
Types of sites

The Dark Web hosts a variety of services, ranging from legitimate privacy-focused spaces to illicit environments. Understanding how they are organized and what signals to watch for helps plan monitoring safely and without engaging in prohibited activities.

Directories

  • Indexes: List services and allow keyword queries. They are often incomplete and sometimes outdated.

  • Risk of clones: Popular sites often have fake domains that imitate their appearance to steal funds or credentials. Always verify the PGP key or the operator’s official announcement when available.
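
One way to apply the clone check above when triaging directory entries, as an added example that is not part of the original page: it validates the v3 .onion checksum (per Tor's rend-spec-v3) and compares each listed address with a set of operator-verified addresses. The function names, the prefix heuristic, and the sample addresses are assumptions constructed for illustration; the verified set is assumed to come from the operator's PGP-signed announcement, whose signature must be checked separately.

```python
import base64
import hashlib

VERSION = b"\x03"  # version byte of v3 onion services

def _checksum(pubkey: bytes) -> bytes:
    # rend-spec-v3: SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_onion(pubkey: bytes) -> str:
    """Encode 32 key bytes as a v3 address (used here only to build samples)."""
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def is_valid_v3(address: str) -> bool:
    """Check suffix, length, base32 encoding, version byte and checksum."""
    addr = address.strip().lower()
    if not addr.endswith(".onion"):
        return False
    label = addr[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw[34:] == VERSION and raw[32:34] == _checksum(raw[:32])

def classify(candidate: str, verified: set, prefix_len: int = 8) -> str:
    """Label a listed address relative to the operator-verified set."""
    cand = candidate.strip().lower()
    if not is_valid_v3(cand):
        return "malformed"
    if cand in verified:
        return "verified"
    # Heuristic (assumption): a shared leading prefix suggests an imitation.
    if any(cand[:prefix_len] == v[:prefix_len] for v in verified):
        return "lookalike"
    return "unknown"

# Constructed sample data: arbitrary bytes, not real service keys.
OFFICIAL = encode_onion(bytes(range(32)))
CLONE = encode_onion(bytes(range(5)) + bytes(27))  # same first 8 characters
OTHER = encode_onion(b"\xff" * 32)
VERIFIED = {OFFICIAL}  # stands in for the operator's signed mirror list

if __name__ == "__main__":
    for addr in (OFFICIAL, CLONE, OTHER, "short.onion"):
        print(classify(addr, VERIFIED), addr)
```

A valid checksum only shows the address is well-formed; only an exact match against the verified set distinguishes the real service from a clone.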

Forums and communities

  • Topics: Security and anonymity, leaks, fraud, peer-to-peer trading, technical manuals, and general discussions under pseudonyms.

  • Structure: Registration by invitation or captchas, reputation-based hierarchies, moderated threads.

  • Signals to watch: Forum creation date, actual activity (users per 24h), posting rules, history of closures or migrations.

  • Note: Passive access for analysis is subject to forum rules; do not participate or request/share illegal material.

Marketplaces

  • Model: Catalogs with sellers, ratings, shopping carts, and cryptocurrency payments. Many use escrow (custody) and internal messaging with PGP. Escrow is an intermediary mechanism in which a neutral third party holds a payment or asset until the conditions agreed upon by the parties are fulfilled.

  • Common categories: Stolen data, forged documents, intrusion tools, substances, cards/credentials, cash-out or drop services.

  • Volatility: Closures due to operator exit scams, police seizures, and frequent migrations to new .onion domains.

  • Risks: Phishing, exit scams, and malware in downloads. Any interaction may be illegal; professional analysis is limited to observation, evidence preservation, and reporting.

Leak sites and secure dropboxes

  • Ransomware group leak sites: Pages where data samples are published to pressure victims. They usually list the organization, date, and "proof identifiers". LockBit pages are an example of a Dark Web site where data stolen by the LockBit ransomware can be obtained.

  • Secure dropboxes for legitimate leaks: Projects like SecureDrop and GlobaLeaks provide anonymous channels for journalists and NGOs; these are legitimate uses focused on protecting sources.

  • Consideration: Never download or redistribute personal data; work with partial screenshots and report through established institutional channels.

Communication and utility services

  • .onion email and messaging: Privacy-focused email and instant messaging providers, using PGP/OTR.

  • Pastebins and wikis: Sharing of text, manuals, how-tos, and listings; useful for tracking narratives and operator announcements.

  • Mirrors and status pages: Sites that publish official mirrors and service statuses to mitigate takedowns.

Observable Technical Infrastructure

  • Panels and dashboards: Occasionally, administrative interfaces are accidentally exposed for brief time windows.

  • C2 and beacons: Some investigations document traces of command-and-control infrastructure; identifying them requires extreme caution and coordination with specialized teams.

  • Best practices: Do not interact; limit activities to observation and reporting to the appropriate security channels.