All SkillsGet Started Free
Monitoring Darkweb Sources
Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions of organizational assets, leaked credentials, threatened attacks, and threat actor communications to provide early warning intelligence. Use when establishing dark web monitoring coverage, investigating specific data breach claims, or enriching incident investigations with dark web context. Activates for requests involving dark web OSINT, leak site monitoring, credential exposure, Recorded Future dark web, or Tor hidden service intelligence.
MCP get_skill({ skillId: "monitoring-darkweb-sources-6df6a967" })Use this skill with your agent
Create a free account and connect via MCP
# Monitoring Dark Web Sources ## When to Use Use this skill when: - Establishing continuous monitoring for organizational domain names, executive names, and product brands on dark web forums - Investigating a reported data breach claim found on a ransomware leak site or paste site - Enriching an incident investigation with context about stolen credentials or planned attacks **Do not use** this skill without proper operational security measures — dark web browsing without isolation exposes analyst infrastructure to adversary counter-intelligence. ## Prerequisites - Commercial dark web monitoring service (Recorded Future, Flashpoint, Intel 471, or Cybersixgill) - Isolated operational environment: Whonix OS or Tails OS running in a VM with no persistent storage - Keyword watchlist: organization domain, key executive names, product names, IP ranges, known credentials - Legal guidance confirming passive monitoring is authorized in your jurisdiction ## Workflow ### Step 1: Establish Keyword Monitoring via Commercial Services Configure dark web monitoring keywords in your CTI platform (e.g., Recorded Future Exposure module): - Domain variations: `company.com`, `@company.com`, `company[dot]com` - Executive names: CEO, CISO, CFO full names - Product/brand names - Internal codenames or project names (if suspected breach scope is broad) - Known email domains for credential monitoring Most commercial services (Flashpoint, Intel 471, Cybersixgill) crawl forums like XSS, Exploit[.]in, BreachForums, and Russian-language cybercriminal communities without analyst exposure. ### Step 2: Manual Investigation with Operational Security For investigations requiring direct dark web access: **Environment setup**: 1. Use a dedicated physical machine or air-gapped VM (Whonix + VirtualBox) 2. Connect via Tor Browser only — never via standard browser 3. Use a cover identity with no links to organization 4. Never log in with real credentials to any dark web site 5. Document all sessions in investigation log with timestamps **Paste site monitoring** (clearnet-accessible, no Tor required): ```bash # Hunt paste sites via API curl "https://psbdmp.ws/api/search/company.com" | jq '.data[].id' curl "https://pastebin.com/search?q=company.com" # Rate-limited public search ``` ### Step 3: Investigate Ransomware Leak Sites
#mukul-cybersecurity-skills#security#cybersecurity#threat#intelligencecurljq