
Michael Freeman at Armis discusses how AI-powered early warning insights are empowering security teams to stay a step ahead of cyber-criminals
The dark web is often sensationalised, but its underlying mechanics are well understood by those in threat intelligence. At its core, it refers to parts of the internet that aren’t indexed by standard search engines and require purpose-built software - primarily Tor (The Onion Router) - to access.
Tor anonymises user traffic by routing it through a three-hop circuit: an entry (guard) node, a middle relay, and an exit node that hands traffic on to its final destination. For .onion services, traffic never exits the Tor network, keeping both client and host pseudonymous. Sites in this ecosystem use the .onion top-level domain and are typically discovered through manually shared links or directories like the Hidden Wiki, which catalogues marketplaces, forums, data leak sites, and more.
But the dark web is just one part of a broader pseudonymous communications landscape exploited by cyber-criminals, ransomware affiliates, and APT groups. Encrypted messaging platforms like Telegram, Threema, Wickr, and Session, alongside invitation-only Discord and IRC channels, now function as distribution hubs for buying malware, compromised data, and operational coordination.
Many ransomware operators bypass Tor entirely in favour of Telegram bots that automate victim communication, payload delivery, or affiliate coordination. Even mainstream platforms like X (Twitter) and YouTube are used for exfiltration staging, C2 instructions, and marketing of criminal toolkits under innocuous names.
Taken together, these decentralised and encrypted ecosystems - dark web infrastructure, closed forums, and private messaging apps - form the backbone of the modern cyber-crime supply chain. They enable adversaries to move quickly, scale operations globally, and evade traditional network-based detections.
Any effective threat intelligence operation must account for activity across all of these layers - not just Tor - if it hopes to detect, attribute, and disrupt threats before they materialise.
AI has dramatically reshaped the cyber-security landscape. In particular, the plethora of AI-fuelled toolkits now available on the dark web is significantly lowering the bar of entry for cyber-criminals and allowing individuals with limited knowledge to carry out sophisticated attacks at scale.
Just as ChatGPT is a shortcut for us to access knowledge, AI is providing shortcuts for cyber-criminals to carry out attacks. Zero-day exploits, which once took weeks to develop, can now be weaponised in a matter of days. AI-driven tools scan the likes of emails and Slack channels to identify high-value targets within organisations, while social media is mined for personal details that can be used for extortion.
Moreover, “leak sites” on platforms like Internet Relay Chat (IRC) or Telegram channels serve as forums for criminals to exchange tactics, sell services and spotlight potential victims.
Ransomware attacks have also evolved, thanks in part to the dark web. The rise of “triple extortion” schemes highlights this shift: attackers encrypt an organisation’s data, demand payment for decryption, and then extort individuals within the organisation by threatening to expose sensitive personal information.
New AI tools take this a step further, helping criminals profile individuals by analysing their communications and online behaviour to identify weaknesses to exploit.
The dark web has become a bustling marketplace for cyber-crime, where threat actors can provide a wide array of AI tools and services to proxy groups driven by political ideology.
While some criminal networks demonstrate a high level of operational security - leveraging encrypted infrastructure, bulletproof hosting, and compartmentalised communications - no threat actor is without fault.
Even advanced operators make operational mistakes that can expose their identities or infrastructure. In one case tracked by Armis, an actor inadvertently revealed a personal Spotify session while sharing a demonstration of their exploit code with potential buyers. Despite using anonymisation tools and hosting services designed to obscure attribution, this small lapse provided a pivot point for investigators. Incidents like these reinforce a critical truth: behind every campaign is a human operator, and human behaviour, no matter how disciplined, can introduce exploitable gaps.
While the dark web may empower cyber-criminals, it’s ultimately just a tool. To stay ahead of these evolving threats, organisations must make sure they’re using the right technologies and processes to protect themselves.
Staying ahead in today’s threat landscape requires organisations to move beyond reactive security models and instead adopt strategies that anticipate attacker behaviour. One of the most direct ways to do this is by understanding which vulnerabilities are actively being targeted by threat actors, before those exploits make contact with your environment.
Rather than focusing on theoretical risk scores or passive vulnerability scans, security teams need timely insight into real-world exploitation trends. This is the foundation of early warning-focused solutions: identifying which CVEs are being discussed, tested, or deployed in the wild, and mapping that intelligence to the technologies present in your organisation.
With this approach, defenders are no longer guessing which of the thousands of vulnerabilities to prioritise. They’re responding to facts - what adversaries are actively using, and how.
This form of operational early warning allows organisations to move left of boom - intervening before initial access is achieved. It shortens response time, directs remediation to the most relevant exposures, and enables teams to shift from reacting to containing to pre-empting.
Once organisations know which vulnerabilities are under active exploitation, the next step is internal validation. This means mapping known exploited CVEs to your specific environment, understanding which assets are affected, how critical those assets are, and whether exploit paths exist.
With insights from Early Warning solutions, teams can quickly assess whether they are exposed to vulnerabilities being actively leveraged by ransomware affiliates, APTs, or criminal marketplaces. From there, they can elevate those exposures within existing vulnerability management workflows, assigning remediation tasks to the appropriate teams with full threat context.
This targeted prioritisation enables security operations to evolve. Rather than treating all vulnerabilities as equal, or waiting for scanning tools to catch up to emerging threats, teams can work from confirmed attacker behaviour. That clarity results in faster mean-time-to-remediation (MTTR), fewer false positives, and a measurable reduction in risk exposure.
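One way to carry out the internal validation step described above, as an added example that is not Armis's product or code: it joins a constructed list of actively exploited CVEs (placeholder ids) against a constructed asset inventory, treats an asset as exposed when its running version predates the fix, and ranks the exposures by asset criticality weighted by how operational the observed use is. The feed fields, the version-comparison rule and the actor weights are all assumptions.

```python
"""Rank a constructed asset inventory against a constructed exploited-CVE feed (added example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ExploitedCve:
    cve: str          # placeholder id, not a real advisory
    product: str
    fixed_in: str     # first version that is no longer affected
    seen_by: str      # "ransomware", "apt", "marketplace" or "discussed"

@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    criticality: int  # 1 (low) .. 5 (crown jewel)

# Weight the intelligence by how operational the observed use is (assumed scale).
ACTOR_WEIGHT = {"ransomware": 3, "apt": 3, "marketplace": 2, "discussed": 1}

def parse_version(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(asset: Asset, item: ExploitedCve) -> bool:
    """True when the product matches and the running version predates the fix."""
    return (asset.product == item.product
            and parse_version(asset.version) < parse_version(item.fixed_in))

def prioritise_exposures(feed, inventory):
    """Return (score, asset name, cve) tuples, highest score first."""
    hits = []
    for asset in inventory:
        for item in feed:
            if is_affected(asset, item):
                score = asset.criticality * ACTOR_WEIGHT.get(item.seen_by, 1)
                hits.append((score, asset.name, item.cve))
    return sorted(hits, key=lambda h: (-h[0], h[1], h[2]))

# Constructed sample data: placeholder CVE ids, products and hosts.
FEED = [
    ExploitedCve("CVE-0000-0001", "vpn-gateway", "9.1.3", "ransomware"),
    ExploitedCve("CVE-0000-0002", "mail-server", "3.0.0", "marketplace"),
    ExploitedCve("CVE-0000-0003", "vpn-gateway", "9.0.0", "discussed"),
]
INVENTORY = [
    Asset("edge-vpn-01", "vpn-gateway", "9.1.2", 5),
    Asset("mail-01", "mail-server", "3.0.1", 4),
    Asset("lab-vpn", "vpn-gateway", "8.9.0", 1),
]
```

Running `prioritise_exposures(FEED, INVENTORY)` puts the patched mail server at zero hits and the internet-facing VPN gateway, one patch level behind and seen in ransomware use, at the top of the remediation queue.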
A security strategy informed by real-world threat activity leads to faster decision-making and more focused remediation. It’s not just about visibility - it’s about relevance. Knowing which threats matter right now, to your specific environment, allows you to direct limited resources where they’re needed most.
Monitoring the global exploitation landscape and identifying which vulnerabilities are being actively used in the wild enables organisations to anticipate threats, act pre-emptively, and drive maturity across the security lifecycle. This is how organisations move from being reactive to proactive, strengthening defences not just after compromise, but before attackers gain a foothold.
In today’s environment, where the time from vulnerability disclosure to exploitation is often measured in days or even hours, this kind of intelligence is not a luxury. It’s a necessity.
Michael Freeman is Head of Threat Intelligence at Armis
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543