What is the darknet? Shrouded in mystery for many years and often associated with ominous connotations, the darknet is a part of the internet that evokes curiosity, fascination, and even fear in many people.
This “hidden” part of the web isn’t accessible without special software. Contrary to popular belief, it’s not just used by criminals. Some people use the darknet to protect their privacy or to express their opinions freely. Others take advantage of the TOR network’s anonymity for different reasons, which can range from questionable to illegal activities.
Within the darknet, one can find an underworld catering to those looking to trade illegal goods or software. Additionally, it hosts groups offering RaaS (Ransomware as a Service) solutions and activists fighting against censorship or surveillance.
It’s also worth noting that many social media platforms, such as Facebook and X, have their own addresses on the TOR network. Entering the darknet is like stepping into a world where the lines between good and evil blur, and the possibilities are vast.
How does TOR software work? Is the darknet solely a breeding ground for cyber threats? How can we protect our applications from connections via TOR?
We will address these and many other questions in the following sections of the article.
The differences between the Darknet and the traditional Internet are significant and crucial for understanding the unique nature of this “world.”
Here are some key distinctions:
To start, it’s essential to understand where the darknet is positioned within the broader network. The internet can be divided into the Surface Web, also known as the clearnet, which is the space you navigate daily when browsing social media, searching for information, or shopping online. This is the part of the internet you are very familiar with—it’s worth noting that the Surface Web is often indexed in search engines, meaning it’s easy to find various websites using specific keywords.
The second part of the internet is the so-called Deep Web, which is deeply hidden. However, this isn’t yet the mysterious network often discussed. The Deep Web includes all websites and forums that are not indexed (such as private forums whose addresses can’t be found through a Google search). This part of the web also includes scientific reports, government materials, databases, and other information that cannot be accessed simply by entering keywords.
The third and final “layer” of the internet is the Dark Web, also known as the Darknet. This includes all websites, forums, and marketplaces hidden behind the TOR network (as mentioned earlier, these sites are not necessarily illegal). You cannot access this part of the internet using familiar web browsers, and the addresses do not resemble those found on the clearnet.
The following iceberg illustration effectively depicts the outlined structure:
One of the key differences between URLs on the regular internet and those on the darknet is the TLD (top-level domain). Unlike common TLDs like .com, .pl, or .org, the darknet uses a pseudo-top-level domain that is not listed in the official TLD registry: .onion. As you might guess, the .onion domain comes from “Onion Routing,” the method used to ensure anonymity.
Additionally, URLs on the darknet do not form readable words. For example, the TOR project’s address on the clearnet is a typical link:
https://www.torproject.org/
For comparison, a v3 onion address looks like this (in reality, it’s the same site):
http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion/
This address is composed of 56 random characters and cannot be purchased like regular domains. The link is generated based on the computer’s processing power using the ed25519 algorithm. While there are methods to create an address with specific starting characters, this requires significant time and computational resources.
It’s important to note that, unlike regular domains, which typically point to an IP address that can identify the server hosting the domain, every TOR network address points to 127.0.0.1.
Maximize your email deliverability and security with EmailLabs!
On the “regular” internet, you can use standard web browser like Chrome, Firefox, or Opera to search for popular sites or browse social media. However, when it comes to accessing the TOR network, you can still use these browsers, but they need to be “slightly” modified with the Tor software.
Alternatively, there’s the Tor Browser (based on Firefox), which allows direct users access to the TOR network. The Tor software itself is a command-line application that doesn’t enable direct browsing of the TOR network on its own.
To understand the phenomenon of the TOR network and why various social groups so widely use this software, it’s essential to grasp how TOR works—specifically, The Onion Router.
The Onion Router, commonly known as TOR, gets its name from the onion because the entire connection is literally multi layered encryption. In a typical public internet, the process works by having users connect to the destination server through their Internet Service Provider (ISP). Simplifying it further, our computer connects directly to the address we want to reach, and this connection is usually not encrypted.
When discussing the TOR network, we must highlight three main components:
It’s important to note that the actual operation of the TOR network is far more complex, and the description provided here is intended to give you a basic understanding of this fascinating network.
