The dark web has grown in popularity over the years, as people become increasingly technologically savvy. Using a darknet browser like Tor or I2P enables users to remain anonymous while browsing the internet.

 People seek anonymity online for many legitimate reasons. For example, they might have concerns about large companies' abilities to track their online activity, or they might not feel comfortable giving Google all their data. Alternatively, they might live in a place with restrictions on freedom and free speech and necessarily turn to dark web anonymity to access world news or freely share journalism.

However, that same anonymity also protects criminals. It allows them to operate across borders, organize crime and trade in illegal items, both physical and digital. Dark web forums also host discussions on topics including extremist ideas, hate speech, threats of violence, or even plans for cyberattacks.

This wide range of dark web activity is a key concern for security professionals. By monitoring the dark web with OSINT tools, such as Signal, security professionals can discover exploit kits targeting their organization, get early alerts of data breaches, and even prevent physical attacks on assets or employees.

In this article, we examine a few of the more common dark web forums and explore how security professionals can utilize OSINT tools, such as Signal, to more efficiently and effectively monitor threats on the dark web.

About dark web forums as data sources

Because of the anonymity afforded by the dark web, people feel comfortable discussing all manner of things. As such, the dark web – especially dark web forums – is a valuable source of intelligence for security professionals. Monitoring these channels can help expose real and potential threats, ranging from planned attacks, both physical and digital, to fraud, data breaches and more.

Below, we examine 7 of the largest dark web forums that professionals should be aware of as potential sources of security data.

BreachForums

Despite multiple takedowns by law enforcement and rumours that it may now be a ‘honeypot’ (a site compromised by law enforcement or security researchers), BreachForums and the mirror sites that pop up are still a major threat. BreachForums and its mirrors are still one of the most visible places for selling or leaking corporate databases and credentials. If your company data is compromised, it is highly likely it will appear here.

DarkForums

This is a relatively new forum, emerging as a successor to BreachForums. With a rapidly growing user base, this English-language site specializes in data leaks, malware and access sales.

Cracked / Nulled

Cybercriminals mostly use these forums to trade and purchase leaked or hacked information. Despite a significant law enforcement action in mid-2025 (Operation Talent), these forums still have millions of members. They are able to remain in operation in much the same way as BreachForums, by spawning mirror sites.

Dread

Dread is a forum on the darknet that mirrors Reddit’s functionality. It provides the same familiar community discussion boards. The forum takes many ideas from Reddit, such as sub-communities and user moderation responsibilities. The site mimics this functionality without any JavaScript. The primary goal of Dread is to offer a censorship-free forum; however, it also provides hacking guides, software and carding tools, as well as drugs and stolen data. Dread also serves as a place for news on the latest dark web marketplaces.

XSS

A longstanding Russian language forum. XSS has a reputation for high-quality content and is a closed forum with restricted access to approved members. Access to compromised systems is frequently sold and traded on this site.

Exploit

Exploit has been in existence even longer than XSS, for many of the same reasons (high-quality content and restricted access). Due to its longevity, most types of cybercriminal activity can be found in dedicated sections.

RAMP

This is another Russian-language forum that has quickly gained prominence on the dark web. It functions as both a forum and a marketplace for criminal activity with a particular focus on financial fraud.

Other prominent forums

Other active forums with substantial membership include:

• LeakBase

• Crax

• Germania (a German-language forum)

• Infinity

• HackForums

• Sinister.ly

• Mirror sites for older forms, such as RaidForums, also persist on the dark web.

The dark web is no longer the only location for this type of activity. Apps such as Telegram and Discord, which sit on the unindexed deep web, are also becoming increasingly popular for cybercriminals to trade exploits, swap information and organize activities.

Related: How Can 4chan be Used as a Data Source for Security Intelligence?

Why dark web monitoring is difficult

Security professionals face numerous challenges when it comes to monitoring the dark web. For a start, there is the sheer volume of posts. With each of these forums and marketplaces operating across numerous time zones, they experience continuous activity. The most popular get tens of thousands of posts a day. Manually monitoring these sites is just not a feasible task.

