In today’s blog we’ll dive into the topic of Dark Web monitoring and why companies should care about it. Oliver Muenchow, founder of Kaduu, and Christian Grob, Head of Security Services at AVANTEC, wrote this article in collaboration.

Introduction to Dark Web

The Dark Web is a so-called sub-internet that is not indexed by traditional search engines like Google. It is a hidden part of the internet whose contents are inaccessible to normal internet users. Specific software like “TOR” must be used to access the Dark Web. Cybercriminals use it to sell drugs, fake prescription drugs, stolen credit card numbers, weapons, malware, and more. Users also use the Dark Web to bypass business regulations, counterfeit currency and engage in illicit activities. However, not everything is illegal; there are some legitimate reasons for its use as well, for example whistle-blowers who want to retain their anonymity.

Main threats from Dark Web

Threat actors use Dark Web marketplaces and forums to search for targets and establish connections with others. Below you can find a short listing of the three main threats that are typically planned or executed on the Dark Web.

    • Asset and Identity Theft
      • Identity thieves sell stolen credentials on Dark Web marketplaces, which allows them to cash in on their efforts.
      • In other cases, they may download ransomware and malicious software to encrypt files and lock their victims’ computer systems.
    • Hacker Groups
      • Hacker groups operate on the Dark Web without anyone noticing. The anonymity gives them plenty of freedom to plan, collaborate and hack through several potential targets. Hacking tools, including botnets and RATs (Remote Access Trojans), are regularly advertised and discussed on the underground forums. Individuals with malicious intent can often purchase malware, hacking tools, stolen data, or credentials online.
    • Vulnerabilities and Exploits
      • Vulnerabilities in web applications and other online services are among the most common threats attackers use to exploit various targets. Vulnerabilities can be exploited for financial gain, political or corporate espionage, or intellectual property theft. Attackers seek vulnerabilities on Dark Web forums, where they can request or even buy access to specific websites and exploit unpatched vulnerabilities.

Risks that can be addressed with Dark Web monitoring

Continuously scanning the Dark Web for company-related data like e-mail domains, public IP addresses or credit card numbers helps to address certain risks, or at least provides an early warning system.

The list below shows some of the most relevant risks that may be identified through Dark Web monitoring services:

    • Detect leaks from ransomware: Monitoring of common ransomware groups to identify potential leaks (incl. leaks from third-party suppliers).
    • Detect exposed data in the Dark Web and Deep Web: Monitoring of Dark Web forums, Onion, I2P and paste sites for any appearance of the company name and other attributes.
    • Detect exposed infrastructure: Monitoring of DB dumps, IoT (Shodan), S3 buckets and more for exposure of related information. You can find out what hackers know about your infrastructure and its potential vulnerabilities.
    • Detect leaked credit card data: Monitoring of credit card information helps to mitigate potential misuse of a stolen card as early as possible.
    • Detect attacks in preparation: Monitoring typosquatted domain names helps an organization detect potential phishing sites that use a similar domain or layout to the client’s. It’s a common and valuable add-on feature that some monitoring solutions provide.
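One way the last item, typosquat monitoring, can be implemented on the defender’s side, as an added example that is not part of the original article or of any Kaduu/AVANTEC product: domain names observed in a feed are folded for digit and Unicode confusables and compared against the protected brand domain by edit distance. The brand domain, the feed contents and the single-label TLD are constructed assumptions.

```python
import unicodedata

# Constructed sample of newly observed domains, as a monitoring feed might deliver them;
# not real data. The protected brand domain and the single-label TLD are assumptions.
PROTECTED = "avantec.example"
OBSERVED = ["avantec.example", "avamtec.example", "aventec.example", "av4ntec.example",
            "avantec-login.example", "avantec.example.evil.example", "unrelated.example",
            "\u0430vantec.example"]  # last entry starts with a Cyrillic 'a' (U+0430)

# Digit-for-letter, multi-character and Unicode confusables folded to their ASCII lookalikes.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"),
               ("5", "s"), ("7", "t"), ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
               ("\u0440", "p"), ("\u0441", "c")]

def normalize(label):
    """Fold a domain label to the ASCII string it is meant to look like."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def levenshtein(a, b):
    """Edit distance via the classic single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, protected=PROTECTED):
    """Return why a domain looks like the protected one, or None if it does not."""
    domain = domain.lower()
    if domain == protected:
        return None
    if domain.startswith(protected + "."):
        return "brand-as-subdomain"   # brand used as a subdomain of another domain
    label, brand = domain.split(".")[0], protected.split(".")[0]
    folded = normalize(label)
    if folded == brand:
        return "homoglyph"            # identical once confusables are folded
    if levenshtein(folded, brand) <= 2:
        return "typo"                 # one or two keystrokes away from the brand
    if brand in folded:
        return "brand-containing"     # brand embedded in a longer label
    return None

def classify_all(observed, protected=PROTECTED):
    """Map every suspicious observed domain to its lookalike category."""
    return {d: c for d in observed if (c := classify(d, protected)) is not None}
```

Flagged domains are candidates for a closer look (registration date, certificate, hosted content) and, where confirmed, for blocking at the mail and web gateway and a takedown request.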

A real world example

The example below shows some leaked accounts that were identified for a business e-mail address during regular scans. All accounts have in common that they were part of bigger leaks from various websites. However, one website is particularly eye-catching, as it is a dating site without any business context.

Table columns: Website | Account | Password | Other Data (the website and account values are not shown)
Passwords: Idp5*akpiz; Idp5*akpiz; Userx123
Other data: private phone number; birth date, private address; “Question from user related to SAP application”

What can we learn from this example?

    • Company e-mail addresses may be used in a private context, even if company policies do not allow it, as was the case in our example.
    • Users tend to use the same password for several accounts, so the leaked password may be used for business accounts as well, even the AD login (think about a company not using 2FA – yes, this still exists). We can clearly see that this user tends to re-use the same password across multiple websites.
    • The e-mail address and the information about where it was used are now “publicly available” and might be misused by a threat agent, e.g. for a targeted phishing campaign (e.g. a phishing mail imitating the mentioned dating site).
    • We know that the password is exposed in cleartext. This means hackers have already cracked it and it should never be re-used anywhere again. In one case we can see the user also registered with a very weak password on a business-related website.
    • The hacker might find some business-related information on the file sharing platform if the password is still valid.
    • Personally identifiable information (PII) is being leaked through the business website. There is a chance this information will be used for spam and hacking activities in the future.
    • We can identify the user’s e-mail address in association with a tech forum where a specific question related to an internal SAP application was asked. This gives potential attackers information about the internal infrastructure, which can be exploited in social engineering attacks (e.g. phishing) or in a direct attack against the infrastructure.
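The checks behind these lessons, as an added example that is not the article’s or the vendors’ own code: constructed monitoring hits in the shape of the table above are grouped per company account and flagged for private use of a company address, cleartext exposure, weak passwords, password reuse across sites and hints at internal systems. The company domain, the site allow-list and the keyword list are assumptions.

```python
import re
from collections import defaultdict

# Constructed monitoring hits shaped like the article's table (site, account, password as
# exposed, whether it is hashed, other data). All names and values are invented.
COMPANY_DOMAIN = "corp.example"
BUSINESS_SITES = {"b2b-portal.example"}        # assumed allow-list of business-context sites
INTERNAL_HINTS = ("sap", "vpn", "intranet")    # assumed keywords that reveal internal systems
HITS = [
    {"site": "dating-site.example", "account": "jdoe@corp.example",
     "password": "Idp5*akpiz", "hashed": False, "other": "private phone number"},
    {"site": "filesharing.example", "account": "jdoe@corp.example",
     "password": "Idp5*akpiz", "hashed": False, "other": "birth date, private address"},
    {"site": "b2b-portal.example", "account": "jdoe@corp.example",
     "password": "Userx123", "hashed": False, "other": ""},
    {"site": "techforum.example", "account": "jdoe@corp.example", "password": "<hash>",
     "hashed": True, "other": "Question from user related to SAP application"},
    {"site": "shop.example", "account": "someone@other.example",
     "password": "x", "hashed": False, "other": ""},
]

def is_weak(pw):
    """Short, too few character classes, or the common word-plus-digits pattern."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return len(pw) < 10 or classes < 3 or re.fullmatch(r"[A-Za-z]+\d{1,4}", pw) is not None

def triage(hits, company_domain=COMPANY_DOMAIN):
    """Group hits by company account and derive the findings listed above."""
    by_account = defaultdict(list)
    for h in hits:                                # only accounts on the company domain matter
        if h["account"].lower().endswith("@" + company_domain):
            by_account[h["account"].lower()].append(h)
    findings = {}
    for account, recs in by_account.items():
        found, sites_by_pw = set(), defaultdict(set)
        for r in recs:
            if r["site"] not in BUSINESS_SITES:
                found.add("company address used on non-business site: " + r["site"])
            if not r["hashed"]:                   # cleartext means it is already cracked
                found.add("cleartext password exposed on " + r["site"])
                sites_by_pw[r["password"]].add(r["site"])
                if is_weak(r["password"]):
                    found.add("weak password on " + r["site"])
            if any(k in r["other"].lower() for k in INTERNAL_HINTS):
                found.add("internal infrastructure hint exposed on " + r["site"])
        for sites in sites_by_pw.values():
            if len(sites) > 1:                    # same cleartext password on several sites
                found.add("password reused across " + ", ".join(sorted(sites)))
        findings[account] = sorted(found)
    return findings
```

Each finding maps to one of the follow-up actions in the next section: a reused or cleartext password triggers a forced reset, a non-business site triggers the awareness conversation, and an internal hint goes to the team owning that system.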

What should be done after such a case?

    • The user should be informed that the account/password is no longer secure.
    • Awareness should be raised to ensure that accounts are not used for private purposes, that internal business-related data is not discussed publicly, that strong passwords are always used on external and internal apps, and that sensitive information is not stored in the cloud.
    • The organization should make sure to have an internet usage policy in place and signed by the user.
    • The user should verify what type of business-related data is stored on external servers and make sure to delete all data that is no longer required.
    • A password change on the respective user account should be enforced.
    • If not already in place, 2FA should be considered.


Dark Web monitoring was not very affordable in the past, which is likely the reason why it’s not yet broadly adopted. However, every company should know what data about them or their third-party suppliers is available on the Dark Web and could potentially be used against them. It should not be seen as a one-off exercise but rather as a continuous service. This gives Security Officers the chance to react fast, e.g. by blocking an account immediately if a leak should occur.

With Kaduu, a very innovative Swiss provider in this area, as a key source, we’ve built a Dark Web monitoring service at AVANTEC which is reasonably priced and requires low effort on the customer side, as we manage all search filters and investigate suspicious events within our Cyber Defense Team.