At 2:51 AM on a Tuesday, a credential pair belonging to someone on your organization’s finance team lands in a Telegram channel frequented by initial access brokers. By 9 AM your team arrives at the office, unaware. By 3 PM a ransomware affiliate has used those credentials to authenticate to your VPN.
This scenario plays out hundreds of times daily across organizations of every size. The dark web is not a mythological place — it is a distributed collection of forums, markets, and communication channels where stolen data is traded, and it operates on a schedule that doesn’t align with your SOC’s working hours.
What Gets Traded
Understanding what adversaries buy and sell helps prioritize your monitoring strategy:
- Combo lists — username/password pairs from previous breaches, resold repeatedly
- Stealer logs — output from infostealers (Redline, Raccoon, Lumma) containing browser-saved credentials, session cookies, and crypto wallets
- Initial access — RDP, VPN, and web shell access to specific organizations, sold by access brokers to ransomware affiliates
- Corporate email access — Office 365 or Google Workspace accounts, valued for BEC operations
Monitoring Approaches
Automated Dark Web Scanning
Services like SpyCloud, Flare, and Recorded Future index data from paste sites, criminal forums, and closed markets. They alert when your email domains, IP ranges, or specific employee identifiers appear. The key is operationalizing those alerts — not just logging them.
Session Cookie Monitoring
Modern infostealers don’t just steal passwords. They also steal authenticated session cookies, and replaying a cookie bypasses MFA entirely because the session was established after the MFA check already passed. Monitor stealer logs for cookies scoped to your authentication domains (VPN portal, SSO, webmail). When one surfaces, the affected user’s sessions must be invalidated immediately, not at the next scheduled review, and a password reset alone does not do that.
Typosquat and Brand Monitoring
Threat actors register domains that closely resemble your brand to host phishing pages and credential-harvesting lures. Automated monitoring of new domain registrations and certificate transparency logs for names matching your brand’s pattern (using tools like dnstwist or commercial equivalents) provides early warning before those domains are weaponized.
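The permutation step that dnstwist-style tools perform, as an added example that is not part of the original article and not the dnstwist project’s code. It generates a subset of the permutation classes (omission, transposition, a few homoglyphs, hyphenation, character addition, TLD swap) for a placeholder domain `acme-corp.com` and matches them against a constructed feed of newly registered domains; the homoglyph table and alternative TLDs are assumptions, and a real deployment would feed `all_candidates` into DNS resolution or a certificate-transparency watch.

```python
"""Generate typosquat candidates for a brand domain and match a registration feed.

Added example, not code from the original article or from dnstwist. The
permutation classes are a subset of what such tools implement; the homoglyph
table, alternative TLDs and the "newly registered" feed are assumptions.
"""
from __future__ import annotations

# Assumed subset of visually confusable substitutions for Latin-script brands.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}

# Assumed alternative TLDs worth watching.
ALT_TLDS = ["net", "org", "co", "io"]


def split_domain(fqdn: str) -> tuple[str, str]:
    """Split 'acme-corp.com' into ('acme-corp', 'com'); naive, first dot only."""
    label, _, tld = fqdn.lower().partition(".")
    return label, tld


def permutations(fqdn: str) -> dict[str, set[str]]:
    """Return candidate domains grouped by permutation class."""
    label, tld = split_domain(fqdn)
    raw: dict[str, set[str]] = {
        k: set() for k in ("omission", "transposition", "homoglyph",
                           "hyphenation", "addition", "tld")
    }
    # omission: drop one character
    for i in range(len(label)):
        raw["omission"].add(label[:i] + label[i + 1:])
    # transposition: swap adjacent, distinct characters
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            raw["transposition"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # homoglyph: substitute one confusable character
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            raw["homoglyph"].add(label[:i] + sub + label[i + 1:])
    # hyphenation: remove existing hyphens or insert one between two letters
    if "-" in label:
        raw["hyphenation"].add(label.replace("-", ""))
    for i in range(1, len(label)):
        if label[i - 1] != "-" and label[i] != "-":
            raw["hyphenation"].add(label[:i] + "-" + label[i:])
    # addition: append one alphanumeric character
    for ch in "abcdefghijklmnopqrstuvwxyz0123456789":
        raw["addition"].add(label + ch)
    # tld swap: same label under a different TLD
    for alt in ALT_TLDS:
        if alt != tld:
            raw["tld"].add(f"{label}.{alt}")

    result: dict[str, set[str]] = {}
    for kind, labels in raw.items():
        if kind == "tld":
            result[kind] = labels
        else:
            result[kind] = {f"{l}.{tld}" for l in labels if l != label}
    return result


def all_candidates(fqdn: str) -> set[str]:
    """Flat set of every candidate, excluding the legitimate domain itself."""
    return set().union(*permutations(fqdn).values())


def match_feed(fqdn: str, newly_registered: list[str]) -> set[str]:
    """Intersect candidates with a feed of newly registered names (constructed here)."""
    wanted = all_candidates(fqdn)
    return {d.lower().rstrip(".") for d in newly_registered} & wanted


if __name__ == "__main__":
    # Constructed feed standing in for a daily new-registrations export.
    feed = ["acme-c0rp.com", "example.org", "acme-corp.net", "acmecorp.com"]
    for hit in sorted(match_feed("acme-corp.com", feed)):
        print("alert:", hit)
```

Candidate counts grow quickly (the addition class alone yields 36 names per label), so in practice the output is deduplicated, resolved, and only names that actually resolve or appear in certificate transparency are raised to an analyst.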
What To Do When You Get a Hit
- Validate immediately — not all alerts are accurate; confirm the credential is real and belongs to your organization
- Force password reset — for the affected account and any shared passwords (use an enterprise password audit tool)
- Invalidate all active sessions — especially critical if session cookies were exposed
- Enrich with context — which stealer family? When was the log captured? What other data was exfiltrated?
- Hunt for related indicators — infostealers don’t spread laterally, but the same lure or trojanized installer usually hits more than one employee; sweep the fleet for the stealer’s execution artifacts and C2 indicators, and check whether other logs from the same campaign contain your domains
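The validation and enrichment steps above, applied to a stealer log, as an added example that is not code from the original article or from any vendor tool. Both the credential records and the cookie file are constructed samples in the layout stealer families commonly dump (one `Passwords.txt`-style record per credential, Netscape-format cookies); `acme-corp.com` is a placeholder organization domain. The triage function separates corporate accounts from a personal account that merely visited a corporate site, flags password reuse between the two, and decides which session cookies were still live when the log was captured (which is what the Session Cookie Monitoring section asks you to act on).

```python
"""Triage one stealer log for an organization's exposure.

Added example; not code from the original article or from any stealer or
vendor tool. PASSWORDS_TXT and COOKIES_TXT are constructed samples in the
layout stealer families commonly dump. "acme-corp.com" is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

ORG_DOMAINS = {"acme-corp.com"}  # assumed: the domains we defend

# Constructed sample: one record per saved credential, "===" separates records.
PASSWORDS_TXT = """\
URL: https://vpn.acme-corp.com/remote/login
Username: jdoe@acme-corp.com
Password: Winter2024!
Application: Chrome
===============
URL: https://accounts.google.com/signin
Username: jdoe.personal@gmail.com
Password: hunter2
Application: Chrome
===============
URL: https://portal.acme-corp.com/
Username: jdoe.personal@gmail.com
Password: Winter2024!
Application: Edge
===============
"""

# Constructed sample in Netscape cookie-file layout:
# domain, include-subdomains, path, secure, expiry (unix), name, value
COOKIES_TXT = (
    "# Netscape HTTP Cookie File\n"
    ".acme-corp.com\tTRUE\t/\tTRUE\t1767225600\tSESSIONID\t9f1c3e...\n"
    "vpn.acme-corp.com\tFALSE\t/\tTRUE\t1700000000\tvpn_session\t3a7b...\n"
    ".google.com\tTRUE\t/\tTRUE\t1767225600\tSID\tg0og1e...\n"
)


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str
    application: str


@dataclass(frozen=True)
class Cookie:
    domain: str
    name: str
    expires: int  # unix seconds; 0 means a browser-session cookie


def parse_passwords(text: str) -> list[Credential]:
    creds: list[Credential] = []
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("==="):
            if fields:
                creds.append(Credential(fields.get("URL", ""), fields.get("Username", ""),
                                        fields.get("Password", ""), fields.get("Application", "")))
            fields = {}
            continue
        key, sep, value = line.partition(":")  # first colon only; URLs keep theirs
        if sep:
            fields[key.strip()] = value.strip()
    return creds


def parse_cookies(text: str) -> list[Cookie]:
    cookies: list[Cookie] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) >= 7:
            cookies.append(Cookie(parts[0], parts[5], int(parts[4])))
    return cookies


def is_org_host(host: str) -> bool:
    host = host.lower().lstrip(".")
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def triage(passwords_txt: str, cookies_txt: str, captured_at: int) -> dict:
    """Decide response actions; captured_at is the unix time the log was taken."""
    creds = parse_passwords(passwords_txt)
    cookies = parse_cookies(cookies_txt)

    org_accounts: set[str] = set()
    unrelated = 0
    for c in creds:
        host = urlsplit(c.url).hostname or ""
        if c.username.rpartition("@")[2].lower() in ORG_DOMAINS:
            org_accounts.add(c.username.lower())   # corporate identity: reset it
        elif not is_org_host(host):
            unrelated += 1                         # personal account on a non-org site
    # Password reuse: any other identity in the log sharing an org account's password.
    org_passwords = {c.password for c in creds if c.username.lower() in org_accounts}
    shared = {c.username.lower() for c in creds
              if c.username.lower() not in org_accounts and c.password in org_passwords}

    org_cookies = [ck for ck in cookies if is_org_host(ck.domain)]
    live = [(ck.domain, ck.name) for ck in org_cookies
            if ck.expires == 0 or ck.expires > captured_at]
    return {
        "reset": sorted(org_accounts),
        "revoke_sessions_for": sorted(org_accounts),  # always, even if no live cookie was seen
        "live_org_cookies": live,
        "expired_org_cookies": len(org_cookies) - len(live),
        "shared_password_accounts": sorted(shared),
        "unrelated_credentials": unrelated,
    }


if __name__ == "__main__":
    for key, value in triage(PASSWORDS_TXT, COOKIES_TXT, captured_at=1730000000).items():
        print(f"{key}: {value}")
```

The capture timestamp matters: a cookie that had already expired when the log was taken is evidence of past exposure, while one still within its lifetime is a live bypass of MFA until the server-side session is revoked. Note also that the personal account reusing the corporate password is not something you can reset, which is why the list of shared-password identities goes to the user as a warning rather than into the automated reset.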
Building a Proactive Program
Reactive monitoring is table stakes. Leading security teams build proactive programs:
- Regular credential audits against Have I Been Pwned’s Pwned Passwords range API, which accepts SHA-1 prefixes and, in NTLM mode, prefixes of NTLM hashes, so Active Directory password hashes can be checked without ever handling plaintext and without sending the full hash
- Phishing-resistant MFA (FIDO2/passkeys) for all external-facing services, which makes a leaked password alone useless for login. It does not protect an already-authenticated session: a stolen cookie replays after the MFA check, so pair it with short session lifetimes, re-authentication for sensitive actions, and the ability to revoke all of a user’s sessions on demand
- Endpoint hardening to prevent infostealer execution and to limit what it can collect: application control, browser protections that keep the credential store out of reach of user-level malware (a bar that stealers keep working to clear, not a wall), and disabling password saving in browsers for privileged accounts
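The k-anonymity lookup behind the credential-audit bullet, as an added example that is not the article’s code and not an official Have I Been Pwned client. The request shape (`GET https://api.pwnedpasswords.com/range/<first 5 hex chars>`, optionally `?mode=ntlm`, answered with lines of `<remaining hex>:<count>`) is the API’s documented one; the fetch function is injectable, and the response embedded below is a constructed sample so the block runs offline. The counts in that sample are made up. SHA-1 of `password` and the NTLM hash of `password` are the well-known values.

```python
"""Audit passwords and NTLM hashes against Pwned Passwords without revealing them.

Added example; not the article's code and not an official HIBP client. Only
the first five hex characters of a hash leave the machine; the API returns
every suffix in that bucket and the match is done locally. SAMPLE_RANGES is a
constructed stand-in for a live response (counts are invented).
"""
from __future__ import annotations

import hashlib
from typing import Callable
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed offline responses, keyed by (prefix, mode).
SAMPLE_RANGES = {
    ("5BAA6", "sha1"): "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
                       "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n",
    ("8846F", "ntlm"): "7EAEE8FB117AD06BDD830B7586C:120417\n"
                       "00000000000000000000000000A:0\n",
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_offline(prefix: str, mode: str = "sha1") -> str:
    """Stand-in for the network call, backed by the constructed sample."""
    return SAMPLE_RANGES.get((prefix, mode), "")


def fetch_range_live(prefix: str, mode: str = "sha1") -> str:
    """Real call. Add-Padding makes every bucket look the same size on the wire."""
    url = RANGE_URL + prefix + ("?mode=ntlm" if mode == "ntlm" else "")
    req = Request(url, headers={"Add-Padding": "true", "User-Agent": "pw-audit-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count_for_hash(hash_hex: str, fetch_range: Callable[[str, str], str],
                          mode: str = "sha1") -> int:
    """Return how often this hash appears in the corpus (0 if absent)."""
    hash_hex = hash_hex.upper()
    prefix, suffix = hash_hex[:5], hash_hex[5:]
    for line in fetch_range(prefix, mode).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)  # padded filler entries carry a count of 0
    return 0


def breach_count(password: str, fetch_range: Callable[[str, str], str]) -> int:
    """Plaintext path: hash locally, then query by SHA-1 prefix."""
    return breach_count_for_hash(sha1_hex(password), fetch_range, "sha1")


def audit_ntlm_hashes(ntlm_hashes: dict[str, str],
                      fetch_range: Callable[[str, str], str]) -> dict[str, int]:
    """Map account -> corpus count for hashes exported from AD; plaintext never needed."""
    return {acct: breach_count_for_hash(h, fetch_range, "ntlm")
            for acct, h in ntlm_hashes.items()}


if __name__ == "__main__":
    # Constructed AD export: the NTLM hash of "password" and an arbitrary unknown hash.
    export = {"jdoe": "8846F7EAEE8FB117AD06BDD830B7586C",
              "svc-backup": "0123456789ABCDEF0123456789ABCDEF"}
    print(audit_ntlm_hashes(export, fetch_range_offline))
    print(breach_count("password", fetch_range_offline))
```

Swap `fetch_range_offline` for `fetch_range_live` to run against the real service; the program never transmits more than a five-character prefix, so the audit can be run from an environment that is allowed to hold domain hashes but not to leak them.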
The threat never sleeps. Your monitoring program shouldn’t either.