Breakthrough in Effective Cyber Intelligence Activities: Deepweb

Breakthrough in Effective Cyber Intelligence Activities: Deepweb

The web world is a cyber space consisting of layers. While the visible web, known as the Surface Web, represents the tip of the iceberg, the parts of the Internet that we cannot see, the deeper layers, are referred to as the Deep Web. Anything that does not appear in our search engine results, in other words, is not indexed by search engines, falls under the definition of the Deep Web. In the darker corners of the network, you will find more dangerous content and activities. Tor websites reside in the farthest reaches of the Deep Web, in a section called the “Dark Web,” and can only be accessed with an anonymous browser. It is known as an environment where illegal activities take place. Dangerous activities such as drug trafficking, arms sales, and identity theft occur in the Dark Web. These dangers pose a serious threat to both individuals and organizations, allowing for the exploitation of security vulnerabilities.

The Dark Web provides a space for cybercriminals to buy and sell stolen information, illegal goods, and services. The data being sold includes personal and sensitive information such as identity details, social security numbers, and credit cards. This situation can lead to a breach of data privacy on the web without you even realizing it. This is a matter related to using the internet. Just as there is no limit to this situation, there is also no limit to security breaches and protection methods. For all these reasons, most people feel uneasy when they hear the term Deep Web. Instead of focusing on the process of monitoring Deep Web crimes to prevent data loss and ensure information sensitivity, they tend to avoid anything related to the Deep Web. However, every individual who uses the internet in any way has data on the Deep Web. Monitoring Deep Web crimes holds an important place in securing your data in the unseen parts of the iceberg, especially for organizations that house the data of large masses, in order to prevent reputation and financial losses. The focus of the Dark Web on privacy and anonymity means that Dark Web sites have no index, making it difficult to identify important threat intelligence sources in the Dark Web. While the Dark Web can be a valuable threat intelligence source, professional support and expertise are required to find useful data. In order for organizations to prevent data breaches, they need “proactive” preventive mechanisms that can provide advance information about attacks. This need has led to the emergence of the field known as cyber intelligence.

Cyber intelligence is the collection and compilation of threats that could potentially harm the business elements and security of institutions and organizations at any level, gathered from electronic environments. With a Dark Web monitoring service, an organization can have a flow of threat intelligence about their companies and industries without the need for internal analysts to search, collect, and manually analyze.

However, it is a fact that open source intelligence elements are also used by organizations engaged in illegal activities. In order to protect against cyber open source intelligence collection methods, the principle of privacy of personal information should be adhered to, primarily in the virtual environment. A cybersecurity policy should be established within the framework of the idea that personal information shared on the internet can be accessed without permission. Open source intelligence can be used not only to guide policy makers in states but also to provide public support for government policies by the political authority. In this context, it is important to raise awareness among individuals and institutions and to be familiar with Deep Web crime monitoring activities in order to prevent open source intelligence elements from being used as an unsafe environment by communities engaged in illegal activities. This article is an awareness effort and has been written by a group of ethical hackers (Hackdra) who have made it their ideal to ensure the security of every layer and area of the web.

In this article, we will focus on the importance of the Deep Web and Dark Web, the competencies of Deep Web crime monitoring in ensuring the security of organizations and individuals, the types of threats, and the advantages of crime monitoring services for institutions and individuals. Our aim is to enable readers to develop a more informed and objective perspective on Deep Web and Dark Web crime monitoring services.


Table of Contents hide



The Deep Web refers to the parts of the Internet that are not visible to us. Anything that does not appear in searches conducted by search engines, i.e., not indexed by search engines (the process by which search engines crawl and index pages and present them to web visitors in a certain order), falls under the definition of the Deep Web. All sites for which no search link is provided or that cannot be found by search engines are part of the Deep Web.

Internet sites may not want to be viewed for various reasons. For example, they may carry content that is generally not intended to be seen by everyone or is difficult to index, such as library archives, public and private company information. In addition to these, flash sites, AJAX sites (those that work with jQuery), password-protected sites, and FTP sites are also part of the Deep Web because they are difficult for search engines to read. System and administrator folders on forums and sites are also not automatically displayed in search results to prevent security vulnerabilities. It is possible to access the Deep Web using different search engines, and for user security, these connections cannot be opened with regular browsers. Operator search engines can find superficial web pages through visible links (a process called “crawling” due to the search engine’s network crawling like a spider). While other websites simply tell search engines not to perform “crawling” for them, Deep Web sites may be protected by passwords or other security barriers, making them more secretive for various reasons.

What we refer to as the Internet can roughly be divided into three layers: the surface web, the deep web, and the dark web (Santos, 2017). Michael Bergman, an American academic and entrepreneur, is credited as the first person to coin the term “Deep Web” and is considered one of the leading authorities on the subject. In the late 1990s, he conducted a scale research to measure the depth of the web and concluded that the surface internet is two to three times larger than previously estimated by his employees. He emphasized that the estimated depth of the web is even greater than initially thought as the research progressed. Bergman also described the Deep Web as the fastest-growing area of information on the internet (Beckett, 2009). The Deep Web can be conceptualized as the most complex and mysterious part of the internet. It is also referred to as the Hidden Web or the Invisible Web (Hawkins, 2016: 5-7).

The Deep Web, which today is conceptually metaphorically referred to as the underground of the internet, is estimated to be 400-500 times larger than the current surface web, which represents only 4% to 10% of the total internet. . Special software products and browsers are used to access the Deep Web, which is the part of the Internet other than the surface web (Epstein, 2014).

Since the mid-1990s, when the Internet became popular worldwide, the concept of the “Deep Web” and its dark side, the “Dark Web”, have not received much attention. The Dark Web came to public attention when Ross William Ulbricht was arrested. In 2011, Ulbricht founded the Silk Road website, which was designed as a platform where 153 sellers and buyers can make anonymous transactions over the internet (Christin, 2012:3).

It turned out that Ulbricht used two methods to anonymize transactions on the Silk Road. Firstly, it used the Tor network to ensure the privacy of its customers, and secondly, it carried out all the illegal transactions using Bitcoin, an electronic currency that exists only in digital form and is not found physically anywhere, as a decentralized form of currency used on the internet. As mentioned in the relevant section, today internet users can buy and sell drugs and illegal goods anonymously through Silk Road. Silk Road, the first successful anonymous marketplace on the Dark Web, adopted a structure similar to Amazon (Hawkins, 2016:13). According to the FBI’s claims, when Ulbricht’s computer was seized, 144,000 Bitcoins worth $150 million were seized. The emergence of this illegal activity carried out by the FBI on the internet increased the world’s curiosity and revealed the need to examine the Deep Web and its dark side, the Dark Web, in many areas.

In the larger Deep Web, “hidden” content is generally cleaner and safer. Everything from blog post reviews to web page design updates to the pages you access while using online banking is part of the Deep Web. Furthermore, these generally do not pose a threat to your computer or security. Most of these pages are kept hidden from the open web in order to protect user information and privacy, such as:

  • Financial accounts like banking and retirement
  • Email and social messaging accounts
  • Private organizational databases
  • Sensitive HIPAA information like medical records
  • Legal documents


For the average internet user, Deep Web security is more important than Dark Web security because you can accidentally find yourself in dangerous areas. Many parts of the Deep Web can be accessed from regular internet browsers. This means users can navigate the border of danger and find themselves on a pirate site, a politically radical forum, or viewing disturbingly violent content.

All Internet sites sharing illegal content within the Deep Web are collectively referred to as the Dark Web. The term Dark Web is commonly used interchangeably with the Deep Web. At the dark end of the network, you will find more dangerous content and activities. Tor websites are located in the farthest corner of the Deep Web, in a section called the “Dark Web,” and can only be accessed with an anonymous browser.

As for the software tools required to access the Deep Web, the most popular and well-known ones include Tor and FreeNet. Tor, which is widely used in Turkey and is now banned (Aydoğan, 2017), emerged as a joint project between the U.S. Navy Research Laboratory and the non-profit organization Free Haven Project in 2002. The project’s main purpose was described as creating a distributed, anonymous, easily deployable, and encrypted network for use by those in need (Moore and Rid, 2016:11). In other words, Tor’s goal is to create a network platform that ensures the anonymity of transmitted data.

