
Dark Web Monitoring: 3 Months of Watching Your Domain Get Sold

12 weeks. 612 customer domains. 73 hits. 41% were stale references (more than 90 days post-breach), 22% were credential-stuffing combo lists, 19% were PII dumps, and 18% were fresh-access listings. The 18% fresh-access slice is the only one that actually mattered, and it's the one most "dark web monitoring" subscriptions never surface in time.

Between January 1 and March 22, 2026, CelvexGroup's threat-intel pipeline continuously scraped seven primary sources for any listing, post, or chat mention that named a customer domain. We monitored XSS.is, Exploit.in, BreachForums Mirror, and four Telegram channels associated with initial-access brokers. The point of the study was simple: figure out whether dark-web monitoring is a real product or a marketing line, and if it's real, what fraction of hits are actually worth a customer's attention.

This post is the honest answer. It's also a small indictment of the category, because most subscription products in this space are either over-counting noise or under-counting the only thing that matters.

What happened

Across 12 weeks we observed 73 distinct posts or listings that mentioned at least one of the 612 monitored domains. The 73 hits broke down like this:

Hit category                                      Count   Share
Stale references (90+ days post-breach)              30     41%
Credential-stuffing combo lists                      16     22%
PII / customer-data dumps                            14     19%
Fresh access (initial-access broker listings)        13     18%
Total                                                73    100%

The 13 fresh-access listings are the operationally significant ones. Initial-access brokers post a target — usually a working VPN credential, an exposed RDP foothold, a webshell on a specific subdomain, or a pre-auth bug they've already weaponized — and accept bids in the four-to-five-figure-USD range. The window between listing and resale is short. We saw a median of 38 hours from first post to "sold" tag in our sample. After the sale, the buyer moves to staging within roughly seven days. After staging, ransomware deployment averages another three to five days. The whole timeline from public listing to encryption is typically inside two weeks.

So the 18% slice is where the urgency lives. The other 82% is either old news, noise, or worth a heads-up but not worth waking anyone up at 2 a.m.

The contractor-pattern finding nobody expected

The single most useful subset of the fresh-access listings was the one we found by accident. Of the 13 fresh-access posts, exactly one (8%, and the only such case in the entire study) was for a customer's primary domain. The remaining 12 were for email patterns matching the customer's contractors and third-party staff: the @vendor.com and @consultancy.com addresses showing up as authorized users on the customer's VPN concentrators or single-sign-on tenant.

The brokers don't care that jane.doe@bigcustomer.com is a "real employee" and jane.doe@bigcontractor.com is "just a contractor." They sell whichever one currently authenticates into the target's environment. From the attacker's standpoint the contractor account is identical — and frequently easier to keep, because the contractor's password rotation cadence is governed by their own employer, not the customer's IT policy.

None of the seven dark-web monitoring tools we benchmarked against during the study would have flagged the contractor listings, because they only correlate against the customer's own registered domain. The lesson is that you have to monitor the entire authorized-identity graph, not just @yourcompany.com.

Why it kept working

Three structural reasons. First, the brokers know the defender's monitoring window. Most enterprise dark-web tools index forum posts on a 24-to-72-hour cycle and cover a small set of high-profile sites. The brokers post on smaller forums and lower-profile Telegram channels first, hold the listing there for 24 to 72 hours, then mirror it to the bigger forums after the sale has closed. By the time the indexed crawler picks up the headline, the access has already been resold and the buyer has already used it.

Second, the dark-web ecosystem has fragmented since BreachForums was seized and rebuilt in 2024. Listings now spread across at least 40 distinct venues, and the most active brokers operate on invite-only Telegram channels that we could only follow by rotating sock-puppet accounts every few weeks. A single-source feed misses the fragmentation entirely. We've seen vendor reports claim "monitoring of the dark web" while indexing only one or two of the public forums, which puts their coverage of the actual broker pipeline in the single-digit percent range.

Third, name collisions and legacy data make the noise floor enormous. Of the 30 stale references in our study, 19 were from breaches that had been public knowledge for over a year. Many vendors will fire an alert every time a stale dump gets re-uploaded under a new file name, because their relevance scoring is just keyword-match. The customer ends up with a dashboard full of red lights that all mean "something we already knew about, two years ago" — and learns to ignore the dashboard.

What to check today

This is a short list because most of it is unglamorous fundamentals.

  1. Build your authorized-identity graph. List every email domain that authenticates into your environment. That includes vendors, contractors, MSPs, auditors, and the consulting firms whose laptops show up in your VPN logs. Contracted-staff domains are the slice that dark-web monitoring tools almost always miss.
  2. Differentiate your alerts by recency. Anything older than 90 days is a posture check, not an incident. Anything inside 7 days that mentions your environment is worth paging on. The category in between is a triage queue, not a fire alarm.
  3. Diversify your sources. A single-source TI feed is worth roughly what you paid for it. You want at least three forum sources plus active coverage of the major Telegram channels associated with initial-access brokers. The list rotates — what was the top channel six months ago is dead today.
  4. Test your tool with a control hit. Stand up a throwaway domain you control, deliberately leak a credential to a known scraping target, and time how long until your dark-web monitor alerts. If the answer is "more than 48 hours" or "never," you don't have monitoring; you have a bill.
  5. Treat fresh-access listings as incident response, not threat intel. The right response to a verified fresh-access listing is the same as confirmed compromise: rotate the affected credentials, kill the affected sessions, force re-MFA, audit lateral movement. Not "we'll discuss it on Thursday's call."
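One way to run the control hit from step 4 and score the result, written here as an added example (this is not CELVEX Group code, nor any vendor's). It assumes a canary domain you own (canary-throwaway.example), a test key, three seeding targets (forum-a, forum-b, tg-channel-1) and constructed alert timestamps; all of those are placeholders. It goes slightly beyond the step itself: each canary address carries an HMAC over the source it was seeded to, so a later hit can be attributed to the venue that leaked it and a look-alike address at the canary domain that you never seeded is rejected instead of counted as detection.

```python
"""Control hit for a dark-web monitor: seed a canary credential per source,
attribute any alert back to the source it was seeded to, and time the alert.
Added example for this article, not CELVEX Group code. The canary domain, key,
source names and timestamps are all constructed here."""
from __future__ import annotations

import hashlib
import hmac
from datetime import datetime, timedelta, timezone

CANARY_DOMAIN = "canary-throwaway.example"   # assumption: a domain you own and never use otherwise
ALERT_SLA = timedelta(hours=48)              # the article's cutoff between "monitoring" and "a bill"
KEY = b"example-only-key-replace-me"         # assumption: per-test secret, kept off the seeded box
SOURCES = ["forum-a", "forum-b", "tg-channel-1"]  # assumed seeding targets


def make_canary(key: bytes, source: str, nonce: str) -> str:
    """Address whose local part is nonce.HMAC(key, source|nonce). The MAC ties the
    address to one seeding target and lets you reject any other address at the
    canary domain as noise rather than a hit on your seed."""
    tag = hmac.new(key, f"{source}|{nonce}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"{nonce}.{tag}@{CANARY_DOMAIN}"


def attribute(key: bytes, email: str, sources: list[str]) -> str | None:
    """Source a canary address was seeded to, or None if it is not one of ours."""
    local, _, domain = email.strip().lower().partition("@")
    nonce, sep, tag = local.partition(".")
    if domain != CANARY_DOMAIN or not sep:
        return None
    for src in sources:
        expected = hmac.new(key, f"{src}|{nonce}".encode(), hashlib.sha256).hexdigest()[:12]
        if hmac.compare_digest(expected, tag):
            return src
    return None


def time_to_alert(seeded: datetime, alerted: datetime | None) -> tuple[str, timedelta | None]:
    """'ok' inside the SLA, 'late' beyond it, 'never' if the monitor stayed silent."""
    if alerted is None:
        return "never", None
    delta = alerted - seeded
    return ("ok" if delta <= ALERT_SLA else "late"), delta


def score_monitor(key: bytes, seeds: dict[str, datetime],
                  alerts: list[tuple[str, datetime]]) -> dict[str, tuple[str, timedelta | None]]:
    """seeds: source -> when its canary was planted; alerts: (address, time) as the
    monitor reported them. The first attributable alert per source counts."""
    first: dict[str, datetime] = {}
    for email, when in alerts:
        src = attribute(key, email, list(seeds))
        if src is not None and (src not in first or when < first[src]):
            first[src] = when
    return {src: time_to_alert(seeded, first.get(src)) for src, seeded in seeds.items()}


T0 = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
NONCES = {"forum-a": "a1b2c3d4", "forum-b": "e5f6a7b8", "tg-channel-1": "c9d0e1f2"}  # random in practice
SEEDS = {src: T0 for src in SOURCES}  # all three canaries planted at T0
ALERTS = [  # constructed monitor output: one on time, one late, one spoof; tg-channel-1 never fires
    (make_canary(KEY, "forum-a", NONCES["forum-a"]), T0 + timedelta(hours=30)),
    (make_canary(KEY, "forum-b", NONCES["forum-b"]).upper(), T0 + timedelta(hours=72)),
    ("deadbeef.000000000000@canary-throwaway.example", T0 + timedelta(hours=1)),
]


def run_sample() -> dict[str, tuple[str, timedelta | None]]:
    return score_monitor(KEY, SEEDS, ALERTS)


if __name__ == "__main__":
    for src, (verdict, delta) in run_sample().items():
        print(f"{src:13} {verdict:6} {delta}")
```

Seed a different canary into each venue you want covered, record the planting time, and feed the monitor's alerts into score_monitor as they arrive; a "late" or "never" against a venue tells you which part of the broker pipeline the product does not actually watch.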

How CELVEX Group tests for this

Our threat-intel pipeline pulls from 11 forum sources, 23 Telegram channels, and a rotating set of initial-access broker DMs that we monitor through sock-puppet accounts our threat-intel analyst maintains. Every listing is normalized, deduplicated against a 24-month archive, classified into the four buckets above, and scored for recency and identity-graph relevance.

Test THREAT-DARKWEB-DOMAIN-MENTION-001 in core/test_catalog/_supplement_threat_intel_2026-03.py is the orchestration test. It takes an authorized-identity graph (the customer's primary domains plus their contractor domains), runs the full pipeline against the current 12-week archive, classifies every hit, and emits a triage queue ordered by "fresh access" first, "PII dump" second, "combo list" third, "stale" last. The test runs nightly for every Fortress-tier customer.
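The classify, dedup and order step that such a test performs, written out as an added example: this is not the CELVEX Group pipeline or the code behind THREAT-DARKWEB-DOMAIN-MENTION-001, and it assumes its own keyword vocabulary for the four buckets, the 7-day and 90-day cutoffs from the checklist above, a constructed identity graph (bigcustomer.com as primary, bigcontractor.com and consultancy.example as contractors) and constructed sample listings. Duplicates are suppressed by a content fingerprint rather than by filename, so a stale dump re-uploaded under a new name does not re-alert, and the queue comes out fresh access first, stale last.

```python
"""Classify and order dark-web hits against an authorized-identity graph.
Added example for this article, not CELVEX Group's pipeline. The keyword rules,
the 7/90-day thresholds and every sample listing are assumptions built for it."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 22, tzinfo=timezone.utc)  # end of the study window, used as "today"
# Queue order from the article: fresh access, PII dump, combo list, stale last.
# "unclassified" is this example's own catch-all for text no rule matched.
PRIORITY = {"fresh_access": 0, "pii_dump": 1, "combo_list": 2, "unclassified": 3, "stale": 4}
RULES = (  # first matching keyword set wins; assumed vocabulary, not a vendor's
    ("fresh_access", ("vpn", "rdp", "citrix", "webshell", "initial access", "corp access")),
    ("combo_list", ("combo", "email:pass", "user:pass", "stuffing")),
    ("pii_dump", ("ssn", "dob", "date of birth", "passport", "full name", "customer data")),
)
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
# The authorized-identity graph: every domain that authenticates in, with its role (constructed).
GRAPH = {"bigcustomer.com": "primary", "bigcontractor.com": "contractor",
         "consultancy.example": "contractor"}

@dataclass
class Hit:
    source: str
    posted: datetime
    text: str
    breach_date: datetime | None = None  # when the data was taken, if the listing says

@dataclass
class Triaged:
    hit: Hit
    matched: dict[str, str]  # graph domain -> role
    category: str
    urgency: str             # "page" (<= 7 days), "triage" (7-90 days), "posture" (>= 90 days)

def fingerprint(text: str) -> str:
    """Case/whitespace-insensitive content hash: a dump re-uploaded under a new
    filename collapses onto the copy already in the archive."""
    return hashlib.sha256(re.sub(r"\s+", " ", text.lower()).strip().encode()).hexdigest()[:16]

def match_graph(text: str, graph: dict[str, str]) -> dict[str, str]:
    """Graph domains that some host in the text equals or is a subdomain of."""
    hosts = set(HOST_RE.findall(text.lower()))
    return {d: r for d, r in graph.items() if any(h == d or h.endswith("." + d) for h in hosts)}

def classify(hit: Hit) -> str:
    if hit.breach_date and NOW - hit.breach_date >= timedelta(days=90):
        return "stale"  # old breach, whatever today's re-upload calls itself
    text = hit.text.lower()
    return next((cat for cat, kws in RULES if any(k in text for k in kws)), "unclassified")

def urgency(hit: Hit) -> str:
    """Recency buckets: page inside 7 days, posture check past 90, triage in between."""
    age = NOW - (hit.breach_date or hit.posted)
    if age <= timedelta(days=7):
        return "page"
    return "posture" if age >= timedelta(days=90) else "triage"

def triage(hits: list[Hit], graph: dict[str, str], archive: set[str]) -> tuple[list[Triaged], int]:
    """Dedup against the archive, drop hits that touch no authorized identity, and
    order the rest fresh-access first. Returns (queue, duplicates_suppressed)."""
    queue, dupes = [], 0
    for hit in hits:
        fp = fingerprint(hit.text)
        if fp in archive:
            dupes += 1
            continue
        archive.add(fp)
        matched = match_graph(hit.text, graph)
        if matched:
            queue.append(Triaged(hit, matched, classify(hit), urgency(hit)))
    queue.sort(key=lambda t: (PRIORITY[t.category], -t.hit.posted.timestamp()))
    return queue, dupes

OLD_BREACH = datetime(2023, 8, 1, tzinfo=timezone.utc)
SAMPLE_HITS = [  # constructed listings, not real posts
    Hit("tg:broker-channel", NOW - timedelta(hours=20),
        "[SELL] VPN access to corp network, auth as jane.doe@bigcontractor.com, start 5k"),
    Hit("forum:a", NOW - timedelta(days=2),
        "bigcustomer.com full database 2023 leak, reupload, 4.2M lines", OLD_BREACH),
    Hit("forum:b", NOW - timedelta(days=1),  # same dump, new filename and spacing
        "BIGCUSTOMER.COM  full database 2023 leak,   reupload, 4.2M lines", OLD_BREACH),
    Hit("forum:a", NOW - timedelta(days=20),
        "combo list 120k email:pass, private, includes bigcustomer.com users"),
    Hit("forum:c", NOW - timedelta(days=30),
        "customer data dump: full name, DOB, SSN, address, from portal.bigcustomer.com"),
    Hit("tg:broker-channel", NOW - timedelta(hours=5), "RDP access, unrelated-corp.example, 2k"),
]

def run_sample() -> tuple[list[Triaged], int]:
    return triage(SAMPLE_HITS, GRAPH, archive=set())

if __name__ == "__main__":
    queue, dupes = run_sample()
    print(f"{len(queue)} actionable hit(s), {dupes} duplicate(s) suppressed")
    for t in queue:
        print(f"{t.urgency:8} {t.category:13} {t.hit.source:18} {sorted(t.matched)}")
```

On the sample input the contractor-account VPN listing lands at the top of the queue as a page-worthy fresh-access hit even though it never mentions bigcustomer.com, the 2023 dump drops to the bottom as a posture check despite being posted two days ago, and its re-upload is suppressed outright; the unrelated RDP listing never enters the queue because it touches nothing in the graph.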

What you get is not a dashboard of red dots. You get a weekly report showing the new fresh-access mentions that match your identity graph, the affected accounts, the broker handle, the listing URL, and the recommended IR action. If a fresh-access listing matches inside the 48-hour danger window, you get a phone call.

Bottom line

Dark-web monitoring is real, but the median commercial product mostly indexes stale data on a slow crawler against a narrow keyword filter and bills it as "continuous coverage." The signal is in the 18% slice — the fresh-access listings — and that signal disappears within 48 hours of posting if you aren't watching the right rooms.

The other thing worth saying out loud: dark-web monitoring is a downstream control. By the time your domain shows up on a broker's feed, something upstream has already failed. The credential leaked because of a phishing campaign. The VPN was compromised because of a missing patch. The webshell got planted because of an exposed admin endpoint. Watching the dark web is necessary, but it's the smoke alarm — not the fire suppression. The investment that actually moves the dial is closing the upstream paths the brokers are selling.
