CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.
Dark web and TOR: What kind of intelligence can you find there?
In the early days of the internet (2002-2005), I ran the U.S. Army’s Computer Emergency Response Team (ACERT). This was right when the internet was really getting started as a useful tool to conduct business operations for the commercial sector, government enterprise, and academic institutions. It was also the time that the network defender community started to get serious about defending those operations.
I worked in a place called the Army’s Information Dominance Center because nobody was using phrases like Security Operations Center (SOC) to describe where they worked. We had a vague notion that cyber warfare was possible and we all thought that we would fight it independently of a physical war; that there would be a purely digital cyber war between nation states. That notion did not last too long but that was the current thinking.
Because of that perceived threat, one of my Army responsibilities as the ACERT Commander was to supervise counterintelligence operations against the known set of nation state hackers; at the time, they were mostly out of China. The dark web wasn’t a thing yet so hackers were hanging out in their own digital communities. The landscape was a free-for-all. What I learned from that experience is that counterintelligence operations is hard to do well. The intelligence gleaned from that kind of activity could be very valuable but it was expensive in terms of time and human capital.
20 years later, The Onion Router network (TOR) is the defacto location of the dark web. There are other places, but if you are trying to hide your location on the internet from prying eyes, whether you are a good guy or a bad guy, TOR is the first place that people migrate too. And, 20 years later, commercial intelligence firms offer services by conducting counterintelligence operations in the dark web for their clients. I thought it was time to review what the dark web actually is and the kinds of intelligence you can get out of it if you pay for a service.
Dark web not invented by the bad guys.
Experienced network defenders already know this but even though the “dark web” sounds mysterious and scary, it really isn’t. Bad guys hang out there for sure but so do the good guys. They hang out there because it provides an imperfect but elevated level of operational obscurity compared to what the general purpose standard internet provides. People that don’t like to be tracked on the internet use the “dark web” to camouflage their movement. Naturally, criminals and spies and hacktivists use it to disguise their activity. But so do journalists, activists, whistleblowers, and anybody that has an aversion to other people, especially governments, watching their online activity. "The dark web" is essentially an evocative marketing name for the The Onion Routing Project or TOR for short. And get this, it wasn’t built by the Russians, the Chinese, the First Order, or even the Kardashians. The original concept came from the U.S. Navy.
TOR concept and implementation.
Back in the early 1990s, three guys from the United States Naval Research Laboratory— Paul Syverson, Michael Reed and David Goldschlag— were playing around with the idea of Onion Routing. The basic concept was that if you wanted to hide your internet location from prying eyes while exchanging messages with a second party, the originator would send the message into this onion network. The onion network would consist of thousands of onion routers— as of February 2019, the TOR network had 6,500 routers— and the system would send the message randomly to a handful of them. Each time a node sent the message to another onion router, it would wrap a layer of encryption around the message. By the time the message popped out of the onion network to be received by the intended destination, nobody could tell where it came from. The intended destination, and all of the intermediary onion routers, only knew the router that sent them the message but none of the others in the circuit. The message path was hidden in the layers of encryption.
It is pretty easy to try this out yourself too. Just download and install the TOR Browser for your laptop, go to YouTube and search for something. Since the originator does not know which country the TOR exit node is located in, you might get some interesting results. When I just did this test, my YouTube responses were coming back in German, not the traditional English that I am used to when I am not using TOR.
TOR hidden services and history.
The commercial services provided by the dark web intelligence companies mostly rely on their ability to monitor hidden services within the TOR network. In the message exchange example above, the two parties sat outside the onion network and passed messages through it. But, people can establish other onion nodes that, in addition to routing, also provide other kinds of services. There is nothing mysterious here either. They are mostly retail websites and chat rooms that cater to a specific clientele. They are hidden because you can’t find them with a general purpose internet search engine like Google or Bing and nobody knows the location because they are protected by the layers of onion encryption.
If I am a cyber criminal selling credit card numbers to other black hats or a journalist setting up a drop site for a potential source, I might set up a website as a hidden service within the onion network. By some means outside of the Onion Network, I would tell my customer the hidden service Onion address, essentially the public key, and through some TOR routing magic using introductory nodes and rendezvous nodes, allow my customer to request access to it. If they have the right password, they get in.
So Syverson, Reed, and Goldschlag developed the onion router idea for the United States Naval Research Laboratory in the 1990s and then two MIT graduates, Roger Dingledine and Nick Mathewson, deployed the first alpha implementation in 2002. The Electronic Frontier Foundation (EFF) recognized the value of the work and provided initial funding. The TOR Project became a non-profit in 2006 in order to maintain development and today, according to Aditya Tiwari over at the web magazine called FOSSBYTES, TOR is funded by the U.S, Sweden, different NGOs, and individual sponsors. It is by far the largest known onion routing network. There are even Linux distributions, like Tails and Subgraph OS, that provide built-in Tor support. But there are other onion routing networks too like Freenet, I2P and Hornet.
