
Keeping safe in the internet’s underground economy

The dark web has always carried an air of mystery. Many still imagine it as a hidden space, found in the dark corners of the internet, accessible only through Tor where shady operators sell stolen data in the shadows.  

 

The dark web has evolved into a vast underground economy that now incorporates messaging apps and encrypted communications. It mirrors many legitimate business practices, but operates covertly, where cyber-criminals thrive on perceived anonymity. 

 

While often associated with criminal activity, the dark web itself isn’t inherently malicious and supports those who value privacy and free expression. The issue lies with cyber-criminals who have sought refuge in its structure and tools. It is essential that we understand exactly how this marketplace works in order to disrupt its reach and protect the broader digital economy.

 

The dark web: beyond onion domains 

The dark web is no longer confined to traditional onion sites.  Today, smaller and more fragmented communities, such as dedicated crime channels on Telegram and Discord in decentralised networks, have replaced the once-dominant large marketplaces as the hub for criminal activity. 

 

Following a series of high-profile law enforcement takedowns and exit scams, cyber-criminals have scattered into invite-only groups - ones that come with the promise of secrecy and speed.  

 

The shift toward smaller fragmented groups has created a volatile environment. 

 

As these groups splinter, new dark markets that facilitate criminal activity emerge as quickly as they disappear but are often left without the same level of organisation or visibility. 

 

Confronting the ongoing evolution of the dark web demands a unified strategy. Collaboration between the public and private sectors, particularly through intelligence sharing, remains essential for mounting coordinated, large-scale responses to cyber-attacks.

 

A recent example is the takedown of the BlackSuit ransomware group in July of 2025. With the help of Bitdefender’s Draco Team and more than a dozen law enforcement agencies, the US Department of Homeland Security Investigations managed to seize the group’s extortion site. BlackSuit had demanded over $500 million in ransom payments before its operations were disrupted. 

 

Lessons from a criminal e-commerce empire 

If we take a closer look at dark-web marketplaces, we see structures that appear to be nearly identical to online mainstream retailers. Vendors have detailed profiles and customers (other criminals) can review their purchases and leave star ratings. Disputes are even resolved through ticketing systems and strong escrow. Dark web storefronts have been seen to provide loyalty discounts and seasonal sales to build and maintain a customer base. 

 

This familiar structure is not coincidental. In an environment built on anonymity, trust is fragile, and these features help establish a sense of credibility. To help build trust among criminals, these marketplaces take inspiration from the psychology of mainstream commerce. Just as you would check reviews before buying a new shirt, cyber-criminals check reviews before buying stolen data.  

 

In effect, the dark web’s ecosystem holds a mirror to legitimate trade but operates entirely outside of the law. The same behavioural cues that build loyalty and trust in the open market now drive transactions conducted in the shadows.

 

Currency and attribution challenges 

Money is the dark web’s lifeblood, with Bitcoin remaining the primary currency across most markets. However, privacy-enhancing cryptocurrencies, such as Monero and Ethereum, are seeing increased adoption. In particular, Monero’s design is ideal for high-risk deals (where exposure could mean arrest) as it hides all incriminating details including the sender, recipient, and transaction amount. 

 

Following the money is no longer the hard part. The challenge now is connecting anonymous wallets to real-world identities. Criminals create complicated webs to cover their tracks, using mixing services and disposable accounts. This complicates investigations and attribution efforts.

 

Commodification of access and data 

Beyond currency, the dark web runs on data. Many marketplaces specialise in digital identities, offering everything from forged documents to complete “personas” built from stolen credentials. Access-as-a-service models allow buyers to rent networks that have been compromised, remote desktop connections, and corporate VPN access – all of which are frequently used by ransomware operators. 

 

To add another layer onto this, deepfake technology allows criminals to use voice and video impersonations. Together, these tools fuel large-scale digital fraud. Once a dataset is stolen, it rarely disappears. It circulates endlessly through resellers, combo lists, and giveaways designed to build a vendor’s credibility.  

 

A single breach creates infinite resale value, feeding an economy that never truly stops moving.

 

Disrupting the ecosystem 

Effectively addressing the dark web economy requires partnerships that mirror its complexity: a balanced collaboration between law enforcement (who bring legal authority and jurisdictional power) and cyber-security organizations (who provide threat intelligence and technical expertise) to identify and disrupt criminal operations quickly.

 

Several operations have demonstrated the impact of this collaborative approach. In 2017, for instance, Bitdefender worked alongside Europol, the FBI, and the US Department of Justice to dismantle Hansa, one of the largest online hubs for illegal trade at the time. Authorities secretly operated the marketplace for weeks before shutting it down, collecting valuable intelligence on users and their networks. The takedown marked a pivotal moment, proving that coordinated global action can expose and dismantle even the most resilient criminal infrastructures. 

 

The 2024 shutdown of the Sipulitie market showed how public and private partnerships are continuing to evolve. The operation targeted a notorious dark web storefront that facilitated the sale of narcotics and showed how strong cooperation can unearth markets that might otherwise fly under the radar. 

 

And most recently, the disruption of the BlackSuit ransomware group highlighted how sharing intelligence between teams accelerates enforcement efforts. 

 

With every successful takedown, trust amongst criminals deteriorates, forcing them to invest more resources into rebuilding their infrastructure. They must re-establish secure communication channels, migrate to new platforms, and implement stronger security measures – all of which increase the cost and complexity of continued activity. While this disruption might not result in permanent eradication, the ecosystem is weakened over time, becoming more and more fragile. 

 

Turning insight into action

Dark web intelligence directly shapes and influences security strategies and outcomes. For CISOs, IT leaders, and security practitioners, dark web monitoring needs to function as a continuous component of their broader security visibility, not just an activity triggered during incident responses. Using automated tools to detect stolen credentials and leaked assets can facilitate immediate action. 

 

When a compromise has been detected, organisations need to move fast. They should:  

  • Reset affected accounts 
  • Update access controls 
  • Reinforce authentication measures  

Taking these steps closes the window of opportunity for attackers to exploit stolen information. 
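
As an added illustration (not part of the original article), the sketch below triages a credential-leak feed against an account directory and maps each affected account to the three response steps listed above. The `email:password` feed format, the directory layout, the action labels and the extra session-revocation step are assumptions made for the example, and all data is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes      # PBKDF2 hash of the account's current password
    mfa_enabled: bool
    privileged: bool = False

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make(password: str, mfa: bool, privileged: bool = False) -> Account:
    salt = b"constructed-salt"  # fixed so the example is reproducible; random per account in practice
    return Account(salt, pw_hash(password, salt), mfa, privileged)

# Constructed directory and leak feed (email:password lines), not real data.
DIRECTORY = {
    "alice@example.com": make("Winter2024!", mfa=False),
    "bob@example.com": make("rotated-since-breach", mfa=True, privileged=True),
}
LEAK_FEED = [
    "Alice@Example.com:Winter2024!",
    "bob@example.com:old-password",
    "mallory@other.test:hunter2",
    "malformed line without separator",
]

def triage(feed, directory):
    """Map each affected account to the response steps it needs."""
    plan = {}
    for line in feed:
        email, sep, leaked = line.strip().partition(":")
        acct = directory.get(email.lower())
        if not sep or acct is None:
            continue  # malformed record, or not one of our accounts
        steps = plan.setdefault(email.lower(), set())
        steps.add("reset_password")           # reset affected accounts
        if hmac.compare_digest(pw_hash(leaked, acct.salt), acct.pw_hash):
            steps.add("revoke_sessions_now")  # assumed extra step: leaked password is still live
        if acct.privileged:
            steps.add("review_access")        # update access controls
        if not acct.mfa_enabled:
            steps.add("enforce_mfa")          # reinforce authentication measures
    return {email: sorted(steps) for email, steps in plan.items()}

if __name__ == "__main__":
    for email, steps in triage(LEAK_FEED, DIRECTORY).items():
        print(email, steps)
```
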

 

Organisations aren’t the only ones at risk. This preparation must also extend to individuals. Simple, proactive steps such as using multi-factor authentication, unique passwords, and regular credit monitoring are powerful defences. One should make the assumption that, when personal data gets leaked to the dark web, it is permanently exposed.

 

Security strategies must focus on anticipating the threats just as much as reacting to them. Building proactive defences through employee training and continuous monitoring helps to strengthen resilience before an attack begins. 

 

The path forward 

As AI reshapes the cyber-security landscape, allowing criminal operators to automate content generation, create more convincing phishing messages, and craft highly realistic impersonations at scale, pre-emptive approaches, such as dynamic attack surface reduction, help reduce cyber-threat exposure and business risk. Every step towards anonymity and automation on one side prompts an equally creative counter defence on the other.  

 

The key to staying ahead and fighting cyber-crime lies in constant collaboration between regulators, cyber-security experts, and law enforcement, while staying alert and implementing multi-layered cyber-security practices including managed detection and response (MDR) and extended detection and response (XDR).  

 


 

Bogdan Botezatu is Senior Director Threat Research and Reporting at Bitdefender

 

Main image courtesy of iStockPhoto.com and s-cphoto



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543