The Dark Web Explained: What It Is and Why It Matters for Business

The dark web hosts criminal markets selling stolen credentials, corporate network access, and ransomware tools. Learn what the dark web is, what dark web monitoring provides, and why it matters for business.

The Dark Web: What It Actually Is

The dark web is a portion of the internet that is intentionally hidden from standard web browsers and search engines, accessible only through specialized software — most commonly the Tor Browser. Tor (The Onion Router) anonymizes internet traffic by routing it through a series of encrypted relays, making it difficult to trace the origin or destination of communications. Dark web sites use .onion domains that are not registered in standard DNS systems and are only resolvable through the Tor network.

The dark web is not synonymous with illegal activity — it is used by journalists protecting source confidentiality, political dissidents in authoritarian countries communicating without government surveillance, privacy-conscious individuals, and researchers studying cybercrime. The BBC, The New York Times, and numerous other legitimate organizations operate .onion mirrors of their websites specifically to provide access to users in countries where those sites are blocked.

But the dark web hosts significant criminal markets, and that is what makes it relevant to cybersecurity and business risk. Criminal forums, ransomware group infrastructure, initial access broker markets, stolen credential databases, and data leak sites — where ransomware groups publish stolen data from victims who did not pay — all operate on the dark web. Understanding what is sold and disclosed on dark web markets provides threat intelligence that is directly relevant to organizational risk assessment.

What Is Sold on Dark Web Criminal Markets

The criminal marketplace ecosystem on the dark web is sophisticated, specialized, and in some respects more economically rational than many legitimate markets. Stolen credentials — username and password combinations from breached services — are sold in bulk, with price varying by the freshness of the data and the value of the accounts. Corporate VPN credentials command premium prices. Healthcare insurance credentials for billing fraud are purchased by specialty buyers. Financial account credentials are priced based on account balance.

Initial access to corporate networks — established footholds from which ransomware affiliates and other buyers can launch attacks — is sold by initial access brokers. These brokers compromise organizations and then sell the access rather than conducting further attacks themselves. A VPN credential with documented admin access to a mid-size US company might sell for $500-$5,000 depending on the company's size and the scope of access. Ransomware-as-a-Service toolkits, exploit code for known vulnerabilities, phishing infrastructure, and identity documents for fraud are also common commodity offerings.

Dark Web Monitoring: What It Is and What It Provides

Dark web monitoring is the practice of systematically searching dark web sources — criminal forums, paste sites, credential marketplaces, data leak sites — for information related to a specific organization or its employees. Commercial dark web monitoring services automate this search across a broad range of dark web sources and alert organizations when their domain names, email addresses, or specific credentials appear in monitored sources.

The intelligence value of dark web monitoring depends on what is being monitored and what action the organization takes on findings. Employee credentials found in breach databases on the dark web indicate that specific accounts have been compromised in third-party breaches and may be subject to credential stuffing attacks. Forcing password resets for accounts found in breach databases eliminates the credential stuffing risk from those specific exposures. Internal documents or proprietary data found on dark web leak sites indicate an active or recent data exfiltration event that requires incident response. Employee personal information on criminal forums may indicate targeted social engineering research against specific individuals.
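
Acting on credential findings, as an added example (not from the original article or any monitoring product): the Python below filters exposure findings to the organization's domains, keeps the most recent sighting per account, and forces a reset only where the password has not changed since that sighting. The domain, accounts, dates, and the directory export with last-password-change dates are constructed assumptions.

```python
from datetime import date

ORG_DOMAINS = {"example.com"}  # assumption: the monitored organization's domains

# Constructed monitoring findings: (email, date the exposure was seen)
FINDINGS = [
    ("Alice@Example.com", date(2024, 3, 1)),
    ("alice@example.com", date(2024, 6, 15)),
    ("bob@mail.example.com", date(2024, 5, 2)),
    ("carol@example.com", date(2023, 11, 20)),
    ("dave@other.org", date(2024, 4, 4)),
    ("erin@example.com", date(2024, 2, 9)),
]

# Constructed directory export: account -> (enabled, last password change)
DIRECTORY = {
    "alice@example.com": (True, date(2024, 4, 1)),
    "bob@mail.example.com": (True, date(2024, 7, 1)),
    "carol@example.com": (False, date(2022, 1, 5)),
    "erin@example.com": (True, date(2023, 8, 30)),
}

def in_scope(email, domains=ORG_DOMAINS):
    """True when the address is on a monitored domain or one of its subdomains."""
    domain = email.rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in domains)

def triage(findings, directory):
    """Return {account: action} for in-scope exposures."""
    latest = {}
    for email, seen in findings:
        email = email.strip().lower()
        if "@" not in email or not in_scope(email):
            continue
        # Keep only the most recent sighting per account
        if email not in latest or seen > latest[email]:
            latest[email] = seen
    actions = {}
    for email, seen in latest.items():
        entry = directory.get(email)
        if entry is None:
            actions[email] = "investigate: not in directory"
        elif not entry[0]:
            actions[email] = "no reset: account disabled"
        elif entry[1] <= seen:
            actions[email] = "force reset"
        else:
            actions[email] = "no reset: password changed after exposure"
    return actions
```

Comparing against the latest sighting is deliberately conservative: a password changed between two sightings is still reset, because the newer dump may contain the newer password.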

What Dark Web Monitoring Cannot Tell You

Dark web monitoring provides visibility into what has already been exposed and is available to threat actors — it is inherently backward-looking. It does not prevent data from being stolen; it detects that stolen data exists on dark web markets after the fact. It does not provide complete coverage — criminal forums and markets operate with varying degrees of accessibility, and many high-value transactions occur in private channels not accessible to monitoring services. And it does not provide actionable intelligence about threats that have not yet materialized as data exposure.

Dark web monitoring is a useful component of a threat intelligence program, but it is not a security control. Organizations that purchase dark web monitoring as their primary threat intelligence investment are measuring historical exposure rather than managing current risk.

The Dark Web and Business Risk

For executives and PE operating partners, the dark web matters in three specific business contexts.

Employee credential exposure is the most common and immediately actionable finding. When employee email and password combinations appear in breach databases on dark web markets, those credentials are available to any criminal actor willing to purchase them for credential stuffing attacks. Organizations that monitor for credential exposure and force resets for exposed accounts eliminate this specific attack vector. Organizations that do not monitor have no way of knowing their employees' credentials are actively for sale.

Corporate data disclosure on ransomware leak sites is a breach notification and reputational crisis event. When ransomware groups publish stolen corporate data, the information is publicly accessible — to regulators who monitor these sites, to journalists who cover cybersecurity, to competitors, and to the individuals whose data was exposed. Dark web monitoring that detects leak site publications enables organizations to understand the scope of disclosure and begin breach response before regulators or journalists bring the disclosure to their attention.

Pre-acquisition dark web research provides risk intelligence about acquisition targets that is not available through traditional diligence. Searching dark web sources for mentions of a target organization's domain, credentials, or internal documents can surface evidence of historical breaches, active criminal market interest in the target's systems, or leaked information that indicates ongoing attacker access. This intelligence is material to deal valuation and post-close security planning.
