Our collection.
Not someone else's.

Most dark web tools resell the same handful of upstream feeds. ThreatCluster runs its own collection stack across ransomware leak sites, underground forums, and Tor markets. We discover, enrich, and surface the content directly.

Three independent scrapers.

One scraper covers ransomware and data-leak group sites. The second covers underground forums. That includes paste sites, initial-access broker boards, combolists, and defacement archives. The third covers Tor and clearnet marketplaces.

Running them independently means a Tor outage on the marketplace side doesn't blind us to leak-site updates, and a forum being seized doesn't take down the ransomware tracking.

  • Scraper 1, Leak sites: Ransomware and data-leak group victim listings
  • Scraper 2, Forums: Paste sites, IAB boards, combolists, defacements
  • Scraper 3, Markets: Tor and clearnet marketplaces

[Image 1: Dark Web dashboard. /dark-web stat strip with ransomware groups / victims / markets / breaches / underground sites / mentions counters and country map.]

We find our own sites.

Four sources find new sites in parallel. Curated CTI repositories, Tor search engines, GitHub-published onion lists, and Telegram channels.

New candidates go through liveness probing, a depth-1 link harvest, and automated classification. Most competitors buy a list. We build ours.

  • Curated CTI repositories
  • Tor search engines
  • GitHub-published onion lists
  • Telegram channels

[Image 2: Discovery pipeline. Pipeline diagram or admin view showing source -> liveness probe -> classification -> publish.]

Every page, enriched twice.

We pull out the unambiguous indicators first. Crypto wallets, emails, Tox IDs, XMPP and Telegram handles, PGP blocks, CVE references. Anything with a predictable shape gets captured with a script, not a model.
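
A scripted first pass of this kind pairs shape patterns with checksum checks so that look-alike strings are dropped before anything reaches a model. The Python below is an added example, not ThreatCluster's code: the patterns, function names, and sample text are assumptions, and it covers only CVE references, emails, Tox IDs, and legacy Bitcoin addresses.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Shape filters only: a match is a candidate, not proof the value is in use.
PATTERNS = {
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b"),  # also XMPP JIDs
    "tox_id": re.compile(r"\b[0-9A-Fa-f]{76}\b"),
    "btc": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,33}\b"),
}

def btc_ok(addr):
    # Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum.
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes(25, "big")  # 34 base58 characters always fit in 25 bytes
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]

def tox_ok(tox):
    # Tox ID: 36 bytes (key + nospam), then 2 checksum bytes = XOR of the byte pairs.
    raw = bytes.fromhex(tox)
    even = odd = 0
    for i in range(0, 36, 2):
        even, odd = even ^ raw[i], odd ^ raw[i + 1]
    return bytes([even, odd]) == raw[36:]

VALIDATORS = {"btc": btc_ok, "tox_id": tox_ok}

def extract(text):
    """Return {kind: sorted unique values} for hits passing shape and checksum."""
    found = {}
    for kind, rx in PATTERNS.items():
        ok = VALIDATORS.get(kind, lambda value: True)
        hits = {m.group(0) for m in rx.finditer(text) if ok(m.group(0))}
        if kind in ("cve", "tox_id"):
            hits = {h.upper() for h in hits}  # case-insensitive identifiers
        if hits:
            found[kind] = sorted(hits)
    return found

# Constructed page text. The BTC value is the public genesis-block address, used
# as a known-valid checksum; the second has its last character changed.
SAMPLE = (
    "Contact ops@example.org or Tox " + "ABCD" + "1234" * 17 + "B9F9" + ". "
    "Pay 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (not 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb). "
    "Entry via cve-0000-0000 and CVE-0000-0000 (placeholder); build id " + "0" * 75 + "1."
)
```

Calling `extract(SAMPLE)` keeps one value per kind: the altered Bitcoin address and the 76-digit build id both match their shape but fail the checksum, and the two CVE spellings collapse into one.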

AI then handles the contextual layer. Victim names, tools, attribution, language, and a one-paragraph summary. Everything cross-references into the main entity graph, so a victim domain or a tool name surfaces on its own entity page alongside the news.

[Image 3: Enrichment output. Captured page detail with extracted entities sidebar (crypto, emails, victims, tools, summary).]

Surfaced the way an analyst reads it.

Group profile pages with active campaigns and historical victims. Per-victim detail pages with the enriched data attached. Markets with category tags. Underground forum posts with screenshots, captions, and metadata. Breach indexes filterable by country, sector, group, status, or freshness.

  • Group profiles
  • Victim detail
  • Market listings
  • Breach index

[Image 4: Victim detail page. Ransomware victim record with data size, posted date, country, industry, victim profile, source group, leak page, recent group victims.]

Alerts when a client's domain hits a list.

Set the domains and supplier names you care about. When they appear in a ransomware victim post, a forum drop, a combolist, or a market listing, an alert fires through the same webhook and digest channels that the rest of the platform uses.

For MSSPs, alerts route per customer. Each client's mentions stay in their own channel, so the right team gets notified without one client ever seeing another client's hits.

[Image 5: Breach match alert. Notification card showing "domain X appeared in leak from group Y" with link to the source page.]

Watch the leak sites,
not the news cycle.

Live coverage of the leak sites, forums, and markets that matter, with alerts when your clients show up. No reseller, no curation lag.