
Dark Web OSINT for Security Defenders

Open source intelligence (OSINT) gathering on the dark web is a core function for threat intelligence teams, brand protection services, and incident response professionals. Monitoring dark web forums, paste sites, and marketplaces helps organizations detect compromised credentials before they are used in attacks, identify when proprietary data appears in breach forums, track threat actor activity relevant to specific industries, and gather early warning intelligence about planned attacks. This guide covers the legal and technical methods security professionals use to gather defensive intelligence from Tor and dark web sources, with attention to the operational security practices necessary to conduct this work without exposing the investigator or their organization.


Legal Framework for Dark Web OSINT

OSINT on publicly accessible dark web sources (forums with public read access, paste sites, search-indexed content) is generally legal in most jurisdictions. Legal lines that must not be crossed in defensive OSINT: (1) purchasing access to illegal marketplaces even for intelligence purposes may constitute participation in illegal commerce, (2) paying for stolen data access (even to 'see what was stolen') in many jurisdictions constitutes receipt of stolen property, (3) downloading malware samples for analysis requires legal authorization in some jurisdictions, (4) exceeding authorized access to any system (including dark web systems that require authentication) is illegal under computer fraud laws in most jurisdictions. Consult legal counsel before establishing a dark web monitoring program. Most large organizations use specialized threat intelligence vendors (KELA, Recorded Future, Digital Shadows/ReliaQuest) who maintain appropriate legal agreements for their monitoring activities.

Credential and Breach Monitoring on Dark Web Forums

Compromised credentials (username/password combinations) are commonly traded and sold on dark web forums and paste sites. Breach data typically flows: company breach -> data sold to a small group of buyers -> data shared more broadly on forums -> data appears on paste sites and aggregators like Have I Been Pwned. Security teams monitoring for their organization's credentials should: (1) establish accounts on major breach aggregation services (HaveIBeenPwned Enterprise, Dehashed) for automated monitoring, (2) manually monitor major dark web forums where breach data is traded - currently Breached (formerly RaidForums), BreachForums successors, and specialized forums for specific industries, (3) use automated monitoring tools: SpiderFoot with dark web modules, Maltego dark web transforms, or specialized products (KELA, Intsights). Effective credential monitoring requires regular forum access, which in turn means creating and maintaining forum accounts - an operational security task with its own risks.

Safe Infrastructure for Dark Web OSINT

OSINT investigators need infrastructure that does not expose their identity or their employer to the sites being monitored. Safe infrastructure requirements: (1) a dedicated OSINT VPS or virtual machine that is never used for personal or employer traffic, (2) Tor Browser as the primary browsing tool for all .onion access, (3) for clearnet dark web-adjacent sites: use Tor Browser or a commercial VPN with a no-logging policy, (4) no personal email addresses or accounts linked to OSINT investigation accounts, (5) payment for any required forum memberships via Monero or Bitcoin obtained without KYC linkage to the analyst's identity. A VPS running Tails OS (an amnesic, Tor-routed operating system) provides a strong foundation: all traffic routes through Tor, there is no persistent disk state, and hardware fingerprinting is reduced. For large-scale monitoring, use a dedicated OSINT VPS running automated monitoring tools (SpiderFoot, custom scrapers) that routes all traffic through Tor.

Monitoring Tools and Automation

Automated tools for dark web monitoring: SpiderFoot is an open-source OSINT framework with modules for dark web sources, breach data aggregators, and paste sites. Configure SpiderFoot to route through Tor (set its proxy to Tor's SOCKS5 endpoint). Custom Python scrapers can use Requests with SOCKS proxy support: either run the scraper under torsocks, or configure the requests session with a SOCKS5 proxy (pip install PySocks). For scheduled monitoring, run scrapers on a cron schedule to check specific forums and paste sites for new content matching monitored keywords (organization name, executive names, domain names, IP ranges, email domains). Store results in a local database (PostgreSQL or SQLite) for historical comparison and alerting. Alert on new hits: send alerts via a Signal bot or email (via a ProtonMail account created over Tor) when monitored terms appear in new content.
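As an added illustration (not code from the article, SpiderFoot or any vendor), a minimal Python monitor in the shape described above: a requests session pinned to Tor's SOCKS5 proxy, keyword matching against a watchlist, and SQLite storage keyed by a hash of each hit so a given finding is alerted on only once. The proxy address, the watchlist and the sample page are assumptions constructed for the demo; the socks5h scheme matters because .onion names can only be resolved by the proxy, and using it also keeps DNS lookups off the clearnet.

```python
import hashlib
import re
import sqlite3
from datetime import datetime, timezone

# Assumption: Tor's default SOCKS port. socks5h makes the proxy resolve names,
# which .onion addresses require and which also prevents DNS leaks.
TOR_PROXY = "socks5h://127.0.0.1:9050"
# Constructed watchlist covering the term classes named above (domain, email domain, IP range).
WATCHLIST = ["example-corp.test", "@example-corp.test", "10.42.0."]

def make_session():
    """requests session that sends every request through Tor (needs PySocks)."""
    import requests  # imported here so the offline demo needs no network libraries
    session = requests.Session()
    session.proxies.update({"http": TOR_PROXY, "https": TOR_PROXY})
    return session

def init_db(path=":memory:"):
    """Local hit store; the primary key is what prevents repeat alerts."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS hits (id TEXT PRIMARY KEY, url TEXT, "
               "term TEXT, snippet TEXT, first_seen TEXT)")
    return db

def find_hits(text, watchlist=WATCHLIST):
    """(term, snippet) for each case-insensitive occurrence of a watchlist term."""
    hits = []
    for term in watchlist:
        for m in re.finditer(re.escape(term), text, re.IGNORECASE):
            lo, hi = max(0, m.start() - 30), min(len(text), m.end() + 30)
            hits.append((term, text[lo:hi].replace("\n", " ")))
    return hits

def record_new_hits(db, url, text):
    """Store hits keyed by SHA-256(url, term, snippet); return only the unseen ones."""
    new = []
    for term, snippet in find_hits(text):
        hit_id = hashlib.sha256(f"{url}\0{term}\0{snippet}".encode()).hexdigest()
        try:
            db.execute("INSERT INTO hits VALUES (?,?,?,?,?)", (hit_id, url, term,
                       snippet, datetime.now(timezone.utc).isoformat()))
            new.append((term, snippet))  # alerting (Signal bot, email) hangs off this list
        except sqlite3.IntegrityError:
            pass  # this exact snippet from this URL was already alerted on
    db.commit()
    return new

# Constructed sample page standing in for make_session().get(url).text from a paste site.
SAMPLE_PAGE = "fresh combo list\nadmin@Example-Corp.test:<password>\nnothing else\n"
```

In a cron-driven run, call record_new_hits() for each monitored URL and send an alert only for what it returns; the same page fetched again yields nothing new.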

Evidence Collection and Documentation

When dark web OSINT reveals actionable threat intelligence (the organization's data for sale, planned attacks), documentation for legal or law enforcement purposes requires attention to evidence integrity. Best practices: (1) screenshot with browser developer tools visible (showing the .onion URL), (2) record the Tor circuit path at the time of discovery (Tor Browser's circuit information panel), (3) hash screenshots and documents (SHA-256) immediately after capture to establish file integrity, (4) document the complete discovery chain (search query used, links followed, timestamp of discovery), (5) for law enforcement reporting: consult the organization's legal counsel about how to present dark web evidence in a way that is admissible and does not expose the investigator's methods. Law enforcement in many jurisdictions has experience with dark web evidence.
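An added example (not from the article) of steps (2) to (4) above: each captured artifact is hashed with SHA-256 as soon as it is saved, a manifest records the .onion URL, the Tor circuit and the discovery chain alongside those hashes, and the hashes can be re-checked later to show nothing was altered. The file names, URL, circuit labels and chain entries are constructed placeholders, and the demo writes only to a temporary directory.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Stream the file so large screenshots or HTML dumps do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(artifacts, onion_url, circuit, discovery_chain):
    """Tie each captured file to its hash, the .onion URL, the circuit and the path taken."""
    return {
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "onion_url": onion_url,
        "tor_circuit": circuit,              # as shown in Tor Browser's circuit panel
        "discovery_chain": discovery_chain,  # query used, links followed, timestamps
        "artifacts": [{"path": p, "sha256": sha256_of(p)} for p in artifacts],
    }

def write_manifest(manifest, path):
    """Write the manifest and return its own SHA-256 to record alongside it."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()

def verify_manifest(path):
    """Re-hash every artifact; returns the paths whose contents no longer match."""
    with open(path, "rb") as f:
        manifest = json.load(f)
    return [a["path"] for a in manifest["artifacts"] if sha256_of(a["path"]) != a["sha256"]]

def demo():
    """Offline walk-through on constructed files (not a real capture): returns
    (mismatches before tampering, mismatches after one file is edited)."""
    work = tempfile.mkdtemp()
    files = {"listing.png": b"\x89PNG constructed screenshot", "listing.html": b"<p>constructed</p>"}
    paths = [os.path.join(work, n) for n in files]
    for p, content in zip(paths, files.values()):
        with open(p, "wb") as f:
            f.write(content)
    manifest_path = os.path.join(work, "manifest.json")
    write_manifest(build_manifest(paths, "http://placeholder.onion/thread/1",
                                  ["guard", "relay 2", "relay 3"],
                                  ["search 'example-corp'", "opened thread/1"]), manifest_path)
    before = verify_manifest(manifest_path)
    with open(paths[1], "ab") as f:
        f.write(b"<!-- edited after capture -->")
    return before, verify_manifest(manifest_path)
```

Record the value write_manifest() returns in the case notes as well, so the manifest itself can be checked for later edits.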
