The dark web is a subset of the internet that is accessed via special means, such as a TOR browser, and not immediately available from the clear net. The term dark web and darknet are often used interchangeably.
We will refer to the darknet as the network infrastructure, such as the TOR network or I2P network, and dark web as the content aspect that is accessed and viewed by users.
There are a lot of great resources that explain what the dark web is, where it originated from and the nefarious activity that occurs there on a daily basis. This article is focused on identifying safe access options and then the multiple search options available using freely available dark web search engines that crawl the dark web.
Investigators looking to conduct traditional search techniques on the dark web need to operate in a safe manner and be aware of the variation in results that are presented by different search engines & also actors who are active in different types of darknets.
⚠️ Caution: The dark web can contain explicit, disturbing, or illegal content. Use a secure, anonymised browsing setup and follow legal and ethical guidelines when investigating.
Different Dark Nets
Most dark web articles refer to The Onion Router (TOR) as it is the most popular and researched. However, it is important to note that there are many darknets and below is an example of four common ones:
Tor
Anonymous internet proxy network
Data is routed through relays
Supports both internal (.onion) and external browsing
Access Tor here: https://www.torproject.org
I2P
Anonymous peer-to-peer network
Uses garlic routing, an extension of onion routing
Unidirectional "tunnels" for added security
Can be very slow due to decentralisation
Access I2P here https://geti2p.net/en/
Hyphanet (formerly Freenet)
Anonymous data publishing network
Users share portions of their bandwidth and drive
Supports private darknets through strict peer-to-peer friend networks
Access Hyphanet here: https://www.hyphanet.org/pages/download.html
Zeronet
Uses Bitcoin cryptography and BitTorrent tech for decentralised websites
Access Zeronet here: https://zeronet.io/
Diving Deeper on Tor
Focusing on TOR, the browser bundle to connect can be downloaded here: https://www.torproject.org/download/
Simply accessing Tor from your standard machine is not advised due to possible security implications. For a lot of users, they will favor ease-of-use over security and connect directly from their standard workstation, but this has serious security considerations. The Tor browser is built on Firefox as a base, and therefore it is subject to the same vulnerabilities that Firefox has. Whilst the Firefox team might patch vulnerabilities regularly, there can be a delay for the update to reach the Tor bundle and therefore exposure users to risks. Given the nature of the content & site hosts on the dark web, this should be a critical consideration so as to not compromise your machine from both an attribution and malware perspective.
It is recommended to apply safe connection methods so as to protect your attribution and host machine from compromise.
Safe Browsing Options
There are many opinions and options for how to access darknets. Below is a simple chart for three options that you can use when connecting to a darknet to provide a safer level of protection. Each has varying barriers to entry and users will have different requirements, budgets, or considerations as part of their connection approach.
Options for safe dark web browsing include using a:
standard computer with a VPN connecting to a cloud virtual machine
standard computer with local virtual machine connecting to a VPN
dedicated research laptop (using Tails or similar) connecting to a VPN.
Option 1:
Configure a cloud virtual machine or desktop using providers such as:
Amazon Workspaces - https://aws.amazon.com/workspaces/
Google Cloud - https://cloud.google.com/compute
Microsoft Azure VDI - https://azure.microsoft.com/en-au/free/virtual-machines
Paperspace - https://www.paperspace.com/
Note: There are other providers, but these are relatively cost-effective when used for small periods of time.
Install Tor/darknet access on the cloud machine and use that for your research
Connect to the darknet from within the cloud virtual machine
Note: Setting up a VPN on a cloud machine can add an extra layer of security. However, some cloud providers make this difficult, and the technical setup can create additional challenges.
Option 2:
Install and configure a local virtual machine using a platform such as VirtualBox and downloading pre-configured VM's, such as the Trace Labs Virtual Machine. Alternatively, install an operating system from scratch.
