Deep & dark web monitoring · continuous Fortgale surveillance
CTI · capability 05 · Deep & Dark Web Monitoring

Threats have an echo in the underground.

Criminal marketplaces, ransomware leak sites, Telegram channels, underground forums, infostealer log dumps. Most threats have an echo in criminal channels before they reach the SOC. Fortgale listens continuously: 24/7 surveillance, real-time alerts, actor context. 50+ ransomware leak sites, 300+ Telegram channels, dozens of underground forums and infostealer log dumps indexed by customer domain.

24/7 · Continuous surveillance
50+ · Ransomware leak sites
< 15 min · Critical alert SLA
Standards · frameworks: MITRE ATT&CK · STIX 2.1 · TAXII 2.1 · Diamond Model
Discipline · analysis: OSINT · HUMINT · Tor · I2P · Crypto tracking
The problem

The SOC sees the attack. The dark web has already talked about it.

Most ransomware incidents are preceded by weeks of traces in criminal channels: credentials for sale, IAB access listings, brands discussed on forums. Without underground monitoring, these traces stay invisible to the SOC.

01 · Traces invisible to the SOC

Credentials stolen by infostealers, IAB access listings, brands discussed in forums leave no logs on the customer's systems — they are outside the perimeter.

02 · Time wasted post-leak

By the time data hits the leak site, the damage is done. Only monitoring lets you know earlier — during countdown or negotiation.

03 · Blind supply chain

A compromised critical supplier can become the attack vector. Extending tracking to supplier domains gives early warning on the supply chain.

The distinction that changes everything

Surface monitoring vs operational surveillance.

The difference is not "how many sites you scan"; it is how varied the sources are, how often they are checked and with what context the hits are delivered. Monitoring without correlation and analyst follow-up only produces noise.

Standard dark web monitoring · Commodity
  • Periodic scans of a few known sources
  • Clearnet only + a handful of paste sites
  • Output: raw list of mentions
  • No correlation with customer assets
  • No context on the actor

Fortgale coverage · Operational · actionable
  • 50+ leak sites · 300+ Telegram channels · underground forums · Tor marketplaces
  • Tor, I2P, Freenet · invite-only forums
  • Automatic correlation with assets, brand, executives
  • Context: actor, motivation, modus operandi
  • Analyst follow-up within 30 min for critical events
The method · 4 steps

From criminal source to qualified alert.

Four documented phases · from source discovery to the delivery of an alert with context.

01 · Continuous map of the underground

Source discovery and indexing

Continuous mapping of relevant criminal sources: active ransomware leak sites (50+), Tor/I2P marketplaces, Telegram channels of kit sellers and IABs, underground forums (Exploit, XSS, BreachForums successors), paste sites (Pastebin, RentryCo). The source database is constantly updated.

Tor · I2P · Freenet · Telegram crawling · Forum hunting · Source mapping
02 · Automated + analyst OSINT

Continuous 24/7 surveillance

24/7 automated surveillance combined with Fortgale OSINT analysts for sources that require human interaction (invite-only forums, private channels). Coverage of Tor, I2P, Freenet, dark web shops, Telegram, underground forums, paste sites, crypto channels.

24/7 automated · OSINT analyst · Invite-only access · Multi-protocol
03 · From signal to context

Validation, correlation, enrichment

Every event is validated (no false positives), correlated with the customer's assets and brand (domains, corporate emails, executives, IP ranges, products), and enriched with context on the originating actor (ransomware group, IAB, MaaS operator, motivation).

Validation · Asset correlation · Actor enrichment · Context analysis
04 · From detection to action

Real-time alerts and analyst follow-up

Immediate alert via webhook (Slack, Teams, Discord), email, SMS. For critical events (leak site exposure, admin credentials, compromised executives), a Fortgale analyst gets back within 30 minutes for operational support (containment, reset, take-down).

Real-time webhook · Email · SMS · 30-min analyst SLA · Operational support
Monitoring categories

Five source families · continuous coverage.

The five families of criminal sources Fortgale monitors continuously. Each family has its own dynamics, its own timing, its own patterns.

Category 01

Ransomware leak site tracking

50+ active groups · LockBit · RansomHub · Akira · Medusa · Cl0p

Continuous tracking of the leak sites of the main ransomware groups. Every newly announced victim is indexed, correlated with Fortgale customers and with their supply chains. Pre-leak alert when a customer or supplier domain appears in countdown.

  • Top groups 2024-2026 · LockBit (post-Cronos), RansomHub, Akira, Medusa, Cl0p, BlackBasta, Play, INC Ransom, Hunters International, Qilin.
  • Pre-leak countdown · Alert when a customer or supplier domain appears in countdown on the leak site, before data publication.
  • Data leak content analysis · When data is published, rapid analysis of the content: type (PII, financial, source code, email), perimeter, sensitivity.
  • Sector victimology · Tracking of victim recurrences in the customer's sector for pre-warning on active groups (e.g. LockBit wave on European manufacturing).
  • Negotiation channel · Monitoring of the group's negotiation channels (Tor portal, Tox ID, qTox) to anticipate tactical and pricing shifts.
Category 02

Criminal marketplaces

Russian Market · Tor shops · dark web stores

Continuous coverage of the marketplaces where initial access (IAB), credentials, exfiltrated data, exploits and malware are sold. Automatic indexing by customer domain, IP range, products, executives.

  • Russian Market · Top stolen-logs marketplace (post-Genesis Market takedown). Continuous tracking of new listings by customer domain.
  • Initial Access Brokers · Listings of compromised RDP, VPN, Citrix, SSH access. Typical pricing $500-50,000 depending on sector and privilege level.
  • Exploit marketplace · Sale of 0-day, N-day, exploit chains. Tracking for CVEs relevant to the customer perimeter.
  • Tor shops and clearnet escrow · Marketplaces on .onion (Tor) and clearnet mirrors with crypto escrow. Listings of exfiltrated data, compromised accounts, stolen identities.
  • Crypto laundering channels · Tracking of crypto flows associated with ransom payments, exit scams, money laundering — useful for attribution and context.
Category 03

Infostealer log dump tracking

Lumma · RedLine · Vidar · StealC · Atomic

Acquisition and indexing of infostealer logs for sale. Infostealers steal credentials, cookies, session tokens, crypto wallets, autofill data from victims' browsers. Logs end up for sale on marketplaces, Telegram and forums. Fortgale acquires, indexes by customer domain, alerts in real time.

  • Lumma Stealer logs · Top stealer 2024-2026. Distributed via Telegram, logs sold on Russian Market and the seller's Telegram channel. Indexing by customer domain.
  • RedLine · Vidar · StealC · Legacy families still active. Tracking of C2 panels, build IDs, exfiltration servers and distribution channels.
  • Atomic / macOS stealer · AMOS, Banshee, Cthulhu — a growing macOS ecosystem. Tracking of fake installers (homebrew, cracked apps), exfiltration patterns.
  • Combolist & credential stuffing dumps · Aggregates of credentials from multiple breaches. Coverage of the main dumps distributed via paste sites and Telegram.
  • Session cookie and token theft · Valid session cookies for Microsoft 365, Google Workspace, Okta — used to bypass MFA. Dump tracking.
Category 04

Underground forums

Exploit · XSS · BreachForums successors · niche forums

Monitoring of historic criminal forums (Exploit, XSS) and post-takedown successors of BreachForums/RaidForums. Coverage of technical discussions, access sales, attack planning, recruitment.

  • Exploit · XSS · Historic Russian-speaking forums. Technical discussions, sale of 0-day and IAB access, recruitment for ransomware affiliate programs.
  • BreachForums successors · Following the 2023-2024 takedowns, monitoring of the successors (clones, mirrors, niche forums).
  • European-targeting niche forums · Forums specialised on European targets (language, branded content). Discussions on EU banks, national digital identity schemes, public-sector portals.
  • Recruitment & affiliate channels · Recruitment ads for ransomware affiliates, IAB partnerships, DDoS-for-hire — useful to anticipate attack waves.
  • Reputation tracking · Tracking of operator reputation (scammer blacklists) — useful for attribution.
Category 05

Criminal Telegram channels

Kit sellers · ransom announcements · IAB · combo dumps

Telegram is today the preferred communication channel of Russian-speaking and European cybercrime. Coverage of 300+ channels across kit sellers, ransom announcements (alternative to leak sites), IAB markets, combo list dumps, hacktivist channels.

  • Kit seller channels · Tycoon 2FA, Mamba 2FA, EvilProxy, W3LL · seller channels with release announcements, demos, support.
  • Ransom announcements · Some groups (Cl0p, Akira) announce victims on Telegram in addition to their Tor leak site. Bilateral coverage.
  • IAB market · Channels where access is sold (RDP, VPN, Citrix). Real-time listings, transparent pricing.
  • Combo lists and dumps · Channels dedicated to the distribution of combolists (email:password) from multiple breaches.
  • Hacktivist and ideological · Hacktivist channels (KillNet, NoName057(16), Anonymous Sudan) with DDoS, leak and defacement announcements.
Among the most tracked

Seven sources Fortgale monitors every day.

A selection of the criminal sources most relevant to European customers. It changes continuously: every month new leak sites emerge, others disappear due to takedowns or exit scams.

Ransomware leak site · 2019-active · top

LockBit leak site

LockBit · RaaS · post-Operation Cronos
Type: Tor leak site · countdown · double extortion
Tracking: Victims · countdown · negotiation channel · published data

Continuous tracking of the LockBit leak site following Operation Cronos in 2024. The group has reconstituted with a renewed leak site and affiliate program. Fortgale monitors new victims and countdowns and indexes published data for customer assets.

Post-Cronos · ESXi targeting · RaaS · Top tracked
Tracking level: Top
Ransomware leak site · 2024-active · top group

RansomHub leak site

RansomHub · RaaS · ex-ALPHV affiliates
Type: Tor leak site · multi-sector
Tracking: Victims · payload exclusivity · negotiation

Top group 2024-2026. Tracking of the RansomHub leak site, announced victims (manufacturing, healthcare, public administration), exfiltration patterns and correlation with the customer's suppliers.

Top 2024-26 · Multi-sector · Post-ALPHV · ESXi
Tracking level: Top
Infostealer logs · 2022-active · top dump

Lumma Stealer logs

Lumma · MaaS · Telegram-distributed
Type: Stolen log dump · credentials · cookies · wallets
Tracking: C2 panel · build ID · log dumps · Telegram channels

Lumma Stealer is the top infostealer 2024-2026. Stolen logs are sold on Russian Market, Telegram and BreachForums. Fortgale indexes logs by customer domain and alerts in real time.

Top stealer 2025 · MaaS · Telegram-dist. · Cookie theft
Tracking level: Top
Stolen log marketplace · 2024-active

Russian Market

Russian Market · marketplace
Type: Stolen log marketplace · post-Genesis
Tracking: New listings · domains · products · prices

Marketplace #1 for stolen logs following the Genesis Market takedown. Real-time tracking of new listings by customer domain. Fingerprinting of the main sellers' listing patterns.

Stolen logs · Post-Genesis · Multi-stealer · Active 24/7
Tracking level: Top
Underground forum · 2024-active

BreachForums successors

BreachForums · post-takedown clones
Type: Underground forum · breach sale · IAB
Tracking: Breach listings · credential sale · 0-day discussion

Following the 2023-2024 takedowns, BreachForums has had numerous clones and successors. Tracking of the main ones (some invite-only) with Fortgale OSINT analysts.

Post-takedown · Breach sale · IAB · Invite-only
Tracking level: Active
Phishing kit market · 2023-active

Telegram phishing kit shops

Tycoon · Mamba · EvilProxy seller channels
Type: Phishing kit sale · operator support
Tracking: Listings · demos · pricing · operator profile

Telegram is the preferred channel for phishing kit sales. Tracking of Tycoon 2FA, Mamba 2FA, EvilProxy, W3LL channels. Coverage of new versions, pricing, support channels.

Phishing kit · Telegram-dist. · AiTM · Operator tracking
Tracking level: Active
IAB & exploit · 2023-active

Initial Access Broker forums

IAB · Exploit · XSS · Telegram IAB market
Type: Initial Access sale · RDP · VPN · Citrix
Tracking: IAB listings · victim sector · pricing

Forums and channels where compromised initial access is sold (RDP, VPN, Citrix, SSH). Real-time tracking, correlation with the customer's sector for pre-warning.

IAB · Pre-ransomware · Access sale · Pricing tracking
Tracking level: Active
Quality · methodology

Explicit severity. No noise.

Every event receives an explicit severity level (Critical/High/Medium/Info) that determines the alert channel. No raw list, no alert fatigue.

Critical · Immediate action

Active leak site exposure, compromised admin credentials, executive on victim list, sensitive data for sale. Immediate alert + analyst follow-up within 30 min.

High · Webhook alert

Compromised standard user credentials, company mention in a criminal forum, active look-alike domain registration. Webhook alert within 15 min.

Medium · Weekly digest

Historical listing no longer active, low-value data. Included in the weekly digest.

Info · Dashboard only

Informational mention, mention in a low-value channel, general context. Available in the dashboard, does not generate an alert.
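The validation and correlation step of the method (step 03) and the severity rubric above, as an added worked example in Python that is not Fortgale's code: it takes constructed events of four kinds (leak-site victim entry, infostealer log record, access-broker listing, forum mention), validates domain matches so look-alike domains do not produce false positives, correlates each event with a constructed customer inventory (domains, suppliers, executives, admin accounts, IP ranges, brand keywords), assigns the Critical/High/Medium/Info tier and its delivery channel, and produces the per-severity counts a weekly digest would carry. Every domain, range, name, source label and event in the block is a placeholder; none is drawn from the page or from real data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ASSETS = {  # constructed customer inventory: placeholder domains, ranges, names
    "domains": {"example-corp.test"},
    "suppliers": {"parts-supplier.test"},
    "executives": {"ada.lovelace@example-corp.test"},
    "admin_users": {"admin", "svc-backup", "domainadmin"},
    "ip_ranges": [ip_network("203.0.113.0/24")],
    "brand_keywords": {"example corp", "examplecorp"},
    # identity providers whose stolen session cookies can be replayed past MFA
    "idp_hosts": {"login.microsoftonline.com", "accounts.google.com"},
}
# Severity tier -> delivery channel, following the page's rubric
CHANNEL = {"Critical": "webhook + analyst follow-up", "High": "webhook",
           "Medium": "weekly digest", "Info": "dashboard"}
RANK = {"Critical": 0, "High": 1, "Medium": 2, "Info": 3}

@dataclass
class Event:
    kind: str                  # leak_site | stealer_log | iab_listing | forum_mention
    source: str                # where it was seen (constructed source names)
    domain: str = ""           # victim domain on a leak site
    email: str = ""            # harvested login from a stealer log
    cookie_host: str = ""      # host of a harvested session cookie
    ip: str = ""               # host advertised in an access listing
    text: str = ""             # forum post body
    active: bool = True        # False = historical listing, no longer on sale
    low_value_source: bool = False

@dataclass
class Finding:
    severity: str
    channel: str
    asset: str
    reason: str

def finding(severity: str, asset: str, reason: str) -> Finding:
    return Finding(severity, CHANNEL[severity], asset, reason)

def owned_domain(domain: str, pool: set) -> Optional[str]:
    """Validation: exact or subdomain match only, so 'notexample-corp.test' is not a hit."""
    d = domain.lower().rstrip(".")
    return next((a for a in pool if d == a or d.endswith("." + a)), None)

def correlate(ev: Event) -> Optional[Finding]:
    """One raw mention -> qualified finding, or None when no customer asset is involved."""
    if ev.kind == "leak_site":
        if owned_domain(ev.domain, ASSETS["domains"]):
            return finding("Critical", ev.domain, f"customer domain on {ev.source} (countdown or publication)")
        if owned_domain(ev.domain, ASSETS["suppliers"]):
            return finding("High", ev.domain, f"supplier on {ev.source}: supply-chain pre-warning")
    elif ev.kind == "stealer_log":
        user, _, dom = ev.email.lower().partition("@")
        if not owned_domain(dom, ASSETS["domains"]):
            return None
        if not ev.active:
            return finding("Medium", ev.email, "historical stealer log, no longer on sale")
        if ev.email.lower() in ASSETS["executives"] or user in ASSETS["admin_users"]:
            return finding("Critical", ev.email, "executive or admin credentials in stealer log")
        if ev.cookie_host.lower() in ASSETS["idp_hosts"]:
            return finding("Critical", ev.email, f"valid {ev.cookie_host} session cookie (MFA bypass risk)")
        return finding("High", ev.email, "standard user credentials in stealer log")
    elif ev.kind == "iab_listing":
        try:
            addr = ip_address(ev.ip)
        except ValueError:       # malformed listing: drop rather than alert on garbage
            return None
        if any(addr in net for net in ASSETS["ip_ranges"]):
            return finding("Critical", ev.ip, f"access listing on {ev.source} inside customer IP range")
    elif ev.kind == "forum_mention":
        hit = next((k for k in ASSETS["brand_keywords"] if k in ev.text.lower()), None)
        if hit:
            return finding("Info" if ev.low_value_source else "High", hit, f"brand mentioned on {ev.source}")
    return None

def triage(events: list) -> list:
    """Qualified alerts only, most severe first: the 'no raw list' output."""
    return sorted(filter(None, map(correlate, events)), key=lambda f: RANK[f.severity])

def digest(findings: list) -> dict:
    """Per-severity counts for the weekly CISO summary."""
    return {s: sum(f.severity == s for f in findings) for s in RANK}

SAMPLE = [  # constructed events; no real credentials or indicators
    Event("leak_site", "leak-site-A", domain="parts-supplier.test"),
    Event("leak_site", "leak-site-B", domain="notexample-corp.test"),
    Event("stealer_log", "log-market", email="svc-backup@example-corp.test"),
    Event("stealer_log", "log-market", email="jane.doe@example-corp.test", cookie_host="login.microsoftonline.com"),
    Event("stealer_log", "log-market", email="old.user@example-corp.test", active=False),
    Event("iab_listing", "iab-channel", ip="203.0.113.42"),
    Event("forum_mention", "forum-X", text="Selling HR data from Example Corp"),
    Event("forum_mention", "chatter-channel", text="examplecorp uses vendor Y", low_value_source=True),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Running the block on the constructed sample yields seven findings out of eight events: the look-alike domain on the second leak site is rejected by the subdomain-only match, the service-account credential, the identity-provider session cookie and the listing inside the customer range are Critical, the supplier listing and the forum mention are High, the expired log is Medium and the low-value-channel chatter is Info. The point of the example is the design, not the thresholds: a raw mention becomes an alert only after it is matched to an inventoried asset, and the severity decides the channel rather than every hit going to the same queue.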

The output

How monitoring is delivered.

Four distribution channels, chosen based on role (CISO, SOC, IR, board) and event criticality.

01 · Real-time dashboard

Fortgale web console with a real-time view of detected events: leak sites, marketplace listings, infostealer log dumps, forum mentions. Filtering by source, severity, asset involved.

02 · Real-time webhook alerts

Immediate push of critical alerts via webhook (Slack, Teams, Discord), email, SMS. SLA < 15 minutes from detection for critical/high events.

03 · Weekly digest

Weekly report via email for the CISO with statistical summary: event volume, top sources, top actors, focus on events that require management decisions.

04 · On-demand investigation

On-demand deep dive into specific events by Fortgale analysts: actor context, containment support, coordination with incident response.

Technical honesty

When activating monitoring does not make sense.

Deep & dark web monitoring is only worth it if the organisation has online exposure: visible brand, executives with a public profile, e-commerce, critical assets exposed to the internet, ransomware target sector (manufacturing, healthcare, energy, finance, public administration).

If the organisation is B2B niche, with no public brand, no e-commerce, no visible executives — the value of alerts is low. In that case a standard STIX/TAXII feed (capability 02) or vertical advisories (capability 03) produce more value.

Not sure? Let's talk. If you don't need it, we'll tell you.

To bring to the board

Three slides · the exposure the board doesn't see.

Dark web monitoring produces data the board cannot obtain otherwise. Three slides to surface the relevance.

01 · Current exposure

How many events detected in the last 6 months · how many credentials exposed · how many executives mentioned · how many suppliers on leak sites.

02 · The adversary

Who is hitting your sector (ransomware groups, IABs, infostealers) · how many indirect recurrences (via suppliers, former employees) you have.

03 · The action

How many incidents avoided thanks to pre-warning (credentials reset · domains blocked · executives contacted for coaching) · estimated avoided cost.

The "3-slide board pack" is available as a PDF · can be requested separately.

FAQ

Frequently asked questions on Dark Web Monitoring.

What does deep & dark web monitoring mean?

It means continuous surveillance of criminal sources not accessible from search engines: Tor marketplaces, ransomware leak sites, underground forums, Telegram channels of kit sellers and IABs, infostealer log dumps for sale, paste sites. Fortgale monitors more than 50 active ransomware leak sites plus dozens of marketplaces and hundreds of Telegram channels, with 24/7 automated coverage and analyst OSINT.

Which ransomware leak sites are tracked?

All top groups active in 2024-2026: LockBit (post-Cronos), RansomHub, Akira, Medusa, Cl0p, BlackBasta, Play, INC, Hunters International, Qilin, and 40+ other minor groups. Tracking of leak announcements, published data, negotiation channels, victim recurrences in the customer's sector.

How does infostealer log monitoring work?

Infostealers (Lumma, RedLine, Vidar, StealC) steal credentials, cookies and session tokens that end up for sale on Russian Market, Telegram channels and BreachForums successors. Fortgale acquires marketplace logs, indexes by customer domain and alerts in real time when corporate credentials or compromised assets appear.

How is this different from standard dark web monitoring services?

Standard services run periodic scans of a few known sources. Fortgale offers continuous coverage of 50+ leak sites, 300+ Telegram channels, dozens of underground forums, Tor/I2P marketplaces and infostealer log dumps, with automatic correlation against the customer's inventory and actor context. Not a raw report: a qualified alert with the required action.

How fast does an alert arrive?

For leak site exposure and high-privilege credentials: real-time webhook alert within 5-15 minutes from detection. For critical events (Critical severity), a Fortgale analyst calls or writes within 30 minutes. For informational events, daily or weekly digest at the customer's discretion.

When does it NOT make sense to activate dark web monitoring?

If the organisation has no online brand visibility, no critical assets exposed to the internet, no executives with a public profile, no e-commerce and is not in a ransomware target sector. In those cases the value of alerts is low. If, however, the brand is visible and the sector is targeted, monitoring is one of the most cost-efficient ways to intercept attacks before the active phase.

Start with monitoring

What is already being said about you in the underground?

Request a free 30-day scan · 5 domains, 10 executives, brand keywords. We return a report with real events detected in criminal channels · no commitment.

Response time: < 1 business day.