Threat Intelligence
dark web
threat intelligence
leaked credentials

What Is the Dark Web? Risks for Businesses

What the dark web is, what gets traded on it (credentials, RaaS access, stolen data) and why it is a real risk for your business.

SecraJuly 6, 202610 min read

What is the dark web is one of the most searched questions in cybersecurity, and it is almost always answered with sensationalism rather than judgement. The dark web is the fraction of the internet reachable only through anonymity networks such as Tor, designed to hide who publishes content and where it is hosted. For a business, what matters is not the mystery but an uncomfortable fact: that layer is where the credentials, customer data and corporate network access an attacker will use against you are bought and sold. This article explains what the dark web is, what gets traded on it and why it affects you even if you never go near it.

The essentials

  • The dark web is the portion of the internet reachable only through anonymity networks (Tor, I2P), not a magic place nor a synonym for the deep web.
  • It is not illegal in itself, but it concentrates stolen data markets, intrusion forums and the extortion sites of ransomware groups.
  • What gets traded includes leaked credentials, stealer logs, customer data, corporate access (IABs) and phishing as a service.
  • Corporate data reaches it after a breach or an infostealer infection, following a predictable chain that ends in ransomware.
  • It affects you even if you never enter: the risk exists because your data is already circulating, and dark web monitoring is what detects it in time.

What the dark web is in 30 seconds

The dark web is the set of sites and services you cannot open with a conventional browser or find on Google, because they live on anonymity networks. The best known is Tor, whose services use addresses ending in .onion. Other networks share the same philosophy, such as I2P (with .i2p domains) or Hyphanet. The common trait is that they decouple content from identity: neither the visitor reveals who they are nor the server reveals where it is.

Two myths are worth clearing up straight away. First, the dark web is not illegal in itself: it hosts mirrors of censored media, secure drop boxes for journalistic sources and privacy forums. Second, it is tiny compared with the rest of the internet. What makes it relevant to business is that it concentrates stolen data markets, intrusion forums and the extortion sites (leak sites) of ransomware groups.

Surface web, deep web and dark web: the three layers

To place the dark web you need to distinguish three layers of the same network, which are not separate worlds but different levels of accessibility.

  • Surface web: the pages a search engine crawls and indexes (a corporate site, a blog, an online shop). It is a small fraction of the total.
  • Deep web: everything that exists but is not indexed and that you use every day: online banking, email, intranets, admin panels, databases behind a form. There is nothing clandestine about it.
  • Dark web: a tiny portion of the deep web reachable only through anonymity networks.

The most common mistake is treating deep web and dark web as synonyms. The correct relationship is one of inclusion: all of the dark web is deep web, but almost none of the deep web is dark web. If you want the technical detail of how Tor works under the hood (circuits, guard and exit nodes, v3 .onion addresses derived from an ed25519 key), we cover it in deep web vs dark web: differences.

What gets traded on the dark web

Dark web commerce works like a mature market, with reputable vendors, escrow services and reference prices. These are the products that affect a business most:

  • Leaked credentials and combolists. Files with millions of email:password pairs collected from multiple breaches. They feed automated credential reuse attacks, the mechanism we describe in what is credential stuffing.
  • Stealer logs. Records generated by infostealers such as RedLine, Lumma, Vidar or StealC, which infect a machine and exfiltrate browser-saved passwords, session cookies and system data. They are especially valuable because they include session tokens: with a valid cookie, an attacker can bypass the second factor without even knowing the password.
  • Customer data. Databases with personal information (PII), purchase histories, card numbers and so-called fullz, full-identity packages (name, ID document, address, banking details) used for fraud and social engineering.
  • Corporate access. Initial access brokers (IABs) sell already validated ways into company networks: VPN credentials, exposed remote desktop (RDP) or admin panels. Typical prices range from a few hundred to several thousand dollars depending on the victim's revenue.
  • Phishing kits and phishing as a service. PhaaS platforms such as Tycoon 2FA or EvilProxy rent adversary-in-the-middle (AiTM) infrastructure able to intercept the session token and bypass MFA. Templates that clone banking or Microsoft 365 portals are sold too.
  • On-demand services. Malware, exploits and, increasingly, AI-assisted fraud, including deepfakes of voice and video to impersonate an executive on a transfer order.

How corporate data ends up there after a breach

Data does not appear on the dark web by chance: it follows a fairly predictable chain.

