Dark Web Activity Statistics 2026: Explosive Fraud Growth

The dark web continues to shape global cybersecurity, financial crime, and digital privacy debates. Governments, banks, healthcare providers, and enterprise security teams now monitor dark web activity to detect stolen credentials, ransomware threats, and leaked corporate data before attackers exploit them. At the same time, anonymous marketplaces and encrypted forums keep evolving through cryptocurrency payments, decentralized infrastructure, and cybercrime-as-a-service models. This article explores the latest dark web activity statistics, usage trends, and enforcement developments that define the underground digital economy.

Editor’s Choice

• Darknet market activity reached nearly $2.6 billion in crypto flows during 2025, showing continued resilience despite international crackdowns.
• Ransomware attackers received approximately $820 million in on-chain payments in 2025, down 8% year over year.
• Claimed ransomware attacks increased by 50% in 2025, even as actual ransom payments declined.
• Illicit cryptocurrency addresses received at least $154 billion in 2025, representing a 162% annual increase.
• Researchers identified more than 80,000 onion services within 93 days during a large-scale dark web mapping project.
• Around 6.1% of detected onion websites contained unique content, highlighting the scale of cloned and mirrored dark web services.
• Fraud shops processed approximately $225 million in crypto inflows during 2024, despite declining market activity.
• Hydra Market alone processed an estimated $5.2 billion in cryptocurrency during its operational lifespan.
• Archetyp Market reportedly served more than 612,000 registered users before its seizure in 2025.
• Researchers estimate the dark web represents only about 3% of total Tor network traffic, despite its outsized cybersecurity impact.

Recent Developments

• German authorities seized the large darknet platform Archetyp Market in June 2025 after years of operation focused on drug-related sales.
• Law enforcement actions against ransomware groups such as LockBit and BlackCat contributed to a 35% decline in ransomware payments during 2024.
• Darknet marketplaces increasingly shifted toward Monero-based payments to reduce blockchain tracing exposure.
• AI-generated phishing kits and deepfake scams accelerated dark web fraud operations in 2025, with AI-enabled scams becoming 4.5 times more profitable than traditional fraud schemes.
• Security analysts observed that cybercriminals increasingly share infrastructure, including proxy services and bulletproof hosting providers.
• Dark web vendors expanded into wholesale fraud operations, especially in Chinese-language underground marketplaces.
• Researchers linked spikes in initial access broker activity to ransomware surges roughly 30 days later, improving predictive cyber threat monitoring.
• Public health analysts found that declining fentanyl-related crypto flows mirrored reductions in opioid overdose deaths in some regions.
• Threat intelligence companies expanded automated onion-site discovery systems capable of identifying tens of thousands of dark web domains daily.
• Governments worldwide increased investment in blockchain forensics and dark web intelligence platforms to track illicit crypto movement more efficiently.

What Is the Dark Web?

• The dark web refers to websites and services intentionally hidden from standard search engines and accessible only through specialized software such as Tor.
• Most dark web websites use the “.onion” domain extension, which routes traffic through encrypted relays to conceal identities and locations.
• Researchers estimated there were roughly 76,300 active Tor onion sites by late 2020, with numbers continuing to fluctuate annually.
• Only around 18,000 onion sites contained original content, while many others mirrored or duplicated existing services.
• Dark web ecosystems include forums, encrypted chat networks, whistleblower platforms, activist communities, and black-market marketplaces.
• Cybercriminals frequently use the dark web to trade stolen credentials, malware kits, counterfeit documents, and illegal narcotics.
• Ransomware groups commonly host data leak sites on Tor to pressure victims into paying extortion demands.
• Researchers identified more than 13,900 cloned onion sites connected to coordinated phishing infrastructure during one monitoring project.
• The dark web remains a relatively small segment of internet activity, but it drives a disproportionate share of global cybercrime investigations.
• Financial institutions and cybersecurity firms increasingly scan dark web forums to detect leaked credentials and emerging threats before public exposure.

