Dark web site operators and users want to stay anonymous. This makes perfect sense in an environment where personal identities are dark commodities in a lucrative trade. Data breaches exposed 36 billion records in the first half of 2020, and personal data was a factor in over 58% of data breaches overall. This is one of the factors that underscore the need for corporations to have extra visibility into the dark web so they can look for and monitor their own risks.
What's different on the Dark Web?
The surface web and mainstream social platforms tend to take a divide and conquer approach. Depending on where you live, the language you speak, as well as your personal preferences, the surface web has been made more adaptive to give you something very specific and unique to you. Social platforms like Twitter behave in much the same way, focusing your attention on regional or affinity-based content and trends.
The dark web is an entirely different beast for threat researchers to tackle. Site operators and users go out of their way to conceal or misdirect their identity, especially if their actions are illegal. Tracing the identities of the most high-profile bad actors on the dark web often requires international operations involving multiple nations.
Americans and Russians connect more often
The TOR browser is used all over the world to access special dark web .onion domains. Each connection to the dark web involves a series of relays before ultimately accessing the intended .onion domain. This allows users to stay a few steps removed from the site, and thereby anonymous to the site owner.
Among those who connected to TOR directly by relay in 2020, the United States accounted for the largest proportion of users (25.9%), followed by Russia (14.55%), Germany (8.02%), and the Netherlands (4.87%), according to the latest estimates from the TOR browser. The top ten countries go on to include France, Indonesia, the United Kingdom, Ukraine, India, and Canada.
Relays do not mean the traffic is completely untraceable. TOR needs to know where to direct the connections, after all. The list of relays is not secret. For people living in countries with oppressive governments, this relay information can be used to block access. Bridges are the solution to this problem. Bridges are unpublished relays that can be used to access the TOR network, and this list is not made public.
Iran represented the highest proportion of bridge users in 2020, accounting for 26% of the estimated connections, followed by Russia (16.26%), the United States (9.13%), and China (3.5%). Other countries where bridges are used include, in order of usage, Germany, Belarus, India, Turkey, and the United Kingdom. That being said, a much smaller number of people use bridges.
All told, the United States and Russia make up the largest total population on the dark web and accounted for, respectively, 555K connections and 317K connections in 2020.
English is the unofficial language of the Dark Web
In spite of the global cast of dark web users, English makes up a disproportionate share of the content that is posted. Media Sonar analyzed a sample of 30 million pieces of data (posts or pages) from the dark web from January 1, 2020 to December 31, 2020. Among the official languages of the top 5 countries by total users who connected to the TOR network in 2020, English is overrepresented compared to the other languages.
English accounted for a whopping 78% of the data available on the dark web during that time. Russian accounted for 17% of the posts we analyzed and German accounted for 4%. French and Dutch accounted for a combined 1% of the data. No other language comes close to competing with the amount of data in English and Russian on the dark web.
A global problem for companies
Keeping bad actors out is not working and by the time the personal data is exfiltrated, it’s often too late. For companies, the threat of the dark web is pervasive and global. Proactively assessing and monitoring exposure on the dark web is a lot easier than it once was. To understand bad actors, mitigate risks to their own networks and assets, and stay ahead of the threat landscape, companies should consider the role of the dark web in their intelligence lifecycle.