Dark Web Intelligence
Overview
The Dark Web Intelligence category provides structured, actionable data derived from monitoring and scraping illicit online sources. The primary goal is to offer visibility into the cybercriminal ecosystem where compromised data is traded and attack methods are shared.
Intelligence is gathered from forums, Telegram channels, marketplaces, and ransomware blogs upon customer request and legal agreement. This raw information is then processed, analyzed, and enriched with structured metadata, including a granular tagging system. This process transforms unstructured content into a high-fidelity intelligence stream, enabling security teams to identify compromised assets, understand emerging threats, and assess organizational exposure.
This document provides a technical overview of our monitored sources and the classification tags used to categorize the scraped content.
Monitored Content Sources
Our intelligence collection framework targets four primary types of sources within the cybercriminal ecosystem. Correlating data across these environments provides a comprehensive view of a threat's lifecycle.
- Hacker Forums: We have access to a wide range of public and invite-only hacker forums where threat actors trade goods and information. Our scraping operations, when deployed, target discussions on software vulnerabilities, the sale and exchange of malware and exploit kits, and the posting of stolen data sets. Analysis of this content provides insight into new attack vectors and threat actor TTPs (Tactics, Techniques, and Procedures).
- Telegram Channels: We can access intelligence from thousands of public and private Telegram channels used by cybercriminals for real-time communication, data leakage, and sales. Available intelligence includes credential dumps (combo lists), malware logs, phishing kits, and advertisements for compromised network access. This source often provides the earliest indication of a new data leak or active campaign.
- Marketplaces: These are structured e-commerce platforms on the dark web dedicated to the sale of illicit digital goods. Our monitoring focuses on listings for:
  - Compromised Credentials: Including Remote Desktop Protocol (RDP) and VPN access.
  - Financial Data: Stolen credit card information, bank account details, and cryptocurrency wallets.
  - Databases and Malware Logs: Data from corporate breaches and logs from various infostealers.
- Ransomware Blogs: We have access to data leak sites operated by numerous ransomware groups. These blogs are used as part of a "double extortion" strategy to publish the names of victim organizations and post samples of exfiltrated data. Monitoring these sites provides high-confidence intelligence on successful network intrusions, often serving as the first external notification of a major breach.
Content Tags and Classification
To make the scraped data actionable, we apply a comprehensive set of tags to classify the nature and content of each piece of information. This allows for precise filtering, searching, and alerting.
Forum Content Tags
The following tags are applied to content scraped from dark web forums:
| Tag | Description |
|---|---|
| ACCOUNT_TAKE_OVER | A forum thread containing a text file, or a link to such a file, of account metadata, often including usernames, passwords, URLs, and expiration dates. Used for unauthorized access. |
| ANDROID_PACKAGE | A forum thread containing a link to Android Package (APK) files. |
| ASSETS | A forum thread with a download link for digital assets like images, documents, models, or multimedia files, excluding databases. |
| BOTNET | A forum thread discussing the creation, operation, or sale of botnets. These threads may include code samples, links to botnet software, or information on how to use compromised devices in coordinated attacks. |
| BRUTE_FORCE | A forum thread detailing techniques, news, or tools used for brute force attacks, where multiple password combinations are tried to gain unauthorized access. |
| CHEATS | A forum thread providing cheats, hacks, or exploits for video games. These threads may include downloadable cheat software, scripts, or instructions on how to gain an unfair advantage in games. |
| COMBO_LIST | A forum thread containing a list or a link to a list of text files that contain leaked usernames and passwords in a specific format. Sometimes hidden behind "Hidden content." Can sometimes also include login page URLs. |
| COMMUNITIES | A forum thread discussing specific online communities, forums, or groups. These threads may include links to join these communities, discussions about their activities, or information on membership. |
| CONFIGURATION_FILES | A forum thread containing a link to configuration files, often for potentially malicious purposes. |
| COOKIE_LIST | A forum thread containing a list or a link to a list of cookies used for online tracking. |
| COURSE | A forum thread offering a collection of lessons or educational materials on a specific subject. Usually includes a download link to the content. |
| CRACK | A forum thread sharing already cracked software or scripts that bypass the security of software products, enabling unauthorized usage. The crack or software is usually included in a link. |
| CREDENTIAL_STUFFING | A forum thread related to credential stuffing attacks, where lists of usernames and passwords are used to gain unauthorized access to multiple accounts. May include tools for automating the process or tips for evading detection. |
| CREDIT_CARDS | A forum thread with details about credit card numbers, expiration dates, and CVVs. Sometimes there is a link to such data. |
| CRYPTO | A forum thread discussing cryptocurrencies, including trading, mining, or other related activities. These threads may include links to exchanges, or information on different cryptocurrencies. |
| CRYPTO_WALLET | A forum thread with information or a link to information related to cryptocurrency wallets, including keys and transaction histories. |
| DATABASE | A forum thread, usually with "Hidden content" or a link to a text file, containing confidential data obtained without authorization, typically including personal or financial information. Usually includes a sample of such data. |
| DDOS | A forum thread discussing Distributed Denial of Service (DDoS) attacks, including methods, tools, and services for launching such attacks. May include links to DDoS software or services for hire. |
| DOXX | A forum thread providing tutorials and techniques on how to gather and expose personal information about individuals without their consent. These threads may include methods for finding addresses, phone numbers, and other identifying details, but do not share actual personal information of specific individuals. |
| DRIVER_LICENSE | A forum thread containing images or scans of driver's licenses, usually with a download link for such files. |
| DRUGS | A forum thread discussing the sale, purchase, or use of illegal drugs. These threads may include links to marketplaces, reviews of different substances, or information on safe usage practices. |
| EMAIL_LIST | A forum thread containing a list or a link to a list of email addresses. |
| ENCRYPTION | A forum thread discussing encryption methods, tools, and best practices. May include software for encrypting data, tutorials on implementing encryption, or discussions on breaking encryption. |
| EXPLOIT | A forum thread detailing a security vulnerability in a system or application, potentially including instructions on how to exploit it. |
| FRAUD | A forum thread discussing various types of fraud, including identity theft, credit card fraud, insurance fraud and other types of fraud. These threads may include tips, tools, or services for committing fraud. |
| FTP_LIST | A forum thread containing a list or a link to a list of File Transfer Protocol (FTP) addresses, used for file exchange. |
| GIFTCARD | A forum thread with a list or download link to gift card codes for online or physical stores. |
| IDENTITY_DOCUMENTS | A forum thread usually containing a download link to images or scans of passports or other official identity documents. |
| IMAGE | A forum thread containing links to download images or discussing techniques for image manipulation. These threads may include software recommendations or tutorials. |
| IP_LIST | A forum thread containing a list or a link to a list of Internet Protocol (IP) addresses. |
| IPTV | A forum thread containing a list or a link to a list of Internet Protocol Television (IPTV) addresses. |
| KEYS_CODES | A forum thread related to activation keys or codes, potentially for software or other products. Codes and keys can be shared as text or included in a link. |
| KEYWORD_LIST | A forum thread containing a list or a link to a list of keywords relevant to a specific product, service, or topic. |
| LIVE_ACCESS_TO_SERVER | A forum thread disclosing information about a website backdoor, including addresses and/or login credentials for live unauthorized access to the server. Sometimes hidden behind "Hidden content." |
| MALWARE | A forum thread discussing malware, its functionality, how it spreads, and other related details. The thread can be text-based or include a link to the source of the subject. |
| MARKETPLACE | A forum thread where users offer to sell, or request to buy, goods or services (usually electronic) from others. Typically includes a price and sometimes a sample of the data. |
| MOBILE_EXPLOIT | A forum thread discussing exploits targeting mobile devices, including Android and iOS. May include code samples, links to exploit software, or instructions on how to use these exploits. |
| MUSIC | A forum thread providing links to download or stream music. These threads may include reviews, discussions, or links to torrent files. |
| NEWS | A forum thread providing information about current events or linking to a site that shares such content. |
| NOSQL_INJECTION | A forum thread discussing techniques or providing scripts and tools for exploiting NoSQL databases. This often includes methods to inject malicious queries to manipulate or retrieve data improperly from NoSQL databases like MongoDB, CouchDB, or Redis. |
| OPSEC | A forum thread discussing operational security (OPSEC) practices. May include tips on maintaining privacy, avoiding detection, and protecting personal information online. |
| OTHER | Forum threads that do not fit any other tag. |
| PASSWORD_DICTIONARY | A forum thread containing a list or a link to a list of passwords used for password cracking attempts. |
| PHONE_LIST | A forum thread containing a list or a link to a list of phone numbers. |
| PHISHING | A forum thread discussing phishing techniques and tools. These threads may include phishing kits, templates, or tips on how to create convincing phishing emails. |
| POLITICALLY_MOTIVATED | A forum thread discussing or sharing information, materials, or tools that are used for political purposes. This can include activities such as hacking, leaking documents, spreading propaganda, or organizing cyber-attacks against political entities. The content is often aimed at influencing public opinion, disrupting political processes, or targeting political figures and organizations. |
| PORN | A forum thread containing a link to sexually explicit content. |
| PROGRAMMING | A forum thread focused on programming, including tutorials, code samples, and discussions. May include links to source codes, resources, or tools for different programming languages. |
| PROXY | A forum thread with a list or a link to a list of proxy addresses used to mask a user's original IP address for anonymity and accessing restricted content. |
| RANSOMWARE | A forum thread discussing ransomware, including details of specific attacks, encryption/decryption methods, or code samples. The thread can be text-based or include a link to the source of the subject. |
| RDP | A forum thread containing a list or a link to a list of Remote Desktop Protocol (RDP) addresses, used for remote access to computers. |
| REQUEST | A forum thread where users can request specific content, services, or information. These threads may include requests for files, tutorials, or assistance with various topics. |
| SCAM | A forum thread discussing different types of scams, including how they are executed and avoided. May include scam scripts, tools, exposing scammers, or tips for scamming others. |
| SERVICE | A forum thread where a user offers a service for a fee. |
| SMTP_LIST | A forum thread containing a list or a link to a list of Simple Mail Transfer Protocol (SMTP) addresses, which are used for email transmission. |
| SOCIAL_ENGINEERING | A forum thread discussing social engineering techniques used to manipulate individuals into divulging confidential information. May include tutorials, tips, or real-world examples. |
| SOFTWARE | A forum thread that includes a link to a downloadable executable file or installation package of a software application. |
| SOURCE_CODE | A forum thread with a download link to the source code of an application or website, which may be open-source or illegally obtained. |
| SQL_INJECTION | A forum thread discussing SQL or other database injection techniques. Can include an example of such an injection on a live server. |
| SSN_LIST | A forum thread containing a list or a link to a list of Social Security numbers (SSNs). |
| STEALER_MALWARE_LOGS | A forum thread with "Locked content" or a download link for files containing logs generated by stealer malware designed to steal usernames, passwords, browsing history, and other sensitive data. |
| TOOL | A forum thread listing web addresses or software tools designed for specific purposes, often within a technical context. |
| TORRENT | A forum thread providing magnet links to torrent files for downloading various types of content. |
| TUTORIAL | A forum thread that includes a written or video lesson to teach about a subject. Sometimes includes links to external sources related to the subject. |
| VIDEO | A forum thread providing links to download or stream various types of video content, including movies, TV shows, tutorials, and other multimedia. These threads may include reviews, discussions, or links to torrent files. |
| WEAPONS | A forum thread discussing the sale, purchase, or use of weapons. These threads may include links to marketplaces, reviews of different weapons, or information on safe usage practices. |
| XSS | A forum thread that details techniques or offers tools for exploiting Cross-Site Scripting (XSS) vulnerabilities. This includes information on how to inject malicious scripts into webpages, enabling attackers to steal cookies, session tokens, or other sensitive information from users. |
Telegram Message Tags
The following tags are applied to messages and files scraped from Telegram channels:
| Tag | Description |
|---|---|
| ACCOUNT_TAKE_OVER | A Telegram message containing a file, or a link to such a file, of account metadata, often including usernames, passwords, URLs, and expiration dates. Used for unauthorized access. |
| ANDROID_PACKAGE | A Telegram message containing a link to Android Package (APK) files or having such files attached. |
| ASSETS | A Telegram message with a download link or file attachment for digital assets like images, documents, models, or multimedia files, excluding databases. |
| BOTNET | A Telegram message discussing the creation, operation, or sale of botnets. These messages may include code samples, links to botnet software, or information on how to use compromised devices in coordinated attacks. |
| BRUTE_FORCE | A Telegram message detailing techniques, news, or tools used for brute force attacks, where multiple password combinations are tried to gain unauthorized access. |
| CHEATS | A Telegram message providing cheats, hacks, or exploits for video games. These messages may include downloadable cheat software, scripts, or instructions on how to gain an unfair advantage in games. |
| COMBO_LIST | A Telegram message containing a file or a link to a file that contains leaked usernames and passwords in a specific format. Can sometimes also include login page URLs. |
| COMMUNITIES | A Telegram message discussing specific online communities, forums, or groups. These messages often include links to join these communities, discussions about their activities, or information on membership. |
| CONFIGURATION_FILES | A Telegram message containing a link to configuration files or having them attached, often for potentially malicious purposes. |
| COOKIE_LIST | A Telegram message containing a list or a link to a list of cookies used for online tracking. |
| COURSE | A Telegram message offering a collection of lessons or educational materials on a specific subject. Usually includes a download link or attached files. |
| CRACK | A Telegram message sharing already cracked software or scripts that bypass the security of software products, enabling unauthorized usage. The crack or software is usually included in a link or as an attachment. |
| CREDENTIAL_STUFFING | A Telegram message related to credential stuffing attacks, where lists of usernames and passwords are used to gain unauthorized access to multiple accounts. May include tools for automating the process or tips for evading detection. |
| CREDIT_CARDS | A Telegram message with details about credit card numbers, expiration dates, and CVVs. Sometimes there is a link or attached file containing such data. |
| CRYPTO | A Telegram message discussing cryptocurrencies, including trading, mining, or other related activities. These messages may include links to exchanges or information on different cryptocurrencies. |
| CRYPTO_WALLET | A Telegram message with information or a link to information related to cryptocurrency wallets, including keys and transaction histories. Can have files attached with such information as well. |
| DATABASE | A Telegram message with a file attached or a link to a file, containing confidential data obtained without authorization, typically including personal or financial information. Usually includes a sample of such data. |
| DDOS | A Telegram message discussing Distributed Denial of Service (DDoS) attacks, including methods, tools, and services for launching such attacks. May include links to DDoS software or services for hire. |
| DOXX | A Telegram message providing tutorials and techniques on how to gather and expose personal information about individuals without their consent. These messages may include methods for finding addresses, phone numbers, and other identifying details, but do not share actual personal information of specific individuals. |
| DRIVER_LICENSE | A Telegram message containing images or scans of driver's licenses, usually with a download link or attached files. |
| DRUGS | A Telegram message discussing the sale, purchase, or use of illegal drugs. These messages may include links to marketplaces, reviews of different substances, or information on safe usage practices. |
| EMAIL_LIST | A Telegram message containing a list or a link to a list of email addresses. Can have files attached with such information as well. |
| ENCRYPTION | A Telegram message discussing encryption methods, tools, and best practices. May include software for encrypting data, tutorials on implementing encryption, or discussions on breaking encryption. |
| EXPLOIT | A Telegram message detailing a security vulnerability in a system or application, potentially including instructions on how to exploit it. |
| FRAUD | A Telegram message discussing various types of fraud, including identity theft, credit card fraud, insurance fraud, and other types of fraud. These messages may include tips, tools, or services for committing fraud. |
| FTP_LIST | A Telegram message containing a list or a link to a list of File Transfer Protocol (FTP) addresses, used for file exchange. Can have files attached with such information as well. |
| GIFTCARD | A Telegram message with a list, download link, or attachment of gift card codes for online or physical stores. |
| IDENTITY_DOCUMENTS | A Telegram message usually containing a download link or attachment to images or scans of passports or other official identity documents. |
| IMAGE | A Telegram message containing links to download images, having images attached, or discussing techniques for image manipulation. These messages may include software recommendations or tutorials. |
| IP_LIST | A Telegram message containing a list or a link to a list of Internet Protocol (IP) addresses. Can have files attached with such information as well. |
| IPTV | A Telegram message containing a list or a link to a list of Internet Protocol Television (IPTV) addresses. Can have files attached with such information as well. |
| KEYS_CODES | A Telegram message related to activation keys or codes, potentially for software or other products. Codes and keys can be shared as text or included in a link or attachment. |
| KEYWORD_LIST | A Telegram message containing a list or a link to a list of keywords relevant to a specific product, service, or topic. |
| LIVE_ACCESS_TO_SERVER | A Telegram message disclosing information about a website backdoor, including addresses and/or login credentials for live unauthorized access to the server. |
| MALWARE | A Telegram message discussing malware, its functionality, how it spreads, and other related details. The message can be text-based or include a link or file attachment. |
| MARKETPLACE | A Telegram message where people offer to sell or request to buy goods or services from others. Typically includes a price and sometimes a sample of the data. |
| MOBILE_EXPLOIT | A Telegram message discussing exploits targeting mobile devices, including Android and iOS. May include code samples, links to exploit software or instructions on how to use these exploits. |
| MUSIC | A Telegram message providing links to download or stream music. These messages may include reviews, discussions, or links to torrent files. |
| NEWS | A Telegram message providing information about current events or linking to a site that shares such content. |
| NOSQL_INJECTION | A Telegram message discussing techniques or providing scripts and tools for exploiting NoSQL databases. This often includes methods to inject malicious queries to manipulate or retrieve data improperly from NoSQL databases like MongoDB, CouchDB, or Redis. |
| OPSEC | A Telegram message discussing operational security (OPSEC) practices. May include tips on maintaining privacy, avoiding detection, and protecting personal information online. |
| OTHER | Telegram messages that do not fit any other tag. |
| PASSWORD_DICTIONARY | A Telegram message containing a list or a link to a list of passwords used for password cracking attempts. Can have files attached with such information as well. |
| PHONE_LIST | A Telegram message containing a list or a link to a list of phone numbers. Can have files attached with such information as well. |
| PHISHING | A Telegram message discussing phishing techniques and tools. These messages may include phishing kits, templates, or tips on how to create convincing phishing emails. |
| POLITICALLY_MOTIVATED | A Telegram message discussing or sharing information, materials, or tools used for political purposes. This can include hacking, leaking documents, spreading propaganda, or organizing cyber-attacks against political entities. The content is often aimed at influencing public opinion, disrupting political processes, or targeting political figures and organizations. |
| PORN | A Telegram message containing a link to sexually explicit content or having such content attached. |
| PROGRAMMING | A Telegram message focused on programming, including tutorials, code samples, and discussions. May include links to source codes, resources, or tools for different programming languages. |
| PROXY | A Telegram message with a list, a link to a list, or a file attachment of proxy addresses used to mask a user's original IP address for anonymity and accessing restricted content. |
| RANSOMWARE | A Telegram message discussing ransomware, including details of specific attacks, encryption/decryption methods, or code samples. The message can be text-based or include a link or file attachment. |
| RDP | A Telegram message containing a list, a link to a list, or a file attachment of Remote Desktop Protocol (RDP) addresses, used for remote access to computers. |
| REQUEST | A Telegram message of a user requesting specific content, services, or information. These messages may include requests for files, tutorials, or assistance with various topics. |
| SCAM | A Telegram message discussing different types of scams, including how they are executed and avoided. May include scam scripts, tools, exposing scammers, or tips for scamming others. |
| SERVICE | A Telegram message where the user offers a service for a fee. |
| SMTP_LIST | A Telegram message containing a list, a link to a list, or a file attachment of Simple Mail Transfer Protocol (SMTP) addresses, which are used for email transmission. |
| SOCIAL_ENGINEERING | A Telegram message discussing social engineering techniques used to manipulate individuals into divulging confidential information. May include tutorials, tips, or real-world examples. |
| SOFTWARE | A Telegram message that includes a link to a downloadable executable file or installation package of a software application or has the file attached. |
| SOURCE_CODE | A Telegram message with a download link or attachment to the source code of an application or website, which may be open-source or illegally obtained. |
| SQL_INJECTION | A Telegram message discussing SQL or other database injection techniques. Can include an example of such an injection on a live server. |
| SSN_LIST | A Telegram message containing a list, a link to a list, or a file attachment of Social Security numbers (SSNs). |
| STEALER_MALWARE_LOGS | A Telegram message with a download link or attachment of files containing logs generated by stealer malware designed to steal usernames, passwords, browsing history, and other sensitive data. |
| TOOL | A Telegram message listing web addresses to tools designed for specific purposes, often within a technical context. |
| TORRENT | A Telegram message providing magnet links to torrent files for downloading various types of content. |
| TUTORIAL | A Telegram message that includes a written or video lesson to teach about a subject. Sometimes includes links or attached files to external sources related to the subject. |
| VIDEO | A Telegram message providing links to download or stream various types of video content, including movies, TV shows, tutorials, and other multimedia. These messages may include reviews, discussions, or links to torrent files. |
| WEAPONS | A Telegram message discussing the sale, purchase, or use of weapons. These messages may include links to marketplaces, reviews of different weapons, or information on safe usage practices. |
| XSS | A Telegram message that details techniques or offers tools for exploiting Cross-Site Scripting (XSS) vulnerabilities. This includes information on how to inject malicious scripts into webpages, enabling attackers to steal cookies, session tokens, or other sensitive information from users. |
Domain Popularity Tags
One of the key enrichment tags we apply relates to domain popularity. When a domain is mentioned in scraped content, we check its popularity against the Cloudflare Radar domain rankings. This provides immediate context on the potential impact of the threat.
TOP_*_CF: This tag format indicates that a mentioned domain falls within a specific Cloudflare popularity bracket. For example:
- TOP_1000_CF: The domain is one of the top 1,000 most popular domains on the internet.
- TOP_20000_CF: The domain is within the top 20,000 most popular domains.
- TOP_1000000_CF: The domain is within the top 1 million most popular domains.
The presence of these tags helps you quickly assess risk. For instance, a post discussing a vulnerability on a TOP_5000_CF domain is significantly more critical than one on a less popular site.
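The following Python script is an added example written for this page, not the vendor's pipeline code. It shows how a consuming security team could put both enrichment steps described in this document together: extracting domains from a scraped record, assigning the TOP_*_CF popularity bracket from a rank table, and then using the content tags from the classification tables above to prioritize alerts for the organization's own domains. The rank table (a stand-in for the Cloudflare Radar ranking list), the exposure weights, the bracket boosts, the sample feed and the watch list are all constructed assumptions for this example.

```python
"""Added example: TOP_*_CF enrichment plus tag-based exposure alerting.
Rank table, weights, sample feed and watch list are constructed data."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed stand-in for the Cloudflare Radar ranking list (domain -> rank).
# A real pipeline would load the published ranking instead of this dict.
RANK_TABLE: Dict[str, int] = {
    "example.com": 42,
    "example.net": 3_750,
    "example.org": 18_200,
    "example-shop.test": 640_000,
}

# Popularity brackets named in the text; the smallest bracket containing the
# rank is the one tagged.
BRACKETS = (1_000, 5_000, 20_000, 1_000_000)

# Exposure weights per content tag and boosts per popularity bracket are
# assumptions made for this example, not values from the documentation.
EXPOSURE_WEIGHT = {
    "LIVE_ACCESS_TO_SERVER": 100, "STEALER_MALWARE_LOGS": 80, "DATABASE": 70,
    "COMBO_LIST": 50, "ACCOUNT_TAKE_OVER": 50, "EXPLOIT": 40,
}
BRACKET_BOOST = {1_000: 30, 5_000: 20, 20_000: 10, 1_000_000: 5}

# Hostnames in URLs, e-mail addresses or bare text. Deliberately simple: it
# also catches tokens such as "node.js", so matches are candidates only.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


@dataclass
class Record:
    source: str                 # forum, telegram, marketplace, ransomware_blog
    text: str
    tags: Set[str] = field(default_factory=set)
    domains: Set[str] = field(default_factory=set)


def extract_domains(text: str) -> Set[str]:
    """Return the lowercase hostnames mentioned in a scraped text."""
    return {m.group(1).lower() for m in DOMAIN_RE.finditer(text)}


def lookup_rank(hostname: str) -> Optional[int]:
    """Try the hostname, then each parent domain, so that a subdomain
    inherits the rank of the registrable domain it belongs to."""
    labels = hostname.split(".")
    while len(labels) >= 2:
        rank = RANK_TABLE.get(".".join(labels))
        if rank is not None:
            return rank
        labels = labels[1:]
    return None


def popularity_tag(hostname: str) -> Optional[str]:
    """Map a rank to the smallest TOP_<N>_CF bracket that contains it."""
    rank = lookup_rank(hostname)
    if rank is None:
        return None
    for size in BRACKETS:
        if rank <= size:
            return f"TOP_{size}_CF"
    return None


def enrich(record: Record) -> Record:
    """Attach extracted domains and their popularity tags to a record."""
    record.domains = extract_domains(record.text)
    for host in record.domains:
        tag = popularity_tag(host)
        if tag:
            record.tags.add(tag)
    return record


def mentions_watched(record: Record, watched: Set[str]) -> bool:
    """True if any extracted hostname is a watched domain or a subdomain of one."""
    return any(h == w or h.endswith("." + w) for h in record.domains for w in watched)


def exposure_score(record: Record, watched: Set[str]) -> int:
    """0 unless a watched domain appears together with an exposure tag; otherwise
    the strongest tag weight plus a boost for the most popular bracket tagged."""
    if not mentions_watched(record, watched):
        return 0
    base = max((EXPOSURE_WEIGHT.get(t, 0) for t in record.tags), default=0)
    if base == 0:
        return 0
    sizes = [int(t[4:-3]) for t in record.tags if t.startswith("TOP_") and t.endswith("_CF")]
    boost = BRACKET_BOOST.get(min(sizes), 0) if sizes else 0
    return base + boost


def triage(records: Iterable[Record], watched: Set[str]) -> List[Tuple[int, Record]]:
    """Enrich every record and return the ones worth alerting on, highest score first."""
    scored = [(exposure_score(enrich(r), watched), r) for r in records]
    return sorted(((s, r) for s, r in scored if s > 0), key=lambda x: x[0], reverse=True)


# Constructed sample feed and watch list (not real scraped content).
SAMPLE_FEED = [
    Record("telegram", "Fresh combo list, 50k lines, mostly @example.com and @example.net accounts",
           tags={"COMBO_LIST"}),
    Record("forum", "Selling webshell access https://shop.example-shop.test/admin, price $300",
           tags={"LIVE_ACCESS_TO_SERVER", "MARKETPLACE"}),
    Record("forum", "New DDoS tool release, supports layer 7", tags={"DDOS", "TOOL"}),
    Record("telegram", "example.org database leaked, 2M rows, sample inside", tags={"DATABASE"}),
]
WATCHED = {"example.com", "example-shop.test"}

if __name__ == "__main__":
    for score, rec in triage(SAMPLE_FEED, WATCHED):
        print(score, rec.source, sorted(rec.tags), sorted(rec.domains))
```

Running the script prints the two records that touch a watched domain, ordered by score: the live-access listing for a subdomain of example-shop.test outranks the combo list mentioning example.com, while the DDoS tool thread (no domain) and the example.org database (not on the watch list) produce no alert. The parent-domain walk in lookup_rank matters because popularity rankings are published per registrable domain, whereas scraped posts usually name a specific host.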