Dark Web Searching

The dark web is a subset of the internet that is accessed via special means, such as a TOR browser, and not immediately available from the clear net. The term dark web and darknet are often used interchangeably.

We will refer to the darknet as the network infrastructure, such as the TOR network or I2P network, and dark web as the content aspect that is accessed and viewed by users.

There are a lot of great resources that explain what the dark web is, where it originated from and the nefarious activity that occurs there on a daily basis. This article is focused on identifying safe access options and then the multiple search options available using freely available dark web search engines that crawl the dark web.

Investigators looking to conduct traditional search techniques on the dark web need to operate in a safe manner and be aware of the variation in results that are presented by different search engines & also actors who are active in different types of darknets.

⚠️ Caution: The dark web can contain explicit, disturbing, or illegal content. Use a secure, anonymised browsing setup and follow legal and ethical guidelines when investigating.

Different Dark Nets

Most dark web articles refer to The Onion Router (TOR) as it is the most popular and researched. However, it is important to note that there are many darknets and below is an example of four common ones:

Tor

• Anonymous internet proxy network

• Data is routed through relays

• Supports both internal (.onion) and external browsing

• Access Tor here: https://www.torproject.org

I2P

• Anonymous peer-to-peer network

• Uses garlic routing, an extension of onion routing

• Unidirectional "tunnels" for added security

• Can be very slow due to decentralisation

• Access I2P here https://geti2p.net/en/

Hyphanet (formerly Freenet)

• Anonymous data publishing network

• Users share portions of their bandwidth and drive

• Supports private darknets through strict peer-to-peer friend networks

• Access Hyphanet here: https://www.hyphanet.org/pages/download.html

Zeronet

• Uses Bitcoin cryptography and BitTorrent tech for decentralised websites

• Access Zeronet here: https://zeronet.io/

Diving Deeper on Tor

Focusing on TOR, the browser bundle to connect can be downloaded here: https://www.torproject.org/download/

Simply accessing Tor from your standard machine is not advised due to possible security implications. For a lot of users, they will favor ease-of-use over security and connect directly from their standard workstation, but this has serious security considerations. The Tor browser is built on Firefox as a base, and therefore it is subject to the same vulnerabilities that Firefox has. Whilst the Firefox team might patch vulnerabilities regularly, there can be a delay for the update to reach the Tor bundle and therefore exposure users to risks. Given the nature of the content & site hosts on the dark web, this should be a critical consideration so as to not compromise your machine from both an attribution and malware perspective.

It is recommended to apply safe connection methods so as to protect your attribution and host machine from compromise.

Safe Browsing Options

There are many opinions and options for how to access darknets. Below is a simple chart for three options that you can use when connecting to a darknet to provide a safer level of protection. Each has varying barriers to entry and users will have different requirements, budgets, or considerations as part of their connection approach.

Options for safe dark web browsing include using a:

1. standard computer with a VPN connecting to a cloud virtual machine

2. standard computer with local virtual machine connecting to a VPN

3. dedicated research laptop (using Tails or similar) connecting to a VPN.

Option 1:

• Configure a cloud virtual machine or desktop using providers such as:

  • Amazon Workspaces - https://aws.amazon.com/workspaces/

  • Google Cloud - https://cloud.google.com/compute

  • Microsoft Azure VDI - https://azure.microsoft.com/en-au/free/virtual-machines

  • Paperspace - https://www.paperspace.com/

Note: There are other providers, but these are relatively cost-effective when used for small periods of time.

• Install Tor/darknet access on the cloud machine and use that for your research

• Connect to the darknet from within the cloud virtual machine

Note: Setting up a VPN on a cloud machine can add an extra layer of security. However, some cloud providers make this difficult, and the technical setup can create additional challenges.

Option 2:

• Install and configure a local virtual machine using a platform such as VirtualBox and downloading pre-configured VM's, such as the Trace Labs Virtual Machine. Alternatively, install an operating system from scratch.

• Install Tor/darknet access on the virtual machine

• Configure a VPN on your standard workstation

• Connect to the darknet from within the virtual machine

Option 3:

• Provision a standalone research laptop/computer (consider using bootable operating systems such as Tails for lower attribution)

• Configure a VPN on your research laptop

• Install Tor/darknet access natively on the research laptop

• Connect to the darknet natively from your research laptop

Disclaimer: anything you view on the darknet that is rendered locally can still be stored in local caches on any of the options above. You must consider the legal aspects of what you are viewing in the context of your respective governing laws. OSINT Combine takes no responsibility for the content viewed or access methods detailed above.

Dark Web Searching

The dark web is indexed by various non-standard providers, as traditional search engines like Google and Bing do not crawl .onion sites on the Tor network. However, proxied Tor sites—those that use TOR2WEB services to make dark web content accessible through standard browsers—are regularly indexed on Google. Despite this, accessing these sites via a proxy is not recommended due to attribution risks.

Search engines frequently update their .onion addresses, and some may go offline from time to time. If any of the links below become unavailable or you're searching for the latest search engine URLs, sites like https://onion.live/ or https://tor.link are excellent resources. Simply search for the search engine name to find its current address, if required.

Alternatively, several sites offer curated lists of dark web resources, including up-to-date search engine URLs.

