January 13, 2026

Thanks to our analyst and content teams, DarkOwl published over 100 pieces of content last year. DarkOwl strives to provide value in every piece written, highlighting new darknet marketplaces and actors, trends observed across the darknet and adjacent platforms, exploring the role the darknet has in current events, and highlighting how DarkOwl’s product suite can benefit any security posture. Below you can find 10 of the top pieces published in 2025.

Don’t forget to subscribe to our blog at the bottom of this page to be notified as new blogs are published.

1. Telegram’s Crackdown: Why Accounts Are Getting Banned and What You Need to Know

The founder and CEO of Telegram, Pavel Durov, was arrested on August 24, 2024, at Paris-Le Bourget Airport. French authorities detained him as part of an investigation into Telegram’s alleged insufficient moderation of illegal activities on its platform, including child exploitation and drug trafficking. Following his arrest, Durov was indicted on multiple charges on August 28, 2024. He was placed under judicial supervision, prohibited from leaving France, and required to post bail of €5 million. As of February 2025, Durov remains under judicial supervision in France, awaiting further legal proceedings where he must appear at a police station twice a week. Should he be found guilty the most serious charge complicity in the administration of an online platform to enable organized crime and illicit transactions carries a maximum penalty of 10 years’ imprisonment, and a €500,000 ($521,000) fine.

In response to their CEO’s arrest Telegram announced plans to enhance its moderation policies and has expressed a willingness to cooperate more closely with law enforcement. They have been seeking to ensure that they are co-operating with authorities while claiming to continue to prioritize users’ privacy.

In this blog, we will explore what changes Telegram have said they have made, what effect DarkOwl analysts are seeing in response to these changes and what impact we expect to see in the future. Read blog here.

2. The State of Darknet Marketplaces in 2025: Trends, Metrics, and Insights

The darknet is a hidden part of the internet that operates beyond the reach of traditional search engines and mainstream platforms. Within this space, darknet marketplaces have emerged as virtual bazaars where anonymous buyers and sellers trade goods and services, often illicit, using privacy-focused technologies like Tor and cryptocurrencies such as Monero and Bitcoin. These markets are structured much like legitimate e-commerce sites, featuring product listings, vendor ratings, customer reviews, and even dispute resolution systems.

DarkOwl collects data from a wide range of marketplaces, capturing the breadth of listings, vendor activity, and community interactions. In this blog, we explore the state of darknet markets in 2025, highlighting which platforms lead in listings and vendor count, how products are distributed across categories, the flow of shipments around the world, and patterns of user engagement through reviews.

By examining these factors, we aim to provide a window into the scale, structure, and dynamics of this hidden economy, revealing both the major players and the underlying trends shaping the market landscape. Full blog here.

3. Extra! Extra! Read all about it! Archetyp Marketplace Takedown! 

In a major blow to the online drug trade, law enforcement agencies across Europe and the U.S. have taken down Archetyp Market, one of the most active and profitable dark web drug markets of the past five years. 

Launched in 2020, Archetyp wasn’t just another black market, it was the market. With over ~600,000 users and ~3,200 vendors, the platform facilitated transactions involving cocaine, meth, MDMA, and other narcotics. By its final days, it had moved an estimated $~250–290 million in illicit goods, making it a titan among darknet marketplaces. Read blog here.

4. BreachForums Disruption Sparks Copycat Domains and Darknet Chaos

BreachForums abruptly went offline, prompting a wave of opportunistic copycat domains and widespread confusion within the dark web community. The shutdown—now allegedly confirmed via a PGP-signed statement by former administrators—was attributed to a zero-day exploit targeting the MyBB forum software. This vulnerability was reportedly exploited either by law enforcement or rival threat actors. Read more.

5. Dark Web Pharmacy and Illegal PX Medication Sales 

Dark web “pharmacies” have become a global black market for prescription medications and counterfeit drugs. These underground vendors operate on hidden parts of the internet, accessible only with special software like Tor, and sell everything from opioid painkillers and anxiety meds to fake pills. Recent international crackdowns have led to hundreds of arrests across multiple continents, showing just how far-reaching and organized this trade has become. By using encryption and anonymous networks, dark web drug sellers connect with buyers around the world while evading traditional law enforcement. This blog looks at where these rogue pharmacies are found and the platforms they use to move drugs outside the law. Check it out.

6. Threat Actor Spotlight: The Terrorgram Network: Origins, Operations, and Downfall

In April 2024 the UK took the unprecedented step to sanction a group known as Terrorgram as a terrorist organization.  The UK was the first country to take this step, proscribing the group which consists of various Telegram channels which have been used to share and encourage extremist ideologies and methodologies. This marked the first time a group that is primarily organized on a messaging app has been declared a terrorist organization.  

In this blog we will explore the origins of the group, how they operated and the current status of the organization. Read more.

7. Whistleblower Sites 101

In this blog, DarkOwl analysts provide a summary of the digital whistleblower landscape, outlining the role of the dark web and examining some noteworthy whistleblower platforms. Read blog here.

8. What is Doxing?

This blog aims to provide a comprehensive overview of doxing, its implications, and strategies to safeguard against it. Learn more.

9. Major Threats and Trends to Look Out for in 2025

As we entered 2025, we predicted what would be the major trends of the year. The ever-shifting landscape of cybercrime continues to evolve, with the darknet remaining a significant hub for illicit activities. From emerging technologies to shifting criminal tactics, understanding these trends is critical for cybersecurity professionals, law enforcement agencies, and the general public alike. Drawing on industry expertise, this post identified seven major threats and trends expected to shape the darknet.
Full blog here.

10. Is Your City on the Dark Web? What Local Agencies Need to Know 

In 2023, investigators in a midsize U.S. city were tipped off to a darknet marketplace vendor offering “same-day delivery” of fentanyl-laced pills within specific zip codes. The listing named street corners and used coded references to local schools. It was not discovered by routine patrols or a community tip. It was found in an online space most local agencies never check: the dark web. 

The dark web is not just a place for global cybercriminal networks. It is a sprawling ecosystem where local-level threats are planned, traded, and discussed. Understanding what is being said about your city, and acting on it, can mean stopping crime before it happens. Read blog here.

