The OSINT Newsletter - Issue #105
OSINT and the Dark Web: Part Two
Welcome to the 105th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here's an overview of what's in this issue:
The tools you need to know
Strategies and limitations
Following data to the surface
…and how to fight the monsters under the Internet's bed.
If you missed the last newsletter, here's a link to catch up.
Gathering OSINT from Live Traffic: Datasets and Cameras
If you prefer to listen, here's a link to the podcast instead.
Let's get started.
OSINT and the Dark Web: Part Two
Welcome (back) to the dark side. We have OSINT.
Although it looks dangerous, DARKInt is perfectly safe if you know how - and if you read last week's issue, you probably do. Without further introduction, let's go even deeper into Dark Web OSINT.
In Part Two, we'll cover:
The tools you need to know
Strategies and limitations
Following data to the surface
…and how to fight the monsters under the Internet's bed.
Don't forget your flashlight.
Recap: What is the Dark Web?
If the internet is an iceberg, it has three layers: the surface, deep, and dark web.
Surface Web: The normie "internet". Indexed by search engines like Google and Bing.
Deep Web: The "invisible" 90% of the web you don't need a specific tool to access. Online banking, private networks, and corporate systems live here.
Dark Web: The unindexed 1-6% of the web, only accessible via specialised tools. Always anonymised, always encrypted.
What you find in this dark bottom layer - open-source or not - is dark web intelligence. So, think of Dark Web intelligence (or DARKINT) as OSINT's emo little brother. Got it? Good.
A Beginner's Guide to DARKInt Tools
To access the Dark Web, specific tools are required. Here's a conceptual run-down of the best tools for beginners curious about traversing the depths. Of course, this overview is intended for educational purposes only, rather than encouraging active exploration as soon as possible - it's best to think before you leap.
Browsers Are Like Onions
TOR is the most (in)famous of the bunch. Short for The Onion Router, TOR is too complex to unpack fully here. What's more, we already did that last week.
Basically, onion browsers work by routing your connection through multiple encrypted layers - a bit like an onion - so no single point can trace your activity. The Dark Web's sites then use .onion domains; "hidden services," where both user and host are obscured. Instead of connecting directly, both sides layer up encrypted links via a shared rendezvous point on the TOR network, so nobody knows anybody else's true IP. This creates the built-in anonymity which makes the Dark Web so popular, keeping everything… under wraps (sorry).
Where's The Leak?
We know one of the most common forms of DARKInt comes in the form of the humble data breach. Public leak indexes are one of the most beginner-friendly entry points into DARKInt, as they point users to large collections of said breached data.
Unlike raw breach dumps (a.k.a. the actual compromised data), leak indexes are designed for search and discovery, and act as directories or lookup tools, rather than hosting any data directly. They're for finding where data exists, and how it connects across leaks. Although datasets are traded, reused or repackaged across multiple Dark Web platforms, indexes can often find specific data whether it's circulating across the Dark Web or in the wider web bloodstream beyond.
The usual caveats about breached data apply. There's always a compliance problem when handling potentially stolen data, so treat any data you find as if it were your own.
Search Engines Are Like Onions Too.
These aren't the Dark Web Google. If TOR is your vehicle into the Dark Web, onion search engines are more like a slightly unreliable sat-nav; this Garmin won't get you there, but it might point you in the right direction. These tools don't provide access to anything. Instead, they index and surface .onion sites, helping users discover hidden services they might not know about. Onion search engines:
Index .onion domains and hidden services
Enable keyword-based discovery (once you're already using TOR)
Unlike TOR browsers (which actually connect you to sites) onion search engines sit a layer above like the onion's outer skin, acting as discovery tools rather than access tools. And because the Dark Web is so transient (sites appear, disappear, or hide deliberately), these engines are best thought of as more treasure hunt than Google search. The coverage on the aforementioned Garmin is patchy, unstable, and often outdated. Still, it works when it doesn't drive you into a lake - or an active volcano.
Tracing An Account Back to the Surface, Step-By-Step.
Use the tools above (indexes, search engines) to identify breaches.
Extract identifiers (email, username, phone number) from DARKINT sources.
You'll need a Tor browser to access them.
Pivot using emails.
Identify email accounts, recovery emails, and profiles just as you would as normal.
Look for usernames.
Do the same for usernames - especially look for reuse across social media, forums, or gaming sites.
Look for variations, and cross-reference matches as in light-mode OSINT.
Pivot using phone numbers.
Investigate links to messaging apps, listings, or leaked records that use breached phone numbers.
Correlate findings.
Always combine multiple data points to strengthen attribution.
Lastly… Validate carefully.
Watch out for false positives, outdated, or manipulated data - on the Dark Web, these are all over the place.
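The correlate and validate steps above can be made mechanical. The following is an added example, not code from the newsletter: it normalises identifiers, collapses repackaged copies of the same record, and only calls a link corroborated when at least two identifier types agree. The record layout, source names and the two-field threshold are assumptions, and all sample data is constructed.

```python
import re
from itertools import combinations

# Constructed sample records (not real breach data); source names are placeholders.
RECORDS = [
    {"source": "index-A", "email": "J.Doe@Example.com ", "username": "jdoe_91", "phone": "+1 (555) 010-0199"},
    {"source": "index-A-repack", "email": "j.doe@example.com", "username": "JDoe_91", "phone": "15550100199"},
    {"source": "index-B", "email": "j.doe@example.com", "username": "nightowl", "phone": ""},
    {"source": "index-C", "email": "other@example.org", "username": "jdoe_91", "phone": ""},
    {"source": "index-D", "email": "j.doe@example.com", "username": "jd", "phone": "1-555-010-0199"},
]

def normalise(rec):
    """Canonical form, so formatting differences neither hide nor fake a match."""
    return {
        "email": rec.get("email", "").strip().lower(),
        "username": rec.get("username", "").strip().casefold(),
        "phone": re.sub(r"\D", "", rec.get("phone", "")),
    }

def dedupe(records):
    """Collapse repackaged copies: identical identifiers are one observation."""
    seen = {}
    for rec in records:
        ids = normalise(rec)
        entry = seen.setdefault(tuple(ids.values()), {"ids": ids, "sources": []})
        entry["sources"].append(rec["source"])
    return list(seen.values())

def shared_fields(a, b):
    """Identifier types that are non-empty in both observations and equal."""
    return sorted(f for f, v in a["ids"].items() if v and v == b["ids"][f])

def correlate(records, min_fields=2):
    """One shared identifier is only a lead; min_fields or more is corroborated."""
    results = []
    for a, b in combinations(dedupe(records), 2):
        fields = shared_fields(a, b)
        if fields:
            verdict = "corroborated" if len(fields) >= min_fields else "lead-only"
            results.append((a["sources"], b["sources"], fields, verdict))
    return results

if __name__ == "__main__":
    for left, right, fields, verdict in correlate(RECORDS):
        print(f"{left} <-> {right}: {fields} -> {verdict}")
```

The repacked copy of index-A adds no weight because it collapses into the same observation, and empty fields never count as a match.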
Key Limitations on DARKInt
If these two guides have made the dark, dirty web sound all sunshine and rainbows, now is the time to crush your dreams. There's no unicorns skipping around down there. DARKInt has limitations, and plenty of them. Let's meet the monsters under the Internet's bed.
A High Risk Environment
Imagine a world where everybody hates each other. That's kinda the Dark Web. DARKInt operates within an anonymised, adversarial ecosystem built to keep its infrastructure volatile, and access inconsistent. Elevated operational security risks are baked-in. Hidden services frequently appear and disappear, and interacting with them can expose investigators to threat just by virtue (or vice) of a click. Tread carefully.
False-Data Scam-O-Rama
Data quality is "highly unreliable" to be polite. Breach dumps are often annoyingly duplicated, hopelessly outdated, trickily manipulated, or deliberately seeded with false facts. Financially motivated actors frequently distribute misleading datasets. At worst, you might end up involved in a particularly icky scam. At best, the overall signal-to-noise ratio can reach a hair-tearing level. Be patient.
Not Everything is Verifiable
So you have that "highly unreliable" data. It might never become reliable. Attribution and validation are inherently limited on the Dark Web, where anonymisation layers and restricted visibility are the whole point. So much activity occurs behind closed doors - in closed networks or private exchanges - that datasets can't always be corroborated or independently verified (outside of our dreams). Manage your expectations.
Seeing Things You Canât Unsee
If you work recklessly in DARKInt, you're playing psychological Russian roulette. You may encounter material that is disturbing, illegal, or just deeply distressing; content that stays with you long after you've closed TOR. When people are anonymous, they showcase the worst things humanity can do to each other. Even if you do everything right, you can end up seeing something deeply wrong. Have caution.
Key Takeaways
Our journey through the Web's dark side is coming to an end. You should now know:
All DARKINT is OSINT, but not all OSINT is DARKINT
The tools beginners need to go web spelunking
How to bring dark data into the light
… and why the Dark Web isn't where the unicorns live.
See you next issue, investigators!
New CTF Challenge Live - Covert Communication
A new CTF challenge has been posted on our CTF website. This week's challenge involves analyzing a covert communications channel used by a suspected intelligence operative and finding the name of the location.
Start competing in our Capture the Flag (CTF)
If you missed the last CTF, here's a link to catch up.
Last week's CTF featured a challenge titled "The Dark Web DB", which required participants to investigate a suspected data breach involving Quick, where a threat actor allegedly published a customer database on the dark web, and to uncover key details about the publication.
To solve the challenge, we need to:
Copy and paste the onion link into the Wayback Machine.
Then we filter the results by date and select 06 March 2026. We get a result for 06 March 2026 at 08:01:04.
We click on it. Looking at the forum, in the right corner, we can see a post regarding a French and Belgian database.
It says that it was published 10 mins ago. We can also see the username of the threat actor who published it, which is: sarkstic.
Knowing that the forum was crawled at 08:01:04 and that the post says 10 mins ago, the post was made at 07:51:04.