Below is a graphical representation of the TOR network:
You might wonder if it’s possible to track these servers to monitor who is connecting to what and from where.
The answer is: Unfortunately, it’s not that simple.
Nodes are randomly selected during each connection, so it’s unknown which servers the traffic will pass through until the moment of connection.
The image below illustrates an example of a route to a site within the TOR network:
Anyone can set up these nodes (though it’s important to remember that with exit nodes, all traffic exits through “your” server, which can lead to legal issues if the connection is used for illegal activities).
According to TOR metrics, there are currently around 8,000 nodes and about 2,000 bridges (which we haven’t covered in this article) worldwide. The number of nodes and their locations change very dynamically, and since anyone can create these nodes, the network continuously expands, providing an anonymous space for various groups.
Unless there are OPSEC (Operational Security) failures, tracking TOR users would require controlling the majority of the servers to correlate traffic across all nodes. As we recall, the entry node “knows” where the connection originates, while the exit node has information on the destination. However, given the current dynamics, this is not feasible at this time.
As we’ve learned, the TOR network’s unique functionality has won over many people who seek privacy protection and anonymity online (though it’s important to note that achieving full anonymity requires attention to many other factors not covered here).
Consequently, this software is used not only by cybercriminals but also by individuals who value their anonymity (it’s essential to remember that wanting to maintain anonymity does not equate to being a cybercriminal). Many of today’s social media platforms, email applications, and even chat services for discussing personal issues have their own addresses within the TOR network.
A prime example of this is the popular Facebook:
TOR is not just a tool for criminals—although it is often associated with them (more on that later in the article).
This software is frequently used by journalists, activists, and regular users who want to protect their data from surveillance. Today, many non-profit organizations and projects dedicated to defending free speech and privacy also rely on TOR technology. As with many other tools, its ethical use depends on how it is applied.
As mentioned earlier, the ethical use of tools, including the TOR project, depends on how they are utilized. On one hand, TOR can be used to maintain anonymity in oppressive regimes; on the other hand, it is also frequently used by cybercriminals.
Due to the nature of the network, various criminal groups use the dark web sites to sell malware or share data leaks from different sites. Additionally, you’ll find websites for numerous ransomware groups (often operating under the Ransomware as a Service model), such as the recently notorious LockBit.
Additionally, cybercriminals operate numerous illicit forums on this network, all within an environment that provides significant anonymity. However, TOR is not just used for browsing sites accessible only within this network. A key aspect of TOR is its ability to route traffic from virtually any software through it.
It allows them to obscure their real IP address when running tools like vulnerability scanners, so the logs will only show the IP address of the exit node, not the attacker’s actual IP. Similarly, criminals can use the TOR network for data exfiltration or communication with Command and Control (C2) servers.
The reason cybercriminals use TOR for their activities is essentially the same reason why “ordinary” people use it—it provides a high level of anonymity from the outset.
Of course, cybercriminals often enhance this anonymity by using various VPNs and specialized operating systems that route all traffic through TOR. This makes them very difficult to track, assuming no other human errors occur. However, it’s not impossible. Law enforcement agencies, such as the Central Cybercrime Bureau, have successfully apprehended individuals using TOR. It’s important to note that in these cases, it wasn’t TOR itself that failed; rather, it was other factors.
Maximize your email deliverability and security with EmailLabs!
As we already know, the darknet enables users to maintain a high level of anonymity by hiding real IP addresses and other digital footprints. On the darknet, you can find many forums where cybercriminals share guides or leaked databases. There are also marketplaces where, for a fee, one can commission a hacking service or purchase ready-made malware (with all transactions conducted using cryptocurrencies). Additionally, it’s an ideal environment where cybercriminals use TOR-based communication platforms to plan and coordinate their activities.
But how does the darknet contribute to the growth of cybercrime? What factors are driving the increase in cyberattacks, and how does the darknet play into this?
The answer is quite simple, but before we get to it, let’s take a step back a few years…
Not too long ago, conducting a successful hacking attack and infecting a large number of devices required at least some technical skills. Back then, while it was possible to buy malware on certain forums, the majority of infections and attacks were carried out by individuals with some level of experience.