Tor directs the user through a series of intermediary servers—servers that work on a proxy logic—in order to securely access a website without being identified or tracked. Within Tor’s own terminology, the navigation between these intermediary servers is referred to as “circuits” (Dingledine, 2014, p.1). Every data packet, image, and so on that will be transmitted over the Tor network is placed within multiple encryption layers that can only be removed by the next node in line, or circuit. Finding the information, virtual markets, and sites sought in the Deep Web and Dark Web accessed via Tor connections does not seem as difficult as one might think. The main reason for this is that the sites in the Deep Web and Dark Web accessed via Tor resemble those on the surface of the internet (Çelik, 2017, p.154).

There are no inter-site connections in the Deep Web and Dark Web accessed via Tor. Each site is published independently and entirely via hidden addresses for anonymity. Tor has been recognized as a free service to promote unrestricted access to the internet in societies with strict and rigid internet censorship and has been considered illegal by oppressive states for breaking the mold. Due to its anonymity, it has received support from:

  • Rose Foundation for Communities and the Environment (2017-2019)
  • Mozilla (2016-2018)
  • Open Technology Fund (2012-2019)
  • Swedish International Development Cooperation Agency (SIDA) (2010-2013, 2017-2020)
  • The Handshake Foundation (2018)
  • National Science Foundation joint with Princeton University (2012-2018)
  • National Science Foundation via University of Minnesota (2013-2018)
  • National Science Foundation joint with Georgetown University (2015-2019)
  • National Science Foundation joint with Rochester Institute of Technology (2016-2019)
  • National Science Foundation joint with University of Illinois at Chicago (2016-2018)
  • US Department of State Bureau of Democracy, Human Rights and Labor (2013-2019)
  • US Department of State Bureau of Democracy, Human Rights and Labor via Harvard University (2017-2019)
  • DARPA via University of Pennsylvania (2018-2019)
  • Institute of Museum and Library Services via New York University (2017-2020)


Universities, institutions, and organizations such as those mentioned above advocate for the use of the Tor browser, support its use by dissidents against oppressive governments, and contribute to the development of the Tor network through coding, network development, intermediary projects, and financial aid (Tor, 2019). The Deep Web accessed via Tor is preferred because it protects user identity and masks personal information, allowing individuals (including dissidents, human rights activists, and journalists) to securely transmit information (Watson, 2012, pp.718-723). One of the best examples of this usage emerged in Egypt in 2011. When the Hosni Mubarak regime imposed internet censorship to suppress protesters, many dissidents, activists, and journalists in Egypt used SecureDrop8 (open-source software) to transmit and disseminate information about the protests via Tor to news centers (Watson, 2012, pp.719-720).

Another notable example is the use of Tor by anti-regime individuals in Syria to submit human rights violations such as torture and disproportionate use of force to the Deep Web, where they are digitally recorded and presented to the international community (Sec Dev Foundation, 2018). Additionally, if traffic analysis is attempted on the Tor network, it can enhance privacy by creating new pathways approximately every 10 minutes (Core, 2018). When data exits the Tor network or when internet access is sought within the Tor network, individuals are randomly assigned to three servers via nodes based on anonymity principles. For example, one’s connection might exit through South Africa, then New York, and finally, Turkiye. This makes it significantly challenging (if not impossible) to intercept and decipher the path of each piece of information or data along the way (Moore and Rid, 2016, pp.16-17).

Roughly, when one wants to access the Deep Web or Dark Web using the Tor network, the Tor browser navigates the internet through multiple nodes and intermediary servers. Thanks to the Tor network, when reaching the exit node to access the internet, only the final node is seen as the source of the data at the exit server. Therefore, it is very difficult to uncover the user’s IP address or the identity of the server reaching the exit server. Numerically speaking, recent research shows that the Tor network operates with over 7000 intermediary servers, and each data packet is randomly routed through one of these servers to access the internet. Supporting this statement, Andrew Lewman, one of the Tor administrators, stated in an interview with the BBC in 2014 that the Tor network consists of 6000 nodes and utilizes a server network spanning 89 countries (Kelion, 2014). Today, instead of the typical website endings like “com,” “org,” “net,” or country-specific endings like “tr,” the addresses encountered in the Deep Web and Dark Web accessed via Tor have extensions such as “rtgfvmcadeoopp.42r5.onion.” In addition to the URL difference, these addresses, managed by “Hidden Services” within the Tor network, are constantly and irregularly changed. However, to help users access the sites they want in the Deep Web and Dark Web, there are some special sites that index actively working sites.

The most popular in terms of visibility is the “Hidden Wiki.” Built on the Wikipedia model, the site indexes constantly changing addresses of sites in the Deep Web and Dark Web (Bartlett, 2016, p. 15). It is a fact that security units tracking such sites that emerge in the Deep Web and Dark Web are following the visibility of the Hidden Wiki. Indeed, the Tor network, by its design, operates with a legal browser logic. However, due to its enabling access to the Dark Web and the illegal activities within its content, it has been declared illegal in some countries.

When we look at the work related to I2P/Invisible Internet Project, just like the first question encountered in the Tor architecture, the question arises: “What is the I2P network used for?” Based on the functionality of Tor, there is actually a single short and clear answer to this question: Anonymity. I2P also operates on the logic of the Tor network. I2P is defined as an anonymizing mix network service. It is designed to hide data content and ensure data delivery using a wide set of encryption standards to conceal the identities of the sender and receiver. Like Tor, it has the ability to route data through multiple nodes by directing data among the nodes (Zantout and Haraty, 2011, p.401). When comparing Tor with I2P, it can be said that due to Tor’s anonymity, prevalence, and speed, it is more preferred by terrorist groups, hackers, and generally, by individuals or groups engaged in criminal activities.

“Another structure used for anonymity is FreeNet (Clarke, 1999). FreeNet is not a proxy but a distributed data store. It is not possible to connect directly to services like Google or Facebook. FreeNet only has access to anonymous web sites, files shared by anonymous users, forum rooms, and communication channels via email. When the mentioned data is circulated for sharing on FreeNet, it can remain within FreeNet forever. In addition to all these features, FreeNet’s structure includes a “friend mode,” which allows data traffic between nodes only among defined individuals in a friend-to-friend system logic, making it extremely difficult to block FreeNet in the national security network (, 2018).

Continuously developed since 2001, unlike Tor, FreeNet does not provide service through an anonymous channel over the internet, but only allows the sharing of pre-published content to the extent permitted by individuals (Levine, Liberatore, Lynn, and Wright, 2017, p.1). The founders of FreeNet describe this situation as follows: “Freedom of communication is a fundamental value in democratic societies.”

FreeNet was designed for minority religious groups, dissident groups or ordinary citizens who want to use their data with a level of anonymity. Today, however, FreeNet can be used to plan a terrorist attack, or it can be a terrorist communication area” (Clarke et al, 2002, p.41). FreeNet, which prioritises anonymity even though it differs from Tor in terms of access, does not use standard extensions such as com, org, gov, etc., just like Tor. Instead, communication can only be achieved through addresses consisting of irregular, randomly generated numbers and letter sequences that people can transmit to each other (Çelik, 2017, p. 154). It is claimed by its founders that FreeNet was designed for two main purposes. Firstly, to eliminate content restrictions imposed by internet providers of non-democratic governments. Secondly, to create a platform for opposition groups to produce content anonymously within the framework of freedom of thought (Clarke et al., 2002, p.41).

To better understand the concepts of the Deep Web and the Dark Web, it would be useful to take a look at the layers of the internet. If we elaborate, the internet has eight accepted layers:


Level 0 Common Web

You can think of this layer as the internet you use on a daily basis.


Level 1 Surface Web

Websites that you can access through simple searches on search engines are found in this layer.


Level 2 Bergie Web

This layer includes content such as FTP servers and unindexed adult content that cannot be accessed through search engines.

From this level onwards, the Deep Web begins. For the subsequent levels, you would need to use a Proxy, also known as a “proxy server,” to access them. (A Proxy, also known as a “proxy server” or “intermediary server,” is a tool that allows you to connect to a website using a different channel. When you are online, your visited website or your ISP tracks your web history. Therefore, it helps to track online IP addresses. Your IP address can be used to determine the location of the website you are visiting. Personal data is very valuable. Therefore, with a Proxy, you can avoid being tracked online. The server, which acts as an intermediary between you and the internet, first tries to change your IP address. Then it connects to the website you want to visit. Your web request is processed through this server using its own IP address. This way, it runs the web request for you. When a response comes from the web servers, your real IP address is not revealed. It provides you with an advanced level of privacy. In other words, the website you are trying to access becomes the server. The Proxy is positioned between the browser and the server, approving the requests coming from the browser and connecting to the server.)


