Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Hacking Communities in the Deep Web, Part 2

Written by Thycotic Team

June 16th, 2015

Editor’s Note: We’ve partnered with the InfoSec Institute author Pierluigi Paganini to offer a two part guest blog post series on the changing roles of hackers and their communities in the deep web. Have you had experiences in the deep web? Share your stories in the comment section below.

The opinion of an Expert – Paolo Stagno


In order to give you an illustrious opinion about the hacking in the Deep Web, I decided to involve a valuable colleague, Paolo Stagno, aka VoidSec, which is a Cyber Security Analyst specialized in Underground Intelligence. Paolo is attending as speaker at various international conferences, including DEFCON, BlackHat, and Droidcon, and he is the leader and founder of, a meeting place where hackers can share experience and ideas.

Below my questions for Paolo regarding deep web and hacking communities:

What can we find in the in the Deep Web?

The Deep web is a “hidden reality” where is possible to find every kind of illegal products and services. Black markets are the places in the Deep Web were sellers offers their illegal goods and services, including drugs, weapons, counterfeit, stolen merchandise, credit cards, access to bank accounts, fake identities and related documents, various accounts, trafficking in persons, organs, hacking services and also hitmen.

The hacking market inside the deep web is flourishing thanks to the anonymity offered by the communications protocols implemented in this part of the web. The newest trend observed by security experts is the model of sale known as hacking as a service. The addition of a technical support to the hacking tools (i.e. Friendly interfaces, email and IRC) lowers the level of difficulty for their usage, ransomware kits, for example, are offered according this model example allowing anyone to commit crimes just for 50 €.

Most common services available in the hacking underground are:

  • Hire an hacker
  • Botnet
  • exploit kit
  • 0day
  • Crypter
  • DDoS
  • Doxing
  • Spam
  • Malware
  • Money laundering services

For renting a botnet, usually used to run spam or for DDoS campaign, users pay a price from 2-5$ / month (with a limitation on the number of attack sessions and their duration) up to $ 100-200 every day for more complex attacks.

Exploit kits are still sold in their entirety (including source code), but they still have exorbitant prices ($ 20-30k), for this reason, users rent them for the limited periods ($ 500 / month). A similar approach is the same goes for 0-day exploits that can cost up to hundreds of thousands of euro (MS-15-034).

Which are the principal players of the hacking on the Deep Web?

In deepweb, there are several hacking communities that are accessible via both anonymizing protocols or via Clearnet. Many of them are accessible only by invitation resulting exclusive, usually they are focused on specific topics (i.e. trojanforge: malware and reversing), but there are also generic communities (hackforum) in which members address various issues related to the world of hacking except carding, frauds or “financial” crimes.

In the Darknets, there are many forums and chat dedicated to activities of black hacking, but the sale of products and services is arranged through black marketplaces to reach a wide audience. The major players in the hacking landscape in the deep web are:

  • Agora (TOR)
  • silkroadreloaded (I2P – potentially dying due to the transfer from TOR I2P resulting in reduction of total consumption)
  • TheRealDeal (TOR) past the spotlight recently due to the possibility of buying 0day exploits
  • DreamMarket (TOR)
  • MRNiceGuy (TOR, clone of the original)
  • Outlaw (TOR)
  • MajesticGarden (TOR)

Among the blackmarket in Clearnet find

  • Rescator
  • Lampeduza

What are the risks for buyers?

The black markets hosted in the Darknet increase the safety of both sellers and buyers, making hard to track them by law enforcement. In any case, there is the concrete risk that users fall victim of a website used as honeypot by the law enforcement.

Another risk for buyers is that law enforcement can intercept the shipment of real and illegal products (i.e. Drugs or weapons).

How is the payment, what guarantees the buyer?

Trust is one of the major problems of the hacking communities, in the black markets, exactly like in any other market, the operators have been implemented a reputation mechanism based on the buyers’ feedbacks. Some black markets implement escrow mechanisms based on BTC MultiSignature in order to protect both sellers and buyers.

The Payment is generally made by exploiting virtual currency schema such as Bitcoin and Litecoin, rarely operators allow PayPal, Western Union and other payment systems.

What activities conduct VoidSec in DeepWeb?

VoidSec runs an intense activity of Underground Intelligence by performing research and prevention of threats, primarily by monitoring the main marketplaces and hacking communities. We analyze the latest trends, products and services offered in the DeepWeb.


As we have seen it not so difficult to hire a hacker in the numerous black markets available on the Deep Web, especially when someone needs simple tasks. The situation is quite different when you search for a professional hacking team to hire; these groups usually use different channels to communicate with a restricted number of clients. Another consideration to make is that the majority of services offered through several hidden services are scams and in many cases, the hackers are not able to complete their tasks.

For this reason, users that intend to hire a hacker usually refer black markets due to the reputation mechanisms they implements.

Another reflection to make is that the prices for various hacking services are quite similar among the different forums or hacking communities, this can allow us to monitor the evolution and trends in the hacking underground. Price variations, for example, could be caused by to the sudden availability of a product in the criminal ecosystem. The availability of a large amount of data related to a data breach could cause a decrease for the price of a single record and sustain the offer hacker against clients of organizations affected.

This information is extremely valuable for law enforcement and for those who constantly monitor criminal groups and their operations.

Stay tuned …

Read Part 1 of this blog post here >


Pierluigi Paganini

Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security)Treat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at Cyber Defense magazine, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to create the blog “Security Affairs,” recently named a Top National Security Resource for US. Pierluigi is a member of the The Hacker News team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News magazine and for many other security magazines. He is the author of the books The Deep Dark Web and Digital Virtual Currency and Bitcoin.


Like this post?

Get our top blog posts delivered to your inbox once a month.