What Is the Dark Web, How Does It Work, and Is It Illegal?
Learn what the dark web is, how Tor and onion routing work, and why dark web marketplaces matter for enterprise email security.
April 19, 2026
The dark web is a hidden layer of the internet that most people never access directly. It matters to enterprise security teams because dark web marketplaces and forums influence how modern attack chains develop. Understanding what the dark web is, how it operates, and what it means for your organization helps frame the security risk.
Key Takeaways
The dark web is a subset of the deep web that requires specialized software like Tor and enforces anonymity at the network routing layer.
DOJ guidance states that accessing the dark web is not illegal in the United States.
Dark web marketplaces sell stolen credentials, corporate network access, phishing-as-a-service (PhaaS) subscriptions, and session tokens.
Law enforcement regularly disrupts dark web infrastructure, but operators often reconstitute or migrate operations quickly.
Dark web-sourced attack chains can create detection challenges for rule-based and signature-based security tools.
What Is the Dark Web?
The dark web is a portion of the internet designed to hide user and service identity at the network layer.
Surface Web
The surface web includes content indexed by conventional search engines and accessible through a standard browser. CISA defines it as content "indexed by Google" that "does not require special software or credentials to access." News sites, e-commerce platforms, and social media all live here, reachable through standard DNS resolution and HTTP/HTTPS protocols.
Deep Web
The deep web includes internet content that is not indexed by search engines. The FBI describes it as "websites and forums that require log-ins, websites that don't allow for indexing or aren't linked to anything, and databases." Your company's internal SharePoint instance, a bank account portal, or an HR system behind a login page all qualify. The deep web operates over standard protocols and carries no inherent network-layer anonymization. Its inaccessibility is a function of authentication and indexing architecture, not traffic routing.
Dark Web
The dark web is a subset of the deep web that requires specialized software, specific configuration, or authorization to access. The FBI primer defines it as content that "is not indexed and consists of overlaying networks that use the public Internet but require unique software, configuration, or authorization to access. And this access is predominately designed to hide the identity of the user." This CISA report notes that Tor-hosted dark web URLs end in .onion, and anonymization is enforced at the network routing layer, not merely the application layer.
| Dimension | Surface Web | Deep Web | Dark Web |
| --- | --- | --- | --- |
| Search Engine Indexed | Yes | No | No |
| Standard Browser Accessible | Yes | Yes (with credentials) | No (requires Tor/I2P) |
| Network-Layer Anonymization | No | No | Yes, by design |
How the Dark Web Works
The dark web relies on overlay networks that separate identity from destination through layered routing and encryption.
Tor routes traffic through a circuit of volunteer-operated relays to separate a user's identity from their destination.
Onion Routing and the Three-Relay Circuit
Onion routing works by passing traffic through multiple relays so that no single relay has a complete view of both source and destination.
Tor's history explains the development of onion routing and the Tor Project. The system builds circuits one hop at a time through three relay types:
Entry (Guard) Node: Knows the client's real IP address but not the destination.
Middle Relay: Knows neither the origin nor the destination.
Exit Node: Knows the destination but not the originating client.
Traffic moves as fixed-size cells with layered encryption. Each relay strips one encryption layer and forwards the cell to the next node. No single relay can link both the client's network identity and the traffic destination. This layered encryption model is the origin of the name "onion routing."
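To make the "each relay strips one layer" model concrete, here is an added toy simulation (not code from the original article or from the Tor Project): the client wraps a payload in three layers keyed per hop, and each relay peels exactly one layer and learns only its previous and next hop. The stream cipher, hop keys and addresses are constructed for illustration; Tor's real cells are fixed-size and use different cryptography.

```python
import hashlib
import os

# Constructed toy: the per-hop keys a client would negotiate with each relay.
HOP_KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
ROUTE = ["guard", "middle", "exit"]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode keystream: illustrates layering, not Tor's cipher.
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap_layer(key: bytes, next_hop: str, inner: bytes) -> bytes:
    # One onion layer: 8-byte nonce, then encrypted (16-byte next-hop field || inner).
    plain = next_hop.encode().ljust(16, b"\0") + inner
    nonce = os.urandom(8)
    return nonce + xor(plain, keystream(key, nonce, len(plain)))

def peel_layer(key: bytes, cell: bytes):
    nonce, body = cell[:8], cell[8:]
    plain = xor(body, keystream(key, nonce, len(body)))
    return plain[:16].rstrip(b"\0").decode(), plain[16:]

def build_onion(destination: str, payload: bytes) -> bytes:
    # The client wraps the exit's layer first and the guard's layer last,
    # so each relay along the path strips exactly one layer in order.
    cell = wrap_layer(HOP_KEYS["exit"], destination, payload)
    cell = wrap_layer(HOP_KEYS["middle"], "exit", cell)
    return wrap_layer(HOP_KEYS["guard"], "middle", cell)

def run_circuit(destination: str, payload: bytes):
    # Returns what each relay observes (previous hop, next hop) and the exit's output.
    cell, prev, views = build_onion(destination, payload), "client", {}
    for relay in ROUTE:
        next_hop, cell = peel_layer(HOP_KEYS[relay], cell)
        views[relay] = (prev, next_hop)
        prev = relay
    return views, cell  # `cell` is now the plaintext payload the exit forwards

if __name__ == "__main__":
    views, out = run_circuit("example.org", b"GET / HTTP/1.1")
    for relay, (src, dst) in views.items():
        print(f"{relay:7s} sees {src} -> {dst}")
    print("exit forwards:", out)
```

No single relay's view pairs "client" with the destination, which is the property the three-relay design is built around.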
Onion Services and Server-Side Anonymity
Onion services extend dark web anonymity to the server side by hiding the host's IP address and location.
Standard Tor usage anonymizes the client. Onion services (.onion addresses) extend that anonymity to the server, concealing its IP address and physical location. Tor documentation states that onion services provide end-to-end authentication, where the .onion address itself is the public key, end-to-end encryption, and NAT traversal without open inbound ports. Onion service traffic stays within the Tor network, which removes the exit node from that communication path.
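The statement that the .onion address "itself is the public key" can be checked directly against the version 3 onion address format (base32 of the ed25519 public key, a two-byte SHA3-256 checksum, and the version byte 0x03). The following is an added example, not code from the article or the Tor Project; the sample key is constructed, not a real service's key.

```python
import base64
import hashlib

VERSION = b"\x03"  # onion service protocol version 3

def onion_address(pubkey: bytes) -> str:
    # v3 format: base32(PUBKEY || CHECKSUM || VERSION) + ".onion", where
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"

def parse_onion_address(address: str) -> bytes:
    # Inverse: recover the public key, verifying checksum and version; raises on failure.
    if not address.endswith(".onion"):
        raise ValueError("not an .onion address")
    label = address[: -len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 onion labels are 56 base32 characters")
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion service version")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch")
    return pubkey

# Constructed sample key (32 deterministic bytes), not a real service's key.
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_address(SAMPLE_PUBKEY)
    print(addr)
    print(parse_onion_address(addr) == SAMPLE_PUBKEY)
```

Because the version byte 0x03 occupies the final base32 character, every valid v3 address ends in "d.onion", a quick sanity check when triaging addresses seen in threat intelligence.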
Tor Is Not Only Used for Illicit Activity
Tor supports privacy-preserving access for both legitimate and illicit activity.
A Europol report states that hidden service traffic represents a small share of overall Tor network traffic. The majority of Tor usage is for accessing the regular internet with enhanced privacy. CISA explicitly states that many people use the dark web for legitimate reasons, including political dissidence and private communication.
Is the Dark Web Illegal?
Accessing the dark web is legal in the United States, but conduct on the dark web can still create criminal liability.
DOJ guidance states that accessing the dark web is not a federal crime in the United States. Criminal liability attaches to specific conduct undertaken on the dark web, not to the act of reaching it.
Legal Boundaries for Security Professionals
Security professionals can monitor dark web sources for threat intelligence, but the legal boundary depends on how that access is obtained and used.
The Department of Justice Computer Crime and Intellectual Property Section (CCIPS) directly addresses this in its guidance on gathering cyber threat intelligence from dark web sources. The DOJ recognizes dark web forum monitoring as a legitimate professional practice and acknowledges that cybersecurity practitioners gather threat intelligence from hidden services accessible through Tor.
Activities that remain legal include:
Passively browsing dark web forums.
Using a fabricated persona to observe forum activity.
Monitoring threat actor forums for intelligence.
Accessing forums with operator-provided credentials.
Activities that cross into criminal territory include:
Using stolen credentials to access forums or systems (violates the Computer Fraud and Abuse Act (CFAA) and Access Device Fraud statutes).
Purchasing stolen credentials or data.
Exploiting vulnerabilities to access systems.
Impersonating a real person.
Governing Federal Statutes
U.S. computer crime and fraud laws define the main legal framework for dark web-related offenses.
A summary of the CFAA (18 U.S.C. § 1030) explains that it is the primary federal statute governing dark web-related computer crimes, covering unauthorized access, password trafficking, and fraud. Wire fraud also applies to schemes conducted through electronic communications. The CFAA also has extraterritorial reach, covering attacks against computers used in or affecting interstate or foreign commerce even when those computers are outside the United States.
Active Defense Remains a Gray Area
Measures beyond passive monitoring involve legal ambiguity that security teams should evaluate carefully.
A DOJ roundtable documented legal uncertainty around measures beyond passive monitoring, including network scanning, sinkholing malware command-and-control domains, and accessing hop points where stolen data is stored. Security teams designing threat intelligence programs that include dark web access should consult legal counsel on operational boundaries.
What Gets Sold on the Dark Web
Dark web marketplaces operate as a structured supply chain for enterprise compromise, selling everything from stolen credentials to phishing infrastructure.
Stolen Credentials and Session Tokens
Stolen credentials and session tokens are core commodities in dark web markets.
Infostealer malware forms the foundation of the dark web credential economy. These tools capture not just passwords but complete browser fingerprints, including saved credentials, autofill data, and authentication cookies that function as post-MFA session tokens. The Verizon DBIR describes how infostealer activity affects enterprise environments and unmanaged devices that host both personal and business credentials.
Corporate Network Access
Dark web markets also sell direct footholds into enterprise environments.
Initial access brokers (IABs) sell pre-established footholds into corporate networks. Listings on major dark web forums typically specify the victim's industry, annual revenue, number of endpoints, and type of access obtained, whether VPN, RDP, Citrix, or domain admin credentials.
Phishing-as-a-Service and BEC Infrastructure
Phishing infrastructure is also sold as a service on dark web platforms.
A Europol assessment documented the LabHost platform, which offered customizable phishing kits, hosting infrastructure, and campaign management on a subscription basis. Law enforcement also linked the platform to large-scale phishing operations. The W3LL phishing platform followed a similar model, designed to target Microsoft 365 corporate accounts and support business email compromise (BEC) attacks from initial access through post-exploitation.
MFA Bypass Kits
AiTM phishing kits help attackers capture credentials and authenticated sessions.
Adversary-in-the-middle (AiTM) phishing kits like EvilProxy operate as commercial PhaaS platforms, inserting a reverse proxy between the victim's browser and the legitimate service to capture both credentials and live session cookies. CSO coverage identifies documented targets including Microsoft 365, Google Workspace, and Okta. EvilProxy provides a web interface for creating campaigns, selecting targets, and retrieving captured sessions on a subscription basis, while Evilginx serves as the primary freely available open-source AiTM toolkit.
How Dark Web Data Fuels Enterprise Email Attacks
Dark web-sourced credentials, phishing kits, and leaked data can feed directly into email-borne attacks.
The commodities sold on the dark web can support attack chains that lead to account takeover and socially engineered email fraud.
From Credential Theft to Account Takeover
Stolen credentials and session tokens can give attackers valid access to corporate email accounts.
When infostealer logs or AiTM kits capture valid credentials and session tokens, those assets are sold to operators who use them to authenticate into corporate email accounts. Because the login uses legitimate credentials, authentication succeeds. There is no failed login event to trigger an alert. The FBI IC3 report recorded business email compromise activity as a major source of reported loss and described BEC as frequently carried out through compromised legitimate business email accounts.
From Compromised Accounts to Internal Phishing
A compromised internal mailbox gives attackers a trusted sending channel.
Once inside a compromised account, an attacker can send emails from a legitimate internal address. Dark Reading analysis states that these messages can bypass domain reputation checks, pass DMARC, SPF, and DKIM authentication, and arrive in colleague inboxes with organizational trust. A wire transfer request sent from a CFO's actual email account looks identical to a legitimate one because, at the infrastructure level, it comes from the real account.
From Leaked Data to Contextual Social Engineering
Leaked corporate data helps attackers write convincing, low-artifact messages.
Corporate data sold on dark web markets, including organizational charts, project names, vendor relationships, and executive PII, enables attackers to craft messages with contextual accuracy that content filters cannot evaluate. A plain-text email referencing a real project and a known vendor relationship, containing no malicious links or attachments, presents little for a signature-based filter to act on.
Monitoring the Dark Web for Enterprise Threats
Dark web monitoring can help security teams identify exposure before it turns into an inbox-centered incident.
Continuous dark web monitoring should function as an active detection layer, not a periodic report. CISA training recognizes dark web threat intelligence as a professional security discipline and states that NIST CSF maps this activity to both the Identify and Detect functions.
What to Monitor
The most useful monitoring signals tie directly to account exposure, phishing preparation, and organization-specific targeting.
Signal categories with the highest operational value for security teams include:
Employee and executive credentials appearing in breach databases or stealer logs.
Session tokens and authentication cookies that bypass MFA.
Organization-specific phishing kits or phishlets appearing on forums before campaigns launch.
Typosquatted domains impersonating your brand, which a CISA advisory identifies as a pre-attack indicator.
Corporate data or IAB listings referencing your organization.
How to Respond
Dark web exposure is most useful when it triggers a defined response workflow.
When a credential match surfaces on the dark web, the response should be automated and immediate: force credential rotation, trigger MFA re-enrollment, and audit authentication logs for activity tied to the exposed credential. If exposed credentials carry administrative privileges, treat the event as an active incident. Detection of an organization-specific phishing kit should trigger alerts to the email security team and increased filtering sensitivity before any employee receives a phishing email.
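The response workflow above (rotate, re-enroll MFA, audit authentication logs, escalate to an incident for administrative accounts) can be turned into a triage routine that correlates a dark web credential match with authentication history. This is an added example, not the article's or any vendor's code; the exposure record, admin list and log lines are constructed sample data, and the log format is an assumption.

```python
from datetime import datetime

# Constructed sample data: one dark web credential match, the admin set, and auth log lines.
EXPOSURE = {"user": "cfo@example.com", "exposed_at": "2026-04-10T08:00:00Z", "source": "stealer log"}
ADMIN_USERS = {"itadmin@example.com"}
AUTH_LOG = """\
2026-04-01T09:02:11Z user=cfo@example.com result=success ip=198.51.100.7
2026-04-08T08:45:30Z user=cfo@example.com result=success ip=198.51.100.7
2026-04-11T03:14:02Z user=cfo@example.com result=success ip=203.0.113.9
2026-04-11T03:20:45Z user=cfo@example.com result=success ip=203.0.113.9
2026-04-11T10:00:00Z user=alice@example.com result=failure ip=198.51.100.22
""".splitlines()

def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_line(line: str) -> dict:
    # Assumed format: "<timestamp> key=value key=value ..."
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = parse_ts(ts)
    return rec

def triage_exposure(exposure: dict, auth_log: list, admin_users: set) -> dict:
    user, exposed_at = exposure["user"], parse_ts(exposure["exposed_at"])
    events = [r for r in map(parse_line, auth_log) if r["user"] == user]
    # Baseline: source IPs that authenticated successfully before the exposure date.
    known_ips = {r["ip"] for r in events if r["ts"] < exposed_at and r["result"] == "success"}
    # Successful logins after exposure from IPs never seen before are the audit findings;
    # these succeed silently, so there is no failed-login alert to rely on.
    suspicious = [r for r in events
                  if r["ts"] >= exposed_at and r["result"] == "success" and r["ip"] not in known_ips]
    actions = ["force_credential_rotation", "trigger_mfa_reenrollment", "audit_authentication_logs"]
    severity = "exposure"
    if user in admin_users or suspicious:
        severity = "active_incident"  # admin exposure or confirmed use of the credential
        actions.append("open_incident")
    return {"user": user, "source": exposure["source"], "severity": severity,
            "actions": actions,
            "suspicious_logins": [(r["ts"].isoformat(), r["ip"]) for r in suspicious]}

if __name__ == "__main__":
    print(triage_exposure(EXPOSURE, AUTH_LOG, ADMIN_USERS))
```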
Why Dark Web-Sourced Attacks Expose Gaps in Legacy Email Security
Dark web-sourced attacks often pressure email defenses that rely heavily on known artifacts and established rules.
The attack chains fueled by dark web marketplaces are designed to reduce the obvious indicators that secure email gateway (SEG) and rule-based tools commonly inspect.
Signature-Based Detection Faces a Structural Limitation
Artifact-based detection works best when attacks repeatedly expose recognizable indicators.
Dark Reading analysis states that SEGs are designed to block attacks by detecting known threat signatures: malicious attachments, suspicious links, and blacklisted sender domains. This model works against high-volume malware campaigns where the same artifacts appear repeatedly. Dark web-sourced attacks, particularly text-only BEC, compromised internal accounts, and contextually accurate spear phishing, often generate few of these artifacts. As a result, the message may evade artifact-based detection.
Authentication Success Is the Detection Problem
Successful authentication can make malicious activity look routine.
When an attacker logs in with valid stolen credentials or replays a captured session token, the authentication system sees a legitimate login. SEGs and rule-based filters that treat successful authentication as a trust signal may struggle to distinguish this from normal activity. The detection problem shifts from identifying malicious content to identifying suspicious behavior from an authenticated identity.
The Behavioral Detection Model
Detecting these attacks requires analysis of identity and messaging patterns, not just message artifacts.
A more effective approach is to establish a baseline of normal activity per identity and flag significant deviations. Signals like who a user typically communicates with, when they send messages, what they normally request, and how their engagement patterns flow over time create a dynamic, per-identity model. A wire transfer request from a CFO's account at an unusual time, to an unfamiliar recipient, using language patterns inconsistent with established communication style, becomes more visible because it deviates from known behavior.
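A minimal version of the per-identity baseline described above, as an added example (not Abnormal's or any product's detection logic): it learns a sender's usual recipients, send hours and vocabulary from constructed message history, then scores the CFO wire-transfer scenario against that baseline. The history, keyword list and thresholds are illustrative assumptions.

```python
from collections import Counter

# Constructed sample history for one identity (the CFO): (recipient, hour_utc, body).
HISTORY = [
    ("controller@example.com", 9, "please review the Q1 close figures"),
    ("controller@example.com", 10, "can you update the forecast spreadsheet"),
    ("ceo@example.com", 14, "board deck draft attached for review"),
    ("controller@example.com", 15, "approved the vendor invoice for acme"),
    ("ceo@example.com", 11, "quarterly numbers look good"),
]
# Assumed vocabulary associated with payment requests; a real model would learn this.
REQUEST_WORDS = {"wire", "transfer", "urgent", "gift", "cards", "iban", "account"}

def build_baseline(history):
    # Per-identity model: who they write to, when, and the words they normally use.
    return {
        "recipients": Counter(r for r, _, _ in history),
        "hours": Counter(h for _, h, _ in history),
        "vocab": set(w for _, _, body in history for w in body.lower().split()),
    }

def hour_distance(a: int, b: int) -> int:
    # Circular distance on a 24-hour clock so 23:00 and 01:00 are 2 hours apart.
    d = abs(a - b) % 24
    return min(d, 24 - d)

def score_message(baseline, recipient: str, hour: int, body: str) -> dict:
    reasons = []
    if recipient not in baseline["recipients"]:
        reasons.append("unfamiliar recipient")
    if all(hour_distance(hour, h) > 3 for h in baseline["hours"]):
        reasons.append("unusual send time")
    words = set(body.lower().split())
    novel = (words & REQUEST_WORDS) - baseline["vocab"]
    if novel:
        reasons.append("request language never used before: " + ", ".join(sorted(novel)))
    # Two or more independent deviations from the baseline flag the message for review.
    return {"score": len(reasons), "flag": len(reasons) >= 2, "reasons": reasons}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    print(score_message(baseline, "newvendor@example.net", 2,
                        "urgent wire transfer needed to new account today"))
    print(score_message(baseline, "controller@example.com", 10,
                        "please review the updated forecast"))
```

The message itself carries no link, attachment or bad domain for an artifact filter to act on; it is flagged only because the identity behind it is behaving unlike itself.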
Protecting the Enterprise From Dark Web-Driven Email Threats
Email remains a primary entry point for cyberattacks, including those fueled by dark web supply chains.
Dark web marketplaces can feed the inbox with stolen credentials, session tokens, and phishing infrastructure that rule-based email security tools often struggle to detect when attacks contain few traditional indicators of compromise. Closing this gap can require an approach that models identity and behavior rather than scanning only for known-bad artifacts.
Abnormal is designed to help detect the email and account-based components of these attacks by analyzing behavioral signals, including vendor interaction patterns, recipient behavior, timing, and engagement flows, to help surface threats that evade traditional defenses. It can enhance existing email security controls by helping teams identify compromised accounts, socially engineered messages, and vendor impersonation attempts that legacy tools may miss.
Recognized as a Leader in the Gartner® Magic Quadrant™, Abnormal can help security teams strengthen detection coverage alongside their current stack. Book a demo to see how behavioral AI helps address the detection gaps created by dark web-fueled attacks.