Level 3 Deep Web

This level is divided into two parts: the Proxy level and the Tor level.

  • Proxy level

The sites at this level do not carry the onion extension (.onion, a top-level domain that can be accessed via the Tor network, formerly known as “Hidden service” for special purposes and do not use real DNS names). They contain illegal content banned by search engines.

  • Tor level

The content at this level consists of sites with onion extensions, which are routed through directories. It includes classified government documents, training on weapons and bombs, illegal research, and similar content.


Level 4 Charter Web

This level is also divided into two parts: the Tor level and the private access level.


  • Tor Level

 It hosts sites that can be accessed without any additional processing other than using the Tor browser. It is noted that this level contains content such as million-dollar betting results, arms trafficking, high-budget sales, banned books, films, music, and illegal experiments.

  • Private Access Level

This level contains sites with the .clos extension that cannot be accessed even with Tor browsers and can only be reached through a special method called Closed Shell System. It is said that WikiLeaks documents also come from this level.


Level 5 Marianas Web

There are some doubts about the existence of this level as it has not been reached yet. It is said to require quantum technology-operated computers and the internet to access. It derives its name from the Mariana Trench, known as the deepest point on Earth.


Level 6

Considered the most dangerous known level. Even with the most advanced technology, this level has still not been reached. 


Level 7 The Fog/Virus Soup

This is another level about which no information is available. It is referred to as a war zone. The reason for this name is that if one day this level is reached, everyone in this level would have to fight each other to prevent anyone from reaching the higher level, level 8.


Level 8 The Primarch System

Simply put, it can be said to be the ultimate point of the internet. It is controlled by the Primarch system, which no one, not even any government, knows about. This system is called the God of the Internet.

The layers mentioned above have been collected from internet sources and are the layers that ethical hackers of Hackdra can access. So as mentioned above, there are layers whose existence is doubted and which are said to be unreachable, and access can be provided by ethical hackers of Hackdra.


The Importance of the Deep Web


Malicious Software

Malware can be found active all over the Dark Web. This software is presented on some portals to provide threat actors with tools for cyber-attacks. However, just like in the rest of the network, they continue to circulate throughout the Dark Web to infect innocent users.

Many of the social conventions that websites adhere to in other parts of the network to protect users do not apply on the Dark Web. Users are therefore frequently exposed to malware such as the following:

  • Keyloggers
  • Botnet malware
  • Ransomware
  • Phishing malware


If you decide to explore any site on the Dark Web, you risk becoming a target for computer hacking and similar activities. Your endpoint security programs can catch most malware infections.

Online threats that exploit access to your computer or network connection through browsing could also extend to your offline world if your device or connection is compromised. While anonymity achieved through Tor and the Dark Web structure is strong, it is not foolproof. All online activities can leave traces that determined people can follow deeply enough to uncover your identity.


State Monitoring

Given that many Tor-based sites around the world are believed to have been seized by law enforcement, there is an obvious risk of state targeting if you visit a dark web site.

In the past, illegal drug markets like Silk Road were taken over by police for monitoring purposes. The authorities used special software to infiltrate the sites, analyze activities, and identify the user identities of both customers and those simply present without making purchases. You could be monitored and potentially incriminate yourself for other activities in the future, even without making any purchases.

Infiltrations also carry the risk of being observed for other types of activities. In some countries, exploring new political ideologies to avoid state-imposed restrictions can result in prison time – a criminal offense. China restricts access to popular sites for precisely this reason through its “Great Firewall” system. Viewing such content could lead to being added to a monitoring list or immediately targeted for immediate imprisonment.



Some so-called services, such as professional “assassination”, may be fraudulent activities designed to profit from willing customers. According to reports, the Dark Web offers a wide range of illegal services, from assassination for a fee to trafficking in weapons and people for sex.

Some of these are familiar and serious threats in this corner of the web. Others may be capitalising on the Dark Web’s reputation to trick users into paying large sums of money. Also, some users of the Dark Web may try to use phishing scams to steal your identity or personal information for blackmail purposes.

If we talk about its social importance;

Use of Illegal Structures, Non-State Armed Actors and Terrorist Organisations Terrorist acts, one of the oldest forms of attack in history, have evolved in direct proportion to many parameters in the field of security and conflict in the 21st century. The development of technology and the integrated development of the Internet has caused terrorist organisations to focus on these areas. In this context, it is possible to say that the use of the Internet and the activities of terrorist organisations in the cyber world have gradually increased. Historically, since the end of the 1990s, online platforms (Weimann, 2010) have been attractive places for terrorist groups to disseminate their propaganda to large circles.

However, access to websites on the surface web and the increasing use of social media worldwide in recent years have turned into vast fields of operation for terrorist groups in terms of propaganda, recruitment of militants, and generating financial resources. Gabriel Weimann listed how terrorist groups and terrorists use the surface internet on a daily basis with the following points:


Data Mining

By its nature, the internet is like a digital library. Terrorists use the internet to find details about targets like nuclear power plants, airports, government institutions and even basic information about counterterrorism measures. In fact, terrorists can access information they need for attacks by using publicly available legal resources on the internet.


Network Building

Since the 2000s, the surface internet has effectively enabled various terrorist groups to communicate and coordinate their activities. The surface internet reduces communication costs and increases the variety and complexity of shareable information.


Recruitment and Mobilisation

Terrorist organisations are always in need of human resources. The surface Internet provides a channel of communication with people who are interested in the ideology or the reason for the establishment of terrorist organisations or who seem to be suitable for the organisation, and this is achieved by circulating among sympathisers and chat rooms related to the terrorist organisation. Instructions and Online Manuals: In the 2000s, there were manuals and handbooks on the surface Internet that taught readers how to create chemical and explosive weapons.


Planning and Coordination

The surface Internet has been invaluable for terrorists in planning and coordinating specific attacks. Al-Qaeda terrorist group preferred internet communication for the 9/11 attacks according to the conditions of the period. In the 2000s, all members of the organisation sent messages to each other via e-mail and used online chat rooms to coordinate their attacks and actions.



Terrorists used to identify their sympathisers using demographic information obtained from online surveys and order forms, and then solicit donations via email (Weimann, 2010). The fact that terrorist activities on the surface network can be monitored by counter-terrorism units, and that relevant websites and social media accounts have been shut down or attacked, has led terrorist groups to new searches (Weimann, 2018).  Arrests made by security units have started to direct terrorist groups to the Dark Web (Hussain & Saltman, 2014). Especially ISIS’s effective use of the Internet and the Dark Web has attracted the attention of more terrorist groups to the Dark Web, and the anonymity here has enabled terrorist groups to move many of their activities, especially communication, to the Dark Web.

The simple and straightforward explanation of all the actions of terrorist groups when they move to the Dark Web, unlike the surface Internet, can be expressed as ‘the same as the surface Internet but more secretive’. Terrorist groups, which continue to carry out their activities based on anonymity, cannot be tracked financially, especially thanks to cryptocurrencies. The acceptance of cryptocurrencies in virtual markets on the Dark Web and the illegal products obtained unlimitedly in the Dark Web have liberated terrorist organisations. However, thanks to cryptocurrencies, a person anywhere in the world can help a terrorist organisation financially (Glasser, 2015). After the 15 November 2015 Paris attack, ISIS included an address with the extension “.onion” on its website where it carries out its propaganda and announced that it would continue its posts from there. The content of the message on the website reads: “Due to the severe restrictions imposed on the “Caliphate_Publications” website, we announce that we have switched to the Dark Web”, and at the relevant address, they have implemented an online library such as Chadwiki, an online library containing various terrorist materials (Weimann, 2010). According to Moore and Rid, the purposes of terrorist organisations and terrorists in the Dark Web are divided into two:

  • Terrorist groups use the dark web to communicate anonymously, share propaganda, recruit members, and plan operations without detection from authorities.
  • The dark web provides a haven for these activities since communications and transactions can be conducted privately through encrypted networks and anonymous browsers.
  • Groups are able to find and access sensitive information on the dark web that may be censored or restricted on the public internet. This includes intelligence, documents, and data to support their goals.
  • Cryptocurrencies allow terrorist networks to transfer funds internationally without detection, supporting their operations financially.
  • As governments increase monitoring of the public internet, terrorist organizations migrate more of their coordination and planning to the dark web for secrecy and anonymity.
  • In summary, the dark web has become an important tool for terrorist propaganda, recruitment, communication, fundraising and carrying out operations covertly. Authorities face challenges in monitoring these anonymous networks.