Install Tor/darknet access on the virtual machine
Configure a VPN on your standard workstation
Connect to the darknet from within the virtual machine
Option 3:
Provision a standalone research laptop/computer (consider using bootable operating systems such as Tails for lower attribution)
Configure a VPN on your research laptop
Install Tor/darknet access natively on the research laptop
Connect to the darknet natively from your research laptop
Disclaimer: anything you view on the darknet that is rendered locally can still be stored in local caches on any of the options above. You must consider the legal aspects of what you are viewing in the context of your respective governing laws. OSINT Combine takes no responsibility for the content viewed or access methods detailed above.
Dark Web Searching
The dark web is indexed by various non-standard providers, as traditional search engines like Google and Bing do not crawl .onion sites on the Tor network. However, proxied Tor sites—those that use TOR2WEB services to make dark web content accessible through standard browsers—are regularly indexed on Google. Despite this, accessing these sites via a proxy is not recommended due to attribution risks.
Search engines frequently update their .onion addresses, and some may go offline from time to time. If any of the links below become unavailable or you're searching for the latest search engine URLs, sites like https://onion.live/ or https://tor.link are excellent resources. Simply search for the search engine name to find its current address, if required.
Alternatively, several sites offer curated lists of dark web resources, including up-to-date search engine URLs.
Tor Taxi is one site offering verified links and real-time uptime monitoring to help users navigate safely. It also maintains a journal of darknet events for tracking key developments. It can be found here:
Dark Fail is another platform that provides verified links to Tor hidden services, helping users avoid phishing sites. It also monitors site uptime and verifies URLs using PGP signatures for security. It can be found here: http://darkfailenbsdla5mal2mxn2uz66od5vtzd5qozslagrfzachha3f3id.onion/
Dark Web Search Engines
Ahmia
Ahmia aims, (according to their website) to be the leading search engine for services on the Tor anonymity network, providing insights, statistics, and news about the Tor project. As an open-source initiative, its code is available on GitHub. Ahmia also claims that no child exploitation material will appear in its search results, but it’s still important to be cautious about what you click on, as the dark web can contain harmful or illegal content.
http://juhanurmihxlp77nkq76byazcldy2hlmovfu2epvl5ankdibsot4csyd.onion
You can also reach this search engine via the surface web bu going to https://ahmia.fi/
HayStack
Haystak was reportedly developed by a group of privacy advocates who believe the internet should be free from state surveillance. It uses a custom-built crawler designed specifically for the darknet, allowing it to (apparently) find and index all reachable pages. That said, it's important to remember that none of these search engines are Google—some content will inevitably be missed.
http://haystak5njsmn2hqkewecpaxetahtwhsbsa64jom2k22z5afxhnpxfid.onion
Tor66
Tor66 aims to provide a quality search engine for .onion (Tor-hidden) websites. However, its search results are based solely on the content of each site's homepage (index page), which can limit the depth of its indexing.
http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion
Torch
One of the oldest dark web search engines, Torch claims to index millions of .onion pages. Like all darknet search tools, results can be inconsistent, and some content may be outdated.
http://xmh57jrknzkhv6y3ls3ubitzfqnkrwxhopf5aygthi7d6rplyvk3noyd.onion
DeepSearch
DeepSearch is a relatively new dark web search engine that claims to prioritise privacy and use a custom .onion crawler with a unique ranking system. While it reportedly indexed 160,000 web pages within its first two weeks, these figures cannot be independently verified.
http://search7tdrcvri22rieiwgi5g46qnwsesvnubqav2xakhezv4hjzkkad.onion
OnionLand
OnionLand is a search engine designed to help users discover hidden services on the Tor network and eepsites on the I2P network.
http://3bbad7fauom4d6sgppalyqddsqbf5u5p56b5k5uk2zxsy3d6ey2jobad.onion
Not all search engines are created equal. They differ in search results, depending on which sites their crawlers index, as well as in advanced search capabilities, such as Boolean operators or multilingual support. Some are built for general discovery, while others focus on specific types of content. For investigators, using multiple search engines and comparing results is key to a thorough investigation. Targeting searches to engines that specialise in certain areas can also improve efficiency and accuracy.