2025, That’s a Wrap!

Thank you to everyone who reads, shares and interacts with our content! Anything you would like to see more of, let us know by writing us at [email protected]. Can’t wait to see what 2026 brings! Don’t forget to subscribe to our newsletter below to get the latest research delivered straight to your inbox every Thursday.

January 06, 2026

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Bloody Wolf Threat Actor Expands Activity Across Central Asia – InfoSecurity Magazine

The threat actor group, Bloody Wolf, has been observed using remote-access software to infiltrate government targets throughout Central Asia. Cybersecurity researchers claim the group has shifted from traditional malware to “a streamlined Java-based delivery method”. Reports claim the group has been operating a sustained campaign in Kyrgyzstan since June 2025 and recently began targeting Uzbekistan. By using counterfeit PDF documents, spoofed web domains, and fraudulent emails to pose as the country’s Ministry of Justice, the group has manufactured an air of legitimacy that has facilitated their access. Once a victim opens the downloaded JAR file, the loader retrieves additional components and installs NetSupport RAT for remote control. Read full article.

2. Poland arrests Ukrainians utilizing ‘advanced’ hacking equipment – Bleeping Computer

Three Ukrainians, claiming to be IT specialists, were arrested by Polish police while traveling through Europe. During a routine traffic stop, officers conducted a search of the threat actor’s vehicle, discovering suspicious items that could be “used to interfere with the country’s strategic IT systems, breaking into IT and telecommunications networks”. The seized equipment included “spy device detector, advanced FLIPPER hacking equipment, antennas, laptops, a large number of SIM cards, routers, portable hard drives, and cameras.” The data seized was encrypted but according to officers from Poland’s Central Bureau for Combating Cybercrime (CBZC) claim to have been able to collect evidence. Article here.

3. Chinese Hackers Have Started Exploiting the Newly Disclosed React2Shell Vulnerability – The Hacker News

Hours after CVE-2025-55182 was made public, Amazon Web Services (AWS) observed two different Chinese hacking groups, Earth Lamia and Jackpot Panda, beginning to weaponize the vulnerability. CVE-2025-55182, aka React2Shell, allows unauthenticated remote code execution in React Server Components (RSC). Using automated scanning tools, these threat actors have been observed exploiting additional vulnerabilities including CVE-2025-1338. AWS identified Earth Lamia due to the use of previously used infrastructure the group had demonstrated earlier in the year. This situation highlights threat actors systematic approach in abusing vulnerabilities quickly and learning to scan for common vulnerabilities. Read more here.

4. FCC Warns of Hackers Hijacking Radio Equipment For False Alerts – InfoSecurity Magazine

On November 26, the Federal Communications Commission (FCC) announced threat actors had been hijacking US radio transmission equipment and broadcasting fake emergency tones and offensive material. Several stations in Texas and Virginia were targeted, resulting in broadcasts being disrupted by emergency signals, alert tones, and obscene language. The threat actors targeted Barix network audio devices and reconfigured them to capture attacker-controlled streams. The FCC reports that the incidents stemmed from unsecured equipment, noting that some stations did not discover the compromise until after the attacks and were seemingly unaware as they unfolded. Read here.

6. Glassworm malware returns in third wave of malicious VS Code packages – Bleeping Computer

First emerging in October, the Glassworm campaign, has released 24 new packages distributing malware to OpenVSX and Microsoft Visual Studio. According to Koi Security, Glassworm malwares uses “invisible Unicode characters to hit its code”. Following previous detection, Glassworm evolved technically, using Rust-based implants packaged inside extensions as well as invisible Unicode. Once the malware is installed it attempts to steal GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data from 49 extensions. Additionally, the malware deploys a SOCKS proxy to route malicious traffic and give operators stealthy remote access. Read full article.

7. React2Shell flaw exploited to breach 30 orgs, 77k IP addresses vulnerable – Bleeping Computer

On December 03, React disclosed the vulnerability, CVE-2025-55182 aka React2Shell, detailing “that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.” React2Shell is a security flaw that allows attackers to run code on a server without logging in. It can be triggered with just one HTTP request and affects any framework that uses React Server Components, including Next.js. Over 77K internet exposed IP addresses are vulnerable to React2Shell and researchers believe 30 organizations are already compromised. Read full article.

8. RomCom Uses SocGholish Fake Update Attacks to Deliver Mythic Agent Malware – The Hacker News

The malware group RomCom has been observed using the JavaScript loader, SocGholish, to target U.S. based civil engineering company. By targeting poorly secured websites, the group injects fake Google Chrome or Mozilla Firefox update alerts into otherwise legitimate but compromised pages. These alerts trick users into downloading malicious JavaScript that installs a loader, which then retrieves additional malware. According to Arctic Wolf researchers, this allowed the threat actors to execute commands on the compromised host through a reverse shell connected to the command-and-control (C2) server, enabling activities such as system reconnaissance and deployment of a custom Python backdoor known as VIPERTUNNEL. Learn more.

---

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

December 30, 2025

As 2025 draws to a close, as we do every year, our content and marketing teams are taking a moment to reflect on the exciting events, trends, and changes the DarkOwl team experienced throughout the year. From major product advancements to strategic partnerships and thought leadership in the darknet intelligence space, this year has been marked by progress and momentum. We’re grateful to our customers, partners, and community for your continued engagement and support — and we look forward to building on these successes in 2026!

We hope you continue to find the topics we explore valuable, enlightening, and engaging. One final marketing reminder for the year: be sure to sign up for our weekly newsletter to stay updated on the latest insights from our research and content teams!

Around the World & Across the Industry

In 2025, DarkOwl continued its commitment to engaging with the global cybersecurity community. The team was active at leading industry events, including the RSA Conference in San Francisco, where we showcased our platform capabilities and met with peers and customers to discuss the evolving threat landscape. Check out where we will be in 2026 and request time to meet here.

Beyond trade shows, DarkOwl shared insights through webinars and blog posts on cutting-edge topics — from artificial intelligence’s role in threat intelligence to emerging darknet trends — providing thought leadership to practitioners and analysts worldwide.