Secondly, the fluid nature of the dark web community means that forums and marketplaces are forever becoming the victims of law enforcement action, internal troubles or scams. For example, XSS may have become compromised even as this blog is being published. These forums and marketplaces are like a Hydra – when one is cut off, new sites or mirror sites sprout up almost immediately.

Thirdly, the more explicit dark web forums and marketplaces (such as XSS or Exploit) will require you to create an account and may even go some way to verifying that you have the necessary skills to be allowed in. While the anonymity of the dark web means administrators of these forums likely can't work out exactly where you came from or what your true purpose is on their platform, those that are interested might attempt to determine your real identity. When creating an account, it’s essential to make sure it holds no relevance to any other online account you have, if you want to maintain your complete anonymity and avoid becoming a target of those same criminals you are looking to monitor.

Once inside, you must remain active on the platform without arousing suspicion; otherwise, your hard-won access could be revoked.

Finally, a lot of hackers on the dark web would be more than willing to turn their talents and attention to you, should you accidentally cross them. Some websites will infect your device with malware, so treat all links or downloads with suspicion. Additionally, clicking those links may take you to disturbing material. So, unless you’re confident you can safely and securely navigate the dark web, it may be better to look for safer, more efficient alternatives.

How Signal makes dark web monitoring safer and smarter

The Signal OSINT platform works by continuously scanning the surface, deep, and dark web. You can run custom Boolean searches across multiple data sources. These search results can then be filtered using our advanced AI and natural language processing (NLP), which enables you to search across languages, determine location, analyze copy in images and even assess the emotional intent behind text through our NLP software, Spotlight.

The benefits of having a tool like this for monitoring the dark web include efficient, continuous monitoring and assessment of a multitude of sites, allowing security teams to monitor more of the web to catch more threats faster. Because Signal’s searches are across the dark web, rather than specific sites, they do not rely on security teams having up-to-the-minute intelligence about which forums or marketplaces are active and popular. Additionally, security professionals can access this data without ever having to hunt down and access the various dark web forums and marketplaces, which is both more secure and much more time-efficient.

This lets you automate dark web monitoring – cutting costs, while expanding coverage and relevance.

Dark web marketplaces are online platforms, where people can buy and sell illegal goods and services while remaining anonymous. The offerings include leaked credit card details, exploit kits, hackers for hire and advertisements for hitman services.

Because of the range of goods and services available, as well as the conversations that occur around these transactions, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are typically under intense scrutiny from both law enforcement and security professionals.

These marketplaces have become increasingly sophisticated, with slick user interfaces that resemble familiar online storefronts, such as Amazon, along with seller ratings and escrow services for secure payment. This makes the barrier for users lower than ever before.

5 dark web marketplaces

People have been organizing illicit trades via the internet since the 1970s. Those early examples were through closed networks, with actual exchanges of money and goods usually taking place in person. With the advent of cryptocurrencies, it has become easy to complete online trades without leaving a trail. As a result, the online trade of illegal goods has become increasingly commonplace, and vast dark web marketplaces have emerged.

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road, created by Ross Ulbricht in February 2011. Over the following two years, the Silk Road set the standard for dark web marketplaces. By the time it was shut down in October 2013, and Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.

Torzon Market

Torzon is one of the largest general-purpose darknet markets still active in 2025. It offers a familiar mix of narcotics, fraud tools and digital services. The site operates on Tor and supports Bitcoin and Monero, utilising escrow to facilitate transactions. Torzon also imports vendor feedback from other platforms, providing some continuity for buyers and sellers who have migrated after past shutdowns.

STYX Market

STYX has carved out a role as a hub for stolen data rather than drugs. Its listings focus on stealer logs, initial access and financial credentials, making it highly relevant for financial security professionals. Unlike older drug-oriented markets, STYX looks more like a specialized cybercrime exchange than a bazaar.

STYX is a great example of a ‘new model’ market with a searchable structure and trusted vendor processes, which helps buyers quickly filter for fresh data. The market grew through 2023-24 and remains active in 2025, underscoring how access and credentials have become commodities on par with drugs in the dark web economy.

