What is the Dark Web?

What is the Dark Web?

The dark web is a term used in relation to cybersecurity and cyberattacks on the Internet. It has become more prevalent in general discussions over the last few years. Mostly hand-in-hand with the rise of ransomware attacks on businesses and organizations of all sizes over the World Wide Web. But what is the dark web? And how does it differ from the deep web, another term often used in cybersecurity discussions?

In this article, we'll cover these questions and more.

Defining the Dark Web and the Deep Web

The terms dark web and deep web get used as synonyms. This is a mistake. While having similar names, the deep web and dark web are not the same thing.

The deep web is everything on the World Wide Web that is not automatically indexed by web crawlers from Google and other web indexing companies. There are many reasons why certain websites may not be accessible to indexing systems. The content could be behind paywalls (although many paywalled sites do allow indexing to drive traffic), or it could be private company data that should not be available to the general public. When you log in to your bank or view your medical records at a health insurer or provider, you are using part of the deep web. Some website owners also put digital notifications on their sites to stop search engines and web crawlers from indexing their content, often for ideological reasons.

Content on the deep web is still available via a standard web browser (and sometimes a suitable logon at the site) if you already have the URL. The vast majority of the web is the deep web. Estimates suggest it is hundreds or even thousands of times larger than the “normal,” searchable Web. This familiar web consists of sites that are reachable by search engines like Google and Bing. This part of the World Wide Web is also called the clear or the surface web. It makes up a small fraction of the total.

As does the dark web. It is a part of the Internet that is a subset of the deep web in that it is also not indexed by search engines, but the dark web takes another step and requires specialized web browsers or other software to access the content. These specialized tools split the dark web into logical sections called darknets. The original dark web browser and associated tools was the TOR browser. This ran on the Onion protocol and The Onion Router (TOR). TOR is still one of the most widely used solutions on the dark web.

How the Dark Web Operates

The dark web contains multiple parallels and sometimes interconnected darknets. TOR is the main one that most dark websites and users use, but there are others. Some examples are:

  • Tor (The Onion Router) - an open-source toolset designed to enable anonymous communication. TOR sessions redirect traffic through a volunteer network of thousands of relays that conceal the originating location from network tracking and analysis tools.
  • Zeronet - decentralized network of peer-to-peer users using Bitcoin private keys rather than IP address. The private key allows changes to be made that then propagate through the network. It's not anonymous but can also use TOR to facilitate anonymous sessions. Zeronet can use BitTorrent for connection management.
  • Tribler - an open-source BitTorrent client that allows anonymous peer-to-peer connections.
  • Invisible Internet Project - anonymous, peer-to-peer solution using over 50,000 volunteer computers to allow random routing paths through the network. The possible number of routes available makes surveillance and tracking very unlikely.
  • Riffle - a network anonymity tool developed at MIT. It was designed to deal with issues related to how TOR works. It is much faster than TOR-based networking.
  • GNUnet - a decentralized, peer-to-peer networking framework that operates over most common connection types and protocols (WiFI, Bluetooth, HTTP/S, TCP, and UDP). It allows communication, encryption, and peer discovery.


Many other darknet tools have legitimate uses for research into network routing, censorship avoidance, and other benefits. Examples include Decentralized Network 42 and Freenet.

As stated previously, the vast majority of the dark web runs on TOR, with the Invisible Internet Project also having a footprint. We'll go into the TOR project in more depth.

What is TOR and Onion Routing?

The TOR Project was initially developed in the latter part of the 1990s by the United States Naval Research Laboratory. The TOR acronym comes from The Onion Router name, and it is the largest and most popular implementation of onion routing. Given that onion routing (see below) is great for anonymity, TOR quickly came to the attention of various groups looking to hide their activities on the Internet — including, but not limited to, cybercriminals and other bad actors. Hence its rise as the protocol of choice for the early dark web — a dubious accolade it still holds today, despite the increase of other anonymous networking protocols like those listed in the previous section.

Onion routing is a method of transmitting data over a network by securing and anonymizing it using multiple separate layers of encryption. The encryption is applied using different keys at different locations on the journey over the network and then unpacked at the destination – like taking the layers off an onion. It can be used for any network transfers but has become synonymous with the dark web and TOR.

Onion routing has given rise to the term “Onionland” as a synonym for the dark web. There is also a prominent dark web search repository called Onionland — not to be confused with search engines on the clear web as it's a maintained list of dark web sites, and not an index built by a web crawler on the dark web, as that's not possible.