And don’t worry! The team also made time for some fun. This summer, in our annual company get-together, we got to meet our adopted owl. 3 years ago, we adopted an owl! He jumped early from his Michigan nest in 2015 and fractured his right wing in two places and was on the ground for about a week next to a barn before he was picked up by the landowners and brought to a rehabilitation center. He was sent to the Raptor Education Foundation in Denver in August, 2016 where he now lives. You can learn more about him on his dedicated adoption page. 

We love our #Pets!

Gotta show some pet love as well from our Pets Slack Channel (the best channel).😻

Yearly reminder: DarkOwl analysts and their pets recommend you never use your pet’s name in any password combination as it is a popular term for threat actors using brute force attacks.

Product Enhancements & Platform Innovations

Throughout 2025, our Product Team rolled out significant updates designed to empower analysts and security teams with deeper, more actionable darknet intelligence:

• Enhanced Case Management: Vision UI now supports improved team workflows and collaboration with enhanced Case Findings features that include inline annotation and visual summary dashboards.
• Leak Visualizations & Timeline Analytics: New visualizations help users grasp leak compositions and alert trends over time — enabling richer analysis and faster decision making.
• Marketplace Intelligence: A major expansion of darknet marketplace capabilities incorporates rich structured data across dozens of fields — from vendor info to pricing and shipping — directly in Vision UI and API.
• Universal Phone Query Builder & Export Flexibility: We introduced a Universal Phone Number Builder and expanded reporting formats — including Word export — to support a variety of operational needs.

These enhancements reflect our ongoing commitment to refining workflows, increasing visibility into complex data, and enabling faster, smarter insights for our users. These are just a few of the product updates made throughout the year! You can check out more in our quarterly blogs, starting here.

---

Community & Education: Sharing Knowledge

DarkOwl’s blog continued to be a hub for expert analysis on darknet intelligence, cyber threats, and cybersecurity trends. Notable posts from late 2025 included practical guides on cyber hygiene, explorations of how threat actors operate, and even insights into unique aspects of darknet ecosystems like vendor shipping choices.

In addition, DarkOwl was selected as the darknet technology of choice for Channel 4’s series Hunted, offering real-world demonstrations of how darknet intelligence supports investigative work.

Partnerships & Strategic Collaborations

2025 saw DarkOwl strengthen its global reach through a series of partnerships aimed at bringing darknet intelligence to more organizations:

• Strategic Alliance with Ticura: A collaboration to simplify dark web monitoring workflows and broaden operational accessibility for security teams and MSSPs alike.
• 8com GmbH & Co. KG Partnership: 8com integrated DarkOwl’s Vision UI and Search API into its SOC workflows to enhance early detection of compromised data and proactive defense measures.
• Global Reseller Partnerships: Authorized reseller agreements — including with Hottolink in Japan — expanded access to DarkOwl’s threat intelligence solutions across international markets.

These collaborations underline DarkOwl’s role as a trusted provider of darknet intelligence to enterprises, security practitioners, and service providers around the globe.

Looking Ahead to 2026

As we close out 2025, we are energized by the rapid evolution of both cybersecurity challenges and the tools needed to address them. DarkOwl is committed to pushing the frontier of darknet intelligence — delivering deeper insights, smarter workflows, and stronger partnerships that equip our customers to stay ahead of threats.

Thank you for being part of our 2025 journey. Stay connected by subscribing to our newsletter, engaging with our content, and joining us at events in the year ahead!

---

Don’t miss any updates from DarkOwl in 2026 and get weekly content delivered to your inbox every Thursday.

December 18, 2025

The darknet is a hidden part of the internet that operates beyond the reach of traditional search engines and mainstream platforms. Within this space, darknet marketplaces have emerged as virtual bazaars where anonymous buyers and sellers trade goods and services, often illicit, using privacy-focused technologies like Tor and cryptocurrencies such as Monero and Bitcoin. These markets are structured much like legitimate e-commerce sites, featuring product listings, vendor ratings, customer reviews, and even dispute resolution systems.

DarkOwl collects data from a wide range of marketplaces, capturing the breadth of listings, vendor activity, and community interactions. In this blog, we explore the state of darknet markets in 2025, highlighting which platforms lead in listings and vendor count, how products are distributed across categories, the flow of shipments around the world, and patterns of user engagement through reviews.

By examining these factors, we aim to provide a window into the scale, structure, and dynamics of this hidden economy, revealing both the major players and the underlying trends shaping the market landscape.

Top Darknet Marketplaces in 2025

In 2025, we collected unique listings from the leading darknet marketplaces, summarized in Figure 1(a). Vendor activity is shown separately in Figure 1(b).

Based on listing volume, the most active markets in our dataset were Black-Pyramid, Ares, Dark-Matter, Zelenka-Lolzteam, Nexus-Market, and Drughub. These platforms consistently generated high volumes of product posts across a wide range of categories, from narcotics and fraud services to digital goods and hacking tools. However, when ranking markets by the number of distinct vendors rather than total listings, a slightly different picture emerges. Zelenka-Lolzteam, Archetyp, Drughub, Dark-Matter, Blackopps, and Black-Pyramid attracted the largest number of sellers overall, illustrating how some markets excel at breadth of vendors even if they generate fewer listings per seller.

Market stability in 2025 remained a challenge, as several high-profile platforms experienced abrupt shutdowns. MGM-Grand, Archetyp, Abacus, and Elysium-Market all disappeared mid-year, either due to law enforcement intervention or suspected exit scams. Their closures caused sudden shifts in vendor migration patterns and contributed to the overall volatility of the ecosystem. These dynamics highlight the importance of tracking not just market size but also operational longevity, resilience, and community trust.

Figure 1: Top Markets by (a) Unique product listings and (b) unique vendors

Market reviews

Reviews play a crucial role in darknet marketplaces because they are one of the few publicly visible indicators of community engagement, trust, and transaction legitimacy. In environments where users operate anonymously and traditional reputation systems are absent, reviews help buyers gauge vendor reliability, product quality, and the likelihood of receiving what they paid for. They also offer insight into vendor longevity and buyer satisfaction—information that listing counts alone cannot provide.

