Top 5 Dark Web Marketplaces to Monitor


Whatever your role in infosec, you probably know by now that dark web marketplaces offer budding and expert hackers various tools, data, credentials, ransomware, and malware for sale, with payment usually made via cryptocurrency. It’s in this underground landscape of shady buyers and sellers where dark web threats often lurk undetected until it’s too late and you suffer a breach. 

The ever-changing nature of dark web marketplaces makes it vital to stay on top of the main sites worth monitoring. High-profile markets sometimes close overnight, and new markets surge to enormous levels of popularity in no time. This article takes you through the top five dark web marketplaces currently worth keeping track of for potential threats in 2023.  

Keep in mind that Flare’s Dark Web Monitoring platform doesn’t just monitor dark web marketplaces; it also monitors more than 14 billion leaked credentials, 46 million stealer logs, and hundreds of ransom leak and other cybercrime sites on Tor.

The Current State of Dark Web Marketplaces 

A large downturn in the estimated revenue generated by dark web marketplaces reflects some interesting recent trends. Research conducted by blockchain analysis company Chainalysis noted a decline in revenue from $3.1 billion in 2021 to $1.5 billion in 2021. So, what’s driving that downturn?

One important factor is the recent closure of several high-profile dark web marketplaces that were veritable hives of nefarious underground economic activity:

  • April 2022 saw the shutdown of popular Russian-language market Hydra Market after a joint sting by German and U.S. authorities took down the market’s servers. Hydra alone generated up to $1 billion in revenue. 
  • January 2022 saw UniCC, one of the most popular dark web marketplaces for stolen credit card data, shut up shop due to the owner’s apparent health problems.  
  • Leading dark web marketplace ToRReZ closed down in December 2021; the only indication of a motive was that the risk of getting caught had become too great.

With more intense pressure from law enforcement, extortion by other threat actors, and changes in personal circumstances, it’s clear that many dark web market admins and owners feel the risks are too great. It seems the older the market, the more likely these factors account for its closure.

The emergence of Telegram as a new dark web frontier also partly explains the revenue reductions in traditional dark web marketplaces. Threat actors and aspiring cybercriminals have been flocking to Telegram channels and groups hoping to benefit from even better anonymity and default end-to-end encryption. 

It’s important to point out, however, that as long as the dark web provides an outlet for anonymously trading in illicit goods, malware, and stolen data, dark web marketplaces will continue to emerge and flourish.

5 Dark Web Marketplaces That Offer Products and Services for Hackers 

While many of the most widely visited dark web marketplaces predominantly feature the trade of illegal and prescription drugs along with counterfeit and pirated goods/services, more interesting from a cyber crime perspective are the marketplaces that include malware, ransomware, stolen credentials, hacking tools, and other products, data, or services that could help threat actors get into your network. Here are the top five dark web marketplaces worth keeping an eye on. 


InTheBox

Dubbed by security researchers as the largest marketplace for mobile malware, InTheBox is a relatively new site that came online in early 2020. InTheBox features over 400 custom “web injects” that threat actors can buy and use to hack into different mobile apps and services.

Attacks typically target users of banking, cryptocurrency, e-commerce sites, and even email. Web injects often take the form of adversary in the browser (AitB) attacks where an unsuspecting user installs a trojan horse on their smartphone. This trojan horse enables an outsider to then control, alter, or view traffic flows between the app or website and a victim’s mobile device. Account takeover and fraud are common outcomes seen in mobile malware attacks. 

Genesis Market

While not a traditional dark web market on Tor, Genesis is the leading marketplace for stolen credentials, cookies, and digital fingerprints. This is an invite-only market where the items listed for sale are known as “bots.” Each bot on Genesis contains stolen information that’s kept up to date through the use of malware that silently lurks on victims’ systems.

There are close to half a million bots for sale on Genesis, which demonstrates the sheer scale of stolen information circulating on the dark web. Annoyingly, the stolen authentication cookies for sale on there can provide a method of account takeover even against accounts that have applied best-practice security advice, such as choosing strong passwords and switching on multi-factor authentication. 

Read more about the stealer malware ecosystem (including Genesis Market) in our report, The Stealer Malware Ecosystem: A Detailed Analysis of How Infected Devices are Sold and Exploited on the Dark and Clear Web.


2Easy

2Easy is a quickly growing dark web marketplace that’s based around a similar concept to the Genesis Market. Threat actors buy and sell harvested data from browsers and devices. The market now has an established reputation among cybercriminals, which means that any stolen credentials for sale on there are likely to provide valid access to systems, services, or apps.

2Easy admins opted to call the data packages for sale on this market “logs”. Prices for harvested data on 2Easy are comparatively cheaper than the bots found on the Genesis Market; some logs go for as little as $5. The data for sale on 2Easy comes from over 600,000 compromised devices, most of which have infostealing malware installed on them.

Russian Market

Russian Market is a hacker-focused website with high volumes of stolen information available. Registration is easy and the site is accessible via both the dark web and clear web. Newly registered users cannot view any of this market’s listings, though, until they deposit at least $50 of Litecoin, Bitcoin, or Ethereum.

Despite the name, this is actually an English-language marketplace. Among the selection of tools and data hackers can buy here are dumps of stolen credit cards, stolen credentials, access to specific remote desktop protocol clients/servers, and stolen cookies. Prices range from as little as $10 to $500 or more for some data. 


OMG!OMG!

In the wake of Hydra Market’s collapse in 2022, new markets quickly swooped in to try and replace it. Security researchers noted that a three-horse race began between OMG!OMG!, Blacksprut, and Mega to fill the gap left by Hydra’s demise. OMG!OMG! is an English and Russian language marketplace that seems to have captured many of Hydra’s former vendors and consumers.

While this is a predominantly drug-oriented market, an entire “Other” section features many items of interest to threat actors. Among these items are hacking utilities, stolen banking info, and compromised credentials. While not the biggest dark web marketplace for hackers, it’s still not a bad idea to monitor this site due to its continued growth. 

Why You Need Automated Dark Web Monitoring

Could you just list out these dark web marketplaces and ask your security team to keep an eye on them? That’s certainly one strategy for dark web monitoring, but it can be inefficient and time-consuming, and it lacks coverage for other marketplaces. Furthermore, other value-driven security tasks are likely to suffer when teams have to manually browse these marketplaces and hunt for threats or signs of your digital footprint.

Flare’s high risk threat monitoring solution provides automated dark web monitoring, which frees up time and resources for other important security tasks. The platform takes around 15 minutes to set up and it decreases dark web investigation time by 10x. 

Not only do you get automated monitoring, but your security analysts get contextualized alerts about dark web threats. From leaked credentials or stolen company data for sale to signs of targeted attacks, Flare provides comprehensive dark web threat detection.