Russian Market

Often written as RussianMarket, this is the largest marketplace for stealer logs. It aggregates credentials, cookies and session data harvested by malware such as RedLine, Raccoon and Vidar, and sells them in bulk. This makes it both a goldmine for attackers seeking account takeovers and a persistent monitoring target for security professionals.

Researchers estimate that millions of logs are for sale, with new ones added daily. Its endurance shows how cybercriminal demand has shifted from physical contraband to stolen identity data. For enterprises, Russian Market illustrates why compromised credentials remain one of the most common entry points for intrusions.

2easy

Sometimes branded 2easy.shop, this site has become known as the budget marketplace for stolen logs. Rather than focusing on premium access, it thrives on low-cost, high-volume sales. Individual log packages are often priced between $5 and $25, making them accessible to a wide spectrum of buyers. 2easy's persistence highlights the democratization of cybercrime. Criminals no longer need large budgets to obtain working credentials, just a few dollars.

BriansClub

BriansClub is a long-running carding shop, best known for selling stolen credit card ‘dumps’ and CVVs. Despite a 2019 breach (and law enforcement action) that exposed millions of its records, the shop has remained active and continues to attract buyers in 2025.

Estimates before the breach suggested a nine-figure annual turnover and, while its exact scale today is harder to verify, it remains one of the most recognisable carding brands.

Other markets include Abacus market, BidenCash, Exploit, Exodus Marketplace and more.

The diffusion of dark web marketplaces

With the rise of encrypted communication apps, such as Telegram and even Discord, some of the trade previously undertaken on the dark web has ‘surfaced’ to the unindexed deep web. Channels such as CrdPro Corner, AsCarding Underground and Daisy Cloud are flourishing on Telegram, with thousands of users in each channel trading everything from logs to bots. These channels often operate as subscription services, providing fresh dumps of material daily.

How to keep track of evolving darknet marketplaces

There are various active dark web marketplaces. One of our data providers estimates there are approximately 20 active, leading dark web marketplaces and dozens of smaller, additional marketplaces. With the diffusion to the unindexed deep web, this number becomes even greater.

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons. For example, law enforcement might close them down; or, perhaps to help avoid this fate, they frequently change their domain address. It could even be because the admin implemented an exit scam, as happened with Empire Market, where the admin team is estimated to have made off with approximately $30 million worth of Bitcoin in August 2020. Almost none of the marketplaces featured in the 2020 version of this article are in existence now.

Due to this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found; as such, there is no easy way to navigate the dark web. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find forums and marketplaces on the dark web, as well as in the deep web, you need to know what you’re looking for and how to look for it.

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark website to gather usable intelligence effectively. Doing this manually requires vast amounts of resources; however, you also can't simply scrape the website, as such activity can quickly get you banned from a site.

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The role of OSINT tools when monitoring the dark web

OSINT tools allow security professionals to effectively and efficiently monitor the surface, deep and dark web. Using Signal, you can create targeted searches with Boolean logic and run the results through intelligent filters powered by our advanced AI. The process can be automated with real-time SMS and email alerting.

This reduces the need for skilled professionals to spend all their time manually monitoring the entire web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted upon without ever actually having to go onto the dark web or painstakingly gain access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on autopilot; reducing costs, while simultaneously increasing efficacy. As cyber-criminals embrace new technologies, it’s becoming increasingly necessary for security professionals to do the same to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in real-time.

The deep and dark web continues to provide a breeding ground for illicit activity. As cybercriminals, extremists, and data thieves become more sophisticated, these online underworlds have evolved into major hubs for bad actors and nefarious online behavior.

The dark web has grown to serve as a breeding ground for ransomware attacks, data breaches, and a variety of other malicious activities that can strike at the heart of any organization.