Largest Dark Web Marketplaces by Share

• BlackSprut Market was the largest dark web marketplace shown in the chart, accounting for 28% of the total share.
• Mega Darknet Market ranked second with a 22% share, making it one of the most dominant marketplaces after BlackSprut.
• OMG! OMG! Market held the third-largest position, representing 17% of the marketplace share.
• Solaris Market accounted for 13%, matching the combined Other category share.
• ASAP Market had the smallest individual share among the named marketplaces, at 7%.
• The top three marketplaces are BlackSprut Market, Mega Darknet Market, and OMG! OMG! Market, together, represented 67% of the total share.
• The named marketplaces combined accounted for 87%, while Other marketplaces made up the remaining 13%.
• The data shows that dark web marketplace activity was highly concentrated, with just two platforms, BlackSprut Market and Mega Darknet Market, controlling 50% of the market share.

Dark Web vs Deep Web vs Surface Web

• The surface web makes up only 4% of the total internet, while the deep web contains 96% of all online content.
• Search engines have indexed around 4.57 billion pages, which is just 10% of the whole web.
• There are roughly 3,000 hidden websites on the dark web, and 60% of them host illegal activity.
• Approximately 500,000 users regularly visit darknet marketplaces, where 37% of purchases likely lead to further crimes.
• Dark web sales reached an estimated $2.6 billion in 2025, with 60% of crime coming from selling posts on forums.
• Daily Tor traffic surpassed 3 million users in 2025, with Germany leading usage, followed by the U.S. and India.
• Cryptocurrency losses totaled over $11 billion in 2025, up 22% from 2024, with 98% of dark web transactions using Bitcoin.
• The dark web intelligence market is projected to reach $1.99 billion by 2030, growing at a 21.3% CAGR.
• More than 18 million US crypto users’ records are listed for sale on the dark web, with 93 million data logs available for $15/month.

How the Dark Web Works (Tor and .onion Services)

• Tor routes internet traffic through multiple encrypted relays to mask a user’s IP address and browsing activity.
• Onion routing technology encrypts data in layers, making traffic analysis significantly more difficult for observers.
• Websites operating on Tor use “.onion” addresses, which are inaccessible through standard browsers without Tor-enabled software.
• Cybercriminal groups frequently rely on Tor infrastructure for ransomware leak sites, anonymous marketplaces, and encrypted communication channels.
• Researchers identified more than 80,000 onion services during a 93-day automated monitoring experiment.
• Around 90% of detected onion services were successfully categorized using AI-based content analysis systems.
• Facebook previously operated one of the largest Tor hidden services by traffic volume, demonstrating that not all onion services are illicit.
• Dark web marketplaces often combine Tor access with cryptocurrency escrow systems to reduce fraud between buyers and sellers.
• Many ransomware operators recruit affiliates through underground Tor forums and offer profit-sharing structures ranging from 60% to 80% of ransom proceeds.
• Security researchers continue developing automated crawling systems to detect phishing networks, malware distribution hubs, and cloned onion sites more efficiently.

Global Dark Web Intelligence Market Growth

• The global dark web intelligence market is projected to grow from $520.3 million in 2023 to $2,921.8 million by 2032.
• The market is expected to expand by more than 5.6 times between 2023 and 2032, showing strong long-term demand.
• In 2024, the market size reached $619.1 million, increasing by $98.8 million compared to 2023.
• The market crossed the $1 billion mark around 2027, reaching $1,170.9 million.
• By 2029, the dark web intelligence market is expected to reach $1,617.5 million, showing steady adoption across cybersecurity operations.
• The market is projected to nearly double from $1,617.5 million in 2029 to $2,921.8 million in 2032.
• The highest year-over-year increase appears between 2031 and 2032, when the market rises from $2,344.1 million to $2,921.8 million.
• The sharp growth indicates rising investment in threat intelligence, cybercrime monitoring, data breach detection, and dark web surveillance tools.
• The consistent upward trend suggests that businesses, governments, and cybersecurity firms are prioritizing dark web intelligence solutions to detect threats earlier.
• By 2032, the market is expected to add around $2,401.5 million in value compared to 2023.

