Dark Web Monitoring Methodology

Learn exactly what dark web sources Breachsense monitors and where our coverage has gaps.

Most dark web monitoring vendors don’t explain where their data comes from. You’re left guessing whether alerts are based on fresh intelligence or recycled combo lists.

This page explains what Breachsense monitors and how alerts work. It also covers where we have blind spots.

If you’re evaluating vendors or need to document your intelligence sources for compliance, this is for you.

We cover what sources we monitor, how alerts work, what our limits are, and how this connects to the breach tracker.

What Does Breachsense Monitor?

Your credentials could be for sale right now. You’d never know unless you’re actively watching the places where stolen data surfaces. With 60% of breaches involving stolen credentials or a human element, monitoring matters.

Here’s what we cover and why each source matters. For definitions of the terms used on this page, see our definitions and terminology reference.

Dark Web Marketplaces

Tor hidden services and .onion marketplaces are where criminals sell credentials and personal data. Our crawlers watch active darknet markets where this data changes hands daily.

Criminal Forums

Both public and private hacker forums are covered. Attackers discuss targets and post leaked data on these forums. Many breaches surface here before hitting mainstream news.

Ransomware Leak Sites

Over 100 ransomware groups and their leak sites are tracked continuously. When a gang posts a new victim, our monitoring picks it up fast. Browse the full list of tracked groups on the ransomware gangs page. For details on how incidents get verified, see how the breach tracker works.

Infostealer Channels

Logs from RedLine, Vidar, LummaC2, and other credential-stealing malware families get indexed as they appear. Stealer logs contain saved passwords extracted from infected devices, plus active session tokens that bypass MFA. This source is growing faster than any other. Learn more about our infostealer channel monitoring.

Telegram and IRC Channels

Criminal groups use Telegram and hacker forums to distribute stealer logs and sell access. These channels often carry early breach signals before data hits forums.

Paste Sites and Data Dumps

Paste sites like Pastebin are common drop points for leaked credentials and data samples. Our crawlers check these around the clock.

Third-Party Breach Data

Complete breach datasets get indexed as they become available, both historical and new. The result is a searchable database of billions of compromised credentials.

Exposed Databases

Misconfigured Elasticsearch and MongoDB servers leak sensitive data. We catch these exposed databases and index the data before criminals find it.

Certificate Transparency Logs

CT logs show every SSL certificate issued publicly. We watch for certificates issued to suspicious lookalike domains, which helps catch phishing domains impersonating your brand before they’re used in attacks.

Surface Web

Some leaks happen in plain sight. Publicly accessible sources where data surfaces outside the dark web are also covered.

Why Is Dark Web Collection Hard to Do In-House?

Most enterprise teams don’t try to monitor criminal sources themselves, and for good reason.

Malware risk. Criminal forums and marketplaces are full of malicious downloads. One wrong click and your analyst’s machine is infected. You need isolated infrastructure and strict OpSec just to browse safely.

Getting access. Many forums require vetting or vouching from existing members. Building and maintaining those personas takes months. Lose one and you start over.

Keeping up with new sources. Forums go dark and marketplaces rebrand constantly. New Telegram channels replace old ones. Staying on top of which sources matter right now is a full-time job.

Processing volume. Even if you get access, you’re looking at terabytes of raw data. Stealer logs alone generate millions of records per week. You need pipeline infrastructure to deduplicate records and crack hashes before you can even match against your assets.

This is why most teams use a vendor for collection and focus their own resources on response. For a side-by-side comparison of manual monitoring, threat intel feeds, and automated platforms, see dark web monitoring approaches explained.

What Doesn’t Breachsense Monitor?

You should know what falls outside our coverage.

• GitHub and GitLab repositories. We don’t scan code repositories for leaked secrets or API keys. Our focus is dark web sources and stolen credentials.
• Social media accounts. We detect phishing domains that impersonate your brand, but we don’t monitor for fake social media accounts.
• Private encrypted groups. Signal groups and private Discord servers are out of scope. If a group is invite-only, we can’t monitor it.
• I2P network. Our monitoring focuses on Tor-based dark web sources. I2P has a smaller criminal ecosystem and isn’t currently covered.

