The dark web, primarily Tor “.onion” sites, provides criminals with anonymity, reliable hosting, and access to markets that sell drugs, malware, stolen data and “initial access” to corporate networks. Cryptocurrency remains the foundation of most trades, even as law enforcement takedowns (Hydra, Genesis Market, Archetyp Market, BreachForums) keep reshaping the structure of the market. For defenders, the practical advice is to watch for posts that leak your data, cut off credential reuse and harden identity, because the majority of attacks begin with stolen access.
Deep web, dark web and Tor – what’s the difference?
- “Deep web” means everything that search engines do not index (e.g. your email inbox, SaaS dashboards).
- “Dark web” means intentionally hidden services reachable only through specific software, most notably Tor, whose addresses end in “.onion”. Tor onion services accept inbound connections while hiding the host's location and encrypt traffic end to end. They have legitimate uses (e.g. confidential whistleblowing), but the anonymity is also a draw for criminals.
Why criminals use it
- Anonymity: infrastructure and users are harder to trace, and takedowns require international coordination.
- Built-in markets: dark-web marketplaces offer escrow, ratings and vendor reputations, lowering the barrier to entry into cybercrime.
- Crypto payments: Bitcoin dominates darknet-market sales; Monero usage is increasing, and it is harder to analyze.
What is sold there?
1) Drugs and precursors
Drug markets are a core part of the dark web. In 2025, authorities took down Archetyp Market, one of the longest-running drug marketplaces, highlighting continued law-enforcement pressure on opioid/fentanyl sales. Before that, Hydra Market, once the largest, was seized and sanctioned.
2) Stolen data, “logs” and identity kits
Genesis Market (seized in 2023's Operation Cookie Monster) specialized in selling device-level “fingerprints” (cookies, credentials, autofill data) that let buyers impersonate victims, fueling account takeover and fraud.
3) Initial access brokers (IABs)
IABs sell ready-made footholds such as RDP/VPN accounts, cloud tenants or web shells, so ransomware affiliates and other actors can skip the intrusion stage and move straight to monetization. Europol's IOCTA describes how IAB specialization shapes which victims get targeted.
4) Ransomware support and data-leak sites
Most large ransomware groups run data-leak sites (DLS) on Tor to shame victims and pressure them into paying. If demands are not met, the stolen data is frequently published there.
5) Child sexual abuse material (CSAM) and exploitation
Law enforcement agencies continue to infiltrate, disrupt and dismantle CSAM communities operating on the dark web and to identify their users at scale, proving that anonymity is not absolute.
Follow the money: crypto on the dark web
- Scale and mix: Chainalysis' 2025 data shows that, while overall crypto-crime revenues fluctuate, ransomware and darknet-market revenues remain primarily Bitcoin-based, with Monero also in use (and harder to measure).
- Marketplace flows: after major operations, darknet inflows can dip; in 2024, DNMs still took in just over $2B in BTC on-chain.
- Hydra's footprint: before the 2022 seizure, Hydra accounted for an estimated 80 percent of darknet-market cryptocurrency transactions in 2021 and had taken in $5.2B since 2015, illustrating how a single platform can dominate a criminal economy.
- Hacks fuel the ecosystem: $2.2B was stolen in crypto hacks in 2024. The funds are usually laundered through mixers, OTC brokers and an unspecified set of exchanges.
Takedowns that changed the landscape
- Hydra (2022): the U.S. DOJ and Treasury (OFAC), together with German partners, took down the largest Russian-language market, a turning point for both cyber-services and drug sales.
- Genesis Market (2023): Operation Cookie Monster seized domains and arrested suspects across 17 countries, a major blow to the credentials-as-a-service economy.
- Archetyp Market (2025): coordinated action across Europe and the U.S. removed one of the longest-running markets that permitted fentanyl sales.
- BreachForums (2024-2025): repeated actions against it show how forums and markets that trade stolen data are targeted and disrupted by international teams.
Europol's IOCTA 2024 ties these developments to broader trends: crime-as-a-service, ransomware affiliate models, and the sale of stolen data that drives everything from corporate email compromise to large-scale breaches.
What does this mean for companies?
1) Expect stolen data to surface. If you are breached or extorted, assume the criminals may publish samples on Tor leak sites to apply pressure. Have a plan to verify authenticity, notify regulators and customers where required, and contain the exposure (e.g. reset credentials, rotate keys, and disable tokens).
2) Harden identity and access. Most dark-web offerings monetize stolen access:
- Enforce phishing-resistant MFA and conditional access.
- Eliminate password reuse with SSO and password managers.
- Watch for unusual logins tied to known data breaches.
3) Reduce the “initial access” attack surface. Patch internet-facing apps, disable stale accounts, and enforce least privilege. IABs thrive where perimeter protection is weak.
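An added example (mine, not from the article) of what steps 2 and 3 look like as detection logic. It correlates constructed sign-in events with a list of accounts known to be exposed in a breach, flags a failed-then-successful sign-in from the same source, and lists directory accounts idle past a threshold as candidates to disable. The log format, the network labels, the 90-day idle threshold and every account name are assumptions made for the example.

```python
"""Added example (not from the article): correlate sign-in events with
breach-exposed accounts and list stale accounts that should be disabled.
All data below is constructed sample input."""
from datetime import datetime, timedelta

# Constructed: accounts whose credentials appeared in a breach dump or a
# dark-web monitoring alert (in practice this comes from your feed).
BREACHED_ACCOUNTS = {"alice@example.com", "svc-backup@example.com"}

# Assumption: network labels treated as trusted for a successful sign-in.
TRUSTED_NETWORKS = {"corp-vpn"}

# Constructed sign-in log: timestamp user source_ip result network_label
SAMPLE_LOG = """\
2025-06-01T08:02:11Z alice@example.com 203.0.113.7 success corp-vpn
2025-06-01T08:40:55Z bob@example.com 198.51.100.20 success corp-vpn
2025-06-01T23:17:03Z alice@example.com 192.0.2.99 success residential-isp
2025-06-02T02:05:41Z svc-backup@example.com 192.0.2.150 failure residential-isp
2025-06-02T02:06:02Z svc-backup@example.com 192.0.2.150 success residential-isp
2025-06-02T09:12:30Z carol@example.com 192.0.2.77 success residential-isp
"""

# Constructed directory export: account -> last successful sign-in.
DIRECTORY_LAST_SEEN = {
    "alice@example.com": datetime(2025, 6, 1, 23, 17, 3),
    "bob@example.com": datetime(2025, 6, 1, 8, 40, 55),
    "carol@example.com": datetime(2025, 6, 2, 9, 12, 30),
    "svc-backup@example.com": datetime(2025, 6, 2, 2, 6, 2),
    "old-contractor@example.com": datetime(2025, 1, 15, 10, 0, 0),
    "svc-legacy-ftp@example.com": datetime(2024, 11, 3, 4, 30, 0),
}

# Reference time for the stale-account check (constructed).
AUDIT_NOW = datetime(2025, 6, 3)


def parse_log(text):
    """Parse whitespace-separated sign-in lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, network = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "result": result,
            "network": network,
        })
    return events


def flag_breach_exposed_logins(events, breached, trusted=TRUSTED_NETWORKS):
    """Successful sign-ins by breach-exposed accounts from untrusted networks.

    A breached account signing in over the corporate VPN is lower priority;
    a success from an unknown network after the credentials leaked is the
    case worth paging on.
    """
    return [
        e for e in events
        if e["user"] in breached
        and e["result"] == "success"
        and e["network"] not in trusted
    ]


def failure_then_success(events, window=timedelta(minutes=5)):
    """Accounts with a failed then a successful sign-in from the same IP
    within `window`: a cheap signal that credential guessing landed."""
    hits = set()
    last_failure = {}            # (user, ip) -> time of most recent failure
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            last_failure[key] = e["ts"]
        elif e["result"] == "success" and key in last_failure:
            if e["ts"] - last_failure[key] <= window:
                hits.add(e["user"])
            del last_failure[key]
    return sorted(hits)


def stale_accounts(last_seen, now, max_idle_days=90):
    """Accounts idle longer than max_idle_days: candidates to disable."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(user for user, ts in last_seen.items() if ts < cutoff)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in flag_breach_exposed_logins(evs, BREACHED_ACCOUNTS):
        print("ALERT breached-account sign-in:", e["user"], e["ip"], e["ts"])
    print("failure->success:", failure_then_success(evs))
    print("stale accounts:", stale_accounts(DIRECTORY_LAST_SEEN, AUDIT_NOW))
```

Run stand-alone it prints two breached-account alerts (alice and the backup service account from residential networks), the service account as a failure-then-success hit, and the two idle accounts. In a real deployment the breached-account list is the output of your monitoring feed and the log comes from the identity provider; the logic stays the same.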
4) Monitor your data, smartly. Dark-web monitoring can help identify credential exposure and breach chatter, but it is not a panacea. Monitor Tor leak sites and the major forums tied to ransomware and data trading; pair alerts with an effective response runbook.
5) Cooperate with law enforcement. Recent operations (Hydra, Genesis, Archetyp) show that cross-border cooperation works. Preserve evidence, report promptly, and follow government guidance on incident response.
How law enforcement continues to gain ground
- Focus on the enablers: seizing markets, droppers/botnets and laundering hubs disrupts many actors at once (e.g., Operation Endgame targeting malware droppers).
- International playbooks: joint operations, sanctions (OFAC) and asset seizures raise the cost of doing crime and erode trust among criminals, especially when backend servers and escrow databases are captured.
- But adversaries adapt quickly: markets splinter, migrate or rebrand, which is why detection speed and resilience on the defender's side matter.
Bottom line
The dark web is not the cause of cybercrime but its megaphone and marketplace: a place where stolen data is monetized, access is bought and sold, and victims are selected. Its economics (anonymity, crypto and reputation systems) make it sticky; its weakness is that the markets, forums and infrastructure are accessible enough for investigators to reach, map and take down. Build your program around identity hardening, data-leak response and rapid reporting, and assume your adversaries are buying access, not building it.