Dark Web Monitoring

Bart Lenaerts-Bergmans - April 27, 2023

What is Dark Web Monitoring?

Dark web monitoring is the process of searching for, and tracking, your organization’s information on the dark web. Dark web monitoring tools are similar to a search engine (like Google) for the dark web. These tools help to find leaked or stolen information such as compromised passwords, breached credentials, intellectual property and other sensitive data that is being shared and sold among malicious actors operating on the dark web.

Dark web monitoring tools offer improved detection against threats on the dark web versus identity theft monitoring tools or antimalware and antivirus programs. Identity theft monitoring tools are designed to protect individuals rather than businesses. Antimalware and antivirus programs aim to prevent malicious code from running from the start, but they do not help after the fact. Dark web monitoring tools help businesses and individuals alike by searching for any confidential information on the dark web, including login credentials, trade secrets and proprietary information.

How Does Dark Web Monitoring Work?

Dark web monitoring continuously searches the dark web and pulls in raw intelligence in near real time. Millions of sites are monitored for specific information (e.g., corporate email addresses), or general information (e.g., the company name and industry).

When a threat is discovered, users can create a customized alert that notifies team members and anyone else in the organization who is relevant to the threat, such as marketing, legal, human resources or fraud teams.

Features of Dark Web Monitoring

  • Threat intelligence. The data captured by the dark web monitoring solution can be fed into automated threat intelligence systems and used to enrich that data.
  • Threat hunting. Threat hunters can use dark web monitoring to speed their hunting and develop a more comprehensive understanding of attackers and their methods.
  • Faster incident response. Investigation and response workflows can be used to mitigate threats as rapidly as possible.
  • Integration into security platforms. The data collected can be sent to other systems to formulate more accurate insights from the entire security stack.

How to Expose the Open, Deep, and Dark Webs

Download this white paper to learn how CrowdStrike Falcon® Intelligence Recon can help identify potentially malicious and criminal activity across the dark web.

Download Now

Why Use Dark Web Monitoring?

Compromised credentials are not the only thing that businesses need to worry about on the dark web. Chatter and activity on the dark web can tip off a business that it is under attack, has already been attacked, or is associated with some other activity that poses a threat to the business, such as a breach at one of its supply chain partners. As part of an overall security strategy, dark web monitoring is akin to sending a canary into a coal mine.

In addition to scanning for data breach information, a dark web monitoring service can be used to classify risks from unknown sources. Businesses that receive alerts when their data appears on the dark web can connect those mentions to other threat sources, and use that information to profile and mitigate threats faster.

The types of risks that can be exposed through a dark web monitor include:

  • Third-party breaches
  • Data dumps to hacking forums and criminal chatrooms
  • P2P leaks
  • Accidental leaks
  • Brand misuse
  • Impersonations
  • Domain Spoofing
  • Potential threats

Benefits of Dark Web Monitoring

The benefit of dark web monitoring is that it identifies exposed data and the amount of time that your data is exposed. By actively monitoring the dark web at all times and mitigating exposed assets or identities, these tools give cybercriminals less time to exploit your confidential information, preventing further information leaks because you addressed them quickly.

Businesses that monitor the dark web can find out if they’ve been breached or find indicators that they are likely to be breached, as well as possibly learn who is attacking them and what methods the attackers may use.

Who Needs Dark Web Monitoring Services?

The short answer: Everybody. Any organization that is charged with protecting sensitive customer data, or that possesses valuable intellectual property, or is a popular target for hacktivists, nation-state actors or criminal activity is a good candidate for a dark web monitoring tool.

A better question is “Is dark web monitoring worth it?” Dark web monitoring provides visibility into threats that traditional security tools are not able to discover. Organizations that are committed to protecting their business and customers with a comprehensive security strategy should evaluate the potential benefits of deploying dark web monitoring in their security stack.

How Does Personal Information Get On the Dark Web?

Cybercriminals sell personal information, credentials or asset access on the dark web. According to CrowdStrike’s Global Threat Report, adversaries continue to show that they have moved beyond malware. Attackers are increasingly attempting to accomplish their objectives using stolen credentials and built-in tools — an approach known as “living off the land” (LOTL) — in a deliberate effort to evade detection by legacy antivirus products. Of all detections indexed by CrowdStrike Security Cloud in the fourth quarter of 2021, 62% were malware-free.

