Thedark web is theWorld Wide Web content that exists ondarknets (overlay networks) that use theInternet, but require specific software, configurations, orauthorization to access.[1][2][3][4] Through the dark web, private computer networks can communicate and conduct business anonymously without divulging identifying information, such as a user's location.[5][6] The dark web forms a small part of thedeep web, the part of the web notindexed byweb search engines, although sometimes the termdeep web is mistakenly used to refer specifically to the dark web.[7][2][8]
The darknets which constitute the dark web include small,friend-to-friend networks, as well as large, popular networks such asTor,Hyphanet,I2P, andRiffle operated by public organizations and individuals.[6] Users of the dark web refer to the regular web asclearnet due to itsunencrypted nature.[9] The Tor dark web or onionland[10] uses the traffic anonymization technique ofonion routing under the network'stop-level domain suffix.onion.
The dark web has often been confused with thedeep web, the parts of the web not indexed (searchable) by search engines. The termdark web first emerged in 2009; however, it is unknown when the actual dark web first emerged.[11] Many internet users only use thesurface web, data that can be accessed by a typicalweb browser.[12] The dark web forms a small part of the deep web, but requires custom software in order to access its content. This confusion dates back to at least 2009.[13] Since then, especially in reporting onSilk Road, the two terms have often been conflated,[14] despite recommendations that they should be distinguished.[1][7]
The dark web, also known as darknet websites, are accessible only through networks such asTor ("The Onion Routing" project) that are created specifically for the dark web.[12][15] Tor browser and Tor-accessible sites are widely used among the darknet users and can be identified by the domain ".onion".[16] Tor browsers create encrypted entry points and pathways for the user, allowing their dark web searches and actions to be anonymous.[12]
Identities and locations of darknet users stay anonymous and cannot be tracked due to the layeredencryption system. The darknet encryption technology routes users' data through a large number of intermediate servers, which protects the users' identity and guarantees anonymity. The transmitted information can be decrypted only by a subsequentnode in the scheme, which leads to the exit node. The complicated system makes it almost impossible to reproduce the node path and decrypt the information layer by layer.[17] Due to the high level of encryption, websites are not able to trackgeolocation and IP of their users, and users are not able to get this information about the host. Thus, communication between darknet users is highly encrypted allowing users to talk, blog, and share files confidentially.[18]
| Category | % of total | % of active |
|---|---|---|
| Violence | 0.3 | 0.6 |
| Arms | 0.8 | 1.5 |
| Illicit Social | 1.2 | 2.4 |
| Hacking | 1.8 | 3.5 |
| Illicit links | 2.3 | 4.3 |
| Illicit pornography | 2.3 | 4.5 |
| Extremism | 2.7 | 5.1 |
| Illicit Other | 3.8 | 7.3 |
| Illicit Finance | 6.3 | 12 |
| Illicit Drugs | 8.1 | 15.5 |
| Non-illicit+Unknown | 22.6 | 43.2 |
| Illicit total | 29.7 | 56.8 |
| Inactive | 47.7 | |
| Active | 52.3 |
A December 2014 study by Gareth Owen from theUniversity of Portsmouth found that the most commonly hosted type of content on Tor waschild pornography, followed byblack markets, while the individual sites with the highest traffic were dedicated tobotnet operations (see attached metric).[21] Manywhistleblowing sites maintain a presence[22] as well as political discussion forums.[23] Sites associated withBitcoin,fraud-related services, andmail order services are some of the most prolific.[21]
As of December 2020, the number of active Tor sites in .onion was estimated at 76,300 (containing a lot of copies). Of these, 18 000 would have original content.[24]
In July 2017,Roger Dingledine, one of the three founders of the Tor Project, said thatFacebook is the biggest hidden service. The dark web comprises only 3% of the traffic in the Tor network.[25]
