performing-dark-web-monitoring-for-threats
Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked cre
Best use case
performing-dark-web-monitoring-for-threats is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked cre
Teams using performing-dark-web-monitoring-for-threats should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/performing-dark-web-monitoring-for-threats/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How performing-dark-web-monitoring-for-threats Compares
| Feature / Agent | performing-dark-web-monitoring-for-threats | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked cre
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Performing Dark Web Monitoring for Threats
## Overview
Dark web monitoring involves systematically scanning Tor hidden services, underground forums, paste sites, and dark web marketplaces to identify threats targeting an organization, including leaked credentials, data breaches, threat actor discussions, vulnerability exploitation tools, and planned attacks. This skill covers setting up monitoring infrastructure, using Tor-based collection tools, implementing automated alerting for brand mentions and credential leaks, and analyzing dark web intelligence for actionable threat indicators.
## When to Use
- When conducting security assessments that involve performing dark web monitoring for threats
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
## Prerequisites
- Tor Browser and Tor proxy (SOCKS5 on port 9050)
- Python 3.9+ with `requests`, `stem`, `beautifulsoup4`, `stix2` libraries
- Understanding of Tor hidden service architecture (.onion domains)
- API access to dark web monitoring services (Flare, SpyCloud, DarkOwl, Intel 471)
- Awareness of legal and ethical boundaries for dark web research
- Isolated VM for dark web browsing (no personal or corporate identity leakage)
## Key Concepts
### Dark Web Intelligence Sources
- **Underground Forums**: Hacking forums where threat actors discuss TTPs, sell exploits, and share tools
- **Paste Sites**: Platforms for sharing stolen data, credentials, and code snippets
- **Marketplaces**: Dark web markets selling stolen data, RaaS, exploit kits, and access
- **Telegram/Discord**: Alternative communication channels for cybercriminal groups
- **Ransomware Leak Sites**: Blogs where ransomware groups post stolen data from victims
### Collection Methods
- **Automated Crawling**: Tor-based web crawlers scanning hidden services
- **API-Based Monitoring**: Commercial dark web monitoring APIs (Flare, DarkOwl, Intel 471)
- **Manual HUMINT**: Analyst-driven research on specific forums and marketplaces
- **Credential Monitoring**: Breach databases and paste site monitoring for leaked credentials
### OPSEC for Dark Web Research
- Use dedicated VMs with no personal data
- Route all traffic through Tor (Whonix or Tails recommended)
- Never use personal accounts or identifiable information
- Use separate email addresses and personas for forum registration
- Disable JavaScript in Tor Browser for enhanced security
- Never download or execute files from dark web sources on production systems
## Workflow
### Step 1: Set Up Tor-Based HTTP Client
```python
import requests
from requests.adapters import HTTPAdapter
def create_tor_session():
"""Create a requests session routed through Tor SOCKS5 proxy."""
session = requests.Session()
session.proxies = {
"http": "socks5h://127.0.0.1:9050",
"https": "socks5h://127.0.0.1:9050",
}
session.headers.update({
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0",
})
return session
def verify_tor_connection(session):
"""Verify that traffic is routed through Tor."""
try:
resp = session.get("https://check.torproject.org/api/ip", timeout=30)
data = resp.json()
return {
"is_tor": data.get("IsTor", False),
"ip": data.get("IP", ""),
}
except Exception as e:
return {"error": str(e)}
```
### Step 2: Monitor Paste Sites for Credential Leaks
```python
import re
from datetime import datetime
def monitor_paste_sites(session, organization_domains):
"""Monitor paste sites for leaked credentials matching organization domains."""
findings = []
# Check Have I Been Pwned API (clearnet)
for domain in organization_domains:
try:
resp = requests.get(
f"https://haveibeenpwned.com/api/v3/breaches",
headers={"hibp-api-key": "YOUR_HIBP_KEY"},
timeout=30,
)
if resp.status_code == 200:
breaches = resp.json()
for breach in breaches:
if domain.lower() in breach.get("Domain", "").lower():
findings.append({
"source": "HIBP",
"breach_name": breach["Name"],
"breach_date": breach.get("BreachDate"),
"data_classes": breach.get("DataClasses", []),
"pwn_count": breach.get("PwnCount", 0),
"domain": domain,
})
except Exception as e:
print(f"[-] HIBP error for {domain}: {e}")
return findings
def search_for_keywords(session, keywords, onion_paste_urls):
"""Search dark web paste sites for specific keywords."""
results = []
for paste_url in onion_paste_urls:
try:
resp = session.get(paste_url, timeout=60)
if resp.status_code == 200:
content = resp.text.lower()
for keyword in keywords:
if keyword.lower() in content:
results.append({
"url": paste_url,
"keyword": keyword,
"timestamp": datetime.utcnow().isoformat(),
"snippet": extract_context(content, keyword.lower()),
})
except Exception as e:
print(f"[-] Error fetching {paste_url}: {e}")
return results
def extract_context(text, keyword, context_chars=200):
"""Extract text context around a keyword match."""
idx = text.find(keyword)
if idx == -1:
return ""
start = max(0, idx - context_chars)
end = min(len(text), idx + len(keyword) + context_chars)
return text[start:end]
```
### Step 3: Monitor Ransomware Leak Sites
```python
def check_ransomware_leak_sites(session, organization_name):
"""Check known ransomware group leak sites for organization mentions."""
