Welcome to Searchlight Cyber’s Dark Web Hub, the digital companion to our book, The Practitioner’s Guide To The Dark Web. This site is designed to provide you with the latest updates on the marketplaces, forums, and ransomware leak sites mentioned in the book – so you can keep up to date with the dark web as it evolves.
One of the key aspects of the dark web is that it is always changing. Threat actors appear, disappear, and reappear with new names; cybercriminal tactics change as they find new products to sell; and law enforcement takes down sites and arrests the operators. This site will be updated to help investigators stay on top of the latest developments on the dark web. Scroll down to read on.
Searchlight presents
The practitioner’s guide to the Dark Web
Part One
Escrow Marketplaces
As the name suggests, a dark web marketplace is a site that offers (mostly illegal) products and services in exchange for payment. On escrow marketplaces, anyone with enough cash to pay the “vendor bond” can sign up and start selling. Imagine the dark web equivalents of Amazon or eBay, except with less reputable products and payments typically made anonymously using cryptocurrencies. As these examples demonstrate, there is a vast variety of goods and services for sale - ranging from hacking services, to counterfeit goods, to weapons - but especially drugs. Click on the marketplace names to learn more.
Nemesis
Nemesis is the only escrow market on this list without drugs as the top product category – though there are of course still plenty for sale. Instead, the most common listing classifications are guides and tutorials for carding. Nemesis is notable for the ongoing feud between itself and the operators of dark web forum Dread (see “Hacking Forums” below!).
Tor2Door
Update: In September 2023 the Tor2Door site closed and its administrators have been unresponsive. It is widely believed that the operators have exit-scammed. As well as drugs, Tor2Door also had an active market for fraud and cybercriminal activity.
Bohemia
Update: Launched in May 2021, Bohemia is primarily a drugs market skewing heavily towards cannabis. Since the closure of AlphaBay, ASAP, and Tor2Door, Bohemia has had an influx of new users as the next largest, most established market. It appears to have struggled with increased demand, experiencing downtime that could have been the result of its infrastructure not being ready to support so many new visitors.
AlphaBay
Update: AlphaBay has been inaccessible since February 2023 (likely exit scammed) but was the most popular dark web marketplace by number of vendors in 2022. The most common products listed on AlphaBay were drugs, guides and tutorials, mainly focused on fraud methods.
ASAP
Update: After an impressive three-year run, ASAP’s administrator announced on the dark web forum Dread in July 2023 that the marketplace was retiring and urged users to withdraw their coins. As ASAP was the biggest market by listing volume and second biggest by number of vendors, it left a big gap to fill.
Part Two
Autoshop Marketplaces
Autoshops are a particular type of dark web marketplace that specialize in the sale of digital products - such as financial data, login credentials, remote access, and cookies. They differ from escrow marketplaces in two main ways. Firstly, the transaction is automated (hence the name), meaning that there is little to no contact with the seller. Secondly, there are usually far fewer vendors active on the site, suggesting a somewhat closed ecosystem unlike the “open applications” ethos of escrow marketplaces. Autoshops are also more likely to operate on the clear web but often have some form of entry barrier, such as requiring a minimum account balance or an invite from a known user.
Genesis
UPDATE: In April 2023 Genesis was seized by international law enforcement agencies in a multinational takedown dubbed “Operation Cookie Monster”. Genesis had specialized in “browser fingerprints” – information that can be used by criminals to bypass anti-fraud solutions (such as MFA or device fingerprinting) by making the browser session appear identical to the victim’s.
2Easy
2Easy specializes in the sale of “logs”. This is typically data that is stored in the web browser, such as site credentials, cookies, and autofill form data, which can be used to digitally impersonate an individual and steal from their accounts.
RussianMarket
RussianMarket also specializes in the sale of “logs” – records harvested by information-stealing malware – as well as CVVs, dumps and remote desktop protocol access. Unsurprisingly, it is suspected to be of Russian origin.
BlackPass
BlackPass specializes in stolen login details needed to hijack e-commerce accounts – which often have associated payment data – rather than the card details directly. While all listings include at least the credentials required to log into accounts for sites like Amazon, Venmo, and Instagram, some accounts have PII associated with them such as the victim’s full name, country, ZIP code, bank and card details, and phone number.
BidenCash
BidenCash specializes in payment card data. In spite of the use of his name and image, it is highly unlikely to be associated with the president of the United States. In fact, it is probably a reference to Trump’s Dumps, a predecessor that used former President Donald Trump’s likeness.