A February 2016 study from researchers atKing's College London gives the following breakdown of content by an alternative category set, highlighting the illicit use of .onion services.[17][26]
Ransomware groups rely on dark web infrastructure across the attack lifecycle. Ransomware-as-a-Service (RaaS) operators recruit affiliates through dark web forums such as RAMP and, prior to bans imposed after the 2021Colonial Pipeline attack, Exploit and XSS, where they advertise toolkits, commission structures typically offering affiliates 60–80% of ransom proceeds, and vet prospective partners.[27][28][29] Most prominent ransomware groups also operate dedicated data leak sites on theTor network as part of a double extortion model pioneered by the Maze ransomware group in November 2019, in which stolen data is published or threatened to be published if victims refuse to pay, with groups such asLockBit, ALPHV/BlackCat, andCl0p hosting data from hundreds of victim organizations.[30][31][32] Rather than conducting the full attack lifecycle independently, many ransomware affiliates purchase pre-established network access frominitial access brokers (IABs), specialized threat actors who compromise organizations through methods such as exploiting vulnerable systems, phishing, or leveraging credentials frominfostealer malware, and sell that access on underground forums, with listings typically priced by factors including victim revenue, access type (VPN, RDP, Active Directory), and geographic location.[33][34][35] This division of labor has created an efficient criminal supply chain that lowers the technical barrier to entry for ransomware attacks.[36]
Botnets are often structured with theircommand-and-control servers based on a censorship-resistant hidden service, creating a large amount of bot-related traffic.[21][37]
Commercialdarknet markets mediate transactions for illegal goods and typically useBitcoin as payment.[38] These markets have attracted significant media coverage, starting with the popularity ofSilk Road and its subsequent seizure by legal authorities.[39] Silk Road was one of the first dark web marketplaces that emerged in 2011 and has allowed for the trading of illegaldrugs,weapons andidentity fraud resources.[38] These markets have no protection for its users and can be closed down at any time by authorities.[38] Despite the closures of these marketplaces, others pop up in their place.[38] As of 2020, there have been at least 38 active dark web market places, even though there can be many more.[38] Thesemarketplaces are similar to that ofeBay orCraigslist where users can interact with sellers and leave reviews about marketplace products.[38]
Examination of price differences in dark web markets versus prices in real life or over the World Wide Web have been attempted as well as studies in the quality of goods received over the dark web. One such study was performed on Evolution, one of the most popularcrypto-markets active from January 2013 to March 2015.[40] Although it found the digital information, such as concealment methods and shipping country, "seems accurate", the study uncovered issues with the quality of illegal drugs sold in Evolution, stating that, "the illicit drugs purity is found to be different from the information indicated on their respective listings."[40] Less is known about consumer motivations for accessing these marketplaces and factors associated with their use.[41] Darknet markets have also provided leaked credit card information that was made available for free.[42]
Bitcoin is one of the maincryptocurrencies used in dark web marketplaces due to the flexibility and relative anonymity of the currency.[43] With bitcoin, people can hide their intentions as well as their identity.[44] A common approach was to use adigital currency exchanger service which converted bitcoin into an online game currency (such as gold coins inWorld of Warcraft) that will later be converted back into fiat currency.[45][46]Bitcoin services such astumblers are often available onTor, and some – such asGrams – offer darknet market integration.[47][48] A research study undertaken by Jean-Loup Richet, a research fellow atESSEC, and carried out with theUnited Nations Office on Drugs and Crime, highlighted new trends in the use of bitcoin tumblers formoney laundering purposes, usingescrows.
