2FA or two-factor authentication is a method for further securing accounts, more so than the traditional password-only authentication. Users usually have a separate device or service that gives them a code based on a shared algorithm or asks for verification that it is them trying to access the account, therefore providing higher levels of security. 



Software designed to forcibly show users adverts that would not otherwise show up.

Air gapped

Used to describe a network security measure where certain machines are not connected to the rest of the network or to the outside world. This makes many non physical attacks impossible as the machine requires the user to be physically present to use it.


An altcoin describes a cryptocurrency that is not mainstream such as Bitcoin. 


An API key (application programming interface key) is used to grant access and authenticate a user. They are often used to set a standard way of getting two programs to communicate and interface properly, allowing users to easily communicate with a service without having to be too knowledgeable about how it works.  


An Autoshop is a feature that is found on some markets and forums. Instead of having each transaction dealt with manually by the vendor, Autoshops have automatic transactions, not requiring user input from the vendor once set up. These are most commonly used to sell details from carding with one of the best-known carding Autoshops being SLILPP.


Back door

A back door is a concealed vulnerability or exploit in a system where users can bypass implemented security features such as login and gain access to restricted data/features. This can be added on purpose by developers to access later or by accident, for example leaving a testing password in the release version that was intended to be removed.

Bitcoin exchange

A bitcoin exchange or cryptocurrency exchange is a business that allows users to exchange their cryptocurrencies for other cryptocurrencies and centralised currencies such as USD.

Bitcoin tumbler

A bitcoin tumbler or a mixer is a service where users input their bitcoins that may have been acquired from illegal means such as markets, these bitcoins are all held in a central account that then redistributes a similar amount back to the user. This makes tracking a cryptocurrencies movement through the Blockchain much harder.


A ledger or list containing the cryptographic hash of previous blocks. Once a miner solves the hash as the proof of work, they add the next block and therefore the next set of transactions onto the blockchain. This blockchain ledger is shared amongst all users to enable verification.


A collection of infected computers that form a network controlled through the internet, this can be used to perform coordinated functions, using the computers in unison, combining their computing power to become effective. Examples for the applications of Botnets are DDoS attacks and sending spam emails. Botnets are effective as the attacks originate from many different IP addresses.

Brute force

A type of attack where the attacker uses computing power and time to gain access to something in a near stochastic manner. These attacks often following a loose set of rules, for example in the case of brute-forcing a password, the attacker might start at 0 and go up incrementally trying each possible combination before moving onto the next option.



the process of stealing peoples personal and banking card details. Either selling them to the highest bidder or through identity fraud, impersonating them and extracting as many funds as possible.


The term Clearnet is used to describe parts of the internet that are accessible with a standard web browser. Eg.


Digital storage systems that are available through the internet or some other network. Compared to local storage that is only available on the device it is installed on.

Cold storage

Cold storage is a secure method of storing cryptocurrency. To do this the crypto of choice is first put into a digital wallet, the wallet is then stored on an external storage device such as a USB drive and disconnected from the computer. This makes the wallet air-gapped and therefore lowers the risk of the cryptocurrency being stolen.

Text strings used to collect and store personal information such as browsing habits and user settings.


Combinations of credentials that usually include names, emails, passwords and other identifiable information all relating to a single person.

Controlled delivery

when LE intercept a package containing illicit substances and instead of seizing it, they go forward with the delivery, often collecting evidence of the recipient for the case against them and either arresting them upon delivery or continuing the surveillance.

Cracked (software)

The modification of software by a third party where certain features or parts are removed. Often cracked software has the digital rights management (DRM) that verifies that the owner owns the software removed, allowing it to be shared with users that do not own the software.

Credential stuffing

Credential stuffing is the process of attempting to use known previous credentials, gained from previous attacks or leaks to try and gain access to a different service. As some users reuse passwords across services.


Something, often an algorithm used to encrypt and obfuscate a string.



A distributed denial of service (DDoS) attack is where a service is made unavailable by flooding it with requests to the point where legitimate requests can not be dealt with by the site and it therefore becomes unavailable.

Dictionary attack

A type of brute force attack where the attacker uses a set wordlist or combination of words that it tries before attempting the next on the list. Often used when attempting to login to a service where the password is unknown.


Finding, discovering and sharing of personal information about someone that they would normally not want to have publicly accessible, for example, home address or phone numbers.


