distinct in important ways.

The dark web is the part of the deep web that exists on darknets. As such, it can be accessed only through dark web browsers, properly configured proxies or other means. Most deep web content can be reached from the open internet with the right credentials. The dark web intentionally anonymizes users, while the deep web does not. 

What is the dark web like?

The dark web looks a lot like the open web: discussion forums, news sites, marketplaces and more. Some surface websites—such as Facebook—even have official dark web versions.

Dark websites often have fewer bells and whistles than open websites, in part because darknet performance tends to be less reliable. Techniques such as onion routing preserve anonymity, but at the cost of slowing down connections. 

“You can think of the dark web as a chaotic alternative web ecosystem,” says Robert Gates, senior X-Force threat intelligence analyst at IBM. “It’s a stripped-down version of the ecommerce sites commonly found on the internet, with product pages, vendors and feedback. There are even some escrow services and rating systems, but these systems are often gamed by the sellers.”

Dark websites usually have long, complicated URLs, which can make them hard to remember. To navigate the dark web, users typically turn to dark web search engines or link lists such as the Hidden Wiki. 

Common types of dark websites include:

1. Marketplaces

Dark web marketplaces sell many things.

  • Malware, such as infostealers, loaders, Trojans and ransomware. Many cybercriminals use malware-as-a-service (MaaS) arrangements. MaaS gangs develop and maintain malware tools and infrastructure, which they sell to other hackers, known as “affiliates.” The affiliates use the malware to attack victims, often splitting their spoils with the MaaS gang. Ransomware as a service (RaaS) is especially popular. 

  • Other cyberattack tools and techniques, such as botnet rentals for DDoS attacks and phishing kits.

  • Access. Access brokers break into networks, usually by exploiting vulnerabilities and planting back doors, and then sell these access points to other cybercriminals.

  • Data such as stolen bank accounts, credit card details, login credentials and other sensitive information criminals can use to commit identity theft.  

  • Illegal goods, including counterfeit documents and illegal drugs.

Most dark web marketplace transactions use cryptocurrencies such as bitcoin to preserve the anonymity of buyers and sellers.

Launched in 2011, Silk Road is widely considered the first and most well-known darknet marketplace. In 2013, the FBI seized it and shut it down.

2. Dark web forums

Career cybercriminals and hobbyist hackers congregate in dark web forums, where they share tips, new vulnerabilities and intel on potential targets—and brag about their successes.

Cybersecurity pros watch these forums, too, to keep tabs on the cyberthreat landscape.

3. Data leak sites

Leak sites are where hackers flaunt the data they’ve stolen in breaches. Cybercriminals post samples of what they have and demand the victims pay a ransom—or else they will release the rest.

Some gangs maintain their own leak sites. Others have adopted a model called “extortion as a service,” where bigger gangs allow affiliates and allies to host stolen data on their sites. Using a bigger gang’s higher-profile leak site can put more pressure on victims to pay. As with other as-a-service arrangements, the bigger gang usually takes a cut of the ransom.

4. Legitimate dark web websites

Whistleblowers—whether reporting on corporations, government agencies or other institutions—often use dark web forums and messaging services to anonymously get their information to the public. 

Likewise, journalists often use dark web services to connect with sources who need anonymity. Activists can use the dark web to evade government censorship and surveillance.

Other dark websites are much more mundane. They’re social media sites, news sites and other typical services that use the dark web to help their owners and users avoid being tracked.

Dark web dynamics

In the absence of any legal or regulatory oversight, in a network where everyone is anonymous, the dark web operates on what Gates calls a “reputation economy.” Hackers and dealers use their past activities to build credibility. Many marketplaces feature review systems, and some offer escrow services to help ensure people get paid.

However, this reputation economy also gives cybercriminals incentive to lie to both their victims and one another. For example, they might claim to have stolen more impressive datasets than they really have in an attempt to drum up business, pressure victims or seem more accomplished. 

And with the advent of generative AI, they can make their lies even more convincing, creating fake data to make breaches appear bigger than they are. 

“They can feed an AI the documents and data they do have and say, ‘Expand on this set and make it look like a larger collection,’” Gates explains. “A lot of the data turns out to be fake, but you can’t really tell the difference.” 

And cybercriminals are not above pulling outright scams on one another. 

“We’ve seen cases where the admins of a particular forum do some sort of exit scheme where they’ve collected enough money and they just leave,” Gates says. “The market shuts down, and everybody’s at a loss as to what happened.”

The result of all this dirty dealing and double crossing is that the dark web experiences a significant amount of churn. Websites and cybercrime gangs appear and disappear all the time, partly because law enforcement agencies take them down, but often because they’re stabbing each other in the back.

“The balance of power is always shifting in the dark web,” Gates says. “Burned affiliates split off to form their own enterprises. Somebody’s ego gets in the way, or some sort of interpersonal conflict happens between them.”  

Is everything anonymous on the dark web?

While anonymity is the major draw of the dark web, there are ways to uncover a user’s identity. For example, by correlating the traffic someone sends to the Tor network with traffic to a particular site based on timestamps, law enforcement agencies and security professionals can hypothetically determine what that user is doing. 

Poisoned nodes—compromised nodes on a network that secretly surveil traffic—can also poke a hole in anonymity. Users can also betray their own identities by misconfiguring or improperly using a dark web browser or network. 

Why the dark web matters for cybersecurity

Dark web monitoring is a core component of many threat intelligence efforts. By keeping an eye on dark web forums and social networks, threat intelligence analysts can stay updated on the latest malware, vulnerabilities that are being exploited in the wild and other trends. 

Cybersecurity pros can also take advantage of the fallout from intergang rivalries, which often lead to hackers defacing one another’s websites, selling each other out or leaking source code. For example, in February 2025, a rival gang leaked the code for the latest version of the infamous LockBit group’s ransomware.

“It creates opportunities for the defenders,” Gates says. “Suddenly you have a lot of copycat software, but maybe their OPSEC or their understanding of how the malware itself works is not as proficient as the people that developed it. So maybe they don’t use it correctly.”

Defenders can then get their hands on the source code—or other leaked information—and study it themselves. 

Keeping a close eye on the dark web can also help cybersecurity teams identify hacks sooner. The sooner organizations know that a breach has happened, the sooner they can move to contain it. Every second matters, as it takes, on average, 241 days to identify and contain a breach, according to the IBM Cost of a Data Breach Report.

Author

Matthew Kosinski

Staff Editor

IBM Think
