Customer portal


Product news, Tips

Offensive Cyber Threat Intelligence for Lawyers and Private Investigators

In the last article, I wrote about how legal firms can utilise cyber threat intelligence and the SOS Intel toolkit for cyber defence. But in this article I want to explore a different idea, namely, offensive threat intelligence for legal firms. 

When someone says “cyber crime” what do most people think of? Likely something along the lines of “hacker”. Most will picture someone in a dark room staring at a computer screen with hundreds of lines of code flashing by while frantically typing on their keyboard. 

While hackers like this do exist, they make up a minority of cyber criminals. Cyber stalking is, by far, the most common cyber crime. 

Every year almost 10 million people in the United States are victims of cyber stalking or harassment. The vast majority, about ~80%, of cyber stalking incidents go unreported to law enforcement. To make matters worse, cases of cyber stalking that are reported often go unpunished. From 2010 – 2013, of the roughly 2.5 million reported cases of online harassment, only 10 cases resulted in a prosecution. 

A major reason many of these cases go unresolved is the extensive evidence required to make a case. Collecting evidence on a cyber stalker is a difficult and time consuming process. But, this doesn’t have to be the case. 

Utilising cyber threat intelligence tools, it is possible to collect large amounts of data on a target. Much like other cyber criminals, cyber stalkers use platforms like Telegram and Signal. Threat intelligence tools like the SOS Intel toolkit can pull data from these platforms on a mass scale. Just by crafting a few keywords you can search thousands of terabytes of data.

This “offensive” use of the SOS intelligence toolkit is not isolated to just cyberstalking cases. The SOS toolkit is incredibly versatile, it’s capable of assisting with any sort of research into any internet crime. Let’s take a look at what the SOS toolkit is capable of…

SOS Intelligence Toolkit API

The best way to utilise the SOS Toolkit is the API. The API allows you to integrate the toolkit into 3rd party programs. The API provides you the raw aggregate data and leaves the organisation up to your personal preferences. To start working with the API, first you will need to generate your API key. 

You can do this in the “API” tab of the web interface. Once you click the “generate” button you will see this message:

There are many API clients out there, but for the purpose of simplicity in the example I will be using Postman.

SOS Intelligence offers a Postman Collection file to further simplify the process of  implementing API requests in postman. If you are interested in using the Postman collection, please send an email to “[email protected]” 

Once you have your API key and have imported the Postman collection file (or you plan on manually adding the API requests) you need to add the key to Postman as such:

 Once you have your API key set you are ready to start making API requests! In this example I will be making queries as if I was investigating a cyber crime case. 

Quick note: The user I am searching for in this example is “pompompurin” a known cyber criminal who is active on Twitter and Telegram and administrator of the infamous “Breached Forums”.

Here is a simple query for “breached forums” using the Twitter search function. (Note: At the moment the Twitter search function has a search history limit of 6 months)

The Twitter search function will return any data that matches the search query. If the query matches any of the values or sub-values of a post, the function will return all of the data of said post. 

The data aggregated on each post is entirely dependent on the post itself, i.e. if other users are mentioned or if there are hashtags. It’s worth noting that searches are passed as phrases with “AND” logic. For example, my search for “breached forums” searches for “breached” AND “forums”. This way you can refine your results easily by crafting search queries that match exactly what you’re looking for, automatically weeding out all of the bad results.

Sometimes collecting intelligence from clearnet sources is not sufficient enough. Many hacking forums run both clearnet and darknet sites. The SOS Darkweb search function can search with several different categorical options. The first option is the “Full Text Search” as seen below.

The “full text search” searches through the full text of the site’s page. To narrow down your search results, you can set parameters like “phrase” to true. For example, if I search for SOS Intelligence, the query will pass as SOS “OR” Intelligence. However, if I set the “phrase” parameter to true, this query is passed as SOS “AND” Intelligence. 

The Dark Web Search tool also has special functions for more specific searches like emails and Bitcoin wallet addresses.

The SOS Toolkit puts all of these tools at your disposal instantly. The API is just one method of utilising the toolkit. 