On these markets, review activity becomes a broader marker of community health. Reviews show that buyers are active, transactions are taking place, and vendors are accumulating reputational signals that others can verify. When users take the time to leave feedback, it fosters a shared sense of accountability within an otherwise anonymous ecosystem. Markets with consistent review activity tend to feel more dynamic and trustworthy: buyers rely on collective experience to avoid scams, vendors depend on feedback to differentiate themselves, and the community becomes more informed and resilient. In this way, engagement acts as a stabilizing force, shaping user behavior and contributing to the long-term viability of a market. Measuring review activity, therefore, offers more than a participation metric—it provides a window into the social dynamics that influence market stability, consumer decision-making, and the overall trust architecture of the darknet ecosystem. Although it must also be considered that the reviews may be created by the vendors to make it appear as if they are active and deliver good services.

To quantify these dynamics, we examined review activity across markets. Overall, 68% of the markets we collected included some form of user review or feedback mechanism. Among those markets, 23% of listings had at least one review; across all markets (including those without review systems), 16% of listings received reviews. On markets that supported reviews, listings averaged 7 reviews per post, rising to 16 reviews when considering only listings that had reviews. Notably, ten of the fourteen top markets discussed above offered review functionality. Figure 2 shows the percentage of listings with reviews across these top markets, illustrating the varying levels of community engagement.

Figure 2: Markets with the highest customer engagement based on percentage of listings with reviews

Category Breakdown

In addition to examining overall activity and community engagement, we conducted a category-level analysis across the full DarkMart dataset, not just the top markets. Whenever markets provided category labels, we extracted and normalized them into 11 high-level categories to create a consistent taxonomy across platforms. For listings without explicit category metadata, we applied a clustering-based classification approach to assign them to the most likely category based on listing text and semantic similarity. This allowed us to produce a unified view of the thematic composition of the ecosystem.

Figure 3 presents the distribution of these categories across all markets in our dataset. The landscape is dominated by Drugs and Chemicals, which account for 68% of all listings. This aligns with longstanding trends in darknet commerce, where narcotics represent the bulk of transactional activity. The next largest categories are Fraud (13%) and Counterfeit Items (7%). The Fraud category encompasses offerings such as stolen payment-card data, phishing kits, account takeovers, and forged or altered identification documents. Counterfeit items include fake currency, imitation branded goods (e.g., luxury watches, designer bags), and various forged certificates or documentation.

Because drugs and chemicals dominate the darknet marketplace landscape, we took a closer look at the different types of products within this category. The right side of Figure 3 shows the distribution of subcategories, offering insight into the variety of goods vendors specialize in.

Cannabis leads the subcategories, accounting for 41% of listings, and includes traditional cannabis as well as THC-infused products. Following cannabis are opioids (14%), including powerful painkillers like Fentanyl and Heroin, which act on the body’s opioid receptors. Psychedelics (11%), including LSD, psilocybin mushrooms, and Ketamine, also make up a significant portion, designed to alter perception, mood, and cognition.

Stimulants (12%), including Methamphetamine, Cocaine, and other “speed” drugs, increase alertness and energy, while depressants (3%), such as Xanax and GHB, slow brain activity and are often prescribed for anxiety or sleep disorders. Party drugs (7%), such as MDMA and Ecstasy, are designed to enhance sociability and create feelings of empathy, often used in recreational settings. Finally, miscellaneous drugs (3%) cover a variety of specialized items, from hormonal treatments and sexual enhancement products to vaping-related substances.

Taken together, this subcategory breakdown illustrates not just the sheer volume of drug-related listings, but also the diversity of products and specialization among vendors. It shows how darknet marketplaces cater to a wide range of consumer needs, from medical and recreational to niche and experimental.

Figure 3: DarkMart category and subcategory breakdown (Drugs and Chemicals)

Shipping Breakdown

We also examined the shipping data available for our 2025 product listings. Figure 4 illustrates the flow of shipments from source countries to destination countries. For clarity, we excluded listings where the source or destination was listed as “worldwide” and aggregated countries into broader continents or regions.

Unsurprisingly, the bulk of shipments occur within North America. Europe follows a similar pattern, with many shipments staying within the continent, but European vendors also reach a wide range of international destinations. North America, too, sends products across the globe, including to regions like Africa—even though Africa itself contributes very few listings as a point of origin.

Some patterns are particularly striking. A small subset of products reportedly ships from and to Antarctica, highlighting the unusual and niche nature of certain listings. Asia exhibits a more modest version of Europe’s international reach, with most shipments staying regional but a smaller proportion traveling worldwide.

Overall, the shipping data reveals that while most transactions remain regional, darknet markets are capable of supporting truly global commerce. The map also underscores the asymmetry of trade: some regions are primarily exporters, others primarily importers, and a few see very limited activity despite being part of the network. These flows offer a window into how products, and by extension, vendors, connect distant parts of the world in a complex, global ecosystem.

Figure 4: Shipping flows within DarkMart

Conclusions

Our 2025 analysis of darknet marketplaces paints a picture of a highly active and evolving ecosystem. Some markets dominate in listings, while others attract the largest communities of vendors. Drug-related listings continue to account for most of the activity, with fraud and counterfeit items forming significant secondary categories. Shipping data highlights both regional concentration and surprising international reach, while review metrics reveal the importance of community engagement in fostering trust and reliability in an otherwise anonymous environment.

Taken together, these insights offer a comprehensive snapshot of the darknet economy, one that shows both the scale of activity and the social dynamics that sustain it. As markets rise, fall, and adapt, ongoing monitoring is essential to understand the forces shaping this hidden corner of global commerce.

---

Don’t miss any of our research! Follow us on LinkedIn.

December 16, 2025

The dark web often gets portrayed as a lawless digital bazaar where you can buy anything — from stolen identities to malware, services, how-to-guides, hit men and even human organs – as long as you know where to look. The assumption is that all illegal things are available to purchase on the dark web.  