Global Dark Web Usage Statistics

• Tor usage regularly exceeded 2 million daily users worldwide during 2025.
• The United States held the highest share of directly connected Tor users at about 18.12% in early 2025.
• The U.S. also remained the top Tor user country in broader estimates, with roughly 16.80% of mean daily users.
• Tor researchers estimated that about 6.7% of users connect to onion services daily, suggesting only a minority use Tor for illicit activity.
• Average daily Tor relay clients were measured at 2,231,334 globally in one research period.
• Hidden-service activity has been estimated at around 3.4% of total Tor traffic, showing most Tor use is not onion-service access.
• Threat reports tracked 50,000+ users on one major cybercrime forum and 14 billion+ records traded on another, reflecting large-scale dark web activity.
• Daily onion and hidden-service infrastructure has been estimated at 30,000 hidden services announcing themselves each day.
• Dark-web Telegram ecosystems were described as high-traffic communities where channels may push thousands of fresh logs daily.
• Underground breach activity rose 43% in one 2025 analysis, with U.S. organizations accounting for nearly 20% of total breaches.

Daily Tor Users and Traffic Volume

• Tor network usage frequently surpassed 2.5 million daily direct users in 2025.
• More than 7,500 public relays flagged as fast and stable supported global Tor traffic routing during 2025.
• The Tor network had about 8,000 active relays running with around 2,000 bridges helping users in restricted regions by July 2025.
• Approximately 6–7% of users interact with .onion services, while 85% browse regular websites via Tor.
• Onion-service traffic collectively reached nearly 4 Gbps across over 150,000 onion services according to Tor Metrics.
• Average Tor bandwidth capacity exceeded 1,000 Mbps (advertised bandwidth) during peak periods in 2025.
• Tor Browser installations grew significantly in Russia, Iran, and India, with 30,000 Tor VPN beta installs by November 2025.
• About 1.5% of all Tor traffic goes to dark web .onion websites, while the vast majority accesses clearnet sites.

Dark Web Activity Distribution by Category

• Illegal file sharing accounts for the largest share of dark web activity, representing 29.0% of the total distribution.
• Leaked data is the second-largest category, making up 28.0%, nearly equal to illegal file sharing.
• Together, illegal file sharing and leaked data represent 57.0% of all recorded activity, indicating that data-related and file-sharing activities dominate the distribution.
• Financial fraud contributes 12.0%, making it the third-largest category in the dataset.
• News media accounts for 10.0%, showing that not all dark web activity is directly criminal or illicit in nature.
• Promotions represent 6.0%, while discussion forums make up 5.0%, suggesting a moderate level of communication and advertising-related activity.
• Drugs account for 4.0%, a smaller share compared with data leaks, file sharing, and fraud.
• Hacked accounts represent 3.0%, indicating a measurable but comparatively limited portion of the overall activity.
• Pornographic content makes up 1.0%, while weapons account for only 0.3%, making them the smallest categories shown in the chart.
• The distribution is highly concentrated, with the top three categories, illegal file sharing, leaked data, and financial fraud, accounting for 69.0% of total activity.

Geographic Distribution of Dark Web Users

• The United States accounted for roughly 18–21% of global Tor browser users in 2025.
• Germany represented about 11–13% of daily Tor traffic, making it the second‑largest geographic source.
• 38% of anonymized dark web traffic originated from Europe, with Western European countries dominating usage.
• 27% of overall dark web traffic came from North America, driven largely by users in the United States and Canada.
• Russia, India, France, and Finland each contributed more than 3% of the global daily Tor user base.
• Authoritarian‑style regimes collectively saw dark web and bridge‑relay usage jump by around 85% between 2022 and 2024.
• The Asia‑Pacific region generated roughly 18% of total dark web traffic, with notable spikes in mobile‑related cybercrime forums.
• Eastern European countries hosted over 40% of ransomware‑related infrastructure nodes mapped on the Tor network in 2025.
• North America and Western Europe together were linked to more than 70% of darknet drug‑market activity in recent years.
• Latin America contributed under 5% of global Tor traffic but accounted for over 15% of credential‑theft‑oriented malware campaigns.

