In late 2025, Proton launched a Dark Web Data Breach Observatory and immediately began tracking something that most people do not know about themselves: their data. Within the first weeks of operation, the observatory had catalogued nearly 800 breaches involving more than 300 million records — credentials, financial data, personal identifiers — available for purchase on hidden networks that ordinary browser users never see and search engines never index. The data in those records belongs to real people who did nothing wrong. They signed up for services that were later breached, and their information was sold to cybercriminals who use it to conduct account takeovers, commit identity fraud, target phishing campaigns, and access corporate networks as if they were legitimate employees.
The dark web is simultaneously one of the most misunderstood and most consequential parts of the internet. It is misunderstood because it is most often described in the most dramatic possible terms — a lawless digital underworld of hitmen, hackers, and horrors — that obscure what it actually is and how it actually threatens ordinary people. It is consequential because its criminal economy is directly linked to the breaches, frauds, and ransomware attacks that affect hundreds of millions of people and billions of dollars of economic value every year. Over 703 million personal data records were discovered on dark web marketplaces in 2024, a 28 percent increase from 2023. Around 65 percent of active cybercriminals use dark web data in their attacks. Approximately 90 percent of cyberattacks involve credential theft or abuse of stolen credentials — and the marketplace for those credentials is the dark web.
Understanding the dark web is not about knowing how to access it. Most people never should, and there are few legitimate reasons to do so. Understanding the dark web is about knowing what it is, how it operates, what is sold there, how your data ends up on it, and what you can do to monitor and reduce the risk that the dark web poses to your accounts, your finances, and your identity. This guide covers all of it — honestly, accurately, and without either sensationalising a complex reality or understating a genuine threat.
The Three Layers of the Internet: Surface, Deep, and Dark
The confusion between the dark web and the deep web is so common that it is worth clearing up before anything else — because conflating them produces a distorted picture of both the scale and the nature of the risk.
The surface web is the internet most people use every day: everything that can be found through a search engine, accessed without authentication, and indexed by Google, Bing, or any other crawler. News sites, social media, e-commerce, Wikipedia, YouTube, this article — all of this is surface web. Despite being the portion of the internet that feels most expansive to ordinary users, the surface web represents roughly 4 to 5 percent of all internet content. It is the smallest layer by volume, though the most visible.
The deep web is simply everything that search engines cannot index — and it is enormous. Your email inbox is deep web: Google cannot crawl it. Your bank’s account portal is deep web. Your company’s internal document management system is deep web. Netflix’s streaming library is deep web. Academic databases, medical records systems, government databases, corporate intranets — all deep web. The deep web represents approximately 95 percent of all internet content, and the vast majority of it is entirely mundane, legitimate, and necessary for modern digital life. The deep web is not inherently dangerous or illicit; it is simply unindexed.
The dark web is a small subset of the deep web — approximately 0.01 percent of all internet content — that is hosted on overlay networks designed specifically for anonymity. These networks require specialised software to access and are deliberately engineered to make it difficult to identify the servers hosting content or the users accessing it. The Tor network (The Onion Router) is by far the most widely used dark web infrastructure; I2P (Invisible Internet Project), Freenet, ZeroNet, and Lokinet are smaller alternatives with different architectural approaches. The dark web is not the same as the deep web — the deep web is simply unindexed, while the dark web is actively hidden using anonymisation technology. This distinction matters enormously for understanding the risk profile of each.
How the Tor Network Works: Anonymity Through Onion Routing
Understanding why the dark web is both resilient to law enforcement and attractive to privacy-conscious users requires understanding the technical architecture that makes it work. Tor — originally developed by the US Naval Research Laboratory in the mid-1990s for secure government communications, and released as an open-source project in 2002 — provides anonymity through a technique called onion routing.
When a Tor user requests a web page, the request does not travel directly from their device to the destination server. Instead, it is wrapped in multiple layers of encryption and routed through a series of volunteer-operated relay nodes — typically three: an entry node, a middle relay, and an exit node. Each relay in the chain knows only the identity of the node before it and the node after it. The entry node knows who the user is but not what they are requesting. The exit node knows what is being requested but not who is requesting it. No single node in the chain has the complete picture. The destination server sees the exit node’s IP address, not the user’s. This is the “onion” metaphor: each layer of encryption is peeled away at each relay, like the layers of an onion, until the final layer is removed at the exit node to reveal the actual request.
Dark web sites — those hosted on the Tor network rather than merely accessed through it — use “.onion” addresses that are not registered with any domain registrar and cannot be resolved by standard DNS. They are cryptographic hashes of the site’s public key, meaning the address itself is proof of the site’s identity. Accessing a .onion site keeps both the user’s and the server’s location hidden: the server does not know where users are connecting from, and users do not know where the server is physically located. This bidirectional anonymity is what makes .onion sites particularly difficult for law enforcement to locate and shut down, even when their activities are known.
By early 2026, Tor’s daily user base had grown to more than 3 million — up from approximately 2 million a few years prior. The growth reflects two distinct trends: increasing use by privacy-conscious individuals, journalists, activists, and citizens in countries with internet censorship, and increasing use by criminal actors taking advantage of the same anonymity infrastructure for commercial purposes. The United States leads the world in dark web traffic, contributing approximately 20 percent of global Tor entry relays. Russia and Germany follow at approximately 12 and 9 percent respectively. Users from politically censored countries including Iran, Russia, and China comprise a significant share of non-criminal traffic — a reminder that the same anonymisation technology serves both oppressive governments’ critics and criminal enterprises simultaneously.
What Is Actually on the Dark Web
The popular image of the dark web as a place where you can hire assassins, purchase nuclear materials, and access content too disturbing to describe is shaped more by media coverage of edge cases than by the statistical reality of what is actually there. The actual composition of dark web content is both more mundane and, in some ways, more directly threatening to ordinary people than the dramatic version suggests.
The number of actively operational .onion websites grew by 44 percent year-over-year in 2025, reaching approximately 30,000 — though many of these are short-lived or intermittently operational. Approximately 60 percent of all dark web websites engage in illegal activities or contain stolen data. The most significant categories by volume are not hitman-for-hire services or exotic illegal goods — they are leaked data and illegal file sharing. Around 29 percent of dark web content involves illegal file sharing. Approximately 28 percent consists of leaked data. Financial fraud-related content represents another significant share. Drug marketplaces are active but represent a smaller fraction of overall content than popular perception suggests.
Stolen credentials and personal data are the dark web’s most commercially significant commodity in terms of direct impact on ordinary people and organisations. Over 703 million personal data records were found on dark web marketplaces in 2024. The 15 billion stolen credentials estimated to be circulating across dark web forums and markets represent accumulated inventory from years of data breaches — and they are the primary raw material for the credential stuffing attacks, account takeovers, and targeted intrusions that affect millions of people annually. Individual credential sets — a username and password combination, often with associated personal information — sell for very small amounts: sometimes less than a dollar each in bulk. Their value is volume and freshness: recently breached credentials from active accounts command premium prices; older credentials from inactive accounts sell cheaply.
Financial fraud instruments include stolen payment card data, compromised bank account access credentials, and fraudulent identity documents. Approximately 60 million compromised credit card details were estimated to be on the dark web in 2022, fed by physical card skimming devices and e-commerce breaches. Dark web marketplaces specialise in “fullz” — complete identity packages including name, date of birth, Social Security or national ID number, address history, and payment card details — used by fraudsters to open new accounts, apply for loans, or commit tax fraud in the victim’s name. The price of a fullz varies based on the country of origin and the credit score of the associated individual: US fullz for individuals with high credit scores command higher prices than those for individuals with poor credit histories, reflecting their utility for obtaining larger fraudulent credit lines.
Malware and hacking tools have been transformed by the Cybercrime-as-a-Service model into a comprehensive catalogue of ready-to-deploy attack capabilities. Ransomware-as-a-Service platforms, phishing kit templates, credential harvesting tools, exploit code for known vulnerabilities, and access to compromised corporate networks are all available for purchase or rent on dark web forums. In 2025, markets for cybercrime-as-a-service were estimated to generate around $700 million annually. AI-based tools for automatic phishing kit generation have begun appearing in dark web advertisements, reflecting the same AI capability expansion that is transforming other technology sectors — except in this case applied to the automation of criminal attack infrastructure. Smaller threat actors can now access sophisticated attack tools through dark web subscriptions, dramatically lowering the technical sophistication threshold for launching effective attacks.
Network access listings represent one of the most directly dangerous dark web product categories for organisations. Thousands of dark web listings offer remote access to compromised corporate networks — not the data that has been extracted from those networks, but active, ongoing access to the network itself. These listings are maintained by Initial Access Brokers: criminal specialists who compromise network access through various means (credential theft, vulnerability exploitation, phishing) and then sell or auction the access to other criminal actors who lack the skills to achieve initial access themselves but have the capability to monetise it through ransomware deployment, data exfiltration, or further compromise. The existence of this market means that a successful ransomware attack on a company may have begun months earlier with an access broker quietly selling entry to the corporate network to the highest bidder.
Dark web drug markets operate as sophisticated e-commerce platforms complete with product listings, search functions, vendor rating systems, escrow services, dispute resolution mechanisms, and customer support. An estimated 20 percent of all drugs sold globally are now distributed through dark web platforms — a figure that reflects genuinely global supply chains operating through Tor-accessible marketplaces and fulfilled through international postal services. The professionalism of modern dark web drug markets exceeds that of many legitimate e-commerce operations in terms of user experience design, with some platforms offering money-back guarantees and responsive customer service that would be unremarkable in a legitimate retail context.
The Dark Web Criminal Economy in 2026
The dark web’s criminal economy is no longer chaotic or amateur — it is organised, adaptive, professionally managed, and built to persist despite ongoing enforcement pressure. By mid-2026, dozens of active dark web marketplaces operate simultaneously, many now resembling legitimate online retailers in their feature sets and operational sophistication. Invitation-only access, multi-factor authentication, escrow services for buyer protection, vendor verification processes, and customer support have become standard features. The illicit dark web economy generates an estimated $1.5 billion in annual revenue from the sale of stolen data, drugs, counterfeit goods, and cybercrime services.
The professionalisation extends to the criminal services sector. The dark web intelligence market that enterprises invest in to monitor and counter these threats — valued at $520.3 million and projected to grow toward $1.3 billion by 2028 — reflects the investment required to track and counter an adversary that operates with commercial-grade infrastructure and professional accountability systems within its own ecosystem. Cyble’s Research and Intelligence Labs tracked 6,046 global data breach and leak incidents in 2025 alone, with thousands of enterprise credentials circulating on dark web marketplaces — harvested by infostealer malware and sold to cybercriminal buyers in a supply chain that moves from infection to sale in hours.
AI is accelerating the dark web economy’s capability expansion. AI tools are being deployed to generate high-quality phishing lures in multiple languages for less technically skilled criminal actors, automate the testing of stolen credentials against multiple platforms simultaneously, assemble personalised fraud packages from identity data at machine speed, and create novel malware variants that evade existing detection signatures. The pattern documented across multiple research sources is consistent: AI is not replacing criminals in this ecosystem but amplifying their scale and lowering the skill threshold required to conduct sophisticated attacks.
Geographic decentralisation is another defining trend of 2026. Criminal operations are spreading across multiple jurisdictions with varying cybercrime enforcement capabilities, making international cooperation more difficult and allowing operations to relocate rapidly when enforcement pressure increases in one jurisdiction. The shift toward smaller, more resilient groups operating in private invite-only communities — or migrating to encrypted messaging platforms like Telegram — represents adaptation to the increasingly effective takedowns that law enforcement conducted against larger centralised markets in 2024 and 2025.
Law Enforcement: Significant Wins, Persistent Challenges
Law enforcement agencies globally have made significant investments in dark web disruption capability, and the results are measurable — though not definitive. Operation RapTor in May 2025 resulted in 270 arrests and the seizure of over $200 million in currency and cryptocurrency, representing one of the most significant coordinated international dark web enforcement actions in history. In 2023, authorities seized counterfeit currency worth approximately $22 million via dark web operations. The takedown of AlphaBay, Hansa, and several subsequent major markets demonstrated that law enforcement can infiltrate, monitor, and dismantle even the most professionally operated dark web marketplaces.
The persistent challenge is that takedowns do not eliminate demand — they redistribute it. When a major dark web market is taken down, its user base migrates to alternatives that typically emerge within days. The decentralised architecture of Tor makes it practically impossible to disrupt the underlying infrastructure the way a centralised service can be disrupted by seizing servers. Law enforcement can take down specific sites; they cannot take down the network itself. Each successful takedown is followed by a fragmentation of the ecosystem into more numerous and more specialised successors, which are collectively more difficult to monitor comprehensively than the single centralised market they replaced.
The regulatory and legislative response to dark web threats has also evolved. Governments are increasing monitoring capabilities, enhancing penalties for cybercrime, and strengthening international cooperation frameworks. The EU’s Network and Information Security Directive (NIS2) and the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) both reflect legislative responses to the reality that dark web-facilitated cybercrime is causing measurable national economic harm. Cryptocurrency tracing — once considered the Achilles’ heel of law enforcement’s ability to follow dark web financial flows — has improved dramatically through the work of blockchain analytics firms including Chainalysis and Elliptic, which have developed tools capable of tracing transactions through mixing services and privacy coins that were previously considered untraceable.
The Legitimate Uses of the Dark Web
A complete and honest account of the dark web must acknowledge the genuinely legitimate uses that the same infrastructure enables — because understanding these uses matters both for accurate risk assessment and for appreciating why the dark web cannot simply be shut down without meaningful harm to people who depend on it for their safety.
Journalists, whistleblowers, and activists operating in authoritarian or censorship-heavy environments use Tor and .onion services as essential tools for communicating securely, publishing information that domestic governments would suppress, and receiving documents from sources whose physical safety depends on their anonymity being maintained. SecureDrop — the open-source whistleblower submission system used by The New York Times, The Washington Post, The Guardian, and dozens of other major news organisations — operates as a .onion service specifically because Tor’s anonymity architecture provides the source protection that email and normal web forms cannot guarantee. In this context, the dark web is not a threat to democratic societies — it is a tool that enables democratic journalism to function in conditions where authoritarian pressure would otherwise silence it.
Privacy-conscious individuals who are not engaged in any illegal activity use Tor because they genuinely do not want their browsing activity monitored by ISPs, advertising networks, or government surveillance programmes. This is not a paranoid concern: commercial web tracking is pervasive and persistent, and many people’s objection to it is principled rather than indicating anything nefarious. Users from politically censored countries — Iran, Russia, China — comprising approximately 19 percent of non-criminal dark web traffic represent people accessing ordinary information that their governments have blocked, not criminals seeking illegal goods.
Security researchers and threat intelligence professionals use dark web access as part of legitimate professional practice — monitoring forums and marketplaces to identify emerging threats, collect indicators of compromise, and understand the criminal ecosystem they are defending against. Without this monitoring, organisations’ threat intelligence would be delayed by the time required for dark web activity to manifest in real-world attacks, reducing defenders’ window for proactive response.
How Your Data Ends Up on the Dark Web
Most people whose data appears on the dark web did not do anything to put it there. Understanding the pipeline from breach to dark web listing to attack explains why dark web monitoring matters even for individuals who have no intention of ever accessing the dark web themselves.
The most common pipeline begins with a data breach at a service the individual uses. A company’s database is compromised — through a vulnerability in their web application, a phishing attack on an administrator, an unpatched server, or a supply chain compromise — and the user records are exfiltrated. The attacker then either sells the breach data directly to dark web buyers or posts it on a forum to establish criminal credibility, or both. The data appears on dark web markets as a database dump, available for purchase in bulk or searched by specific email address or username. Credential brokers purchase bulk dumps and make them available for credential stuffing — automated attacks that test the email/password combinations from the breach against every major service, exploiting the reality that 94 percent of passwords are reused.
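The credential stuffing pattern described above leaves a recognisable trace in authentication logs: one source trying many different accounts, almost all of them failing. The following is an added example, not code from the original article; the log format, field names, thresholds and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example: timestamp, result, account, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a user mistyping a password, one source walking a list
# of accounts, and one source repeatedly failing against a single account.
SAMPLE_LOG = """\
2026-01-12T09:00:01Z login result=FAIL user=alice@example.com src=198.51.100.20
2026-01-12T09:00:09Z login result=OK user=alice@example.com src=198.51.100.20
2026-01-12T09:01:00Z login result=FAIL user=bob@example.com src=203.0.113.7
2026-01-12T09:01:01Z login result=FAIL user=carol@example.com src=203.0.113.7
2026-01-12T09:01:02Z login result=FAIL user=dave@example.com src=203.0.113.7
2026-01-12T09:01:03Z login result=FAIL user=erin@example.com src=203.0.113.7
2026-01-12T09:01:04Z login result=FAIL user=frank@example.com src=203.0.113.7
2026-01-12T09:01:05Z login result=OK user=grace@example.com src=203.0.113.7
2026-01-12T09:02:00Z login result=FAIL user=admin@example.com src=192.0.2.44
2026-01-12T09:02:01Z login result=FAIL user=admin@example.com src=192.0.2.44
2026-01-12T09:02:02Z login result=FAIL user=admin@example.com src=192.0.2.44
2026-01-12T09:02:03Z login result=FAIL user=admin@example.com src=192.0.2.44
2026-01-12T09:02:04Z login result=FAIL user=admin@example.com src=192.0.2.44
"""


def parse_line(line):
    """Return (timestamp, source, user, succeeded), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m["src"], m["user"].lower(), m["result"] == "OK"


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5,
                    min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts, mostly unsuccessfully.

    Lines are assumed to be in chronological order. Returns a dict mapping
    source -> {"first_seen", "users", "compromised"}; "compromised" lists the
    accounts the flagged source logged in to, which need a forced reset.
    """
    recent = defaultdict(deque)  # source -> events inside the sliding window
    alerts = {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, src, user, ok = event
        q = recent[src]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_ratio = sum(1 for _, _, k in q if not k) / len(q)
        over_threshold = len(users) >= min_users and fail_ratio >= min_fail_ratio
        # Once a source is flagged, keep recording what it touches.
        if src in alerts or over_threshold:
            alert = alerts.setdefault(
                src, {"first_seen": ts, "users": set(), "compromised": set()}
            )
            alert["users"] |= users
            alert["compromised"] |= {u for _, u, k in q if k}
    return alerts


if __name__ == "__main__":
    for src, alert in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, "first flagged", alert["first_seen"].isoformat())
        print("  accounts targeted:", len(alert["users"]))
        print("  force reset for:", sorted(alert["compromised"]))
```

Counting per source is one signal only; pair it with per-account and site-wide failure-rate signals, since the repeated failures against a single account in the sample are deliberately not flagged by this rule.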
A second pipeline runs through infostealer malware — malicious software installed on a victim’s device, often through a malicious download, a phishing email attachment, or a compromised software installer — that silently records credentials, browser cookies, stored passwords, and form data, transmitting them to the attacker’s infrastructure and eventually to dark web markets. Infostealer logs — packages of data harvested from a single infected device — include not just username and password combinations but session cookies that can be used to bypass authentication entirely, including multi-factor authentication, by impersonating an already-authenticated session. The sophistication of infostealer markets on the dark web reflects the scale and commercial maturity of this attack vector.
A third pipeline is direct social engineering: phishing attacks that harvest credentials directly, aided by AI-generated phishing emails with 54 percent click-through rates. The credentials collected are sold or used directly, with the most valuable (email accounts, financial services access) commanding premium prices on dark web markets that specialise in “fresh” credentials — those obtained recently and not yet widely circulated.
Dark Web Monitoring: What It Is and Whether You Need It
Dark web monitoring is a service that continuously scans dark web forums, marketplaces, and data breach aggregator sites for specific identifiers — email addresses, usernames, phone numbers, Social Security numbers, credit card numbers — and alerts the user when those identifiers appear in newly discovered breach data or dark web listings. It is not a way of preventing your data from appearing on the dark web; it is an early warning system that allows you to respond — changing compromised passwords, freezing credit, monitoring for fraud — before the data is actively exploited.
Dark web monitoring is now available through multiple channels. Major password managers including 1Password, Dashlane, and Bitwarden premium plans include breach monitoring as a core feature, alerting users when stored credentials appear in known breach databases including Have I Been Pwned, which maintains a database of over 850 million compromised passwords from major breaches. Google’s dark web report (which monitored Gmail addresses and associated personal information) was being retired in 2026 as Google shifted its monitoring capabilities. Identity protection services including LifeLock, Aura, and various cybersecurity platforms offer more comprehensive dark web monitoring covering a broader range of personal identifiers beyond email addresses.
The dark web monitoring market itself is growing rapidly, valued at $520.3 million in 2025 and projected to reach $762 million by the end of that year, driven by demand across financial services, healthcare, and government sectors. For enterprises, dark web intelligence platforms like Cyble Hawk provide more comprehensive monitoring: not just breach data notification but active monitoring of dark web forums for mentions of the organisation’s name, credentials, and infrastructure, providing early warning of planned attacks and active compromises before they manifest in operational damage.
Whether individual dark web monitoring is worth the cost depends on individual risk profile and the comprehensiveness of the free options already available. For most individuals, the free monitoring available through Have I Been Pwned (haveibeenpwned.com) — where entering an email address reveals whether it appears in any known data breach — combined with the breach monitoring built into a good password manager, provides meaningful coverage of the most common dark web threat to individual accounts. For individuals with higher risk profiles — executives, public figures, people who have previously been victims of identity theft, people with high-value financial accounts — paid identity monitoring services provide more comprehensive coverage and more immediate response support.
Practical Steps to Reduce Your Dark Web Risk
The appropriate response to the dark web threat is not panic, and it is not fatalism. It is the same set of practical security measures that address the credential and identity threats that the dark web facilitates — measures that are accessible to any individual or organisation willing to invest modest time and attention.
Check immediately whether your email addresses and passwords have appeared in known breaches at haveibeenpwned.com. This free service indexes breach data from thousands of known incidents and provides a clear picture of which of your credentials have already been compromised and need to be changed. For any account where a compromised password was used and has not yet been changed, the credential stuffing clock is running — change it now.
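For passwords, the same check can be scripted without ever sending the password, or even its full hash, to the service. The following is an added example, not code from the original article: it uses the Pwned Passwords range endpoint of Have I Been Pwned, where only the first five characters of the SHA-1 hash leave the machine and the match is done locally. The `fetch` parameter and the response body in the demo are constructed so the logic can be run offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split it into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Entries with a count of 0 are padding added by the service when the
    Add-Padding header is sent, and are dropped. Malformed lines are skipped.
    """
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            seen = int(count)
        except ValueError:
            continue
        if seen > 0:
            counts[suffix.upper()] = seen
    return counts


def fetch_range(prefix, timeout=10):
    """Ask the service for every known hash suffix under this prefix."""
    request = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def breach_count(password, fetch=fetch_range):
    """Return how many times the password appears in the breach corpus.

    Only the 5-character prefix is passed to `fetch`; the suffix comparison
    happens locally, so the service cannot tell which password was checked.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demo with a constructed response body (counts are made up).
    demo_prefix, demo_suffix = split_hash("password")
    constructed_body = (
        "0" * 35 + ":0\r\n"          # padding entry, ignored
        + demo_suffix + ":12345\r\n"  # constructed count for the demo password
        + "F" * 35 + ":7\r\n"
    )
    sent = []

    def constructed_fetch(prefix):
        sent.append(prefix)
        return constructed_body

    print("seen in breaches:", breach_count("password", fetch=constructed_fetch))
    print("sent to service: ", sent)  # only the 5-character prefix
```

Calling `breach_count("...")` without the `fetch` argument performs the real lookup; any result above zero means the password should be retired everywhere it is used.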
Use a password manager to ensure every account uses a unique, manager-generated password. If your email address is in 50 different breaches but every service you use has a different password, the impact of any individual breach is contained to that one service. If you reuse passwords, a breach at a low-value service potentially compromises every account that uses the same password — which is exactly the attack model that credential stuffing exploits.
Enable multi-factor authentication on every account that supports it, prioritising email, financial services, and work accounts. Even compromised credentials cannot be used against an account protected by app-based MFA or passkeys (SMS-based MFA is significantly weaker and should be upgraded where alternatives are available). Enable passkeys wherever they are offered — they are phishing-resistant by design and provide the strongest available protection against the credential theft pipeline that feeds dark web markets.
Monitor your financial accounts and credit reports for signs of fraudulent activity. In the United States, all three major credit bureaus (Equifax, Experian, TransUnion) offer free annual credit reports, and a credit freeze — which prevents new credit accounts from being opened in your name — is free to implement and free to lift temporarily when you legitimately need to open new credit. For individuals whose Social Security numbers or equivalent national identifiers have appeared in known breaches, a credit freeze is one of the highest-impact protective measures available.
For organisations, the critical investment is dark web intelligence monitoring — a security capability that provides visibility into dark web activity involving the organisation’s credentials, infrastructure, and identity before that activity manifests in an operational breach. The 34 percent of data breach incidents in 2024 that involved content eventually shared on the dark web illustrates the scale of the monitoring opportunity: organisations with dark web intelligence capability can identify leaked credentials and active network access listings in the criminal marketplace before attackers exercise them, providing a window for defensive response that passive security monitoring cannot create.
The Dark Web in Perspective
The dark web is real, it is consequential, and it poses genuine and well-documented threats to individuals’ digital security and organisations’ cybersecurity posture. It is also frequently misrepresented in ways that either make it sound more exotic and dramatic than it is, or that make ordinary people feel that the threat is so vast and technical that there is nothing they can do about it. Both misrepresentations are wrong.
The dark web accounts for 0.01 percent of internet content. Its criminal economy generates roughly $1.5 billion annually — significant, but a small fraction of the global cybercrime cost estimated at $10.5 trillion in 2026. Its threats to individuals are primarily channelled through credential theft and identity fraud — threats that are meaningfully mitigated by the password hygiene and MFA practices that security practitioners have been recommending for years, and that are more effectively enforced by the password management and passkey technologies that are now widely available and often free.
The dark web is not a parallel internet that only criminals inhabit. It is a technical architecture that provides anonymity, and anonymity is a tool that can serve both harmful and beneficial purposes depending on who is using it and why. The journalists who use SecureDrop to protect their sources, the activists in authoritarian countries who use Tor to access uncensored information, and the security researchers who monitor criminal forums to protect their clients are all using the same technical infrastructure as the criminals who sell stolen data and deploy ransomware. Understanding this complexity — rather than reducing the dark web to a simple villain — is what produces accurate risk assessment and appropriate defensive response. The dark web is a threat to be monitored, managed, and defended against, not a mystery to be feared.