In August 2024, a cybercriminal group known as USDoD leaked a database on the dark web, offering it for sale at $3.5 million. The compromised data, originally gathered by National Public Data, includes sensitive details like names, addresses, Social Security Numbers, and information about siblings. A class-action lawsuit was filed against National Public Data in Florida, accusing them of failing to adequately protect the data and collecting information from non-public sources without consent.

This is just one of the many recent security incidents tied to activity on the dark web. The issue is no longer whether threats are lurking in these spaces, but rather how businesses can keep an eye on them in an ever-evolving landscape.

What Is the Dark Web?

Many people mistakenly believe that the dark web is a single, cohesive network, but this is inaccurate. It is a sprawling collection of decentralized platforms, each built with the intention of preserving anonymity and secrecy. These platforms are essential to understand if companies are to effectively monitor and mitigate potential threats.

• Tor (The Onion Router): The most widely recognized of dark web networks, Tor provides users with layers of encryption designed to conceal their online activity. This network serves as a key venue for cybercriminals to operate undetected.

• I2P (Invisible Internet Project): Though less well-known, I2P offers a similarly anonymous environment that’s often used for secure communication, particularly in covert operations or illicit dealings.

• ZeroNet: An alternative to traditional web hosting, ZeroNet uses peer-to-peer hosting technology, which further complicates monitoring efforts due to its decentralized nature.

What Is the Deep Web?

While the dark web tends to grab the headlines, the deep web encompasses a much broader and more general collection of online content that is not indexed by search engines. This content is not inherently dangerous, but it often includes areas where illicit activities take place.

• Paste sites like Pastebin or Ghostbin are often used to dump and share large datasets, including sensitive or stolen information.

• Encrypted messaging apps, including platforms like Telegram and Discord, have become favorites among criminals for their ability to facilitate communication in relative secrecy.

• Alternative social media platforms, such as Gab or BitChute, have carved out spaces for extremist groups and the spread of misinformation, far removed from the moderation standards of more mainstream platforms.

• Breach forums like Cracked and Nulled have emerged as key marketplaces for stolen credentials, malware, and hacking tools, further fueling the dark web ecosystem.

The Challenge of Accessing and Monitoring the Dark Web

For most businesses, monitoring the deep and dark web is a daunting task. First, internal network policies often block direct access to these areas, leaving security teams with limited insight into potential threats.

Even when access is available, security professionals may lack the specialized tools or expertise necessary to navigate these murky waters.

The sheer volume and unstructured nature of data on these platforms add another layer of complexity. Without the proper resources, businesses can easily miss critical indicators of a cyberattack, a data leak, or a vendor compromise.

Why an Enterprise OSINT Platform Is Essential

This is where an enterprise-level OSINT (Open-Source Intelligence) collection platform like Signal becomes an indispensable asset. A robust OSINT solution gives security teams the ability to proactively monitor threats across the deep and dark web without exposing themselves to unnecessary risks. Here's how a comprehensive platform can support your organization:

• Secure, Compliant Access: OSINT platforms like Signal offer compliant, secure access to restricted content. This ensures that security teams can gather intelligence on potential threats without violating company policies or compromising internal network security. They can analyze dark web content without needing to actually access the dark web.

• Automated Data Collection: Instead of relying on manual searches and outdated methods, OSINT solutions automate the process of tracking emerging threats. This includes everything from detecting stolen credentials and tracking extremist threats, to identifying ransomware incidents in real time.

• Advanced Search and Filtering: With advanced tools for parsing and analyzing vast amounts of unstructured data, an OSINT platform enables analysts to cut through the noise. They can extract relevant intelligence with precision, helping them focus on the most immediate threats.

• The Rising Importance of Dark Web Monitoring

As cyber threats become increasingly sophisticated and frequent, simply relying on internal cybersecurity measures is no longer enough. Threat actors can infiltrate via third-party vendors, supply chains, or business partners. A breach in a vendor's system and subsequent dump on the Dark Web, for example, could put your organization at risk, but you might not even know until it’s too late.

Organizations can no longer afford to wait until after the fact to find out if their partners or suppliers have been compromised. As the business landscape becomes more interconnected, proactive intelligence is essential to understand where the vulnerabilities are—and whether your organization is at risk.

