
Darknet: The shady underbelly of the iceberg

Published: Oct 17, 2017
Author: Anshuman Sharma

Think of the internet as a large iceberg. The tip, which most people can see, is the surface web: content reached through normal channels such as search engines, social media and news websites. But the majority of the internet lies below the metaphorical waterline, where it is neither indexed by search engines nor reachable by the general public. These hidden parts of the internet are known as the deep web and the darknet.

Three levels of internet

The entire world wide web can be categorized into three sections.

  • Clearnet or surface web. The part of the internet that search engines index: everything that comes back as a result from Google or Bing, plus sites such as Facebook, LinkedIn and YouTube. It is commonly estimated at around 5–6% of the entire internet.
  • Deep web. The part of the internet that search engines cannot index, typically because it sits behind authentication or is only reachable by knowing the exact link or Uniform Resource Locator (URL). Content in the deep web includes medical records, government records, missing-persons information and the internal-only areas of organizations' websites. The deep web accounts for around 95% of the internet.
  • Darknet or the dark web. The darknet is a subset of the deep web that can only be reached with special software, most commonly the Tor Browser (Tor stands for The Onion Router). It is also known as the hidden web and constitutes around 4–5% of the deep web. Tor is the best-known darknet, but the term also covers other overlay networks that need specific software or configuration to access, including peer-to-peer (P2P) and anonymity networks such as I2P, Freenet, RetroShare, GNUnet, Syndie, OneSwarm and Tribler.

What is the darknet for?

The darknet can be used for both good and bad purposes. Some people believe that simply visiting the darknet is illegal, but in most jurisdictions it is not, unless country-level censorship applies. Certain countries, such as China, restrict the use of Tor and block their citizens from reaching the network.

As mentioned above, the darknet can be used for both legal and illegal purposes. Legal uses include sharing information anonymously: academic research, background and criminal-record verification, and details about missing persons. Illegal uses include buying and selling stolen information, such as social security numbers, other personally identifiable information and payment card data; trading drugs; and distributing child sexual abuse material. Since interactions on the darknet are largely anonymous, the level of trust between buyer and seller is of utmost importance.

The history of the darknet

To understand the darknet, it’s helpful to know its history.

In the mid-1990s, the US Naval Research Laboratory developed the idea of anonymous information exchange over a network and called it "Onion Routing": a message is wrapped in one layer of encryption per relay, and each relay strips only its own layer, so no single relay learns both the sender and the final destination.

In the late 1990s, the Defense Advanced Research Projects Agency (DARPA) supported further work on the project.

  • In 2002, the alpha version of Tor was released.
  • In 2004, the Tor code was released under a free license.
  • In 2006, The Tor Project was created as a non-profit organization.

The original purpose of Tor, and of visiting the darknet, was to post and share information anonymously: someone who wanted to pass information to another person while hiding their identity found it an ideal solution. In countries where speaking out can lead to retribution, people began using Tor to communicate without exposing who they were. Later, others started using the darknet to carry out illegal activities anonymously.
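To make the onion routing idea behind Tor concrete, here is a small simulation added to this article (it is not Tor's own code or protocol). A three-relay circuit, the relay names "guard", "middle" and "exit", the destination name, the one-byte hop encoding, and the use of an HMAC-SHA256 counter-mode keystream with a per-layer MAC are all simplifications chosen for this illustration; real Tor negotiates per-hop session keys with a Diffie-Hellman-based handshake and uses AES in counter mode with a different cell format. What the example does show faithfully is the structural property: each relay peels exactly one layer, learns only the next hop, and cannot read the inner content, and a modified layer is rejected rather than forwarded.

```python
"""Toy onion routing: one encryption layer per relay (added illustration, not Tor's protocol)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
# Assumed relay names for the demo circuit; real Tor picks relays from the consensus.
CIRCUIT = ["guard", "middle", "exit"]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key and nonce (HMAC-SHA256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer, producing nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key: bytes, blob: bytes) -> bytes:
    """Verify and strip one layer; raises ValueError if the layer was tampered with."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("layer authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def _encode_hop(name: str) -> bytes:
    """Length-prefixed hop name (toy addressing scheme, assumed for this demo)."""
    raw = name.encode()
    return bytes([len(raw)]) + raw


def _decode_hop(data: bytes):
    n = data[0]
    return data[1 : 1 + n].decode(), data[1 + n :]


def build_onion(circuit, keys, destination, payload):
    """Wrap payload in one layer per relay; the first relay's layer ends up outermost."""
    blob = payload
    next_hops = circuit[1:] + [destination]
    for relay, next_hop in reversed(list(zip(circuit, next_hops))):
        blob = _seal(keys[relay], _encode_hop(next_hop) + blob)
    return blob


def relay_process(relay, keys, blob):
    """What a single relay does: strip its own layer and learn only the next hop."""
    inner = _open(keys[relay], blob)
    return _decode_hop(inner)


def route(onion, circuit, keys, destination):
    """Push the onion through the circuit; returns (delivered payload, per-relay view)."""
    view = []
    current, blob = circuit[0], onion
    while True:
        next_hop, blob = relay_process(current, keys, blob)
        view.append((current, next_hop))
        if next_hop == destination:
            return blob, view
        current = next_hop


def run_demo(payload: bytes = b"constructed sample message"):
    """Returns (delivered, view, tamper_detected, payload_hidden_from_guard)."""
    keys = {relay: os.urandom(32) for relay in CIRCUIT}  # per-hop keys, assumed pre-shared
    onion = build_onion(CIRCUIT, keys, "hidden-service", payload)
    delivered, view = route(onion, CIRCUIT, keys, "hidden-service")
    # The guard sees only "middle" plus an opaque blob; the payload is not visible to it.
    _, guard_sees = relay_process("guard", keys, onion)
    payload_hidden = payload not in guard_sees
    # Flip one ciphertext byte of the outer layer: the guard must reject, not forward.
    corrupted = bytearray(onion)
    corrupted[NONCE_LEN] ^= 0x01
    try:
        relay_process("guard", keys, bytes(corrupted))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return delivered, view, tamper_detected, payload_hidden


if __name__ == "__main__":
    delivered, view, tamper_detected, payload_hidden = run_demo()
    for relay, next_hop in view:
        print(f"{relay} forwards to {next_hop}")
    print("delivered:", delivered, "| tamper detected:", tamper_detected, "| hidden from guard:", payload_hidden)
```

The `view` list is the point of the exercise: the guard knows the sender and the middle relay, the exit knows the middle relay and the destination, and nobody on the path sees both ends, which is why tracing darknet traffic back to its origin is hard even for an investigator who controls one relay.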

For buying and selling legal and illegal items, darknet users rely on crypto-currencies such as Bitcoin, Ethereum, Litecoin, Zcash, Dash, Ripple and others.

Recovering stolen data

The importance of understanding the darknet is illustrated by an investigation carried out by the VTRAC (Verizon Threat Research Advisory Center) Investigative Response Team. We were contacted by a company that suspected its information was being sold on the darknet by a former employee. The employee had left the organization without notice, a resignation or a proper exit procedure, and still had several company-owned laptops that were believed to hold sensitive information. The company suspected that the employee would try to sell the laptops or the sensitive information on either the clearnet or the darknet.

We were engaged to conduct a due-diligence exercise in an attempt to locate the company’s laptops and sensitive information. To conduct our darknet research, we created a secure environment to maintain anonymity.

Our searches located the company's sensitive information on the darknet, and subsequent efforts by law enforcement recovered it. However, we could not conclusively show that the former employee was the seller, which illustrates how hard it is to trace data back to its origin on the darknet.

Staying a step ahead of the hacktivists

In another case, our investigations of the darknet helped identify a leak of personal information before it could be used for malicious activities by hacktivists. This case appears in the 2017 Data Breach Digest as the “Hacktivist Attack — the Epluribus Enum” scenario.

We were faced with a situation involving a multinational organization that had become a target for hacktivism following an unpopular restructuring. Our task was to proactively gather threat intelligence, perform penetration testing, and be prepared should any of the online threats materialize.

Our initial assistance and guidance to the victim organization centered on reviewing social networks and online forums as well as the darknet. We set up a secure anonymous account to search through marketplaces and other locations on the darknet to see what the hacktivists were discussing in relation to the victim organization. These activities identified a huge number of threats and negative statements.

Although most were not considered genuine, suspicious parties were actively seeking the home addresses and personal details of executives, and we found evidence that the personal details of two executives had been obtained and were being shared online.

Because the exposure of the executives' personal information was identified early, it could be reported to law enforcement before malicious parties acted on it. The threatening phone calls and spurious deliveries that followed were therefore monitored from the outset and followed up immediately.

More about Data Breaches

Would you like to know more about data breaches?

2017 Data Breach Investigations Report

Get the 2017 Data Breach Investigations Report (DBIR). It’s our foremost publication on security, and one of the industry’s most respected sources of information.

2017 Data Breach Digest

Read the 2017 Data Breach Digest (DBD) for the story of Verizon’s most intriguing cybercrime investigations. Learn about the attacker’s tactics, the victim’s mistakes and the scramble to limit the damage.

Anshuman Sharma has 12 years of experience in the cybersecurity domain and is currently working as a Principal Consultant on the VTRAC Investigative Response Team. Anshuman is responsible for project delivery of Digital Forensics and Investigative Response services in India, as well as supporting delivery around the globe. Anshuman has also worked in governance, risk and compliance (GRC), vulnerability management and penetration testing, and was an active PCI QSA for more than four years. Anshuman holds global certifications such as GCFA, CISM, CISA, CCSK and TOGAF.