Are You Afraid of the Dark (Web)?

The Dark Web is a topic of much discussion related to cyber risk. While it’s super eerie to think of criminals stealing and selling data in cyber shadows, the data marketplace is only one small part of the problem.

When discussing the Dark Web, it is important to understand that the Dark Web has two personalities –much of it is comprised of young hackers trying to one-up each other with claims about what they have for sale, their software capabilities, and their forgery skills. However, there is a mobilized core of international criminals with sophisticated technical skills in the Dark Web as well.
Before 2020, the Dark Web was only a minuscule slice of organized international crime and therefore received notice but not a lot of law enforcement emphasis. Enter Q1 2020, and currency transaction activity on the Dark Web grew by 65% (source: However, to give a sense of scale, the amount of US dollar-equivalent dollars transacted on the Dark Web in Q1 2020 totaled a miniscule $411 million. A best guess estimate (my own guess) is that the Dark Web will cross the $1billion mark in 2020 if it hasn’t already, but keep in mind that the relatively small dollar value is less interesting than the sharp trajectory of growth.

The Dark Web has several marketplaces, but let’s focus on two that have direct bearing on cyber risk for companies: The first is the exchange of malware and ransomware code, the second is the exchange of data stolen in a cyber attack.

The marketplace for malicious code is the most dangerous part of the Dark Web for companies. Hackers buy and sell various portions of bot code, or fully operational attack code every day, trying to build customized bots that can be deployed across the open web to harvest the exact data that they want, regardless of the damage these bots cause to corporate infrastructures.
Malicious code inside a corporate infrastructure is costly and disruptive regardless of whether data was actually stolen. Most of the attack-ware available on the Dark Web is not designed to create a catastrophic breach, but could cause several days of down time and a loss of credibility for the company that was attacked. When a malicious attack bot is deployed with the intent of crashing a network, it can cause long lasting damage to the reputation of its victim.

The Dark Web data exchange is less interesting because much of the Dark Web marketplace has been addressed by companies who built technology that immediately detects fraudulent access. For instance, credit card companies can stop transactions on a credit card number purchased on the Dark Web as soon as it is used for the first time.

However, we do see a troubling issue with data transactions Dark Web. In a data exchange, criminals buy data from (you guessed it) other criminals. Because there is no agreed upon ethical standard for conducting business, much of the data purchased on the Dark Web exchanges is blatantly fake. This fraud among criminals deflates the price of all data in the exchanges – even the good stuff. This deflation causes lower profitability for the sellers and causes them to harvest greater and greater data sets, leading to more cyber-attacks on larger data sources.

In the next year, we expect to see more organized crime will transfer to the Dark Web as crypto currencies become more anonymized. We will also see a steady increase of cyber attacks with more effective attack bots, as well as a vast deployment of nuisance attack ware. Most importantly, may see actual economic models emerge in the Dark Web where merchants are effectively able to market and begin building genuine reputations, causing a trust-worthy criminal marketplace. The Dark Web is worth monitoring and is a breeding ground for malicious behavior even at its current small scale. If it grows and normalizes, it will be addressed by law enforcement and by private industry technologists in an ongoing “good versus evil” exercise as it is now, just on a larger scale.
Should you be afraid of the Dark Web? Maybe, but just to keep an eye on it.