What the Dark Web Already Knows
The credentials, source code and deal intelligence already listed and traded, how actors weaponise it, and what monitoring really delivers.
In August 2025, a group that investigators track as UNC6395 got into the Salesforce systems of hundreds of companies without cracking a single password. It used authentication tokens stolen from a sales chatbot integration called Salesloft Drift and walked in through the front door, multi-factor authentication and all. Google's Threat Intelligence Group, which published the advisory, found the attackers had one priority once inside: search the exported data for more keys, specifically Amazon Web Services access keys, passwords and Snowflake tokens. The break-in was the cheap part. The reward was everything that first access unlocked next.
Most organisations still picture a breach as a wall being scaled. The evidence points elsewhere. In the 2025 Verizon Data Breach Investigations Report, stolen credentials were the way in for 22 percent of breaches, the single most common method, and 88 percent of attacks against basic web applications used valid logins rather than exploits. The uncomfortable detail is where those credentials come from. Many are already sitting in a marketplace, harvested, packaged and priced, before the targeted company has any reason to suspect a problem.
In the 2025 Verizon DBIR, stolen credentials were the way into 22 percent of breaches, the single most common method of all.
The supply chain behind the login
The trade runs as a supply chain, and each tier has a specialist. At the entry level sit infostealers, lightweight malware that quietly copies saved passwords, session cookies and browser tokens from an infected machine. Verizon's analysis of infostealer logs is sobering: 30 percent of the compromised systems were enterprise-managed corporate devices, and 46 percent of unmanaged devices that held corporate logins were personal machines being used for work. A contractor's home laptop becomes a doorway into a company that never issued it.
Those harvested logs feed the next tier. Initial access brokers buy or generate working access, confirm that it functions, then list it for sale. According to Rapid7's 2025 Access Brokers Report, the average listing went for around 2,700 US dollars, roughly four in ten sold for between 500 and 1,000 dollars, and seven in ten came bundled with a level of privilege already attached. Virtual private network, remote desktop and domain user access were the common offerings. For the price of a laptop, a ransomware crew can skip the difficult part and buy a foothold that someone else built and tested.
Rapid7 found the average broker listing for corporate access sold for around 2,700 US dollars, often with administrative privilege already attached.
Source code is the multiplier
Credentials are the start. Source code raises the stakes. When a repository leaks, the code itself often matters less than what developers leave inside it: hardcoded API keys, cloud tokens, database connection strings and the blueprint for how a system trusts itself. Palo Alto Networks' Unit 42 documented one route plainly in 2025, finding North Korean IT workers who had copied employer code repositories from platforms such as GitHub into personal accounts, then threatened to leak proprietary code unless the company paid. The Salesloft case showed the same logic working from the outside in. The attackers' first objective was not to read code for its own sake. It was to find the embedded secrets that opened the next door.
The third category is the quietest and frequently the most expensive. Modern extortion groups rarely bother encrypting files first. They steal, then publish. Unit 42, which monitors these leak sites, has tracked the steady shift toward data theft as the primary form of leverage, and the material on offer increasingly includes the documents a board would least like to see in public: merger and acquisition files, draft financial results, legal contracts and negotiation records. For a law firm or an advisory business, the damage lands on the client. A confidential deal appearing on a public page does harm that no amount of system downtime ever could.
What it costs a board
Translate that into the numbers a board already tracks. IBM's 2025 Cost of a Data Breach report put the global average breach at 4.44 million US dollars, with the United States average reaching a record 10.22 million. The global breach lifecycle fell to 241 days, the shortest in nine years, yet breaches that begin with stolen credentials remain among the slowest of all to detect, for a plain reason: a valid login raises no alarm. Unit 42's 2025 incident response findings recorded business disruption, whether operational downtime, reputational damage or both, in 86 percent of cases. The cost is rarely the ransom alone. It is the months of undetected access, the regulatory notifications and the customers who quietly leave.
IBM put the global average breach at 4.44 million US dollars in 2025, and credential-based breaches remain among the slowest of all to detect.
What monitoring actually delivers
This is where dark web monitoring earns its place, and where it is often oversold. Monitoring does not stop a credential from being stolen, and it cannot retrieve data that has already been sold. What it does is close the gap between exposure and awareness. It converts an unknown exposure into a dated, specific alert: this credential, this employee, this token, seen here, on this date. That single fact is what lets a team act before the buyer does.
Four moves turn that capability into a defence rather than a dashboard.
Monitor for your own credentials and tokens across infostealer logs, paste sites and broker forums, and wire each alert to an automatic response: force a reset, revoke the session, challenge the login. An alert that no one acts on is just a subscription.
Treat secrets in code as credentials, because attackers do. Scan repositories for embedded keys and tokens, rotate anything exposed, and move secrets into a managed vault so a leaked file does not hand over live access.
Extend the same monitoring to your key vendors and integrations. The Salesloft case began in a third party. A supplier's stolen token becomes your breach, and your contracts should require disclosure when their credentials appear for sale.
Shorten what an exposed credential can do. Phishing-resistant multi-factor authentication, short token lifetimes and least-privilege access mean a login bought on a forum opens a cupboard rather than the whole building.
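One way to act on the first two moves together, as an added example that is not code from this article or any vendor or report it names: a small scanner that finds embedded AWS access key IDs and other secret-looking literals in a constructed sample repository and maps each hit to a rotation action rather than a dashboard entry. The AWS key shape is AWS's documented format; the keyword rule, entropy threshold, action text and sample files are assumptions.

```python
# Added example for this article, not code from any vendor or report it cites.
# AWS access key IDs really are AKIA plus 16 uppercase alphanumerics; the keyword
# rule, entropy floor, action text and sample files are constructed assumptions.
from __future__ import annotations
import math
import re
from collections import namedtuple

AWS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Assumed rule: a long literal assigned to a name that hints at a secret.
KEYWORD_RE = re.compile(
    r"(?i)(password|passwd|secret|token|api_?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})")
ENTROPY_FLOOR = 3.0  # bits per char; placeholders such as 'changeme_changeme' fall below it
# Each finding kind is wired to a response, so the scan is not just a dashboard.
ACTIONS = {
    "aws_access_key_id": "rotate the key in IAM, revoke its sessions, review CloudTrail",
    "secret_literal": "rotate the secret, move it to a vault, purge it from git history",
}
Finding = namedtuple("Finding", "path line kind masked action")  # masked: never emit the full value

def shannon_entropy(s: str) -> float:
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def mask(value: str) -> str:
    return value[:4] + "..." + value[-2:]

def scan_text(path: str, text: str) -> list[Finding]:
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in AWS_KEY_RE.finditer(line):
            found.append(Finding(path, no, "aws_access_key_id", mask(m.group(1)), ACTIONS["aws_access_key_id"]))
        for m in KEYWORD_RE.finditer(line):
            value = m.group(2)
            if AWS_KEY_RE.search(value) or shannon_entropy(value) < ENTROPY_FLOOR:
                continue  # already reported above, or too uniform to be a live secret
            found.append(Finding(path, no, "secret_literal", mask(value), ACTIONS["secret_literal"]))
    return found

def scan_repo(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]

# Constructed sample repository; the AWS key is the example value AWS itself documents.
SAMPLE_REPO = {
    "config/settings.py": "DEBUG = True\nAWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
                          "DB_PASSWORD = 'correct-horse-battery-staple-9f3k2'\nSECRET_KEY = 'changeme_changeme'\n",
    "src/app.py": "password = os.environ['DB_PASSWORD']  # read at runtime, not a literal\n"
                  "SNOWFLAKE_TOKEN = \"Xk9pQ2mT7vR4wL8nB3jH6sD1fG5aZ0yC\"\n",
}
```

Run `scan_repo(SAMPLE_REPO)` to see the three findings; the runtime lookup and the placeholder are deliberately not reported.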
Return to that August morning. The attackers did not need to be brilliant. They needed a token that someone had left reachable and a window of time in which no one was watching. Dark web monitoring cannot make an organisation impossible to compromise. What it can do is tell you, while it still matters, what the dark web already knows about you. The decision a board actually faces is whether to learn that from a monitoring alert or from a ransom note.
Sources
Verizon, 2025 Data Breach Investigations Report — https://www.verizon.com/business/resources/reports/dbir/
IBM, Cost of a Data Breach Report 2025 — https://www.ibm.com/reports/data-breach
Palo Alto Networks Unit 42, Extortion and Ransomware Trends, January to March 2025 — https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/
Google Threat Intelligence Group and Mandiant, Widespread Data Theft Targets Salesforce Instances via Salesloft Drift — https://cloud.google.com/blog/topics/threat-intelligence/data-theft-salesforce-instances-via-salesloft-drift
Rapid7, 2025 Access Brokers Report — https://www.rapid7.com/blog/post/tr-initial-access-broker-shift-high-value-targets-premium-pricing/
Disclaimer
This article is provided for general information and educational purposes. It summarises publicly reported research and incidents current as of publication and does not constitute legal, regulatory or security advice for any specific organisation. The statistics cited reflect the methodologies and reporting periods of the named sources. Threat activity, pricing and figures change over time. Organisations should validate any findings against their own environment and seek qualified professional advice before acting.
What the Dark Web Already Knows
The questions boards and security teams ask once they understand the credentials, source code and deal data already in circulation.
Working credentials and session tokens, access to corporate networks listed by initial access brokers, leaked source code containing embedded secrets, and stolen business data such as financial and merger documents published on extortion leak sites.
Valid logins bypass perimeter defences and often multi-factor authentication, so no exploit or malware is needed. Stolen credentials are now the most common single route to initial access, used in roughly 22 percent of breaches, and in 88 percent of attacks against basic web applications.
Less than most business laptops. The average broker listing for corporate access sold for around 2,700 US dollars, with many priced between 500 and 1,000 dollars and most including some level of privilege already attached.
No. Monitoring detects exposed credentials and data rather than preventing theft. Its value is shortening the time between exposure and response, so a credential can be reset or revoked before the buyer uses it.
Reset the affected credentials, revoke active sessions and tokens, rotate any exposed secrets in code, investigate for unauthorised access, and extend monitoring to vendors whose access could reach your systems.