Our experts give their predictions on what dark web and cybersecurity trends they expect to be prominent in the year ahead.
New Year Evolutions
The dark web is never static. New sites, forums, markets, threat actors, and gangs are continuously emerging. It is the frontier of criminal activity – where new malicious techniques are conceived, new technology is developed, and new alliances are struck.
However, insight into this dark web activity – the reconnaissance and resource development of cybercriminals – can provide us with early indicators of emerging threats that we should prepare for in the months to come.
These are three trends our experts are keeping an eye on as we enter a new year:
Diversification of Dark Web Networks
Dr. Gareth Owenson, Co-Founder and CTO of Searchlight Cyber:
This year we can expect to see more diversification in the dark webs that cybercriminals use to conduct their malicious activity.
To date, Tor has been by far the most popular dark web network because it is the easiest to use. However, like many dark web networks, it’s plagued by low latency and we’ve recently observed some movement over to the Invisible Internet Project (I2P), an alternative dark web network to Tor. In particular, users of the popular dark web forum Dread have been migrating to its I2P mirror because its dark web site has been taken offline by a denial-of-service (DoS) attack.
Tor is well funded and the best-known dark web network, so it isn’t likely to be usurped in 2023. However, its high profile makes it a target, and we could well see cybercriminals simultaneously use multiple dark web networks like I2P to maintain their operations, as the administrators of Dread have done.
Read our blog What is the Invisible Internet Project to find out more about I2P.
Cybercriminals Migrate to Safe Harbors
Laurence Pitt, Director of Product at Searchlight Cyber:
Russian-affiliated gangs already include some of the biggest and most active names, and in 2023 we might see more groups move to Russia, attracted by the protection perceived to be on offer. Researchers have already seen signs of threat actors outside of Russia migrating their infrastructure to the region, such as the phishing-as-a-service (PhaaS) platform Robin Banks.
It’s an attractive location for cybercriminal gangs of all types because local law enforcement tend to turn a blind eye to any activities and will not cooperate with international investigations, as long as they do not target Russian businesses or the government.
This freedom will be attractive to ransomware groups in particular, who see their Russian counterparts more ably promote their activities, while they are being put under increasing pressure by coordinated law enforcement efforts in Europe and the US.
If this migration does take place, it’s likely that we’ll see an even more competitive and aggressive ransomware market develop in Russia, while it becomes more difficult for law enforcement to disrupt cybercriminal operations.
International Collaboration Against Ransomware
Jim Simpson, Director of Threat Intelligence at Searchlight Cyber:
It is likely that in the next twelve months we will see the beginnings of tougher legislation to force organizations to better prepare for ransomware threats. We will also see law enforcement agencies clamp down on ransomware operators and infrastructure that falls within their jurisdictions.
The key element to both of these strategies is international collaboration. One government’s legislation or unilateral law enforcement efforts aren’t going to be enough to stop ransomware groups. Ransomware is a global problem, so it needs a globally coordinated solution.
As discussed by Laurence, the problem is that rogue states like Russia, for example, let groups act with impunity as long as they don’t cross certain lines. The West may try to use diplomatic means to encourage rogue states to cooperate but, equally, ransomware is a way for certain governments to get funding that offsets the negative impact of sanctions, creating an incentive for them not to fall into line.
Unfortunately, this means that 2023 is unlikely to be the last time ransomware features in the round of annual predictions. However, we can hope the continued efforts to limit the “safe havens” for ransomware groups (both online and offline) may offset some of the net gain for ransomware groups in conducting their operations. This may lead to more splintering of groups and a larger number of smaller actors in the space, which makes it more important than ever before for organizations to track groups.