Skip to content

Tradecraft

Investigating the dark web: what is actually down there

Zvonimir Cvetko Damnjanović6 min read

Few subjects collect mythology the way the dark web does. Depending on who is talking, it is either a bottomless criminal underworld or a harmless privacy tool smeared by the press. Neither picture survives contact with the real thing. For an investigator, the dark web is a set of overlay networks with specific properties, a population far more mixed than either caricature, and two hard problems, attribution and preservation, that decide whether anything found down there ever becomes usable.

Layers, defined properly

The surface web is what search engines index. The deep web is everything they don't: webmail, databases, intranets, paywalled archives, anything behind authentication. Most of it is mundane by design. The dark web is a deliberately hidden subset of the deep web, reachable only through overlay networks. Tor is the largest, maintained by the nonprofit Tor Project, using onion routing to reach .onion services. I2P routes traffic through garlic routing to eepsites. Freenet, now Hyphanet, and Lokinet complete the list most practitioners meet. An ordinary browser reaches none of them, and conflating deep with dark is the quickest way to spot a report written from headlines.

Surface, deep and dark web layersThree horizontal bands. The surface web is indexed by search engines. The deep web is reachable with normal browsers but not indexed. The dark web requires overlay networks such as Tor or I2P.Surface webindexed by search enginesnews sites · public registers · company pages · forumsDeep webreachable with standard browsers, not indexeddatabases · paywalled archives · webmail · intranets · court records behind search formsDark weboverlay networks only — Tor, I2P, Freenet, Lokinetonion services · hidden markets · leak sites · closed forumsharder to reach · easier to misattribute
Fig. 1 — Three layers, three access models. The dark web is a small, deliberately hidden subset of the deep web.

What is actually hosted there

Less than the mythology promises, and odder. Much of what sits on hidden services is mundane or openly defensive: censorship circumvention for people behind national firewalls, mirrors of major news outlets, SecureDrop instances that newsrooms run so sources can reach them safely. That traffic is what the network was built for.

The illicit ecosystems are real and operate alongside. Markets and fraud shops. Trading in stealer logs and combo lists. Leak and extortion sites where ransomware groups publish stolen data. Closed forums where entry is vouched for or bought. Individual platforms fall and are replaced: the FBI took down Silk Road in 2013, an international operation removed AlphaBay in 2017, and German authorities seized Hydra Market in 2022. The trade migrated each time.

One category needs naming plainly. Child sexual abuse material circulates on hidden services, and investigating it belongs to law enforcement operating under specific legal authority, not to hobbyists or commercial researchers acting on their own account. Next Sight supports specialist child-protection units in that work.

Reaching it lawfully

Browsing Tor is lawful in most jurisdictions. What you do once connected is governed by ordinary law, the same law that applies everywhere else; the network changes the transport, not the offence. Professional practice adds discipline on top. Investigators work from controlled environments with managed attribution so casework never touches their real identity or infrastructure. And they capture immediately. Hidden services disappear without notice, addresses rotate, markets pull exit scams. Content is preserved at first contact with cryptographic hashes and UTC timestamps because nothing down there can be revisited reliably. The first capture is usually the only record that a thing existed at all.

Where the difficulty concentrates

Access is the easy part, a browser download and a link list. The work concentrates in attribution and preservation. Attribution means connecting personas and infrastructure to actual people, and these networks are engineered to resist exactly that. Cases advance through operational mistakes, handles reused from the surface web, infrastructure overlaps and financial flows, not through breaking the cryptography. Because markets settle in cryptocurrency, cryptocurrency tracing is a discipline of its own. Preservation is the quieter problem and the one that decides court outcomes: a finding that wasn't captured properly is a war story, not evidence. Neither problem yields to tooling alone, which is why the dark-web track in our OSINT training spends its hours on tradecraft.

Frequently asked questions

Is it legal to access the dark web?

In most jurisdictions, yes. Downloading Tor and browsing hidden services is lawful, and the network has legitimate uses from censorship circumvention to source protection. Conduct is what the law governs: buying stolen data is a crime on a .onion address exactly as it is anywhere else. Professional investigators also work within organisational policy and, where they hold them, statutory powers.

What do criminals actually use the dark web for?

Markets and fraud shops, trading in stealer logs and combo lists, leak and extortion sites operated by ransomware groups, and closed forums for coordination and access sales. Platforms are removed and replaced; Silk Road fell in 2013, AlphaBay in 2017 and Hydra Market in 2022, and activity migrated each time.

Can dark-web activity be traced?

Yes. Rarely by defeating the anonymity network itself, and routinely through operational mistakes, reused identifiers, infrastructure overlaps and financial flows, especially cryptocurrency tracing. Anonymity networks protect transport, not behaviour, and behaviour is where investigations win.

Put this into practice

Next Sight delivers these workflows as services, platforms, and training — lawful, documented, and built for teams who carry consequences.