How is the Dark Web Used?

Legitimate Uses

There are plenty of legitimate uses for the dark web. There are many authoritarian governments across the globe, and people living under such regimes often need to anonymously communicate, and hide their online activities from spies. Which, let's not forget, was the reason the TOR project was devised and completed by the USA Department of Defense back in the 1990s. It is often safer and more convenient for people to use TOR and the dark web than it is to use a virtual private network (VPN) over the open web.

At the time of this writing [May 2021], The Tor Project website (https://metrics.torproject.org/hidserv-dir-onions-seen.html) indicates that about 160,000 dark sites are using the Onion protocol. A study undertaken by security firm Hyperion Gray into 10% of the Onion sites in operation in 2018 showed that many of the sites investigated were used for legitimate and legal privacy and discussion-based activities. This corroborated a survey from 2016 in which Terbium Labs analyzed 400 TOR sites at random and found that 50% were perfectly legitimate and had no illegal activities going on.

Many governmental organizations, several newspapers, and myriad tech organizations have a presence on the TOR network, for reasons such as showing a commitment to privacy or allowing people to pass them information anonymously. The Guardian newspaper has a SecureDrop facility on TOR, as does the CIA, which uses it for virtual walk-ins for anyone wanting to pass them information confidentially. Even Facebook set up a way to post using TOR.

Accessing and using dark web protocols such as TOR is not illegal; it's just been adopted as the platform of choice by many bad actors who undertake illegal activities.

Nefarious Uses

The protections afforded to people looking to be anonymous for legitimate reasons also provide the same anonymity for cybercriminals and criminals operating in the real world who want private communications. While the amount of traffic is small compared to the e-commerce transacted on the open web, there is no denying that the dark web is a haven for bad actors and illegal e-commerce activities.

The illegal content traded on the dark web black market and the illegal activity on the dark web is spread over a wide range of activities that law enforcement agencies and internet service providers often have to combat.

Examples include:

  • Sale of illicit goods on dark web marketplaces - recreational drugs, illegal drugs, healthcare drugs (pharmaceuticals legal in some jurisdictions, but not all), firearms, and other items regulated on conventional commerce channels.
  • Sharing and sale of illegal content - pornography, child pornography, and child abuse images, neo-nazi propaganda.
  • Cyberattack solutions and information - sensitive information (like social security numbers, bank account details, credit card numbers) and other personally identifiable information such as authentication credentials for business systems and personal social media accounts. Cybercriminals can use this information to plan future cyberattacks such as ransomware, phishing, identity theft, cryptocurrency scams, data breaches, and other malware attacks.
  • Political activity - some governments use bad actors who advertise on the dark web to undertake activities that they wouldn't want to be made public. Examples include hiring hitmen to attack people such as dissidents and whistleblowers, and performing takedown attacks on news sites or other web pages, web content, or even web search engine results they don't like.
  • General criminal activity - cybercrime activity such as money laundering via cryptocurrency exchanges and the sale of stolen credentials for services as seemingly mundane as Netflix and other popular web entertainment companies.

Many of these illegal activities use Bitcoin and other cryptocurrencies for transactions so that the sellers and buyers can remain anonymous. This makes it hard for law enforcement agencies like the FBI, CIA, and international partner organizations to disrupt illicit activities. It is not impossible, however, as evidenced by the tracking and disruptions of dark web networks such as the Silk Road (described as the Amazon of the dark web) and the conviction and imprisonment of Ross Ulbricht. Another example is the shutting down of AlphaBay, one of the largest contraband sites on the dark web in 2017, due to the combined efforts of law enforcement from three countries.

Many harmful activities that eventually impact wider society are born and nurtured via TOR anonymity and funded by untraceable cryptocurrencies on the dark web. This is why monitoring and dealing with illegal activities is a focus for cybersecurity professionals and law enforcement in many countries.

Is Accessing the Dark Web Dangerous?

Accessing the dark web can be dangerous if you don't know what you are doing. Thousands of highly skilled cybercriminals and digital natives who frequent the dark web are more than willing to take advantage of anyone who is not careful or who doesn't know what they are doing on TOR sites.

If you want to protect your organization against cyberattacks that are planned and originate on the dark web, then IntSights External Threat Intelligence solutions can do that for you. Our skilled cybersecurity professionals use industry-leading tools to do dark web monitoring to spot emerging threats, take action, and therefore keep your business safe.