What is the dark web and how does it work?

The dark web is the underworld of the internet. A place where criminality thrives and anything is available—for a price. Stolen data, contraband, and cybercrime services change hands out of sight. The best estimates suggest dark web markets handle around $1.7 billion annually. For companies, it’s where breached credentials, customer records, and access to internal systems can quietly go up for sale. To understand how to defend against that risk, you first need to understand what the dark web is and how it actually works.

What is the dark web?

The dark web is a hidden and intentionally concealed part of the internet that standard search engines cannot find. It consists of websites that owners keep unindexed and that sit on encrypted networks. You won’t reach them by typing a query into Google or clicking a normal link from your browser.

The dark web is a small subset of the wider deep web. Deep web pages are also unindexed, but you can reach them through regular browsers if you know the URL and have the right logins (like online banking portals, SaaS admin dashboards, or internal HR tools). Dark web sites, by contrast, live on special “overlay” networks and use non-standard addresses such as “.onion” domains that only open in specific software.

Access usually requires tools like the Tor browser (The Onion Router). Tor routes traffic through multiple volunteer-run relays and wraps it in layers of encryption, which makes it much harder to link what you do online to your real IP address. That design helps conceal both visitors and the services they access.

In practice, the dark web has two faces. One is a marketplace for stolen data, malware, illigal drugs, weapons, and cybercrime-as-a-service. The other is a privacy layer used by journalists, whistleblowers, activists, and ordinary citizens who need to bypass censorship or avoid tracking and retaliation. From a defender’s perspective, both sides matter: the same anonymity that protects dissidents also shields cybercriminals who trade access to your systems.

Overall, browsing the surface web is like walking down a busy high street where every shop has a sign and appears on a map. The dark web is closer to a set of unmarked doors in an alleyway: you need to know they exist, have the right key, and understand the risks before you step through.

How does the dark web work?

The public internet or surface web is constructed from visible servers and web content identified by public IP addresses.

The dark web also features server-hosted content, but dark web sites lack standard identifiers or are excluded from indexing by website owners. Search engines cannot dark web sites to their indexes and search results.

Almost 99% of web content is thought to evade search engines. This includes data protected by password portals, obsolete files, and anything Google's algorithms decide is irrelevant. However, not all this data qualifies as part of the dark web.

To be part of the dark web, sites must be invisible to a standard web browser and search engines.

How the dark web ensures anonymity

The dark web requires non-standard protocols and encryption techniques. Browsers like Tor (The Onion Router) use special protocols to generate encrypted entry points. These protocols use a layered encryption model. This wraps data packets in many layers.

Tor also plots complex pathways for dark web data. As data passes between nodes, layers of encryption peel away, like the skin of an onion. There is no traceable connection between the entry point and the destination. Users remain anonymous as long as Tor operates.

Tor differs from standard browsers in other ways. No identifiable traffic passes between users and their ISP. Tor clears cookies and browsing data after every session. It also disables geolocation features that can reveal a user’s location.

Standard browsers can access most internet content, even if it does not appear in Google results. But the dark web is different.

Experts estimate the dark web comprises around 0.03% of unindexed content. The amount of hidden data is rising, though, and even 0.03% is a large amount of information.

How do you find sites on the dark web?

Because dark web sites are intentionally hidden, you can’t “Google” your way to them. Instead, people usually find dark web content in three main ways:

1. Direct .onion addresses
   Most dark web services share their URLs (.onion addresses) in invite-only forums, encrypted chats, or paste sites. These addresses are long and random, so users typically copy-paste them or store them in password managers. If the URL changes or the market disappears, the site is effectively gone unless operators push out a new address.
2. Dark web directories and link lists
   Community-maintained directories act like rough catalogues for .onion services: they group links by topic (markets, forums, whistleblower platforms, etc.). Because dark web sites churn quickly, many directory entries are outdated or dangerous. Security teams usually treat public link lists with caution and rely instead on curated threat intelligence feeds.
3. Dark web search engines
   There are search engines on the dark web, but they work very differently from Google:

   • Torch, Haystak, Not Evil, and similar crawlers try to index large portions of the Tor network, but coverage is patchy and results often include spam, clones, or dead markets.
   • Ahmia focuses on safer results and filters out some types of abuse content. It also publishes a clear policy on what it indexes and what it blocks.
   • Some privacy-focused search engines (like specific Tor-hidden mirrors of DuckDuckGo) provide a familiar search box inside the Tor network but still reach only a slice of hidden services.

