Threat Intelligence Glossary

Darknet

The part of the internet that is accessible only through specialized software (Tor, I2P) and offers anonymity. Stolen data, malware, login credentials, and cybercrime-as-a-service offerings are traded on the dark web. Relevant for businesses: Monitoring whether their own data is circulating on the dark web.

The Darknet is not the mystical "dark internet" of pop culture—it is a technical reality that security teams need to be aware of. Ransomware groups operate their leak sites there, stolen credentials are sold on marketplaces, and cybercrime-as-a-service offerings are available to anyone.

Clearnet, Deep Web, Darknet – Differences

These three terms are often confused, but they describe fundamentally different parts of the internet:

Clearnet (Surface Web): Publicly accessible and indexed by Google – Wikipedia, news sites, online stores. Accounts for approximately 5% of the entire internet.

Deep Web: Not indexed by search engines, but used legitimately—banking portals, email accounts, Netflix. No Tor required; standard browsers suffice. Accounts for approximately 90% of the internet.

Darknet (Dark Web): Intentionally hidden, requires special software such as Tor (.onion domains) or I2P. Used for legitimate purposes (freedom of the press, whistleblowers) but also for illegal activities (cybercrime, drug trafficking, data trafficking). Accounts for approx. 5% of the internet.

Tor Network: Technical Basics

Tor (The Onion Router) routes connections through a network of over 7,000 volunteer relay nodes worldwide. Each connection is routed through three nodes, each of which knows only its upstream and downstream nodes. The multi-layered encryption—like the layers of an onion—ensures that no single node knows both the source and destination of a connection:

User → Entry Guard → Middle Relay → Exit Node → Destination

.onion domains are accessible exclusively within the Tor network. They consist of a 56-character cryptographic address followed by .onion. Even Facebook officially operates a Tor mirror at facebookwkhpilnemxj7ascrwwwg6zfznzf5jnqlkbqeybmklnwf5ad.onion.
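What "cryptographic address" means here, as an added example that is not part of the original article: under the Tor v3 onion service specification, the 56-character label is the base32 encoding of a 32-byte Ed25519 public key, a 2-byte checksum and a version byte, so an address pulled from a report or feed can be checked for typos and truncation before it is stored as an indicator. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"


def onion_checksum(pubkey: bytes, version: bytes = ONION_V3_VERSION) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the .onion hostname for a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION  # 35 bytes
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def is_valid_onion_v3(host: str) -> bool:
    """True if host is a well-formed v3 .onion name with a matching checksum."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")].split(".")[-1]  # ignore any subdomain
    if len(label) != 56:  # 35 bytes * 8 bits / 5 bits per character
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # also covers binascii.Error for non-base32 characters
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    return version == ONION_V3_VERSION and checksum == onion_checksum(pubkey)


# Constructed sample: 32 arbitrary bytes, not the key of any real service.
# Only the address encoding is checked, not whether the key is a valid curve point.
SAMPLE_ADDRESS = encode_onion_v3(bytes(range(32)))

if __name__ == "__main__":
    print(SAMPLE_ADDRESS, is_valid_onion_v3(SAMPLE_ADDRESS))
```

Because the version byte is always 0x03, every valid v3 label ends in the letter "d".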

What is traded on the dark web

Stolen login credentials

  • Combo lists: Millions of email/password combinations from data breaches
  • Corporate VPN access: €500 to €10,000 per company
  • Admin credentials for servers: €1,000 to €50,000
  • Session cookies (stolen browser sessions): €5 to €100

Credit card data

Carding shops sell stolen credit card data with complete additional information (Fullz) for €1 to €20 per card, depending on the credit limit and bank.

Malware and Exploit Kits

  • Ransomware-as-a-Service (RaaS): Established groups such as LockBit and BlackCat
  • Initial Access Brokers: Sell access to compromised companies
  • Zero-day exploits: €50,000 to over €2,000,000, depending on the target

Cybercrime-as-a-Service

  • DDoS attacks: starting at €50 per hour
  • Phishing kits: €100 to €1,000 (ready-made phishing sites)
  • Money Mule Networks: Money laundering as a service

Ransomware leak sites

Ransomware-as-a-Service groups operate their own leak sites where they publish stolen data to put pressure on victims: "Pay up or we’ll publish everything." These sites are continuously indexed by threat intelligence services.

Darknet Monitoring for Businesses

Why Darknet Monitoring?

Early monitoring makes it possible to detect compromised credentials before attackers exploit them, identify signs of ongoing attack preparation, and detect your own data in circulation before an attack occurs.

What is monitored?

  • Email addresses and passwords for your own domains
  • Company names on marketplaces and leak sites
  • IP ranges and domains in botnet sales
  • Mentions of the company in hacker forums

Tools and Services

Commercial Solutions:

| Provider | Features |
| --- | --- |
| Recorded Future | Enterprise-grade, global threat intelligence |
| Digital Shadows (ReliaQuest) | Comprehensive external risk management |
| Flare.io | Suitable for SMEs, good value for money |
| Cyble Vision | Broad darknet coverage |

HIBP Enterprise (HaveIBeenPwned): Domain-wide breach monitoring with alerts when emails from your own domain appear in a breach.

Free Options (Limited):

  • HIBP.com for individual email addresses
  • Breach Directory (CSV-based)
  • IntelligenceX for darknet search

Internal Research (OSINT)

Darknet monitoring is legal in Germany. Accessing and reading darknet content is not a criminal offense; downloading or using stolen data, however, is. Conducting your own research requires the Tor Browser. Without the necessary prior knowledge it is easy to make mistakes, so professional services are the better choice for most companies.

Initial Access Brokers – A Specific Threat

What is an Initial Access Broker (IAB)?

Initial Access Brokers are specialized attackers who compromise and sell access to corporate networks rather than carrying out ransomware or other attacks themselves. Their customers include Ransomware-as-a-Service groups, APT actors, and other criminals.

How do IABs obtain access?

  • Phishing: Credentials are stolen
  • Exposed RDP: Brute-force attacks on publicly accessible RDP services
  • VPN vulnerabilities: CVEs affecting Pulse Secure, Citrix, Fortinet, and others
  • Stealer malware: Installed on endpoints, exfiltrates credentials

Prices for corporate access

| Company size | Price range |
| --- | --- |
| Small business (50 employees) | €500 - €5,000 |
| Mid-sized business (500 employees) | €5,000 - €50,000 |
| Enterprise (Fortune 500) | €50,000 - €500,000+ |

Detection indicators

  • Unknown VPN logins from unusual countries
  • New devices in conditional access logs
  • Stealer malware on endpoints: signs of credential exfiltration

Once a ransomware group has bought access, an average of 5–7 days (RansomHub, 2024) elapses before ransomware is deployed: reconnaissance comes first, then the actual attack.
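The first two detection indicators above, turned into a check over VPN sign-in logs, as an added example that is not part of the original article. The log format, field names and sample events are constructed assumptions; map them to what your VPN gateway or identity provider actually records.

```python
import json
from collections import defaultdict

# Constructed sample events (JSON lines); not taken from any real system.
SAMPLE_LOG = """\
{"ts":"2024-05-02T07:58:10Z","user":"a.meier","country":"DE","device_id":"LT-0412","result":"success"}
{"ts":"2024-05-03T08:01:44Z","user":"j.schulz","country":"DE","device_id":"LT-0099","result":"success"}
{"ts":"2024-05-06T09:15:02Z","user":"j.schulz","country":"AT","device_id":"LT-0099","result":"success"}
{"ts":"2024-05-08T08:03:27Z","user":"a.meier","country":"DE","device_id":"LT-0412","result":"success"}
{"ts":"2024-05-09T02:41:05Z","user":"a.meier","country":"RO","device_id":"UNKNOWN-7F3A","result":"failure"}
{"ts":"2024-05-09T02:47:19Z","user":"a.meier","country":"RO","device_id":"UNKNOWN-7F3A","result":"success"}
{"ts":"2024-05-10T10:12:33Z","user":"j.schulz","country":"AT","device_id":"LT-0099","result":"success"}
{"ts":"2024-05-10T16:30:00Z","user":"j.schulz","country":"DE","device_id":"LT-0150","result":"success"}
"""


def find_suspicious_logins(log_text, baseline_until):
    """Flag successful logins after baseline_until that come from a country
    or device the user never used during the baseline period."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    countries, devices = defaultdict(set), defaultdict(set)
    # Learn only from the baseline window, so a flagged login never
    # whitelists itself for later sessions.
    for e in events:
        if e["result"] == "success" and e["ts"] <= baseline_until:
            countries[e["user"]].add(e["country"])
            devices[e["user"]].add(e["device_id"])
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # same-format UTC strings sort correctly
        if e["result"] != "success" or e["ts"] <= baseline_until:
            continue
        reasons = []
        if e["country"] not in countries[e["user"]]:
            reasons.append("new_country")
        if e["device_id"] not in devices[e["user"]]:
            reasons.append("new_device")
        if reasons:
            # Valid credentials used from a new country AND a new device is
            # the pattern to expect when stolen or resold access is first used.
            severity = "high" if len(reasons) == 2 else "medium"
            alerts.append({"ts": e["ts"], "user": e["user"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG, "2024-05-07T23:59:59Z"):
        print(alert)
```

A user with no logins in the baseline window is flagged on both counts at first sign-in, which is the conservative default for newly provisioned accounts.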

Darknet Use in Germany

| Activity | Legal status |
| --- | --- |
| Downloading and using Tor | Legal |
| Accessing darknet sites (reading) | Legal |
| Downloading/using stolen data | Illegal (§202a StGB) |
| Purchasing/using exploit kits | Illegal |
| Child pornography, drugs, weapons | Serious criminal offenses |

For Businesses

  • Darknet monitoring by service providers: Legal
  • Checking for your own stolen data on leak sites: Legal
  • Paying ransom: Legal in Germany, but must be reported to BaFin
  • Ransomware payments to sanctioned groups: Illegal – OFAC sanctions also apply to EU companies