But how much of that reputation is true? Especially during the holiday season when sensational headlines tend to resurface and most are looking for a few stocking fillers! So, as we approach the holiday shopping season, we wanted to explore the myths and realities of dark web “holiday shopping,” what is truly available to criminals, how do they find it, and what can we do to combat this through dark web monitoring.  

The Myth: “You Can Buy Absolutely Anything If You Know Where to Look”

This is the biggest misconception. Movies and tabloids love to exaggerate the dark web’s capabilities and the activities that take place there.

The Reality:

The dark web is messy, unreliable, and full of scams. Many “products” that criminal forums advertise are fake, recycled, or outright frauds designed to steal from other criminals. Law-enforcement stings, exit scams, and disappearing marketplaces happen constantly. And most things are not readily available. The criminals still require access to these goods – meaning they need a supply chain, and they have to have the means of sending these goods or services to their customers.

That is not to say that you can’t buy nefarious goods on the dark web – it is well known for its booming drug markets, and hacking and tools are readily available lowering the barrier to conducting some attacks. Furthermore, the sale of stolen data only continues to grow as we move into 2026.

The Myth: “Dark-Web Marketplaces Are Just Like Amazon”

Some people imagine a slick interface full of products and reviews.

The Reality:

This isn’t false. A lot of dark web marketplaces do model themselves after more mainstream commercial retail sites. Most marketplaces have listings, reviews, shipping time frames, and images of their listings. There is even a marketplace called Awazon!

That being said, most dark web markets are also unstable and can be confusing, slow, and filled with phishing mirrors. A lot of listings can also be scams, with vendors offering goods and accepting payments for goods they never intend to ship. Even the markets that try to mimic legitimate platforms collapse frequently — sometimes due to law enforcement, sometimes because operators run off with users’ funds. But this is not always the case – some markets are more mature and stable than others.

The Myth: “Holiday Specials Make It a Busy Time for Buyers”

You’ll occasionally see rumors about festive deals on illicit services or stolen data. Some markets will provide advertisements offering deals for things such as “Black Friday.”

The Reality:

Seasonal themes are mostly cosmetic. Some forums change banners or run small, informal “events,” but the idea of “Cybercriminal Black Friday Sales” is largely sensationalized. What does rise is scam activity — low-effort attempts to take advantage of distracted users. Usually “serious” vendors do not care what time of year it is – the price they set is based on the product they have and what they think people will pay for it. We have seen huge demands for stolen data in this last year – some of which have been paid either as a ransom or by other criminals hoping to use the data for their own gain.

The Myth: “Data Sold on the Dark Web Is Always New and Dangerous”

Headlines often imply a constant flow of fresh, highly sensitive data which is easily accessible to anyone who wants to access it.

The Reality:

Much of what circulates on dark web forums is outdated breach material, repackaged, and resold repeatedly. Combolists are known to pull data from multiple leaks which can be years old. Other threat actors may attempt to make more money by repackaging leaks which have already been sold.

Real, recent data is harder to obtain, tightly controlled, and often monitored by law-enforcement agencies. Ethically, this data should not be purchased; which makes it more difficult to access for those monitoring the leaks of these data sets for protection purposes. What’s more, just because there is a report of a data leak in the media does not mean that the data will be available on the dark web. Some threat actors steal data for their own personal use or negotiate within closed groups.

The Myth: “Everyone Accessing the Dark Web Is Up to Something Criminal”

Dark web content is frequently portrayed as exclusively illegal.

The Reality:

Not all dark web browsing is illicit. Whistleblowers, journalists, and privacy researchers use Tor for legitimate reasons. There are many legitimate sites on the dark web that help share true information and combat censorship. The technology is neutral — it’s the illegal marketplaces that create risk. Therefore, it is important to remember that whenever accessing dark markets to make sure you are doing so in a legal and ethical manner and never purchasing goods without legal authorization. This is why using DarkOwl to track the sale of these goods can be the safest way forward.

Why the Dark Web Can be Especially Dangerous During the Holidays

• Phishing mirrors multiply as scammers impersonate well-known markets.
• Pop-up marketplaces appear, then disappear with users’ money.
• Fake “limited time” offers lure inexperienced users.
• An increase in account-takeover attempts occurs as criminals hunt for holiday shopping creds to resell.

Cybercriminals know people are stressed, rushed, and spending more. It’s prime scamming season. This does not just apply to the dark web. All consumers should be hyper vigilant to scams during the festive time of year.

Final Thoughts

The festive season brings out the creativity — and opportunism — of cybercriminals. But most dark web holiday myths crumble under scrutiny. Understanding the reality helps prevent people from falling for exaggerated stories… and from stumbling into dangerous territory.

---

Check out our recent blog on Black Friday Scams.

A Deep Dive into Shipping Choices on Illicit Marketplaces

December 11, 2025

When we think of darknet marketplaces, the focus is usually on the products: drugs, counterfeit goods, stolen data, and more (linked are just a few of the blogs where DarkOwl has covered these examples). But behind every transaction lies a critical question: how does it get delivered? Shipping choices aren’t just logistical; they reflect trust, risk, and strategy in the underground economy. In this blog, we explore which carriers dominate the darknet, how preferences differ across marketplaces, locations, and product categories, and what these patterns reveal about the hidden infrastructure supporting illicit trade.

Shipping Options

Shipping is the final connection between vendor and buyer, and on darknet markets the choice of carrier shapes how a transaction is carried out. Vendors consider factors such as reliability, delivery speed, risk of scrutiny, and whether the shipment is domestic or international.

Not all listings specify shipping information. In DarkOwl’s enhanced market dataset within its DarkMart data store, a little over half (55%) of listings collected between January 2025 and November 2025 include any shipping details at all. This suggests that many vendors either keep logistics flexible or negotiate them directly with buyers. Among those listings that do include shipping information, the level of detail varies widely. Some specify a particular carrier, while others use general terms like standard or express without naming a particular service. Listings may include multiple carrier options or alternative delivery methods such as dead drops or digital delivery (see Figure 1). In some cases, only shipping price or estimated delivery time is provided, with no carrier identified.