Due to its relevance in the digital world, bitcoin has become a popular product for users to scam companies with.[43] Cybercriminal groups such as DDOS"4" have led to over 140cyberattacks on companies since the emergence of bitcoins in 2014.[43] These attacks have led to the formation of other cybercriminal groups as well as Cyber Extortion.[43]
Manyhackers sell their services either individually or as a part of groups.[49] Such groups includexDedic,hackforum, Trojanforge,Mazafaka,dark0de and theTheRealDeal darknet market.[50] Some have been known totrack andextort apparent pedophiles.[51] Cyber crimes and hacking services for financial institutions and banks have also been offered over the dark web.[52] Attempts to monitor this activity have been made through various government and private organizations, and an examination of the tools used can be found in theProcedia Computer Science journal.[53] Use of Internet-scale DNS distributed reflection denial of service (DRDoS) attacks have also been made through leveraging the dark web.[54] There are many scam .onion sites also present which end up giving tools for download that are infected withtrojan horses orbackdoors.
Recently, around 100,000 compromisedChatGPT users' login information was sold on the dark web in 2023. Additionally, the logs showed, in the opinion of the researchers, that the majority of the compromised ChatGPT passwords had been extracted by the data-stealing virus Raccoon.[55]
Scott Dueweke the president and founder of Zebryx Consulting states that Russian electronic currency such asWebMoney and Perfect Money are behind the majority of the illegal actions.[44] In April 2015, Flashpoint received a 5 million dollar investment to help their clients gather intelligence from the deep and dark web.[56] There are numerouscardingforums,PayPal andbitcoin trading websites as well as fraud and counterfeiting services.[57] Many such sites are scams themselves.[58]Phishing via cloned websites and otherscam sites are numerous,[59][60] withdarknet markets often advertised with fraudulent URLs.[61][62]
The type of content that has the most popularity on the dark web is illegal pornography—more specifically,child pornography.[43] About 80% of its web traffic is related to accessing child pornography despite it being difficult to find even on the dark web.[43] A website calledLolita City, which has since been taken down, contained over 100 GB of child pornographic media and had about 15,000 members.[43]
There is regularlaw enforcement action against sites distributing child pornography[63][64] – often via compromising the site and tracking users'IP addresses.[65][66] In 2015, theFBI investigated and took down a website calledPlaypen.[43] At the time, Playpen was the largest child pornography website on the dark web with over 200,000 members.[43] Sites use complex systems of guides, forums and community regulation.[67] Other content includessexualised torture and killing of animals[68] andrevenge porn.[69] In May 2021,German police said that they had dismantled one of the world's biggest child pornography networks on the dark web known asBoystown; the website had over 400,000 registered users. Four people had been detained in raids, including a man fromParaguay, on suspicion of running the network.Europol said several pedophile chat sites were also taken down in the German-led intelligence operation.[70][71]
Terrorist organizations took to the internet as early as the 1990s; the birth of the dark web attracted these organizations due to the anonymity, lack of regulation, social interaction, and easy accessibility.[72] These groups have been taking advantage of the chat platforms within the dark web to inspire terrorist attacks.[72] Groups have even posted "How To" guides, teaching people how to become and hide their identities as terrorists.[72]
The dark web became a forum for terrorist propaganda, guiding information, and most importantly, funding.[72] With the introduction of Bitcoin, anonymous transactions were created which allowed for anonymous donations and funding.[72] By accepting Bitcoin, terrorists were now able to fund purchases of weaponry.[72] In 2018, an individual named Ahmed Sarsur was charged for attempting to purchase explosives and hire snipers to aid Syrian terrorists, as well as attempting to provide them financial support, all through the dark web.[43]
There are at least some real and fraudulent websites claiming to be used byISIL (ISIS), including a fake one seized inOperation Onymous.[73] With the increase of technology, it has allowed cyber terrorists to flourish by attacking the weaknesses of the technology.[74] In the wake of theNovember 2015 Paris attacks, an actual such site was hacked by anAnonymous-affiliated hacker group,GhostSec, and replaced with an advert forProzac.[75] TheRawti Shax Islamist group was found to be operating on the dark web at one time.[76]