# Use Ransomwatch API (clearnet aggregator of ransomware leak sites)
try:
resp = requests.get(
"https://raw.githubusercontent.com/joshhighet/ransomwatch/main/posts.json",
timeout=30,
)
if resp.status_code == 200:
posts = resp.json()
matches = []
for post in posts:
post_title = post.get("post_title", "").lower()
if organization_name.lower() in post_title:
matches.append({
"group": post.get("group_name", ""),
"title": post.get("post_title", ""),
"discovered": post.get("discovered", ""),
"url": post.get("post_url", ""),
})
return matches
except Exception as e:
print(f"[-] Ransomwatch error: {e}")
return []
```
### Step 4: Generate Dark Web Intelligence Report
```python
def generate_dark_web_report(findings, organization):
"""Generate structured dark web intelligence report."""
report = {
"organization": organization,
"report_date": datetime.utcnow().isoformat(),
"executive_summary": "",
"credential_leaks": [],
"ransomware_mentions": [],
"dark_web_mentions": [],
"recommendations": [],
}
for finding in findings:
if finding.get("source") == "HIBP":
report["credential_leaks"].append(finding)
elif finding.get("group"):
report["ransomware_mentions"].append(finding)
else:
report["dark_web_mentions"].append(finding)
# Generate executive summary
cred_count = len(report["credential_leaks"])
ransom_count = len(report["ransomware_mentions"])
report["executive_summary"] = (
f"Monitoring identified {cred_count} credential leak sources "
f"and {ransom_count} ransomware group mentions for {organization}."
)
if ransom_count > 0:
report["recommendations"].append(
"CRITICAL: Organization mentioned on ransomware leak site. "
"Initiate incident response immediately."
)
if cred_count > 0:
report["recommendations"].append(
"HIGH: Leaked credentials detected. Force password resets for "
"affected accounts and enable MFA."
)
return report
```
## Validation Criteria
- Tor connection established and verified via check.torproject.org
- Credential leak monitoring returns results from HIBP and paste sites
- Ransomware leak site monitoring identifies relevant mentions
- Dark web intelligence report generated with actionable recommendations
- All monitoring performed within legal and ethical boundaries
- OPSEC maintained: no personal or corporate identity exposure
## References
- [Tor Project](https://www.torproject.org/)
- [Have I Been Pwned API](https://haveibeenpwned.com/API/v3)
- [Ransomwatch](https://github.com/joshhighet/ransomwatch)
- [DarkOwl](https://www.darkowl.com/)
- [Intel 471](https://intel471.com/)
- [Flare Systems](https://flare.io/)Related Skills
performing-yara-rule-development-for-detection
Develop precise YARA rules for malware detection by identifying unique byte patterns, strings, and behavioral indicators in executable files while minimizing false positives.
performing-wireless-security-assessment-with-kismet
Conduct wireless network security assessments using Kismet to detect rogue access points, hidden SSIDs, weak encryption, and unauthorized clients through passive RF monitoring.
performing-wireless-network-penetration-test
Execute a wireless network penetration test to assess WiFi security by capturing handshakes, cracking WPA2/WPA3 keys, detecting rogue access points, and testing wireless segmentation using Aircrack-ng and related tools.
performing-windows-artifact-analysis-with-eric-zimmerman-tools
Perform comprehensive Windows forensic artifact analysis using Eric Zimmerman's open-source EZ Tools suite including KAPE, MFTECmd, PECmd, LECmd, JLECmd, and Timeline Explorer for parsing registry hives, prefetch files, event logs, and file system metadata.
performing-wifi-password-cracking-with-aircrack
Captures WPA/WPA2 handshakes and performs offline password cracking using aircrack-ng, hashcat, and dictionary attacks during authorized wireless security assessments to evaluate passphrase strength and wireless network security posture.
performing-web-cache-poisoning-attack
Exploiting web cache mechanisms to serve malicious content to other users by poisoning cached responses through unkeyed headers and parameters during authorized security tests.
performing-web-cache-deception-attack
Execute web cache deception attacks by exploiting path normalization discrepancies between CDN caching layers and origin servers to cache and retrieve sensitive authenticated content.
performing-web-application-vulnerability-triage
Triage web application vulnerability findings from DAST/SAST scanners using OWASP risk rating methodology to separate true positives from false positives and prioritize remediation.
performing-web-application-scanning-with-nikto
Nikto is an open-source web server and web application scanner that tests against over 7,000 potentially dangerous files/programs, checks for outdated versions of over 1,250 servers, and identifies ve
performing-web-application-penetration-test
Performs systematic security testing of web applications following the OWASP Web Security Testing Guide (WSTG) methodology to identify vulnerabilities in authentication, authorization, input validation, session management, and business logic. The tester uses Burp Suite as the primary interception proxy alongside manual testing techniques to find flaws that automated scanners miss. Activates for requests involving web app pentest, OWASP testing, application security assessment, or web vulnerability testing.
performing-web-application-firewall-bypass
Bypass Web Application Firewall protections using encoding techniques, HTTP method manipulation, parameter pollution, and payload obfuscation to deliver SQL injection, XSS, and other attack payloads past WAF detection rules.
performing-vulnerability-scanning-with-nessus
Performs authenticated and unauthenticated vulnerability scanning using Tenable Nessus to identify known vulnerabilities, misconfigurations, default credentials, and missing patches across network infrastructure, servers, and applications. The scanner correlates findings with CVE databases and CVSS scores to produce prioritized remediation guidance. Activates for requests involving vulnerability scanning, Nessus assessment, patch compliance checking, or automated vulnerability detection.