The SOS web application allows you to access the same tools with a more friendly user interface. But the API allows you to integrate the SOS Toolkit into 3rd party OSINT frameworks as well as your own programs/scripts. 

The API provides a simple way to work with the tool kit “offensively”. Utilising several or all of these search functions you can gather a great amount of information on a suspect. You can try these searches out yourself! Remember, we have two community APIs:

  • DARKSEARCH: Provides information about onion websites.
  • CVE Top Talkers: Provides a top list of most talked about CVEs across our threat feeds.

Both can be accessed via a free plan which you can sign up for here 🙂

Photo by Tingey Injury Law Firm on Unsplash.

Opinion, The Dark Web, Tips

An investigation into SS7 Exploitation Services on the Dark Web

In this latest investigative article we will be taking a look at alleged SS7 exploitation services on the Dark Web and diving into their credibility using our SOS Intelligence analytics toolkit.

If you don’t want to miss the latest post, then please sign up to our newsletter here.

SS7 Significance &  Background

Signalling System 7 is a telecommunications protocol adopted internationally that defines how the network elements in a public switched telephone network (PSTN) exchange information and control signals.

The signalling transport (SIGTRAN) protocols proved interoperability of SS7 signalling to operate over IP based networks. This enables PSTN services to operate analogue telephone systems and modern IP network equipment. SIGTRAN uses its own Stream Control Transmission Protocol (SCTP) as opposed to TCP or UDP (Transmission Control Protocol or User Datagram Protocol)

With the flexibility of SIGTRAN operating over IP this has given rise to the commoditisation of SS7 access through SS7 gateways, that bridge TCP based service such as VoIP, SMS gateways etc. providing interconnectivity through to SS7 Link providers. 

SS7 offers the following key services (but not limited to):

  • Call set up, routing and tear-down
  • Caller ID
  • SMS
  • Mobile phone roaming and tracking
  • Call forwarding 
  • Voicemail and call waiting 
  • Conference calling

The primary security defence of a SS7 network is that it is a closed system, no real message integrity or security exists and therefore messages transmitted across the SS7 network are easily intercepted or forged. End users, even SMS gateway providers do not have access to it.

However, given the feature rich tooling of SS7 it is ripe for abuse and a target for not only government run intelligence agencies but also organised crime groups that operate partly or wholly in the cyber domain, therefore access to SS7 is a sought after wildcard for any criminally minded hacker.

SS7 enabled crime and abuse

There are a number of significant abuses of SS7 that are possible with a compromised gateway or with clandestine access to a SS7 network.

We will discuss some of the SS7 enabled abuses as an overview. Please read on!

SMS 2FA Interception

SS7 plays a part in the transportation of SMS messages. An attacker may be able to register a victims MSISDN (mobile number) on a fake MSC (Mobile Switching Centre), the victims operator’s HLR (Home Location Register) that works as a kind of telephone directory for MSISDNs, operators and SMS service centres (SMSC) will set the new location for the Victim’s MSISDN.

When, for this example the victims Bank sends them a 2FA authentication token the MSC transfers the SMS to the SMSC the real MSMSC asks the victims opeartor’s HLR for the victims location, the HLR replies with the attacker operated MSC. The real operator’s SMSC transfers the SMS to the fake MSC operated by the attack.

Therefore the attacker is able to obtain the original 2FA token and respond to the victim’s Bank authentication prompt.

Call Intercept 

Likewise a similar attack is possible with Call interception where an attacker can using the first part of the spoofing process redirect a victims call to a VoIP provider or their own IP-PBX (for example Asterisk) and handle the call much like any VoIP call.

This attack can also surface in other ways, such as WhatsApp and other ‘end to end’ encrypted messaging services where the attack may be able to redirect WhatsApp enrolment to another device and intercept, by redirecting messages to their own attacker controlled phone.  

SMS Spoofing

By far the simplest of attacks and an attack that doesn’t require direct SS7 access is the spoofing of SMS messages to a sender. Most are unaware that the “from” part of a SMS message has no authentication and can easily be spoofed, in fact the SMS sender can put any alpha numeric word in the “from” of an SMS message. 