Conclusion

The deep and dark web continue to evolve and fuel a vast range of cybercrime and malicious activity. For businesses, this reality requires a shift in how threats are monitored. Relying on traditional methods to keep track of digital dangers is no longer sufficient. The need for comprehensive, proactive OSINT collection solutions is clear.

By incorporating tools like Signal into your security strategy, you gain the ability to navigate the shadows of the internet. It’s a necessity for any organization committed to staying one step ahead of emerging risks.

At Signal, we empower organizations to take control of their cyber defenses with OSINT solutions, enabling you to monitor and respond to dark web threats with speed, accuracy, and confidence.

The dark web isn’t inherently bad or evil. It’s not illegal to be anonymous on the web. However, the unfortunate truth is that there are plenty of people who are willing to take advantage of the anonymity lent by the dark web and to undertake some form of illicit activity.

Cybercriminals use the dark web as a means to communicate about all manner of activities, from planning cyberattacks to the selling of illegal goods or stolen data.

On top of this, with distrust growing towards governing bodies and large corporations around data privacy dark web communities are thriving. More people are becoming familiar with the dark web for both legitimate and illegitimate reasons, a fact that should cause security professionals increasing concern.

On the flip side, many security professionals actually shy away from the dark web. It is an online region surrounded by an ether of mystery and myth. However, while certain parts of the dark web should only be accessed with the utmost skill and caution, the basics of the dark web need to be understood by all members of the security community.

The difficulties of accessing dark web forums

There are numerous challenges that security professionals face when they come face to face with the dark web. The first of which is actually finding the dark web forums where illicit activity is taking place.

The first step to locationg dark websites is through various directory lists. These easy to locate sites and forums, however, are unlikely to be where the really important things are happening. Instead it’s more likely to be filled with amateurs and more innocent activity. Additionally, these lists often become outdated quickly as dark web domains change frequently.

In order to locate more relevant darknet forums for the purposes of security research, there are strategies which can be employed, for example, snowball sampling.

Snowball sampling is a method which involves creating a web crawler that takes a root URL and crawls the website for outgoing links. Generally, this will then return a large number of dark web URLs. This works particularly well for dark web forums as people often link to other sites in comments or posts. Done incorrectly though could draw attention to your bot and have the admin block you.

The dangers of accessing dark web forums

Accessing the dark web should be done with care and caution. It is in some ways like the last frontier, the wild west. It provides a training ground for new techniques and strategies for experienced and inexperienced hackers alike. For a security professional, getting to know these new techniques is vital for the efficacy of your security strategies.

A few key safety concerns and the dangers of the dark web are as follows:

• Breaking the law. Law enforcement officials operate on the dark web to catch people engaged in criminal activity. Like others on the dark web, law enforcement can do their work under a cloak of anonymity. It’s important to remember that you can be prosecuted for things you do on the dark web and thus to behave in an appropriate and legal manner.  

• Viruses. Unsurprisingly a lot of hackers on the dark web would be more than willing to turn their talents and attention to you should you accidentally cross them. Some websites will infect your device with viruses and any and all links or downloads should be viewed with suspicion. There are a lot of viruses to watch for, from ransomware to spyware and everything in between. Additionally, if you do click any links you may be taken to the material you don’t want to see that many people would find disturbing. 

• Webcam hijacking. It’s smart practice to cover your webcam with a piece of tape or plastic when you’re not using it. This is because some people may attempt to gain access to your device’s webcam by using a remote administration tool (RAT). The risk of this happening increases exponentially when you enter the dark web.

Remember: You use the dark web at your own risk and you should take necessary security precautions such as disabling scripts and using a VPN service.

Why do security professionals need to surveil dark web forums?

We’ve talked about the dangers and difficulties of accessing and finding relevant dark web forums for security research. Why though should accessing these dark web forums be a priority for security professionals and how can one effectively monitor these forums for potential threats?

Identify new hack strategies. 

