Skip Navigation

An Introduction to the Dark Web

October 13, 2021

As the ubiquity of computer-based services now touches almost all aspects of our lives, it is not surprising that our use of the interconnected world is evolving to more closely mirror the real world. The innocence of the internet some 25 years ago has been replaced with a more sobering version where it is not only encyclopedic information, entertainment content and financial and social connections that are maintained – the internet is now also the place where freedom fighters, terrorists, criminals and those engaged in free but controversial political speech also operate. These latter uses often require strict anonymity and the avoidance of tracking by law enforcement, authoritarian regimes or anyone else. The dark web (sometimes referred to as the dark net), as it has come to be known, represents an alter-ego to the World Wide Web that we are all used to.

One particular use of the dark web is relevant to all Canadian individuals and organizations: the execution of cybercrime. The frequency and complexity of cyberattacks continues to rise at an alarming and exponential rate. While attacks are carried out by a variety of actors for a variety of purposes, Canadian organizations are increasingly being targeted by criminal groups that are attempting to financially profit from attacks on their computer systems. These criminal groups rely on the dark web to transact, execute and profit from cyber-extortion activities out of the view of law enforcement and others who would otherwise try to track them.

A familiarity with the dark web can help Canadian organizations prepare for and respond to such attacks. This article serves as a primer for the uninitiated and aims to demystify the concept and operation of the dark web at a basic level.


Much of the content available on the World Wide Web can be found using any popular web browser directed at well-known web search engines. These search engines index locations (URL, or Uniform Resource Locator addresses) of websites that allow users to easily find a website and then allow one’s web browser to connect to them. However, there is also content on computers (also referred to as servers) connected to the internet that cannot be found or indexed by standard search engines – these usually require a direct URL address or IP (Internet Protocol) address and occasionally a password or other security measures to access. In other words, to access this content, you need to know where to look.

This is referred to as the “deep web.” A simple illustration is when a user searches for a webpage, connects to it and then clicks on a link on that webpage which then allows the user to access the deep web content. It is the link that you click on that knows where to find the content – the location of the content itself is not otherwise indexed by the search engine but rather the website that contains the link. Examples of this content include a private video or a document hosted on a private cloud storage space. The deep web is not about the type of content – it is any available content that has not been indexed by common search engines and therefore requires you to find it using some other means.

The dark web is a subset of the deep web. In addition to being invisible to standard web search engines, the dark web is the content on the World Wide Web that cannot be accessed without the use of special software or techniques. Additionally, this special software deliberately encrypts a user’s activity, thereby allowing users accessing the content to themselves remain untraceable. A well-known example of such a software program is the Tor browser.


For a large majority of internet users, when you access a website, you are using the World Wide Web to transfer information from one computer network to another (and vice-versa). For example, when you visit, your device communicates directly with the computer that hosts our Firm’s website.

Tor increases an internet user’s anonymity using a process nicknamed “onion routing” (Tor is an acronym for The Onion Router). Rather than allowing the user’s device to communicate directly with the computer hosting a website, Tor encrypts a user’s traffic in multiple layers of encryption (“layered” encryption is the origin of the onion moniker). It then sends this encrypted bundle through a number of intermediate computers, referred to as “nodes”. Each node is only able to decrypt enough information to send the bundle to the next node, thereby peeling back one layer of encryption. The decryption process is repeated at each node, until the computer hosting the desired website is reached, and the content can be sent back to the initial user in the same manner.

From the perspective of the computer hosting the ultimate website, it appears as though the request has come from the computer which decrypted the final layer (the “exit node”), rather than the initial user. As such, none of the nodes will be able to know both the origin and ultimate destination of the line of communication, making it much more difficult to monitor and track the user and webpage. Although routing web traffic through multiple computers is part and parcel of the everyday functioning of the internet, it is the process of peeling back of layers of encryption at each node that characterizes the Tor browser.


While Tor can be used to access standard websites with greater anonymity, the program also allows users to host and access websites that are invisible to search engines and cannot be accessed using a standard web browser. These sites, called “onion services” or “hidden services” use the “.onion” top-level domain (rather than “.com”, “.ca” or another top-level domain). Addresses to access some hidden services can be easily found on well-known websites and by using search engines. Other hidden services require direct links from cybersecurity specialists or even participation in underground online chatrooms or other communities. The degree to which dark web sites are difficult to find will vary from site to site.

By offering anonymized connections, the dark web has earned a reputation for housing virtual marketplaces for illegal goods and services such as drugs, child pornography and terrorism. Furthermore, many cyber criminals use the dark web to publish or sell stolen personal information and credentials, to communicate within their organization and externally and to trade cryptocurrency. More specifically, threat actors who carry out ransomware attacks will often only communicate with their victims using the dark web. It is common for these threat actors to direct the organization to download the Tor browser and access a dark website they have created that contains a chat function, thereby providing a direct and anonymized line of communication. Organizations who find themselves in this position should contact cybersecurity professionals prior to visiting this page or otherwise engaging with the threat actor.

The dark web also serves more licit purposes. For example, journalists, human rights activists and law enforcement officials may all use the dark web to anonymize their online activity. Additionally, organizations such as Facebook, BBC News and the New York Times have launched parallel versions of their sites that are designed specifically for the dark web, making them accessible in countries in which they are actively blocked or censored.

The dark web is neither good nor bad. It is simply an anonymized virtual space where users of the internet can operate with greater anonymity. As a final comment, the dark web is not a place for casual browsing – most of the material that typical users want to access exists on the indexed World Wide Web. The dark web, by contrast, allows users to access specific sites and services which are typically not meant to be accessed by a general audience.

For more information, please contact:

Sunny Handa            514-982-4008
John Lenz                   514-982-6308

or any member of our Cybersecurity group.