Malicious users steal personal information using one or a combination of these common methods:

  • Phishing: Cybercriminals send phishing emails that imitate legitimate email requests to attempt to gain confidential information.
  • Malware, Loaders and Botnets: Hackers use different types of malicious software to steal confidential data and leak it out slowly.
  • Insecure networks: Hackers can gain access to personal information when you’re connected to an insecure network and the cybercriminal is nearby.
  • Vulnerabilities and exploits: Exploit kits can also be found on multiple forums. They target specific software or systems weaknesses (vulnerabilities) to install additional code and obtain access.
  • Keylogging: Keystroke logging records the keys that you type, allowing cybercriminals to monitor your activity and retrieve personal information.
  • Screen Scraping: Screen scraping copies the information shown on your screen.

Once captured, full sets of data about a single person, including name, date of birth, social security number, address, etc., are packaged (referred to as “fullz”) and sold. Fullz can cost $30, depending on the value of the victim’s assets and the current market demand. Many threat actors take it a step further and all package all the personal information they steal from an organization(s) and sell it in bulk.

2023 Threat Hunting Report

In the 2023 Threat Hunting Report, CrowdStrike’s Counter Adversary Operations team exposes the latest adversary tradecraft and provides knowledge and insights to help stop breaches. 

Download Now

What Does It Mean If Your Information Is On the Dark Web?

For consumers, the revelation that their information is available on the dark web usually means they should change all their passwords, keep an eye on their credit reports and consider replacing their credit cards. After years of huge data breaches where up to 148 million records have been stolen in a single breach, everybody’s personal information, or at least some of it, has been for sale for a while – even if an identity theft victim is only just hearing about it now. While consumers should take the protective measures mentioned below, they shouldn’t panic.

Businesses need to respond much more aggressively. They are the guardians of their customers’ data and if they expose those customers to risk, they have failed. Litigation, lost brand reputation, regulatory penalties and auditing costs may be at stake. The risk of future attacks also increases as stolen logins are used in credential stuffing or other attacks.

If you receive an alert that your information is on the dark web, it means that your identity, data or asset is at risk. The types of personal information that are at risk on the dark web are credentials and personal identifiers that can be used for identity fraud or illegal access. You want to take action right away to prevent cybercriminals from further exploiting this stolen data.

Tools to Help Protect You from Threats on the Dark Web

To help protect yourself from hidden threats on the dark web, consider using a tool to keep private information secure and prevent identity theft. The following methods are sample best practices to protect against and monitor for dark web threats.

  • Build a Cybersecurity Culture: The end user is a crucial link in the chain to stop breaches. User awareness programs should be initiated to combat the continued threat of phishing and related social engineering techniques. Security teams should encourage an environment that routinely performs table top exercises and red vs. blue teaming to identify and eliminate cybersecurity gaps and weaknesses.
  • Protect All Workloads: An organization is only secure if every asset is protected. All critical areas of enterprise risk must be secured: endpoints and cloud workloads, identity and data. Look for solutions that deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities so exploits to your environment can not get sold on criminal forums.
  • Establish strong IT hygiene with an asset inventory and consistent vulnerability management. Remember, it’s impossible to defend systems you don’t know are there.
  • Identity Management: Identity management tools help you to manage the lifecycle of identities in your environment. Identity threat protection technology can segment identities to autonomously enforce risk-based conditional access and revoke access quickly when threats are uncovered.
  • Dark web monitoring: These tools monitor the dark web for stolen data and notify users like businesses if there are breaches, impersonations, accidental leaks and more detected on criminal forums.

How to Achieve Threat Protection with CrowdStrike

The Falcon Counter Adversary Operations threat intelligence solution provides easy wizards that save security teams from wasting time building complex queries while simultaneously minimizing false positives and noise. Results are displayed as user-friendly cards with information on the original threat actor posts, the actor and the site. This information can be viewed in its original language or translated into another. The translation is supplemented with augmented dictionaries, including slang.

CrowdStrike also offers comprehensive security solutions that help customers understand their digital presence and mitigate any risks. To see how CrowdStrike services could help you or your business stay safe online, start a free trial.

For more information on Dark Web Monitoring and Access Brokers, check out our Tales from the Dark Web CrowdCast.


Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.