The dark web is where many cyber criminals go to learn as well as to purchase things like exploit kits. Monitoring the dark web, being able to investigate and understand the methods and mindsets of hackers is essential to enable security professionals to develop counter strategies.

Discover physical threats or plans against your organization or executives.

Terrorist organizations, violent far-right dissenters, and others who intend to commit or openly discuss violence against others can be found on dark web forums. One example of this is the shooting which took place in a mosque in New Zealand on the 15 March 2019 which killed 51 people.

This attack was talked about before and during the attack on forums such as 8chan. Pictures of the weapons that would be used were shared along with a 74 page manifesto. Conversations around the event appeared with numerous like-minded individuals actively in support.

This is an extreme, worst-case scenario. But it absolutely highlights the necessity for security teams to have the tools to effectively monitor dark web forums.

Listen and filter noise around your organization’s name. 

There is a lot of noise on the internet. Inevitably some of it may be about your organization and it’s more than likely that not all of it will be good noise. Because of the nature of dark web forums, there is an increased likelihood of discovering negative noise about or relating to your organization.

With the right tools, such as Signal paired with our emotional analysis tool Spotlight, you can identify persons of interest and more closely monitor future activity around them. 

Additionally, discussions around stolen data for sale, as well as things like exploit kits are often discussed on the dark web. Identifying these threats as soon as they appear will allow you to take appropriate action to mitigate these threats and reduce any potential damages.

Dark web monitoring solutions: Signal OSINT platform

With an ever increasing amount of Cyber activity it is more important than ever for organizations to mitigate the potential risks of cyber threats, attacks, and data breaches. As the traditional Physical Security and Cyber Security worlds converge, Signal cyber feeds provide the ability to expand areas of interest and boost potential Cyber threat intelligence.

Cyber feeds that are accessible with a Signal subscription include:

• Onion/Tor – Anonymous network requiring Tor browser (AKA as Dark Web)

• I2P – Invisible Internet Project

• ZeroNet – decentralized web-like network of peer-to-peer users

• Open Bazaar – a fully decentralized marketplace

• Telegram – a cloud-based instant messaging and voice over IP service

• Discord – a VOIP application and digital distribution platform

• IRC Chat – instant relay chat

The information available on these additional Cyber feeds can help identify a number of potential scenarios including;

• Hacking for hire

• Compromised accounts & servers

• Sale of financial data

• Sale of counterfeit and/or stolen goods

• Money laundering

• Sale and/or publication of personal information such as SSN, email, phone numbers

• Discussions on and/or exposure of data breaches

Related: What is OSINT and how is it used for Corporate Security?

The dark web is a layer of the internet that is only accessible through an encrypted browsing software such as a Tor browser. This software makes the user anonymous. It is this anonymity which is so beneficial to criminals who are able to trade illegal items and services.

Cybercriminals are known to buy and sell stolen data, for example, which can be used to commit identity theft and fraud. Many of the overtly criminal websites require membership logins that you can only gain if you are active as an online criminal making it challenging for companies and security forces to access and monitor these websites.  

However, with the right tools, like Signal threat intelligence software, monitoring and filtering through these websites is entirely possible without ever needing to download a Tor browser yourself. 

What is dark web scanning?

A dark web scan monitors open-source information available on the dark web, using both human and artificial intelligence to scan things like criminal chat rooms, blogs, forums, private networks and other sites. In doing this it helps organizations detect potential security threats. 

Examples of activities that have been identified from dark web content using Signal Threat Intelligence software include;

• Online markets selling stolen and fake goods;

• Hackers selling non-sensitive data for use in credential stuffing attempts;

• Impersonation of individuals or organizations;

• Details in regard to hacking or incitement to hack;

• Reputational risk via fake news or impersonation;

• Illegal activities such as drugs and drug paraphernalia;

• Information regarding a previously undetected sensitive data breach.

What happens during dark web monitoring?

There are some 55,000 dark websites, however, many of these are inactive and even fewer of them are actually used for overtly criminal activity. During dark web scanning our security software monitors and detects any data that is relevant to the particular search queries that have been set up. This allows you to create a customised highly relevant stream of data and information around key points of interest for your company.

