Account Takeover (ATO)

An attack technique where a threat actor takes over a legitimate user account using stolen passwords and usernames, which have often been purchased from the dark web.

Active Directory

An internal directory service (think digital phone book) that allows administrators to manage user permissions and control user access to network resources. Developed by Microsoft for Windows domains.

Advanced Persistent Threat Group (APT)

Groups that carry out attacks on a nation's cybersecurity or economic assets through acts of cyberespionage or sabotage.


A type of dark web marketplace that specializes in the sale of credit card, debit card or bank account information, as well as the credentials, cookies and remote access needed to take over online accounts. The term “autoshop” refers to the transaction process being automated. Autoshops sell digital products, which means that the purchased item can be delivered instantly to the buyer with little to no input required from the vendor. Click here to find out more.


Back Door

Refers to a concealed vulnerability or exploit in a system that can be used to bypass security features and gain access to restricted data. This can be added on purpose by developers for later access or by accident, for example by leaving a testing password in the release version that was intended to be removed.


A collection of infected computers that form a network, which is remotely controlled by a threat actor. Botnets can be used to perform coordinated functions, combining their computing power to conduct DDoS attacks or sending spam emails. Botnets attacks originate from many different IP addresses, making them difficult to trace.

Browser fingerprints

Browser Fingerprints are harvested from computers that have been infected with information stealer malware. They often include data such as credentials, payment information, cookies, IP addresses and user-agent strings, which can be used to bypass anti-fraud solutions by making the browser session appear identical to the victim’s.

Brute Force Attack

A technique where the attacker uses computing power and time to gain access to a network. These attacks often follow a loose set of rules. For example, in the case of brute-forcing a password, an attacker might start at 0 and progress incrementally trying each possible combination before moving onto the next option.



A PGP-signed message, usually posted by dark web market or forum administrators to signify that they are still in control of the site (not to be confused with a warrant canary, which is a method used to alert people that a gag order has been served on a site or provider).


The process of stealing personal and banking card details. These are either sold to the highest bidder or used for identity fraud, to extract as many funds as possible from an individual's accounts.

Clear Web

The clear (or surface) web comprises all the publicly available websites that are indexed in search engines, where anyone can find and access them.


Combinations of credentials, usually names, emails, and passwords, that all relate to a single individual.

Command and Control (C2) Server

Cybercriminals use command-and-control servers to remotely control compromised devices. This server is used to move laterally through systems and exfiltrate stolen data from an affected network.

Credential Stuffing

Using credentials from previous cyberattacks or leaks  to try and gain access to a different account linked to the same user.

Critical National Infrastructure (CNI)

Infrastructure that is vital to the functioning of a society or a state, including water supply, transport, networks, and energy companies.

Cross-Site-Scripting (XSS)

Cross-Site-Scripting (XSS) is a cyberattack technique where malicious code is “injected” into trusted, legitimate websites.


A type of software that can encrypt, obfuscate, and manipulate malware, making it more difficult for security programs to detect it. Threat actors use it to create malware that can bypass security programs as it appears to be a harmless program until it is installed on the victim’s system.


A digital currency used as an alternative form of payment. Usually built on the blockchain and created using encryption algorithms, with an emphasis on anonymity.

Cryptocurrency Exchange

A business that allows users to exchange different cryptocurrencies or change their cryptocurrencies for traditional (fiat) currency such as USD.

Cyber Kill Chain

Originally developed by Lockheed Martin, the Cyber Kill Chain is a framework to explain the series of steps a cybercriminal must complete in order to execute their attack. Click here to find out more.


Dark Web

The dark web is a subset of the deep web, which is deliberately obfuscated and often requires specialized software, such as Tor, to access. It accounts for approximately five percent of the internet and, while it is also used for ethical purposes, the majority of traffic on the dark web is explicitly illegal. Click here to find out more about the dark web.

Dark Web Forum

A dark web forum is a website, accessible only via networks such as Tor and I2P, where users post and participate in discussion threads. Forums can cover a broad range of topics or be focused on a specific niche. Popular dark web forum discussion topics include the sale and use of drugs, carding and fraud, and hacking.

Dark Web Marketplace

Derived from “black market”, a dark web market is a site only accessible via anonymity networks such as Tor and I2P, that offers products and services in exchange for payment. The vast majority of dark web markets focus on the sale and purchase of illicit products and services, ranging from drugs, to hacking services, to weapons. Payments are typically made using cryptocurrencies, due to the increased anonymity associated with their use compared to traditional e-commerce transactions.

Data Leak

The release of data, giving unauthorized parties access to confidential information. This could be the result of a cyberattack, data deliberately stolen by a malicious insider, or an accidental leak due to human error. The information in data leaks can be used to execute further attacks.

Deep Web

The deep web refers to parts of the internet not accessible using standard search engines. It is made up of pages that are not indexed, including fee-for-service sites (like Netflix and Spotify), private databases (such as Dropbox and Paypal), and portals (for example, for Universities or organizations). It accounts for roughly 80 percent of the internet. Click here to find out more about the differences between the clear, deep, and dark web.

Distributed-Denial-of-Service (DDoS) Attacks

A DDoS attack makes a service unavailable by flooding it with requests, to the point where legitimate requests cannot be dealt with. 

Dox Sites

Doxxing is the practice of finding and sharing personal or identifying information about a person or organization on the internet, usually with malicious intent. Dox sites are websites specifically dedicated to sharing these details, which could include their full name, home address, or phone number.