  1. Initial compromise. A breach in a platform exposes its database, or an infostealer infects an employee's laptop through an attachment or a trojanised installer.
  2. Extraction and packaging. The attacker dumps the database or collects the stealer log. Emails, hashes and passwords are normalised and grouped into reusable combolists.
  3. First sale. The material is posted on forums such as the successors of BreachForums, on log markets (Russian Market, 2easy) or on Telegram channels. Some is sold, some is leaked for free to build reputation.
  4. Resale and specialisation. An IAB buys a stealer log, verifies that the VPN credentials are still active and resells that already validated access to an affiliate of a ransomware-as-a-service (RaaS) programme.
  5. Exploitation. The affiliate uses that access as an entry point, moves laterally, exfiltrates data and deploys encryption. If the victim does not pay, their data ends up published on a leak site as part of double extortion. It is the pattern we analyse in ransomware in Spain 2026.

The lesson is that a leaked credential is rarely the end of an incident: it is usually the beginning of another one.

Why it matters to your business even if you never enter

Here is the shift in mindset. You do not need to open Tor or visit a single market to be affected: the risk exists because your data is already circulating there, with or without your knowledge. Treating the dark web as a matter of morbid curiosity is precisely what delays detection.

The impact is concrete and measurable:

  • Free initial access. A single employee credential in a stealer log can be the doorway to a ransomware incident that halts your operation for days.
  • Targeted fraud. Executive and supplier data feeds CEO fraud (BEC) and voice-based social engineering, which gain credibility precisely because they start from real information.
  • Regulatory obligations. If the leak includes personal data, the GDPR may require you to notify the supervisory authority within 72 hours; NIS2 adds management and incident-reporting duties for essential and important sectors. Discovering the exposure late narrows your margin to comply.
  • Reputational and supply-chain damage. Access to your network can be reused to attack your customers, turning you into a third party's weak link.

Put differently: the dark web is not a curiosity problem, it is an exposure-surface problem. And that surface is managed by watching it, not by ignoring it.

Signs of exposure and how it is detected

Few companies discover their exposure by browsing: they discover it when someone watches on their behalf. These are signs that your data may already be in circulation:

  • Corporate emails showing up in known public breaches.
  • A sudden rise in failed login attempts or account lockouts caused by credential stuffing.
  • Mentions of your domain or brand in access-selling forums.
  • Employee accounts with active sessions from geographically impossible locations.

Detecting this in time is the job of threat intelligence, and specifically of dark web monitoring: systematically observing breach dumps, combolists, stealer logs and brand mentions, correlating them with your domains and assets, and triggering a response (credential reset, session revocation, analysis of prior use). We cover the full process in dark web monitoring for business.

This watch relies on the same OSINT discipline an attacker uses to prepare a strike: the difference is that you apply it to stay ahead. In MITRE ATT&CK terms, much of what gets bought in these markets feeds the adversary reconnaissance phase (for example T1589, gathering victim identity information) and the later use of valid accounts (T1078) as initial access.

Frequently asked questions

What exactly is the dark web?

It is the part of the internet reachable only through anonymity networks such as Tor, whose services use .onion addresses that a conventional browser cannot resolve. It is designed to hide the identity and location of both the publisher and the visitor. It is not a synonym for the deep web nor for illegal activity, although it does concentrate stolen data markets and criminal forums.

Is it illegal to enter the dark web?

In most countries it is not: using Tor or opening a .onion site is legal, because they are legitimate privacy tools. What is illegal are specific activities that may take place there, such as buying stolen data, hiring criminal services or accessing third-party systems. For a business, the point is not to enter but to watch whether its own data appears exposed.

What data of my company can end up on the dark web?

Mainly employee credentials, session cookies, corporate emails, customer data (PII, cards, fullz), internal documents and, in the worst case, full access to your network sold by an initial access broker. Mentions of your brand may also appear in forums where an attack is being prepared.

Can I find out if my data is already exposed?

Yes, through a dark web monitoring service that correlates your domains and assets with breach dumps, combolists and stealer logs. Public references such as Have I Been Pwned allow a first individual check, but an organisation needs domain coverage, continuous alerts and a response process behind them.

How is it different from the deep web?

The deep web is everything search engines do not index, including your online banking or your email, and it is perfectly legitimate. The dark web is a tiny fraction of that deep web reachable only through anonymity networks. All of the dark web is deep web, but almost none of the deep web is dark web.

Watch your exposure with Secra

At Secra we treat the dark web for what it is to your business: a source of risk to be watched, not a mystery to be idly explored. We integrate monitoring into a threat intelligence programme tailored to your organisation, with domain and brand asset coverage, detection of leaked credentials and stealer logs, risk-based prioritisation and a response process that connects the alert to the reset, session revocation and impact analysis. All aligned with NIS2 and GDPR, with traceability for the file.

Discover our threat intelligence service and plan the monitoring of your exposure with us.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.

Share article