Dark web monitoring provides critical intelligence about threat actors, leaked credentials, ransomware operations, and emerging threats. This guide covers safe monitoring techniques, key sources, and operational security considerations.
Legal and Safety Warning
Dark Web Intelligence Sources
🔒 Ransomware Leak Sites
Ransomware groups publish victim data and operational updates on dedicated .onion sites.
- Victim announcements and countdown timers
- Leaked data samples and full dumps
- Affiliate recruitment postings
- Group manifestos and rules
💬 Underground Forums
Russian, English, and Chinese forums where threat actors trade tools and services.
- XSS, Exploit.in, BreachForums
- Initial access broker listings
- Malware-as-a-Service offerings
- Vulnerability discussions
📋 Paste Sites
Text-sharing sites used to dump credentials, exploits, and sensitive data.
- Pastebin and alternatives
- Ghostbin, Rentry, Privatebin
- Credential dump announcements
- Doxing and leak previews
📱 Telegram Channels
Increasingly popular for threat actor communications and data sales.
- Ransomware group announcements
- Credential and stealer logs
- Carding and fraud channels
- Hacktivist coordination
Operational Security for Dark Web Research
OPSEC is Critical
Environment Setup
```text
# Never use your personal or work network directly
Research Environment Options:
├── Dedicated Hardware
│   ├── Air-gapped laptop for high-risk research
│   ├── Separate network connection (mobile hotspot)
│   └── Hardware write blockers for media analysis
│
├── Virtual Environment
│   ├── Whonix (Tor-routed Debian VMs)
│   ├── Tails (amnesic live system)
│   └── Qubes OS (compartmentalized VMs)
│
├── Network Isolation
│   ├── VPN (non-logging, paid with crypto)
│   ├── Tor Browser (never maximize window)
│   └── Multi-hop: VPN → Tor → (VPN)
│
└── Identity Separation
    ├── Dedicated research personas
    ├── Separate email (ProtonMail, Tutanota)
    └── Cryptocurrency for any transactions
```
Whonix Setup for Research
```bash
# Whonix is recommended for dark web research
# Two-VM architecture: Gateway (Tor) + Workstation
# Download from whonix.org
# Import both OVA files into VirtualBox

# Gateway VM settings:
#   - Network Adapter 1: NAT
#   - Network Adapter 2: Internal Network "Whonix"
# Workstation VM settings:
#   - Network Adapter 1: Internal Network "Whonix"
# All traffic from Workstation routes through Tor Gateway
# Even if Workstation is compromised, real IP is protected

# Update Whonix (in Gateway and Workstation)
sudo apt-get update && sudo apt-get dist-upgrade

# Install additional tools (Workstation)
sudo apt-get install mat2 bleachbit keepassxc
```
Ransomware Leak Site Monitoring
Ransomware groups maintain "leak sites" where they list victims and publish stolen data. Monitoring these sites provides early warning of breaches and insight into threat actor operations.
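As an added example (not code from the original guide), the processing and analysis steps this section and the intelligence cycle further down describe: normalizing leak-site victim records, deduplicating repeat postings by the same group, and matching the result against a watchlist of your own organisation's names and domains. The feed records, watchlist values and field names are constructed for the example and are not any real tracker's schema.

```python
import re
from urllib.parse import urlsplit

# Constructed sample records in the shape a leak-site tracker might export;
# the field names are an assumption for this example, not a real tracker's schema.
SAMPLE_FEED = [
    {"group": "LockBit", "victim": "Acme Health Systems, Inc.", "site": "https://acmehealth.example/", "discovered": "2024-03-01T10:00:00"},
    {"group": "lockbit", "victim": "ACME HEALTH SYSTEMS INC", "site": "www.acmehealth.example", "discovered": "2024-03-01T12:30:00"},
    {"group": "Play", "victim": "Northwind Traders", "site": "northwind.example", "discovered": "2024-03-02T08:00:00"},
    {"group": "Akira", "victim": "Contoso Ltd", "site": "", "discovered": "2024-03-02T09:15:00"},
]
# PIRs as a watchlist: your organisation, subsidiaries and key suppliers (constructed).
WATCHLIST = {"names": {"acme health systems"},
             "domains": {"acmehealth.example", "northwind.example"}}
_LEGAL_SUFFIX = re.compile(r"[,.\s]*\b(inc|ltd|llc|corp|plc|gmbh)\b\.?$", re.I)

def normalize_name(name: str) -> str:
    """Lower-case and strip legal suffixes/punctuation so victim spellings collide."""
    name = _LEGAL_SUFFIX.sub("", name.strip())
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

def normalize_domain(site: str) -> str:
    """Reduce a URL or bare host to a lower-case host without a leading www."""
    if not site:
        return ""
    host = urlsplit(site if "//" in site else "//" + site).hostname or ""
    return host[4:] if host.startswith("www.") else host

def dedupe(records: list) -> list:
    """Collapse repeat postings of one victim by one group, keeping the earliest."""
    seen = {}
    for rec in sorted(records, key=lambda r: r["discovered"]):
        key = (rec["group"].lower(),
               normalize_domain(rec["site"]) or normalize_name(rec["victim"]))
        seen.setdefault(key, rec)  # first (earliest) posting wins
    return list(seen.values())

def match_watchlist(records: list, watchlist: dict) -> list:
    """Alert on deduplicated records whose victim name or domain is watched."""
    alerts = []
    for rec in dedupe(records):
        hits = [label for label, hit in (
            ("name", normalize_name(rec["victim"]) in watchlist["names"]),
            ("domain", normalize_domain(rec["site"]) in watchlist["domains"])) if hit]
        if hits:
            alerts.append({"group": rec["group"], "victim": rec["victim"],
                           "first_seen": rec["discovered"], "matched_on": hits})
    return alerts
```

Run against a real export, the `first_seen` timestamp of a match is the value to compare against your own incident timeline; the two LockBit postings in the sample collapse into one alert because both normalize to the same group and domain.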
Major Ransomware Groups (2024)
| Group | Model | Notable Targets | Status |
|---|---|---|---|
| LockBit | RaaS (Affiliates) | Healthcare, Government, Manufacturing | Disrupted 2024 |
| BlackCat/ALPHV | RaaS (Rust-based) | Healthcare, Critical Infrastructure | Exit Scam 2024 |
| Cl0p | Big Game Hunting | MOVEit victims, Enterprise | Active |
| Play | RaaS | Government, Telecom | Active |
| Akira | RaaS | SMB, Education | Active |
| RansomHub | RaaS (Ex-ALPHV) | Healthcare, Critical Infra | Active |
Monitoring Tools & Services
Commercial Services
- Recorded Future - Comprehensive threat intel platform
- Flashpoint - Deep/dark web monitoring
- Intel471 - Underground marketplace monitoring
- DarkOwl - Dark web data aggregation
- Kela - Targeted threat intelligence
- SpyCloud - Credential exposure monitoring
Open Source & Free Tools
- RansomWatch - Ransomware leak site tracker
- Ransomware.live - Real-time ransomware tracking
- Have I Been Pwned - Breach notification service
- IntelligenceX - Search engine (free tier)
- DarkFeed - Ransomware group Twitter feeds
- vx-underground - Malware sample repository
Credential Monitoring
Stolen credentials from infostealers, phishing, and breaches are traded extensively on the dark web. Monitoring for your organization's exposed credentials is critical for proactive security.
```text
Credential Sources to Monitor:
│
├── Stealer Logs (Redline, Raccoon, Vidar, LummaC2)
│   ├── Full browser data (passwords, cookies, autofill)
│   ├── Cryptocurrency wallets
│   ├── VPN and RDP credentials
│   └── Sold in bulk on Telegram and markets
│
├── Breach Databases
│   ├── Collections (Collection #1-5, COMB)
│   ├── Service-specific breaches
│   ├── Combo lists (email:password pairs)
│   └── Sold or leaked on forums
│
├── Phishing Kits
│   ├── Real-time credential capture
│   ├── Session cookies (MFA bypass)
│   └── Often sold to other actors
│
└── Initial Access Brokers (IABs)
    ├── VPN/RDP access to corporate networks
    ├── Web shell access
    ├── Citrix, VMware, Pulse Secure credentials
    └── Priced by company revenue/size
```
Automated Monitoring Script
```python
#!/usr/bin/env python3
"""
Credential exposure monitoring using public APIs
For educational purposes - use commercial services for production
"""
import hashlib
import requests

HIBP_HEADERS = {'User-Agent': 'CredentialMonitor/1.0'}


def _headers(api_key: str = None) -> dict:
    """Build request headers; the API key is only sent when one is supplied."""
    headers = dict(HIBP_HEADERS)
    if api_key:
        headers['hibp-api-key'] = api_key  # Required for account/domain endpoints
    return headers


def check_hibp(email: str, api_key: str = None) -> dict:
    """Check Have I Been Pwned for breaches affecting an email address"""
    url = f"https://haveibeenpwned.com/api/v3/breachedaccount/{email}"
    try:
        response = requests.get(url, headers=_headers(api_key), timeout=10)
        if response.status_code == 200:
            return {'breached': True, 'breaches': response.json()}
        elif response.status_code == 404:
            # 404 means the address was not found in any breach
            return {'breached': False, 'breaches': []}
        else:
            return {'error': f"API returned {response.status_code}"}
    except requests.RequestException as e:
        return {'error': str(e)}


def check_password_pwned(password: str) -> int:
    """Check if password appears in breach databases using k-anonymity

    Only the first five hex characters of the SHA-1 hash leave this host;
    the full hash is compared locally against the returned suffixes.
    """
    sha1_hash = hashlib.sha1(password.encode('utf-8')).hexdigest().upper()
    prefix, suffix = sha1_hash[:5], sha1_hash[5:]
    # Query HIBP Passwords API (anonymous, no API key needed)
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    response = requests.get(url, headers=HIBP_HEADERS, timeout=10)
    response.raise_for_status()
    # Each response line is "HASH_SUFFIX:COUNT"; check if our suffix is present
    for line in response.text.splitlines():
        h, _, count = line.partition(':')
        if h == suffix:
            return int(count)
    return 0


def monitor_domain(domain: str, api_key: str) -> list:
    """Get all breaches affecting a domain (requires an API key and a verified domain)"""
    url = f"https://haveibeenpwned.com/api/v3/breacheddomain/{domain}"
    response = requests.get(url, headers=_headers(api_key), timeout=30)
    if response.status_code == 200:
        return response.json()
    return []


# Example usage
if __name__ == "__main__":
    # Check password (safe - uses k-anonymity)
    count = check_password_pwned("password123")
    print(f"Password found in {count:,} breaches")
    # Note: Email/domain checks require HIBP API key
    # Get one at: https://haveibeenpwned.com/API/Key
```
Underground Forum Intelligence
Forum Taxonomy
```text
Forum Classification:
│
├── Tier 1: Elite/Exclusive
│   ├── Invite-only, vouched membership
│   ├── Exploit developers, APT-linked actors
│   ├── Zero-day sales, nation-state tools
│   └── Examples: (invite-only Russian forums)
│
├── Tier 2: Professional Criminal
│   ├── Vetted membership, deposits required
│   ├── Malware devs, ransomware affiliates
│   ├── Corporate network access sales
│   └── Examples: XSS, Exploit.in, RAMP
│
├── Tier 3: Mid-Level
│   ├── Registration + activity requirements
│   ├── Carding, fraud, DDoS services
│   ├── Credential sales, RaaS affiliates
│   └── Examples: BreachForums, Cracked.io
│
└── Tier 4: Entry Level
    ├── Open or easy registration
    ├── Script kiddies, low-skill actors
    ├── Tutorials, leaked tools, HQ sharing
    └── Examples: Various clearnet forums
```
Common Forum Terminology
Access & Credentials
- Logs - Stolen data from infostealers
- Fullz - Complete identity package
- Combo - Email:password pairs
- RDP/VPN - Remote access credentials
- Shell - Web shell access
- Root - Full system access
Services & Tools
- FUD - Fully Undetectable (malware)
- Crypter - AV evasion tool
- Loader - Malware delivery service
- Bulletproof - Abuse-tolerant hosting
- Drop - Money mule or delivery address
- Escrow - Transaction middleman
Financial Terms
- CC/CVV - Credit card with security code
- Dump - Magnetic stripe data
- Track 1/2 - Card magnetic data
- BIN - Bank Identification Number
- Cash out - Converting to real money
Reputation & Trust
- Vouch - Reputation endorsement
- Ripper - Scammer who doesn't deliver
- Verified - Admin-confirmed seller
- Deposit - Bond held by forum
- Feedback - Transaction reviews
Telegram Intelligence
Telegram has become a major hub for threat actor communications due to perceived anonymity, encryption, and resistance to law enforcement takedowns.
```text
Telegram OSINT Methods:
│
├── Manual Monitoring
│   ├── Join public channels (use burner account)
│   ├── Search @username or t.me/channelname
│   ├── Use web.telegram.org for screenshot safety
│   └── Monitor channel exports with Telegram Desktop
│
├── Automated Collection
│   ├── Telethon library (Python)
│   ├── TelegramBot API for public data
│   └── Commercial: SocialLinks, Maltego, Babel Street
│
├── Search Tools
│   ├── tgstat.com - Channel statistics
│   ├── lyzem.com - Telegram search engine
│   ├── telegram-group.com - Group directory
│   └── IntelligenceX - Telegram message search
│
└── Key Channel Types
    ├── Ransomware group announcements
    ├── Stealer log marketplaces
    ├── Carding/fraud channels
    ├── Data breach announcements
    └── Hacktivist coordination
```
Telegram Monitoring Script
```python
#!/usr/bin/env python3
"""
Telegram channel monitoring using Telethon
Get API credentials from: https://my.telegram.org
"""
import asyncio
import json
from datetime import datetime

from telethon import TelegramClient, events
from telethon.tl.functions.channels import JoinChannelRequest

# API credentials (get from my.telegram.org)
API_ID = 12345678  # placeholder: replace with your numeric api_id
API_HASH = 'your_api_hash'
PHONE = '+1234567890'

# Channels to monitor (use invite links or usernames)
CHANNELS = [
    # Add channel usernames or links
    # Example: 'channelname' or 'https://t.me/channelname'
]

# Keywords to alert on
KEYWORDS = [
    'your_company',
    'your_domain.com',
    'ransomware',
    'data leak',
    'credentials',
]


async def monitor_channels():
    # The context manager connects the client; start() completes the login
    # (a code is requested for PHONE on first run, then the session file is reused)
    async with TelegramClient('monitor_session', API_ID, API_HASH) as client:
        await client.start(phone=PHONE)

        # Join channels
        for channel in CHANNELS:
            try:
                await client(JoinChannelRequest(channel))
                print(f"[+] Joined {channel}")
            except Exception as e:
                print(f"[-] Failed to join {channel}: {e}")

        # Monitor new messages (an empty CHANNELS list matches nothing)
        @client.on(events.NewMessage(chats=CHANNELS))
        async def handler(event):
            message = event.message.text or ""
            chat = await event.get_chat()
            # Check for keywords
            for keyword in KEYWORDS:
                if keyword.lower() in message.lower():
                    alert = {
                        'timestamp': datetime.now().isoformat(),
                        'channel': getattr(chat, 'username', None) or str(event.chat_id),
                        'keyword': keyword,
                        'message': message[:500],
                        'message_id': event.message.id,
                    }
                    print(f"[ALERT] Keyword match: {keyword}")
                    print(json.dumps(alert, indent=2))
                    # Add alerting logic (email, Slack, SIEM, etc.)
                    break

        print("[*] Monitoring started...")
        await client.run_until_disconnected()


if __name__ == "__main__":
    asyncio.run(monitor_channels())
```
Intelligence Collection Best Practices
Collection Framework
```text
Dark Web Intelligence Cycle:
│
├── 1. Planning & Direction
│   ├── Define Priority Intelligence Requirements (PIRs)
│   ├── Identify relevant sources for your industry
│   ├── Establish collection frequency
│   └── Define alerting thresholds
│
├── 2. Collection
│   ├── Automated monitoring (APIs, scrapers)
│   ├── Manual research (forums, channels)
│   ├── Commercial feed subscriptions
│   └── OSINT aggregation
│
├── 3. Processing
│   ├── Normalize data formats
│   ├── Deduplicate entries
│   ├── Translate foreign language content
│   └── Extract structured IOCs
│
├── 4. Analysis
│   ├── Correlate with internal logs
│   ├── Assess credibility of sources
│   ├── Identify patterns and trends
│   └── Prioritize by risk/impact
│
├── 5. Dissemination
│   ├── Executive summaries
│   ├── Technical IOC feeds
│   ├── SOC alerts and tickets
│   └── Threat briefings
│
└── 6. Feedback
    ├── Track intelligence usage
    ├── Measure detection rates
    ├── Refine collection priorities
    └── Update source reliability ratings
```
Attribution Considerations
Attribution is Difficult
```text
Attribution Confidence Levels:

High Confidence (Multiple corroborating sources)
├── Technical: Unique malware, infrastructure overlap
├── Operational: Consistent TTPs, targeting patterns
├── Strategic: Timing with geopolitical events
└── Human: HUMINT, legal/government attribution

Medium Confidence (Some corroboration)
├── Shared infrastructure or tooling
├── Similar operational patterns
├── Consistent victimology
└── Some unique identifiers

Low Confidence (Single source or circumstantial)
├── Forum persona claims
├── Malware similarity only
├── Generic TTPs
└── Could be false flag

Example Assessment:
"We assess with MEDIUM confidence that this campaign
is linked to [Actor] based on:
- Infrastructure overlap with previous campaigns
- Similar phishing lure themes
- Targeting of [sector] consistent with known interests
Caveats: TTPs are not unique and tooling is publicly available."
```
Resources
Tracking Resources
- ransomware.live - Real-time tracking
- ransomlook.io - Ransomware group monitor
- deepdarkCTI - CTI resource collection
- vx-underground - Malware samples & papers