Fighting cybercrime requires visibility into much more than just the Dark Web. Here’s where to look and a glimpse of what you’ll find.
The now-shuttered DeepDotWeb, which was a uniquely centralized and trusted repository of Dark Web links and information, had long made it easier for threat actors — and consequently, law enforcement and other defenders — to keep track of which Dark Web sites are active, and where. The repository’s takedown left a void that no comparable alternative seems to be able to fill, at least for the near future.
There are other sites, known as hidden wikis, that can appear to be comprehensive directories and are often referred to as such by defenders. In reality, they tend to be little more than human-assembled catalogs that harken back to the early days of the Internet. All this volatility is largely why threat actors who operate on the Dark Web also typically frequent a number of other channels.
It’s also why fighting cybercrime requires visibility into much more than just the Dark Web. Contrary to popular belief, the Dark Web accounts for just a minor subset of the many online venues that facilitate cybercrime. Even if the Dark Web were somehow to be eliminated, its absence would simply cause threat actors to rely more heavily on the various other online venues in which many, if not most, already operate.
Encrypted chat platforms are one such venue — and in fact, they support far more illicit activity than any other, including the Dark Web. Threat actors are increasingly using platforms such as Telegram and Discord, among many others, to communicate more securely and to share mirrors, which are sites that contain nearly identical information but are hosted on different URLs. If one URL faces downtime for any reason, the secondary URL acts as a backup to help minimize operational disruption and consequential profit losses.
Mirrors, Services, and Uptime
It’s important to note that threat actors generally aren’t using mirrors to attract new clients but to provide services and additional uptime to existing clients in the event that the original site is down for reasons such as a distributed denial-of-service (DDoS) attack or law enforcement action through the often-enhanced security and privacy afforded by encrypted chat platforms. In most cases, mirrors are only distributed to select clients or groups. While this practice doesn’t typically present material issues for more-tenured threat actors, it does — and is intended to — make it more difficult for law enforcement and other defenders to locate and monitor these sites.
Another venue popular among attackers is the Deep Web, which refers to the broad swath of sites conventional search engines cannot access, including, but not limited to, the entirety of the Dark Web. But unlike much of the Dark Web, the myriad illicit communities that exist elsewhere on the Deep Web are password-protected and highly exclusive. A number of these communities, including popular platforms for fraud, are located on Deep Web forums supported by bulletproof hosting services in countries unlikely to respond to law enforcement subpoenas.
Other online venues for cybercrime include decentralized marketplaces such as Joker’s Stash, a longtime fixture of the stolen payment card ecosystem. Rather than using the Dark Web’s Tor network, these types of marketplaces rely on blockchain-DNS (BDNS), which is a peer-to-peer network that helps administrators keep their sites online during attempted takedowns or DDoS attacks. And because there are technical barriers to entry that may deter novice threat actors, BDNS-hosted sites tend to be more popular among tenured threat actors.
The Geography Factor
The online venues in which threat actors operate are also heavily influenced by geography. Cybercrime is global and while the Dark Web is viable for most threat actors based in Western countries, Internet infrastructure in certain other regions is less conducive to accessing the Dark Web. For example, mobile networking has a high adoption rate in countries such as Brazil, largely because of the relatively low costs of mobile phones compared with computers. Usage of mobile applications for daily communication is also high throughout the region, as is the availability and uptime of major applications, including encrypted chat platforms frequented by threat actors around the world.
For defenders, an obvious challenge in combating cybercrime is figuring out where, if not solely the Dark Web, threat actors are operating. But just as most people, in general, use different communication channels for different interactions, so do threat actors. Much of it comes down to what a threat actor is seeking to accomplish. For example, threat actors who operate decentralized marketplaces outside the Dark Web often run targeted advertisements on the Dark Web in order to attract new customers. Threat actors seeking guidance on carrying out fraud, meanwhile, may be more likely to visit the various Deep Web forums that offer fraud tutorials.
Above all else, it’s important to recognize that while the Dark Web is integral to facilitating cybercrime and other illicit activity, much more of the threat landscape exists elsewhere on the Internet. While the recent Dark Web takedowns shine additional light on threat actor behavior and will likely have a sizable impact on the underground drug trade, they are unlikely to curb the plethora of other illicit activities that occur online — particularly the development of new malware. Combating such activity requires defenders to be agile and realistic about the many ways and venues in which threat actors operate.
Ian W. Gray is Director of Americas, Research and Analysis, at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime … View Full Bio