Stolen Data, Credentials, and Identity Theft

• More than 15 billion leaked username‑password pairs appeared on underground markets in 2025, fueling credential‑based attacks at scale.
• Over 90% of data breaches involving stolen credentials used credential stuffing or password‑reuse exploits to gain initial access.
• The average global data breach cost for incidents involving stolen identities reached $4.88 million in 2024, the highest on record.
• Financial institutions suffered more than 40% of all account‑takeover attempts using stolen login data in 2025.
• Threat‑intelligence analysts tracked more than 200,000 sales listings for biometric identity data and synthetic identity packages on dark‑web forums in 2025.
• Over 60% of cybercrime forums now bundle stolen credentials with malware deployment services or phishing kits for one‑click attack campaigns.
• Infostealer malware was responsible for roughly 65% of freshly leaked corporate credentials in 2025, harvesting passwords within hours of infection.
• Healthcare records sold for an average of $250 per account on underground markets, making them the most expensive targeted identity data type.
• U.S. authorities logged over 1.1 million official identity‑theft complaints in 2023, with numbers remaining above 1 million annually through 2025.
• More than 70% of large enterprises deployed dark‑web credential‑monitoring tools in 2025 to detect and block compromised employee accounts before exploitation.

Key Insights: Dark Web Threats by Industry

• The Information industry faces the highest share of dark web threats, accounting for 11.42% of the total.
• Public Administration is the second-most targeted sector, with 11.17% of dark web threat activity.
• Together, Information and Public Administration represent more than 22% of all recorded dark web threats.
• Retail Trade ranks third, contributing 9.52%, showing that consumer-facing businesses remain major targets for cybercriminal activity.
• The Finance and Insurance sector accounts for 8.83%, reflecting the high value of financial data, banking credentials, and payment information on the dark web.
• Electronic Shopping and Mail Order Houses hold a notable share of 6.68%, highlighting risks linked to e-commerce platforms, customer data, and online payment systems.
• Educational Services account for 4.68%, suggesting that schools, universities, and education platforms are also vulnerable to stolen credentials and data leaks.
• Professional, Scientific, and Technical Services make up 4.06% of threats, indicating exposure among consulting, research, and technology-related service providers.
• Other Services, except Public Administration, represent 3.94%, showing moderate dark web threat exposure across miscellaneous service sectors.
• Commercial Banking accounts for 3.00%, while Manufacturing follows closely at 2.98%.
• The data shows that dark web threats are not limited to financial institutions; sectors such as information, government, retail, and education are also heavily affected.
• Industries handling large volumes of personal data, financial records, login credentials, and customer information appear to face the greatest dark web exposure.

Financial Fraud and Carding Activity

• Premium U.S. credit card profiles often sold for $100+ each in 2025, while some carding markets listed standard U.S. cards at $10–$40.
• Fraud shops drew about $225 million in cryptocurrency inflows in 2024, showing the ecosystem remained highly profitable despite enforcement pressure.
• The FTC said consumers filed 3 million fraud reports in 2025, with losses reaching $15.9 billion.
• Account takeover fraud has generated more than 5,100 FBI complaints since January 2025 and over $262 million in losses.
• Synthetic identity fraud increased eightfold in 2025 and accounted for 11% of all reported fraud in one major analysis.
• Mobile banking malware intensified in 2025, with 34 active malware families targeting 1,243 financial apps across 90 countries.
• Banking trojan attacks on smartphones rose 56% in 2025, underscoring how mobile payment apps became a major target.
• AI-assisted fraud escalated fast, with 51% of spam emails being AI-written by April 2025, and some phishing kits sold for under $20.
• Social media scams caused $2.1 billion in reported losses in 2025, and nearly 30% of people who lost money said the scam started there.
• Full identity kits, or fullz, bundled personal and financial data such as names, IDs, bank details, and medical records for resale.

