Inside the dark web: Stolen identities for 95¢, malware, and scams-for-hire
2026-6-23 15:52:17 Author: www.malwarebytes.com

Most people have heard of the dark web, but few understand what it actually looks like or what goes on there. To separate fact from fiction, our research team spent 48 hours exploring it firsthand and documenting what we found.

The dark web isn’t inherently bad. It also serves legitimate purposes, providing a layer of privacy for journalists, whistleblowers, activists, and others who need to communicate anonymously. Accessing it typically requires the Tor browser, and a number of reputable organizations operate official dark web sites. For example, the BBC’s news website is available through the following Tor address: http://bbcweb3hytmzhn5d532owbu6oqadra5z3ar726vq5kgwwn6aucdccrad.onion

But alongside these legitimate uses is a thriving criminal ecosystem.

What we discovered was an organized, active underground economy that operates in ways most people never imagine. Cybercriminals don’t work alone. They gather in underground cybercrime forums where they discuss emerging attack methods, share techniques, and collaborate on ways to target people around the world.

Think of it less as a dark alley and more as a professional network for cybercriminals.

WWH is a Russian-language community that advertises itself as a meeting place for professionals
More than 115,000 members on the underground forum Dark Forums, a hub for stolen data and hacking tools

Beyond these forums, we encountered dedicated cybercrime marketplaces. These function like online stores where hackers and fraudsters can buy and sell a range of compromised digital goods, from stolen account credentials to hacking tools, all transacted anonymously using cryptocurrency.

Fun fact: Many of these marketplaces are named after well-known public figures, including US President Donald Trump.

A “Donald Trump Store” ad for stolen credit card data

The dark web compass

Cybercriminals come from every corner of the world, and like any global community, they need a way to find each other. That’s where link boards come in.

Link boards are directories that collect hundreds of underground forums and marketplaces. They’re organized by language, and act as a dark web compass.

A cybercriminal can operate within a community that speaks their native language or join larger English-language forums that attract an international audience.

Not all forums carry the same weight, though. In 2026, the community is largely concentrated around dominant platforms like BreachForums and DarkForums. More exclusive Russian-language forums such as Exploit and XSS tend to attract some of the underground’s more sophisticated cybercriminals.

The Link-Base directory

Compromised data: Your information may already be out there

Most people have no idea how much of their personal information is already circulating on the dark web. In many cases, the first challenge is simply knowing whether your information has been exposed at all. You can check yours here.

To understand the scale of the problem, it helps to compare what’s publicly known with what we found beneath the surface.

Publicly reported breaches are only part of the story. Since the beginning of 2026, Malwarebytes researchers have identified more than 7,500 compromised data sets containing over 8.4 billion records. These include data stolen in breaches, harvested through phishing campaigns, scraped from online services, and exposed through misconfigured systems.

Among the organizations affected are household names such as SoundCloud, ADT, Hallmark, Amtrak, Vimeo, and Instagram.

But as significant as those numbers are, they only tell part of the story.

A section of DarkForums dedicated to leaked databases

When we examined the databases section on DarkForums, one of the underground’s most active platforms, we found 63 pages of listings posted since the start of 2026. With 20 listings per page, that’s over 1,200 small and medium-sized data breaches, most of which never made public headlines.

The picture on BreachForums was similar. Since the beginning of the year, the platform has accumulated 37 pages of database listings, each containing 20 entries, adding more than 700 additional compromised databases to the already huge pool of stolen data.

Add it all together, and the publicly reported breaches are only the tip of the iceberg. Much of the stolen personal data traded online changes hands quietly and out of sight.

Typical forum page listing compromised data

US identities for sale

One of the most consistently sought-after commodities in the cybercrime underground is something hackers call “fullz”: a complete package of a real person’s identity information. In 2026, US identities remain especially valuable due to the country’s financial infrastructure, high credit limits, and wide range of services that can be exploited for fraud.

A typical fullz package includes a full name, Social Security Number (SSN), date of birth, address, and other personal details. In the wrong hands, this information is a ready-made toolkit for identity fraud. It allows cybercriminals to open fraudulent credit accounts, file fake tax returns, access financial accounts, or even obtain medical services under someone else’s name.

What makes fullz particularly dangerous is that victims often have no idea their identity has been compromised until long after the damage is done. Sometimes that’s months or even years later, when debt collectors come calling or a credit application gets unexpectedly denied.