SMS spoofing attacks can be easily and cheaply performed by obtaining access to an SMS gateway service (on the clear web). Nearly all of the ones that SOS Intelligence were able to asses appeared to have no abuse monitoring or prevention. It is therefore possible to very easily and cheaply (in some cases for free) send a spoofed message much like a phishing email to a victim and prompt a call to action. 

Location Tracking

There are a number of free or paid for clear web services that allow some basic HLR lookup services, none of these services necessary provide an exact location fix of a Mobile Subscriber however they do in part allow some one to see if a MSISDN is roaming, assigned to its home operator, active or deactivated. 

Within the SS7 network of a network operator it may be possible to request the LAC (Location Area Code) and Cell ID and with that information get a reasonably good location for a victim. However, this may require the prior knowledge of the subscribers IMEI (International Equipment Identity) or and IMSI (International Mobile Subscriber Identity) – A MSISDN alone may not be sufficent to be able to query this information. However, a LHR lookup may provide an attacker with an IMSI.

It understood that it is fairly common and universal for an operator to provide specific LAC/CID, information to a GSM MAP (Mobile Application Part) message where an attack could send a “provideSubscriberinfo” message asking for the subscribers location and spoofing a SMSC. The LAC, CID and other information can then be looked online for example using Ofcoms website or service such as cell mapper. tower locator

It may be possible to automate the process of mapping LAC/CID [along with MCC&MNC information] to a geographic location such as with joining together of services provided by for example. 

Availability and Legitimacy of SS7 hacking services on the Dark Web

With the initial introduction to SS7 background and the significance of hacking SS7 out of the way lets start by taking a look into what SS7 hacking or exploitation services are available on the Dark Web. 

If we start off with using our DARKSEARCH too and searching for SS7 in page titles across the last year of our index we see some 84 unique onion domains. 

SS7 Title Search

Narrowing down on only onions that we’ve seen to be up recently further reduces our results to a manageable amount.

Key providers of alleged SS7 exploitation services

It would appear that there are a few main key providers of alleged SS7 exploitation services. 

1) SS7 Exploiter 




Services Offered:

  • Get Location 
  • DoS subscriber 
  • Intercept calls 
  •  Intercept SMS 
  • Spoof call/SMS 
  • Manage subscription 
  • Voicemail settings 
  • Upload SIM toolkit 

2) SS7 ONLINE Exploiter


 Services Offered:

  • Get Location 
  • DoS subscriber 
  • Intercept calls 
  • Intercept SMS 
  • Spoof call/SMS 
  • Manage subscription 
  • Voicemail settings 
  • Upload SIM toolkit

3) SS7 Hack



Services Offered:

  • SMS Intercept
  • Call Intercept and Redirect
  • Location Tracking

Services appear to be offered on time bases (1 day, 7 days, 30 days)

SS7 Hack

All onions associated with this provider appear to be offline at time of writing. All information of this service is gained from the historic SOS Intelligence Dark Web index.

4) Dark Fox Market



Services Offered:

  • SS7 Bypass 2FA (SMS Intercept)
  • SS7 Call Intercept 
  • SS7 Location Tracker

Lets dig into these and see what we can find. 

Looking at the “SS7 Exploiter Dashboard” service 

 SS7 Exploiter Dashboard

The oldest reference we have in our index, from June 6th 2020, we see that the HTML source of that page appears to have been Mirrored using HTTrack (A common website mirroring tool used by ‘419’ Advance Fee Fraud scammers) on the 14th of May 2019 mirroring another domain, xpll5hy2owj4zj22.onion 

  HTTrack Mirror of xpll5hy2owj4zj22

and likewise the other domain for the SS7 Exploiter Service: 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion 

Appears also to have been a copy of xpll5hy2owj4zj22.onion 

This then leaves the SS7 ONLINE Exploiter an almost identical looking website, as the SS7 Exploiter Service but without the Demo Video 

 We see that this page has a contact email address of “[email protected]

But these pages have no HTTrack comments in them, suggesting that they may be the original pages and that the “SS7 Exploiter – Dashboard” are copies.