Even with these tools, search is unreliable: many results point to seized markets, phishing clones, or malware droppers. That’s one reason businesses tend to use professional dark web monitoring and threat exposure platforms instead of manually exploring dark web search engines.

Difference between surface web, deep web, and dark web

Before we dive deeper, let's clear up a common misconception by defining some key terms. We cannot talk about the "dark web" without understanding how it excludes the surface web and the deep web.

Surface web

The surface web is the outer layer of the internet that web browser users see. When you run a Google query, the search engine delivers results from the surface web.

Algorithms process indexed data, assessing its relevance and quality. In the process, search engines miss a huge amount of data. Ideally, this doesn't matter because indexers collect the most relevant information and ignore everything else.

For instance, Google might return a set of Amazon landing pages for a query about sports jackets. Searches won't include back-end metadata or private vendor pages that require passwords. Users only see publicly accessible product listings.

Estimates vary, but it's safe to say the surface web comprises about 10% of the total internet.

Deep web

The deep web comprises internet data that is not indexed by search engines. Deep web data is not really "hidden" from ordinary browsers. Content may only be accessible with login credentials, but you don't need Tor or similar layered encryption tools.

Deep web content includes data stored behind log-in portals or paywalls. Social media profiles are a good example. However, most deep web content is mundane website data like unused or out-of-date files. Site owners use the robots.txt file to redirect search engines and avoid excessive traffic.

Estimates vary about the size of the deep web, but it forms around 90% of internet content.

Dark web

The dark web is a subset of the deep web that exists in the shadows. This hidden web features everything we cannot see without special tools.

Because of this, estimating dark web traffic is almost impossible. The same applies to monitoring dark web criminal activity. It's hard to know whether your personal data is being sold online. Companies cannot tell when hackers conspire beyond surveillance to plan attacks.

When was the dark web created?

The dark web started life in 1999 in the research lab of University of Edinburgh student Ian Clarke. As part of his computer science degree, Clarke wrote a landmark paper on "a Distributed, Decentralised Information Storage and Retrieval System."

In 2000, he released a working version of his project called Freenet. Clarke's goal was to provide members of the public with total anonymity. As concerns about online privacy and government censorship grew, Freenet was a natural progression. Nobody called it the "dark web’ —at least not yet.

Ironically, US intel agencies made the next leap forward, releasing the Tor network in 2004. Scientists at the Office of Naval Research created Tor to enable anonymous battlefield and intelligence activity. However, the creators successfully argued for public release.

The designers realized that decentralized routing and layered encryption needed a large community of users. That's why they launched the Tor Project and fine-tuned the Tor browser in 2008.

Tor could not function without a large user community, even if that meant the government losing control—which is exactly what happened.

In 2009, a shadowy website called Silk Road started to make headlines. Based on the dark web, Silk Road thrived as cryptocurrencies expanded. Dark web marketplaces soon sold everything from narcotics and firearms to pornography, pirated software, and prescription medication.

The FBI raided Silk Road founder Ross Ulbricht in 2013 and closed the site, but the dark web remains a thriving marketplace. Silk Road 2.0 appeared immediately, followed by Diabolus Market and OpenBazaar.

The dark web has also become notorious for more than illegal goods. A 2022 study found 24.6 billion pairs of credentials available for purchase. The dark web now functions as a credentials brokerage, providing access to vast private databases.

Cyber attackers obtain passwords via data breaches. Other criminals buy stolen data to use in phishing or other cyber attacks. Prices are easily affordable, with credit card details retailing for around $120 and single passwords costing just $10. It's a cybersecurity nightmare.

Why does the dark web exist?

Given the criminal activity associated with the dark web, it's natural to ask why the dark web exists. Scientists developed the underlying technology with noble purposes in mind. The ONS and Ian Clarke never wanted to encourage crime, but their creations made the dark web possible.

The dark web's creators set out to protect individual privacy. By the late 1990s, early enthusiasm about the internet gave way to fears about crime and surveillance. People needed ways to browse and communicate anonymously. Tor and Freenet were effective solutions.

The dark web is still a valuable privacy tool. Media organizations like the BBC, the New Yorker, and ProPublica use dark web tools to allow censorship-free browsing in repressive countries.

Is the dark web illegal?

The legal situation surrounding the dark web is pretty simple. Using dark web tools is legal, but using the dark web to commit criminal acts is not.

The benefits above are probably why the dark web remains legal and supported by some governments. Tor is the most reliable way to escape the attention of authoritarian states.

Balancing anonymity against credential thefts and illicit selling is hard, but states tend to see legality as a better option.