The value of dark web intelligence services.
According to Andy Greenberg at Wired, as of 2017, there were about 3,000 live hidden services active in TOR. There are most likely more today but according to a report published by Terbium Labs in April 2020, these are the types of information that bad guys are selling in the dark web marketplaces.
- Fraud guides (49%): Criminals selling “How to” guides to other criminals.
- Personal data (15.6%): PII.
- Non-financial accounts and credentials (12.2%): USERIDs and Passwords.
- Financial accounts and credentials (8.2%): USERIDs and Passwords.
- Fraud tools and templates (8%): Bad guy tools.
- Payment cards (7%): Credit cards.
Dark web intelligence companies monitor these hidden services by conducting counter-intelligence operations against them. This involves creating and developing personas to use within each hidden service. Many hidden service operators have additional vetting procedures other than just providing access to the dark web service as described previously. In many cases, you can’t write code to sign up for the service. It involves a human interacting with the dark web service operators and once in, engaging with the clientele on the site. Conducting counterintelligence operations in these environments involves maintaining a stable of vetted personas so that if any one of them gets burned by the dark web operator or the clientele, the team can still pursue its counterintelligence mission.
There are a handful of companies that sell this kind of service like Recorded Future, Flashpoint, Intel 471, iSight, Terbium Labs, Deloitte and SenseCy. Some of their employees are former government specialists with current and expired government credentials. These folks cut their teeth by chasing bad guys in cyber space and they are very good at what they do.
The value of dark web Intelligence products.
I admit it. My inner cyber nerd gets excited at the prospect of telling my boss that I have counterintelligence agents monitoring the dark web on behalf of the company. How many times do you get to say that in your career? But I think that these kinds of services target a special niche of experts in the network defender community and may not be for everybody. By looking at Greenberg’s list of dark web marketplaces, you can see that law enforcement, banking, and possibly government intelligence groups would find these services attractive especially if these customers could customize their information requirements.
You might make the case that discovering employee PII on a dark web hidden service is valuable for the general purpose network defender. Getting that intelligence in a timely manner would be a trigger for you to change that employee’s credential settings and prevent a compromise. That could be true. My counter to that scenario is that there are probably a hundred other things you should do first before you implement that scheme; a hundred other things that would more robustly reduce the probability of a material cyber event in your organization. Your situation might be different but, as a general purpose network defender, I would pursue basic zero trust, intrusion kill chain, and resilience strategies before I did this.
You might also make the case that discovering your company’s proprietary information, like the secret ingredients to the Coca-Cola recipe, is sitting on some dark web hidden service web server is important intelligence. You might be right, but I would challenge you by asking what decision do you make with that knowledge after you find out about it? I am willing to bet that anything you do at that point would not be that impactful. As they say, that horse has already left the barn. That situation might get you funding for your next pet security project, but it will not change the fact that the information is gone.
The world and history of the dark web in general and TOR specifically is fascinating. Counterintelligence operations targeting that murky internet corner could yield interesting results for the right kinds of organizations. Double check yourself to validate if you watchover the right kind of organization and to judge if this is a high priority for you. If so, then celebrate your inner cyber nerd by all means.
"Everything About Tor: What is Tor? How Tor Works ?” By Aditya Tiwari, FOSSBYTES, 22 May 2017, Last Visited 30 April 2020,
“Fraud Guides Top List of Most Frequently Sold Type of Data on Major Dark Web Marketplaces” by terbiumlabs, 16 April 2020, Last Visited 30 April 2020,
“History” by TOR, Last Visited 30 April 2020,
“Honey Onions: Exposing Snooping Tor HSDir Relays” by Guevara Noubir and Amirali Sanatinia, College of Computer and Information Science, Northeastern University, 2016, Last Visited 30 April 2020,
"How the FBI relies on dark web intel firms as frontline investigators” by Chris Bing, CYBERSCOOP, 13 April 2017, Last Visited 30 April 2020,
"Scan the dark web for threat intelligence” By Michelle Drolet, Contributor, CSO, 3 January 2018, Last Visited 30 April 2020,
“It’s About To Get Even Easier to Hide on the dark web” by Andy Greenberg, Wired, 1 January 2017, , Last Visited 30 April 2020,
"The Onion Router and the Darkweb” by Corianna Jacoby and Ming Chow, 15 December 2016, Last Visited 30 April 2020,
"What is the dark web? How to access it and what you'll find” By Darren Guccione, Contributor, CSO, 5 March 2020,, Last Visited 30 April 2020,
"What's the difference between the deep web and the dark web?” Juliet Beauchamp and J.M. Porup, IDG Tech Talk, 12 February 2020, Last Visited 30 April 2020