SS7 Exploiter Dashboard

We can use our dark web email search API to locate any reference to that email address across the dark web

So far we only see one result.

Email Dark Web Search API

It would appear that the “SS7 ONLINE Exploiter” services came after SS7 the cloned “SS7 Exploiter” and may in fact just be clones of a clone with the HTTrack parts stripped out and  demo video link removed and with the contact email address added.

SOS Intelligence DARKMAP tool

Using our DARKMAP tool we see the xpll5hy2jlze25w2.onion website on the very edges of the Dark Web with no known links in or out.

 Dark Map location of  xpll5hy2jlze25w2.onion

However, the identical copy of the website but under the 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion address we see in a much more central part of the Dark Web:

Dark Map location of 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion

And we see it with 3 inbound links 

inbound Links from:

sz5h6tiqkdkfl55qa3kcxgzck3xeffo6cso7sjpc7hc7sr3vghdyicqd.onion “The Dark Web Links Directory

linkdir7ekbalksw.onion  “The Dark Web Links Directory v2 Onion Address

toponiibv4eo4pctlszgavni5ajzg7uvkd7e2xslkjmtcfqesjlsqpid.onion “Hidden Link Directory

 Dark Map 64n64bh345yszlrp3diytow33gxzriofaii72lsiiq4uh4laqgddvyad.onion inbound Links

SS7 Hack

As for the SS7 Hack service. This too appears to have been a copy clone, this time of a clear web website www[.]ss7[.]dev made on Friday the 18th 2021

 HTTrack clone of website

Indeed, both of the “SS7 Hack” websites appear to be identical 

Dark Map location of SS7 Hack

SS7 Hack has one inbound link from:

e6wzjohnxejirqa2sgridvymv2jxhrqdfuyxvoxp3xpqh7kr4kbwpwad.onion  “TorNode – Onion Links Directory “

On the cached front page of SS7 Hack website we find an email address and as before using our Email Search API we see there are 3 results, 1 being a Tor Search service and the other two being the SS7 Hack website duplicates. 



        “created_at”: “Mon, 22 Feb 2021 16:30:49 GMT”,

        “description_json”: {},

        “hostname”: “searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Sat, 09 Oct 2021 08:42:11 GMT”,

        “portscanned_at”: “Tue, 23 Feb 2021 02:59:20 GMT”,

        “powered_by”: “”,

        “server”: “nginx”,

        “ssh_fingerprint”: null,

        “title”: “The Deep Searches”,

        “url”: “http://searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion/”,

        “useful_404”: true,

        “useful_404_dir”: false,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Wed, 29 Sep 2021 18:15:38 GMT”,

        “visited_at”: “Sat, 09 Oct 2021 08:43:37 GMT”



        “created_at”: “Fri, 25 Jun 2021 21:19:08 GMT”,

        “description_json”: {},

        “hostname”: “ss7hfyqn7fv7kjs7.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Tue, 07 Sep 2021 19:02:07 GMT”,

        “portscanned_at”: “Tue, 29 Jun 2021 18:23:08 GMT”,

        “powered_by”: “”,

        “server”: “Apache”,

        “ssh_fingerprint”: null,

        “title”: “SS7 Hack – SMS Intercept – WhatsApp, Telegram, GMAIL, Facebook, Instagram, Twitter, Phone Tapping, Call, Tracking.”,

        “url”: “http://ss7hfyqn7fv7kjs7.onion/”,

        “useful_404”: true,

        “useful_404_dir”: true,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Mon, 06 Sep 2021 17:46:32 GMT”,

        “visited_at”: “Wed, 06 Oct 2021 15:28:34 GMT”



        “created_at”: “Tue, 05 Oct 2021 21:35:23 GMT”,

        “description_json”: {},

        “hostname”: “ss7hxvtum6iyykshcefjmm5pvb2y3lsvcfh2lzml2vtdhqlseqhqnpqd.onion”,

        “is_up”: false,

        “language”: “en”,

        “last_seen”: “Fri, 15 Oct 2021 21:21:48 GMT”,

        “portscanned_at”: “Wed, 06 Oct 2021 02:31:26 GMT”,

        “powered_by”: “”,

        “server”: “Apache”,

        “ssh_fingerprint”: null,

        “title”: “SS7 Hack – SMS Intercept – WhatsApp, Telegram, GMAIL, Facebook, Instagram, Twitter, Phone Tapping, Call, Tracking.”,