Recruiting Militants

Since it is very easy to locate people on the internet today, terrorist organisations cannot meet with their sympathisers on a legal website or chat room, but they make propaganda through social media with some ambivalent attitudes. It is known that the communication channels are mostly realised through the Dark Web through their sympathisers. Jeffrey Feltman, United Nations Under-Secretary-General for Political Affairs, informed the Security Council that ISIS has adapted to the military pressures in the region in various ways and uses the Dark Web for communication and recruitment (UN News, 2017).


Instructions and Online Guides

Books on the Internet are freely available that teach how to make chemical and explosive weapons. A Google search with the keywords “terrorism” and “manual” yields 9,210,000 results, while a search with the keywords “weapons” and “explosive making” yields 1,480,000 results. When it is desired to access this information, which is easy to access so far, it is very likely that the security forces will see the IP number of the terrorists in the Cyber Crimes section. When they make these searches with Tor on the Dark Web, they can access more comprehensive information, but the possibility of catching terrorists is almost impossible thanks to anonymity. In recent times, terrorist groups, especially ISIS, which significantly benefit from the advantages of anonymity, have used encrypted mobile applications such as Telegram to convey their instructions to the members of the organisation. Although Telegram is a mobile program that is also used by ordinary users, it has evolved into an application where anonymity is provided at a high level by terrorist organisations by distributing channels over the Dark Web (Weiman, 2010).


Planning and Coordination

After 9/11, the fact that the fight against cybercrimes was carried out in a more serious and coordinated manner led terrorist organisations to new searches. Terrorists started to carry out communication, attack action and planning, and the materials to be used in the action over the Dark Web in order to avoid being tracked by security units. As a matter of fact, there are opinions that the terrorist attack carried out by ISIS in Paris in 2015 was planned over the Dark Web (Paoli, 2018, p.2). Another striking example of planning and coordination is the case of 18-year-old David Ali Sonboly, who was killed after shooting 9 people at the Olympia Shopping Centre in Munich, Germany on 22 July 2016.

According to the details revealed later by the German Federal Police, Sonboly, who is of Iranian origin and called the lone wolf, purchased the 9 mm Glock pistol and 250 bullets he used in the act he committed on the Dark Web. The German Federal Police, which followed Sonboly’s routines before the attack, announced that he was in contact with a seller on the Dark Web and that this is how he obtained the weapon (Paoli et al, 2017, p.3).



Many terrorist organisation groups encourage people to join terrorist organisations based on various factors – the search for adventure, ethnic and religious elements, drugs, poverty, etc. – through propaganda on social media sites such as Twitter, Instagram, Facebook as well as their own websites. One of the most striking examples of this is the money laundering of 27-year-old Zoobia Shahnaz from the USA, who went to Jordan as a volunteer with the American Medical Association in 2016 and spent 2 weeks in the Zataari Refugee camp, where ISIS was effective, through Bitcoin purchased from the Dark Web in 2017 to provide financing to ISIS.

Shahnaz purchased $62,000 worth of Bitcoin by making different payments from various credit cards and sent different amounts of funds to various addresses in China, Pakistan and Turkey (Mangan, 2018). It is known that terrorist organisations learn many tactical moves from each other in the field. Today, this learning also manifests itself in different areas such as propaganda and being active on the internet. ISIS’s relationship with Bitcoin has started to be imitated by the YPG, the armed wing of the PKK terrorist organisation in Syria. The fact that Amir Taaki, a British citizen of Iranian origin, known to be a Dark Web user and Bitcoin coder, went to Syria in 2015 and joined the ranks of the YPG terrorist organisation is considered as a move to increase the effectiveness of the PKK terrorist organisation in the Dark Web. Taaki provided training to YPG terrorists in the region on open source code software and to be active in the Dark Web. In addition, Pablo Prieto, a Spanish biologist working with Taaki in the region, emphasised the importance of the Dark Web and Bitcoin to YPG terrorists, and senior executives asked Taaki and Prieto to prepare a technology curriculum for YPG terrorists (Berg, 2017).

Based on these examples and the advantages provided by anonymity in the cyber world, when we look at the objectives and daily routines of terrorist organisations on the Dark Web, it is understood how effectively they use the Dark Web, and it is seen that the fight against terrorism and terrorism in this field constitutes an indispensable quality in the context of combating terrorism and terrorism. 

Map produced by MEMEX as a result of temperature analysis of illegal products on the Dark Web.


Effective Cyber Security Activities Revealing Deep Web Crimes

Source: Christian Mattman, “Searching Deepand Dark: Building A Google For The Less Visible Parts of Web”, The Conservation,2017,, (date: 01.02.2020).


The use of cryptocurrencies and the Dark Web by terrorist organizations is a significant indicator of the rapid, dynamic and evolving nature of terrorism in the 21st century.


To Summarize

The deep web provides a platform for cybercriminals to buy and sell stolen information, illegal goods and services.

Bank Account Details and Identity Information

Cybercriminals can easily steal bank account details. Worse still, they may sell bank details to other individuals.


Credit Cards

One of the most commonly sold items on the Dark Web are credit card details, which are much easier to steal. In short, the websites you use for your credit cards are not secure and safe.

Phone Numbers or Email Addresses

Identity theft is a highly sensitive issue when it comes to hacking. Your emails may contain personal information. Computer hackers can use credit card statements and home addresses for their own advantage.

Driver’s License or Passport Number

This gives cybercriminals access to your valid identity. It’s not difficult to imagine what they could do after accessing your identities.

Social Security Number

With access to your Social Security number, computer hackers can pretend to be you.

As Can Be Understood From the List, This Information and Identity Information Basically Contains

personal and sensitive information. Just knowing your social security number and credit card is enough to commit fraud. After obtaining the data, they can do whatever they want with the data. This is a major data breach problem. The anonymity and accessibility of Deepwep causes you not to be able to find the source of data breaches. No matter how careful you are, your information can be stolen without your knowledge.


Threat Types in Dark Web and Deep Web


Deep web threats come in various forms. When conducting threat intelligence on the Dark Web, it is important to look for the various types of data and services that cybercriminals offer for sale.

Vulnerability Information

Software vulnerabilities are common and can allow an attacker to access corporate systems or vulnerable devices. If a vulnerability is ethically reported by the discoverer, a complete report on how the vulnerability works is usually not published until a patch is released. However, there is often a gap between the initial discovery of the patch and its widespread implementation.

The dark web provides a forum for cybercriminals to discuss vulnerabilities that are not ethically reported or for which patches are not widely available or used. Discussions may include information on how a vulnerability works, possible exploits, and the use of the vulnerability in various cyber attack campaigns.

Cybercriminals may be discussing vulnerabilities on the dark web before information about them is made public. Monitoring these channels enables an organisation to protect vulnerable software until a patch is found and implemented, and can reveal previously unknown vulnerabilities in a company’s products.


Internal Threats

Insider threats pose a significant risk to an organization’s IT assets, intellectual property, and other sensitive data. Insider threats can come from current or former employees, partners, vendors, resellers, and other parties with access to sensitive information. Additionally, insider threats can intentionally or negligently put the organization at risk. 

Information related to insider threats may be found on the Dark Web. Malicious insiders could expose or list sensitive data for sale on Dark Web marketplaces. Additionally, users may upload software or other data collected from an organization to certain platforms. By monitoring these spaces, an organization can identify potential insider risks and sensitive data exposures. Regular monitoring of these spaces can help an organization protect vulnerable software until patches are developed and applied, and uncover previously unknown security vulnerabilities in a company’s products.


Exposed Identity Information

Identity information exposed as a result of data breaches, identity stuffing attacks, and similar cyberattacks is often sold on Dark Web marketplaces. Exposed identity information could be used to gain access to the specified account or as part of a targeted identity theft campaign where the attacker claims the victim’s identity information was collected by malware they uploaded to the victim’s computer. Alternatively, exposed identity information could be used by cybercriminals to test whether breached identity information is reused across multiple accounts in identity stuffing attacks. 

