What are Illicit Communities? Defining the Deep and Dark Web
In order to identify emerging cyber and physical threats, fraud, and other malicious activity, CTI and SOC teams must monitor the total threat landscape. Traditionally, the term “deep and dark web,” or DDW, is used to describe the digital underground where threat actors operate. But the adoption of chat services and other open-web sources has reframed the conversation about the boundaries of intelligence gathering and the threat actor landscape.
Sophisticated technology has become more accessible, thereby narrowing barriers to entry, reducing levels of friction to stand up a new channel, and making peer-to-peer interaction easier—in real time, from anywhere. In this context, the term “deep and dark web” is not a robust enough framework.
In this article we:
- Outline the differences between the deep web and dark web, and define illicit communities;
- Explain how the widespread adoption and sophistication of consumer technology has led to the inevitable convergence of the deep and dark web with illicit communities;
- Make the case for why illicit communities is a complementary term to—and perhaps more encompassing than—the “deep and dark web” to describe the threat actor landscape.
It’s incumbent on security teams to push their threat intelligence programs in parallel with—and ideally ahead of—widening risk apertures. In order to better understand threat actor tactics, techniques, and procedures (TTPs), it’s vital to monitor all relevant channels where malicious activity seeds.
Traditionally, cyber threat actors have operated on the dark web, on [.]onion sources. But the threat landscape has expanded due to the proliferation of chat services, closed and curated communities, and other secure forms of communication. This includes activity on deep and dark web channels, as well as open-source intelligence (OSINT).
What is the Difference Between the Deep Web and the Dark Web?
First, let’s establish what “the deep and dark web” is and is not. To do this, we must first separate the term into two because the deep web and dark web, despite sharing characteristics, are not the same thing.
What is the Deep Web?
The deep web comprises any web-based content that’s not indexed and therefore hidden from conventional search engines. This may include some notable cybercrime and carding forums, social media platforms, multi-language news websites, password-protected content, corporate databases, academic research stored on university servers, and closed or encrypted chat groups, among others.
What is the Dark Web?
Whereas the deep web may require credentials to access, the dark web, essentially a subcomponent of the deep web, has the added protection layer of only being accessible via anonymized web browser overlay networks, such as Tor, noted by its [.]onion address. These websites are intentionally unindexed by, and thus hidden from, conventional search engines in order to prevent surveillance.
Much of the internet's content is on the deep web, which is password protected and not indexed by search engines. The dark web as we define it has less than half a million sites, while the surface web has approximately two billion.
Open-web Sources
While the secure services that comprise the dark web are frequented by criminals, cybercrime and other illicit activities can take place elsewhere: social media, paste sites, encrypted chat applications, surface web, message boards, and blogs.
This is why the term illicit communities—which includes these open and publicly available sources—is essential to describe the total threat actor landscape where cybercriminals can easily congregate.
The Significance of Tor
In 2002, Tor was purposely released as free and open software for any internet user who wanted to protect their anonymity; in 2008, a Tor browser was developed to extend accessibility.
Not all dark websites or applications are associated with threat actors. For dissidents living in authoritarian regimes that tamp down civil liberties, secure internet services can go a long way to ensuring safety and anonymity while conducting important human rights work. Many popular news and social media websites have their own Tor hidden services for populations with limited access to information, often because of government censorship.
In the end, encrypted, secure, and anonymous online services are tools in the hands of the people that use them. Whether they are used for illicit or benevolent purposes largely depends on the user.
Beyond Tor
An online search for “deep and dark web” might lead you to believe that the digital spaces where cyber threat actors operate are private melting pots for zero-day authors, drug dealers, extortionists, Russian cybercriminals, ransomware gangs, and other bad actors out for a payday.
But a series of high-profile dark web takedowns by law enforcement—Silk Road in 2013 and Playpen in 2015—coupled with the emergence and adoption of secure chat services, changed how security teams should view the machinations of the threat actor ecosystem.

All in, these services provided anonymous and secure ways for threat actors to communicate outside of the dark web, whose reputation for total security was dinged by the high-profile law enforcement raids.
Compounding this was the rising popularity of image boards, forums, threads, blogs, and paste sites among threat actors, which further fragmented the threat actor ecosystem—away from Tor-centric spaces.
In short, “deep and dark web” does not cover the gamut; illicit communities does.
Identify and Mitigate Cyber Risks with Flashpoint
Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Sign up for a demo or free trial and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.
Frequently Asked Questions (FAQs)
What are illicit communities and how does Flashpoint Ignite track them?
Illicit communities are hidden online spaces within Flashpoint Ignite’s monitoring scope where threat actors coordinate and trade stolen goods or discuss tradecraft. Flashpoint Ignite tracks these communities by archiving data from dark web forums, encrypted chat apps, and illicit marketplaces. This allows organizations to search through criminal activity safely, providing the visibility needed to detect if their corporate data or employees are being targeted by underground actors.
| Internet Layer | Description | Flashpoint Ignite Visibility |
| --- | --- | --- |
| Surface Web | Indexed sites like news and social media. | Monitors for brand abuse and physical threats. |
| Deep Web | Non-indexed sites and private portals. | Tracks leaked credentials and technical metadata. |
| Dark Web | Anonymous sites requiring Tor or I2P. | Indexes forums, shops, and chat logs. |
How does Flashpoint help organizations access the dark web safely?
Flashpoint helps organizations access the dark web safely by acting as a secure buffer between the analyst and the threat actor. Instead of visiting dangerous sites directly, users can query Flashpoint’s massive data collections through a standard web browser. This prevents “exposure risk” and ensures that criminals cannot track the investigator’s IP address or plant malware on the organization’s network during the research process.
- Managed Attribution: Protects the identity of the user during investigations.
- Data Indexing: Makes the dark web searchable without needing specialized software.
- Risk Mitigation: Removes the danger of accidental infection from malicious sites.
Why is Flashpoint’s “full-spectrum” monitoring vital for modern defense?
Flashpoint’s full-spectrum monitoring is vital because threat actor activity is rarely limited to a single platform. A criminal might discuss a vulnerability on a dark web forum, coordinate an attack via an encrypted chat app, and eventually dump stolen data on a surface web paste site. Flashpoint connects these dots across all layers of the internet, ensuring that security teams have the complete context needed to stop a breach before it escalates.
| Threat Action | Community Type | Flashpoint Integrated Response |
| --- | --- | --- |
| Attack Planning | Hacking Forums | Identifies the TTPs being used to target your industry. |
| Fast Coordination | Telegram/Chat | Provides real-time alerts on active, trending threats. |
| Data Monetization | Illicit Shops | Finds your stolen assets for sale before they are used for fraud. |