        “url”: “http://ss7hxvtum6iyykshcefjmm5pvb2y3lsvcfh2lzml2vtdhqlseqhqnpqd.onion/”,

        “useful_404”: true,

        “useful_404_dir”: true,

        “useful_404_php”: true,

        “useful_404_scanned_at”: “Thu, 07 Oct 2021 23:26:02 GMT”,

        “visited_at”: “Tue, 26 Oct 2021 21:19:15 GMT”



The clear web “original” website appears to have almost identical services and pricing:

Screenshot of the “original” website.

This supplier boasts a good reputation rating on

Secured Hacks

DarkFox Market

They appear to have a fairly e-commerce style webpage, payment is in either Bitcoin or Monero.

DarkFox Market appears to be a more “holistic” hacking service provider, offering a wider range of non SS7 services from DDoS to Ransomware As a Service. 

The check out process requires you to enter your “victim’s” Phone number.

In terms of inbound and outbound links the DarkFox Market website has the most out of all the services seen so far,

DarkFox DARKMAP links

Inbound Links from:

uprb6pfh6yslgecvrx7w4kcsqyxrox26yt4sap5m4sdkvirmsmkroyad.onion “Dark Web Forums –

dwforumsmrcqdnt3.onion “Dark Web Forums 

searchgf7gdtauh7bhnbyed4ivxqmuoat3nm6zfrg3ymkq6mtnpye3ad.onion “The Deep Searches

Outbound Links to:

hackerss4ptfozouwjix72eh2y7cu2v72nz57c4myjdceejqfwnz3zyd.onion “DSM Hackers – All Hacking Tools And Services In One Place

The Proof videos on the DarkFox Proofs page for “Telegram hacking” show an SMS Intercept video. Part of this video actually shows a web portal similar to what’s shown on the “SS7 attack demos” web page! The video is actually stolen content from a journalist who wrote an article on this very attack back in June 2016, with the video along with a WhatsApp hack video uploaded originally in May 2016.

DarkFox Video

Original Youtube Video

www[.]ss7[.]dev video analysis

Although not on the Dark Web the website carries probably the most ‘credibility’ out of all of the SS7 hacking services on the Dark Web. 

The proof videos show web pages that look extremely similar to that of the original demo hack videos from 2016, with a distinctive “superman” SS7 logo however, the page background is white rather than a light yellow proof video uploaded 2nd August 2020

In one of the tabs from the proof video we see an open page to the DSM Hackers forum

Proof video tabs

We know that this was one of the outbound links from the DarkFox market, although this could be coincidental, we are not quite sure of the relevance for the Moscow local time web page tab.

In the service demo video, the first 6 minutes are spent showing how to set up an account and pay for the services.

The most unconvincing of all the services, “SS7 Exploiter ” has to no surprise one of the most unconvincing demo videos. Like the, it spends the first nearly 3 minutes out of 5:23 showing how to buy bitcoin and pay for the service. 

It then shows what is meant to be the supposed “SS7 Exploiter” CLI interface.

SS7 Exploiter Demo Video

Note that this version of the web page, at the time of it being recorded does not show a demo video link in the navigation menu on the left hand side.

Note also the Subscription End date “9/03/21 12:00AM GMT”

If the operator purchased a subscription “out of their own pocket” of 1 Month then that would put the recording of the video at around the 9th of February assuming a DD/MM format. 

Assuming a MM/DD format, this puts the recording at around the 3rd of August. The video itself was uploaded on the 16th of October 2021 to YouTube. It is possible that the video was re-uploaded, from an earlier time.

Interestingly looking back on our index history for this onion domain. We first added the domain to our index on the 23rd of July 2020 with pages crawled  on the 27th and 4th of August 2020. 

