How dark web threat intelligence can help protect your organization

Author: Phil Muncaster

Date published: May 2, 2025

Threat actors around the globe are operating with impunity, thanks to the anonymity afforded by the dark web. One of the best ways to help proactively mitigate their impact is through dark web threat intelligence. If implemented judiciously, it can help reduce the potential financial and reputational damage caused by cyber threats, while empowering security teams to be more effective.

What is the dark web?

The web that most people use day to day is actually better known as the surface web. Think of it like an iceberg. The surface web is the part of the internet that's visible to a casual user, but there's much more that is hidden—a wider web that lies beneath the surface. The deep web refers to anything not indexed by regular search engines, including corporate intranets, paywalled services and login-protected services like bank accounts or personal email accounts. The deep web is estimated to comprise between 96% and 99% of the internet.

The dark web, however, is less benign. The dark web is the part of the deep web that can only be accessed by a Defense Advanced Research Projects Agency (DARPA) creation known as the Tor browser.

The dark web makes up around five percent of the total internet. The anonymity the Tor browser provides can make the dark web an attractive landscape for cybercriminals. Their onion domain sites host forums and marketplaces dedicated to dark cyber activity, including:

  • Trade in malware, hacking tools and exploits
  • Trade in stolen corporate data, personally identifiable information (PII) and logins
  • Rental of botnets and as-a-service offerings like phishing kits and ransomware
  • Sharing of the latest tactics, techniques and procedures (TTPs) to evade cybersecurity teams and law enforcement
  • Ads to recruit new affiliates to ransomware-as-a-service (RaaS) gangs, or initial access brokers touting their wares

Why is the dark web a threat?

The dark web is continuing to fuel cybercrime. According to Verizon’s 2025 Data Breach Investigations Report (DBIR):

  • Vulnerability exploitation as an initial access step for breaches grew 34% from the previous year.1
  • Use of stolen credentials appeared in 31% of breaches last year.2
  • Ransomware accounts for 75% of breaches in the system intrusion category of data breaches in 2024 and continues to feature prominently in data breaches, representing a top threat across 92% of industries. Ransomware or some other extortion technique is present in 44% of breaches.3

Cryptocurrency can also help facilitate this threat, as it can help provide anonymity for dark web threat actors who want to pay each other or extort money from victims. The dark web continues to flourish thanks, in part, to Bitcoin and newer digital currencies like the privacy-centric Monero.

What is dark web threat intelligence?

As a result of this growth in cybercrime, dark web threat intelligence is increasingly popular among enterprises. Put simply, it is threat intelligence sourced on the dark web, providing invaluable insight into the current threat landscape, emerging trends and TTPs. A specialized service can go dark web hunting for chatter on forums or new cybercrime services for rent, as well as data, tools and exploits for sale.

Dark web threat intelligence could include information on:

  • Vulnerabilities and exploits: These risks may be bugs that are unknown to the vendor (zero-day attacks) or flaws that organizations have not yet patched en masse.
  • Stolen data: This information could include sensitive corporate secrets, customer and employee PII or logins that are up for sale.
  • Hacked accounts: These accounts could be related to email and social media, or business applications such as remote desktop protocols (RDP), enterprise resource planning (ERP), or customer relationship management (CRM) software.
  • Attacker TTPs: These may include the latest initial access techniques such as exploits or multifactor authentication (MFA) bypass, or new social engineering tactics and discussion of news events which could be used in a phishing campaign.

Why go dark web hunting?

Threat intelligence can ultimately help provide the information your organization needs to build resilience and help proactively prevent incoming cyber threats. Dark web threat intelligence is no different. In fact, dark web hunting has an added advantage because it can leverage information that threat actors believe is not visible to their victims.

If applied judiciously, these dark web hunting efforts can:

  • Help provide early warning of breaches for faster incident response: For example, if you discover a large volume of customer credit card details in a hacking forum, you can notify those customers to cancel their cards and take immediate action to contain and investigate the breach.
  • Use intelligence to help fortify systems: Information regarding vulnerabilities and exploits can be fed into detection and response tooling or used to expedite certain security updates. If compromised corporate credentials are discovered, password resets can be rolled out.
  • Help with threat hunting: If your security operations (SecOps) team has spotted malicious activity in your network but is still looking for more information, dark web threat intelligence services can help provide additional insight.
  • Help attribute attacks: Although threat actors go to great lengths to remain anonymous on the dark web, sometimes their own operations security (OPSEC) lets them down and online monikers are traceable. Extensive digging through forums sometimes produces valuable information.
  • Help amplify existing tools: By integrating dark web hunting intelligence into your security stack, you can help elevate the effectiveness of existing investments, such as extended detection and response (XDR) tools.

How can Verizon help?

Although the dark web can be a great source of threat intelligence, it is not always easy to find the right sources of this information, especially as no sites or forums are indexed. A partner expert like Verizon does all the heavy lifting for you, leveraging deep domain expertise and knowledge of key cybercrime hotspots. Evaluate your security program against commonly used industry security standards to help you understand if you might be protected from cyber threats.

Verizon’s Dark Web Hunting service delivers over 20 years of experience. Analysts in six digital forensic labs around the globe work on over 500 customer investigations each year, monitoring on average 10 million alerts and 500,000 incidents annually.

Verizon dark web hunters continuously search the surface, deep and dark web to identify malicious activity that may target your organization. They transform these threat patterns and activities into customized analytical data aligned with your business priorities. This process enables the identification of cybercrime and state-sponsored threat actors and patterns, as well as insider threat indicators and methodologies.

Verizon’s Dark Web Hunting service is:

  • Highly scalable, depending on your threat intelligence needs
  • Risk-free, as all hunting is accomplished without exposing your organization's involvement
  • Highly actionable, helping you proactively protect the business and quickly respond to breaches

Find out more about how Verizon can enhance your cyber resilience and threat intelligence program.

The author of this content is a paid contributor for Verizon.

1 Verizon, 2025 Data Breach Investigations Report, page 10.

2 Ibid, page 20.

3 Ibid, page 27.