Abigail Klein Leichman
February 28

A review of trends on the “dark web,” a shadowy area of the deep web that can only be accessed via a specific browser, was released by Cybersixgill, a global Tel Aviv-based cyber threat intelligence data provider.

State of the Underground 2024 was compiled from the company’s collected intelligence from the clear, deep and dark web in 2023. The report features insights from Cybersixgill’s threat intelligence experts into underground cybercriminal discourse, tactics and behaviors, comparing them with previous years and revealing threat actors’ current activities and targets. 

“Our expert threat analysts collect and analyze 10 million intelligence items daily from the deep and dark web,” said Dov Lerner, security research lead at Cybersixgill.

“With the breadth and depth of our intelligence and Cybersixgill’s powerful AI and machine learning capabilities, we can continually monitor the cybercriminal underground and analyze evolving trends.”

Good news and bad news

Among the report’s significant findings:

  • Underground markets for compromised credit cards, which has been declining over the past five years, made a 25% rebound in 2023, reaching 12,022,455 cards (still far fewer than the more than 140 million compromised cards detected for sale in 2019).
  • Threat actors have shifted from underground forums to messaging platforms like Telegram. Still, in 2023, both areas saw significant declines, which could be tied to a 50% drop in right-wing extremist forum activity as law enforcers disbanded major forums like RaidForums and BreachForums.
  • In 2023, despite a small rise in the number of new vulnerabilities added to the National Vulnerability Database (NVD), the pace has slowed compared to previous years. Between 2022-2023, there were 5.4% more new vulnerabilities added to the NVD, compared to 36.1% between the period 2021-2022. However, the impact and number of attacks were still substantial.
  • Stealers, a type of malware that gathers valuable data like credentials from infected systems, have increased in popularity. In 2023, threat actors used four new types of stealer malware in large numbers — Stealc, Risepro, Lumma and Silencer – while established stealers like Raccoon and Vidar remained popular.
  • Last year, the wholesale trading of remote desktop protocol (RDP) ports ceased entirely due to the closure of some prominent underground markets. However, listings of compromised endpoints – a crucial entry for threat actors to gain a foothold in an organization’s systems to launch ransomware and other attacks – rose by 88%. Compromised domains also rose by 17% compared to 2022.
  • In 2023, Cybersixgill reported a 9.2% decrease in ransomware attacks, yet attacks have grown more targeted and sophisticated, with average payouts soaring in the millions of dollars. At the same time, there was a continued rise in ransomware-as-a-service offerings, lowering the entry barriers for less sophisticated threat actors. The U.S. and UK remained prime targets, highlighting the global ransomware threat.

“While advances in threat intelligence and cybersecurity, more stringent regulation, and stepped-up law enforcement activities are putting a dent in cybercriminals’ efforts, malicious actors are focusing their efforts on tactics and targets that generate the greatest return,” Lerner said.

“Organizations that combine broad visibility into hard-to-reach sources with automated analysis gain an important advantage in the ongoing battle to protect their people and assets.”

To learn about the above findings in greater detail, download Cybersixgill’s “State of the Underground” here.

More on News