The demo.html page and link to it from the left navigation menu was only added to our index on the 18th of October 2021, a few days after the video is uploaded to Youtube. 

With the entire website being originally mirrored by the HTTrack tool on the 13th of May 2019


There appear to be 4 main alleged SS7 Hacking/Exploitation services on the Dark Web, with one “SS7 Hack”, a clone of a clear web website “” being completely offline. 

The other service appears to be a clone of another almost identical website offering a highly suspicious SS7 Exploiter service

With the last, DarkFox Market that offers more than just SS7 services showing nothing more than already stolen / faked videos. 

With ironically the most ‘credible’ of all a clear web website, shows what appear to be spoofs / copies of SS7 hacking demos that were originally uploaded to YouTube back in May 2016.

Like most things on the Dark Web that promise a lot they are very likely all fake money making schemes for some one who is benefiting from all of those who failed to do even the smallest amount of due diligence, as they say Caveat Emptor. 

Are there genuine SS7 hacking services on the Dark Web? 

Most likely, but they are more than likely to be hidden behind membership only hacking services advertised by individuals for a very short period of time, an example of some posts related to SS7 hacking from our intelligence collection service:

SOS Intelligence posts on SS7

In any case it is very unlikely to find a long lived actual openly advertised service offering compromised SS7 gateway access 

It would seem that there is a lot of interest in SS7 exploitation services but not a lot of genuine providers. post about SMS OTP Interception

Of all of the fairly openly advertised services, clear web or dark we strongly believe to be complete fakes.

How much money could they have made?

Using the advertised bitcoin wallets and assuming they are not changing wallets with each transaction we can look at the Bitcoin blockchain explorer to see exactly when and how much bitcoin was sent these wallets



2x Transactions $159.62



1x Transaction $10.09


It would appear that DarkFox e-commerce shop assigns a bitcoin wallet at time of transaction. It is difficult to tell if a wallet contains transactions specifically for SS7 hacking or other services. Upstream review of outbound transactions from these wallets reveal fairly large transactions suggesting that DarkFox is doing a reasonable amount of business.


2x Transactions $180.03


4x Transactions $779.55


2x Transactions $140.23


2x Transactions £319.50



1x Transaction $389.57


No Transactions.

Featured image Photo by Mario Caruso on Unsplash


New 159 Fraud Number launches

A new service launched today aimed at helping prevent what is sadly a growing menace – scam calls and people being defrauded.

People who think they are being defrauded on the phone are encouraged to stop, hang up and call 159. Any real bank or person will not mind you doing this. A scammer *will* mind and will always try and keep you on the phone.

It has been launched in conjunction with a number of major banks and phone service providers, including HSBC, Barclays, BT and Kcom.

A growing threat

Scams and financial fraud are increasing at an unprecedented rate. They have become a fast-moving and industrialised business.

Criminals stole over £1.26bn through fraud and scams in 2020. There were over 80,000 instances of fraud reported by UK telecommunications companies in 2019 as well.

The challenges presented by the COVID-19 pandemic have presented new opportunities for scammers to exploit. There were 149,946 reported Authorised Push Payment scams in 2020 – up 22% from 2019. These are scams where victims are conned into making a payment to a scammer who has posed as genuine and gained their trust. These scams often use legitimate platforms to reach victims, borrowing the credibility of the platforms and services they abuse.

Banks and financial institutions are making great efforts to stops frauds and scams. In 2020 that they stopped £1.6bn of attempted unauthorised transactions.

Stop Scams UK website

Having listened to a number of features about this on the radio today, it is always deeply troubling to hear about people losing money to scammers and fraudsters.

People think that they will be clever enough or switched on enough to know when it is happening to them, but in a lot of cases, the criminals are being incredibly devious and can trick you into transferring money.

In one instance, the scammers pretended to be not only the bank, but also the bank’s fraud prevention team PLUS sent official looking text messages at the same time from a spoofed number.

How does the new number work?

If you think someone is trying to trick you into handing over money or personal details…

…Stop, hang up and call 159 to speak directly to your bank.

Last year criminal gangs stole over £470m by pretending to be your bank or other service provider.