A type of dark web marketplace where multiple sellers sell to buyers through one site. Buyers transfer their money to the marketplace, who holds the funds until the seller provides the goods or services.

Exit scam

An exit scam is when a dark web market’s administrators withdraw the funds they are holding on behalf of the buyers and sellers and disappear.



A decentralized dark web network that uses peer-to-peer connections to avoid censorship. Freenet is mostly used for file distribution such as blogs and publishing data that would otherwise be removed from the clear web.


Dark web slang for a "full" packet of financial and personal information needed to commit fraud against an individual. "Fullz" are commonly sold on dark web marketplaces.


Incident Response (IR)

The process of containing and recovering from a data breach or cyber attack, with the objective of mitigating the damage to the organization.

Indicators of Compromise (IOC)

Forensic data, such as data found in system log entries or files, that identifies malicious activity on a system or network. Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, or other threat activity.


Short for information stealing malware, infostealers are designed to extract valuable victim data hat could be used to conduct fraud or other cyberattacks.

Internet Protocol (IP) Address

Every device connected to the internet is assigned a unique numerical identifier, an IP address, created by internet service providers (ISPs). Multiple users of the same network have the same IP address and it can be used to approximate a user's location.

Invisible Internet Project (I2P)

The Invisible Internet Project (I2P) is an anonymous network layer designed to facilitate private communication between its users. As it intentionally obfuscates activity, it fits the definition of what is commonly referred to as a dark web network. Click here to find out more about how I2P works.



Advertisements containing hidden programs that are used as a delivery method for malware.


A piece of software designed to cause adverse effects on the system it is running on. Examples include viruses and ransomware.


The MITRE ATT&CK framework is a free tool for organizations to map their defenses against the Tactics, Techniques and Procedures (TTPs) cybercriminals.

Multi-Factor Authentication (MFA)

An extra layer of protection used to ensure the security of online accounts beyond just a username and password. Can take the form of an authentication app, token, text message or other such additional security feature. Also known as Two-Factor Authentication (2FA).



Websites on the Tor dark web network are known as onions or hidden services. Domains on Tor end in .onion, proceeded by a random combination of characters.

Open Source Intelligence (OSINT)

Data gathered from publicly available sites such as social media, government websites, arrest records, and news outlets. This intelligence is collected and disseminated for specific intelligence requirements.

Operational Security (OPSEC)

Originally a military term, OPSEC describes the process of identifying and obscuring information that could be gathered and exploited by an adversary.


Paste Bins

Text repository sites usually hosted on the clear web. These often contain items such as URLS or credential combos, as well as advertisements of data for sale.


An update to a program or its code that fixes a bug or vulnerability.

Penetration Testing (Pentest)

Simulated attack exercises, usually carried out by an external consultant, to identify security vulnerabilities and inform defense.


A social engineering attack over email, text message, or direct message, which tricks the victim either to enter their credentials or to download a malware via a malicious attachment.

Pre-Attack Intelligence

Threat intelligence that relates to the pre-attack tactics of threat actors, i.e. the actions they take before they breach the network of an organization. These tactics are defined in the MITRE ATT&CK framework as Reconnaissance and Resource Development. Click here to find out more about pre-attack intelligence.

Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) refers to an encryption program used for communication and authentication purposes. A public PGP key is used to encrypt a message before sending and the corresponding private key is then used to decrypt the message for its intended recipient. As each public key is unique, dark web users, especially market or forum admins, often use PGP keys to verify their identity and assure fellow users that their account has not been compromised.


A proxy IP address is an online server that accepts and forwards requests for different devices on the internet. Hiding the user's true IP address, they are often used by threat actors trying to blend in with normal traffic while conducting malicious activity like data exfiltration.



A type of malware designed to deny a user or organization access to files on their computer by encrypting them. The malicious actors then demand a ransom payment in exchange for the decryption key, often also threatening to publish or sell potentially damaging information online if victims do not pay. Click here to find out more about ransomware groups on the dark web.

Ransomware-as-a-Service (RaaS)

A subscription-based ransomware model that enables affiliates to use already-existing ransomware tools to carry out attacks, while the RaaS operators take a percentage of every ransom payment.


The pre-attack techniques of cybercriminals as they gather information on their target, before executing their attacks. This may include details of the victim organization, infrastructure, or staff/personnel. 

Resource Development

The pre-attack techniques of cybercriminals, as they gather the resources they need to execute their attack on a victim. This includes creating, purchasing, or compromising/stealing resources that can be used to support targeting.


The Onion Router (Tor)

The Onion Router (Tor) is a dark web network accessed through free browser software. It enables more anonymous use of the internet and also hosts sites (known as onions) that are inaccessible through standard web browsers. Tor achieves this anonymization via a process called onion routing through thousands of relays – also called nodes – all over the world. Click here to find out more about how Tor works.

Threat Intelligence

Gathering information and data on cyber threats and threat actors to help inform defenses, to mitigate or prevent potential cyberattacks.

Threat Modeling

A process for identifying and prioritizing potential threats, based on threat intelligence, so that countermeasures can be developed.


Zero Day

A vulnerability that hasn't been either identified or addressed by those responsible for maintaining the technology, which can be abused by malicious actors until a patch is released. The term “zero day” refers to how long developers have to fix the issue before it becomes an issue for their customers.