The information can also be run through a sentiment filter to create an even further refined stream of data, we explore this in further detail below.

Why is dark web monitoring with Signal Corp important for businesses?

1. Detecting data breaches

Our software has been used to identify stolen credentials and other personal information that is circulating on dark web networks and other channels.

To identify relevant data you are able to set up specific search queries within the software. These constantly monitor the open, dark and deep web and then filter these searches using our AI technology to determine what is and isn’t relevant. We then add a human touch to the remaining data to further filter using human intelligence to identify what is highly relevant.

The scan infiltrates private sites - many of which require membership within the cybercriminal community to enter. 

When it comes to detecting data beaches it can quickly identify chat around data that is circulating online which has been gained by illegal hacking attempts. If data is detected from a particular company, whilst there is no way to retrieve that data organisations can take precautionary measures to mitigate the damage and threat of the data breach as well as determining how the data was gained and ensuring that breach is secured against further data beach attempts.

2. Detecting Physical Threats against People and Assets

The big draw for criminals to the dark web is that all users need to use an encrypted browser to access the dark web which entirely anonymises their presence. This means, very simply, that criminals can and do talk about their activity, either to brag or as part of their preparations.

Using software like Signal you can constantly monitor the dark web and when a criminal talks about or potentially threatens one of your staff or assets you can know instantly. Whilst they are anonymised and you won’t know who is planning something, you will know that there is a very real potential threat that you can now guard against.

3. Predicting potential terrorist actions

In the same vein as detecting potential physical threats against a company online, the dark web is also a place where terrorists go to communicate and organise. By monitoring the dark web then you can pick up on their conversation and use the data gathered to potentially predict and deter terrorist attacks aimed at the company.

How do you determine when chat becomes a serious threat? 

One of the potential issues some of our customers face is the sheer amount of noise which might surround their brand. Invariably not all of this noise is good. Which is why we have a sentiment analysis tool to help filter out what chat, what noise online we need to pay attention to.

On top of this, this can then closely monitor individuals who have been detected to hold negative sentiments towards a customer and it can determine if that was a once-off comment, or if this negative sentiment might actually evolve into a more palpable threat.

One of America’s biggest banks took four months to realise it had been hacked.

Signal could have helped the bank find and respond sooner to reduce their reputational damage.

In late July the $370bn bank Capital One announced a hack of one million social security numbers and 80,000 credit card-linked bank account numbers which is estimated to  cost over $100m to remedy.

Their announcement came 120 days after the actual hack occurred - the vigilant monitoring that Signal provides could have alerted Capital One to the problem quickly. Instead, it took months before a ‘white hat’ noticed conversation about the breach.   

The number of people affected was staggeringly high – in the words of Capital One itself, “The event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.”

Here’s what happened:

On July 19, 2019, it was determined there had been unauthorised access by an outside individual who obtained personal information relating to Capital One credit card customers.

Capital One says it immediately fixed the configuration vulnerability that the individual had exploited and promptly began working with federal law enforcement.

The FBI arrested Paige Thompson, 33, a software engineer who formerly worked for Amazon Web Services… which Capital One is known to use.

Charges against Ms Thompson state she boasted about the hack on GitHub, Slack, and Twitter, allowing Capitol One the opportunity to quickly alert their cyber teams of a potential breach – if they were utilizing an OSINT tool like Signal.

Capital One claims it is unlikely the information stolen was used for fraud or disseminated by the individual, adding it believes no credit card account numbers or log-in credentials were compromised and that over 99 percent of Social Security numbers were not compromised.

The fact remains: one million social insurance numbers and 80,000 credit card-linked bank account numbers were exposed.

The largest category of information accessed was information on consumers and small businesses created when they applied for credit card products across the last 15 years, including:

• Customer status data, credit scores, credit limits, balances, payment history, contact information

• Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

• 140,000 Social Security numbers of credit card customers

• 80,000 linked bank account numbers of our secured credit card customers

• The Social Insurance Numbers of one million Canadian credit card customers were also compromised in this incident.