What Data Does Breachsense Index?

This is what you can actually search for and get alerts on.

Compromised Credentials

Emails and passwords from data breaches and stealer logs. Hashed passwords get cracked to plaintext so you know exactly what’s exposed. The database holds over 343 billion compromised credentials.

Session Tokens

Active authentication tokens extracted from infostealer logs. Attackers use these to bypass passwords and MFA entirely. These alerts are time-sensitive because tokens expire.

Infostealer Malware Logs

Full stealer log entries showing which device was infected and which credentials were extracted. Each entry ties back to a specific malware family and infection timestamp.

Ransomware Victim Announcements

Every time a ransomware gang posts a new victim, the announcement gets captured and indexed. You can monitor for your own company or for vendors appearing on leak sites.

Leaked Files From Ransomware Attacks

Stolen files published by ransomware groups get indexed. You can search their contents for your company name or employee names to check if your data appears in a vendor’s breach dump.

Phishing Domains

Homoglyph and typosquatting attacks targeting your brand are detected automatically through CT log monitoring and domain scanning.

Exposed Subdomains

Attack surface mapping discovers all subdomains tied to your assets. Forgotten or shadow IT infrastructure gets flagged before attackers find it.

How Do Alerts Work?

Here’s what happens between a credential appearing on the dark web and you getting an alert.

Continuous collection. Our crawlers monitor all source types 24/7. When new data appears on a marketplace or forum, it gets collected and processed.

Asset matching. You register the domains, emails, IPs, or other assets you want to watch. Every new piece of indexed data gets checked against them.

Real-time notification. When a match is found, an alert fires immediately. You choose the delivery method: webhook or email.

What triggers alerts:

• Your employees’ credentials appear in a new breach or stealer log
• A vendor in your supply chain shows up on a ransomware leak site
• A phishing domain targeting your brand is registered
• Session tokens for your applications are found in stealer logs
• Your company data appears in leaked ransomware files

Alerts include context: the source and when it was detected. You can push alerts directly to your SIEM through the Breachsense API.

What Are the Limitations?

Every monitoring platform has blind spots. Here are ours.

We only index publicly available data. We don’t buy stolen data from criminals or pay for access to private dumps. If data hasn’t been posted to a source we monitor, we won’t have it.

There’s a gap between breach and detection. When a company gets breached, it can take weeks or months before the stolen data surfaces on the dark web. Companies take an average of 241 days to identify and contain a breach (IBM’s 2025 Cost of Data Breach Report). This delay is most common with third-party breaches where data changes hands privately before going public.

Password cracking depends on hash strength. We crack hashed passwords to plaintext, but success depends on the hash algorithm and whether the breach included salt values. Strong hashing (e.g. bcrypt or argon2id) makes cracking slower.

New dark web sites appear constantly. We add new sources as they become active, but coverage isn’t exhaustive at any single point in time.

Private encrypted channels aren’t covered. We can’t monitor Signal groups or private Discord servers. Data in those channels only becomes visible when it’s reposted to a source we do monitor.

How Does This Differ From the Breach Tracker?

The Breachsense breach tracker and the monitoring platform serve different purposes.

The tracker is a public feed of ransomware victims. It shows which companies were hit and which group claimed the attack. It’s free and updated daily.

The monitoring platform goes deeper. It indexes stolen credentials and stealer logs. You can search the contents of leaked ransomware files too. Search for your specific data and get real-time alerts.

Here’s how they connect: the tracker tells you a vendor was hit by ransomware. The platform lets you search the leaked files to see if your company’s data was in the dump.

For a detailed breakdown of how the tracker collects and verifies ransomware incidents, see how the breach tracker works.

Conclusion

Breachsense monitors dark web marketplaces and hacker forums 24/7. Ransomware leak sites are tracked too. We index leaked files so you can search their contents.

Our monitoring has limits. We can’t access private encrypted channels, and there’s always a gap between when the breach occurred and data surfacing publicly. We’re transparent about those gaps because your security decisions depend on knowing what your tools can and can’t see.

If you want to check your current exposure, run a dark web scan. For continuous monitoring with real-time alerts, see Breachsense dark web monitoring.