I Searched The Dark Web for Breached Data

Kim Crawley
Dolores Bernal
September 14, 2023

I’m a cybersecurity researcher. Instead of being an employee of one company for years, I’ve taken on a lot of small, interesting gigs as a freelancer. 

Usually, my job involves researching a particular cybersecurity problem, such as malware, a vulnerability, or an exploit, and writing an article about it for the general public to read. I typically produce a blog like the one you’re reading right now!

But in late 2020, I was given an unusual gig. A third-party agency had a client that’s one of Canada’s better-known banks. Because I’m not naming either entity, I can tell you a bit about what I did. 

Banks and other kinds of financial institutions are major targets of cybercrime. It makes sense. These institutions have tons of sensitive data, and they’re also literally in the money business.

Cybercriminals can make a lot of money by maliciously acquiring some of a bank’s sensitive data. Some of this sensitive data concerns multimillion- and multibillion-dollar corporations.

But a lot of it also pertains to ordinary people like us with much more modest bank accounts. We’re also lucrative theft and fraud targets, especially if a cybercriminal can steal data and money from thousands of us at a time.

My job through the agency was to explore the dark web for signs of crime against this particular bank. 

Let’s dive deeper.

What’s the Dark Web?

There’s a part of the web that you can’t access through an ordinary web browser. 

Two major proxy networks, Tor and I2P, host parts of the web and other Internet services behind multiple layers of encryption.

To access the part of the web that’s deployed on Tor, you need the Tor Browser. And you need a special client to access I2P. When you use these applications, you can explore the Tor or I2P networks, and you can also explore the “clearnet” web, the ordinary part of the web that we’re all familiar with. You’re on the clearnet right now! 

When you use the Tor Browser or an I2P client, you send and receive data over the Internet through a series of encrypted proxy server nodes. Each node only knows the IP address of the node before it and the node after it on the route. 

IP addresses are how computers, phones, servers, and other devices are identified on the Internet. Only the node directly connected to your phone or PC knows your IP address, and only the node directly connected to the destination Internet server knows its IP address. 

Data packets along this route are strongly encrypted (to protect the privacy and integrity of your data), and only one node knows your IP address. In that way, you’re imperfectly anonymized. 
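The layering described above can be seen in a small simulation. This is an added example, not code from Tor or I2P: the cipher is a toy stand-in, the relay names (`guard`, `middle`, `exit`) stand in for relay IP addresses, and the keys and addresses are constructed. Real networks negotiate a separate key with each relay when the route is built.

```python
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); illustration only, not real crypto."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(route, destination, payload):
    """Client: build the onion from the inside out, one encrypted layer per relay."""
    next_hop, blob = destination, payload
    for name, key in reversed(route):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob, next_hop = keystream_xor(key, layer), name
    return next_hop, blob  # first relay to contact, plus the fully wrapped onion


def peel(key, blob):
    """Relay: remove exactly one layer, learning only where to forward the rest."""
    layer = json.loads(keystream_xor(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def simulate(client_ip, route, destination, payload):
    """Pass the onion along the route and record what each relay could observe."""
    keys = dict(route)
    hop, blob = wrap(route, destination, payload)
    previous, seen = client_ip, {}
    while hop in keys:
        nxt, blob = peel(keys[hop], blob)
        seen[hop] = {"previous": previous, "next": nxt}
        previous, hop = hop, nxt
    return seen, blob


# Constructed sample: documentation-range IPs and made-up per-relay keys.
ROUTE = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

if __name__ == "__main__":
    seen, delivered = simulate("203.0.113.7", ROUTE, "198.51.100.20", b"GET / HTTP/1.1")
    for relay, view in seen.items():
        print(relay, view)
    print("delivered:", delivered)
```

Only the first relay's view contains the client address and only the last relay's view contains the destination; the middle relay sees neither.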

In most of the world, using the Tor or I2P networks is completely lawful. In fact, the onion routing technology both Tor and I2P use was initially developed in the 1990s by the United States Naval Research Laboratory to protect American intelligence secrets.

There are many noble use cases for Tor and I2P too. Investigative journalists and political activists working for the good of society benefit from the privacy they have while using Tor and I2P. And here at Home Security Heroes, we know how important privacy is for everyone. 

The law is broken when you use Tor or I2P to do things that would also be illegal to do offline. Selling illicit substances and stolen credit card data is criminal whether or not you use a computer to do it. 

The dark web is the part of the web that’s only accessible through Tor and I2P, although the term is sometimes used to describe only the parts of those networks that are used for crime.

If you’re a regular person who simply wants an extra layer of privacy for your Internet usage, using Tor or I2P can be one of the many privacy layers and security measures you use. 

Back around 2010 when I started using Tor, I found it really slowed my web surfing down. But now, with a lot more nodes on the network, I don’t find Tor to have noticeably more latency than the clearnet anymore. 

Dark Web Markets

Using Tor and I2P is lawful in most of the world and morally okay. But just like lighters and knives, encrypted proxy networks can be used for good and bad.

The relative anonymization that Tor and I2P provide is very attractive to criminals who want to cover their tracks.

The dark web contains many dark web markets and forums. 

Dread, which is most likely the most popular dark web forum, is modeled on Reddit.

It has many subforums on various topics that Dread users find interesting, and its equivalents of subreddits are called subdreads.

Some subdreads are for discussion about particular dark web markets. Others, like /d/OpSec and /d/hacking, feature cybercriminals talking about how they avoid getting caught and how they conduct cyber attacks.

Dark web markets are mainly modeled after eBay. Theoretically, anyone can be a buyer or vendor. 

Vendors especially need to keep their identities secret. So how do you know whether a vendor is going to sell you real marijuana or ripoff oregano? Buyers rate vendors for their trustworthiness in the same way buyers rate vendors on eBay. 

That oregano dealer uses a unique username on the market, and too many oregano recipients mean they’d develop a very untrustworthy reputation.

My Non-Italian Job

Because cybercrime is a common threat to banks, they often have internal teams dedicated to researching cybercrime so the bank can protect itself and its customers. 

Sometimes they also hire external teams, independent contractors who aren’t bank employees. People like me.

My job was to go to dark web markets and forums, look for evidence of crime targeting that bank specifically, acquire evidence through screenshots, and write reports about my findings. 

I figured out that the reason they hired both external and internal researchers is so the findings of external researchers can be used to sanity check the findings of internal researchers. If both people inside and outside of the bank, people who’ve never met each other and never will, see the same things, then it makes it doubly likely that what we’ve found is real.

I found lots of crimes against the bank I was working for at arm’s length.

During my research, I found databases of breached credit card data from the bank’s customers. I didn’t see any sensitive financial data directly. I didn’t purchase anything from any cybercriminals. That would be breaking the law.

What I did see were web pages advertising the credit card databases, and I took screenshots of them. Even with an anonymous username, law enforcement and other investigators can use that as a lead to investigate further. 

Illicit online vendors have conflicting needs. They cannot reveal their real-life identities and don’t want to be trackable. But they need to develop a positive reputation on dark web markets and establish their own brand as a vendor of high-quality, reliable breached data or other illicit goods. 

I also found phishing kits that targeted the bank. 

Phishing is when a fake website, text message, email, or social media post is used to look like those made by a trusted entity, such as Netflix, Amazon, your utility company, the government, or your grandmother.

By digitally impersonating a trusted entity, cybercriminals can entice you to give them sensitive information directly through a form or click on a malicious link that steals sensitive information from your phone or PC. For example:

“Email to HomeSecurityHeroesFan@domainname.com, from ConsumerAlert@BankX.net

Subject: ‘Your account has unauthorized charges! Take action.’

Dear Home Security Heroes Fan. This is Bank X. We’ve detected unauthorized charges to your checking account. Click here to review this potentially malicious activity so we can refund your account.”

Not only does the sender’s domain name look authentic, but so do the embedded graphics in the email. They’re the same graphics Bank X usually uses! And when you click on the link, the website looks just like Bank X’s real website.

You enter your Bank X username and password to log in. Unbeknownst to you, the cybercriminal now has your username and password, and they can make actual unauthorized charges to your checking account. Or, they could also take that username and password and whatever other data they find in your online banking account and put it in a database that they sell to other criminals on a dark web market.

Phishing kits contain graphics and pre-developed web content that a criminal can use to make their own emails and websites that impersonate that bank in particular.

So it’s useful for ordinary people to know that sort of cybercrime EXISTS. It’s very common, and we can use that knowledge to protect ourselves.
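A mail filter or a careful reader can check where a message's links really go instead of trusting how it looks. The sketch below is an added example, not part of the original article: it assumes `bankx.net` (the sender domain in the sample email above) is Bank X's genuine domain, and the message body and link are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domain the real Bank X sends mail from and links to.
TRUSTED = {"bankx.net"}

# Constructed message modelled on the email quoted above; the link is made up.
SAMPLE = """\
From: Bank X <ConsumerAlert@BankX.net>
To: HomeSecurityHeroesFan@domainname.com
Subject: Your account has unauthorized charges! Take action.
Content-Type: text/html

<p>We have detected unauthorized charges to your checking account.
<a href="https://bankx.net.account-review.test/login">Click here</a>
to review this potentially malicious activity.</p>
"""


class LinkHosts(HTMLParser):
    """Collects the host name of every <a href> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append((urlparse(href).hostname or "").lower())


def is_trusted(host: str) -> bool:
    """True only for a trusted domain or a subdomain of one, never a look-alike prefix."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED)


def findings(raw: str) -> list:
    """Return the reasons to distrust a message that claims to be from Bank X."""
    msg = message_from_string(raw)
    # The From header is free text chosen by the sender, so passing this proves nothing.
    sender = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    parser = LinkHosts()
    parser.feed(msg.get_payload())
    reasons = [] if is_trusted(sender) else [f"sender domain {sender} is not Bank X's"]
    reasons += [f"link goes to {h}, not Bank X" for h in parser.hosts if not is_trusted(h)]
    return reasons
```

On the sample, the sender check passes while the link is flagged, because the host only begins with the bank's name and actually belongs to a different domain.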


Dark Web Checkup

Before I give you advice on how to protect yourself from the financial cybercrime that occurs on the dark web, I thought I’d augment my story about the work I did nearly three years ago with more timely discoveries. 

I went on the dark web today, just for you! Well, not you specifically. I don’t know which bank you use, nor am I entitled to know. I just went to see what sort of cybercrime I could find in general, especially if it’s the sort of cybercrime regular people can be victimized by.

Dark web markets come and go. Often one will operate for a few months or a year or so. Then law enforcement catches up and is able to shut it down. But ever since the first ever dark web market, the Silk Road, came and went, there have always been lots of other dark web markets around. One is shut down, the administrators are arrested, and then two more spring up in its place. One of the dark web markets that are currently online (as of this writing in June 2023) is called ASAP Market.

I found lots of interesting things in ASAP Market’s digital goods section! Here’s an example. 

“<Bank Name> Statement PSD Template

This template is fully editable. And is perfect for identification and


We promise:

– Your order will be delivered instantly.

– If you are not satisfied with your order we will refund your order.”

The name is that of an American bank, but I decided to take it out of my example in order to be safe. PSD is a file type that’s used by Adobe Photoshop. The cybercriminal uses the statement template to make authentic-looking bank statements in order to conduct financial fraud against the bank’s customers.

Here’s something else that I found:

“Hello and welcome to <vendor name>!

We are selling high-quality carding products- credit cards / PayPal / guides and so on!

This listing will provide you with:

 – Login to PayPal 100% with cookies without trigger 2FA

 – A PayPal account’s cookies (which you can use to get access to the account)

 – A linked card/bank account

 – Information about the linked credit card/bank account, account type, address information, the last transaction made

– CC linked which has up the balance stated in the title.”

So the vendor is selling stolen credit card numbers; that’s what CC means. 

They’re also selling stolen PayPal accounts, and they promise not to trigger 2FA. 

2FA (two-factor authentication) or MFA (multifactor authentication) is a security feature that we should all use as much as possible. Passwords are considered to be the weakest authentication method, and passwords are often cracked or breached.

2FA and MFA add a second or multiple types of authentication as an extra layer of security to protect your account. Additional methods of authentication can include an OTP (one-time password or PIN) sent by text, email, or to a dedicated phone app such as Google Authenticator. 

The latter OTP method is more secure because SMS text messages and emails are intercepted more often. Another method of authentication could be some sort of biometrics, such as a fingerprint scan. In cybersecurity, we call that authenticating with “something you know” (your password), “something you have” (your phone with the OTP app), and “something you are” (your fingerprint). 

I could spend 40 hours per week looking for cybercrime that targets ordinary people on the dark web, and I’d find hundreds or thousands of incidents. But that’s not my day job right now.

Security Tips

It’s easy for criminals to conduct phishing attacks. 

The quality of phishing kits and the sophistication of cybercriminals mean that phishing incidents can even fool me. 

So if your bank, utility company, streaming service, or government agency emails or texts you asking for information urgently, be suspicious:

  • “We have that package you ordered! Get it before we take back our delivery!” 
  • “Your bank account has unauthorized charges!” 
  • “This is the government and if you don’t give us the money you owe us, we can have you arrested!”

If I received an email that looks like it’s from my bank that demands information, money, or for me to do anything else, I can verify its authenticity. I’m a Millennial and us Millennials hate making phone calls. But I’d push myself to phone my bank or visit my bank branch and ask them if the message is legitimate. 

If I’m visiting my bank branch, I can take my phone with me and show the message to a person who works there. If the message is actually a phishing attempt, I can report the phishing message to my bank and also report it as phishing to Gmail or whichever email provider I’m using. 

No legitimate bank or government agency would penalize you for not acting right away, nor for asking them for verification.

Never ever share anything publicly online that could reveal your bank account number or credit card number. I buy things online all the time, but only from online vendors that I trust. If I explore their website, I may be able to check if they comply with PCI DSS. PCI DSS is a security standard that retailers have to be compliant with in order to safely accept credit card numbers and bank account information to conduct transactions. 

A PCI DSS compliant retailer will only transmit your credentials through strong encryption, and will always store your data in the most secure way possible. Even then, you can be a victim of a cyber attack. But the likelihood is greatly reduced with PCI DSS compliance.

Use password managers in your PC web browsers and on your phone. A good password manager can generate long and complex passwords for each of the services you use, including your online banking. And then you won’t have to create less secure passwords because you won’t have to remember them.

Enable MFA as often as possible. Not all online services support MFA, but most do.

Set up alerts that can notify you of suspicious activity. I’ve set up my online banking so that I always get an email when money is withdrawn from or deposited to my bank account, or when my credit card is used to make a charge. If I see any activity that I don’t recognize, I can notify my bank. Security apps like Aura can also give you threat monitoring alerts so you can take action before more harm is done.

Dark web cybercrime can be quite disturbing, and we’re all susceptible to it. Fortunately, we can stay alert about it and not feel helpless.