The dark web economy is aptly named. It operates as a fully developed underground marketplace, where cybercriminals buy, sell, and trade illicit data, tools, and services—much like a legitimate economy, but hidden from public view.
This ecosystem is highly active. In 2020 alone, ZeroFox threat researchers published nearly 1,500 internal reports documenting activity across dark web forums, marketplaces, data leak sites, encrypted chat platforms, and discussion boards.
Since the early 2000s, rapid advances in computing and internet connectivity have created unprecedented global interconnection. While this progress has driven innovation, it has also expanded opportunities for cybercrime, including:
Nation-state hacking
Cybercrime-as-a-service models
Account takeovers
Phishing and credential theft
As supply and demand evolve within the dark web economy, cybercriminals continuously adapt their tactics to remain competitive.
Competition in the Underground Economy
Like any market, the dark web economy is shaped by competition. Threat actors compete for customers, credibility, and visibility. In many cases, this rivalry leads to misinformation campaigns, manipulation, and intimidation tactics aimed at undermining competitors.
ZeroFox monitors numerous underground communities, including forums, marketplaces, and encrypted chat networks. These spaces allow threat actors to:
Nation-state hacking
Cybercrime-as-a-service models
Account takeovers
Phishing and credential theft
As communities grow, so does competition. New members often work to establish trust by actively participating in discussions, selling tools, or offering services.
Tips on avoiding scammers in encrypted chat networks Source: ZeroFox Research
Trust, Reputation, and Guarantors
Anonymity is essential in underground communities, but reputation is equally critical. Trusted actors are valued, while scammers, researchers, and law enforcement are actively identified and excluded.
Some forums use Guarantors to oversee transactions. A guarantor acts as a trusted intermediary between buyers and sellers, ensuring deals are completed fairly. Their reputation helps maintain stability and trust within the community, as long as members follow strict privacy and security rules.
Ironically, underground forums often provide advice on avoiding scams, reinforcing the idea that even criminal marketplaces rely on trust to function.
Double Extortion Ransomware
One of the most prominent trends in the dark web economy is double extortion ransomware.
In these attacks:
Files are encrypted
Sensitive data is stolen
Victims are threatened with public data leaks if ransom demands are not met
This tactic surged in popularity in 2020 and continued into 2021 due to victims’ fear of data exposure and resale.
In Q1 2021:
Conti accounted for nearly 23% of known double extortion attacks
Other major groups included Avaddon, REvil (Sodinokibi), and DoppelPaymer
These ransomware groups often publish victim data on leak sites to pressure payments.
Overall volume of double extortion victims by group Source: ZeroFox Research
