Peeling back the onion part 1: Mapping the Dark Web by Stuart Peck

The Dark Web is no longer a place for criminals and cyber criminals to hide, with the launch of the first dark web map powered by a ZeroDayLab key partner, and threat intelligence service Intelliagg.

The Dark Web- and TOR

The dark web is officially defined as websites that cannot be accessed or reached without the use of specialised software, the most widely used and common of which is the TOR browser (The Onion Router).

The core principle of TOR, "onion routing", was developed in the mid-1990s by the US Naval Research Lab with the purpose of protecting U.S. Intelligence communications online. In 2006, the TOR project was founded, and made free for all to use. This initially lead to a rise in use by journalists to protect their identity in countries without freedom of speech, then a rise in whistle-blower sites, such as Wikileaks.

However, the privacy benefits of TOR have led to an unchecked rise in illegal activities, where criminals use TOR to create and run hidden online marketplaces; child pornography, drugs, leaked data, credit cards, fake documentation and weapons can all be purchased using normal currency or Bitcoins.


Finally, the growth of TOR usage is from Cyber Criminals and Hackers, where leaked data, zeroday vulnerabilities/malware is traded on private marketplaces or through brokers for huge profits.

What I have noticed, through my own research conducted at ZeroDayLab, is that there has been a huge rise in the last couple of years in Malware-as-a-Service/Crime-as-a-Service marketplaces, leading to a rise in attacks, such as Ransomware, where the technical barrier to entry is all but removed for criminals to enter the Cyber Crime Market.

 Mapping the Dark Web- and why it matters.


ZeroDayLab's partner Intelliagg released today a white paper on the Dark Web, where over a sample period, they monitored over 30,000 top level sites or .onion (Hidden Services).

Through compiling the hidden service address list from different sources, from spidering, private link lists and monitoring the TOR network itself, Intelliagg interrogated hidden services over port 80 and 443 using a mixture of human and machine learning information gathering techniques.

Key findings from the research include:

  • 46% of the 30,000 hidden services analysed were active at the time of the assessment (the other 54% of sites could be attributed to C2 servers or other temporary uses such as onion shares, ricochet chat).

  • 76% of the sites were in English, unsurprisingly Chinese and German as second and third languages.

  • 48% of the sites were classified as illegal.

  • With manual classification of over 1,000 sites, it was deemed that 68% of the content was illegal according to US and UK law.

  • File sharing (29%), leaked data (28%), and financial fraud (12%), were the top classification of hidden marketplaces. Surprisingly, hacking only made up 3% of the sites interrogated.

  • Interestingly, 39% of sites interrogated were unlinked, meaning they were extremely difficult to find.

In addition to the research conducted, Intelliagg has provided an interactive map, found here which I highly recommend viewing and exploring the vast and now visible dark web (30,000 odd sites at least).

But this brings me to my previous point why is this map so important? Until recently, it had been difficult to understand the relationships between hidden services, and more importantly the classification of these sites.

As a security researcher, understanding hidden services, such as private chat forums and closed sites, and how these are used to plan and discuss potential campaigns, such as DDoS, Ransom Attacks, Kidnapping, Hacking, and Trading of Vulnerabilities and leaked data, is key to protecting our clients through proactive threat intelligence.

Mapping these sites back to Threat Actors (groups), is even more crucial as it helps us build a database on the Capability, Infrastructure, and Motivations of the adversary.

The more we understand about the dark web, and the criminals that use TOR and hidden services to publish and trade threats, the more we as a community can flush out the undesirable services and market places, making what made TOR great in the first place, protecting privacy for good, not evil.

About the Author:

ImageStuart Peck has over 10 years in Information Security, and is currently the Cyber Security Strategist for ZeroDayLab ltd, and responsible for Threat Intelligence, Advanced Malware research, Security Awareness Training, and Pre-Sales of services and solutions. Stuart assists Executive IT leadership and Information Security Management in creating and developing a holistic Cyber Security Strategy underpinned by Governance and Proactive Threat Intelligence. Stuart is also an Advanced Malware enthusiast.

Source: ZeroDayLab

Let us know, what do you think about the article in the comments down below!

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013