Note: Some countries suppress dark web usage. China, Russia, and Vietnam all prohibit Tor usage (with variable success). Keep that in mind if you use Tor when traveling.

How people access the dark web

From a technical point of view, accessing the dark web usually involves three steps:

1. Install a specialized browser
   The most common option is the Tor Browser, which you download from the Tor Project’s official website. It bundles a browser with the software needed to connect to the Tor network and is preconfigured with safer defaults (for example, blocking certain plugins and trackers).
2. Connect to the Tor network
   When Tor launches, it builds an encrypted route through several relays before you reach any site. In some countries where Tor is restricted or blocked, users may need extra configuration (such as using “bridges”) and should check local law before trying to connect.
3. Open dark web services via their addresses
   Once connected, you can enter .onion URLs or use dark web search engines and directories to reach hidden services. Unlike normal web browsing, there’s no guarantee that a site is legitimate, legal, or safe to visit. Visiting illegal content or buying illicit goods is a crime in most jurisdictions, even if the connection itself runs over Tor.

For anyone who needs to access the dark web for research or security reasons, experts recommend doing so only on hardened, isolated systems, with strong endpoint protection, VPN use where legal, and clear internal policies about what staff may and may not do.

What can be found on the dark web?

Dark web markets borrow many tricks from ordinary e-commerce sites: product categories, search filters, seller ratings, and even customer support. The difference is the inventory, which ranges from stolen data and access credentials to forged documents and cybercrime services.

Recent dark web price-index reports from Privacy Affairs, Experian, Nord Security, and others show that much of this data is surprisingly cheap, even in 2024–2025.

Dark web price snapshot (2024–2025)

Typical listings on dark web markets currently include:

• Credit card detail: From around $6 for a single card number to roughly $110 for full details with an advertised balance of up to $5,000.
• Online banking logins: Access to an account with a minimum balance of ~$2,000 often lists for around $60. High-value bank or payment accounts (for example, Stripe or Revolut) can run from several hundred dollars to over $4,000.
• PayPal and similar wallets: PayPal credentials with spendable balances frequently appear around $100, with some “money transfer” offers priced per transaction.
• Cryptocurrency accounts and wallets: Logins for crypto services range from $20–$350 in many recent reports, while verified or high-balance exchange accounts can reach $2,500+.
• Business and consumer credentials: Bank statements, utility bills, VPN accounts, and health insurance cards often list for around $10–$15 each, useful as building blocks for identity theft or social engineering.
• Email and social media accounts: A hacked Gmail inbox averages about $60, while hacked Facebook, Instagram, or Twitter/X accounts often sell for $20–$25 per profile.
• Streaming and subscription services: Compromised logins for Netflix, Hulu, Spotify, Disney+, or even Airbnb can cost anywhere from $1–$20 for basic accounts to $300 for high-value or verified profiles.
• Bulk email lists: Datasets such as 10 million US email addresses often sell for around $120 per dump, feeding phishing campaigns and credential stuffing.
• Identity documents: Templates and scans of passports or driver’s licenses start at about $20–$150, while high-quality forged or stolen passports in some markets average over $2,000, with driver’s licenses in the hundreds of dollars.
• Cybercrime tools and services: Malware “install” packages often sell by the thousand infected devices, while a one-week DDoS attack on an unprotected site (10,000–50,000 requests per second) is still advertised at around $350 in some indices.

Prices fluctuate constantly based on supply, demand, and law-enforcement pressure. But the pattern stays the same: highly sensitive data and attack services are cheap enough for almost any motivated attacker. That is why even small companies need to assume their data could end up on the dark web and put strong controls in place to reduce that risk.

Types of threats on the dark web

The dark web may be legal, but it's not safe. Many critical threats make the dark web dangerous. Here are just a few of the most concerning examples:

• Illegal activity. When users access the dark web, it's easy to become involved in criminal activities. Dark web marketplaces peddle illicit drugs, firearms, and even stolen information like medical and legal documents. Buying stolen or prohibited items brings the risk of legal consequences.
• Malicious software. The dark web is unregulated. Dark web forums you visit could direct you to malware and compromise your device. They could also direct you to illegal content without warning. There's no way of knowing.
• Hacking. Dark websites are havens for data thieves and other hackers. These actors are happy to target customers or casual dark web visitors alike.
• Ransomware-as-a-Service. Dark web vendors now sell off-the-shelf ransomware kits, allowing almost anyone to mount cyber-attacks. Groups like REvil and GandCrab provide specialized software that leverages stolen data.
• Webcam attacks. One of the scariest dark web hazards is webcam hijacking. Attackers target visitors with unsecured cameras. They may then deploy remote administration tools to blackmail targets or use the camera to gather data.
• Data breaches. The dark web is a global hub for originating and executing data breaches. Nobody is safe. For instance, in March 2024, communications giant AT&T reported a data breach involving 73 million records. Stolen data was available on the dark web from 2019. And AT&T is just the tip of the iceberg.
• Law enforcement. Criminality is everywhere on the dark web, but so is law enforcement. Users risk detection and prosecution if they engage in illicit behavior. Never assume that contacts are who they say they are.

