5 Indicators of Attack You Can Uncover with Dark Web Monitoring

The Dark Web has received a lot of attention recently, and is often portrayed as a scary, mysterious place where cyber criminals steal identities and purchase illegal goods. While this is true, the Dark Web can actually be a great source of threat intelligence. Hackers and Advanced Persistent Threat (APT) groups often plan out their cyber attacks using the Dark Web, performing activities like reconnaissance, buying malware programs or sharing leaked credentials.

Monitoring this Dark Web activity can help you anticipate cyber attacks against your organization and identify gaps in coverage prior to them being exploited. So what should you be looking for exactly? Here are 5 indicators of attack that you should be monitoring for on the Dark Web.

#1: Corporate Reconnaissance

The first step of any cyber attack is reconnaissance, which is one of the primary uses of the Dark Web by cyber criminals. Hackers and APT groups try to collect as much information as possible to help in their attacks. For example, they will look for potential vulnerabilities, leaked employee credentials, software programs in use and details about the IT infrastructure.

To do this, cyber criminals will typically purchase information or recruit people with knowledge of the target company. Tracking these requests and interactions can help you identify certain users or groups targeting your organization and figure out how they might attack you. This enables you to identify weak spots in your security infrastructure and take proactive measures to defend against an attack.

#2: Phishing Targeting

Hackers typically coordinate their phishing attacks using the Dark Web before they are launched against a user. Attackers don’t always engineer the entire phishing scheme. For example, they may recruit someone with web design experience to build a website that mimics a known or popular site. They may even purchase the actual ransomware program they plan to deploy using the phishing site.

The scary thing about phishing attacks is that nothing has to be breached or exploited for them to be carried out, so they can be difficult to monitor for. However, you still have an obligation to protect your employees and customers from phishing attacks that use your company’s name or brand.

Monitoring the Dark Web for phishing attack coordination can help you identify and takedown phishing sites before they’re ever used, protecting your employees, customers and brand reputation.

#3: Recruiting Company Insider

No matter how strong your cyber defenses are, a company insider can always bypass them and leak information. Cyber criminals know this is one of the best ways to access confidential information and frequently use the Dark Web to recruit company insiders. In addition, they may post or share lists of potential employees for recruitment, which can also be used to indicate a potential attack or leak.

Monitoring forums and list sharing on the Dark Web can help you identify when an adversary may try to recruit an insider from your organization.

#4: Buying or Selling Login Credentials

Buying and selling leaked credentials is a common practice across the Dark Web. Obviously, it’s very easy for someone to access your sensitive information if they have active login credentials. Locking down leaked credentials is essential to keeping your data safe, and monitoring the Dark Web for purchases or requests for login credentials can help you identify data leaks and lock down accounts before they’re exploited.

#5: Credit Card, Bank Account Logins & BINs for Sale

Another “good” that is frequently bought and sold using the Dark Web is financial information, like credit card numbers, bank account login credentials or Bank Identification Numbers (BINs). It’s important to monitor for any financial information being shared on the Dark Web to help protect your employees and customers against fraudulent charges.

Even if you are not a financial services company, it’s still important to monitor for any corporate bank accounts or credit cards that may be shared or targeted on the Dark Web.


The Dark Web is definitely a place for illegal activity, and it may not be a place you ever want to visit. However, monitoring these interactions, forums and marketplaces on the Dark Web can be a critical source of threat intelligence, enabling you to proactively protect your organization, rather than react to attacks. Dark Web monitoring allows you to be where your adversaries are and see your organization like an attacker would. Therefore, cybersecurity professionals must know about how the Dark Web is used and what to monitor for.

Want to learn more about the Dark Web and how it’s used by cyber criminals? Download our Dark Web 101 Guide today.

Dark Web 101: What Every Security Professional Needs to Know

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.