Why should the financial sector care about the dark web?
Published by Jessica Weisman-Pitts
Posted on September 18, 2023
6 min read
Last updated: January 31, 2026

Dr Gareth Owenson, Co-Founder and CTO, Searchlight Cyber
The financial sector has a deserved reputation for taking cyber security seriously, but that hasn’t stopped cyber criminals keeping the industry in their cross hairs. In fact, with highly sensitive data and huge sums of money as the potential reward – the average cost of a data breach in the financial sector is $5.9 million – threat actors are constantly evolving their methods of attack. With so much at stake, it is vital organisations equip themselves with the intelligence and capability to defend themselves against impending attacks.
Many of these cyberattacks originate on the dark web – the secretive corner of the internet where company data is sought and sold to the highest bidder. This is where criminals lay the foundations for the next generation of cyberattacks. Targets are named, malware is bought and sold, and weak spots to attack are identified.
To combat cybercriminals operating on the dark web, it is important to understand how it works. The dark web cannot be accessed by conventional browsers and does not show up in typical search engine searches. Accessing it requires specialist software, which provides a high level of anonymity to users. Combined with the anonymity of cryptocurrency, this leads cybercriminals to use the dark web to buy and sell sensitive information, exploits, and cybercriminal tools in the belief they can act with impunity.
However, it is possible for security teams to monitor activity across the dark web’s ecosystem of forums, marketplaces, and websites. This turns it from a shadowy world of unknowns into a source of intelligence for early warning of imminent cyberattacks and, ultimately, can help organisations to prevent their network being breached.
So, how are cybercriminals on the dark web targeting the financial sector? And how can knowledge of this activity be used to an organisation’s advantage?
The majority of dark web activity against financial institutions involves posts from what are called ‘Initial Access Brokers’. These are people who use hacking forums like Exploit, XSS, and BreachForums to sell access to company infrastructure via exploits like remote network access or SQL injections. Other criminals, like ransomware groups, then use this access as the starting point for their attacks. Below is an example of an Initial Access Broker post, and the type of information cybercriminals provide:
Monitoring for this activity can provide invaluable pre-attack intelligence and alert organisations to when cybercriminals are targeting them. If they match the profile of the Initial Access Broker advert, they can launch an investigation to see if their internal technology – which the cybercriminal lists – is compromised.
Dark web messaging forums are also where cyber criminals look to recruit people from within an organisation to commit malicious activity. Often, when posting, they will give away information about the target organisation and the type of data or access they are looking for.
This information can be used to identify insider threat activity within your own organisation, and keeping track of all aliases associated with a specific poster can also help determine their capabilities and any potential risk.
Infrastructure reconnaissance is when attackers gather information on a potential victim organisation – for instance, on the network topology, operating systems and applications, and user accounts. It is their way of trying to pinpoint a potential weak spot and way in.
The discussion of this reconnaissance is another dark web activity that, if spotted at an early stage, can help security teams stop a breach before it happens. Organisations can take the data shared by cybercriminals in the planning stage, and use it to their advantage: for example, to patch systems that have been called out as vulnerabilities.
It is all well and good having a robust cyber security policy in-house. But if your suppliers and partners have not invested the same time and money – and are identified on the dark web because of these vulnerabilities – it leaves you open to attack. 62% of system intrusions in 2022 involved the supply chain. And, recent research shows that only 28% of CISOs in the finance industry currently collecting dark web data are using it to monitor for their suppliers being targeted on the dark web.
This lack of visibility can leave organisations exposed, especially given the complex supply chain ecosystem within the financial sector. Monitoring when details of key suppliers appear on the dark web can identify when a supplier (and, as a result, you) is under threat. This allows you to inform the supplier so it can take action and, ultimately, close off a potential avenue for attack in your supply chain.
Given the type of activity taking place there, incorporating dark web threat intelligence into threat modelling allows businesses to be better protected and crack down on cyber threats when they’re still in their preliminary stages. Greater insights into dark web activity can quantify potential threats and determine where to allocate time, money, and attention.
Threat models leveraging dark web insights can help financial sector organisations:
The dark web has become the go-to place for cyber criminals and malicious insiders to lay the groundwork for cyber attacks against organisations in the financial industry.
But it can be turned from a challenge into an opportunity. Organisations can harness its power to stay one step ahead. Monitoring dark web forums, marketplaces and sites can shine a light on Initial Access Brokers, cybercriminals targeting employees, and infrastructure reconnaissance to help organisations take a proactive approach to securing their assets and data.
The financial sector has long pursued top-class cyber security measures but to ensure defences are capable of withstanding the evolving threat landscape, organisations must remain vigilant and innovate.
The dark web is a part of the internet that is not indexed by traditional search engines and requires special software to access, providing anonymity to users.
An Initial Access Broker is a cybercriminal who sells access to compromised networks, often using hacking forums to advertise their services.
A data breach occurs when unauthorized individuals gain access to sensitive data, potentially leading to financial loss and reputational damage for organizations.
Cybersecurity refers to the practices and technologies used to protect computers, networks, and data from unauthorized access, attacks, or damage.
Infrastructure reconnaissance is the process by which attackers gather information about a target's network and systems to identify vulnerabilities for exploitation.


