Egidio
Explainer · 2026

The dark web, explained without the mystery

No how-to, no exaggeration: what the black market for stolen data really is, what gets traded on it, and how your personal information can pass through it without you having done anything wrong.

A simple definition

The dark web is a portion of the internet that doesn't show up in standard search engines and requires specific software to access, originally designed to protect its users' anonymity. The vast majority of its use has nothing to do with crime. But part of it serves as a marketplace for actors who buy and resell stolen data — that's the part this report documents, without explaining how to access it.

What's actually traded there

According to Europol's annual cybercrime assessment (2025), the online criminal economy runs above all on access: access to accounts, to identities, to sensitive information. Login credentials, card numbers, medical records and social-media accounts are sold, resold and repackaged there by specialized data brokers.

34%
Share of listings tied to financial services (bank access, card data, access to business email accounts) on the main dark web markets analyzed in 2025.
Europol, IOCTA 2025 — analysis of criminal markets.
$4,200
Average price observed for a compromised corporate banking credential, including a way to bypass two-factor authentication.
Europol, IOCTA 2025.

The central role of the "infostealer"

The most common way these markets get supplied isn't a spectacular hack targeting a single person: it's malware called an infostealer, installed without the victim noticing (often via a booby-trapped file or fake software), which harvests saved usernames and passwords from the browser in bulk. The result is then resold as "logs" — batches of raw data, by the hundreds or thousands, before even being sorted.

Source: Europol, IOCTA 2025.

Authorities are pushing back

Taking these markets down isn't just a theoretical threat to their operators. Joint operations between several countries have already demonstrated authorities' ability to disrupt them:

2025
A coordinated international operation took down more than 373,000 sites linked to dark web activity and seized dozens of servers used by these markets.
March 2026
The FBI and Europol seized the forum "LeakBase," which specialized in reselling infostealer "logs" — archives of login data stolen by this type of malware.
Source: Europol · The Hacker News, March 2026.

Vocabulary worth knowing

Infostealer

Malware designed to harvest saved usernames, passwords and session cookies from an infected device in bulk.

Log

A raw batch of data stolen by an infostealer, sold as-is before sorting — often hundreds of credentials at once.

Access broker

A specialized reseller who buys stolen access or data in bulk to resell it, sorted and packaged, to other criminals.

Closed market

A platform accessible only by invitation or after vetting, to limit the risk of infiltration by authorities or security researchers.

🔒 Your data can pass through these markets with none of your own actions to blame — the useful protection kicks in downstream, when those stolen credentials get used to build a targeted call or text. See also the report on why fraud is exploding right now and how Medusa works.

Frequently asked questions

What exactly is the dark web?

A part of the internet not indexed by standard search engines, requiring specific software to access, originally designed for anonymity. A minority of its use is criminal, but that's the part relevant to stolen-data resale.

How do my credentials end up on the dark web?

Most often through malware called an infostealer, installed on a device, which harvests saved usernames and passwords in bulk and then resells them as grouped "logs" on specialized markets.

How can I know if my data is there?

Have I Been Pwned (haveibeenpwned.com) lets you check for free whether your email appears in an already-catalogued data breach, without needing to access the dark web yourself.

Go further