Today, cybercrime has evolved into a business model, most notably recognized as Ransomware as a Service or Phishing as a Service. These are services where individuals with no knowledge of hacking or creating malware can, for a fee, access a dedicated platform for activities like phishing. These platforms provide everything needed, including payment gateways, message templates, and phishing websites.
When it comes to ransomware, you can also purchase software ready for distribution, without worrying about updates. Interestingly, there are also so-called brokers who sell access to various networks. This means that with enough money, you can acquire malicious software and purchase access to a company or platform to carry out a malicious campaign.
There may be situations where you want to block traffic from the TOR network to your web applications. This decision might be based on a risk assessment, where you determine that most traffic from this network could be associated with malicious online activity.
There are several ways to block this traffic. One option is to use ipset, which can maintain an updated list of exit nodes. Such a list can be found on sites like FireHOL. It’s important to note that the list of exit nodes changes frequently, so it needs to be regularly updated. If you use a service like Cloudflare, you can create a policy that detects all connections from TOR. In this case, I recommend checking the documentation for detailed instructions.
Remember that cybercriminals don’t have to connect directly to your applications via TOR. They might use services like RDP or VPN to connect from an IP address that ultimately appears legitimate.
On the previously mentioned FireHOL website, you can also find IP lists for various other anonymization services. If you want to protect yourself against such connections (at least to a significant extent), it’s worth considering importing these lists into your security solutions.
To conclude this article, it’s important to debunk three common myths related to the darknet and the TOR network:
Stay Secure 👾!
We are pleased to announce that MessageFlow, a product from the Vercom S.A. group, has received the prestigious CSA (Certified Senders Alliance) Certification. This recognition not only underscores the...
We are proud to announce that Vercom S.A., the company behind the EmailLabs project, successfully passed an audit for compliance with the latest ISO/IEC 27001:2022 and ISO/IEC 27018:2019 standards....
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
Out of all the things that can go wrong when sending out marketing emails, having your emails end up in the recipient’s spam folder is arguably the most dreaded...
Email Authentication, Security
DMARC is an email authentication protocol that is designed to give domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Spoofing occurs...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
Deliverability, Sending Reputation
Are you just starting to send emails, transitioning to dedicated infrastructure, or switching your sending domain? Don’t overlook a key step – the warm-up process! Warming up an IP...
Best practices, Email Marketing
Email marketing is a powerful tool for businesses to connect with their audience, promote products, and drive conversions. However, simply sending out an email campaign is not enough to...
Deliverability, Sending Reputation
Are you just starting to send emails, transitioning to dedicated infrastructure, or switching your sending domain? Don’t overlook a key step – the warm-up process! Warming up an IP...
We are pleased to announce that MessageFlow, a product from the Vercom S.A. group, has received the prestigious CSA (Certified Senders Alliance) Certification. This recognition not only underscores the...
Best practices, Email Marketing
Email marketing is a powerful tool for businesses to connect with their audience, promote products, and drive conversions. However, simply sending out an email campaign is not enough to...
With the release of iOS 18 on September 16, 2024, Apple has introduced a long-anticipated update to Apple Mail: tabbed inboxes. While this feature isn’t a novelty – Gmail...
Gmail users may soon benefit from a game-changing feature called Shielded Email, designed to enhance privacy and combat spam. While the feature has not yet been officially launched, recent...
Are you frustrated with the constant struggle of your emails getting blocked by Gmail? Have you ever wondered about the reasons behind this issue and, more importantly, how to...
In the ever-evolving landscape of email management, Google has announced an exciting upgrade to Gmail’s summary cards, aimed at improving user experience and streamlining inbox navigation. The latest enhancements,...
Entering the world of email communication, you’ll encounter many terms that initially seem straightforward and intuitive. However, some of these can be pretty challenging. Accurately distinguishing between them is...
Attaching a folder to an email may seem complicated at first glance, especially if you’re trying to send multiple files or an entire project’s documents to a colleague or...