If you run a business in South Africa in 2025, your customers’ data has already been copied, traded or tested against a login prompt somewhere you cannot see. This is the consequence of a criminal economy that feeds on one thing most organisations still underestimate: stolen credentials.
Verizon’s 2025 Data Breach Investigations Report shows that attackers continue to favour the simplest path into systems: real usernames and passwords harvested elsewhere. In basic web application attacks, approximately 88% of breaches involved stolen credentials. That is the open door that turns a small leak into a major incident.
The dangers of the dark web
Most of that stolen information ends up in one place few people ever see, the dark web. This is a hidden layer of the internet where data is traded, tested and weaponised by criminals.
What sits on the dark web that makes this so dangerous? More than people expect. Credential dumps contain e-mail addresses and passwords in clear text. Info-stealer malware logs go a step further. They exfiltrate browser auto-fill data, saved passwords, authentication cookies, device fingerprints, crypto wallet details and web session tokens.
A criminal with a fresh stealer log can often bypass multifactor prompts by replaying active session cookies, then move laterally to payroll, cloud consoles or banking portals without ever “hacking” anything. SpyCloud’s 2025 Identity Exposure Report tracks this ecosystem and reports a 22% year-over-year increase to 53.3 billion identity records recaptured from criminal sources. That is a vast supply chain of compromise.
The shift towards info-stealers shows up elsewhere, too. IBM’s 2025 Threat Intelligence Index observed an 84% rise in phishing used to deliver stealer malware and a 12% increase in credentials for sale on the dark web. This is the new normal. Attackers do not need a zero-day when a staff member’s browser has cached everything they need.
Identity management
This matters to consumers as much as it does to CISOs. The same identity that buys groceries also unlocks mobile accounts, social media and digital banking.
On criminal forums, you will find:
- Personal identifiers: Full names, ID numbers, phone numbers and addresses.
- Financial artefacts: Partial card data, IBANs, account snapshots and “fullz” packages combining know your customer (KYC) fields.
- Authentication data: E-mails and passwords from prior breaches, password re-use maps, one-time password seeds from misconfigured apps and session cookies.
- Recovery hooks: Secondary e-mails, mother’s maiden names and other prompts that enable account takeover without ever touching a password.

This cocktail is why even a minor exposure escalates. The more a criminal can correlate, the more convincingly they can reset credentials, social engineer help desks or apply for credit in someone’s name.
Costs are rising accordingly. The global average is around the mid-$4 million mark per incident, with unsanctioned “shadow AI” usage adding hundreds of thousands more in remediation costs when governance is weak. The regions we trade with most often, including the United States and the Middle East, carry even higher averages, which amplifies downstream contractual risk for South African companies with international exposure.
Fighting by knowing
What is the best response? Monitor where criminals operate. Dark web monitoring is not about surfing the dark web. It is the continuous, automated collection and correlation of exposure signals tied to your domains and brands. That includes breach databases, credential dumps and stealer-log markets that are outside the reach of normal search engines.
The value is getting an early warning. When a batch of staff e-mails and passwords lands in a dump, you do not wait for your EDR to light up. You force resets, invalidate tokens, watch for replay attempts and check for lateral movement. If customer identifiers appear, you can move quickly on notification duty, fraud flags and insurer engagement.
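The correlation step described above, reduced to working code as an added example (this is illustrative code written for this article, not Duxbury’s product or its feed format). It assumes two constructed record shapes that commonly appear in dumps and stealer logs, a constructed list of monitored domains, and turns matches into the containment actions named in the paragraph:

```python
"""Added example: correlate constructed exposure records against monitored domains.

Illustrative code only, not Duxbury's product. The record formats, the domain
list and the sample dump below are constructed for this example.
"""
from collections import defaultdict
import re

# Constructed assumption: the organisation's own domains to watch for.
MONITORED_DOMAINS = {"example.co.za", "mail.example.co.za"}

# Constructed sample lines in two shapes: a plain credential dump
# ("email:password") and stealer-log style rows ("url|login|password|cookie").
SAMPLE_DUMP = """\
alice@example.co.za:Winter2024!
bob@gmail.com:hunter2
carol@mail.example.co.za:P@ssw0rd
https://payroll.vendor.example/login|dave@example.co.za|Spring25|sessionid=abc123
https://shop.other.example/|erin@other.example|pw|sid=zzz
alice@example.co.za:Winter2024!
"""

EMAIL_RE = re.compile(r"^[^@\s:|]+@([^@\s:|]+)$")


def parse_line(line):
    """Return (email, domain, has_cookie), or None for blank/unparsable lines."""
    line = line.strip()
    if not line:
        return None
    if "|" in line:
        parts = line.split("|")
        if len(parts) < 3:
            return None
        email = parts[1].strip().lower()
        # A fourth field carrying a cookie means a live session may be replayable.
        has_cookie = len(parts) >= 4 and bool(parts[3].strip())
    else:
        email, _, _ = line.partition(":")
        email = email.strip().lower()
        has_cookie = False
    match = EMAIL_RE.match(email)
    if not match:
        return None
    return email, match.group(1), has_cookie


def correlate(dump_text, monitored=MONITORED_DOMAINS):
    """Group exposure signals by affected account, keeping only monitored domains.

    Returns {email: {"password_exposed", "session_exposed", "hits"}}.
    """
    exposures = defaultdict(
        lambda: {"password_exposed": False, "session_exposed": False, "hits": 0}
    )
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, domain, has_cookie = parsed
        if domain not in monitored:
            continue  # someone else's users; not an exposure signal for us
        rec = exposures[email]
        rec["hits"] += 1
        rec["password_exposed"] = True  # both formats carry a cleartext password
        rec["session_exposed"] = rec["session_exposed"] or has_cookie
    return dict(exposures)


def response_actions(exposures):
    """Map signals to the containment steps the article describes."""
    plan = {}
    for email, rec in exposures.items():
        actions = ["force_password_reset", "invalidate_tokens", "watch_for_replay"]
        if rec["session_exposed"]:
            # A captured cookie can sidestep the MFA prompt, so kill sessions first
            # and look for movement that already happened.
            actions.insert(0, "revoke_active_sessions")
            actions.append("check_lateral_movement")
        plan[email] = actions
    return plan


if __name__ == "__main__":
    for account, steps in response_actions(correlate(SAMPLE_DUMP)).items():
        print(account, "->", ", ".join(steps))
```

Duplicate rows for the same account are counted rather than collapsed, because a credential that keeps reappearing across dumps is a stronger signal of re-use than a one-off hit.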
From visibility to action
That is why we built Duxbury Services’ Dark Web Monitoring offering. It performs daily checks across surface, deep and dark sources for data linked to your business, raises immediate alerts on new exposures and provides audit-ready reporting, which your risk and insurance teams can use. It is designed to demonstrate proactive controls to increasingly selective cyber insurers and to reduce the dwell time between leak and response.
Two practical lessons stand out:
- Treat credentials as toxic assets: Password discipline is necessary but insufficient. Assume staff identities will be compromised elsewhere and plan for containment. Monitor for exposure, shorten token lifetimes, limit session persistence and enforce MFA that resists cookie replay.
- Bring identity signals into incident playbooks: When your monitoring picks up a stealer log tied to a senior employee, automate the reset cascade across e-mail, cloud, VPN, CRM and finance systems. Correlate with SIEM telemetry for unusual logins and immediately review delegated access, API keys and service accounts related to that user.

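The second lesson as a worked playbook step, added here as an example and not taken from Duxbury’s product or any SIEM vendor. It assumes a constructed stealer-log hit, a constructed 30-day baseline of the user’s known source IPs and devices, and constructed SIEM-style login lines; it flags successful logins after the exposure time from an unknown source and emits the reset cascade and access review the paragraph lists:

```python
"""Added example: identity-exposure playbook step (illustrative, not the product).

Given a stealer-log hit for one user, scan constructed SIEM-style login events for
logins that look like replay (unknown IP or device after the exposure time) and
emit the reset cascade across the systems named in the article. All data is
constructed; the event format and the baseline are assumptions for the example.
"""
from datetime import datetime, timezone

# The systems the article names for the reset cascade.
CASCADE_SYSTEMS = ["email", "cloud_console", "vpn", "crm", "finance"]

# Constructed baseline: sources seen for the user in the prior 30 days.
BASELINE = {"dave@example.co.za": {"ips": {"196.0.2.10"}, "devices": {"LAPTOP-DAVE"}}}

# Constructed stealer-log hit, as a monitoring feed might deliver it.
STEALER_HIT = {
    "user": "dave@example.co.za",
    "seen_at": "2025-06-01T08:00:00Z",
    "artifacts": ["saved_password", "session_cookie"],
}

# Constructed SIEM login events: "timestamp user src_ip device result".
SIEM_EVENTS = """\
2025-06-01T07:30:00Z dave@example.co.za 196.0.2.10 LAPTOP-DAVE success
2025-06-01T09:12:00Z dave@example.co.za 203.0.113.77 UNKNOWN success
2025-06-01T09:15:00Z dave@example.co.za 203.0.113.77 UNKNOWN success
2025-06-01T10:00:00Z alice@example.co.za 198.51.100.5 LAPTOP-ALICE success
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, device, result = line.split()
        events.append({"ts": parse_ts(ts), "user": user, "ip": ip,
                       "device": device, "result": result})
    return events


def suspicious_logins(hit, events, baseline):
    """Successful logins by the exposed user, after exposure, from a source
    not in that user's baseline. Earlier logins are ignored: they predate the leak."""
    exposed_at = parse_ts(hit["seen_at"])
    known = baseline.get(hit["user"], {"ips": set(), "devices": set()})
    flagged = []
    for ev in events:
        if ev["user"] != hit["user"] or ev["ts"] < exposed_at or ev["result"] != "success":
            continue
        if ev["ip"] not in known["ips"] or ev["device"] not in known["devices"]:
            flagged.append(ev)
    return flagged


def build_playbook(hit, flagged):
    """Ordered containment steps for the exposed identity."""
    steps = [f"reset:{system}" for system in CASCADE_SYSTEMS]
    if "session_cookie" in hit["artifacts"]:
        # Cookie replay sidesteps the MFA prompt, so sessions die before passwords change.
        steps.insert(0, "revoke_all_sessions")
    steps += ["review_delegated_access", "rotate_api_keys", "review_service_accounts"]
    if flagged:
        steps.append(f"escalate_to_ir:{len(flagged)}_post_exposure_logins_from_unknown_source")
    return steps


if __name__ == "__main__":
    hits = suspicious_logins(STEALER_HIT, parse_events(SIEM_EVENTS), BASELINE)
    for step in build_playbook(STEALER_HIT, hits):
        print(step)
```

Ordering matters here: revoking sessions before the password resets closes the replay window the article warns about, and the escalation step only fires when telemetry shows the exposure was actually used, which keeps routine resets out of the incident queue.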
If this is done well, criminals will find less information of value and have less time to use it. That is the difference between a contained account reset and a multi-week breach with customer impact.
The dark web will not go away. Our visibility can no longer stop at the edge of our network or the boundaries of our SaaS dashboards. It must extend to the places where our identities are traded. That is where modern defence begins.