Information related to compromised identity information can be very valuable for corporate cybersecurity. Data about breached passwords could help improve password policies, and if an organization’s employees’ identity information is breached, it signals the need to change account passwords and investigate potential uses of the compromised identities. Regular monitoring of these spaces can help protect organizations and reduce harm from exposed credentials.


Targeted Attacks

Cybercriminals are increasingly moving towards a service-based economy where specialists offer their services for sale. In many cases, these services are sold on Dark Web marketplaces.

For example, a Botnet operator may be selling distributed denial of service (DDoS) attacks, where the buyer can choose the timing, duration and intensity of the attack against a target of his or her choice for varying prices. Alternatively, a buyer on the Dark Web marketplace may purchase a very specific attack, such as hacking the social media account of a significant other.

Information about targeted attacks for sale can help an organisation identify unknown and impending threats to its security. If an attacker is offering access to an organisation’s software or online accounts, or if a buyer wants a DDoS attack against corporate assets, this requires further investigation and response.


Hacked Accounts

Hacked accounts are often sold on Dark Web marketplaces. Hacked personal accounts include access to financial accounts, email, social media, e-commerce sites, and other online accounts. In addition, cybercriminals may offer access to corporate accounts for sale, allowing other attackers to reach that organisation.

Monitoring Dark Web marketplaces for the sale of hacked accounts is critical to protecting an organisation’s data and network security. The sale of access to corporate networks or data indicates an existing threat to the organisation. In addition, hacked email and other personal accounts can negatively impact the company if password reset emails are sent to these accounts or if the attacker extends access to corporate resources from personal emails.

Botnets for Sale

Botnets are a collection of compromised machines that a cybercriminal controls and uses in automated attacks. For example, an attacker can exploit a vulnerability in an IoT device to take control of a set of vulnerable devices. These IoT devices can then be used for distributed denial of service (DDoS), credential stuffing, and other automated attacks.

Botnet operators can have thousands of bots under their control and can divide their botnets into smaller groups. On Dark Web markets, these operators can sell control over bots or sets of bots to other cybercriminals who want to use them in their attacks.

Bots are useful for cybercriminals because they make it harder to trace cyberattacks back to the person behind them. When investigating a security incident, it can be useful to track botnet sales to help attribute the attack.

These services should be provided by professionals. Cyber intelligence services provided by non-experts can lead your organisation to the abyss.


Who is Active on the Dark Web and Why?

Dark Web actors vary in sophistication, from novices to nation-state-sponsored hackers. Some of the main categories of hackers on the Dark Web are:


Script Kiddies

have little or no hacking knowledge and experience. They often use the Dark Web to find hacking tools and information on how to perform different types of attacks.


Competent Hackers

Competent hackers work alone or in small groups and have at least some level of hacking knowledge. In addition to searching the Dark Web for tools and information, they may buy or sell information about compromised organisations or user accounts for use in attacks.


Crime Syndicates

Organised crime is increasingly entering the cybercrime space due to its profitability and the difficulty of attributing it to cyberattacks. They are often more sophisticated and operate on a larger scale than other hacking groups.



Advanced Persistent Threats (APTs) are the most sophisticated type of hacker found on the dark web. At the same time, their presence is difficult or impossible to detect, they are often the most subtle.

Hackers at various levels also look for different types of malware on the dark web. For example, Script Kiddies have a simple password cracker or search for it on the web, while APTs often uncover and exploit many zero-day exploits. In most cases, high-reward malware such as ransomware is in the hands of organised crime or APTs.


What is Dark Web and Deep Web Offence Monitoring?


Monitoring criminal activities on the dark web is important for cybersecurity for several reasons. Firstly, the dark web has become a haven for illegal activities, especially cybercrimes. These activities include identity theft, credit card fraud, drug trafficking, human trafficking and more. Monitoring such activities can help prevent such crimes and bring criminals to justice.

Secondly, dark web monitoring can help with early detection of cybersecurity threats. The dark web can be an area where cybercriminals develop new attack techniques and strategies. Monitoring such emerging threats can help cybersecurity experts take preemptive measures against them and develop more effective defense strategies.

Dark web and deep web monitoring and identity protection services are now crucial for both individuals and organizations. Individuals can greatly benefit from such services as they allow you to check if any vital information about yourself has been leaked, such as:

  • Social security numbers
  • Credit card numbers 
  • Bank account numbers
  • Identity numbers
  • Passport number
  • Phone numbers
  • Driver’s license
  • Credit reports and credit scores


For a large entity, dark web monitoring services are even more important. This is especially true if a company possesses a ton of information about its customers. Personal data breaches can also damage your reputation through social engineering scams.

One needs to be careful while sharing information online and should only provide it to trusted sources. Additionally, you may consider using two-factor authentication or biometric identity verification to add an extra layer of security to your accounts. Regularly monitoring your credit accounts and bank card transactions can also help detect any unauthorized activity quickly and allow you to take action to prevent fraud. Implementing these steps can help protect your personal information and minimize the risk of identity theft.

However, the biggest limitation is that the internet is a vast virtual marketplace that you cannot see or visit, so you do not know what is happening there. You only have the regular websites, IP addresses, and search engines. This is the real limitation. Imagine the data breach problems a careless entity could face. It carries a potential for looming disaster.

In the early 2010s, the cybersecurity world realized that conventional cybersecurity solutions like firewalls, antivirus, DLP products etc. were not sufficient to deal with cyber threats. Because these solutions were only ‘reactive’ tools that could act after an attack was initiated. This approach was not adequate and proactive measures were needed that could provide prior information about attacks, which led to the emergence of the field now called cyber threat intelligence.

Cyber threat intelligence can be defined as different solutions and tools that analyze potential cyber threat factors that could pose a risk to an organization, and provide early warnings and opportunity to take precautions.

Cyber threat intelligence is the collection, compilation and identification of threats from electronic mediums that could harm any aspect of organizations’ operations and security at any level.

Enriched data collected from electronic mediums are analyzed through a process, which helps identify attackers’ objectives, methods or types of attacks to enable early measures. This is a type of intelligence.

Cyber threat intelligence is categorized into levels according to their nature:

Strategic Intelligence

Bu tür istihbarat, düşmanı anlamaya odaklanır. Hasar potansiyeli olan kuruluşların, kuruluşların, bireylerin veya grupların izlenmesini içerir. Saldırganların niyetleri, motivasyonları, taktikleri, stratejileri ve geçmiş eylemleri hakkında bilgiler içerir.


Operational Intelligence

This type of intelligence includes technical, tactical and procedural information of attackers. This information is provided to SOCs (Security Operation Centers) for analysis and use as a preventive measure against possible attacks. 


Tactical Intelligence

This type of intelligence contains data that identifies potential malicious activities on systems and networks. It involves Indicators of Compromise (IoCs) which are abnormal and suspicious behaviors in the structures they are found. Tactical intelligence is integrated into security solutions such as SIEM, Firewall, IDP/IPS, DLP, Anti-Spam, Endpoint Protection.

The Dark Web can be a valuable source of threat intelligence, but a professional support, an expert person is needed to find useful data. The Dark Web’s focus on privacy and anonymity means that there is no index of Dark Web sites, making it difficult to identify important sources of threat intelligence on the Dark Web.


Cyber Electronic Intelligence

Includes concealed login information of users who more easily exploit system weaknesses, which computer software is absolutely unable to intercept.  Here, the American National Security Agency (NSA), abbreviated NSA, has embedded passwords. US intelligence then developed software with Microsoft to monitor the flow of information in communications all over the world. As a result, countries such as Russia and China have taken measures to use Microsoft products. PROMIS, one of the most popular computer software for covert information gathering, is a programme prepared for US prosecutors. In 1990, it was disclosed that it was used by the CIA and it was revealed that it was also used by the secret services of countries such as Canada and Israel. In the 2000s, the information that a “backdoor” was installed by the US intelligence service and sold to countries such as Turkey was enough to stir up the media. Thanks to this backdoor, information on the secret services and financial institutions of the country to which it was sold was sent to the CIA and NSA.

“Echelon” acts like PROMIS with its feature of being a global information gathering system. Since its launch, it has the capability to listen to almost all global communication channels. It uses two methods for interception. The first is the ability to capture microwave signals through satellites belonging to member countries; the second is listening to inter-oceanic cables. With this interception and monitoring, it intercepts conversations containing the monitored words and reports them to intelligence agencies.