Ransomware, Malware, and Hacking Services

• Ransomware attackers received about $820 million in cryptocurrency payments in 2025, even as overall payments declined.
• Claimed ransomware incidents rose 50% year over year in 2025, showing attacks grew faster than victim payments.
• 138 distinct ransomware groups claimed victims in 2025, up from 98 in 2024.
• The top 10 ransomware groups accounted for about 56% of all victims in 2025.
• Malware-as-a-service subscriptions commonly cost $150 to $1,000 per month, putting advanced tools within reach of smaller criminals.
• Over half of ransomware victims had infostealer traces recorded beforehand, linking credential theft to later ransomware deployment.
• Healthcare ransomware attacks jumped 115.4% year over year, with 672 victims listed on data leak sites between April 2024 and April 2025.
• Education ransomware attacks rose 25.8% year over year, with 273 victims listed on data leak sites between April 2024 and April 2025.
• The number of active data-leak sites hit a record 81 in Q3 2025, reinforcing Tor-based extortion as a standard pressure tactic.
• AI automation reduced phishing attack costs by over 95%, accelerating malware creation and malicious campaign scaling.

Cryptocurrency Use in Dark Web Transactions

• Monero (XMR) is the most used cryptocurrency in dark web transactions, accounting for 60% of total usage.
• Bitcoin (BTC) remains the second-largest cryptocurrency used on the dark web, with a 30% share.
• The data shows that privacy-focused coins dominate dark web payments, with Monero alone representing more than half of all cryptocurrency usage.
• Altcoins such as Zcash and Dash account for a smaller share, making up 5% of usage.
• Ethereum-based tokens also represent 5% of dark web cryptocurrency activity.
• Monero’s high usage share highlights the demand for privacy, anonymity, and harder-to-trace transactions in dark web markets.
• Bitcoin still holds a significant role due to its wide availability, liquidity, and long-standing use in online transactions.
• Together, Monero and Bitcoin account for 90% of cryptocurrency usage in dark web transactions.
• Smaller cryptocurrencies and token-based payments remain limited, with Altcoins and Ethereum-based tokens together making up only 10%.
• The chart suggests that dark web users strongly prefer cryptocurrencies that offer either privacy protection or high market acceptance.

Cybercrime-as-a-Service on the Dark Web

• Global cybercrime losses are projected to reach $10.5 trillion annually by 2025, largely driven by Cybercrime‑as‑a‑Service on the dark web.
• Dark web marketplaces recorded around $2.6 billion in illicit sales in 2025, with CaaS offerings accounting for a major share.
• Dark web listings in 2025 featured more than 140 million stolen credit card records alongside bulk credential‑dump packages.
• Initial Access Broker (IAB) listings for corporate network access surged by roughly 90% across top‑10 target countries from 2024 to 2025.
• A typical IAB listing for mid‑sized organizations now averages under $1,000, with bundled access packages including multi‑vector entry points.
• Over 70% of IAB listings in 2025 bundle multiple access types or privilege‑escalation tools, turning basic access into near‑turnkey intrusion kits.
• Ransomware affiliates often receive 60–80% of extortion proceeds under revenue‑sharing deals, while ransomware operators keep the remainder.
• DDoS‑for‑hire services observed more than 8 million attacks between July and December 2025, many provisioned via dark web and encrypted channels.
• Underground fraud operators using AI‑generated voice and image tools have increased impersonation‑attack volumes by an estimated 32–40% year‑on‑year.
• Cryptocurrency escrow systems on dark web marketplaces helped cut transaction disputes by over 50% compared with direct peer‑to‑peer transfers.

