To many, the dark web is shrouded in mystery. There’s a good chance I have friends (and maybe you do too) who think Reddit is part of the dark web or that the worst of the web is only accessible overseas. The reality? The dark web is an enormous part of an Underground Economy, full of forums and marketplaces where criminals conduct illegal activity, often anonymously and without interruption. As such, keeping a pulse on dark web forums is a key component in protecting your business, your customers, and yourself, disrupting adversary threats at the source.
In this post, we’ll cover what you need to know about dark web forums and how to integrate dark web forum monitoring into your external cybersecurity strategy.
Who and What Are Dark Web Forums (DWFs)?
The surface web is by far the most familiar and accessible portion of the internet. It is home to public-facing, searchable websites, yet it only contains 0.03% of all information on the WWW. The other 99.7% of the online world is what you’d call the deep and dark web; it’s comprised of restricted networks, web properties, content, and data and can’t be accessed using Google and other conventional search engines.
The dark web isn’t one single website, and it’s not typically accessible to users via the surface web. Instead, the dark web consists of a network of underground marketplaces, forums, and encrypted chat channels.
Specifically, the dark web includes all of the content that exists on darknets, overlay networks that use the internet but can only be accessed by specific browsing software, authorizations, and encryption. Most darknets are small peer-to-peer (P2P) networks, but there are also larger, well-known darknets like Tor, Freenet, and I2P.
A dark web forum (DWF) is a forum or platform where members can freely discuss illegal activity. Often, these criminal activities involve the sale of PII, illicit goods, or drugs; corporate espionage; plans of physical violence; vulnerabilities and phishing kits; and even human trafficking or child pornography. Dark web forums can also be the site of dark web marketplaces for the transactions of illegal or illicit actions.
People often become confused about the dark web vs. dark web forums and marketplaces. For example, during the fall of the Silk Road marketplace in 2013, media outlets repeatedly used the term “Dark Web” in reference to the Tor network on which Silk Road was hosted, and which can only be accessed using the encrypted Tor browser. As a result, many people believe that the Tor browser is the dark web or a dark web forum, when in reality, it’s only one small part of it.
Who is Behind Dark Web Forums?
Often, dark web forums are not owned by a singular entity and are incredibly resilient. They may be owned by individuals, crime groups, or nation-states who are seeking to cause harm.
Dark web forums can be owned and run by anyone. Dark web vendors (and the marketplaces where they operate) take advantage of the encryption and anonymity provided by hidden darknets like The Onion Router (TOR), I2P, and ZeroNet to hide their illicit activities from the FBI or other law enforcement and escape accountability for their actions.
In many cases, when a dark web forum is removed or taken down by law enforcement, it resurges under a new name. This is similar to the actions of ransomware operations.
How do Dark Web Forums (DWFs) Work?
Similar to Reddit-style forums, dark web forums typically consist of a series of subsites for specific topics. These topics may include the sale of personal information (PII), sale or access to malware-as-a-service software, plans for physical attacks, and other nefarious activities.
Dark web forums are hosted on darknets, sometimes only accessible through specific encrypted web browsers. These are largely unmoderated communities with international subscribers or accounts. Law enforcement agencies may attempt to monitor these forums, but are often unable to keep up with the sheer volume of information being posted on a daily basis.
Can You be Tracked on Dark Web Forums?
On the surface web, users are often tracked by website cookies. These cookies track your site visits to better understand and target consumers with ads. But, since the dark web doesn’t function on the surface web, people often have the misconception that they aren’t being tracked.
Your ISP may not be able to track your actions on the dark web, but it can track you to the TOR entry node. Meaning that although your router might not see what you’re doing, it knows you have entered the dark web.
That brings us to another level of tracking. In truth, bad actors can track you on the dark web. Cybercriminals may track your online movement without your knowledge through malware or other points of entry. So, while you may be free of tracking from your ISP on the dark web, there’s a myriad of others who may have eyes on you.
Are DWFs Here to Stay?
Just as crime is here to stay, dark web forums aren’t going anywhere any time soon. Unfortunately, it is often the case that when one dark web forum is removed or shut down, another becomes available.
It’s important to note: accessing darknets using specialized software like the TOR browser is completely legal in the United States. With that being said, users can always face legal consequences for crimes they commit on the internet, including things like purchasing illicit drugs, accessing banned content, and engaging in piracy or fraud.
What Are Some Popular Dark Web Forums?
The ZeroFox Dark Ops team has provided insights on five of the most popular dark web forums and marketplaces in 2022.
Primarily Russian-language deep and dark web forum with a large community of users from CIS countries. Next to Exploit, this is the most serious underground hacker community, knowledgeable in a wide variety of malicious tools, hacking, initial access brokering, data exfiltration, ransomware, etc.
Almost exclusively Russian-language deep and dark web forum with layered tiers of membership based on forum clout. Topics in higher tiers are considered very sensitive where the most well-regarded actors coordinate, including potential nation state actors/groups. This forum is more collaborative with regard to the development of malicious tools, initial access actors, and ransomware actors, but the majority of this communication takes place off-forum in various encrypted chat services. Fewer data and malicious tools sales than XSS, but contains probably the most sophisticated group of threat actors on the planet.
Successor to the now defunct RaidForums, Breached contains a large variety of threat actors, both in sophistication and areas of expertise. The majority of this forum are unsophisticated threat actors (aka script kiddies), that rely on the knowledge and tools of others to carry out malicious attacks. This forum easily contains the largest public trading, sharing and selling of compromised data of any other DDW forum/Marketplace. Since the arrest of the former admin of RaidForums (Omnipotent), Breached is run by a highly respected admin, who enforces arguably better security protocol and has over 134,000 users, as of writing.
Genesis Market is among the more reputable and popular automated marketplaces selling access to data derived from infected devices.Genesis maintains its edge over other botnet marketplaces by providing some logs that update themselves in real time, meaning that if a victim changed their password their updated credentials would be sent to the person who purchased the botnet log.This is accomplished through tools offered to members in the form of their private browser and browser plugin-in that makes it possible for the buyer to imitate the digital signature of the victim’s device.
Russian Market (AKA russianmarket[.]gs) is a large well-regarded Deep Web forum similar to Genesis Market, both of which broker in botnet logs. Russian Market, in addition to selling malware logs, also brokers compromised carding data, RDP (remote desktop protocol) instances, credential stuffing malware, and other similar offerings.
How to Stop Dark Web Forums from Endangering Your Digital Security
Dark web forums pose a risk to businesses and people alike. Shedding light into the activities on these forums is an important part of threat intelligence. However, gaining access to these forums may prove challenging for security teams without experience in dark web intelligence. Additionally, there are thousands of data points in the dark web to monitor, which can quickly become a Herculean task. Dark web monitoring is a key component of proactive external cybersecurity.
ZeroFox Dark Ops team can help take the guesswork out of dark web monitoring. You’ll be able to leverage information from the dark web to find leaked information and attacks before they happen. Learn more about trends in the dark web in our recent paper, Fact vs. Fear.