Part Three
Hacking Forums
Dark web forums are very similar to their clear web counterparts in almost every way, except for the content they discuss. Indeed, some began life on the clear web before migrating to the dark web to evade surveillance or censorship, though others continue to maintain a clear web presence. As with marketplaces, forums cover the breadth of wider criminal activity. However, these examples show that in particular there is a thriving community of cybercriminals on dark web forums, sharing information, tutorials, access, and exploits. Some of these forums have been around for decades and, while the cybercriminal landscape has changed drastically, the perseverance of the markets shows that the dark web community remains very much the same.
XSS
Active since at least November 2004, XSS is probably the longest-running dark web forum on this list, although back then it went by DaMaGeLaB. XSS is very business-oriented, with sections on hacking, corporate access, database leaks, and even competitive intelligence. It also acts as an important recruitment and PR tool for Ransomware-as-a-Service (RaaS) schemes.
Exploit
Exploit and other Russian forums tend to view themselves as more professional than other dark web communities, often shunning non-Russian speakers and those perceived as unskilled or inexperienced. The site acts as a network for career cybercriminals to connect with potential collaborators on illegal business ventures, be it hacking, scamming, or working on Ransomware-as-a-Service (RaaS) schemes.
Cracked
Cracked takes its name from the act of “cracking”, slang for breaking into accounts or software (usually with the intention of circumventing payment). Users trade in tools, configs, tutorials and other resources to achieve this end, as well as discussing how to monetize their illicit activities.
BreachForums
UPDATE: BreachForums was shut down in March 2023 but re-emerged in June 2023, when Baphomet, one of its administrators, announced the return of BreachForums via a PGP-signed message on Telegram. After an initial difficult period, the site has reclaimed its position as the top forum for leaked database trading.
Dread
Dread is a dark web forum that was born out of Reddit’s clampdown on discussions around dark web markets and scamming techniques. Almost since its inception, it has been plagued by distributed denial-of-service (DDoS) attacks that have at times left it virtually unusable. Nevertheless, it remains a popular hub for dark web netizens interested in cybercrime.
Part Four
Ransomware Leaksites
As ransomware groups have become increasingly prolific over the past five years, one of the “newer” aspects of the dark web has been ransomware leak sites. These are effectively publicity sites where ransomware groups share the details of their latest victims. However, they also play an important role in how these groups orchestrate and monetize their attacks. Traditional ransomware tactics of encrypting data and holding it “ransom” changed when the groups realized that organizations were equally as fearful of the data being leaked. This has led to the rise of “double extortion”, where groups encrypt an organization’s data and also threaten to publish it - on their dark web leak sites. These sites provide the ransomware operators with a platform to accept payments from the victims, and a space to shame them if they don’t pay.
Clop
Update: Cl0p’s approach of targeting multiple organizations and then announcing them in quick succession distinguishes it from most other ransomware operations. This tactic made it especially infamous in June 2023 when it attacked hundreds of organizations through a vulnerability in the file transfer software MOVEit. The group’s activity has significantly dropped off since this attack.
Vice Society
Vice Society primarily targets the education sector but also counts healthcare organizations, hospitals, and enterprises among its victims. It exploits these companies by threatening to release their stolen data on its leak site. Unlike the other groups on this list, Vice Society is not a ransomware-as-a-service operation. However, with the recent discovery of a custom ransomware builder dubbed PolyVice, it is possible that Vice Society could be moving in that direction.
BlackBasta
BlackBasta is a Ransomware-as-a-Service (RaaS) operation that is notable for its high volume of attacks, use of custom tools, and suspected links to cybercriminal group FIN7. The group uses “double extortion” tactics to incentivize its victims to pay the demanded ransom, which means that as well as encrypting an organization’s data, it also exfiltrates it and threatens to publish the information on its dark web leak site.
BlackCat
BlackCat, also known as ALPHV or Noberus, is a Ransomware-as-a-Service (RaaS) group. It is noteworthy for being one of the first high-profile ransomware families to be written in Rust, a relatively modern programming language with features that make the malware harder to reverse engineer and defend against. It has also been reported that BlackCat lets its affiliates keep a larger share of the profits than other RaaS platforms.
LockBit
Since the closure of Conti in 2022, LockBit has become the most prolific Ransomware-as-a-Service operation currently active. On its latest leak site, LockBit 3.0, there are options on some victims’ listings to either extend the countdown timer by 24 hours, “destroy” the stolen data, or download the stolen data, for varying price points. LockBit also actively engages with its fans and – more commonly – detractors over dark web forums like XSS.
Active Since: September 2019
Victims Posted in the Past Year: 541
Known Aliases: LockBitSupp (XSS, Exploit forums), LockBit (XSS, Exploit forums)