  • Open source intelligence (OSINT) refers to intelligence collected from publicly available sources.
  • With the rapid expansion of the digital world, OSINT gathering methods have become an important way to collect written and visual media from open sources.
  • Publicly available information as well as data with economic value for targets can be obtained through OSINT.
  • “Grey sources” refer to limited information available from academic, government, and private sector organizations.
  • Media sources include newspapers, magazines, radio, television, and computers.
  • Public satellite images with high resolution, like Google Earth, are important for OSINT.
  • Academic studies and research papers can also provide valuable data through OSINT methods.


The overall message is that OSINT leverages publicly available information from open sources like media, academic research, and satellite imagery to gather intelligence without using classified or covert methods.

We see that open source intelligence elements are also used by illegal organisations. In order to be protected from cyber open intelligence gathering methods, the principle of privacy of personal information, especially in the virtual environment, should be complied with. A cyber security policy should be established within the framework of the idea that personal information shared on the Internet can be accessed without authorisation. Open source intelligence can be used by the political power to provide public support for government policies, apart from providing guidance to policy makers. Cyber Intelligence Based on Social Networks The basis of cyber intelligence based on social networks consists of social engineering. Social engineering acts on the assumption that “man is the weakest creature” by taking advantage of the weaknesses at the human centre. Social engineering is at the basis of cyber intelligence. It reveals the purpose of accessing confidential information by utilising the tendencies and social networks of people and society. Social networks are important in igniting mass movements and information flow. Communities organised with social media can be the starting point of popular movements.

For this reason, intelligence organisations are expected to use this cyber intelligence method widely in the countries where they operate. In 2010, the Arab Spring in the Arab world started as a popular movement. 

A dark web monitoring service provides a great service to its customers to make them feel safe. A smart approach to dark web monitoring is to use a Dark Web monitoring service. These services already perform the work of mapping useful parts of the Dark Web and identifying important sources of threat intelligence. With a Dark Web monitoring service, an organisation can have a stream of threat intelligence relevant to their company and industry without the need to search, collect and manually analyse it with in-house analysts.

Some cyber security companies provide this service. But as we mentioned above, the web is a cyberspace that is “almost” impossible to access in every area. However, Hackdra cyber security company ethical hackers can maximise this monitoring. We touched on this issue in the “web layers that have not yet been entered” section mentioned above. Hackdra ethical hackers can infiltrate much more web rings than equivalent services. When the security of the clients is violated; Deepweb performs crime monitoring in order to perform deep monitoring, to detect the crime and the criminal, to stop the crime, to ensure security, to eliminate your data from all accessible web environments in order to remain hidden for you if your data has been leaked and to deliver it to justice with the consent of the clients. In this case, Hackdra provides access to these layers in order to ensure security in every area it can reach on the internet. This mission of Hackdra can be interpreted otherwise by those who do not favour it. At this point, the paths we follow from the beginning to the end are kept under control by our legal advisors. All these situations distinguish Hackdra from equivalent services.

Law enforcement agencies can also help reduce the risk of identity theft, fraud and other criminal activities associated with the dark web by eliminating illegal platforms. As we mentioned, Deepweb and Darkweb monitoring covers a fairly broad reach, but it does not mean that it can search the entire internet world. There are still many unknown pages that are difficult to discover. Often, these websites become breeding grounds for identity thieves and criminals! Even worse, law enforcement agencies may not find these criminals there either. Hackdra cyber security company ethical hackers have done a lot of work to help law enforcement at this point, and have prevented many illegal problems with takedown services. Hackdra’s ongoing efforts are critical to providing a safer online environment.


Advantages of Dark Web and Deep Web Crime Monitoring for Organisations and Individuals


Finding Data Breaches

An advanced software is very important to find stolen identity information and other individual data spread on dark web networks. You can adjust your queries on the software to find any relevant information or data. They continuously scan the open, dark, deep web and then direct these searches through AI technologies to know which ones are relevant.


Detecting Physical Threats to Humans and Assets

The big attraction of lawbreakers to the dark web means that all customers must use an encrypted browser to access the dark web, which completely anonymizes their presence. This means that lawbreakers can either boast or discuss their actions as a feature of their regulations. Through dark web monitoring, you can continuously scan the dark web and immediately realize it if a criminal discusses with one of your staff or resources or is likely in danger.


Predicting Potential Terrorist Attacks

The company can continue monitoring discussions on the dark web and use the collected information to potentially foresee and detect terrorist threats targeting the company.


Protecting Reputation

By monitoring the dark web, you can identify potential threats and take steps to mitigate them before they become public. This can help protect your company’s reputation and maintain customer trust. 


Competitive Advantage

By monitoring the dark web, you can get ahead of your competitors and be the first to know about emerging threats. It can help develop a competitive advantage for your company.


Common Risks That a Dark Web Crime Monitoring Service Could Identify

In addition to malicious software and data breaches, some of the most common risks that many dark web monitoring solutions could detect are:

  • Third party breaches
  • DNS spoofing
  • Impersonation attacks
  • Accidental data leakage
  • Data breaches appearing in criminal chat rooms, forums and dark web sites
  • P2P leaks
  • Brand abuse


Deep Web and Dark Web Crime Monitoring Threat Intelligence Collection Techniques and Tools


Information Gathering

The information gathering phase is about collecting as much information as possible about the organisation. In the information gathering phase, research should be done on the keywords to be searched on the dark web and a keyword list should be prepared. A large number of keyword lists about the organisation are created by using publicly available sources such as the name of the organisation, its subsidiaries and social media accounts. Google Dork, Ubersuggest and Keyword Tool can be used for keyword research.



One of the best ways to gather information. The most important part of gathering information with OSINT is identifying sources. These sources include dark web forums, social media platforms, marketplaces or search engines designed for dark web searches.


Identifying Potential Threat Actors and Attack Vectors

Hacktivists, cybercriminals or state-sponsored actors are identified. Potential attack vectors such as vulnerabilities in networks or software that attackers can target, phishing and social engineering are identified.


Dark Web Marketplaces and Forums

Marketplaces often sell services such as stolen data, malware, hacking tools, and phishing activities. To gather intelligence, marketplaces must first be identified. Each marketplace has its own search features and interfaces. It is determined that the data to be searched is related to malware, hacker group or cyber attack method and the data is collected. (Grey Market, Russian Market, Brian’s Crabs Club, Kingdom Market etc.) Forums are communities where cyber criminals can discuss and share various topics. They provide valuable information on threat intelligence and clues on how cyber attacks are carried out. When choosing a forum, one can choose between public forums and private forums. An invitation is required to access private forums. Dark Web search engines DarkSearch or OnionSearch can be used to increase the number of forums. Selected forums should be monitored periodically. It is useful to gather intelligence by interacting with communities and staying in contact with cybercriminals.


Analysing the Collected Data

Data analysis should be performed to ensure the accuracy of the attackers’ goals, objectives, methods and information collected on the Dark Web. In data analysis, the collected data are classified and analysed. Analysis processes vary according to the type and source of the data. Data mining and machine learning techniques can be used at this stage.


Prioritisation and Reporting of Findings

Prioritisation is the classification of the intelligence collected. In this way, it will be easier for the organisation to decide which threat to respond to first. Reporting is used to inform the organisation about cyber security issues and enable management to make the right decisions.


Visualisation of Dark Web Analysis Techniques

Navigating the complex Dark Web environment can be difficult. Some practical tools and search engines are used at this point.


Tor Browser

The most widely used web browser for Dark Web access. The Tor network uses layer-by-layer encryption. Dark Web forums, marketplaces and other sites can be browsed with Tor Browser. Tor Browser estimates the number of users by analysing the requests it routes to transitions and hyperlinks and provides public graphs. This graph shows the estimated number of clients connecting directly, excluding clients connecting through bridges.

Organizations can use these tools and search engines to gather valuable intelligence about tactics and techniques used by cybercriminals on the Dark Web.



A search engine that indexes over 100,000 websites on dark web marketplaces and forums, providing the most relevant results for searches.



Open source intelligence gathering tool Maltego can be used to analyze data like social media profiles, emails, phone numbers etc. collected from Dark Web and various sources.



A search engine that indexes content on the Dark Web. It can be used to search websites, forums and other online resources not indexed by typical search engines.



A tool that crawls .onion sites, collects data, and checks if links are working or not. This enables multiple tasks to be performed simultaneously during research.


