May 19, 2026

The intelligence community’s understanding of Arabic-language activity on the dark web has lagged significantly behind research focused on English-speaking environments.

A newly published, prestigious ‘Scopus Q1’ study is beginning to close that gap, and the findings carry direct operational implications for government investigators, law enforcement agencies, and cybersecurity analysts working the MENA (Middle East and North Africa) region and beyond.

The study is written by Dr. Mohammad Shadi Alhakeem, Assistant Professor of Cybersecurity & Digital Forensics, College of Forensic & Investigative Sciencesat the Naif Arab University for Security Sciences (NAUSS). This blog is based on peer-reviewed research published in IEEE Access: “Investigating Cryptocurrency-Enabled Illicit Activities on the Arabic Deep/Dark Web” by Prof Mohammad Shadi Alhakeem.

Flying Under the Radar

The Arab world’s digital footprint is enormous and growing fast. Internet penetration across the region has reached approximately 70%, with countries like Saudi Arabia exceeding 99%.

Meanwhile, the Middle East and North Africa ranked seventh globally in on-chain cryptocurrency value received in 2024 — roughly $338.7 billion in a single twelve-month period.

That’s not just economic activity.

It’s a substantial attack surface.

The combination of widespread internet access, high cryptocurrency adoption, and anonymizing technologies like the Tor network has created fertile conditions for illicit activity — much of it conducted in Arabic and largely invisible to investigators relying on English-language intelligence sources. This study is one of the first systematic efforts to document what’s actually happening in this space.

The Investigation Begins

The researchers used DarkOwl Vision as the primary tool for identifying and analyzing Arabic-language content containing cryptocurrency addresses. DarkOwl Vision indexes one of the world’s largest databases of dark web content, spanning Tor, I2P, ZeroNet, Telegram, and Discord, without requiring investigators to directly access dangerous or illicit networks themselves.

Figure 1: Sample of a finding from the Arabic Darknet containing Monero Donation Address, Source: DarkOwl Vision

This matters operationally. Standard OSINT approaches often require analysts to navigate anonymization networks directly, exposing them to harmful content and operational risk.

DarkOwl automatically and anonymously indexes this content, sanitizes explicit material, and presents results in plain text — protecting the analyst while delivering the intelligence. Its filtering capabilities allowed the team to narrow more than 3.1 million initial results to actionable data by applying filters for language, cryptocurrency entity type, network source, and crawl timeframe.

From that starting pool — spanning July 2024 through June 2025 — the team identified 4,711 results containing cryptocurrency addresses. After de-duplication, that yielded 95 unique addresses tied to illicit activity, each analyzed for type, linked activity, source network, appearance frequency, and total funds received.

What They Found: 6 Categories of Illicit Activity

The resulting 95 addresses were classified across six categories:

Unverified Humanitarian Aid Solicitations (UHAS) — Campaigns soliciting cryptocurrency donations, primarily framed around aid to Gaza, with no affiliation to any recognized humanitarian organization. This category accounted for the largest number of unique addresses and the largest volume of funds received. More than 85% of all tracked payments — including one address that received approximately $50,000 — flowed to UHAS addresses, reflecting sophisticated exploitation of public sympathy.

Dark Web Marketplaces (DWM) — Platforms facilitating the trade of illicit goods, including drugs, within the Tor ecosystem.

Cyber Threat Actors (CTA) — Entities conducting malicious cyber operations, predominantly affiliated with pro-Iranian hacktivist groups including 313 Team and LulzSec.

Terrorism Financing (TF) — Activity directly linked to financing terrorism, with specific ties to ISIS. Despite representing fewer unique addresses, this category generated the highest frequency of appearances across DarkOwl’s dataset.

Child Sexual Abuse Material (CSAM) — Multilingual onion sites serving as platforms for uploading and distributing CSAM.

Dark Web Blogs and Forums (DBF) — A catch-all for political discussions, sexual content, and other material from onion sites outside the five primary categories.

What the Coins Tell Us

One of the study’s most operationally significant findings is the behavioral distinction between actors using pseudonymous cryptocurrencies like Bitcoin (BTC) and Tether (USDT) versus those using privacy coins like Monero (XMR) and Zcash (ZEC).

BTC and USDT dominated by volume and appeared predominantly on Telegram.

Privacy coins were concentrated almost exclusively on Tor-based Onion sites.

The platform choice wasn’t random — threat actors are deliberately matching their anonymity tools, pairing privacy coins with the Tor network for maximum operational security.

For investigators, BTC and USDT transactions leave traceable blockchain records. Specialized tools like Crystal Expert, TRM Labs, and Chainalysis Reactor can analyze transaction histories, identify clustering patterns, and link addresses to real-world entities.

Monero and ZCash are a different problem entirely. Their cryptographic design obscures transaction details at the protocol level, and the study was unable to determine the volume of funds received by any privacy coin address. Given that these addresses are disproportionately linked to Terrorism Financing and CSAM, that blind spot is not a minor inconvenience — it’s a critical investigative gap.

Operational Security

None of the 95 addresses appeared on both Telegram and the Tor network. The platform separation was absolute — a clear sign of deliberate compartmentalization designed to prevent de-anonymization. These actors understand the forensic trail that cross-platform address reuse creates, and they’re avoiding it. Some Monero addresses had first appearances in DarkOwl’s dataset dating back to early 2022, indicating operations that have run continuously for years.

What Investigators Can Do

Telegram is where the volume is, but the Tor network is where the most serious crimes are concentrated.

Agencies with limited resources should weigh their coverage accordingly. Unverified humanitarian solicitations deserve coordinated public awareness efforts — the financial flows are substantial, and these campaigns risk eroding public trust in legitimate aid organizations. For terrorism financing and CSAM cases, traditional blockchain analysis won’t be sufficient where privacy coins are involved: acquiring darknet monitoring, forensic tools and building relationships with Virtual Asset Service Providers is essential.

DarkOwl: The Infrastructure Behind This Work

This research was made possible through DarkOwl, and the capabilities it demonstrates aren’t limited to the research context — they’re what DarkOwl delivers to government agencies, law enforcement, and intelligence teams every day.

DarkOwl Vision’s combination of breadth across platforms, depth of historical data, and analyst safety makes it the tool of choice for exactly the kind of cross-platform, multilingual, cryptocurrency-focused investigations this study documents.

The Arabic dark web is no longer uncharted territory. Mapping it accurately — and keeping that map current — requires the right intelligence infrastructure. DarkOwl is where that work happens.

---

Curious to see more? Contact us.