Dark Web

What is the dark web?

The dark web is a small, intentionally hidden portion of the internet accessed through tools like Tor, home to criminal marketplaces, forums, and private channels. In the identity context it’s the trading floor for stolen credentials, session cookies, stealer logs, and personal data – frequently listed within hours of the original theft.

What actually circulates - and where

The criminal underground isn’t a single marketplace; it’s a layered ecosystem from surface-level forums down to invitation-only communities that take sustained operations to access. The identity data trading across it includes:

  • Stealer logs – device-level packages of credentials, cookies, and fingerprints.
  • Combolists – aggregated credential sets built for stuffing.
  • Access broker listings – corporate VPN and RDP access sold to ransomware affiliates.
  • Session cookie markets organized by service, plus real-time phishing captures.

Most monitoring tools only scan the public, already-indexed slice of this ecosystem. For a full picture of how exposed identities are weaponized across industries, read the 2026 Annual Identity Exposure Report →

Why depth is the difference between monitoring and recapture

The gap most “dark web monitoring” misses is depth – and depth is the difference between learning about exposure months late and surfacing it in days:

  • Surface scanning is late. It finds already-indexed, widely circulated data – by the time you’re alerted, it’s old and likely used. 
  • Recapture goes deeper. SpyCloud operates in closed Telegram channels, restricted forums, and direct-to-buyer markets where fresh data appears first. 
  • Days, not months. That positioning surfaces exposure while there’s still time to remediate. 

Act, don’t just alert. See the model in the Dark Web Monitoring use case →

Dark web vs. deep web vs. surface web

The three layers are routinely confused, and the distinction matters for where identity threats actually live:

  • Surface web – everything indexed by standard search engines.
  • Deep web – anything not indexed, including ordinary, benign things like banking portals, email inboxes, and internal apps. The vast majority of the internet.
  • Dark web – a small, intentionally hidden subset of the deep web reachable only through tools like Tor, where criminal marketplaces operate.


Identity-data trade happens on the dark web and the encrypted channels beyond it – not on the broad, mostly harmless deep web the term is often confused with.

Every reused password your users have is a potential entry point.

Check Your Exposure to see how many of your domain’s credentials are already circulating.

Frequently Asked

Stolen credentials from breaches and phishing, session cookies and tokens from infostealer malware, PII (names, SSNs, financial details), combolists for stuffing, corporate access listings sold to ransomware affiliates, and device fingerprints for impersonation. Infostealer logs are the most comprehensive – one log holds all the identity data from a single device.

Breach notification alerts you after a breach is publicly disclosed – often months after the data circulated. Dark web monitoring proactively scans criminal markets for your exposed data before it’s used. SpyCloud goes further by operating in the closed layers where data appears first and by triggering automated remediation, not just alerts.

The deep web is anything not indexed by search engines – including ordinary things like banking portals and email inboxes. The dark web is a small, intentionally hidden subset requiring special software. Criminal identity trade happens on the dark web and adjacent encrypted channels, not the broad, mostly benign deep web.

Stop account takeover before it happens.

Our Check Your Exposure tool shows what data tied to your domain is already circulating in criminal markets.
