Dark Web OSINT: Tor, I2P, and Investigation Workflow

Manish Garg, Associate of (ISC)² · RingSafe
Apr 25, 2026

Last updated: April 26, 2026

Dark-web OSINT — investigating threat actors, leaked data, ransomware blogs, marketplaces — requires specific tooling and OPSEC discipline. Tor and I2P are the primary anonymity networks; each has distinct use cases for cybercrime. This article covers practical dark-web OSINT for security teams.

The networks

  • Tor — dominant network for cybercrime; .onion services; ~3 million daily users
  • I2P — smaller but significant; .i2p eepsites; some marketplaces moved here after Tor takedowns
  • Freenet, ZeroNet — niche; less cybercrime activity

What you find

  • Ransomware leak blogs — every active ransomware operation maintains a .onion blog with victim shaming and stolen-data downloads
  • Marketplaces — cybercrime services, leaked data, drugs, fake documents
  • Forums — BreachForums (resurrected), various criminal communities
  • Initial access broker (IAB) ads — selling access to specific compromised companies
  • OFAC / sanctioned-entity infrastructure

Setup for safe browsing

# Install Tor Browser (official)
https://www.torproject.org

# Or Whonix VM for stronger isolation
https://www.whonix.org/

# Or Tails OS for amnesic operations
https://tails.net/

# For automation:
# Configure SOCKS proxy via tor service:
sudo apt install tor
sudo systemctl start tor
# Tor SOCKS proxy at 127.0.0.1:9050

# curl through Tor:
curl --socks5-hostname 127.0.0.1:9050 http://example.onion

Discovery — finding .onion addresses

  • Ahmia, OnionScan — clearnet-accessible Tor search engines
  • Threat-intel feeds — list known ransomware blogs with current .onion addresses
  • Dark.fail — directory of well-known dark-web services with verified addresses (anti-phishing)
  • Forum / Telegram cross-references — addresses shared in cybercrime communities

Practical workflow

  1. Identify ransomware blog of interest — operator targeting your sector / company
  2. Browse with Whonix or Tails for OPSEC
  3. Document findings — screenshots, victim list, leak metadata
  4. Cross-reference with company name — has your organisation appeared?
  5. Monitor on cadence — daily crawl of priority blogs

Automated monitoring

# Python with requests + Tor SOCKS (requests needs the PySocks package for socks5h:// proxies)
import requests

# socks5h:// hands hostname resolution to Tor, so the .onion name is never sent to local DNS
proxies = {'http':  'socks5h://127.0.0.1:9050',
           'https': 'socks5h://127.0.0.1:9050'}
r = requests.get('http://example.onion', proxies=proxies, timeout=60)
r.raise_for_status()
# Parse, store, monitor for changes

# Commercial tools
# Recorded Future, Flashpoint, DarkOwl — comprehensive dark-web monitoring
# Indian-market: NETFAB, Sectrio
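The "parse, store, monitor for changes" step of the workflow (steps 4 and 5 above), worked through as an added example that is not from the original article: each crawl of a leak blog is hashed and diffed against the stored state, and new entries are checked against a watchlist of your own organisation names. The blog name, the sample HTML and the watchlist are constructed for illustration; only fetch_via_tor touches the network, and it assumes a local tor service on 127.0.0.1:9050.

```python
import hashlib
import re

# Local Tor SOCKS proxy; socks5h makes Tor resolve the .onion name (no local DNS leak).
TOR_PROXIES = {"http": "socks5h://127.0.0.1:9050", "https": "socks5h://127.0.0.1:9050"}

def fetch_via_tor(url, timeout=60):
    """Fetch a .onion page through the local Tor SOCKS proxy (needs requests + PySocks)."""
    import requests  # imported here so the offline diff logic below has no hard dependency
    resp = requests.get(url, proxies=TOR_PROXIES, timeout=timeout)
    resp.raise_for_status()
    return resp.text

def extract_entries(html):
    """Crude tag stripping: return the page's visible text lines (titles, victim names)."""
    text = re.sub(r"<[^>]+>", "\n", html)
    return [line.strip() for line in text.splitlines() if line.strip()]

def check_blog(name, html, watchlist, state):
    """Diff one crawl against the stored state and return alert strings.
    state maps blog name -> {"sha256", "entries"}; the caller persists it between runs.
    The first crawl only records a baseline, so a newly added blog raises no alerts."""
    digest = hashlib.sha256(html.encode("utf-8")).hexdigest()
    entries = extract_entries(html)
    prev = state.get(name)
    state[name] = {"sha256": digest, "entries": entries}
    if prev is None or prev["sha256"] == digest:
        return []
    alerts = []
    for entry in entries:
        if entry in prev["entries"]:
            continue
        alerts.append(f"[{name}] new entry: {entry}")
        for org in watchlist:
            if org.lower() in entry.lower():
                alerts.append(f"[{name}] WATCHLIST HIT '{org}' in: {entry}")
    return alerts

# Constructed sample pages standing in for two daily crawls of one leak blog.
CRAWL_DAY1 = "<html><body><h1>Leaks</h1><ul><li>Acme Logistics Ltd</li></ul></body></html>"
CRAWL_DAY2 = ("<html><body><h1>Leaks</h1><ul><li>Acme Logistics Ltd</li>"
              "<li>Example Bank Ltd - 120 GB</li></ul></body></html>")

def demo(watchlist=("Example Bank",)):
    # Run both crawls through one state dict; returns (baseline_alerts, day2_alerts).
    state = {}
    day1 = check_blog("blog-a", CRAWL_DAY1, list(watchlist), state)
    day2 = check_blog("blog-a", CRAWL_DAY2, list(watchlist), state)
    return day1, day2
```

In a real deployment replace CRAWL_DAY* with fetch_via_tor(url) on each scheduled run and persist the state dict (for example as JSON) so the diff survives between runs.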

OPSEC critical points

  • Never use Tor from a personal internet connection without a VPN — your ISP can see the Tor connection (legal, but identifying)
  • Never download executables from dark-web sources onto the investigation system
  • Never log into personal services through Tor (it de-anonymises you)
  • Use Whonix or Tails for strict isolation
  • Investigate in compartmented VMs; reset between sessions

Legal context

  • Visiting public dark-web sites is legal in India (and most jurisdictions) for legitimate investigation
  • Purchasing illegal goods or downloading stolen data is illegal
  • For confirmed criminal activity, coordinate with law enforcement (CERT-In, sectoral CERTs, cyber crime cells)
  • Tor itself is legal in India

Indian-context findings

  • Several Indian bank, fintech, and government databases have leaked through dark-web ransomware blogs in 2023-25
  • Stolen Aadhaar / PAN datasets traded on multiple platforms
  • Indian-language carding communities increasingly active

The takeaway

Dark-web OSINT yields high-signal threat intelligence — early warning of organisation breach, IAB ads targeting your sector, ransomware operator targeting patterns. The investment is OPSEC infrastructure (Whonix/Tails) and monitoring discipline. Commercial tools provide breadth; manual investigation provides depth. For threat-intel teams covering Indian BFSI, dark-web monitoring is now table-stakes.