Within the dark web, there exists emerging social media platforms similar to those on the World Wide Web, this is known as the Dark Web Social Network (DWSN).[77] The DWSN works a like a regular social networking site where members can have customizable pages, have friends, like posts, and blog in forums.Facebook and other traditional social media platforms have begun to make dark-web versions of their websites to address problems associated with the traditional platforms and to continue their service in all areas of the World Wide Web.[78] Unlike Facebook, the privacy policy of the DWSN requires that members are to reveal absolutely no personal information and remain anonymous.[77]
There are reports ofcrowdfunded assassinations andhitmen for hire;[79][80] however, these are believed to be exclusively scams.[81][82] The creator ofSilk Road,Ross Ulbricht, was arrested by Homeland Security investigations (HSI) for his site and allegedly hiring a hitman to kill six people, although the charges were later dropped.[83][84] There is anurban legend that one can findlive murder on the dark web. The term "Red Room" has been coined based on the Japanese animation and urban legend of the same name; however, the evidence points toward all reported instances beinghoaxes.[85][86]
On June 25, 2015, theindie gameSad Satan was reviewed by YouTubersObscure Horror Corner which they claimed to have found via the dark web. Various inconsistencies in the channel's reporting cast doubt on the reported version of events.[87] There are several websites which analyze and monitor the deep web and dark web for threat intelligence.[88]
There have been arguments that the dark web promotes civil liberties, like "free speech, privacy, anonymity".[5] Some prosecutors and government agencies are concerned that it is a haven forcriminal activity.[89] The deep and dark web are applications of integral internet features to provide privacy and anonymity. Policing involves targeting specific activities of the private web deemed illegal or subject tointernet censorship.
When investigating online suspects, police typically use the IP (Internet Protocol) address of the individual; however, due to Tor browsers creating anonymity, this becomes an impossible tactic.[90] As a result, law enforcement has employed many other tactics in order to identify and arrest those engaging in illegal activity on the dark web.[91]OSINT, or Open Source Intelligence, are data collection tools that legally collect information from public sources.[90] OSINT tools can be dark web specific to help officers find bits of information that would lead them to gaining more knowledge about interactions going on in the dark web.[90]
In 2015 it was announced thatInterpol now offers a dedicated dark web training program featuring technical information on Tor,cybersecurity and simulated darknet market takedowns.[92] In October 2013 the UK'sNational Crime Agency andGCHQ announced the formation of a "Joint Operations Cell" to focus on cybercrime. In November 2015 this team would be tasked with tackling child exploitation on the dark web as well as other cybercrime.[93] In March 2017 theCongressional Research Service released an extensive report on the dark web, noting the changing dynamic of how information is accessed and presented on it; characterized by the unknown, it is of increasing interest to researchers, law enforcement, and policymakers.[94] In August 2017, according to reportage, cybersecurity firms which specialize in monitoring and researching the dark web on behalf of banks and retailers routinely share their findings with theFBI and with other law enforcement agencies "when possible and necessary" regarding illegal content. The Russian-speaking underground offering a crime-as-a-service model is regarded as being particularly robust.[95]
Manyjournalists, alternativenews organizations, educators, and researchers are influential in their writing and speaking of the dark web, and making its use clear to the general public.[96][97] Media coverage typically reports on the dark web in two ways; detailing the power and freedom of speech the dark web allows people to express, or more commonly reaffirms the illegality and fear of its contents, such as computer hackers.[77] Many headlines tie the dark web to child pornography with headlines such as, "N.J. man charged with surfing 'Dark Web' to collect nearly 3K images of child porn",[98] along with other illegal activities where news outlets describe it as "a hub for black markets that sell or distribute drugs".[99][77]
SpecialistClearweb news sites such asDeepDotWeb[100][101] andAll Things Vice[102] provide news coverage and practical information about dark web sites and services; however,DeepDotWeb was shut down by authorities in 2019.[103]The Hidden Wiki and itsmirrors andforks hold some of the largestdirectories of content at any given time. Traditional media and news channels, such asABC News (Australia), have also featured articles examining the darknet.[104][105]