It’s no surprise that the US remains one of the countries most heavily targeted by identity thieves. More than 1.15 million cases of identity theft were reported to the Federal Trade Commission (FTC) in the first three quarters of 2025 alone, already surpassing the total number reported during all of 2024.

During our research, we came across 9-Digits Market, one of many dark web marketplaces specializing in selling stolen identity data. What stood out was the price. A complete US identity profile was listed for as little as $0.95.

For less than the cost of a cup of coffee, a cybercriminal can buy enough information to devastate someone’s financial life.

9-Digits marketplace selling stolen US identities

How cybercriminals use malware to target your computer

Data breaches aren’t the only way your personal information ends up on the dark web. Sometimes the source is much closer to home: your own computer. During our time on the dark web, we encountered the developers behind a particularly dangerous category of malware known as infostealers, or just “stealers”. The concept is simple, which is partly why it’s so effective.

Once installed, an infostealer silently searches a device for anything valuable. That can include saved usernames and passwords, autofill data, stored payment details, cryptocurrency wallets and other sensitive information. That stolen data is then sent back to the attacker.

Below is a sneak peek at the STORM stealer panel, which compromised a US-based computer and stole 87 username-and-password combinations from the device.

STORM infostealer discovered on a Russian-language cybercrime forum
STORM infostealer management panel
STORM infostealer capabilities

Perhaps the most alarming part is how accessible this type of malware has become. In 2026, any aspiring cybercriminal can rent an infostealer on a subscription basis, requiring little technical knowledge and no major financial investment. Cybercrime-as-a-service has dramatically lowered the barrier to entry.

The STORM infostealer can be rented by cybercriminals

The stolen data is then sold or leaked on underground forums and marketplaces. We were shocked by the sheer volume involved.

On any given day, millions of stolen credentials are shared across these platforms. Behind each of those rows is a real person, completely unaware that their digital life is being picked apart and traded like a commodity.

Datasets of leaked usernames and passwords shared on the dark web
Correlations of leaked usernames and passwords shared on the dark web

Fake investments and cryptocurrency scams

Not all cybercrime revolves around stolen passwords or leaked databases. Some criminals chase much more lucrative payouts through carefully planned social engineering scams. One of the most sophisticated and damaging examples we encountered was the crypto investment scam, also known as pig butchering.

The tactic behind it is highly effective. Criminals invest considerable time and effort into building what appears to be a genuine relationship with their target through dating apps, social media, or messaging platforms.

They are patient, friendly, and convincing, slowly earning the victim’s trust over days or even weeks. Only after establishing trust do they introduce what appears to be an exciting investment opportunity. By the time the victim realizes something is wrong, their money is gone and the person they trusted has vanished without a trace.

Active crypto scam operation on a dark web forum

During our research, we observed a large-scale crypto fraud operation already fully up and running, targeting new victims with polished, high-end fake investment platforms specifically designed to keep victims hooked for long periods.

The operation offered:

  • Full documentation, scripts, and credibility props. Everything needed to appear legitimate from day one.
  • Carefully crafted communication guides and social engineering playbooks designed to psychologically pressure victims into maxing out credit cards, taking out loans, and repeatedly investing more money.
  • In-house development teams building fake trading platforms that closely mimic legitimate investment services.
Ongoing scam project on a dark web forum

Our researchers also managed to gain access to one of these fraudulent platforms, and we were unsettled by the level of sophistication.

These are not amateur operations. They are well-funded, professionally run criminal enterprises that treat deception as a business.

Sneak peek into real investment scam project

In just 48 hours, we found stolen identities, malware-for-hire, leaked passwords, and industrial-scale fraud operations. Most people will never visit the dark web, but its effects can still reach them through data breaches, malware infections, and scams.

Malwarebytes helps protect against each of those threats. Our data breach monitoring service alerts you if your personal information appears in a known breach. Identity Theft Protection monitors sensitive information, including your Social Security number, while Scam Guard uses AI-powered detection to help identify suspicious texts, emails, links, and phone numbers before they can cause harm.

The dark web thrives on stolen information. Knowing when your data is exposed is the first step to staying ahead of it.


Source: https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-the-dark-web-stolen-identities-for-95%c2%a2-malware-and-scams-for-hire