Dumps are collections of multiple sets of credentials belonging to people. These normally include credit/debit card information, names and addresses.



Escrow is a popular payment method and is mostly seen when MultiSig is not used. It functions in a similar way to MultiSig where the user sends their money to a third party, usually the marketplace, to hold onto until the transaction is complete and the user has their product. This used to be the most popular method however, after the frequent occurrences of alleged exit scams, trust towards marketplaces is low, leading buyers to desire the additional security that MultiSig claims to offer.

Exit scam

An exit scam is when a darknet market quietly shuts down whilst withdrawing as many funds as possible from the market, sometimes under the guise of technical issues. This is often done by disabling withdrawals from accounts but allowing deposits to continue the influx of cash without letting any of it leave. This is usually combined with heavy censorship on forums and such to try and keep it a secret for as long as possible.


A technique where users abuse a flaw in a system or code to give unintended results.


FE payments (finalise early)

Usually, once a vendor gains enough trust within the marketplace they are given the option of utilising Finalise early payments. These are by far the simplest method of payments as a buyer just transfers the funds directly to the vendor without any involvement of a third party such as the market. This method requires a much higher level of trust between the vendor and the buyer, however, buyers often get their product faster through this method as the vendor usually prioritises the shipping of FE orders.


Freenet is another decentralised network using peer-to-peer connections to avoid censorship. The service is mostly used for file distribution such as blogs and publishing data that would otherwise be removed on the Clearnet.


Fear, uncertainty and doubt.




A hash is an algorithmically generated string where the same input will always give the same output hash, this makes it useful for verification as users can check that two hashes match. It is also realistically impossible to reverse a hash to show what was used to create it, making it good for sensitive content.


A honeypot is where a fake server or service is set up to try and imitate a real service. This is then used to try and capture information that would be sent if the user were on the real service because they think that the fake service they are connected to is the real one.



The invisible internet project is similar to Tor as in it is a network for privacy advocates to communicate. Compared to Tor, I2P splits each request up into many packets, similar to how torrents work. These packets are then sent separately through the network before being rejoined at the end.

ICO (Initial coin offering)

Initial coin offerings are a way of crowdfunding the launch of a novel cryptocurrency. Users often attempt to get into the market early by buying the cryptocurrency for a reduced price in the hopes that it is adopted by many and raises in value over time.


An internet protocol address (IP) is an identifying string that is given to a network that is connecting to the internet. Multiple users of the same network, for example a family using the same WiFi will have the same IP address as they are using the same network. IP’s are given by internet service providers (ISP’s) and can be used to approximate a users location, however addresses often change for many reasons.


Internet relay chat is a messaging service that allows users to easily communicate to many other users on a lightweight framework. Most IRC’s are split up into what are known as channels were users set a category for example fraud, users then can join these channels and talk to anyone else who is connected. Client software is available for download and installation although most IRC chats are accessed through web browsers.



Jabber is an open source all in one chat program, based off of XML protocols, It features one to one chat as well as group chats. It is mostly supported by groups that need to run an open-source IM program or need to modify one to their needs. It is not as easy to set up as some other IM clients however it is much more flexible and customisable.



A piece of software that monitors and logs key presses of the keyboard. These are often then uploaded to a server where an attacker can extract sensitive information that has been typed, for example, banking logins.



These are all acronyms that represent law enforcement.


A data leak is the release of data, allowing non authorised parties access to what would be considered confidential information. This could be through a breach of systems or released by a disgruntled employee. An example of this would be an unsecure transfer of information, allowing other parties to gain access to the information that is contained within the transfer.


An operating system that is built to be much more lightweight and stripped back than OS’s like windows. For this reason, they are often used on servers and by privacy advocates as it is much more user-configurable.

Logic bomb

A script that is usually hidden in a piece of software, it is used as a trigger, activating when a certain variable has been met such as system time or running of a certain file.

Love letter

A love letter is usually sent from a government to a user that has been caught trying to get drugs or other darknet market items delivered to their house. Normally warning them of legal repercussions if they attempted it again.



MD5 (message-digest algorithm) is one of the most popular hashing algorithms in use. For more information on hashes see Hashing. An example is, the MD5 hash of “MD5” is e1820691a2124a9512eee0606159f60b. One major downside is that unlike its intention, two different messages can give the same MD5 hash and cause a collision.


