Most people have heard the term "dark web" thrown around in news headlines, cybercrime reports, and security briefings. But beyond the sensationalism, there is a technically fascinating and genuinely dangerous layer of the internet that every cybersecurity professional needs to understand deeply, not just conceptually.
This post breaks down the architecture behind the dark web, what actually lives on it, how threat actors use it, and how defenders and researchers access it safely and legally.
Before diving into the dark web specifically, it helps to understand where it sits within the broader structure of the internet.
The Surface Web is what most people interact with daily. It is indexed by search engines like Google, Bing, and DuckDuckGo. Think news sites, social media platforms, e-commerce stores, and public documentation. This represents only a small fraction of all internet content.
The Deep Web is simply any web content not indexed by standard search engines. This includes online banking portals, private company intranets, academic databases, medical records, and anything sitting behind a login wall. It is not inherently malicious. Most people access the deep web every time they check their email or log in to a banking app.
The Dark Web is a specific, intentionally hidden portion of the deep web. It is not accessible through a standard browser. It requires specialized software, configurations, and often specific credentials or invitations. The dark web is deliberately anonymized and is home to both legitimate privacy-focused communities and serious criminal infrastructure.
The most widely used technology behind the dark web is Tor (The Onion Router), originally developed by the U.S. Naval Research Laboratory and now maintained by the non-profit Tor Project.
Tor works by routing your traffic through a circuit of at least three volunteer-operated nodes: a guard node (entry), a middle relay, and an exit node. At each hop, a layer of encryption is peeled away, hence the onion metaphor. No single node knows both the origin and the destination of the traffic.
Dark web sites specifically use .onion addresses, which are not registered through any public DNS system. They are 56-character base32-encoded strings derived from the site's public key, making them essentially self-authenticating.
A v3 onion address looks like this:
http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion
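The "self-authenticating" property above can be checked without touching the network, because the address itself carries the key, a two-byte checksum and a version byte. The following is an added example, not code from the original post; it encodes and decodes v3 addresses per the published format (base32 of PUBKEY || SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2] || VERSION) and uses the Tor Project address quoted above as its sample input.

```python
import base64
import binascii
import hashlib
from dataclasses import dataclass

ONION_VERSION = 3
CHECKSUM_PREFIX = b".onion checksum"  # fixed string from the v3 onion service spec


@dataclass
class OnionAddress:
    pubkey: bytes   # 32-byte ed25519 identity public key of the service
    version: int


def onion_checksum(pubkey: bytes, version: int) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + bytes([version])).digest()[:2]


def encode_onion(pubkey: bytes, version: int = ONION_VERSION) -> str:
    """base32(PUBKEY || CHECKSUM || VERSION) + ".onion": 35 bytes become exactly 56 characters."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_checksum(pubkey, version) + bytes([version])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion(address: str) -> OnionAddress:
    """Parse and verify an address; ValueError if malformed, wrong version, or checksum fails."""
    label = address.strip().lower().removesuffix(".onion")
    if len(label) != 56:
        raise ValueError(f"expected 56 base32 characters, got {len(label)}")
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != ONION_VERSION:
        raise ValueError(f"unsupported onion address version {version}")
    if checksum != onion_checksum(pubkey, version):
        raise ValueError("checksum mismatch: address was mistyped or tampered with")
    return OnionAddress(pubkey=pubkey, version=version)


if __name__ == "__main__":
    # The Tor Project's own onion address quoted in the text above
    parsed = decode_onion("2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion")
    print(f"version {parsed.version}, service key {parsed.pubkey.hex()}")
```

A mistyped or attacker-altered character is caught by the checksum before any connection is attempted, which is why Tor Browser can refuse bogus addresses outright.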
To access onion services, users download the Tor Browser, a hardened fork of Firefox that routes all traffic through the Tor network automatically.
While Tor is dominant, I2P (Invisible Internet Project) is another anonymizing network worth understanding. I2P uses a garlic routing protocol, bundling multiple messages together for additional obfuscation. It is more commonly used for internal dark-net services ("eepsites") than for accessing the broader internet.
Server operators hosting .onion services achieve anonymity by never exposing their real IP address to clients. The server creates a set of introduction points in the Tor network, publishes them to a distributed hash table, and clients connect through a rendezvous point. Neither the client nor the server learns the other's real IP address.
The dark web contains a far wider range of content than most people assume, covering both legitimate and deeply criminal use cases.
Not everything on the dark web is criminal. Journalists, activists, whistleblowers, and citizens living under authoritarian governments use Tor and onion services for genuinely important reasons.
Notable examples include:
This is where the dark web earns its reputation. Over the years, a long succession of criminal markets has operated on Tor, trading in:
Many of these markets have been taken down in joint international law enforcement operations. Hydra, AlphaBay (first iteration), and Genesis Market are prominent examples. However, new markets consistently emerge to replace them.
A particularly dangerous evolution in dark web infrastructure is the rise of dedicated leak sites operated by ransomware groups. Rather than simply encrypting victim data, groups like LockBit, ALPHV/BlackCat, and Cl0p use .onion leak sites to publish stolen data if ransoms are not paid. This tactic is called double extortion.
These sites are publicly accessible over Tor and serve as both a threat mechanism and a reputational tool for ransomware operators. Security researchers and threat intelligence teams monitor these sites as part of their incident response and proactive threat hunting workflows.
One of the most operationally significant dark web ecosystems is the initial access broker (IAB) market. These actors specialize in compromising corporate networks and then selling that access to other threat actors, including ransomware affiliates, rather than deploying payloads themselves.
Access listings typically include the target industry, country, revenue estimate, and the type of access on offer, such as domain admin, local admin, or a low-privileged foothold. Access packages for mid-sized enterprises regularly sell for anywhere from a few hundred to tens of thousands of dollars.
Understanding IAB activity is critical for threat intelligence analysts. If your organization's access is listed on a dark web forum, you may have minutes to hours before a ransomware deployment begins.
If you want to develop the skills to track and respond to this kind of threat intelligence, the courses at Redfox Cybersecurity Academy cover operational threat hunting and dark web OSINT at a practitioner level.
Accessing the dark web for legitimate threat intelligence or research requires significant operational security. Connecting directly from a corporate IP or personal device is never acceptable.
A safe research setup includes:
Here is how you would verify and launch Tor Browser from the command line on a Linux research VM after downloading the tarball and its detached signature:
# Verify the GPG signature of the Tor Browser download
# (the Tor Browser Developers signing key must already be in your keyring;
#  proceed only if gpg reports "Good signature")
gpg --verify tor-browser-linux64-13.0_ALL.tar.xz.asc tor-browser-linux64-13.0_ALL.tar.xz
# Extract and launch
tar -xvf tor-browser-linux64-13.0_ALL.tar.xz
cd tor-browser/
./start-tor-browser.desktop
For command-line research workflows, torsocks wraps standard network utilities to force them through the Tor SOCKS5 proxy (default port 9050):
# Route curl through Tor for onion site retrieval
torsocks curl -s http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion
# Verify your exit node / anonymized IP before research
# (the JSON reply should report "IsTor": true; if it does not, stop and fix the proxy setup first)
torsocks curl -s https://check.torproject.org/api/ip
OnionScan is a purpose-built open-source tool for analyzing onion services. It checks for misconfigurations that can deanonymize hidden services, including Apache mod_status exposure, server-side includes leaking real IP addresses, and correlation through Bitcoin addresses or PGP keys.
# Install OnionScan (requires Go)
go install github.com/s-rah/onionscan@latest
# Run a basic scan against a target onion address
onionscan --torProxyAddress 127.0.0.1:9050 --verbose exampleonionaddresshere.onion
This tool is used by researchers to identify when hidden services are poorly configured and inadvertently exposing their operators' real infrastructure.
Structured threat intelligence research on dark web actors draws on several professional-grade tools and platforms:
For teams building out dark web monitoring capabilities as part of a broader threat intelligence program, the structured intelligence and OSINT curriculum at Redfox Cybersecurity Academy is designed to take analysts from foundational concepts through to hands-on operational techniques.
Most dark web criminal activity is denominated in cryptocurrency, specifically Monero (XMR) for serious operational security, since Monero uses ring signatures, stealth addresses, and confidential transactions to make on-chain analysis extremely difficult. Bitcoin is still used, but its transparent ledger makes it traceable by law enforcement using blockchain analytics platforms like Chainalysis and Elliptic.
Understanding basic blockchain forensics is increasingly part of the cybersecurity analyst skill set, particularly for incident responders working ransomware cases.
# Simple Python example using the requests library to query a Monero node's RPC
# for transaction verification in a research context
import json
import requests

# monerod JSON-RPC endpoint on the default mainnet port; keep the node bound to localhost
rpc_url = "http://127.0.0.1:18081/json_rpc"
payload = {
    "jsonrpc": "2.0",
    "id": "0",
    "method": "get_info"  # node status: chain height, peer count, sync state
}
# json= serialises the dict and sets Content-Type: application/json for us
response = requests.post(rpc_url, json=payload, timeout=10)
response.raise_for_status()  # fail loudly on HTTP errors instead of parsing an error page
print(json.dumps(response.json(), indent=2))
This type of node interaction is used in research settings to understand transaction structures without relying solely on third-party block explorers that may log queries.
Stolen credentials sourced from phishing campaigns, info-stealers like RedLine and Lumma, or data breaches end up packaged and sold on dark web markets within hours of collection. For security teams, this means continuous monitoring of credential exposure is no longer optional.
Tools like SpyCloud, Have I Been Pwned's enterprise API, or custom integrations against dark web data feeds allow security teams to detect and rotate compromised credentials before they are exploited.
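One concrete building block for such monitoring is Have I Been Pwned's Pwned Passwords range endpoint (the public k-anonymity API, distinct from the enterprise API named above): only the first five hex characters of the SHA-1 hash leave your host, and the match against the returned candidate suffixes happens locally. The following is an added example, not code from the original post or from HIBP; the response body and its counts are constructed so the check runs offline, and the function names are the example's own.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords k-anonymity endpoint


def split_sha1(password: str) -> tuple[str, str]:
    """Return the 5-hex-char prefix sent to the API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Fetch every known suffix sharing `prefix`; Add-Padding hides the true result size on the wire."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "credential-exposure-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str, suffix: str) -> int:
    """Each line is '<SUFFIX>:<count>'; padding lines carry count 0, so they never produce a false hit."""
    for line in body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Breach occurrences for `password` (0 = not in the corpus). The full hash never leaves the host."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix), suffix)


# Constructed sample response for prefix 5BAA6 (SHA-1 of "password" starts with it); counts are made up.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
2A1DBF8E3C9A0F1B2C3D4E5F6A7B8C9D0E1:0
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE_BODY  # swap for fetch_range to query the live service
    print("seen", pwned_count("password", fetch=offline), "times in the constructed sample")
```

Wiring the same check into a password-change hook or an identity provider's credential policy is what turns a one-off lookup into the continuous monitoring the text calls for.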
Threat actors actively share internal documents, org charts, employee directories, and network diagrams stolen during prior intrusions. This reconnaissance data gives attackers significant advantages in subsequent operations, including highly targeted spear-phishing and social engineering.
Many commodity and custom malware families use onion services for their command-and-control (C2) infrastructure. Tor-based C2 is particularly difficult to block at the network perimeter because Tor traffic blends with HTTPS and because blocking the entire Tor network by IP is an arms race that defenders rarely win sustainably.
Understanding how to identify and respond to Tor-based C2 activity in endpoint and network telemetry is a key skill for detection engineers and incident responders. Hands-on training that covers these detection techniques is part of the advanced curriculum at Redfox Cybersecurity Academy.
Accessing the dark web for security research is legal in most jurisdictions as long as you are not purchasing goods, accessing CSAM (which is a serious criminal offense globally), or interacting with criminal services in any transactional way. Passive monitoring, OSINT, and academic research are generally permissible.
That said, organizations should have a clearly documented research policy and legal sign-off before any team member conducts dark web research in a professional capacity. Evidence handling, chain of custody for captured pages, and proper disclosure procedures all need to be established in advance.
Some threat intelligence teams operate under specific legal frameworks or law enforcement information-sharing agreements that provide additional protections, particularly when research involves active criminal infrastructure.
The dark web is not a single place, but rather a collection of anonymized, intentionally hidden networks, primarily built on Tor, that serve a wide range of users from political dissidents to ransomware operators.
For cybersecurity professionals, the dark web is operationally relevant in several concrete ways: it is where stolen credentials and initial access are sold, where ransomware groups publish victim data, where criminal tradecraft is developed and shared, and where threat intelligence can be gathered with the right tools and methodology.
Safe and effective dark web research requires proper operational security, purpose-built tooling, legal awareness, and a structured intelligence methodology. Treating it as a curiosity rather than a serious threat intelligence domain is a gap that threat actors are happy to exploit.
Building these skills systematically, from Tor architecture and OSINT methodology through to dark web monitoring and threat actor tracking, is exactly what the practitioner-focused courses at Redfox Cybersecurity Academy are designed to do. Whether you are working in a SOC, building out a threat intelligence capability, or pursuing a career in offensive security research, understanding the dark web at this level is a baseline competency in modern cybersecurity.