Figures 1 and 2: Example listings with varied shipping options

For consistency, our analysis focuses on the four major global shipping companies most frequently mentioned:

• USPS – The United States Postal Service (USPS) is the primary postal operator in the U.S., handling nationwide mail and package delivery. Its widespread domestic network makes it a frequent option for shipments within the country. Because USPS handles so much daily mail volume, some vendors may view it as the safest way to blend in.
• DHL – An international courier service headquartered in Germany. DHL maintains a strong global presence, particularly in Europe, and provides express and cross-border shipping to more than 220 countries and territories. DHL has a strong footprint in Europe and is known for smooth cross-border shipping, which makes it appealing for vendors sending goods overseas.
• FedEx – A major U.S.-based courier service offering express, ground, and international delivery. FedEx operates an extensive global logistics network and is well known for its fast turnaround times. Its tight tracking and security can make some vendors hesitant, though others prefer it for speed of delivery.
• UPS – Another large U.S.-based courier and logistics company with a broad ground and air network. UPS provides domestic and international parcel delivery, along with a wide range of supply-chain services. Vendors who want consistent delivery but don’t need overnight speed may lean toward UPS.

In addition to these major carriers, we also tracked references to regional postal services such as Deutsche Post, Royal Mail, and GLS, as well as nontraditional delivery methods like digital delivery and dead drops. While these alternative methods were less common than standard shipping, they illustrate the variety of strategies vendors use to move goods.  Below, figure 3 shows the distribution of all delivery types.

Overall, USPS was the most frequently mentioned carrier mentioned in 34% of listings naming a shipping vendor, followed by DHL (24%), FedEx (14%), and UPS (7%). Royal Mail, dead drop, Deutsche post, and GLS appeared in a smaller subset of listings with a combined total of 8%. While we considered all these shipping methods in our analysis, the rest of this blog will focus specifically on the top four main carriers: USPS, DHL, FedEx, and UPS.

Figure 3: shipping type distribution, based on number of listings within DarkOwl’s DarkMart data store

Market Breakdown

Shipping patterns vary noticeably across darknet marketplaces. Some sites show clear loyalty to certain carriers, while others provide a mix of options. For example, MGM Grand, Dark Matter, Mars Market, and Velox Market are dominated by USPS listings, suggesting a preference for this domestic carrier. On the other hand, Crown Market, TorZon Market, and DrugHub display a more balanced mix, with FedEx and DHL appearing frequently. Certain markets, such as Courier Market, Halfbreed, and King Market, lean more heavily toward DHL, particularly for international shipments. Meanwhile, Revolution Market and Ares offer a fairly even spread across at least three of the four major carriers. Notably, UPS does not dominate in any marketplace, appearing more sporadically across listings. Figure 4 illustrates the distribution of shipping options across these top markets.

Figure 4: Distribution of shipping types across the top markets

Location Breakdown

Beyond marketplace-level trends, we also examined the origins and destinations of shipments for each major carrier. For this analysis, we focused on listings specifying country-to-country routes, rather than broader “country-to-worldwide” entries. Each country was mapped to its corresponding region or continent to simplify the view. Figure 5 presents these flows using Sankey diagrams, which visually show the volume of shipments between source and destination regions.

USPS listings show a heavy concentration of domestic deliveries within North America, along with a notable stream of transatlantic shipments to Europe. DHL’s activity is also centered around Europe, but it distinguishes itself as the primary carrier facilitating large volumes of shipments moving from Europe to Asia and Oceania. FedEx, by contrast, is dominated by routes from North America to Africa and Europe, with comparatively fewer packages staying within North America. UPS displays yet another pattern: most of its activity remains within Europe, with a smaller, though visible, share of shipments originating in North America and heading primarily to African destinations.

These patterns highlight the distinct regional footprints of each carrier. North American vendors rely heavily on USPS and FedEx for both domestic and transatlantic shipments, while European markets are served mainly by UPS and DHL. DHL’s broader international reach underscores its role in longer-distance trade, particularly to Asia and Oceania. Overall, the flow patterns reveal how vendors align carrier choice with both origin and destination regions, reflecting practical considerations like geographic coverage, shipping speed, and the global nature of darknet commerce.

Figure 5: Shipping to/from for (a) USPS ,(b) DHL, (c) Fedex, (b), and (d) UPS

Category Breakdown

We also reviewed which types of products were being shipped by each carrier. To do this, we looked at the product categories listed in each shipment and normalized them for consistency, focusing only on listings that included both a category and one of the major carriers. Figure 6 shows how each carrier is distributed across the top three categories.

Unsurprisingly, Drugs and Chemicals made up the largest share of shipments, followed by Fraud and Counterfeit items. Drugs and Chemicals include illicit narcotics, prescription medications, and psychoactive substances, as well as, precursor chemicals.  Fraud includes items such as stolen credit card data, phishing kits, and fake IDs. While counterfeit items include counterfeit currency, fake branded goods (ie, watches, bags, etc..), and forged documents. USPS clearly dominates the drugs and chemicals category, with DHL and FedEx appearing less frequently. DHL stands out as the primary carrier for fraud and counterfeit goods.

Figure 6: Category shipping by type

These patterns hint at how vendors match products to carriers based on shipping needs. USPS’s prominence in drugs and chemicals suggests a focus on domestic or shorter-range shipments, whereas DHL’s role in fraud and counterfeit items highlights its reach for international deliveries. FedEx’s presence across multiple categories may indicate its flexibility for both speed and cross-border logistics. Overall, the distribution of products across carriers gives a window into the practical considerations shaping darknet shipping—showing how the type of product can influence both the choice of carrier and the geographic scope of the shipment.

Conclusion

Shipping on the darknet is far from random, it’s a carefully chosen part of the trade. Different carriers dominate specific markets, regions, and product types. USPS dominates deliveries within the U.S., especially for drugs and chemicals, while DHL and FedEx handle more international shipments and fraud-related goods. UPS shows up but rarely takes the lead. Across marketplaces, countries, and product types, clear patterns emerge: vendors align their carriers with the practical demands of each shipment, from speed and reliability to geographic reach. These trends reveal that even in illegal markets, logistics and strategy matter. By looking at how goods move, we gain a window into the hidden infrastructure that keeps darknet commerce running smoothly, an underground network that’s as much about moving packages as it is about managing risk and trust.

