Dark Web Monitoring


In this document, we provide information on what Dark Web monitoring is and why it is an important aspect of an overall cyber security strategy.

How does our Dark Web Monitoring service work?

Our Dark Web Monitoring service tracks new posts recently published on the Dark Web that contain compromised data or threats to leak stolen information. While this is an essential service, it is also a difficult and complex task, as cybercriminals operate in highly unpredictable and ever-changing environments.

Challenges and Limitations

  • No Centralized Database – Unlike traditional cybersecurity measures, there is no single, searchable database of leaked data on the Dark Web.
  • Hidden & Encrypted Networks – Many cybercriminal sites operate within closed or invitation-only forums, making access and monitoring extremely challenging.
  • Evolving Threats – Ransomware groups frequently change their domains, use encrypted communication channels, or rebrand under new identities, making tracking efforts inconsistent.
  • Delayed or Partial Disclosures – Attackers may leak only a portion of stolen data as a pressure tactic, making it difficult to determine the full extent of exposure.

Despite these challenges, our team does everything possible to stay ahead of emerging threats and identify compromised data as early as we can.

How We Monitor

We use both automated and manual methods to track leaks:

  • Automated Monitoring – We employ tools that, where possible, continuously scrape known ransomware data leak sites, allowing us to receive alerts whenever new data is posted. However, not all stolen data is made public, meaning some breaches remain undiscoverable.
  • Manual Investigations – Our team personally checks ransomware data leak sites and associated platforms daily to capture information that automated tools may miss. This is time-consuming and resource-intensive, but necessary given the inconsistent nature of cybercriminal activity.

If we are unable to determine which ransomware group is responsible for an attack, we expand our monitoring efforts by checking:

  • Social media and cybercriminal discussion forums
  • Ransomware research sites
  • Known data leak platforms used by multiple threat actors

Privacy Act 2020 Compliance
Under the Privacy Act 2020, organisations must notify the Office of the Privacy Commissioner and affected individuals if a data breach is likely to result in serious harm. Our monitoring efforts assist in identifying breaches early, but it is important to note that not all data leaks are publicly disclosed.

Our Commitment Despite the Challenges
While no Dark Web monitoring service can guarantee the discovery of every stolen data set, we remain dedicated to providing the most thorough monitoring possible. Cybercriminals continuously adapt their methods, but our combination of automation, human expertise, and multi-source intelligence allows us to do our best in a challenging and constantly shifting landscape.

There are two main types of data we monitor:

Data Leak Sites
Data leak sites are primarily used by ransomware groups to post stolen data as leverage to force victims into paying a ransom. Their main purpose is extortion, where cybercriminals display proof of a breach and threaten to release more sensitive information if the victim doesn’t comply. Monitoring these sites is easier than monitoring dark web forums, as they are often public or semi-public, designed to be visible to victims and third parties. However, challenges include CAPTCHA or anti-scraping protections, and attackers often remove data after negotiations, reducing the time organisations have to respond. These sites play a crucial role in “double extortion,” a growing ransomware tactic where ransom is demanded not only to decrypt data but also to prevent its public exposure.

Dark Web Forums
In contrast, dark web forums are broader environments where cybercriminals communicate, collaborate, and trade stolen data, malware, and hacking tools. These forums are harder to monitor due to their hidden, encrypted nature and invitation-only access. Forums serve as marketplaces and discussion spaces for threat actors to share techniques and plan attacks, making them a breeding ground for criminal activity beyond data extortion, such as selling credentials or launching new attacks. Monitoring requires a mix of automated and manual efforts, but interpreting the vast amount of data, often full of exaggerated or false threats, remains a challenge.

Our Dark Web Monitoring service uses human and machine intelligence to shine a light on the Dark Web.