Dark Web Involvement in Major Data Breaches

• Over 15 billion breached credentials were estimated to circulate across underground dark web forums during 2025.
• Threat actors published billions of sensitive corporate records on Tor‑based leak sites following ransomware compromises in the last 12 months.
• Healthcare, finance, and retail sectors collectively accounted for nearly 60% of all data‑exfiltration incidents linked to dark web leak sites.
• Dark web data brokers sold over 140 million stolen credit card records and millions of API keys and cloud credentials tied to enterprise systems in 2025.
• Major ransomware gangs routinely threatened to leak multiple terabytes of stolen data per victim if ransom payments were not met.
• Research showed that the median time between network compromise and dark web exposure of stolen data shortened to under 72 hours in 2025.
• Infostealer‑generated logs supplied roughly two‑thirds of all leaked credentials listed for sale on underground dark web markets.
• Public breach‑disclosure rules in the US and EU revealed that over 80% of dark‑web‑linked data leaks stemmed from unpatched or misconfigured cloud services.
• Analysts recorded a 42% year‑on‑year surge in extortion‑style attacks where stolen data was threatened for release without ransomware encryption.
• Organizations using proactive dark web credential‑monitoring platforms detected over 17 exposed employee credentials per company on average before public breach disclosures.

Key Challenges Faced in Dark Web Investigations

• Lack of system or browser isolation is the biggest challenge, affecting 15.7% of respondents, showing that secure investigation environments remain a major concern.
• Insufficient training or experience accounts for 14.2%, highlighting a significant skills gap among teams handling dark web investigations.
• Lack of organizational support is reported by 13.5%, suggesting that many teams may not receive enough budget, tools, or leadership backing.
• Difficulty in finding relevant information on the dark web affects 12.5%, showing how fragmented and hidden dark web content can make investigations time-consuming.
• Inability to manage attribution effectively stands at 11.2%, indicating challenges in tracking identities, sources, or threat actors with confidence.
• Absence of a separate network for dark web investigations is cited by 10.5%, pointing to security risks when investigations are not conducted through isolated infrastructure.
• Insufficient internal resources also represents 10.5%, showing that many organizations lack dedicated staff or tools for regular dark web monitoring.
• Overall, the data shows that dark web investigation challenges are spread across technical, operational, and organizational barriers, with no single issue dominating completely.

Law Enforcement Operations Targeting Dark Web Markets

• Archetyp was dismantled in 2025 after a 6-country operation; it had 600,000+ users, 17,000+ listings, and €250 million in illicit transactions.
• Operation SpecTor led to 288 arrests, the largest JCODE result at the time, and seized 117 firearms plus $53.4 million in cash and virtual currencies.
• Hydra Market processed about $5.2 billion in cryptocurrency since 2015, and investigators linked around $8 million in ransomware proceeds to its wallets.
• Darknet market takedowns can shift traffic fast, with one 2026 analysis noting that displaced vendors and buyers often migrate to surviving platforms after a seizure or exit.
• Bulletproof hosting enforcement intensified in 2025, including a case involving 250 servers and 80+ cybercrime investigations tied to one hosting service.
• Cryptocurrency-related cybercrime losses reached $11.36 billion in 2025, showing why law enforcement kept expanding crypto-focused financial investigations.
• Ransomware payments still totaled more than $820 million on-chain in 2025, even after a year-over-year decline, showing continued pressure on criminal ecosystems.
• Cybercrime disruption campaigns continued to hit ransomware infrastructure, with one 2025 report noting 57 new ransomware groups and 27 extortion groups emerging despite enforcement pressure.
• A major 2025 crackdown on crypto fraud centers led to 276 arrests and the seizure of over $701 million in cryptocurrency.

Frequently Asked Questions (FAQs)

Conclusion

Dark web activity reflects a rapidly evolving underground economy powered by ransomware operations, cryptocurrency payments, identity theft, and cybercrime-as-a-service ecosystems. While international law enforcement agencies continue dismantling marketplaces and seizing illicit infrastructure, threat actors adapt quickly through decentralized platforms, encrypted communication tools, and AI-enhanced fraud techniques. At the same time, enterprises and governments are investing heavily in dark web monitoring, blockchain intelligence, and proactive threat detection to reduce cyber risk exposure.

As digital crime operations become more organized and globally connected, understanding dark web statistics has become essential for cybersecurity teams, regulators, financial institutions, and business leaders worldwide.