Illicit Communities Vs. Deep and Dark Web: Why the Full Intelligence Picture Depends on Both

Key takeaways

In order to identify emerging cyber and physical threats, fraud, and other malicious activity, CTI and SOC teams must monitor the total threat landscape. Traditionally, the term “deep and dark web,” or DDW, is used to describe the digital underground where threat actors operate. But the adoption of chat services and other open-web sources has reframed the conversation about the boundaries of intelligence gathering and the threat actor landscape.

Sophisticated technology has become more accessible, thereby narrowing barriers to entry, reducing levels of friction to stand up a new channel, and making peer-to-peer interaction easier—in real time, from anywhere. In this context, the term “deep and dark web” is not a robust enough framework.

What are Illicit communities?

In this article we:

• Outline the differences between the deep web and dark web, and define illicit communities;
• Explain how the widespread adoption and sophistication of consumer technology has led to the inevitable convergence of the deep and dark web with illicit communities;
• Make the case for why illicit communities is a complimentary term to—and perhaps more encompassing than—the “deep and dark web” to describe the threat actor landscape.

Threat intel: Deep and dark, but only half the picture

It’s incumbent on security teams to push their threat intelligence programs in parallel with—and ideally ahead of—widening risk apertures. In order to better understand threat actor tactics, techniques, and procedures (TTPs), it’s vital to monitor all relevant channels where malicious activity seeds.

Traditionally, cyber threat actors have operated on to the dark web, on [.]onion sources. But the threat landscape has expanded due to the proliferation of chat services, closed and curated communities, and other secure forms of communication. This includes activity on deep and dark web channels, as well as open-source intelligence (OSINT).

Deep web vs. Dark web

First, let’s establish what “the deep and dark web” is and is not. To do this, we must first separate the term into two because the deep web and dark web, despite sharing characteristics, are not the same thing. 

What is the deep web?

The deep web comprises any web-based content that’s not indexed and therefore hidden from conventional search engines. This may include some notable cybercrime and carding forums, social media platforms, multi-language news websites, password-protected content, corporate databases, academic research stored on university servers, and closed or encrypted chat groups, among others.

Related reading: Guide to Cyber Threat Actors—How, Why, and Who They Choose to Attack

What is the dark web?

Whereas the deep web may require credentials to access, the dark web, essentially a subcomponent of the deep web, has the added protection layer of only being accessible via anonymized web browser overlay networks, such as Tor, noted by its [.]onion address. These websites are intentionally unindexed by, and thus hidden from, conventional search engines in order to prevent surveillance.

Much of internet content is on the deep web, which is password protected and not indexed by search engines. The dark web as we define it has less than half a million sites, while the surface web has approximately two billion.

Open-web sources

While the secure services that comprise the dark web are frequented by criminals, cybercrime and other illicit activities can take place elsewhere: social media, paste sites, encrypted chat applications, surface web, message boards, and blogs. 

This is why the term illicit communities—which includes these open and publicly available sources—is essential to describe the total threat actor landscape where cybercriminals can easily congregate.

The significance of Tor

In 2002, Tor was purposely released as a free and open software for any internet user who wanted to protect their anonymity; in 2008, a Tor browser was developed to extend accessibility. 

Not all dark websites or applications are associated with threat actors. For dissidents living in authoritarian regimes that tamp civil liberties, secure internet services can go a long way to ensuring safety and anonymity while conducting important human rights work. Many popular news and social media websites have their own Tor hidden services for populations with limit access to information, often because of government censorship.

In the end, encrypted, secure, and anonymous online services are tools in the hands of the people that use them. Whether they are used for illicit or benevolent purposes largely depends on the user. 

Beyond Tor

An online search for “deep and dark web” might lead you to believe that the digital spaces where cyber threat actors operate are private melting pots for zero-day authors, drug dealers, extortionists, Russian cybercriminals, ransomware gangs, and other bad actors out for a payday. 

But a series of high-profile dark web takedowns by law enforcement—Silk Road in 2013 and Playpen in 2015—coupled with the emergence and adoption of secure chat services, changed how security teams should view the machinations of the threat actor ecosystem. 

All in, these services provided anonymous and secure ways for threat actors to communicate outside of the dark web, whose reputation for total security was dinged by the high-profile law enforcement raids. 

Compounding this was the rising popularity of image boards, forums, threads, blogs, and pastes sites among threat actors, which further fragmented the threat actor ecosystem—away from Tor-centric spaces. 

In short, “deep and dark web” does not cover the gamut; illicit communities does.

Identify and mitigate cyber risks with Flashpoint 

Never miss a development across illicit communities and protect your assets, stakeholders, and infrastructure by identifying emerging vulnerabilities, security incidents, and ransomware attacks. Sign up for a demo or free trial and see Flashpoint’s extensive collections platform, deep web chatter, and dark web monitoring tools in action.