Is your business data on the dark web?

There are some positive uses of the dark web, but we need to be aware of the dangers. Most importantly, every internet user and company must know if their data is available via dark websites. And we need ways to prevent this.

Let's start with a simple process to check whether your information is on the dark web.

Firstly, don't enter the dark web alone. Individual users lack the contextual data and tools to penetrate dark web defenses. Logging onto Tor and searching your name won't work.

Companies worried about leaked credentials should use in-depth threat exposure management platforms like NordStellar.

Dark web monitoring solutions leverage huge databases of exposed credentials. Scanners constantly analyze databases of compromised credentials and scan dark web forums and marketplaces for keywords related to your business data.

How to keep your company data off the dark web

Searching the dark web for confidential data can be imprecise. A smarter solution is preventing the disclosure of your company data in the first place.

Dark web criminals are clever and ruthless, but cybersecurity measures deter even the most skilled data leeches. Many companies fail to put those barriers in place. That's why dark web markets thrive, but it doesn't have to be like that.

Here are some tips to secure your data and ruin the bottom line of dark web data vendors:

• Protect traffic with a Business Virtual Private Network (VPN). VPNs encrypt traffic and hide your data in transit. Secure every endpoint with VPN coverage to block data thieves.
• Guard your credentials like a hawk. Credential theft or brute forcing allows criminals to access your network and steal user or customer data. Enforce strong, regularly-changed passwords. Add multi-factor authentication for all log-ins. Apply Zero Trust principles to minimize access to sensitive data.
• Be smart about phishing. Phishing encourages users to click dangerous links, leading to malware infections and data loss. Implement advanced DNS filtering solutions to prevent access to websites used in phishing attacks. Train employees to spot phishing emails and explain why phishing awareness is a critical data protection issue.
• Use dark web monitoring. Dark web monitoring is a must-have for companies handling sensitive data. Remember the AT&T case. It took 5 years to uncover the data breach, resulting in millions of dark web sales. Monitoring informs you immediately about data exposure. It also helps you tweak your security posture to prevent cyber attacks.
• Put in place holistic dark web protection. Don't apply password security, VPN coverage, and access controls independently. Gather everything together in one, like NordLayer’s threat protection setup. That way, you can anticipate and neutralize threats before they cause problems.

The tips above will protect companies who do not intend to access the dark web.

But what if you need to use the dark web safely? In that case, extra data security measures come into play.

• Be very cautious about exposing confidential information on dark web forums. Never mention your name, employer, phone number, or address.
• Never trust dark websites. There is no SSL encryption on the dark web, and nobody certifies dark web sites as safe to use. Remember that when entering discussions or buying goods.
• Don't click links on forum posts. The same applies to links. Dark web links could easily be malicious or lead you to illegal content. As a rule, avoid clicking unknown links if possible.
• Disable Java and ActiveX. You may already have done this, but disable these frameworks before firing up Tor. Both are notoriously vulnerable to exploits, especially by dark web residents.
• Separate dark web browsing from critical assets. Ideally, only use Tor inside a well-defended network segment. Create a secure zone with minimal east-west movement. If the worst happens, this should restrict the damage.

Key takeaways

• The dark web includes web content that search engines cannot access and users cannot reach with standard browsers.
• Dark web content differs from the surface web, which is accessible via Google and browsers. The deep web is not indexed by search engines but can be accessed by browsers. The dark web is inaccessible without a Tor browser.
• The dark web initially sought to evade censorship and ensure privacy. However, it later became linked to criminality as anonymous marketplaces and cryptocurrencies emerged. Law enforcement bodies routinely close markets, but buying and selling continues.
• Goods available on the dark web often include narcotics, counterfeit medications, weapons, and stolen data. Users can purchase almost any illegal items via anonymous payment methods. Many customers are cybercriminals, intent on leveraging personal data to access bank accounts or company networks.
• Safeguard data to keep it away from dark web sellers. Security measures include using VPNs, applying strong password policies, and controlling network access. Businesses should use dark web monitoring to detect potential data breaches early and mitigate the risk.