The "dark web" is the part of the internet that needs special software — usually Tor — to reach. It's a small slice of the wider internet, but a disproportionate amount of the threat-actor economy operates there.
Surface, deep, dark — the standard split
- Surface web — anything a search engine indexes. The public-facing internet.
- Deep web — anything behind authentication or paywalls. Your webmail inbox, your bank's portal, internal corporate sites. Huge volume, overwhelmingly benign.
- Dark web — sites that deliberately hide their server location and are reachable only via anonymising networks such as Tor or I2P: the .onion (Tor) and .i2p (I2P) address spaces.
The dark web is not the same as the deep web, even though people use the terms interchangeably. The deep web is most of the internet. The dark web is a tiny corner of it.
What CTI teams actually monitor
Most dark-web CTI value comes from a handful of source types:
- Ransomware leak sites — most active ransomware groups run a Tor-hosted blog where they post victim names and, frequently, samples of the stolen data. Monitoring these in near real time often surfaces a breach before the victim discloses it publicly.
- Underground forums — XSS, Exploit, RAMP and others where IAB (Initial Access Broker) listings, exploit sales, and recruitment happen.
- Credential markets — Genesis (seized by law enforcement in 2023), 2easy, Russian Market and their successors sell stealer-log output: the URLs, usernames and passwords a victim's browser had saved, often with session cookies. Match the logged-in URLs and account emails against your domains to learn which employees' machines are compromised.
- Combolist drops — large credential dumps shared on forums and Telegram. Mostly recycled, but still worth checking against your domains.
- Marketplaces — harder to maintain since AlphaBay and Hansa takedowns. Still active for malware, exploits, fraud services.
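The matching step behind the credential-market and combolist bullets above is easy to get subtly wrong: stealer logs are `URL:login:password` lines where the URL itself contains colons, and a naive suffix test on the hostname will treat `notexample.com` as a hit for `example.com`. The following is an added example, not code from this page or from ThreatCluster, that parses both line shapes, matches on the login URL's host and on the account email's domain, and deduplicates on a hash so the plaintext password is never retained. `TRACKED_DOMAINS` and the sample lines are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import re
from urllib.parse import urlsplit

# Hypothetical tracked domains for one customer (assumption, not from the page).
TRACKED_DOMAINS = {"example.com"}

# Stealer-log line: URL:login:password. We anchor on the URL shape (scheme, host,
# optional port, optional path without ':') so the password can absorb any ':'.
STEALER_RE = re.compile(
    r"^(?P<url>https?://[^/:\s]+(?::\d+)?(?:/[^\s:]*)?):(?P<user>[^:\s]*):(?P<pw>.*)$"
)
# Combolist line: email:password or email;password.
COMBO_RE = re.compile(r"^(?P<user>[^:;\s@]+@[^:;\s@]+)[:;](?P<pw>.*)$")


def matches_domain(host: str, tracked: set[str]) -> str | None:
    """Return the tracked domain that owns host (exact or subdomain), else None.
    Requiring a leading '.' on the suffix is what stops notexample.com matching."""
    host = host.lower().rstrip(".")
    for d in tracked:
        if host == d or host.endswith("." + d):
            return d
    return None


def fingerprint(user: str, pw: str) -> str:
    """Stable dedup id that never stores the plaintext password."""
    return hashlib.sha256(f"{user.lower()}\x00{pw}".encode()).hexdigest()[:16]


def parse_line(line: str):
    """Classify one dump line; returns (kind, url_host, user, pw) or None."""
    line = line.strip()
    m = STEALER_RE.match(line)
    if m:
        host = urlsplit(m["url"]).hostname or ""
        return ("stealer", host, m["user"], m["pw"])
    m = COMBO_RE.match(line)
    if m:
        return ("combolist", "", m["user"], m["pw"])
    return None


def match_dump(lines, tracked=TRACKED_DOMAINS):
    """Return deduplicated findings that touch a tracked domain, either because the
    credential was captured on one of its sites (stealer log) or because the
    account email belongs to it (either format)."""
    seen = set()
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, host, user, pw = parsed
        hit = matches_domain(host, tracked) if host else None
        email_domain = user.rsplit("@", 1)[1] if "@" in user else ""
        if not hit and email_domain:
            hit = matches_domain(email_domain, tracked)
        if not hit:
            continue
        fp = fingerprint(user, pw)
        if fp in seen:
            continue
        seen.add(fp)
        findings.append({"kind": kind, "domain": hit, "host": host, "user": user, "fp": fp})
    return findings


# Constructed sample lines, not a real dump.
SAMPLE = [
    "https://sso.example.com:8443/login:jdoe@example.com:Spring:2024!",  # port, ':' in password
    "https://mail.notexample.com/:bob@notexample.com:hunter2",           # must NOT match
    "https://portal.vendor.test/:alice@example.com:Passw0rd",            # third-party site, our email
    "carol@example.com;Welcome1",
    "carol@example.com:Welcome1",  # same credential, different separator: deduped
    "garbage line with no structure",
]

if __name__ == "__main__":
    for f in match_dump(SAMPLE):
        print(f)
```

The third sample line is the case worth noticing: the login URL belongs to a vendor, but the account is one of yours, so it is still a finding. Matching on the URL host alone would miss it; matching on the email alone would miss a corporate SSO login saved under a personal address.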
Telegram — the new "dark web"
A lot of what was historically Tor-only has migrated to Telegram channels. It's not technically the dark web (Telegram is on the clear web), but the threat-actor activity is similar: leak channels, credential drops, ransomware chatter, hacktivist coordination. Most modern CTI dark-web stacks include Telegram coverage.
How ThreatCluster does it. Our dark-web stack is built in-house — not a reseller integration. We discover, scrape, deduplicate, and enrich leak sites, forums, credential markets, and Telegram channels. Match against your tracked domains and you get alerted the moment a breach or credential dump touches you.
Common misconceptions
- "The dark web is huge" — it's not. Estimates put it at well under 1% of the web as a whole.
- "Everything on the dark web is illegal" — not true. Tor itself is used legitimately by journalists, dissidents, and privacy-conscious users.
- "You need to go on the dark web to find this stuff" — most enterprise users shouldn't. Use a CTI platform that does the monitoring on your behalf and surfaces only the matches.
What good dark-web CTI looks like
- Coverage across the right surfaces (leak sites + forums + credential markets + Telegram).
- Domain-match alerts that fire in real time, not weekly.
- Per-customer scoping — a client A breach mention should not trigger a client B webhook.
- Source links so a SOC analyst can verify the finding without going onto Tor themselves.
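The last three bullets describe behaviour that is easy to state and easy to get wrong in a multi-tenant pipeline: a finding that mentions two customers' domains must produce two scoped alerts, a re-scrape of the same leak-site post must not alert twice, and every alert must carry the source link for verification. Here is an added example of that routing logic, not code from this page or from ThreatCluster; the tenant table, webhook URLs and findings are constructed for illustration.

```python
from __future__ import annotations

import hashlib

# Hypothetical tenant configuration (assumption, not from the page): each customer
# tracks its own domains and receives alerts on its own webhook.
TENANTS = {
    "client-a": {"domains": {"example.com"}, "webhook": "https://hooks.client-a.test/cti"},
    "client-b": {"domains": {"example.org"}, "webhook": "https://hooks.client-b.test/cti"},
}


def owning_domain(host: str, tracked: set[str]) -> str | None:
    """Tracked domain that owns host (exact or subdomain match), else None."""
    host = host.lower().rstrip(".")
    for d in tracked:
        if host == d or host.endswith("." + d):
            return d
    return None


class AlertRouter:
    """Turn scraped findings into per-tenant webhook events, firing each distinct
    (tenant, finding) pair once even when the same post is scraped again."""

    def __init__(self, tenants=TENANTS):
        self.tenants = tenants
        self.sent = set()  # (tenant, fingerprint) pairs already delivered

    @staticmethod
    def fingerprint(finding: dict) -> str:
        # Source URL plus the domains it mentions identify a post across re-scrapes.
        # The title is deliberately excluded: leak sites edit it (countdowns, "published").
        key = finding["source_url"] + "|" + ",".join(sorted(finding["domains"]))
        return hashlib.sha256(key.encode()).hexdigest()[:16]

    def route(self, finding: dict) -> list[dict]:
        fp = self.fingerprint(finding)
        events = []
        for tenant, cfg in self.tenants.items():
            hits = set()
            for host in finding["domains"]:
                d = owning_domain(host, cfg["domains"])
                if d:
                    hits.add(d)
            # Scoping: a tenant only ever sees findings that touch its own domains.
            if not hits or (tenant, fp) in self.sent:
                continue
            self.sent.add((tenant, fp))
            events.append({
                "tenant": tenant,
                "webhook": cfg["webhook"],
                "matched": sorted(hits),
                "source_type": finding["source_type"],
                "source_url": finding["source_url"],  # analyst verifies against this
                "title": finding["title"],
                "fingerprint": fp,
            })
        return events


# Constructed findings, not real posts; the .onion hostnames are placeholders.
FINDINGS = [
    {"source_type": "leak-site", "source_url": "http://exampleleaks.onion/post/123",
     "title": "Example Corp - 2TB", "domains": ["example.com", "mail.example.com"]},
    {"source_type": "forum", "source_url": "http://exampleforum.onion/thread/9",
     "title": "Access: VPN + RDP", "domains": ["vpn.example.org", "rdp.example.com"]},
    # Re-scrape of the first post with an edited title: must not alert again.
    {"source_type": "leak-site", "source_url": "http://exampleleaks.onion/post/123",
     "title": "Example Corp - 2TB - 3 days left", "domains": ["example.com", "mail.example.com"]},
    {"source_type": "telegram", "source_url": "https://t.me/c/1/5",
     "title": "combo 50k", "domains": ["unrelated.test"]},
]


def run(findings=FINDINGS) -> list[dict]:
    router = AlertRouter()
    return [event for f in findings for event in router.route(f)]


if __name__ == "__main__":
    for e in run():
        print(e["tenant"], e["matched"], e["source_url"])
```

Running it yields three events: one to client-a for the leak-site post, one each to client-a and client-b for the forum listing that names both customers, and nothing for the re-scrape or the unrelated Telegram drop. The dedup key is held in memory here; a real pipeline would persist it per tenant so a restart does not replay every post on the first crawl.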