---

Curious to learn how darknet data is relevant to you? Contact us

December 9, 2025

Hackers are always looking to gain access to sensitive information to ransom or sell. In recent years, there has been a surge in universities being attacked due to their large databases and typically more vulnerable systems. The most common attacks that compromise universities’ systems are phishing, ransomware, and denial of service (DDoS) attacks. Phishing involves tricking users into revealing login credentials, ransomware locks critical data until a payment is made, and DDoS attacks overwhelm systems to disrupt services.

Why Should Universities Take Precautions?

Universities can face major disruptions if their network is compromised by threat actors. There have been multiple cases where universities have had to shut down their networks to solve the problem, causing huge disruption to their staff and students. If a university deems it necessary to shut down their network, the immediate effects are an annoyed student body, frustrated staff, and long term can cost the school millions. Students expect their university to stay on schedule throughout the year, which is why a network shutdown can reflect poorly on the university.

Ransomware groups especially put pressure on universities because attackers assume they will receive a payment shortly after ransoming data due to a universities’ low tolerance of leaked information being made public and possible long periods of downtime. Furthermore, the school can face lawsuits from students if information is not handled correctly. This is why often when a ransomware group successfully attacks a university, the ransom appears to be paid within a few days.

Universities are required by law to keep any sensitive information like social security numbers, banking accounts, and health records secure. One example of laws that govern universities and how they handle information is FERPA (Family Educational Rights and Privacy Act). Since this is in the context of students who are above the age of 18, this law ensures that schools do not release any information without a student’s consent. This is why when breaches occur, universities tend to face lawsuits for not properly securing their students’ and or alumni’s data. Even when the ransom is paid and not leaked, students, alumni, or faculty can still pursue legal action on the grounds of negligence.

Recent Cyberattacks on Universities

University of Michigan

In August 2023, a major data breach occurred at the University of Michigan. Around 230,000 students, alumni, and employees were affected by the breach. The threat actors stole financial accounts, social security numbers, driver’s license details, and health information.

While the vulnerability that the attackers exploited was never released to the public, the University found the attackers stole the information from the University’s Health Service and School of Dentistry. Once the attack was detected by the University, they immediately shut down their network. The internet shutdown across all three of their campuses ultimately lasted four days during the first week of classes and stopped University operations during that period. The University of Michigan faced two lawsuits after the attack. Both claim that the University was negligent with the security of information. It is unknown if this information was released or who was behind the attack.

Stanford University

Another 2023 cyberattack, coming only a month after The University of Michigan breach was the cyberattack on Stanford University. Unlike Michigan, this attack on Stanford University was claimed by a ransomware group called Akira.

The data Akira gathered was from Stanford’s Department of Public Safety. They claimed to have 430GB of data that would be released unless a ransom was paid. The group later released a link in order for others to download this data. The data they claimed to have was “private information and confidential documents”. Stanford never released the information stolen or if they paid Akira. What we do know is that the FBI has advised companies and universities not to pay ransoms and instead immediately report it to law enforcement.

The below image shows Akira announcing information about the leak on their leak site, as well as the download link which is not shown in the image below.

Ransomware groups will make data available if victims do not pay, this can lead to further attacks against the victims or organizations in their supply chain as information found in this data can be used for further phishing or social engineering attacks.

Figure 1: Akira announcing information about the leak on their leak site; Source: DarkOwl Vision

Multi University Attack

The ransomware group Cl0p was responsible for a series of attacks on universities in May of 2023. They were able to exploit the software called MOVEit which is a file transferring tool. MOVEit at the time was known to have a high level of security, especially because many of the files moved within the software contained sensitive information. MOVEit handled file transferring of many other organizations, meaning this attack was not limited to just universities.

Some of the universities that reported the attack included UCLA, Rutgers, and Missouri. These universities reported student and faculty Social Security numbers and financial account information being posted online.

Some analysts believe this attack should not be considered a ransomware attack since the compromised data was never encrypted. However, Cl0p still demanded payments from some universities for the return of data. Recently, some ransomware groups like Cl0p have not been encrypting stolen data and instead pressure people or organizations into paying purely on the threat of releasing the data online.

Have These Attacks Increased?

A company called Netwrix, surveyed 1,309 IT and security professionals globally during 2024, finding that 77% of organizations in the education sector reported an attack on their systems within the past 12 months. This number was up 8% from 2023, which suggests a trend upwards of cyberattacks on schools and universities.

In 2025, the education sector has been the number 1 target for cyber-criminals and ransom groups. Specifically, DeepStrike reported that the two main threats are phishing and ransomware, while explaining that schools and universities typically have high vulnerability in their systems and have large amounts of data, two characteristics that make them top targets.

Protection Against These Attacks

The easiest way for universities to protect against an attack is to have strong authentication requirements. When trying to access the network, the university should require a login via student ID/faculty ID – a second layer to this is multi-factor authentication. This method can also make it easier to track malicious activity by linking activity on the network to an ID.

Another measure that can be overlooked is security software on school computers. These computers are often directly connected to the network, therefore exploiting one can give an attacker access to all of them. The main problem with updating all the software is that it takes a lot of time and most of the time this can’t be done all at once. A good time to update systems would be over Fall, Thanksgiving, Winter, or Spring break when these computers are not being used.

Finally, make sure faculty and students are aware of phishing emails. Humans can be just as vulnerable as a computer – make sure to always keep your passwords secure and do not download suspicious looking files.

---

To read more about security best practices, check out this blog.

December 01, 2025

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks – The Hacker News

On November 03, three former employees of the cybersecurity companies DigitalMint and Sygnia were indicted in district court for “allegedly hacking the networks of five U.S. companies with BlackCat (aka ALPHV) ransomware between May and November 2023 and extorting them.” The individuals Kevin Tyler Martin of Roanoke, Texas, and Ryan Clifford Goldberg of Watkinsville, Georgia, and an unnamed accomplice are facing multiple charges including interference with interstate commerce by extortion, and intentional damage to protected computers. During the aforementioned time period, BlackCat gained access to victims networks, stole data, employed malware and demanded cryptocurrency in exchange for decryption keys and to not leak the stolen data. Read full article.

2. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities that have impacted Dassault Systèmes DELMIA Apriso and XWiki. The vulnerabilities CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893 allow threat actors to execute arbitrary code and gain access to applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Combining these vulnerabilities allow creation of accounts that obtain elevated privileges and deposit executable files into a web-served directory, resulting in complete compromise of the application. Starting in March, CVE-2025-24893 impacted XWiki by using a two-stage attack chain that delivers a cryptocurrency miner. Article here.

3. University of Pennsylvania confirms data stolen in cyberattack – Bleeping Computer

On October 31, the University of Pennsylvania announced their information systems for development and alumni activities had been compromised. Using an employee’s PennKey SSO account the threat actor was able to gain access to “the university’s Salesforce instance, Qlik analytics platform, SAP business intelligence system, and SharePoint files.” This access provided the threat actors with 1.71 GB of internal documents as well as 1.2 million records of donor information. The hackers claim the attack was not politically motivated but posted on hacking forums that they targeted the university due to its “alleged DEI practices, admissions policies, and love of nepobabies.” Read more here.

4. “Bitcoin Queen” gets 11 years in prison for $7.3 billion Bitcoin scam – Bleeping Computer

Following a seven-year investigation by the Met’s Economic Crime team, 47-year-old woman, Zhimin Qian (also known as Yadi Zhang), was found guilty of a large-scale fraud campaign that defrauded over 128,000 victims in China between 2014 and 2017. Qian earned the name “Bitcoin Queen” in China after promoting the currency as “digital gold”. After her scheme was uncovered in 2017, she converted the proceeds into Bitcoin and fled to the United Kingdom, where, with the help of an associate named Jian Wen, she attempted to launder the cryptocurrency through property purchases. Qian was arrested in 2024 where law enforcement seized assets worth $14.4 million, as well as cryptocurrency wallets, encrypted devices, cash, and gold. Read here.

6. APT37 hackers abuse Google Find Hub in Android data-wiping attacks – Bleeping Computer

North Korean hackers, APT37, have been discovered abusing Google’s Find Hub Tool to target South Koreans. Victims are approached through KakaoTalk messenger, a popular instant messaging app. Spear-phishing messages transmitted through KakaoTalk impersonate South Korea’s National Tax Service, the police, and other agencies to deceive recipients into interacting. If someone opens the attached MSI file (or a ZIP that contains it), the program runs two hidden scripts: one to install the malicious code and one that pops up a fake “language pack error” to fool the user. Meanwhile the malware grabs the victim’s Google and Naver login details, signs into their email accounts, changes security settings, and deletes traces of the break-in. Read full article.

7. Iranian Hackers Use DEEPROOT and TWOSTROKE Malware in Aerospace and Defense Attacks – The Hacker News

Iranian threat actors, known for espionage driven attacks, have been observed deploying backdoors TWOSTROKE and DEEPROOT against Middle East industries. Mandiant attributes the activity to UNC1549 (aka Numbus Manticore and Subtle Snail). According to Google, these infection chains blend phishing campaigns aimed at stealing credentials with malware delivery operations that exploit trusted relationships with third-party vendors. Although the primary targets maintain strong security defenses, some third-party partners remain vulnerable, creating a ‘weak link’ that groups like UNC1549 can exploit. Read full article.

8. Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters – Bleeping Computer

The threat actor group, Scattered Lapsus$ Hunters, has announced the development of a Ransomware-as-a-Service (RaaS) platform named, ShinySp1d3r. The group announced on their Telegram channel that the ransomware was in development and will be led by ShinyHunters but operated under the “Scattered Lapsus$ Hunters” brand. Samples of the ransomware have been uploaded to VirusTotal and show a mix of common features and new features developed by the group. The encrypted files will contain “information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications”. Learn more.

---

Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

November 25, 2025

The eighth series of the popular, BAFTA-nominated TV show ‘Hunted’ came to a dramatic end this month.  

Hunted is a gripping reality series that pits volunteer civilian ‘fugitives’ against a professional team of ‘Hunters’ – comprising former intelligence officers, police detectives, and cyber analysts – who employ real-world investigative techniques to try track them down within 28 days. 

The TV show regularly attracts over 2 million viewers per episode. 

In this series, the Hunters were able to catch 13 out the 14 original fugitives within the time frame. This the most successful capture record in history of the show. 

Copyright Shine TV/ Channel 4 

In the programme, the ‘fugitives’ must try to evade simulated capture by Hunters who leverage an impressive arsenal of capabilities: CCTV networks, ANPR systems, mobile phone tracking, financial surveillance, OSINT and behavioural profiling.  

The Hunters establish pattern-of-life analysis, exploit OPSEC failures, conduct tactical ground operations, and demonstrate how modern surveillance infrastructure creates a near-inescapable digital dragnet.  

OSINT specialist and DarkOwl super-user Daisy Hickman appearing in Series 8 (copyright Shine TV/Channel 4) 

The show illustrates the investigative challenges of resource allocation, intelligence fusion, and the cat-and-mouse dynamics between human behaviour and technical collection, while exposing how difficult it truly is to disappear in a modern surveillance state. 

In this series, DarkOwl was selected as one of the handful of intelligence tools (and the sole Darknet technology) to assist the Hunters in their London HQ. 

Daisy Hickman – an OSINT specialist Hunter who holds a MSc in Forensic Investigation – commented on her experience with DarkOwl (in capacity as a DarkOwl super-user during the show): 

“DarkOwl proved critical to our time-sensitive fugitive operations, and the easy to use interface and comprehensive data was an invaluable part of our OSINT analysis.” 

By continuously indexing high-value darknet websites, fora, marketplaces, chans, leak databases, Telegram channels and beyond, DarkOwl reconciles underground activities and personas with real-world events and people for all levels of intelligence analyst. 

DarkOwl was pleased to support Hunted, not least as it provided a good opportunity to showcase the power of DARKINT techniques for fast paced criminal investigations. 

---

Watch the latest series of Shine TV/Channel 4’s Hunted, and find out more about DarkOwl Vision.