159 is the memorable, secure number that contacts you directly to your bank if you think you’re being scammed.

159 works in the same way as 101 for the police or 111 for the NHS. It’s the number you can trust to get you through to your bank, every time.

159 will never call you. Only a fraudster will object to you calling 159.

How does 159 work?

How SOS Intelligence plays a part in preventing fraud

SOS Intelligence provides Real Time Threat Intelligence for everyone. We are not connected with fighting scam phone calls directly but we are actively fighting fraud online with our service.

Often scam callers use details they may have obtained online, often from breaches of popular services which are then sold on the Dark Web. We monitor keywords, key phrases and email addresses in realtime on the Dark Web and offer a free option to monitor an email address you use when signing up. As a result, you get alerted when your data / email address is out there on the Dark Web.

Sadly businesses and organisations don’t know until too late when their data has been compromised. We prevent that from happening.

It’s really good to see this new service launch.

Opinion, The Dark Web, Tips

How Does the Dark Web Work? An In-Depth Guide (2021)

This is the authoritative 2021 guide to the Dark Web

If you are looking to understand:

  • The Dark Web basics
  • Where did the Dark Web come from?
  • What’s driving the growth of the Dark Web?
  • What activities take place on the Dark Web?
  • Which Dark Web threats can impact my organisation?
  • How to protect organisations from Dark Web activity?
  • What does Dark Web Monitoring do?

Then this guide will provide you with all of the answers you need.

Chapter 1: The Dark Web basics

What is the Dark Web? 

The Dark Web is a peer-to-peer interconnected network of computers that use the Tor Protocol, commonly known as the Tor browser.

Tor uses the top-level domain .onion which takes its name from the method of routing the Tor network’s users.

Anonymity is maintained by building a circuit each time a user tries to connect to a certain .onion domain.

The circuit becomes a multi-layered encryption chain, with each layer unwrapping the next one until it gets to its destination. Hence the reference to an onion.

This method ensures that the relaying nodes on the network between sender and recipient never know who the other one is. They only know the next layer as they unwrap it.

It provides 100% anonymity whilst on the network.

The Dark Web is essentially the containing of that encrypted traffic within the Dark Web itself.

Is the Dark Web 100% anonymous?

There are only 2 places where you can breach Dark Web anonymity.

Either the client end before you transmit data onto the Tor network or via the other end using an Open Relay.

Anyone can download and install an Open Relay and capture information then pass it out onto the internet if the data hasn’t been sufficiently secured within itself.

Chapter 2: Where did the Dark Web come from?

The Tor Project is an open-source foundation that was started as a US Navy research project.

It was originally part of the National Security Agency, a national-level intelligence agency of the United States Department of Defense.

It’s likely that it predates its official launch by a number of years.

The early development of the .onion protocol was designed to allow spies to communicate with each other and contact their commanders via the internet in as safe and secure a manner as possible.

For it to work properly, they needed a sufficient number of nodes in order to allow traffic to pass anonymously.

Too few nodes would simply allow adversaries to intercept and attack their encrypted data.

So (the story goes) the Tor Project was started as a free open source project to encourage widespread use.

It has become increasingly popular over the years and undergone a number of significant iterations since its release in 2002.

Chapter 3: What’s driving the growth of the Dark Web?

The Tor Project quickly gained users thanks to its advanced anonymity properties.

Let’s face it, you build a road and people are going to start driving on it.

Yet here’s the thing:

There are numerous key global events that have seen spikes in growth of Tor.

These include the following:

  • Government clampdowns on file sharing following successful lobbying by Hollywood and the music industry forcing ISPs to block access to torrent hosting websites
  • Key political moments such the Arab Spring in 2010

Meanwhile, various Hacking Communities began using it because it became the ‘cool thing’ to do.

Chapter 4: What activities take place on the Dark Web?

Most of the activity taking place on the Dark Web is as dull and trivial as the rest of the Internet.

In truth, for all its negative connotations the Dark Web shouldn’t be something to be afraid of.

Of the 95,317 sites we currently track, less than 5% are flagged as having potentially abusive content on them.


