Threat Landscape Glossary

Dark Web

Also called the Darknet: the encrypted, anonymous part of the internet (Tor/.onion) where illegal marketplaces, stolen credentials, and ransomware-as-a-service are concentrated. In German-speaking countries, "Darknet" is the more common term.

The Dark Web refers to encrypted networks that cannot be accessed via conventional browsers and require special software. It is part of the "Deep Web"—all content not indexed by search engines—but with a particular focus on anonymity.

Technical Basis: Tor Network

The most well-known Dark Web network is based on Tor (The Onion Router). The principle:

  1. Data is encrypted multiple times (like onion layers)
  2. Each packet passes through at least 3 Tor nodes (Entry Guard, Middle Relay, Exit Node)
  3. No single node knows both the sender and the recipient
  4. .onion addresses are Tor-specific domains (cannot be resolved via DNS)
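The layering principle in points 1 to 3, as an added toy simulation (not code from the original page or from the Tor project): the client wraps a message in one encrypted layer per relay, and each relay can remove only its own layer and learns only the next hop, so no single relay sees both sender and recipient. The stream cipher (HMAC-SHA256 in counter mode), the JSON layer layout and the relay names and keys are assumptions chosen for illustration, not Tor's actual circuit protocol.

```python
import hashlib
import hmac
import json
import os
# Toy onion routing (assumed cipher: HMAC-SHA256 in counter mode; assumed JSON
# layer layout). Illustrative only, not Tor's real circuit protocol.

def keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def wrap(inner, key, next_hop):
    """Add one layer: encrypt (next_hop, inner) under a single relay's key."""
    nonce = os.urandom(8)
    plain = json.dumps({"next": next_hop, "payload": inner.hex()}).encode()
    return nonce + xor(plain, keystream(key, nonce, len(plain)))

def unwrap(layer, key):
    """Peel one layer; only the holder of `key` recovers next hop and payload."""
    nonce, ct = layer[:8], layer[8:]
    obj = json.loads(xor(ct, keystream(key, nonce, len(ct))))
    return obj["next"], bytes.fromhex(obj["payload"])

def build_onion(message, circuit, dest):
    """Client: wrap the exit layer first, the entry guard layer last."""
    next_hops = [name for name, _ in circuit[1:]] + [dest]
    onion = message
    for (_, key), nxt in reversed(list(zip(circuit, next_hops))):
        onion = wrap(onion, key, nxt)
    return onion

def route(onion, circuit):
    """Relays: each peels its own layer and learns only the next hop."""
    seen = []
    for name, key in circuit:
        nxt, onion = unwrap(onion, key)
        seen.append(f"{name} -> {nxt}")
    return seen, onion  # plaintext the exit node forwards to the destination

def relay_can_read(layer, key):
    """False when `key` does not match this layer: decryption yields garbage."""
    try:
        unwrap(layer, key)
        return True
    except (ValueError, TypeError, KeyError):
        return False
```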

In addition to Tor, other anonymous networks exist: I2P (Invisible Internet Project), Freenet, and ZeroNet.

The Dark Web from a Security Perspective

What Attackers Trade There

Stolen Credentials: Following data breaches, email/password combinations often appear on Dark Web marketplaces within hours. Prices: €0.50–€10 per account. High-value corporate VPN access credentials are traded for €500–€5,000.

Stealer log records: Info stealers (RedLine, Vidar, Raccoon, LummaC2) collect the following from infected systems: browser-stored passwords, session cookies, cryptocurrency wallets, and VPN credentials. These "logs" are sold on the Dark Web.

Initial Access Brokers (IABs): Specialized criminal actors who sell network access (VPN credentials, shell access, RDP access) to ransomware groups. This division of labor reflects the professionalization of the cybercriminal ecosystem.

Ransomware-as-a-Service (RaaS): Ransomware groups operate platforms where affiliates rent the malware, carry out attacks, and split the ransom proceeds. LockBit, ALPHV/BlackCat, Cl0p—all had .onion presences.

Leaked Data Sites (Extortion Sites): Ransomware groups operate .onion sites where they publish stolen data from victims who do not pay—double extortion.

Zero-Day Exploits: Exploits for previously unknown, unpatched vulnerabilities are traded for large sums (€100,000–€1,000,000+). Buyers: state actors, exploit brokers such as Zerodium.

Dark Web Monitoring as a Security Measure

What Companies Should Monitor:

  • Their own email domains in credential dumps
  • Company names in ransomware leaks
  • Their own IP addresses in lists of compromised systems
  • VPN access credentials and domain controller credentials

Services:

  • Have I Been Pwned (HIBP): Checks email addresses against known data breaches (free for the public, enterprise API requires a fee)
  • Flare, SpyCloud, Recorded Future: Commercial platforms for continuous dark web monitoring
  • Kela, DarkOwl: Specialized threat intelligence from the dark web

Value of Monitoring: A company that learns that employees’ VPN credentials have appeared on the dark web can act immediately: reset passwords, invalidate sessions, enforce MFA—before an attacker uses the credentials.

The Dark Web and Legitimate Use

The dark web is not exclusively a criminal space:

  • Journalists and activists: Communication in repressive regimes via SecureDrop (.onion)
  • Whistleblowers: Secure transmission of documents (WikiLeaks .onion mirror)
  • Law enforcement: Undercover operations, marketplace takeovers (Hive Takedown 2023 by FBI/Europol)
  • Security research: Threat intelligence, malware sample collection

Accessing the Dark Web per se is legal in Germany. The following are punishable:

  • Purchase/sale of illegal goods and services (drugs, weapons, stolen data)
  • Operation of criminal services
  • Downloading illegal material

Security researchers who visit Dark Web sites for research purposes operate in a gray area—clear criminal liability arises only upon the active consumption of illegal content or transactions.

For Businesses: What to Do

  1. Implement Dark Web monitoring: Continuously check whether your own credentials have been compromised
  2. Enable MFA: Stolen passwords alone are then insufficient for access
  3. Plan an incident response: What happens if company credentials surface?
  4. Train employees: Do not use company email for personal services (prevents credential overlap)