The Dark Web is only a tiny fraction of the internet, but its impact is growing every day. By 2025, the Tor network had surpassed 3 million daily users: a sign that this ‘shadow zone’ is by no means marginal. Even when law enforcement dismantles criminal marketplaces, the system quickly regenerates itself. In 2026, the real challenge is no longer preventing every attack, but how quickly we can bounce back after a blow.
Today, the Dark Web is no longer a chaotic jumble of illegal activities: it has become an organised ecosystem, with internal rules, specialised roles and even “professionals” in digital crime. Among these, cyber mercenaries stand out: small teams operating in closed, ultra-selective forums, where reputation is everything and every transaction is airtight.
These environments adopt mechanisms typical of regulated markets: mandatory escrow systems, active moderation, dispute arbitration and stringent rules that guarantee operational stability and trust among participants.
But the real revolution is the arrival of autonomous AI agents designed to attack. We are not talking about simple chatbots: these are systems that manage entire offensive campaigns, from reconnaissance to data exfiltration. The result? Attacks that previously took days are now completed in a matter of minutes. The machines race ahead, whilst defences often remain slow and human.
This time gap marks the definitive move beyond prevention as the sole objective: operational resilience becomes the new metric of cyber maturity.
In the most discreet markets, one can buy initial access, zero-day exploits and ‘tailor-made’ services, such as the cracking of administrative hashes to gain total control of an infrastructure. When a group gains access to a compromised server but fails to crack the privileged account’s hash, it posts a request on the forum offering a reward for its decryption.
The figures vary enormously: from small sums of $50–$200 up to offers of thousands of dollars for particularly complex hashes. Cracking on commission is entrusted to specialists equipped with multi-GPU workstations and optimised configurations, a highly technical niche that allows partial access to be transformed into full control of compromised systems.
Demand is also growing for silent attacks, without ransomware, aimed solely at stealing data without leaving a trace. The real value today lies in invisible persistence, not in making a fuss. And whilst ransomware continues to evolve, digital trust is faltering: deepfakes, advanced phishing and hyper-targeted campaigns exploit psychology rather than technology, even bypassing MFA. Identity is becoming the new security perimeter.
Ransomware-as-a-Service models are increasingly integrating with initial access brokers, whilst deepfakes and advanced phishing are accelerating the crisis of digital trust, rendering many traditional controls ineffective.
What does all this mean? That the Dark Web is now a ‘regulated’ criminal factory, with capabilities similar to APTs. No business is too small to be a target. We need updated risk models, end-to-end visibility, controls on privileged access and automated responses. It is no longer a question of preventing every intrusion, but of restoring clean systems before the attacker adapts.
Now more than ever, cyber threat intelligence focused on the Dark Web and response automation are becoming essential for competing with an adversary who operates non-stop and at machine speed.
Analysis by Vasily Kononov, Threat Intelligence Lead, CYBEROO