50 Shades of Dark: From the Surface to the Dark Web

Posted: 22nd May 2015

We just published a new white paper outlining how we used open source intelligence (OSINT) to research the dark web. You can download the white paper here, and read the summary below.


There is a lot of talk about the dark web these days, including how cyber criminals use it to spread malware, leak intellectual property, and publish user account credentials.

So, we decided to explore the surface, deep, and dark parts of the web to see what information is available and how they are connected. What we found was there really is no sharp border between them. Information tends to seep into the surface web from its darker parts, and it is more appropriate to talk about one web, with different shades of darkness.

The logic behind this is brokers of illicit information on the dark web need to market their products, and hence need to post links to them on the surface web (Brian Krebs has noted the same).

Using Recorded Future’s real-time threat intelligence we can identify paste sites and forums as primary nodes of communication between the surface and dark web, and show how these are used to link to both Tor/Onion sites and various download sites. This connectivity allows us to harvest and analyze metadata (such as link patterns, activity levels, and topics) about the dark web from the Surface web, giving us access to valuable information for threat analysis.

To continue reading, click here to download the full white paper.