The configuration vulnerability was reported to Capital One by an external security researcher through a Responsible Disclosure Program on July 17, 2019. Capital One then began their own internal investigation, leading to the July 19, 2019, discovery of the incident.  the hacker had four months to do what she wished with people’s personal information.  Unfortunately, it is common for hacks to take months to be discovered, reported, and patched if the proper monitoring solutions are not in place.

Capital One expects the incident to generate incremental costs of approximately $100-$150 million in 2019. Expected costs are driven by customer notifications, credit monitoring, technology costs, and legal support and notifying customers.

Capital One said in its public statement it has always invested heavily in cybersecurity and will continue to do so.  This breach shows how the convergence of cyber and physical security is continuing to evolve as companies continue to invest in infrastructure and tools to stay at the forefront of cyber threats.  As threat surfaces continue to increase, social media and dark web scanning tools have become even more important to identify threats in real time.

Clearly there’s a lot of money at stake, but the worst part of it all is the hacker boasted about it online and the response could have been a lot quicker.

While it doesn’t appear that the breach was for financial gain, the reputational damage for Capital One has been huge (and continues).

Here’s how signal can help prevent this sort of thing happening:

Signal’s point of difference is scanning the web and dark web for chat around data hacks, breaches and stolen information for sale.

We know that the accused thief bragged about what she was alleged to have done to Capital One, and this is precisely the sort of thing Signal is set up to prevent.

Signal offers:

• Monitoring over 15 data sources, including social media, web/forums, surface web, the dark web and online forums.

• Accurate real-time results centred around the geographical locations you need to monitor

• Advanced filtering of searches

• Excellent visuals so you’re not sifting through raw data to find out who’s talking about hacks at  your organisation

• Situation awareness

• Online operation centre capability and data

 Please feel free to read how Signal could have helped resolve

• A British banker selling stolen data on the dark web (and being exploited until he was driven to steal even more)

• Slow responses to crises emerging in the real world outside a business

• Parsing the dark web and seeing discussions about plans to rip off your bank or business

• Mitigating the Threat of Credential Stuffing through Dark Web Monitoring

 www.getsignal.info

info@signalpublicsafety.com

There is plenty of online information regarding the dark web – mostly accurate, although it can be daunting to understand the various nuances. There are numerous benefits that come with monitoring of the dark web.

When it comes to dark web monitoring, Signal risk intelligence software offers a comprehensive service which enables security professionals to gain increased situational awareness using targeted, highly relevant data gathered from dark web sources.

Why did we add Dark Web monitoring to Signal threat intelligence software?

The Dark Web is the place to lurk out of sight, with complete anonymity, which makes it a logical centre for criminals to gather, discuss illegal activity, and sell illegal goods and services. Because of this, those bodies and security teams which are able to effectively monitor the blogs, forums, and chat rooms of the dark web have an invaluable source of information on nefarious or illegal activities - and are often among the very first to know about important and relevant information that may impact their company or organisation.  

Advanced warning for things like data breaches, reputational risks and physical threats to assets allow companies to effectively form strategies to deal with and mitigate the threats to their organisations.

These conversations and activities are highly relevant to many Signal subscribers, hence the addition of the Dark Web as a data source for Signal Gold subscribers in 2017.

Read our articles:

• Why a Dark Web Scan is Essential for your Business

• Mitigating the Threat of Data Breaches and the Risk of Credential Stuffing

Examples of activities that have been identified from dark web content include:

• Online markets selling stolen and fake goods

• Impersonation of individuals or organizations

• Details in regard to hacking or incitement to hack

• Reputational risk via fake news or impersonation

• Illegal activities such as drugs and drug paraphernalia

One of the benefits that Signal provides is the ability to review the dark web post content without needing to utilize a Tor browser – simply review the content from within your Signal browser session.

Dark web monitoring is available for Signal subscribers with a gold or better subscription– if you are interested in more information in regard Signal or the dark web content, then contact us info@signalpublicsafety.com