The Ultimate Glossary of Dark Web Terminology (2026 Edition)

David Plaha

The dark web is not just a place — it is a culture, an economy, and a language. For cybersecurity researchers, journalists, executives, and security professionals, understanding this lexicon is essential for understanding the threats in the 2026 cybersecurity landscape.

When conducting threat intelligence monitoring, we frequently encounter terms that sound like nonsense to the uninitiated but signal specific, immediate threats to a trained analyst. This comprehensive A-Z glossary decodes the underground.


A

Access Broker (Initial Access Broker / IAB)

A criminal who specializes in gaining initial entry to corporate networks but does not directly exploit the access themselves. Instead, they sell the credentials or backdoor to other criminal groups — often ransomware operators — for a fee ranging from a few hundred to tens of thousands of dollars, depending on the organization's size and the privilege level of the access.

Advanced Persistent Threat (APT)

A state-sponsored or highly organized, well-funded hacking group that maintains long-term, stealthy access to a target network to conduct espionage or steal intellectual property. APT groups are typically identified by numbers (APT28, APT41) or names (Lazarus Group, Cozy Bear) assigned by threat intelligence firms. Unlike opportunistic criminals, APTs are patient, methodical, and return to the same target repeatedly.

Affiliate (RaaS Context)

In ransomware-as-a-service operations, an affiliate is a partner who deploys the ransomware and conducts the actual intrusion while paying a percentage of the ransom (typically 20–30%) to the RaaS operator who provides the malware and infrastructure. The affiliate model has allowed ransomware to scale massively, enabling thousands of lower-skill attackers to deploy sophisticated ransomware they could not build themselves.

B

Bitcoin Mixer (Tumbler / Coinjoin)

A service used to launder cryptocurrency by mixing "dirty" coins (proceeds of crime) with "clean" coins from other users, making the transaction trail extremely difficult to trace on the blockchain. Tumblers charge a mixing fee of 1–3% and are heavily targeted by blockchain forensics firms and law enforcement. Some jurisdictions have begun charging tumbler operators with money laundering.

Botnet

A network of compromised computers ("bots" or "zombies") controlled remotely by a single attacker through a command-and-control (C2) server. Botnets are rented or sold on dark web markets for use in DDoS attacks, spam campaigns, cryptocurrency mining, and credential stuffing. Mirai (which targeted IoT devices) and Emotet (which spread via phishing) are among the most historically significant botnets.

Bulletproof Hosting

Web hosting services, typically located in countries with weak cybercrime enforcement, that ignore or actively resist takedown requests from law enforcement. Bulletproof hosts provide the infrastructure for phishing sites, malware command-and-control servers, and dark web forums. They are a critical component of the cybercrime supply chain.

C

Carding

The trafficking and unauthorized use of stolen payment card data. This includes purchasing stolen card data in bulk from breach databases, testing cards to validate they are active, and using them for fraudulent purchases or cashouts. Dark web carding forums publish "freshness" ratings for stolen cards and typically guarantee replacement if a card is declined.

Clearnet

The regular, publicly indexed internet — Google, Facebook, news sites, e-commerce. It contrasts with the deep web (unindexed but publicly accessible) and the dark web (intentionally hidden and requiring special software). Called "clearnet" because connections are visible and traceable.

Credential Stuffing

An automated attack that takes large databases of stolen username/password pairs (from previous data breaches) and systematically tests them against target websites and services. It is effective because people reuse passwords across multiple services. Attack tools submit millions of credential pairs per hour, flagging those that successfully authenticate.
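The pattern described above is visible in authentication logs: one source trying many distinct accounts in a short window, mostly failing, occasionally succeeding. The detector below is an added example (not from the original glossary) that runs over a constructed sample log; the log format, thresholds and window size are assumptions you would tune to your own identity provider.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <result> <username> <source_ip>".
# 203.0.113.7 cycles through many accounts in seconds (mostly failures, one hit);
# 198.51.100.4 is one user mistyping a password and then succeeding.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z FAIL alice 203.0.113.7
2026-01-15T10:00:02Z FAIL bob 203.0.113.7
2026-01-15T10:00:02Z OK carol 203.0.113.7
2026-01-15T10:00:03Z FAIL dave 203.0.113.7
2026-01-15T10:00:04Z FAIL erin 203.0.113.7
2026-01-15T10:00:05Z FAIL frank 203.0.113.7
2026-01-15T10:00:05Z FAIL grace 203.0.113.7
2026-01-15T10:00:06Z FAIL heidi 203.0.113.7
2026-01-15T10:01:10Z FAIL dave 198.51.100.4
2026-01-15T10:01:25Z FAIL dave 198.51.100.4
2026-01-15T10:01:40Z OK dave 198.51.100.4
"""


def parse_line(line: str):
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def detect_credential_stuffing(log_text: str, window: timedelta = timedelta(seconds=60),
                               min_users: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Flag a source IP when, inside one sliding window, it tries at least
    `min_users` distinct accounts and most attempts fail. Returns, per flagged IP,
    the largest matching window plus the accounts that authenticated successfully
    (the ones to force-reset and review for session hijack)."""
    by_ip = defaultdict(list)
    for ev in sorted(parse_line(l) for l in log_text.strip().splitlines()):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if e[1] == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if ip not in alerts or len(win) > alerts[ip]["attempts"]:
                    alerts[ip] = {"attempts": len(win), "distinct_users": len(users),
                                  "compromised": sorted(e[2] for e in win if e[1] == "OK")}
    return alerts
```

The single-user retry from 198.51.100.4 is not flagged because the rule keys on distinct accounts per source, not on failure count alone.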

C2 (Command and Control)

The infrastructure used by attackers to remotely control malware on compromised systems. C2 communications can occur over HTTP/HTTPS, DNS, social media APIs, or encrypted messaging channels — any protocol that blends with legitimate traffic. Detecting C2 communications is a primary goal of network security monitoring.

D

Darknet vs. Deep Web

Two terms that are frequently confused:

  • Deep Web: Any content not indexed by search engines — your Gmail inbox, online banking, internal corporate intranets, academic databases. This represents approximately 90% of the internet by volume. It is not inherently illicit.
  • Darknet: A small subset of the deep web that requires specialized software (primarily the Tor Browser) to access and is intentionally designed for anonymity. This is where dark web markets and criminal forums operate.

Data Broker

A company that aggregates and sells personal information (names, addresses, phone numbers, financial data, behavioral profiles) collected from public records, social media, and purchased data sets. Data brokers are legal but frequently exploited by criminals as a reconnaissance tool — they can reveal home addresses, relatives, and financial patterns. They are also the primary target of legal data removal requests.

DDoS (Distributed Denial of Service)

Flooding a target website or service with traffic from thousands of compromised systems simultaneously to knock it offline. DDoS-for-hire services ("stressers" or "booters") are available on dark web markets for as little as $10–$50 per attack. Often used as a distraction during a more targeted breach or as extortion ("pay us or we take your site offline").

Doxxing

The practice of researching and publicly publishing a person's private information — home address, phone number, workplace, family members — with the intent to harass, intimidate, or enable physical harm. Doxxing is used as a harassment and silencing tool against journalists, activists, gaming community members, and others.

E

Escrow (Dark Web Context)

A trust mechanism used on dark web markets to protect buyers and sellers in transactions. A trusted third party (the market operator or a dedicated escrow service) holds the cryptocurrency payment until the buyer confirms receipt of the goods. Criminals frequently run "escrow" scams — operating fake escrow services or performing "exit scams" where a market suddenly disappears with all funds held in escrow.

Exit Node (Tor)

The final computer in the Tor network's routing chain that connects to the open internet on behalf of the user. Exit nodes can see unencrypted traffic passing through them (though they cannot see where it originated). This is why HTTPS is critical when using Tor — the exit node operator can read HTTP traffic but cannot decrypt HTTPS.

Exploit Kit

A pre-packaged software toolkit sold on dark web markets that contains ready-made exploits for known vulnerabilities in common software (browsers, PDF readers, Office). It allows low-skill attackers to launch sophisticated drive-by download attacks against web visitors without needing to write exploit code themselves.

F

FraudGPT

An uncensored AI tool purpose-built for cybercrime, sold via dark web markets and Telegram since mid-2023. Unlike general AI tools, FraudGPT has no safety filters and was trained specifically on cybercriminal use cases: generating phishing emails, writing malware, creating credential harvesting pages. Available by subscription, it has dramatically lowered the technical barrier to sophisticated phishing attacks.

FUD (Fully Undetectable)

A claim made by malware sellers that their malware cannot be detected by current antivirus or EDR software. Because signature-based antivirus detection only recognizes known malware, newly written or heavily obfuscated samples may temporarily evade it. FUD status is a premium feature with correspondingly higher prices in malware markets.

G

Ghost Account

A social media or online account created using false information for the purpose of conducting social engineering, surveillance, or disinformation campaigns. Ghost accounts are used in romance scams (building false relationships to extract money), corporate espionage (befriending employees to gather intelligence), and influence operations.

H

Hash (Password Hash)

A one-way mathematical transformation of a password that allows authentication systems to verify passwords without storing them in plain text. When a breach database is published, it often contains hashed passwords rather than plain text. "Cracking" a hash involves computing hashes of guessed passwords until a match is found. Weak hashing algorithms (MD5, SHA-1) and common passwords can be cracked in seconds using GPU-based hash cracking tools.
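The difference between a weak and a sound storage scheme is easy to see side by side. The code below is an added example (not from the original glossary) using only Python's standard library: it stores the same constructed passwords with unsalted MD5 and with salted PBKDF2-HMAC-SHA256, then shows why a leaked MD5 table falls to a single precomputed lookup while the salted, slow scheme does not. The user names, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to share the same weak password.
USERS = {"alice": "Summer2024!", "bob": "Summer2024!"}
# Constructed stand-in for the large wordlists used against leaked hash dumps.
COMMON_PASSWORDS = ["123456", "password", "Summer2024!", "letmein"]


def md5_store(password: str) -> str:
    """Legacy scheme: unsalted, fast MD5. Shown only to illustrate the weakness."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, rounds: int = 600_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256, stored as 'rounds$salt$hash'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def common_password_exposure(stored_hashes: dict) -> dict:
    """Audit a leaked unsalted-MD5 table: one precomputed map of common-password
    hashes exposes every user whose hash appears in it, in a single pass."""
    table = {md5_store(p): p for p in COMMON_PASSWORDS}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def compare_schemes() -> dict:
    md5_db = {u: md5_store(p) for u, p in USERS.items()}
    pbkdf2_db = {u: pbkdf2_store(p) for u, p in USERS.items()}
    return {
        # Same password, same MD5 hash: a single lookup exposes both users.
        "md5_identical": md5_db["alice"] == md5_db["bob"],
        "md5_exposed": common_password_exposure(md5_db),
        # Per-user salt: same password, different hashes, so no shared table applies,
        # and each guess costs 600k iterations instead of one fast hash.
        "pbkdf2_identical": pbkdf2_db["alice"] == pbkdf2_db["bob"],
        "pbkdf2_verifies": pbkdf2_verify("Summer2024!", pbkdf2_db["alice"]),
        "pbkdf2_rejects": pbkdf2_verify("wrong-guess", pbkdf2_db["alice"]),
    }


if __name__ == "__main__":
    print(compare_schemes())
```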

Honeypot

A security technique in which decoy systems, data, or accounts are deliberately set up to attract and detect unauthorized access. When an attacker or malware interacts with a honeypot, it generates alerts for defenders and may also trap and study the attacker's tools and techniques. Law enforcement also runs honeypot dark web services to identify and arrest users attempting to commission crimes.

I

Infostealer

A category of malware designed to harvest credentials, cookies, financial data, and system information from infected machines and transmit it back to the attacker. Modern infostealers (RedLine, Raccoon, Vidar) collect browser-saved passwords, cryptocurrency wallet files, and session cookies that allow account takeover without knowing the password. Infostealer logs are sold on dark web markets within hours of a machine being infected.

K

Keylogger

Malware that records every keystroke made on an infected computer, capturing passwords, credit card numbers, and sensitive communications as the user types them. Keyloggers transmit their captures to attacker-controlled servers and are often bundled with other malware as part of a comprehensive surveillance toolkit.

L

Lateral Movement

After gaining initial access to a network, attackers move laterally — extending their access from the initial entry point to other systems, particularly high-value targets like domain controllers, database servers, and backup infrastructure. Lateral movement techniques include Pass-the-Hash, Kerberoasting, and exploitation of misconfigured service accounts.

Leak Site

A dark web website operated by ransomware groups to publish stolen data from victims who refuse to pay the ransom. Publishing data on a leak site escalates double extortion pressure by creating regulatory notification obligations, potential GDPR fines, and reputational damage. The threat of publication is often more effective than the encryption itself.

M

Malware-as-a-Service (MaaS)

A business model in which malware developers rent or license their tools to other criminals for a subscription fee or revenue share. This includes ransomware-as-a-service, infostealer subscriptions, DDoS-for-hire, and exploit kits. MaaS has professionalized cybercrime, allowing low-skill criminals to access sophisticated capabilities developed by highly skilled programmers.

Money Mule

A person who transfers stolen money on behalf of criminals, often unknowingly (believing they are working a legitimate "remote payment processing" job). Money mules receive funds into their accounts, keep a commission, and forward the remainder via wire transfer or cryptocurrency. They are criminally liable for money laundering regardless of whether they knew the money was stolen.

N

Nation-State Actor

A hacking group operating on behalf of a government, with state resources, funding, and protection from prosecution. Nation-state actors conduct cyber espionage, sabotage, and disinformation operations. They are distinguished from criminal hackers by their objectives (strategic intelligence and disruption rather than financial gain) and their technical sophistication.

O

Onion Routing

The encryption and anonymization technology underlying the Tor network. Traffic is wrapped in multiple layers of encryption (like the layers of an onion) and routed through at least three randomly selected servers around the world, with each server decrypting only its layer and forwarding to the next. No single server knows both the origin and destination of the traffic.
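To make the layering concrete, here is an added example (not from the original glossary, and not Tor's own protocol) that builds a three-hop onion and peels it one relay at a time. The relay names, keys and the XOR "cipher" are constructed toys standing in for the per-hop keys and real ciphers Tor negotiates; what it demonstrates is that each relay can open only its own layer and learns only the next hop.

```python
import hashlib
import json

# Constructed toy circuit: three relays, each sharing a symmetric key with the client.
# Real Tor negotiates per-hop keys and uses real ciphers; this shows only the layering.
RELAY_KEYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
CIRCUIT = ["guard", "middle", "exit"]


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR with a SHA-256-derived keystream (toy cipher, not for real use)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(message: bytes, destination: str) -> bytes:
    """Client side: wrap the innermost (exit) layer first, the outermost (guard) last.
    Each layer names only the next hop; everything below it stays encrypted."""
    hops = CIRCUIT + [destination]
    layer = message
    for i in range(len(CIRCUIT) - 1, -1, -1):
        envelope = json.dumps({"next": hops[i + 1], "payload": layer.hex()}).encode()
        layer = toy_xor(RELAY_KEYS[CIRCUIT[i]], envelope)
    return layer


def peel_layer(relay: str, onion: bytes):
    """Relay side: strip exactly one layer with this relay's key.
    Returns (next_hop, remaining_bytes); the remainder is still opaque to this relay."""
    inner = json.loads(toy_xor(RELAY_KEYS[relay], onion))
    return inner["next"], bytes.fromhex(inner["payload"])


def can_peel(relay: str, onion: bytes) -> bool:
    """True only if the outer layer was encrypted for this relay's key."""
    try:
        inner = json.loads(toy_xor(RELAY_KEYS[relay], onion))
        return isinstance(inner, dict) and "next" in inner
    except ValueError:
        return False


def route(message: bytes, destination: str) -> dict:
    """Walk the onion through the circuit and record what each relay learned:
    only its next hop. No relay sees both the client and the destination."""
    onion = build_onion(message, destination)
    learned = {}
    for relay in CIRCUIT:
        next_hop, onion = peel_layer(relay, onion)
        learned[relay] = next_hop
    return {"relay_learned": learned, "delivered": onion}
```

Note that the exit relay does end up holding the plaintext it delivers, which is exactly why the Exit Node entry below stresses HTTPS over Tor.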

OSINT (Open-Source Intelligence)

The practice of gathering, analyzing, and acting on information from publicly available sources — social media, public records, news sources, academic publications, satellite imagery. OSINT is used legitimately by cybersecurity professionals, journalists, and intelligence analysts. It is also used by attackers for target reconnaissance and by stalkers and abusers for surveillance.

P

Phishing

Sending fraudulent communications — typically email — designed to trick recipients into revealing credentials, clicking malicious links, or downloading malware. In 2026, AI-powered phishing has made attacks indistinguishable from legitimate communication at scale. Subtypes include spear phishing (targeted), vishing (voice), smishing (SMS), and whaling (targeting executives).

Pig Butchering (Sha Zhu Pan)

A sophisticated long-con investment fraud originating from Southeast Asian cybercrime operations. Attackers cultivate victims over weeks or months via social media or messaging apps, building a romantic or friendship relationship before steering them toward fraudulent cryptocurrency investment platforms. Victims are encouraged to "fatten up" (invest more and more) before the platform disappears with all funds. Named after the practice of fattening a pig before slaughter.

R

Ransomware

Malware that encrypts a victim's files and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware operations use double extortion (data theft + encryption), ransomware-as-a-service models, and sophisticated negotiation portals. The Ransomware Ransom Note Database documents the evolution of extortion techniques from 2020 to present.

RAT (Remote Access Trojan)

Malware that gives an attacker full covert control over an infected computer — webcam, microphone, file system, network connections. RATs are used for espionage, credential theft, and as a persistent access mechanism. They typically disguise themselves as legitimate software and communicate with C2 servers over encrypted channels.

S

Social Engineering

The use of psychological manipulation rather than technical exploits to gain access to systems, information, or physical locations. Social engineering attacks include phishing, pretexting (creating a fabricated scenario to extract information), baiting (leaving malware-loaded USB drives), and vishing. Human deception remains the most reliable initial access vector in most breaches.

SQL Injection (SQLi)

A web application attack in which malicious SQL code is inserted into an input field (login forms, search boxes) to manipulate the underlying database. A successful SQL injection attack can reveal entire database contents, modify or delete data, or provide administrative access to the application. SQL injection appears in OWASP's Top 10 list of the most critical web application vulnerabilities.

SIM Swapping

An attack in which the attacker convinces a mobile carrier to transfer a victim's phone number to a SIM card the attacker controls. Once the number is ported, the attacker can receive SMS-based two-factor authentication codes, enabling takeover of bank accounts, email, cryptocurrency wallets, and social media. Primary targets: cryptocurrency holders and executives.

T

Tor (The Onion Router)

The most widely used software for accessing the dark web and anonymizing internet traffic. Tor routes traffic through a network of volunteer-operated servers, encrypting it at each hop. It is used by journalists, activists, and citizens in repressive regimes for legitimate anonymity, as well as by criminals for illegal activities.

Threat Actor

An individual, group, or nation-state that conducts malicious cyber operations. Threat actors are categorized by motivation (financial, espionage, hacktivism, sabotage), capability (script kiddies to nation-states), and targeting patterns.

V

Vulnerability Broker

An individual or company that buys and sells information about previously unknown software vulnerabilities (zero-days). Prices range from thousands to millions of dollars depending on the target software and severity. Some brokers state publicly that they sell only to governments (Zerodium, for example); others sell to any buyer.

W

WormGPT

A dark web AI tool similar to FraudGPT, focused specifically on business email compromise (BEC) attacks. WormGPT generates convincing executive-impersonation emails with urgent financial requests, optimized to bypass employee skepticism. First observed in mid-2023, it represents the industrialization of BEC attacks.

Z

Zero-Day

A vulnerability in software that is unknown to the vendor and therefore has no patch available. Zero-days are the most valuable weapons in a hacker's arsenal — they can be exploited without any defensive response from the target. Nation-states maintain stockpiles of zero-days for offensive cyber operations. Prices for premium zero-days (targeting iOS, Chrome, Windows) reach $2–5 million on broker markets.


Stay Informed, Stay Safe

Understanding this vocabulary is the first step to recognizing when these threats apply to your situation. If you suspect your data is on the dark web, or need a professional threat intelligence assessment for your organization, contact Cyberlord for a confidential evaluation.