Malevolent Threat Actor Monitoring Overview
Key Benefits of Malevolent Threat Actor Monitoring
- Valuable Threat Intelligence:
  - Dark Web Insights: Monitoring the dark web for tools, information exchanges, and data sales provides rich threat intelligence.
  - Predictive Analysis: Using threat information to predict, identify, and protect against cyber threats.
  - Types of Information: Detecting vulnerabilities, data access points, and exposed credentials to assess attack impacts and probabilities.
Deliverables from Our Malevolent Threat Actor Monitoring Service
- Threat Intelligence Reports: Detailed reports on known threat actors, their TTPs, and motivations, helping to identify potential threats and vulnerabilities.
- Threat Detection Alerts: Alerts generated by security monitoring tools signaling potential security incidents or breaches.
- Incident Response Plans: Plans detailing steps for detecting, containing, and mitigating the impact of security incidents or breaches.
- Security Recommendations: Suggestions for improving security posture, such as patching vulnerabilities, implementing access controls, and training employees.
- Threat Mitigation Plans: Plans outlining steps to mitigate future security incidents, including implementing security controls and processes.
- Risk Assessment Reports: Assessments of risks and vulnerabilities associated with systems and infrastructure, providing recommendations for enhancing security controls and processes.
Conclusion
Malevolent Threat Actor Monitoring is a critical component of a comprehensive security program, enabling organizations to stay ahead of potential threats and protect their assets from malicious actors. Our service is tailored to your organization’s specific needs—get in touch to discuss further.
Who is on the Dark Web and Why?
Dark web actors vary in sophistication from complete novices to nation-state-sponsored hackers. Some of the main categories of hackers on the dark web include:
- Script Kiddies;
- Proficient Hackers;
- Crime Syndicates;
- APTs.
The various levels of hackers also seek out different types of malware on the dark web. For example, script kiddies are more likely to have or be looking for a password cracker, while APTs are generally the only ones with access to many zero-day exploits. In most cases, high-reward malware, such as ransomware, is in the hands of organised crime or APTs.
What Are the Surface Web, Deep Web and Dark Web?
Surface Web: The surface web is the part of the Internet that is indexed by search engines like Google. This content is designed to be easily discoverable and accessible to the general public.
Dark Web: The dark web is a section of the internet that can only be accessed using the Tor browser, which is intentional. The purpose of Tor is to make it difficult or impossible to link an internet user with the dark web content that they are viewing. This focus on privacy means that the dark web is a popular forum for criminal content.
Deep Web: The deep web includes content that is accessible via normal web browsers (Firefox, Chrome, Safari, etc.) but is not designed for unlimited public distribution. This includes any content that is protected by an authentication portal, such as university libraries and corporate networks. The deep web also includes personal content accessible via the internet, such as personal email, messages on platforms such as WhatsApp or Signal, and social media private messages. Cybercriminals commonly use deep web messaging platforms for collaboration, making them an important potential source of threat intelligence data.