Dark Web Sales Driving Major Rise in Credential Attacks


The rising popularity of darknet markets has led norm.’s threat intelligence team to observe a significant surge in credential attacks.

In this article our Principal Threat Intelligence Analyst, Daniel Russell, explains what exactly a Darknet Market is, how stolen credentials are being sold in this forum and what you can do to protect your people and business.

What are Darknet Markets?

‘Darknet markets’ is a term used to describe underground online platforms where illegal goods and services, including drugs, weapons, and stolen data, are traded anonymously. Operating within the encrypted confines of the dark web, these marketplaces facilitate transactions through cryptocurrencies, shielding both buyers and sellers from conventional surveillance and tracking measures. In this blog, we will focus specifically on credential theft.

How are credentials stolen in cyber attacks? 

Credential theft in cyber attacks occurs through various means, with phishing being the most popular method. Cyber criminals send deceptive emails or messages, masquerading as legitimate entities, to lure unsuspecting, trusting individuals into divulging sensitive information such as usernames, passwords, or financial details. Additionally, malware-infected websites, keylogging software, and data breaches add to the exposure, enabling malicious actors to steal credentials with alarming ease.

What is an Initial Access Broker?

Capitalising on unpatched vulnerabilities, misconfigured systems, or lax security protocols, Initial Access Brokers specialise in infiltrating corporate networks, exfiltrating valuable data, and subsequently selling access to ill-intentioned buyers via the dark web.  

How can I reduce the likelihood of credential theft?

To mitigate the threat of credential theft, organisations must adopt a multi-faceted approach to harden their cyber defences. Firstly, robust employee training programmes are essential in educating a workforce to exercise caution while navigating online communications. Implementing stringent authentication measures, such as multi-factor authentication (MFA) and password managers, also bolsters resilience, making unauthorised access significantly harder. Regular security audits, timely patch management, and comprehensive incident response plans also serve to proactively thwart cyber threats.

Additionally, a dark net monitoring service gives you access to a team who understand the modus operandi of cyber adversaries and their tactics, techniques, and procedures. By utilising a dark net monitoring service, you’ll receive intelligence about your organisation and its industry. Armed with this information, you can quickly become aware of the vulnerabilities threat actors are likely to target and ensure your systems are patched accordingly.

Whilst there is no doubt that credential theft is rising, there are effective defensive mechanisms organisations can use to combat this persistent threat and avoid becoming part of the next statistic.


Written by Daniel Russell

Daniel Russell is a seasoned cyber security professional serving as the Principal Analyst for Threat Intelligence at NormCyber. With extensive experience in threat intelligence analysis, Daniel is dedicated to staying ahead of evolving cyber threats and developing effective mitigation strategies. His comprehensive understanding of emerging threats and strong analytical skills empower norm.’s clients to proactively defend against cyber attacks.