Tor Taxi is one site offering verified links and real-time uptime monitoring to help users navigate safely. It also maintains a journal of darknet events for tracking key developments. It can be found here:

http://tortaxi2dev6xjwbaydqzla77rrnth7yn2oqzjfmiuwn5h6vsk2a4syd.onion/

Dark Fail is another platform that provides verified links to Tor hidden services, helping users avoid phishing sites. It also monitors site uptime and verifies URLs using PGP signatures for security. It can be found here: http://darkfailenbsdla5mal2mxn2uz66od5vtzd5qozslagrfzachha3f3id.onion/

Dark Web Search Engines

Ahmia

• Ahmia aims, (according to their website) to be the leading search engine for services on the Tor anonymity network, providing insights, statistics, and news about the Tor project. As an open-source initiative, its code is available on GitHub. Ahmia also claims that no child exploitation material will appear in its search results, but it’s still important to be cautious about what you click on, as the dark web can contain harmful or illegal content.

• http://juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion

• You can also reach this search engine via the surface web bu going to  https://ahmia.fi/

HayStack

• Haystak was reportedly developed by a group of privacy advocates who believe the internet should be free from state surveillance. It uses a custom-built crawler designed specifically for the darknet, allowing it to (apparently) find and index all reachable pages. That said, it's important to remember that none of these search engines are Google—some content will inevitably be missed.

• http://haystak5njsmn2hqkewecpaxetahtwhsbsa64jom2k22z5afxhnpxfid.onion

Tor66

• Tor66 aims to provide a quality search engine for .onion (Tor-hidden) websites. However, its search results are based solely on the content of each site's homepage (index page), which can limit the depth of its indexing.

• http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion

Torch

• One of the oldest dark web search engines, Torch claims to index millions of .onion pages. Like all darknet search tools, results can be inconsistent, and some content may be outdated.

• http://xmh57jrknzkhv6y3ls3ubitzfqnkrwxhopf5aygthi7d6rplyvk3noyd.onion

OnionLand

• OnionLand is a search engine designed to help users discover hidden services on the Tor network and eepsites on the I2P network.

• http://3bbad7fauom4d6sgppalyqddsqbf5u5p56b5k5uk2zxsy3d6ey2jobad.onion

Not all search engines are created equal. They differ in search results, depending on which sites their crawlers index, as well as in advanced search capabilities, such as Boolean operators or multilingual support. Some are built for general discovery, while others focus on specific types of content. For investigators, using multiple search engines and comparing results is key to a thorough investigation. Targeting searches to engines that specialise in certain areas can also improve efficiency and accuracy.

Onion Watching

Some investigators may need to identify and monitor new .onion sites as they emerge. This can help track patterns, uncover new vectors, or build pipelines of fresh .onion URLs for custom crawling engines.

Here are three useful resources for discovering and monitoring dark web sites:

DarkWebSitesLinks

• Provides detailed information on various dark web tools, including search engines and marketplaces.

• http://darkwev6xtagl7742tqu24v2j4namr5ocfsfpha74a5nh4bwyp27a3ad.onion

  
  

Tor Links

• Indexes .onion sites with metadata, including language, title, URL, and descriptions.

• http://torlinksge6enmcyyuxjpjkoouw4oorgdgeo7ftnq3zodj7g2zxi3kyd.onion

  
  

Tor66 Fresh Onions

• A feature of the Tor66 search engine that provides a rolling list of newly identified .onion sites, including timestamps, descriptions, and detected languages.

• ⚠️http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion/fresh⚠️

• Caution: This site in particular may contain explicit content, including graphic images and links to illicit material. Exercise caution and ensure appropriate security measures are in place before accessing.

Information Slippage

Investigating individuals on the dark web often relies on linking their activities to the surface web through information slippage—when identifiable markers like usernames, PGP keys, or cryptocurrency addresses are used across both environments.

In most cases, attribution is possible due to poor operational security (OPSEC) habits. Users may unintentionally reuse the same credentials, leave digital traces, or interact with services that expose metadata, making it easier to connect their dark web activities to real-world identities.

A key aspect of attribution is social network analysis once identifiable markers are found on the surface web. Social groups tend to cluster around shared interests or direct connections, making it possible to map networks and identify relationships. Analysing language patterns, image metadata, and posting habits can provide further clues, but there’s no silver bullet—false positives are common, so a thorough and methodical approach is essential.

For de-anonymizing and identifying site hosts, more technical investigations may be required, such as examining SSL certificates. For an introduction to this process, Hunchly provides a useful guide.

One key takeaway from this discussion is the importance of using multiple search methods to maximise the chances of finding relevant leads. The dark web is vast, and no single search engine indexes everything, so diversifying your approach is essential. Equally important is establishing an efficient workflow to avoid being overwhelmed by the sheer volume of information.

For those interested in more in-depth dark web training, check out our online, self-paced OSINT Combine Academy at https://academy.osintcombine.com, or contact us about our platform NexusXplore - while paid tools aren’t essential, they can greatly improve efficiency, safety, and scalability in investigations, while lowering the barrier to entry for time or resource-poor individuals or teams.

For those needing advanced, scaled Dark Web capabilities, NexusXplore has comprehensive search features—including both live access, and historical post retrieval with advanced filtering and translation options. Its text-only mode offers safe, sanitised content inspection, while integrated Tor browsing ensures secure, anonymised access to underground forums. It's coverage also extends beyond Tor to more obscure dark nets like I2P and Hyphanet. This simplifies the ability to pivot between deep, dark, and surface web sources.