The dark web has transformed from a clandestine refuge for cybercriminals into a fully-fledged, sophisticated supply chain for cyberattacks, posing a direct and growing threat to South African organisations.
This hidden segment of the internet now functions as a thriving e-commerce platform where malicious actors trade the tools and data needed to execute damaging attacks, from ransomware to large-scale data breaches.
This underground economy is booming, according to Fortinet’s 2025 Global Threat Landscape Report. In 2024, over 100-billion stolen credential records were shared in dark web forums – a staggering 42% increase from the previous year.
This global trend has severe local implications, with the 2025 Interpol Africa Cyber Assessment Report confirming that SA remains a prime target for financially motivated cybercrime on the continent, much of it enabled by resources purchased on the dark web.
The commercialisation of cybercrime has significantly lowered the barrier to entry for attackers. They no longer need advanced technical skills; they can simply purchase ready-made resources, such as:
- Stolen credentials and identity information: Corporate login details are regularly sold, creating an easy entry point for attackers. Globally, compromised credentials remain the most common attack vector, according to IBM’s 2024 Cost of a Data Breach Report.
- Ransomware-as-a-Service (RaaS): At least four major RaaS services are actively advertised, allowing criminals to essentially ‘subscribe’ to ransomware tools. The discovery of 31 new ransomware groups in 2024 highlights the rapid diversification of this threat.
- Corporate network access: Initial Access Brokers (IABs) sell access to compromised corporate networks, paving the way for larger attacks.
The dark web is the engine room of the modern cyberthreat landscape. Organisations in South Africa must understand that what happens on the dark web directly impacts their security posture. The sale of one employee’s credentials or a vulnerability in a third-party supplier’s software can quickly escalate into a multi-million-rand breach.
A hidden threat ecosystem
The primary risk to organisations stems from the interplay between the visible ‘surface web’ that everyone uses daily, and its hidden counterparts: the vast ‘deep web’ (where protected data like banking portals and corporate intranets reside) and the highly anonymous ‘dark web’. Credentials stolen from a surface web application are frequently sold on dark web marketplaces, which attackers then use to gain unauthorised access to an organisation’s sensitive data stored on the deep web.
The encrypted and anonymous nature of the dark web makes it incredibly difficult for security teams to monitor for data leaks or exposed credentials without specialised tools. By the time an organisation discovers its sensitive information is for sale, it is often too late. A proactive approach is essential, involving advanced threat intelligence and continuous monitoring of these hidden channels to detect threats before they materialise into a full-blown crisis.
As the dark web’s illicit economy professionalises, the risk to unprepared SA organisations grows in tandem. Building resilience requires both defending internal networks as well as gaining comprehensive visibility into external threats, including those originating from the darkest corners of the internet.