It turns out the dark web is pretty small.
Despite a years-long drumbeat of sensational headlines and high profile arrests implying there’s an abundance of criminal masterminds lurking in the hidden corners of the internet, the reality is that the number of sites makes up less than 0.005 percent of the number of web pages on the open internet, according to new research.
In findings set to be published Tuesday, the threat intelligence company Recorded Future sought to map the number of so-called .onion sites reachable via the anonymity browser Tor. Researchers found 55,828 different onion domains, and only 8,416 were active, though it’s not clear exactly how many of those are used for criminal activity, Garth Griffin, Recorded Future’s director of data science, told CyberScoop.
“We know there are [roughly] 100 live onion sites that are part of the active criminal underground as either high-tier criminal forums, lower-tier but still explicitly criminal forums, or dark web market where illegal goods are sold,” he said. “We also know that there are some totally benign onion sites, like the onion mirror of the New York Times website.”
And of those criminal sites, it’s clear many have been infiltrated by law enforcement who are collecting evidence against influential players, and private security researchers who sell that access to corporate clients for risk mitigation.
“Contrary to popular belief, the dark web is not an inherently criminal place,” said Emily Wilson, vice president of research at Terbium Labs. “With increased attention from law enforcement and community infighting, we see criminal communities spreading out – on the deep web, on the clear web, and as recent reports have shown, even on social media networks. A lot of these criminal communities, especially trading in personal data and fraud materials, are perfectly happy to operate in plain sight.”
The data suggests that users who visit the Hidden Wiki, a Tor-accessible directory of dark web sites, are three clicks away from 82 percent of the active dark web, according to Recorded Future.
Of the .onion sites that are active, most fail to consistently stay online. The most popular websites are available between 60 and 90 percent of the time. That’s a long way off the “five nines” gold standard for IT teams who try to stay online 99.999 percent of the time.
International police agencies last week announced the closure of Wall Street Market, the second-most popular drug forum online. The shutdown was the result of a year-and-a-half investigation into the market, which police say had 1.15 million anonymous customer accounts and 5,4000 registered sellers, though its known that dark web marketplace users often create multiple accounts. Wall Street Market’s administrators tried to make off with $11 million in an exit scam before the site’s closure, investigators said.
That takedown, while large, was only the latest evidence police have been lurking on these forums. French and Finnish authorities also closed the Valhalla forum earlier this year. And U.S. police announced in March an eight-month investigation resulted in the closure of the Dream Market, which specialized in the sale of narcotics and stolen data.
Despite the handful of markets, there’s more people than ever trying to uncover what’s happening.
Corporate heavyweights, led by the financial sector, are paying vendors big bucks to illuminate what’s happening on hidden sections of the internet. For example, by paying a company like Recorded Future, which has raised $57.9 million in funding, a bank can receive an early alert that its payment card numbers have been breached, allowing the bank to react more quickly and avoid losses later.
Wells Fargo, for instance, uses roughly 50 different sources of threat intelligence. Along with Recorded Future, Flashpoint, Digital Shadows and Terbium all have raised millions of dollars in recent years to meet this demand.