There is also a significant amount of fraud taking place here, along with a percentage sharing abusive content.

The biggest threat to organisations comes in the form of Ransomware.

What is Ransomware?

Ransomware is the process of hackers encrypting and stealing sensitive company and customer data then ransoming it back to the organisation for profit.

Let’s look at this in more detail in the next chapter.

Chapter 5: Which Dark Web threats could impact my organisation?

In June 2017, the chief technology and information officer for Maersk, a Danish shipping and logistics giant, returned from his honeymoon to discover that the company has suffered a major malware attack.

The attack on its IT systems was so bad that the company was virtually unable to operate, even to the point that its ship’s captains were forced to navigate the globe using paper and pen.

4 years later and the company is still remediating, estimated costs to date are as much as £300 million.

No one is sure whether this attack was Ransomware gone wrong (no public request for payment has been made) but the damage to its business continues to be felt to this day.

The different types of Dark Web attack

The Dark Web enables hackers to remain anonymous whilst providing them with a marketplace to force you as the victim to pay to have your data decrypted.

It gives them a foothold, a place where they can publicly advertise to the world all of the organisations they have hacked.

This data often includes intellectual property, financial information, and customer data and is usually placed on the Dark Web and made free to download until the organisation pays to have it removed.

These are very professional operations with call centers, helplines, and live-chats. Some of them even provide a ‘Get 1 File for Free’ service to prove that the decryption works.

Human Driven Ransomware

This term describes when a group of hackers come together and plan an attack. This would often involve them having a good look around your network before they begin encrypting specific files and servers.

They typically look to exploit vulnerabilities in your network and appear to be reasonably agnostic when it comes to sectors and industries.

Victims could be a dental surgery or multinational aerospace company. The primary motivation is getting you to pay for your encryption keys.

Another way into your systems is via ‘phishing’.

This could involve an IT employee’s credentials are stolen and where the company doesn’t have sufficient protection to prevent the hackers from gaining access to the system.

Ransomware Trends

Ransomware is developing and maturing into a more industrialised activity, with a much greater trend towards automation.

A lot of Ransomware programmes will automatically send your encryption keys off to an onion domain that is spun up just for you, gaining access through something as simple as a Word or Excel document that executes a Macro in the background.

The Macro will then automatically begin to encrypt your data and spin it out onto the Dark Web.

Apart from disabling Macros, patching applications to keep things up-to-date, not opening docs you aren’t sure about and using good security software there isn’t much more you can do.

At present we are aware of between 26-30 active ransomware groups.

If you find yourself on a Ransomware site, there is nothing you can really do except pay and begin remediating.

However, police forces are active on the Dark Web looking to take down operations and have had some success. Dutch police were recently so pleased to have taken down one botnet network that they even posted about it as themselves on a hackers’ forum.

Chapter 6: How to protect organisations from illegal Dark Web activity?

Protecting your organisation from hacking and Ransomware is a difficult task, especially when a concerted hacking campaign coupled with human error comes into play.

If as an IT Professional and/or diligent CTO you have done everything within your power to secure the network and Ransomware still finds its way through a lot of it will simply come down to bad luck.

Hackers work hard to ensure that they are fully undetectable and use dynamic systems that generate malicious downloads on the fly, making it difficult to defend against these types of attacks.

The priority then becomes managing the fallout and particularly the PR as best as you can.

A data breach quickly moves from being an IT problem to a business problem. If you can show that you have behaved competently and done as much as you can there is a chance to come out of it looking better.

Our Dark Web Monitoring tool supports you in this process by providing early warnings of any Dark Web activity around your brand.

SOS gives you awareness, time, and context by letting you know if your information is out there; what information that is; and who is talking about it.

Having these instant alerts can be very reassuring, giving you time to react with the full knowledge of just how big your exposure is.

Now we’d like to hear from you. Have you been affected by any of the issues raised in this guide? Do you have any concerns around data breaches and threat intelligence?

Please get in touch if you need to find out more using the contact info below. And if you’ve found this information helpful, please feel free to share it on your social networks!

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google
Consent to display content from Spotify
Sound Cloud
Consent to display content from Sound