Dark Web and Deep Web Crime Surveillance Methods


Cybercrimes on the Dark Web are quite similar to real-world crimes, except that monitoring virtual crimes is more difficult. Anonymity is one of the fundamental problems provided by Dark Web services. Therefore, this prevents the judicial investigation of criminal activities. Many crime detection studies are carried out on the Dark Web to find crimes or criminals.


Law Enforcement


Smaller law enforcement agencies lack technical expertise. Therefore, they have increased their expertise in combating certain crimes that cybercriminals have. On the Dark Web, there are various types of laws related to criminal activity at the local, state, and federal government levels regarding criminal law, civil law, and regulatory law.

The type of punishment can vary from a fine to life imprisonment. Depending on the country where the crime was committed, the penalty may be death. Civil law deals with a person or organization. To hold them accountable, a fine must be paid or a service must be completed as part of the punishment. In regulatory law, an agency in a jurisdiction has the power to impose fines as punishment for activities.

Regulatory bodies have the right to stop all business activities of non-compliant individuals or companies.


Bi̇t Money Flow

Bit coins are virtual money used to make transactions in virtual money. The flow of bitcoins on the Dark Web can be used by law and police agencies to locate criminals.

The criminal’s activities can be monitored by law enforcement agencies and agencies that analyse the bit coin flow. One of the successful examples of such surveillance is the “Silk Road server”, which was used to locate criminals from the Deep Web.

The FBI located the server in the Icelandic data centre thanks to the flow of bit coin transactions.  It was detected due to a misconfiguration in Silk Road’s system, despite being operated using the anonymous network TOR.

The FBI was also able to successfully hack darkode, an underground discussion board where criminals participate daily.

Welcome to Video, a massive Dark Web child pornography site launched in 2015, was shut down in March 2018.  The arrest of the site’s operator, Jong Woo, was announced by his son at a joint press conference.

The way to technical insight to prevent illegal activities on the Dark Web can be the correct understanding of its structure and analysing cybercriminal and terrorist networks.

Network traffic monitoring and network traffic analysis can be done in many different ways. Network traffic monitoring provides raw data input for quality of service (QoS), which allows the network analyst to understand how the network is using its resources and determine network performance.

Data transmission is managed by simple protocols; Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), which operate without monitoring, inspection and intelligent control over non-functionalised traffic. Network monitoring can be achieved by port-based traffic classification methods, load-based classification methods (Deep packet inspection) and classification methods based on flow characteristics (Machine learning and statistical feature). As the interest in traffic classification has increased, many classification methods have been applied to this field. Port-based method is known as one of the best techniques for network traffic classification.


Classification of Network Traffic Using Correlation

The classification technique for detecting attacks in the dark has been applied in the field of network security monitoring and intrusion detection.

Another method of network analysis is to determine the location of the ingress, although there is strong infrastructure that is difficult to break. Although the exit nodes have TOR to identify attacks, the communication and routing behaviour of users are detected by applying some attack techniques in TOR.


Dark Web Marketplace Scraping

Dark Web marketplaces are one of the main platforms cybercriminals use to propagate and conduct illegal activities. Therefore, scraping information from these marketplaces leads the way to success in identifying and apprehending criminals. As per an article written by Alan Travis citing anonymous usage, marketplaces and forums selling financial data related to 5.1 million online fraud cases in England and Wales were found.

Automatic Dark Web market scraping methodology has been developed and applied in different studies. Researchers analyzed scraped data through findings related solutions and crimes on the relevant Dark Web market or crypto markets anonymous purchases and sales results.


Honeypot Distribution Network

As a way to spread malware, attacks are carried out by network or system infiltration. The network server is often targeted by cybercriminals. Another efficient way to observe network monitoring activities is traffic.

Honeypots techniques for criminals in the Dark Web TOR network have been applied and proposed in various studies for use in detecting cyber attacks and as a detection for monitoring the behaviour of criminals in network traffic. As a method for ransomware, illegal accesses are detected with this technique by acting as a trap for attackers, as the honeypot deceives. This technique can prevent secure socket selling, DDoS attack, SSH port scanning, SSH brute force attack, phishing attack, etc.


Tripwire Application

Tripwire is another detection method used for monitoring. Technically different works have adopted this to detect any comprehensive threat in the system.

Reusing passwords can lead the identity theft site to be at risk of corporate abuse with the advantage of reusing credentials. Any action could trigger notifications and alerts about system data misuse.

Tripwire works by establishing a baseline of approved system files, configurations and settings. It then scans the system on a regular basis to check for any changes from this known baseline. If any unauthorized changes are detected, it generates alerts to notify administrators or security teams. This helps detect intrusions or unauthorized modifications to systems early.


Anomaly Detection Methods

Anomaly detection can be used as a security measure for breaches and attacks in cyberspace. Anomaly detection techniques have been applied as a cyber incident detection method in many countries.


Factors of Artificial Intelligence Technology in Deep Web and Dark Web Crime Monitoring Service


To enhance existing cyber security systems and applications, organisations can apply AI on three levels.


Prevention and Protection

Researchers have long been focusing on the potential of artificial intelligence to stop cyber attackers. In 2014, the US Defense Advanced Research Projects Agency (DARPA) announced the first DARPA Cyber Grand Challenge, a competition to develop and implement automatic systems that could solve vulnerabilities in real-time that professional computer hackers and security researchers could exploit.

While still early, the future of cybersecurity will benefit from more advanced artificial intelligence-enabled prevention and protection systems that use advanced machine learning techniques to strengthen defenses. According to a 2019 statement by F.Selçuk, CEO of Hackdra Cyber Security company on their platform, artificial intelligence technology using advanced machine learning techniques to strengthen defenses has already been adopted, considered still early at the time. And this artificial intelligence has the power to significantly and positively impact the world’s future and has been developed by itself. In other words, this system has been used, has long passed the trial stage, and is currently only an 185 IQ level developed artificial intelligence technology module open for cyber security defense services, but has many abilities and competencies. It also has the ability to interact with people in a flexible way with algorithmic decision making. In the near future, all modules will be made available to serve humanity to facilitate life and provide near-flawless security in the web world.



Artificial intelligence enables some key transitions. One is moving from signature-based perception (always reliant on up-to-date recognition of an attack signature based on static rule sets) to more flexible and continuously improving methods. AI algorithms can perceive any anomaly without requiring an advanced definition of ‘abnormal’. Another transition is moving beyond classical machine learning approaches reliant on large, curated training data sets to deeper forms of representation learning (such as reinforcement learning and deep neural networks), which are gaining interest especially for Internet of Things (IoT) applications. AI can also provide insights into potential threat sources stemming from small monitoring scripts extracting digital traffic through deep packet inspection or from internal and external sensors. Most companies will need careful policy development and oversight to ensure AI-based perception and potential automated response processes comply with laws and regulations governing data usage.

AI can help reduce cybersecurity analysts’ workloads by prioritizing areas of risk, and intelligently automating many of the manual tasks they frequently perform, thus directing human effort toward more valuable activities. It can also help detect anomalies without requiring an advanced definition of ‘abnormal’ and perceive any change that looks anomalous. While still nascent, AI is demonstrating potential to strengthen defenses, facilitate life, and provide near-flawless security. Continued progress will depend on addressing challenges around explainability, bias, privacy and ensuring AI systems behave helpfully, harmlessly and honestly.

Furthermore, AI can predict and apply competencies that human effort may miss. Artificial intelligence can also enable intelligent responses outside or within the field of view to attacks based on shared information and learning. For example, we now have technology that will apply semi-autonomous, intelligent decoys or “honeypots” that will convince attackers they are on the right path to penetrate an environment, and then identify the culprit later. AI-enabled response systems may segregate networks to keep valuable assets in “safe places” or remove threat actors from security vulnerabilities or valuable data. This can help efficiency by allowing analysts to focus on higher probability signals rather than spending time hunting for them.

The implementation of automatic AI-guided intervention requires careful design and strategic planning. This is particularly relevant for systems operating at the digital-physical interface (e.g. critical links in manufacturing or supply chains, or critical medical devices in hospitals or emergencies) where users may need to be isolated or quarantined. AI can predict and compensate for competencies human effort may miss, apply intelligent decoys, and segregate networks. However, ensuring such systems behave helpfully, harmlessly, and honestly requires attention to challenges around explainability, bias, privacy, and appropriate human oversight.

