    The OSINT Newsletter – Issue #105

    By admin | May 7, 2026 | 8 Mins Read

    👋 Welcome to the 105th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here’s an overview of what’s in this issue:

    • The tools you need to know

    • Strategies and limitations

    • Following data to the surface

    • …and how to fight the monsters under the Internet’s bed.

    🪃 If you missed the last newsletter, here’s a link to catch up.

    ⚡ Gathering OSINT from Live Traffic: Datasets and Cameras

    The OSINT Newsletter - Issue #104


    🎙️ If you prefer to listen, here’s a link to the podcast instead.

    Episode 17: Dark Web Intelligence and Gathering OSINT from Live Traffic


    Let’s get started. ⬇️

    Welcome (back) to the dark side. We have OSINT.

    Although it looks dangerous, DARKInt is perfectly safe if you know how – and if you read last week’s issue, you probably do. Without further introduction, let’s go even deeper into Dark Web OSINT.

    In Part Two, we’ll cover:

    • The tools you need to know

    • Strategies and limitations

    • Following data to the surface

    • …and how to fight the monsters under the Internet’s bed.

    Don’t forget your flashlight.

    If the internet is an iceberg, it has three layers: the surface, deep, and dark web.

    • Surface Web: The normie “internet”. Indexed by search engines like Google and Bing.

    • Deep Web: The “invisible” 90% of the web you don’t need a specific tool to access. Online banking, private networks, and corporate systems live here.

    • Dark Web: The unindexed 1-6% of the web, only accessible via specialised tools. Always anonymised, always encrypted.

    What you find in this dark bottom layer – open-source or not – is dark web intelligence. So, think of Dark Web intelligence (or DARKINT) as OSINT’s emo little brother. Got it? Good.

    To access the Dark Web, specific tools are required. Here’s a conceptual run-down of the best tools for beginners curious about traversing the depths. Of course, this overview is intended for educational purposes only, rather than encouraging active exploration as soon as possible – it’s best to think before you leap.

    TOR is the most (in)famous of the bunch. Short for The Onion Router, TOR is too complex to unpack fully here. What’s more, we already did that last week.

    Basically, onion browsers work by routing your connection through multiple encrypted layers – a bit like an onion – so no single point can trace your activity. The Dark Web’s sites then use .onion domains: “hidden services,” where both user and host are obscured. Instead of connecting directly, both sides layer up encrypted links via a shared rendezvous point on the TOR network, so nobody knows anybody else’s true IP. This creates the built-in anonymity which makes the Dark Web so popular, keeping everything… under wraps (sorry).

    We know one of the most common forms of DARKInt comes in the form of the humble data breach. Public leak indexes are one of the most beginner-friendly entry points into DARKInt, as they point users to large collections of said breached data.

    Unlike raw breach dumps (a.k.a. the actual compromised data), leak indexes are designed for search and discovery, and act as directories or lookup tools, rather than hosting any data directly. They’re for finding where data exists, and how it connects across leaks. Although datasets are traded, reused or repackaged across multiple Dark Web platforms, indexes can often find specific data whether it’s circulating across the Dark Web or in the wider web bloodstream beyond.

    The usual caveats about breached data apply. There’s always a compliance problem when handling potentially stolen data, so treat any data you find as if it were your own.

    These aren’t the Dark Web Google. If TOR is your vehicle into the Dark Web, onion search engines are more like a slightly unreliable sat-nav; this Garmin won’t get you there, but it might point you in the right direction. These tools don’t provide access to anything. Instead, they index and surface .onion sites, helping users discover hidden services they might not know about. Onion search engines:

    Unlike TOR browsers (which actually connect you to sites) onion search engines sit a layer above like the onion’s outer skin, acting as discovery tools rather than access tools. And because the Dark Web is so transient (sites appear, disappear, or hide deliberately), these engines are best thought of as more treasure hunt than Google search. The coverage on the aforementioned Garmin is patchy, unstable, and often outdated. Still, it works when it doesn’t drive you into a lake – or an active volcano.

    1. Use the tools above (indexes, search engines) to identify breaches.

    2. Extract identifiers (email, username, phone number) from DARKINT sources.

    3. Pivot using emails.

    4. Look for usernames.

       • Do the same for usernames – especially look for reuse across social media, forums, or gaming sites.

       • Look for variations, and cross-reference matches as in light-mode OSINT.

    5. Pivot using phone numbers.

    6. Correlate findings.

    Lastly… Validate carefully.

    • Watch out for false positives, outdated, or manipulated data – on the Dark Web, these are all over the place.

    If these two guides have made the dark, dirty web sound all sunshine and rainbows, now is the time to crush your dreams. There’s no unicorns skipping around down there. DARKInt has limitations, and plenty of them. Let’s meet the monsters under the Internet’s bed.

    Imagine a world where everybody hates each other. That’s kinda the Dark Web. DARKInt operates within an anonymised, adversarial ecosystem built to keep its infrastructure volatile, and access inconsistent. Elevated operational security risks are baked-in. Hidden services frequently appear and disappear, and interacting with them can expose investigators to threats just by virtue (or vice) of a click. Tread carefully.

    Data quality is ‘highly unreliable’ to be polite. Breach dumps are often annoyingly duplicated, hopelessly outdated, trickily manipulated, or deliberately seeded with false facts. Financially motivated actors frequently distribute misleading datasets. At worst, you might end up involved in a particularly icky scam. At best, the overall signal-to-noise ratio can reach a hair-tearing level. Be patient.

    So you have that ‘highly unreliable’ data. It might never become reliable. Attribution and validation are inherently limited on the Dark Web, where anonymisation layers and restricted visibility are the whole point. So much activity occurs behind closed doors – in closed networks or private exchanges – that datasets can’t always be corroborated or independently verified (outside of our dreams). Manage your expectations.

    If you work recklessly in DARKInt, you’re playing psychological Russian roulette. You may encounter material that is disturbing, illegal, or just deeply distressing; content that stays with you long after you’ve closed TOR. When people are anonymous, they showcase the worst things humanity can do to each other. Even if you do everything right, you can end up seeing something deeply wrong. Have caution.

    Our journey through the Web’s dark side is coming to an end. You should now know:

    • All DARKINT is OSINT, but not all OSINT is DARKINT

    • The tools beginners need to go web spelunking

    • How to bring dark data into the light

    • … and why the Dark Web isn’t where the unicorns live.

    See you next issue, investigators!

    🏁 New CTF Challenge Live – Covert Communication

    A new CTF challenge has been posted on our CTF website. This week’s challenge involves analyzing a covert communications channel used by a suspected intelligence operative and finding the name of the location.

    Start competing in our Capture the Flag (CTF)

    🪃 If you missed the last CTF, here’s a link to catch up.

    Last week’s CTF challenge, titled “The Dark Web DB”, required participants to investigate a suspected data breach involving Quick, where a threat actor allegedly published a customer database on the dark web, and to uncover key details about the publication.

    To solve the challenge, we need to:

    1. Copy & paste the onion link into Wayback Machine.

    2. Then we filter the results by date and select 06 March of 2026. We get a result for 06 March 2026 at 08:01:04.

    3. We click on it. Looking at the forum, in the right corner, we can see a post regarding a French and Belgian database.

    4. It says that it was published 10 mins ago. We can also see the username of the threat actor who published it, which is: sarkstic.

    5. Knowing that the forum was crawled at 08:01:04 and that the post says 10 mins ago, the post was made at 07:51:04.
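
    The arithmetic in step 5, as an added example (not part of the original newsletter), generalised to other relative labels and reporting a time window instead of a single instant. It assumes the forum truncates ages to whole units; the capture timestamp string is constructed from the date and time in step 2, and Wayback Machine capture timestamps are in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per unit for relative labels such as "10 mins ago".
UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400}
REL_RE = re.compile(r"(\d+)\s*(sec|min|hour|day)\w*\s+ago", re.IGNORECASE)


def parse_wayback_ts(ts: str) -> datetime:
    """Parse a 14-digit Wayback capture timestamp (YYYYMMDDhhmmss, UTC)."""
    if not re.fullmatch(r"[0-9]{14}", ts):
        raise ValueError(f"not a 14-digit capture timestamp: {ts!r}")
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def estimate_post_time(capture_ts: str, relative_label: str):
    """Return (earliest, latest) UTC datetimes for when the post was made.

    Assumption: the forum truncates the age to whole units, so "10 mins ago"
    means at least 10 and less than 11 minutes old when the page was crawled.
    """
    captured = parse_wayback_ts(capture_ts)
    m = REL_RE.search(relative_label)
    if m is None:
        raise ValueError(f"unrecognised relative label: {relative_label!r}")
    count, unit = int(m.group(1)), UNIT_SECONDS[m.group(2).lower()]
    # Latest possible post time: exactly `count` units before the crawl.
    latest = captured - timedelta(seconds=count * unit)
    # Earliest: one second short of `count + 1` units before the crawl.
    earliest = captured - timedelta(seconds=(count + 1) * unit - 1)
    return earliest, latest


if __name__ == "__main__":
    # Constructed from the walkthrough: capture on 06 March 2026 at 08:01:04.
    earliest, latest = estimate_post_time("20260306080104", "10 mins ago")
    print("capture :", parse_wayback_ts("20260306080104").isoformat())
    print("earliest:", earliest.isoformat())
    print("latest  :", latest.isoformat())
```

    The upper bound of the window is the 07:51:04 answer from step 5; the lower bound shows how much slack a label with minute granularity leaves.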

    ✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

    By upgrading to paid, you’ll get access to the following:

    👀 All paid posts in the archive. Go back and see what you’ve missed!

    🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

    🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.


