DARKINT
BLUF
DARKINT (Dark Intelligence) is the collection, exploitation, and analysis of intelligence derived from dark web environments — Tor hidden services, I2P eepsites, and other anonymization-network-hosted platforms — that are inaccessible via standard internet infrastructure. DARKINT occupies the intersection of OSINT methodology and cyber threat intelligence (CTI): the collection environment is technically open (no classified infrastructure required) but operationally demanding (requires specialized software, OPSEC discipline, and jurisdictional awareness). Its primary intelligence value is pre-public threat visibility: ransomware operators announce victims, Initial Access Brokers (IABs) advertise compromised credentials, and underground forums discuss attack planning before this information surfaces in public reporting. For corporate threat intelligence teams, law enforcement, and national security analysts, DARKINT provides the earliest available warning of threats that will subsequently manifest in the open environment. The methodology is constrained by three structural factors: (1) the dynamic nature of dark web infrastructure (services move or disappear frequently); (2) the pervasive counter-intelligence environment (adversaries actively attempt to identify collection personnel); (3) significant jurisdictional variation in the legality of specific dark web collection activities.
Technical Environment
Tor (The Onion Router)
Tor routes traffic through a chain of three volunteer-operated relays (Guard → Middle → Exit) using layered encryption (each relay decrypts one layer, revealing only the next relay — hence “onion”). Hidden services (.onion addresses) extend this architecture: they are hosted inside the Tor network itself, eliminating the exit node and making both client and server anonymous.
v3 Onion address structure: 56-character base32 string encoding the service’s 32-byte Ed25519 public key together with a 2-byte checksum and a version byte; the 16-character form (e.g., expyuzz4wqqyqhjn.onion) is the deprecated v2 format. v3 addresses are cryptographically derived from the service’s key pair — they cannot be guessed or enumerated, only reached by knowing the address.
Collection constraint: Tor provides strong anonymity for both collectors and targets. Collection personnel cannot enumerate hidden services without knowing or discovering their addresses. This makes DARKINT fundamentally different from surface-web OSINT — you cannot search what you do not know exists.
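Because a collected .onion string is itself an indicator that will be stored and shared, it is worth verifying that it is structurally a v3 address before ingesting it. The following added example (not part of the original page or of the Tor project’s code) implements the v3 address derivation from the Tor rend-spec-v3 (base32 of public key, two-byte SHA3-256 checksum and version byte 0x03) and uses it to classify and verify strings; the key bytes in the demo are constructed, not a real service key.

```python
import base64
import hashlib
import re

# Tor rend-spec-v3: onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   PUBKEY   = 32-byte Ed25519 public key
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION  = 0x03
ONION_V3_VERSION = b"\x03"
_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")
_V3_RE = re.compile(r"^[a-z2-7]{56}\.onion$")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum defined by the v3 spec."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()
    return digest[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Derive the v3 address for a 32-byte Ed25519 public key (35 raw bytes -> 56 base32 chars)."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address: str) -> dict:
    """Classify a collected onion string before it is stored as an indicator.

    version: 3, 2 or None; valid: True only for a v3 address whose version byte and
    checksum verify; pubkey: hex of the embedded key for a valid v3 address.
    """
    addr = address.strip().lower()
    if _V2_RE.match(addr):
        # 16-character v2 format; v2 services were removed from Tor in 2021 and are unreachable.
        return {"version": 2, "valid": False, "pubkey": None, "reason": "deprecated v2 format"}
    if not _V3_RE.match(addr):
        return {"version": None, "valid": False, "pubkey": None, "reason": "not an onion address"}
    raw = base64.b32decode(addr[:-len(".onion")].upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION:
        return {"version": 3, "valid": False, "pubkey": None, "reason": "unexpected version byte"}
    if checksum != onion_v3_checksum(pubkey):
        # A single transcription error or a deliberate look-alike address fails here.
        return {"version": 3, "valid": False, "pubkey": None, "reason": "checksum mismatch"}
    return {"version": 3, "valid": True, "pubkey": pubkey.hex(), "reason": "ok"}


if __name__ == "__main__":
    # Constructed key bytes (not a real service key) used only to exercise the round trip.
    demo_key = bytes(range(32))
    demo_addr = encode_onion_v3(demo_key)
    print(demo_addr, classify_onion(demo_addr))
```

A checksum failure on a collected address most often means a transcription error in the source post; treating such strings as unverified rather than dropping them silently preserves the evidentiary record while keeping them out of automated feeds.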
I2P (Invisible Internet Project)
A parallel anonymization network using “Garlic Routing” — bundling multiple messages together for routing (unlike Tor’s single-message circuit). I2P is primarily used for internal peer-to-peer services (eepsites) rather than accessing the clearnet. Its user base is smaller than Tor; it hosts a distinct subset of underground forums and marketplaces. Less extensively documented in OSINT literature than Tor.
Freenet
A censorship-resistant file-sharing network, not an anonymization proxy. Used primarily for static content distribution. Less operationally significant for DARKINT than Tor or I2P.
DARKINT Collection Categories
Ransomware Leak Sites
Ransomware groups operating under the Ransomware-as-a-Service (RaaS) model systematically publish victim data on dedicated Tor hidden services when ransom demands are not met. These “data leak sites” (DLS) provide:
- Victim organization identity (before public disclosure in many cases)
- Sample exfiltrated data (often including internal documents, personnel records, financial data)
- Ransom deadline and negotiation status
- Claims about network access depth achieved
Monitoring tools:
- RansomWatch (free, GitHub): automated monitoring of 100+ active ransomware leak sites; publishes RSS/JSON feed of new victim posts
- Ransomware.live (free, web): aggregated real-time victim feed; searchable by group, date, sector
- DarkFeed (commercial): curated threat feed including DLS monitoring; integrates with SIEM/SOAR
Intelligence value: victim disclosure on a DLS often precedes public disclosure (SEC 8-K filing, press release, regulatory notification) by 24–72 hours. Early detection enables downstream organizations in the same supply chain to initiate defensive posture changes before the incident is publicly known.
Initial Access Broker (IAB) Markets
IABs are threat actors who compromise organizational networks and sell the access (credentials, VPN sessions, RDP access, webshells) to other threat actors rather than conducting the final payload delivery themselves. Dark web forums and markets are the primary IAB sales channel.
Intelligence from IAB listings:
- Target sector: IAB listings specify the industry vertical of the compromised organization (healthcare, financial services, critical infrastructure) — enabling sector-specific defensive alerting
- Access type and depth: listings specify what level of access is being sold (domain admin, local admin, VPN credentials, email access)
- Revenue size: many listings include the target’s annual revenue — enabling approximate victim identification when combined with sector and geography
- Geographic indicator: jurisdiction of the compromised organization
Collection technique: systematic monitoring of active IAB forums (access requires invitation in most cases; monitoring services like Flare, Cybersixgill, and Flashpoint aggregate listings). Establish alert criteria by sector, access type, and geography relevant to monitored organizations.
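Both the leak-site feed (Ransomware Leak Sites above) and the IAB listing criteria in this section reduce to the same defensive task: normalize each new record and test it against a watchlist. The following added example (not the page’s own code and not any monitoring service’s API) shows that logic over constructed sample records; the feed field names and the scoring weights are assumptions, and the victims, groups and listings are invented.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample feeds (not real victims, groups or listings). The field names are an
# assumption loosely modelled on a RansomWatch-style JSON feed and a forum IAB post.
DLS_POSTS = [
    {"post_title": "Example Logistics GmbH", "group_name": "placeholder-group-a",
     "discovered": "2024-05-01T09:30:00Z"},
    {"post_title": "Acme Widgets Inc", "group_name": "placeholder-group-b",
     "discovered": "2024-05-02T14:05:00Z"},
    {"post_title": "Unrelated Bakery LLC", "group_name": "placeholder-group-a",
     "discovered": "2024-05-02T16:00:00Z"},
]
IAB_LISTINGS = [
    {"id": "L-1", "sector": "healthcare", "country": "US", "access": "domain admin",
     "revenue_usd": 450_000_000},
    {"id": "L-2", "sector": "retail", "country": "BR", "access": "vpn", "revenue_usd": 20_000_000},
    {"id": "L-3", "sector": "healthcare", "country": "DE", "access": "email",
     "revenue_usd": 900_000_000},
]


def normalize_name(name: str) -> str:
    """Fold case, punctuation and common legal suffixes so 'Acme Widgets, Inc.' matches 'Acme Widgets Inc'."""
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(inc|llc|ltd|gmbh|sa|plc|corp|co)\b", " ", n)
    return " ".join(n.split())


@dataclass
class Watchlist:
    suppliers: set          # supply-chain organizations whose compromise affects us
    sectors: set            # sectors of the organizations we monitor
    countries: set
    high_value_access: set  # access types that imply deep compromise
    revenue_band: tuple     # (low, high) USD band of the monitored organizations
    alert_threshold: int = 3


def triage_dls(posts, wl: Watchlist, seen_keys: set) -> list:
    """Alerts for new DLS posts naming a watch-listed supplier; seen_keys dedupes re-polled posts."""
    alerts = []
    wanted = {normalize_name(s) for s in wl.suppliers}
    for p in posts:
        key = (p["group_name"], normalize_name(p["post_title"]))
        if key in seen_keys:
            continue
        seen_keys.add(key)
        if key[1] in wanted:
            alerts.append({"source": "dls", "group": p["group_name"], "victim": p["post_title"],
                           "discovered": datetime.fromisoformat(p["discovered"].replace("Z", "+00:00"))})
    return alerts


def score_iab(listing: dict, wl: Watchlist) -> int:
    """Additive relevance score over the criteria the page lists: sector, access type, revenue, geography."""
    score = 0
    if listing["sector"].lower() in wl.sectors:
        score += 2
    if listing["access"].lower() in wl.high_value_access:
        score += 2
    low, high = wl.revenue_band
    if low <= listing["revenue_usd"] <= high:
        score += 1
    if listing["country"].upper() in wl.countries:
        score += 1
    return score


def triage_iab(listings, wl: Watchlist) -> list:
    """Listings at or above the alert threshold, highest score first."""
    out = []
    for listing in listings:
        s = score_iab(listing, wl)
        if s >= wl.alert_threshold:
            out.append({"source": "iab", "listing_id": listing["id"], "score": s})
    return sorted(out, key=lambda a: -a["score"])


# Constructed watchlist for a hypothetical US healthcare organization with one key supplier.
WATCHLIST = Watchlist(suppliers={"Acme Widgets, Inc."}, sectors={"healthcare"}, countries={"US"},
                      high_value_access={"domain admin", "local admin"},
                      revenue_band=(100_000_000, 1_000_000_000))
```

The name normalization matters more than it looks: leak-site posts rarely use an organization’s registered legal name, so exact matching against a supplier list produces silent misses.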
Credential and PII Leak Markets
Leaked credential databases (username/password pairs, PII datasets) are traded on dark web markets and paste sites. Collection methodology:
- Have I Been Pwned (HIBP): free; covers major public breach datasets; API with a domain search endpoint for organizational domain monitoring
- Flare / Cybersixgill / Recorded Future: commercial dark web monitoring platforms; automated alerting on new credential exposures matching monitored domains or email patterns
- Dehashed / Snusbase: semi-commercial breach aggregators; useful for investigating specific individuals or organizations already known to have been exposed
Intelligence application: detect organizational credential exposure before threat actors weaponize it; enable proactive credential rotation and account lockout ahead of attacker use.
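Checking whether an organization’s credentials appear in leaked datasets has its own OPSEC problem: the check must not hand the credential to a third party. The following added example (not the page’s own code) shows the k-anonymity lookup used by HIBP’s Pwned Passwords range endpoint, which the page does not itself mention: only the first five hex characters of the SHA-1 leave the organization, and the match is made locally. The server reply is a constructed stand-in so the block runs offline; the suffix for "password" is its real SHA-1 suffix, the counts and filler suffixes are invented.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys on the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix). Only the 5-character prefix is ever sent over the network."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches, matched locally on the suffix."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def accounts_to_rotate(credentials: Iterable[Tuple[str, str]],
                       fetch_range: Callable[[str], str],
                       min_count: int = 1) -> List[Tuple[str, int]]:
    """From (account, password) pairs, return accounts whose password is exposed >= min_count times."""
    flagged = []
    for account, password in credentials:
        n = exposure_count(password, fetch_range)
        if n >= min_count:
            flagged.append((account, n))
    return flagged


# Constructed stand-in for the service: the reply body for the prefix of "password" (5BAA6).
# The suffix of "password" is real; the counts and the filler suffixes are made up.
_PW_SUFFIX = split_for_range_query("password")[1]
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0" * 35 + ":1",
        _PW_SUFFIX + ":3730471",
        "F" * 35 + ":2",
    ]),
}


def constructed_fetch_range(prefix: str) -> str:
    """Offline replacement for GET https://api.pwnedpasswords.com/range/{prefix}."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")
```

In production, `fetch_range` would be a thin HTTP wrapper around the real endpoint; keeping it injectable lets the rotation logic be tested without network access and without any password ever leaving the host.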
Underground Forums and Communities
Dark web forums (Exploit.in, XSS.is, BreachForums successors, RAMP, etc.) host:
- Vulnerability discussion and proof-of-concept code sharing
- Attack planning and target selection discussions
- Tool and malware sales (stealers, RATs, ransomware kits)
- Threat actor recruitment and partnership formation
Access methodology: most Tier 1 forums require reputation-based membership (vouching from existing members, proof of technical capability, or financial deposit). OSINT practitioners access content through:
- Open-registration forums (lower-quality content; accessible)
- Commercial monitoring services (Flare, Cybersixgill) that maintain forum access and archive content
- Law enforcement-operated infiltration (not available to civilian OSINT analysts)
OPSEC Requirements for DARKINT Collection
DARKINT collection against adversarial environments requires significantly higher OPSEC than surface-web OSINT. The threat model includes active counter-intelligence by forum administrators and threat actor groups who attempt to identify and expose collection personnel.
Hardware Isolation
- Preferred: dedicated air-gapped or purpose-built device used exclusively for dark web collection; never used for personal or organizational network access
- Acceptable: Tails OS (amnesic live operating system; leaves no persistent traces on the host device; boots from USB; forces all traffic through Tor)
- Advanced: Qubes OS with Whonix integration (compartmented VMs; Whonix Gateway routes all VM traffic through Tor; maximum isolation between collection activities)
Network Isolation
- Tor Browser: the baseline; install no additional extensions; uses the Tor network for all connections
- VPN + Tor sequencing: [VPN] → [Tor] (user connects to VPN first, then routes Tor through VPN): hides Tor use from ISP, but VPN provider sees Tor connection. [Tor] → [VPN]: not recommended for dark web access — exit node can be monitored by VPN provider
- Never: use personal devices, organizational networks, or non-Tor browsers for dark web collection
Identity and Account Discipline
- Use purpose-created accounts with no linkage to real-world identity, organization, or any other account
- Monero (XMR) for any necessary forum registration or market transactions — Bitcoin provides pseudonymity only; Monero’s ring signatures, stealth addresses, and RingCT provide significantly stronger privacy
- Rotate accounts and contact patterns regularly — forum behavior analysis can identify collection personnel through behavioral consistency
Evidence Standards and Chain of Custody
Dark web content presents unique evidentiary challenges for legal proceedings or formal intelligence products:
- Berkeley Protocol (UN Human Rights Office, 2022): the authoritative framework for digital open-source evidence in international legal proceedings — applies to dark web content
- Hash verification: SHA-256 hash of collected files and screenshots at time of collection; provides tamper-evident record
- Timestamp documentation: record UTC timestamp at collection; include in evidence metadata
- Archive methodology: offline archival (wget, HTTrack for accessible services; manual screenshot + hash for inaccessible-to-automated-tools content)
- Chain of custody log: document who collected, when, from which platform, using which method — required for evidentiary use in any legal proceeding
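The hash, timestamp and custody requirements above compose naturally into a hash-chained log, where each entry commits to the previous one so that a later edit to any record is detectable. The following added example (not part of the original page and not the Berkeley Protocol’s own tooling) implements that log in memory; the artifact bytes, collector names and platform names in the test are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_evidence_record(content: bytes, collector: str, platform: str, method: str,
                         collected_at: Optional[datetime] = None) -> dict:
    """Metadata for one collected artifact: content hash, UTC timestamp, who / where / how."""
    ts = collected_at or datetime.now(timezone.utc)
    if ts.tzinfo is None:
        raise ValueError("collected_at must be timezone-aware; record UTC, not local time")
    return {
        "sha256": sha256_hex(content),
        "size_bytes": len(content),
        "collected_at_utc": ts.astimezone(timezone.utc).isoformat(),
        "collector": collector,
        "platform": platform,
        "method": method,
    }


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so key order cannot change the hash.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return sha256_hex((prev_hash + canonical).encode("utf-8"))


def append_custody_entry(log: List[dict], record: dict) -> dict:
    """Append a record; each entry commits to the previous entry's hash, making the log tamper-evident."""
    prev_hash = log[-1]["entry_hash"] if log else GENESIS
    entry = {"seq": len(log), "prev_hash": prev_hash, "record": record,
             "entry_hash": _entry_hash(prev_hash, record)}
    log.append(entry)
    return entry


def verify_custody_log(log: List[dict]) -> Tuple[bool, int]:
    """Re-derive the chain. Returns (ok, index): index is the first bad entry, or len(log) if all verify."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i
        if _entry_hash(prev_hash, entry["record"]) != entry["entry_hash"]:
            return False, i
        prev_hash = entry["entry_hash"]
    return True, len(log)


def verify_artifact(content: bytes, record: dict) -> bool:
    """Check that a stored artifact still matches the hash recorded at collection time."""
    return sha256_hex(content) == record["sha256"]
```

The chain only proves internal consistency; to anchor it externally, the latest `entry_hash` should be periodically written somewhere the collector cannot alter (a signed timestamp, a separate system of record, or a printed log sheet).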
Legal Framework
Dark web collection is legally and jurisdictionally complex. Key rules vary by jurisdiction:
| Jurisdiction | Key rules | Specific constraints |
|---|---|---|
| United States | CFAA (18 U.S.C. § 1030): accessing without authorization is criminal; passive monitoring of publicly accessible sites is generally permitted; purchasing data from IAB markets may constitute receiving stolen property | CSAM: absolute prohibition; immediate reporting obligation to NCMEC |
| European Union | GDPR: collecting PII from dark web markets may create GDPR obligations even where the collection itself is passive; NIS2 Directive creates threat intelligence sharing obligations for critical infrastructure operators | CSAM: absolute prohibition; criminal liability; mandatory reporting |
| United Kingdom | Computer Misuse Act 1990; Investigatory Powers Act 2016; GDPR (UK retained); passive monitoring generally permitted; account creation on criminal markets may constitute preparation of criminal conduct | CSAM: absolute prohibition; Sexual Offences Act 2003 |
| Brazil | LGPD (Lei Geral de Proteção de Dados): PII collection and processing from dark web sources creates LGPD obligations; Marco Civil da Internet governs data access | CSAM: absolute prohibition |
| Universal | CSAM (child sexual abuse material): possession, access, and collection is a criminal offense in all relevant jurisdictions | Any collection methodology that encounters CSAM must immediately cease and report to appropriate authorities. No intelligence justification overrides this rule. |
Standing rule: before initiating any DARKINT collection operation, confirm the applicable legal framework for the collector’s jurisdiction, the target platform’s hosting jurisdiction, and the applicable law of the subjects being collected against. Legal review is a prerequisite for formal DARKINT programs, not an afterthought.
CTI Integration
DARKINT products integrate with the formal Cyber Threat Intelligence workflow via:
- MISP (Malware Information Sharing Platform): ingest DARKINT indicators (hashes, onion addresses, threat actor aliases, IAB listing details) as structured MISP events; share via MISP feeds to downstream SIEM/SOAR systems
- STIX/TAXII: structure DARKINT-derived threat intelligence as STIX 2.1 objects (threat actor, indicator, malware, attack pattern, vulnerability) for interoperable sharing
- MITRE ATT&CK mapping: map threat actor TTPs observed in dark web forum discussions to ATT&CK technique IDs for integration with detection engineering workflows
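As an added example of the STIX and ATT&CK integration described above (not the page’s own code and not the reference `stix2` library), the following block builds a STIX 2.1 bundle for one leak-site observation by hand: a threat-actor, an indicator whose pattern is the onion URL, an attack-pattern carrying an ATT&CK external reference, and the relationships between them, then runs the structural checks worth doing before the bundle is pushed to a TAXII server or MISP. The onion address, actor name and aliases in the test are placeholders; T1078 (Valid Accounts) is a real ATT&CK technique chosen as a plausible mapping for credential-based initial access.

```python
import re
import uuid
from datetime import datetime, timezone
from typing import Iterable, List

_ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def stix_ts(dt: datetime = None) -> str:
    """STIX 2.1 timestamp: RFC 3339 in UTC with millisecond precision and a literal 'Z'."""
    dt = dt or datetime.now(timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _sdo(obj_type: str, **props) -> dict:
    """Common STIX Domain Object envelope: type, spec_version, id, created, modified."""
    ts = stix_ts()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def build_darkint_bundle(onion_address: str, actor_name: str, actor_aliases: Iterable[str],
                         technique_id: str, technique_name: str, source_note: str) -> dict:
    """Package one DLS observation as STIX 2.1 objects plus the relationships linking them."""
    actor = _sdo("threat-actor", name=actor_name, aliases=list(actor_aliases),
                 threat_actor_types=["crime-syndicate"], description=source_note)
    indicator = _sdo("indicator", name=f"{actor_name} data leak site",
                     indicator_types=["malicious-activity"],
                     pattern=f"[url:value = 'http://{onion_address}/']",
                     pattern_type="stix", valid_from=stix_ts())
    technique = _sdo("attack-pattern", name=technique_name,
                     external_references=[{"source_name": "mitre-attack",
                                           "external_id": technique_id}])
    rels = [
        _sdo("relationship", relationship_type="indicates",
             source_ref=indicator["id"], target_ref=actor["id"]),
        _sdo("relationship", relationship_type="uses",
             source_ref=actor["id"], target_ref=technique["id"]),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [actor, indicator, technique, *rels]}


def validate_bundle(bundle: dict) -> List[str]:
    """Structural checks before sharing: ids well-formed and type-prefixed, spec_version set,
    relationship refs resolve inside the bundle, indicator patterns declare their pattern_type."""
    problems = []
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for o in objects:
        oid = o.get("id", "")
        if not _ID_RE.match(oid) or not oid.startswith(o["type"] + "--"):
            problems.append(f"bad id: {oid}")
        if o.get("spec_version") != "2.1":
            problems.append(f"missing spec_version on {oid}")
        if o["type"] == "relationship":
            for ref in ("source_ref", "target_ref"):
                if o.get(ref) not in ids:
                    problems.append(f"dangling {ref} in {oid}")
        if o["type"] == "indicator" and o.get("pattern_type") != "stix":
            problems.append(f"indicator without pattern_type=stix: {oid}")
    return problems
```

Dangling references are the most common reason a downstream platform rejects or silently drops part of a bundle, which is why the relationship check runs over the ids actually present rather than trusting the producer.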
Key Connections
Methodological foundation:
- Dark Web Methodology — the operational collection methodology for dark web environments
- Cyber Threat Intelligence — DARKINT is a primary CTI collection vector
- OSINT — DARKINT as a specialized OSINT sub-domain
Related concepts:
- Signals Intelligence — conceptual parallels in collection-under-anonymization environments
- OSINT Legal Framework — jurisdictional constraints on dark web collection
- Tor Network — technical infrastructure
Intelligence products:
- Network Analysis Methodology — dark web forum social network mapping
- Financial Intelligence — cryptocurrency transaction tracing from dark web marketplace activity