An abbreviation of the word Macroinstruction. A small program that converts a combination of simple inputs in a specific order into a program that executes the instructions automatically when desired. This is often used to increase productivity in software such as excel although it can be used for nefarious means such as collecting users data.


Software that has been designed to cause adverse effects on the system it is running on. For example viruses and ransomware.


Advertisements that often have hidden scripts that are used as a delivery method for malware.

Market fees

Market fees are how many markets get their income. Whenever a buyer purchases from a vendor, a small amount of the funds, usually 2-5% is taken by the market.


A mirror, when mentioned in darknet communities, often refers to an alternative link that can be used to access a site. These are often used to help mitigate the effects of DDoS Attacks. Not to be confused with phishing links as mirrors are official alternative links to the site.


A Mnemonic is a technique used to increase memory retention of a specific string of words. However, in darknet terms, a Mnemonic is used as a term to describe 5-10 words that are given to users by markets. These can be used for various reasons, from helping verify that the user is on the correct site to recovering user passwords.


Probably the most popular choice of payments is MultiSig payments, where a buyer and normally up to two others, the vendor and the marketplace enter an agreement. If this method is chosen two of the three people are needed to be in agreement before the funds can be released. This way, if there is a dispute where the vendor and buyer disagree they can dispute it with the market without worrying that the other can run off with the money. This also works if a vendor drops off of the market or stops replying to a buyer, the market can step in and use their signature to release the funds back to the buyer without the vendor's input.




An onion in darknet terms describes a web service that only accepts connections coming from the Tor network. Due to this, onions are only accessible through the Tor browser or via a proxy that is routed through the Tor network.


Operational security, this includes everything that is done to prevent leaking of unwanted data that could be used by unwanted parties. Examples include using a VPN or VM.


Open-source Intelligence is data that is found on publicly accessible sources that can be used as intelligence about the user.



Pastebin’s are sites that make it easy for users to upload text strings, often anonymous for anyone who has the link to see. These often contain items such as URLS or combos of users, as well as many advertisements for data for purchase.


A small update that fixes a specific issue or vulnerability.


A section of information that is sent from one computer to another, often through a network, which also contains the destination address of the packet in addition to the data that is being transmitted.


Penetration testing is where companies hire an external party to attempt to exploit or gain unauthorised access to the companies data or non public resources. This authorised simulated attack is carried out in a similar fashion and using similar techniques that potential attackers would use in a real attack. The aim of this being to highlight any potential security flaws the company has in order to prevent them from being used in a real attack.


Phishing is where a criminal attempts to gain sensitive personal details from users such as passwords and banking details. This is achieved by deceiving the user into thinking that the criminal or a website hosted by the criminal is instead a known trusted entity such as their bank. This gives the user a false sense of security and more likely to give across this information. Either by filling out an online form or other means.


A proxy acts as an extra step that the traffic of a user is routed through before it reaches a website. This gateway provides users with multiple possible benefits such as increased anonymity and reduced censorship depending on their needs.


Personal message/ Direct message. Where users engage in a direct conversation that can only be seen by the two users in question.

Public/Private key/PGP

Used in cryptography, in asymmetric cryptography, the public key is used to encrypt a string before sending, the paired private key is then used to decrypt the message so the intended recipient can read it.




Malicious software that takes over the computer system and locks users out, often requiring a cryptocurrency payment to be made to the hackers unless the data is wiped.


(remote administration tool) A piece of software that tries to remain undetected whilst collecting as much user data as possible such as screenshots, keyloggers, webcam access etc. This information is then sent back to the main server for the hackers to exploit. These tools often also give the attacker full control of the system, allowing them to perform any actions as if they were physically at the computer.

RC/Research chemicals

A Research chemical in the context of the darknet is often used to describe a substance that produces similar effects to a traditional drug whilst being of a different chemical structure and therefore still legal in some countries. Dealers sell these substances as research chemicals that are labelled as not for human consumption in an attempt to circumvent law enforcement attention. Generally, these substances are even more dangerous to the end user however, as the side effects may not be consistent with the drug they are mimicking.


A rootkit is a malicious computer program or sometimes group of programs that give maintained root (admin) access to a computer, usually bypassing security measures that have been put in place and operates unknown to the user.


