Inside the Darknet: How Cybercriminals Prepare to Strike

The Darknet as a Cybercrime Marketplace

Today’s darknet functions like a bustling marketplace where cybercriminals buy, sell, and trade the tools they need to launch attacks.
This ecosystem offers everything from stolen credentials and corporate VPN access to exploit kits and AI-generated phishing sites.

One growing sector is Initial Access Brokers (IABs) — groups that sell direct access to corporate infrastructure. Instead of scanning for vulnerabilities themselves, buyers can simply purchase ready-made access, speeding up attack timelines.

In 2024, the most common IAB offerings included:

  • Corporate VPN credentials (20%)
  • RDP access (19%)
  • Admin panels (13%)
  • Webshells (12%)

Credentials: The Currency of Cybercrime

Credentials remain one of the darknet’s most valuable commodities.

In 2024 alone:

  • Over 100 billion records were shared on underground forums — a 42% increase from 2023.
  • Combo lists (massive collections of breached usernames and passwords) dominated discussions, enabling attackers to automate large-scale credential stuffing campaigns.
  • Groups like BestCombo, BloddyMery, and ValidMail refined these stolen data sets to improve the success rate of attacks.

This booming trade means that even low-skill attackers can execute account takeovers, commit financial fraud, and carry out corporate espionage.

Credential Theft-as-a-Service: Infostealers on the Rise

The darknet’s credential supply isn’t just made of old breach data. There has been a 500% increase in logs from devices infected with infostealer malware, amounting to 1.7 billion stolen records in 2024.

The leading infostealers include:

  • Redline (60%) – Targets credentials from browsers, email clients, wallets, and messaging apps.
  • Vidar (27%) – Advanced harvesting with MFA bypass and cloud token theft.
  • Raccoon (12%) – Mass exfiltration of financial records, passwords, and cryptocurrency wallets.

Infostealers often feed IABs and ransomware operators, making them a critical part of the cybercrime economy.

Exploits for Sale: Zero-Days and Vulnerability Kits

Darknet forums are also home to exploit brokers, who trade tools targeting the latest vulnerabilities. In 2024:

  • 331 zero-days were identified in underground channels.
  • 55% had public proof-of-concept code.
  • 32% had fully functional exploits ready for use.
  • 30% were already being used in active ransomware and APT campaigns.

For defenders, monitoring these markets provides early warning of which vulnerabilities are likely to be weaponized next.

AI-Enabled Cybercrime: Faster, Smarter, More Convincing

Artificial intelligence is supercharging the underground economy. AI-powered tools now help attackers automate phishing, create deepfake videos, and even bypass MFA protections.

Notable tools include:

  • DeepFaceLab / Faceswap – Realistic deepfakes to bypass identity verification.
  • FraudGPT / WormGPT – Unrestricted AI text generators for phishing and social engineering.
  • BlackmailerV3 – Automated extortion emails tailored with scraped personal data.
  • EvilProxy / Robin Banks – AI-generated phishing portals with Adversary-in-the-Middle capabilities.
  • ElevenLabs / Voicemy.ai – Voice cloning for vishing scams and bypassing voice authentication.
  • Telegram AI Fraud Bots – Impersonate customer support to trick victims into sharing sensitive data.

What This Means for Defenders

The modern threat landscape is built on speed, automation, and specialization. To defend against these darknet-driven threats, organizations should:

  • Monitor darknet forums for credentials, exploits, and mentions of their brand or domain.
  • Prioritize patching vulnerabilities that are actively traded or exploited in underground markets.
  • Strengthen identity protection with MFA, credential monitoring, and phishing-resistant authentication.
  • Educate staff about AI-powered phishing and social engineering techniques.
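
One way to act on the credential-monitoring advice above, as an added example that is not from the original article: a triage script that scans a recovered combo list or infostealer log for entries tied to the organization's own domains, so the affected accounts can be reset. The domain `example.com`, the sample lines, and the function names are assumptions constructed for illustration.

```python
import hashlib
import re

ORG_DOMAINS = {"example.com"}  # assumption: the organization's own domains

# Constructed sample lines in common combo-list / stealer-log shapes (not real data).
SAMPLE_DUMP = """\
alice@example.com:Summer2024!
bob@EXAMPLE.com;hunter2
https://vpn.example.com:8443/login:carol:p@ss:word
carol@other.test:qwerty
alice@example.com:Summer2024!
not a credential line
https://mail.other.test/:dave@example.com:letmein
"""

# url:user:password (URL may carry a port and path) and plain user:password.
URL_LINE = re.compile(r"^https?://([^/:\s]+)(?::\d+)?(?:/[^:\s]*)?[:;|](.+)$", re.I)
USER_PASS = re.compile(r"^([^:;|\s]+)[:;|](.+)$")

def in_org(host):
    """True if host is an organization domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

def triage(dump):
    """Return sorted, de-duplicated (account, portal_host, password_fingerprint)."""
    findings = set()
    for line in dump.splitlines():
        line = line.strip()
        host, rest = None, line
        m = URL_LINE.match(line)
        if m:  # stealer-log shape: the login URL comes first
            host, rest = m.group(1).lower(), m.group(2)
        m = USER_PASS.match(rest)
        if not m:
            continue  # not a credential line
        user, password = m.group(1).lower(), m.group(2)  # password may contain ':'
        email_domain = user.rpartition("@")[2] if "@" in user else ""
        if in_org(email_domain) or (host and in_org(host)):
            # Keep a truncated hash only, so plaintext passwords are not retained.
            fp = hashlib.sha256(password.encode()).hexdigest()[:12]
            findings.add((user, host or "", fp))
    return sorted(findings)
```

A hit on the portal host alone (the `carol` entry) matters as much as a hit on the email domain, because it points at a login for corporate infrastructure even when the username carries no domain.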

Bottom line: The darknet has industrialized cybercrime, making it easier for anyone — regardless of technical skill — to launch sophisticated attacks. By proactively monitoring these channels and closing exposure gaps, businesses can stay one step ahead.