Cybersecurity has always been part of an arms race. In 2016, then-US President Obama expressed concerns to Wired magazine about a potential AI-assisted attacker accessing US nuclear codes. Obama said: “If it’s just his job and he’s self-learning and really effective at it, then we’ve got a big problem.” AI increases attackers’ speed, agility, opportunities, and chances of success. As each AI algorithm learns from every attempt and failure, it becomes smarter. Just as companies use AI to automate and improve business processes, computer hackers can automate vulnerability discovery and exploit writing (hacking).

AI algorithms tend to rely on open-source software that is widely available and easy to use on the internet. Just as many companies use ‘software as a service’ (software accessed via the internet as a service through a web browser), ‘malware as a service’ is also quite prevalent and applicable for criminals. There is high competition among cybercriminals to develop advanced malware. Open-source AI libraries and software that provide companies with a new fast and cheap source of innovation can also be a new security vulnerability source.

AI algorithms tend to rely on open-source software that is widely available and easy to use on the internet. Just as many companies use ‘software as a service’ (software accessed via the internet as a service through a web browser), ‘malware as a service’ is also quite prevalent and applicable for criminals. There is high competition among cybercriminals to develop advanced malware. Open-source AI libraries and software that provide companies with a new fast and cheap source of innovation can also be a new security vulnerability source.

As F. Selcuk stated regarding open-source AI libraries, “AI needs to be proactive about potential security exploits from such situations, able to block future attacks without the attacker noticing and perform crime detection. What defines an ‘AI’ is the ability to have will and analytical thinking bestowed upon it and also being programmable. So it can demonstrate will over the topic it is programmed on. This is required for open-source AI resources to establish security rather than create security vulnerabilities. ULGENAI has been customized from other AIs by being programmed and developed not to provide opportunities for such exploits.”

In addition, artificial intelligence can also help prevent the detection of malicious software. While security companies are increasingly integrating AI features into their products, many antivirus and endpoint protection software still largely rely on signature-based detection. In contrast, attackers develop tools that conceal the nature and origins of malware, making digital fingerprints harder to recognize.

Today on the dark web, anyone can purchase a custom virus guaranteed not to be detected by 10 or 20 major antivirus software. However, defense systems gradually gain information over time. This information can be blocked by an artificial intelligence algorithm masking the identity of malicious software.

Companies should view artificial intelligence and cybersecurity from two perspectives: protecting their own AI initiatives and using AI-enabled cybersecurity to protect all digital assets, whether or not AI is actively involved. Regular software updates, employee training, secure configurations and multifactor authentication can help bolster protections. With careful planning and policy, AI shows promise for strengthening security defenses through new detection techniques when enabled for cybersecurity.


Implementation Factors of Hackdra Deep Web and Dark Web Crime Monitoring Services


Comprehensive Scope

Hackdra provides broad coverage of the dark web including general and private marketplaces, forums and other online sources. This helps businesses identify and monitor all potential threats and security vulnerabilities.


Real-time Alerts

Hackdra provides real-time alerts when potential threats are detected. These alerts can be customized according to business needs and delivered through various channels like email, SMS or mobile app notifications.


Customizable Dashboards and Reports

Hackdra provides customizable dashboards and reports that allow businesses to view dark web monitoring data in a way tailored to their unique requirements.


Actionable Intelligence

Hackdra provides actionable intelligence that businesses can use proactively to reduce threats and security vulnerabilities.


Integration with Existing Security Infrastructure

Hackdra’s dark web monitoring service can integrate seamlessly with a business’ existing security infrastructure. This allows businesses to leverage investments in their security technology and streamline security operations.


Strong Data Privacy and Security

Hackdra has strong data privacy and security measures to protect the sensitive information being monitored. This includes encrypting pending and transmitted data, multi-factor authentication to access the service, and regular security audits and vulnerability testing.


Artificial Intelligence Scanning

Hackdra’s high-level artificial intelligence technology functioning as a detection tool that can identify any insights that may be overlooked by ethical hackers and cybersecurity experts, allows securing with two factors despite them.


Methods that Organisations Should Implement to Maintain Security


Encrypted Cloud Services

Companies should provide online cloud services that will encrypt files and authorize access to repositories. Only authorized users should be able to access the file. This extra layer of security is important to keep passwords and data secure. For Hackdra Cloud Security Privileges:


Before Clicking on Links

Make sure employees are cautious of suspicious links that could lead to ransomware. Users should open attachments only from proven and trusted sources, no matter how “official” extensions may appear.


Regular Backups

The organization should back up data regularly, such as weekly, to prevent data loss and enable quick recovery in case of an issue.


Cloud Security Assessment

The organization should regularly conduct an appropriate cloud security assessment to ensure the security of employee and organizational information.


Password Protection

Use a password manager instead of reusing passwords or writing them on sticky notes. Develop a password implementation policy.


Disable USB/HDD Ports

The organization should disable USB/HDD ports and try to assume a more secure function for employees. It is important as official machines can potentially be attacked by unknown threats or malware.


Avoid Data Leakage

The organization should pay attention to data theft… It will help to know if any data has been leaked or not.


Be Cauti̇ous of Suspected Networks

Employees should be cautious of logging into and using insecure public networks.

All these methods can be implemented in an authorized manner with the proper informing of organization employees and will greatly secure the organization. It is recommended that organization employees receive social engineering training. Discover the privileges of Hackdra Social Engineering Services.



The topics covered in the article were Web and Deep Web crime monitoring services as an initiative to suppress cybercrimes for institutions and individuals, common risks that Dark Web Crime Monitoring Service can identify, Deep Web and Dark Web Crime Monitoring Threat Intelligence Collection Techniques and Tools, Dark Web and Deep Web crime monitoring methods.

With these services, institutions and individuals can detect potential threats, monitor criminal activities and take precautions against increasing and developing cyber threat factors day by day. This is an important tool to ensure their security and legal prosecution.

Dangers in the Deepweb pose a serious threat to both individuals and institutions and allow exploitation of security vulnerabilities. Sold data contains personal and sensitive information such as identities, social security numbers, credit cards, etc. With a Dark Web monitoring service, an organization can have a threat intelligence flow related to their companies and industries without the need for in-house analysts to search, collect and manually analyze, protecting their data and reputation with prior measures.

Deep Web and Dark Web Crime Monitoring Threat Intelligence Collection Techniques and Tools covered important tools and techniques used in the crime monitoring process. Technologies such as big data analysis, artificial intelligence algorithms and intelligence collection methods are effectively used in the crime monitoring process. However, most cybersecurity companies have not caught up with the developing level of artificial intelligence technology.

This is why open-source artificial intelligence technologies can be used for security exploitation. Open-source artificial intelligence technologies need to be predictive against security exploits so that it can block the upcoming attack and detect the perpetrator without their knowledge. What gives an AI its name and analytical thinking ability is that it can have a will of its own on the topic it is programmed on and can also be programmed. In other words, it can demonstrate will on the topic it is programmed on. This is necessary for open-source artificial intelligence resources to establish security rather than create security vulnerabilities. ULGENAI has been programmed and developed to not allow such exploits, distinguishing it from other AI technologies.

Lastly, we touched upon Dark Web and Deep Web crime monitoring methods. These methods are used to monitor criminal activities and identify criminals on secret networks. Intelligence sharing, deep network scanning tools and access to secret networks play an important role in the crime monitoring process.

Lastly, we discussed the Methods Organizations Need to Implement to Protect Security. While you may have an individual set of precautions that will protect your security against intrusions, Deep Web crime monitoring will not provide effective security unless obtained from an expert cybersecurity consultant.

Unfortunately, cyber security is not taken seriously enough as an issue. This is why many attacks find their place today and institutions suffer very serious amounts of financial and reputational losses. Considering all these, working with competent cyber security experts in their fields should now become a noteworthy issue.

Deep web crime monitoring service is an important element for individuals and institutions to be able to take necessary precautions, provide security and obtain security intelligence to protect their data and reputations, rather than being a situation to be hesitant about. Provided under the consultation and by an expert team, it is a privileged security service.


Mert Doğukan is an experienced C-level executive, CISO, specialized in information security and risk management. With strong leadership qualities and strategic vision, he plays a crucial role in protecting and ensuring the security of the company's information assets. He demonstrates top-level performance in developing, implementing, and auditing corporate-level information security strategies. Additionally, he closely monitors technological advancements to continuously update and enhance the company's cybersecurity infrastructure.

Related Posts