Selective scamming

Selective scamming is when a vendor fulfils most orders correctly, however for a few customers they will intentionally not fulfil their orders. This is often done to increase profits whilst attempting to keep a good reputation.


A “Shill” is someone who presents themselves as one of the audience/ a genuine customer, however, they are working with the seller. This is done in an attempt to increase trust from other customers.

Social engineering

Using social methods to manipulate someone into performing tasks or giving out sensitive information. For example, phoning the user up and pretending to be a bank asking for details that can be used to steal their identity.


A socks proxy is similar to a normal HTTP proxy, where users can use them to access censored content. However, Socks proxies only establish a TCP connection and do not interact with the users network traffic, allowing for the use of multiple different protocols for this data.


The act of obfuscating details in order to imitate a certain domain or sender.


Software that hides and records the user’s actions, often sending them back to the main server.

SQL injection

SQL is a language that is used to manage databases and manipulate them. Injection is the process of adding unintended instructions onto a process that is expecting data and therefore getting results that were not intended as there are now additional instructions for it to run. In order to avoid this, the best way to transmit this information is to separate them so that instructions and data can not be confused.


Tails (The Amnesic Incognito Live System)

Is a Linux based OS that focuses on security and anonymity. All incoming and outgoing data is forced to route through the Tor network and the OS reverts to a previous state with all data being wiped upon shutdown. Tails is designed to be booted from an external data source such as a USB drive or DVD, once booted, the OS lives on the systems RAM, leaving no identifying information behind on the machine it was booted from once shut down, due to RAM being a non-persistent data storage type.

Tor (The Onion Router)

Tor is a free piece of software that allows for anonymous communication between users. The service routes and conceals users connections by passing it through a few of the thousands of relays available on the network. This is achieved by using nested encryption to obfuscate data on a need to know basis, decrypting each layer like an onion as information such as the next nodes IP address is needed. Overall this reduces the amount of information that can be obtained from users, making it hard for parties such as law enforcement to trace users locations and identities.


A tumbler or a mixer is a service where users input their cryptocurrency that may have been acquired from illegal means such as markets, these Bitcoins are all held in a central account that then redistributes a similar amount back to the user. This makes tracking a payment much harder through the Blockchain as it would be difficult to conclude where the Bitcoins came from before this transaction due to it being mixed with multiple others.




Often used on the darknet to describe a user that is offering goods or services for sale such as Cocaine.

VPN (Virtual private network)

A VPN allows users to connect to a local network remotely as if it was physically connected to the rest of the local network. These can often be used in similar ways to proxies where users can utilise a VPN connection to hide their real IP address, as their connection is first routed through the VPN before being sent to the requested server.


Wallet (Cryptocurrency)

A cryptocurrency wallet is a term used to describe software, hardware or another medium that stores the keys that prove ownership of the cryptocurrency. Essentially Wallets provide a place for users to easily store their cryptocurrency.


A whistleblower is someone who exposes sensitive or incriminating data from within an organisation. An example of a whistleblower is Edward Snowden who leaked sensitive information from the NSA in 2013.


To prevent unauthorised access to a service, a whitelist can be utilised. This is a list of usernames, ID’s, IP addresses or other identifying information that only allows access to the service if the users information matches an entry of the whitelist. If a users datapoint does not match a record on the whitelist then they are denied access.


A worm is a computer program that infects computers normally within a network and uses the infected computer to propagate itself to spread further. Most worms are spread for nefarious means although some such as the Nachi worms used computer exploits to install patches for the same exploits that were used to gain access in the first place.



XSS (cross-site scripting)

Xss is an often web-based attack where the service does not properly validate or sanitise users input. If this input contains code that can be run, any other browsers that load said content can not differentiate between the sites code and the XSS attack, therefore also running the potentially malicious XSS code when loading the page. An example of this would be the injection of JavaScript that forwards cookies to an external server controlled by the hacker, meaning that when users load a page containing the script, their cookies are forwarded, potentially giving the hacker access to sensitive information.


Zero day

A zero-day exploit is a computer vulnerability that exists but has not been addressed or so far fixed by those responsible for maintaining the software. This means that the exploit can be abused by any nefarious parties until a fix for the issue is released. The term “Zero day” is used due to its indication of how long the developers have to fix the issue before it becomes an issue for its customers.