The Data That Matters Is No Longer on the Dark Web


Dark web monitoring made sense when it started. Go where the criminals hang out, find the threats. Venues like RaidForums and BreachForums were open markets where stolen credentials, attack tools, and campaign plans changed hands in full view of researchers and law enforcement.
That window has closed. A series of government raids and takedowns in recent years drove criminal operations deeper into encrypted channels, private Telegram groups, and invitation-only communities with no public footprint. The most sophisticated threat actors moved first and deepest. What's left on the dark web is mostly opportunistic actors, recycled data, and noise - a conclusion Google reached in December 2025, when it discontinued its own dark web report, citing user feedback that the alerts didn't translate into action.
This means that organizations anchoring their threat intelligence programs in dark web monitoring may be playing at a table that the high rollers have abandoned. And even when dark web coverage does surface something relevant, it can by definition capture only intent - what someone claimed to be planning, in a forum, at a point in time.
In this blog, we'll examine why dark web intelligence leaves defenders a step behind, where threat indicators have migrated, and what it looks like to act on signals that actually matter.
Where the Criminals Went
The dark web's decline as a criminal coordination hub started when the DOJ seized RaidForums in April 2022. Genesis Market was dismantled in April 2023, and BreachForums was seized in June 2023, relaunched, seized again in May 2024, and went dark for good in August 2025. Each takedown pushed actors further from venues that defenders could systematically monitor.
The next stop was Telegram - highly encrypted and loosely moderated. This made it the default destination for threat actors displaced by forum seizures. And indeed, Kaspersky found that cybercriminal activity on Telegram grew 53% in 2024 compared to the year before. But then it started working less well for criminals.
When French authorities arrested Telegram founder Pavel Durov in August 2024, the platform began cooperating with law enforcement. Not surprisingly, Kaspersky documented a sharp rise in channel takedowns from late 2024 into 2025. And threat actors scattered across encrypted messaging apps and various private channels.
The moral of this story is that communication-based monitoring simply can't keep up. That's why security leaders are today shifting from hunting intent on the dark web to hunting action elsewhere.
Intent vs. Action - Where the Real Signals Live
Even in its heyday, dark web monitoring could only really capture intent - forum posts, claims, announcements, offers. It could tell researchers that a threat actor was interested in a target, had acquired certain tools, or was advertising a malicious capability. That information had value. Yet it could never tell security stakeholders what infrastructure was already being staged, which specific assets were being targeted, or when an operation would actually go live.
Action is a more tangible beast. Regardless of where attackers congregate to chat, every campaign requires infrastructure. And the construction process is observable. MITRE's PRE-ATT&CK framework defines this as the resource development stage: the phase where attackers build capability before they deploy it. The signals the pre-attack phase produces are hiding in plain sight, not in forums, and include:
- Domain registrations tied to target brands or known campaign naming patterns
- TLS certificates issued to hosts with no legitimate purpose
- Command-and-control server provisioning and configuration
- Scanning activity against exposed services in sequences that match known staging behavior
- ASN and hosting provider reuse across campaigns
At Malanta, we call these Indicators of Pre-Attack - IoPAs. They show what's being built, what it's aimed at, and how much time defenders still have to act.
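To make the first bullet concrete, here is a small detector, added as an illustration and not Malanta's own code, that scans a constructed feed of new domain registrations and Certificate Transparency hostnames for lookalikes of a hypothetical monitored brand ("acmecorp"). It flags three patterns a defender would want surfaced at the resource development stage: the brand embedded in a new name, homoglyph substitutions (such as "rn" for "m"), and one-edit typosquats.

```python
"""Flag brand-lookalike domains in a constructed feed of new-infrastructure events."""

BRAND = "acmecorp"  # hypothetical monitored brand, lowercase with hyphens removed

# Constructed sample feed (not real data): WHOIS registrations and CT-log hostnames.
SAMPLE_EVENTS = [
    {"source": "whois", "name": "acme-corp-login.example"},  # brand embedded
    {"source": "ct",    "name": "sso.acrnecorp.example"},    # "rn" mimics "m"
    {"source": "ct",    "name": "mail.acmecrop.example"},    # adjacent transposition
    {"source": "whois", "name": "weatherdaily.example"},     # benign
    {"source": "ct",    "name": "acme.example"},             # too far from the brand
]

HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def registrable_label(hostname):
    """Label left of the TLD (single-label suffix assumed; real code would use the PSL)."""
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def fold_homoglyphs(s):
    """Map common look-alike character sequences back to the letters they imitate."""
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s

def damerau_distance(a, b):
    """Optimal string alignment distance: edits cost 1, adjacent transpositions cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(hostname, brand=BRAND):
    """Return the matching pattern name for a brand lookalike, or None if it looks unrelated."""
    label = registrable_label(hostname).replace("-", "")
    if brand in label:
        return "brand_embedded"
    if fold_homoglyphs(label) == brand:
        return "homoglyph"
    if damerau_distance(label, brand) <= 1:
        return "typosquat"
    return None

def find_iopas(events, brand=BRAND, allowlist=frozenset()):
    """Return (source, name, reason) for feed events that resemble the brand."""
    return [(ev["source"], ev["name"], classify(ev["name"], brand))
            for ev in events if ev["name"] not in allowlist and classify(ev["name"], brand)]
```

Feed the output into the same triage queue as your other early-warning sources; a hit with a freshly issued certificate is a stronger signal than a bare registration because it suggests the host is being prepared to serve traffic.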
A Different Approach
According to the CrowdStrike 2026 Global Threat Report, the average time between an attacker's initial access and their first lateral movement fell to 29 minutes in 2025. The fastest observed breakout clocked in at 27 seconds. In one documented case, data exfiltration began within four minutes of initial compromise. And 82% of intrusions involved no malware at all - attackers simply logged in with valid credentials and moved through environments using legitimate tools.
At those speeds, a forum post loses relevance. By the time a threat surfaces in a criminal channel - assuming it ever does - the infrastructure is built and the clock has started. The signals that actually matter appear earlier, during setup, when attacker infrastructure is still being assembled.
A 2025 Google Cloud analysis found that DNS-based threat detection identifies malicious infrastructure an average of 68 days before other security tools catch it. And DNS is just one such signal. Pre-attack signals surface on the open internet the moment an attacker starts building. That window - between when attacker infrastructure appears and when it goes live - is where defenders have the most leverage. The question is whether the tools they have in place are designed to operate there.
The Bottom Line
Dark web monitoring remains a valuable, if limited, tool in the security stack. The visibility it provides into criminal intent has real value. Yet the threat environment has moved on. Sophisticated actors have fragmented across platforms that resist systematic monitoring, attack timelines have compressed to the point where intent-based intelligence rarely arrives early enough to act on, and the forums that once made dark web coverage credible are largely gone.
The data that actually changes outcomes lives in the infrastructure attackers build before they strike - domains, certificates, servers, and scanning patterns that surface on the open internet, weeks or months before any attack launches. That's where the leverage is. That's where prevention is still possible.
Start preventing attacks before they launch. Get access to Malanta today.