Why Fraud Examiners Need to Be Familiar With the Dark Web


“When I first entered [the dark web] about five years back, I couldn’t go to sleep for days. It is disturbing.” This is one of the first things Ritesh Bhatia said during his presentation at the 2019 ACFE Fraud Conference Middle East. Bhatia’s session, “Dark Web Threat Intelligence and Investigations,” focused on what the dark web is and why fraud examiners need to be familiar with it if they want to stay ahead of fraudsters.

Bhatia took his time throughout the first half of the session to make sure attendees understood what the dark web is and how it works. First, he explained that the dark web cannot be accessed through the internet browsers we are most familiar with — Chrome, Safari, Firefox and others like them. A special tool called The Onion Router (TOR) must be downloaded onto a device before it can access the dark web. “In most countries,” Bhatia warned, “the government keeps a watch of who is using TOR. I know for sure in India, when I am starting TOR, my internet service provider is going to raise a flag.”

Next, Bhatia revealed why TOR is different. Unlike popular dot com browsers, it encrypts user information. So if someone in the UAE sends a request through TOR, their search terms and their ID are encrypted. Then the information will jump from one TOR browser to another, obfuscating the origins of the request, until it reaches its final destination, where it will then be decrypted. “I was asked to do a demonstration,” Bhatia said with an amused tone, “but I’m not going to take any chance of connecting to TOR over here. I want to go back to my country.”

Finally, Bhatia introduced attendees to dark net markets. You’ve most likely heard of the many different types of illicit goods available on the dark web. Well, dark net markets, or DNMs, are where these goods are bought and sold. So what types of information are at risk of being stolen and then sold on the dark web? This list is by no means exhaustive, but these are the things fraud examiners should be most concerned about, Bhatia advised:

  • Credit card information

  • User names and passwords

  • Banking information

  • Personally identifiable information

  • Proprietary information

  • Organization’s internal communication

  • Stolen documents

  • Patient data

  • Employee data

The second half of Bhatia’s session focused on how to use the dark web for investigations. Bhatia showed attendees slide after slide of screenshots from the dark web. There were sites selling PayPal accounts, and the listings were thorough. They showed the email address of the account holder, what country it was from, how much was in the account and how much the seller wanted for it. There were sites selling real passports. Can you believe that a real passport is only $10 on the dark web? There were sites selling fake certificates, degrees and licenses. “You want a fake CFE certificate?” Bhatia joked with attendees.

One attendee wanted to know how there is so much information out there. Bhatia’s response was brief and to the point:

  1. We keep on giving our information to the internet.

  2. There are endless breaches.

  3. Criminals keep on selling.

Before performing any sort of investigation work on the dark web, Bhatia emphasized that you need to create a strong, secure, isolated environment. He paid special attention to the isolation aspect. If you’re going on to dark websites and you’re on the same networks as other people in your organization, that creates a vulnerability. There are hackers in the dark web. They want to hack. Their job is to hack. So make sure you’re not using the same network.

When it comes to gathering dark web intelligence, there are a few things to keep in mind. Threats can be found in thousands of dark web conversations and communities, but access to these communities is closely guarded. You can’t just enter a dark website and start reading DNM forum discussions. Not to mention that there’s no guarantee that threats will be in the language(s) you speak. These are global forums, so many references to threats are in local languages. Bhatia suggested partnering up with several others.

The session ended with the advisory statement that no one should enter the dark web without doing research on how to do so safely. “You might not want to go full-fledged into it, but you might want to have a basic understanding of it,” Bhatia said. With all of the available intelligence passing between criminals on the dark web, Bhatia believes it’s not something fraud examiners can continue to ignore.