Your Credentials Are Probably Already There
In April 2021, a threat actor posted a database of 533 million Facebook user records — phone numbers, full names, locations, email addresses — on a popular dark web forum. For the price of nothing. Just sitting there, searchable. So what is the dark web, exactly, and why should you care? Because there's a very good chance your personal data or your organization's credentials are already circulating in it.
I've spent years tracking how stolen data moves through underground markets. The dark web isn't some exotic hacker playground from a Hollywood movie. It's a functioning economy with customer service reps, escrow systems, and product reviews. And it's where the consequences of every data breach eventually land.
This post breaks down what the dark web actually is, what happens there that affects your security, and what practical steps you can take right now. No hype. No scare tactics. Just what you need to know.
The Three Layers of the Internet You Should Understand
Surface Web: What Google Sees
The surface web is everything indexed by search engines. News sites, social media, online stores. It makes up roughly 4-5% of the total internet. This is where most people spend their time, and it's the only layer most people ever think about.
Deep Web: Behind the Login Screen
The deep web is everything not indexed by search engines. Your email inbox. Your bank account dashboard. Medical records behind a hospital portal. Company intranets. This is the vast majority of the internet, and most of it is perfectly legitimate. People often confuse the deep web with the dark web. They're not the same thing.
Dark Web: Intentionally Hidden
The dark web is a small subset of the deep web that requires special software — most commonly the Tor browser — to access. Sites use .onion domains instead of .com or .org. The infrastructure is designed to anonymize both the people running the sites and the people visiting them.
Not everything on the dark web is illegal. Journalists use it to communicate with sources in authoritarian countries. Activists use it to organize under oppressive regimes. But the criminal marketplace is massive, well-organized, and directly relevant to your cybersecurity posture.
What Actually Gets Sold on Dark Web Markets
I've monitored dark web marketplaces as part of threat intelligence work, and the inventory is disturbingly mundane. It looks like Amazon, except every product is stolen or illegal.
Here's what moves in high volume:
- Stolen credentials: Email and password combinations, often from data breaches. Sold in bulk — sometimes millions of records for a few hundred dollars.
- Credit card data: Full card numbers with CVVs, billing addresses, and sometimes the cardholder's Social Security number. Called "fullz" in the trade.
- Ransomware-as-a-service (RaaS): Turnkey ransomware kits that anyone can deploy. The developer takes a percentage of each ransom paid. The Colonial Pipeline attack in May 2021 involved DarkSide, a RaaS operation.
- Phishing kits: Pre-built phishing pages designed to mimic banks, email providers, and SaaS platforms. Some include tutorials.
- Corporate network access: Initial access brokers sell VPN credentials or RDP access into company networks. Prices range from a few hundred to tens of thousands of dollars depending on the target's size and industry.
- Personal identity documents: Scanned passports, driver's licenses, and utility bills used for identity fraud.
The 2021 Verizon Data Breach Investigations Report found that 61% of breaches involved credential data. Those credentials don't just vanish after a breach. They flow directly into dark web markets and get weaponized in credential stuffing attacks, social engineering campaigns, and account takeovers.
You can review the full report at Verizon's DBIR page.
How Your Data Ends Up on the Dark Web
In my experience, most people assume they'd know if their data was compromised. They wouldn't. Here are the most common pipelines:
Data Breaches at Companies You Trust
You gave your email and password to a service. That service got breached. Your credentials are now in a database being sold or traded. The Accellion FTA breach earlier this year hit dozens of organizations — universities, banks, government agencies — through a single file-transfer tool vulnerability.
Phishing Attacks That Actually Work
A convincing email tricks an employee into entering their credentials on a fake login page. Those credentials get harvested and either used immediately or listed for sale. Phishing remains the number one attack vector for credential theft. The FBI's Internet Crime Complaint Center (IC3) received over 241,000 phishing complaints in 2020 alone — more than any other category.
Malware and Infostealers
Trojans like TrickBot and RedLine Stealer silently harvest saved passwords from browsers, autofill data, and session cookies. This data gets packaged and sold in bulk on dark web log markets.
Insider Threats
Sometimes, it's an employee selling access. Initial access brokers actively recruit insiders at target companies, offering cryptocurrency payments for VPN credentials or Active Directory dumps.
Why "What Is the Dark Web" Is the Wrong First Question
Here's what I tell every organization I work with: stop fixating on the dark web as a mysterious place and start treating it as a supply chain for attacks against you. The dark web is the storefront. The real problem is the security gaps that put your data on the shelf.
Every stolen credential on a dark web marketplace represents a failure somewhere upstream — a phishing email that worked, a password that was reused, a system that wasn't patched, a lack of multi-factor authentication.
If you want to actually reduce your dark web exposure, you need to address the root causes. That means training your people, hardening your systems, and assuming breach.
The $4.88M Lesson Most Organizations Learn Too Late
According to IBM's 2021 Cost of a Data Breach Report, the average cost of a data breach hit $4.24 million this year — the highest in 17 years. Breaches involving stolen credentials took an average of 250 days to identify and contain. That's over eight months of an attacker having access before anyone noticed.
Credential theft feeds directly from the dark web back into your network. An attacker buys an employee's compromised credentials, logs into your VPN, moves laterally, and deploys ransomware. No exploit needed. No zero-day required. Just a valid username and password.
This is why security awareness training isn't optional — it's a frontline control. Your employees need to recognize phishing attempts, understand social engineering tactics, and know why password hygiene matters. If you're building out or upgrading your program, our cybersecurity awareness training course covers exactly these fundamentals in a practical, no-fluff format.
Practical Steps to Reduce Your Dark Web Exposure
1. Deploy Multi-Factor Authentication Everywhere
MFA is the single most effective control against credential theft. Even if an employee's password shows up on a dark web marketplace, MFA prevents an attacker from using it. Prioritize email, VPN, admin consoles, and any system with access to sensitive data. CISA has been emphasizing this all year — their MFA guidance is a solid starting point.
2. Run Regular Phishing Simulations
You can't train people with a slide deck once a year and call it done. Regular phishing simulations build pattern recognition. They teach employees what real attacks look like in context. Our phishing awareness training for organizations provides structured simulation programs designed to measurably reduce click rates over time.
3. Monitor for Credential Exposure
Use dark web monitoring tools or services that alert you when employee credentials appear in breach databases or paste sites. This gives you an early warning to force password resets before attackers exploit the data.
4. Enforce Password Policies That Reflect Reality
NIST's current guidance (SP 800-63B) recommends against forced periodic password changes and instead focuses on checking passwords against known-compromised lists. If a credential shows up in a dark web dump, that's when you force a change — not every 90 days on a calendar.
5. Adopt a Zero Trust Architecture
Zero trust assumes that no user or device is inherently trustworthy, even inside your network perimeter. Every access request gets verified. This limits the blast radius when a stolen credential does get used. It's not a product you buy — it's an architecture and a mindset.
6. Patch Aggressively
Many dark web listings for corporate access originate from unpatched VPN appliances and remote access tools. The Accellion, Pulse Secure, and Microsoft Exchange vulnerabilities exploited this year all had patches available before mass exploitation began. Patch management isn't glamorous, but it directly reduces the access that ends up for sale.
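The compromised-password screen described in steps 3 and 4 above, as an added example that is not code from the original post: it reproduces the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service (send a 5-character SHA-1 prefix, receive all matching suffixes with breach counts), with the remote range service replaced by a constructed in-memory store and constructed breach counts so that it runs offline.

```python
"""Compromised-password check using the k-anonymity range protocol.

Added example, not code from the original post. The client hashes the
candidate password with SHA-1, sends only the first five hex characters of
the hash, and receives every known suffix sharing that prefix together with
a breach count. Neither the password nor its full hash leaves the client.

RANGE_STORE is a CONSTRUCTED stand-in for the remote service so the example
runs offline; query_range() is the one function you would replace with an
HTTP call to the real range endpoint.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the format the range protocol compares on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_store(breached: dict) -> dict:
    """Constructed sample: prefix -> list of 'SUFFIX:COUNT' lines, mimicking
    the text/plain body a range query returns."""
    store = {}
    for pw, count in breached.items():
        h = sha1_hex(pw)
        store.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return store


# Constructed breach corpus with made-up counts (not real HIBP figures).
RANGE_STORE = _build_range_store({"password": 3861493, "Winter2021!": 37})


def query_range(prefix: str) -> list:
    """Stand-in for GET /range/{prefix}. Only the 5-char prefix is 'sent'."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return RANGE_STORE.get(prefix.upper(), [])


def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 = never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query_range(prefix):
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, min_length: int = 8) -> bool:
    """NIST SP 800-63B style screen: length floor plus a compromised-list check,
    instead of calendar-driven rotation."""
    return len(password) >= min_length and breach_count(password) == 0
```

In production, a hit from breach_count() is the trigger for a forced reset described in step 4; a zero result only means the password is absent from the corpus you query, not that it is strong.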
Can Law Enforcement Shut Down the Dark Web?
They've tried. And they've scored real wins. The FBI and Europol took down AlphaBay and Hansa in 2017 — a coordinated operation that was genuinely impressive. In January 2021, DarkMarket, then the largest dark web marketplace, was seized by German authorities in coordination with Europol, the FBI, and others.
But new markets appear within weeks. The Hydra marketplace, operating primarily in Russian, continued growing through 2021 and became one of the largest darknet markets globally. Shutting down individual markets is like cutting heads off a hydra — fitting, given the name.
Law enforcement action matters. It disrupts operations, erodes trust among criminals, and occasionally leads to major arrests. But it will never eliminate the dark web. Your security strategy can't depend on someone else solving this problem.
What Should You Actually Do Today?
If you've read this far, you understand that the dark web is a symptom, not the disease. The disease is weak authentication, untrained employees, unpatched systems, and poor visibility into your own attack surface.
Here's your immediate action list:
- Audit your MFA coverage. If any internet-facing system lacks it, fix that this week.
- Check Have I Been Pwned for your organization's domains. See what's already out there.
- Start a phishing simulation program if you don't have one. Make it ongoing, not one-and-done.
- Brief your leadership team on dark web risks in business terms — not technical jargon. Frame it around financial impact and regulatory exposure.
- Invest in security awareness training that actually changes behavior. Theory doesn't stop threat actors. Practiced recognition does.
The dark web isn't going away. The underground economy is more sophisticated in 2021 than it's ever been. But every credential you protect, every phishing email your team catches, every system you harden — that's one less product on the shelf.
Your job isn't to defeat the dark web. Your job is to make sure your organization's data isn't the easiest thing to buy on it.