Onion Watching
Some investigators may need to identify and monitor new .onion sites as they emerge. This can help track patterns, uncover new vectors, or build pipelines of fresh .onion URLs for custom crawling engines.
Here are three useful resources for discovering and monitoring dark web sites:
DarkWebSitesLinks
Provides detailed information on various dark web tools, including search engines and marketplaces.
http://darkwev6xtagl7742tqu24v2j4namr5ocfsfpha74a5nh4bwyp27a3ad.onion
Tor Links
Indexes .onion sites with metadata, including language, title, URL, and descriptions.
http://torlinksge6enmcyyuxjpjkoouw4oorgdgeo7ftnq3zodj7g2zxi3kyd.onion
Tor66 Fresh Onions
A feature of the Tor66 search engine that provides a rolling list of newly identified .onion sites, including timestamps, descriptions, and detected languages.
⚠️http://tor66sewebgixwhcqfnp5inzp5x5uohhdy3kvtnyfxc2e5mxiuh34iid.onion/fresh⚠️
Caution: This site in particular may contain explicit content, including graphic images and links to illicit material. Exercise caution and ensure appropriate security measures are in place before accessing.
Information Slippage
Investigating individuals on the dark web often relies on linking their activities to the surface web through information slippage—when identifiable markers like usernames, PGP keys, or cryptocurrency addresses are used across both environments.
In most cases, attribution is possible due to poor operational security (OPSEC) habits. Users may unintentionally reuse the same credentials, leave digital traces, or interact with services that expose metadata, making it easier to connect their dark web activities to real-world identities.
A key aspect of attribution is social network analysis once identifiable markers are found on the surface web. Social groups tend to cluster around shared interests or direct connections, making it possible to map networks and identify relationships. Analysing language patterns, image metadata, and posting habits can provide further clues, but there’s no silver bullet—false positives are common, so a thorough and methodical approach is essential.
For de-anonymizing and identifying site hosts, more technical investigations may be required, such as examining SSL certificates. For an introduction to this process, Hunchly provides a useful guide.
Light Up the Dark (Web) - Uncover More with NexusXplore.
This article provides a basic guide to conducting dark web searches using only free resources. While paid tools aren’t essential, they can greatly improve efficiency, safety, and scalability in investigations.
For those needing more advanced capabilities, contact us for a demonstration of our world-leading OSINT solution.
NexusXplore is the world’s premier OSINT platform, delivering scale, efficiency, and speed to the modern analyst working in today's complex information landscape. NexusXplore contains a comprehensive dark web search and investigative functionality, allowing analysts to shine a light into the deepest and darkest recesses of the online environment.
NexusXplore’s Dark Web Capabilities
Search the dark web safely and swiftly with a single click. No need for dedicated laptops, misattribution infrastructure or configured virtual machines, which take time to establish and maintain.
Seamlessly pivot from dark to deep or surface web within the same platform to identify information slippage and drag dark web actors into the light. For example, investigating linked Telegram channels or identifying further online presence and biographical information tied to user handles.
Access historical dark web posts and pages, allowing for access to valuable information which may have since been taken down or altered.
Conduct advanced searches to find actionable information with ease. This includes filtering options, boolean-enabled search functionality, and translation capability.
Explore the lesser-known dark nets such as I2P and Hyphanet which are often overlooked in investigations due to the higher barrier to entry.
Two Secure Search Options
Text-only: cut through the noise and reduce your team’s exposure to vicarious trauma by retrieving sanitised, text-only results
Live Tor browsing: investigate dark web actors and networks in their native habitat safely and securely using our integrated, sandboxed, and anonymised Tor portal.
With NexusXplore, analysts can safely and efficiently uncover, track, and expose dark web threats—all in a single, streamlined platform.
One key takeaway from this discussion is the importance of using multiple search methods to maximise the chances of finding relevant leads. The dark web is vast, and no single search engine indexes everything, so diversifying your approach is essential. Equally important is establishing an efficient workflow to avoid being overwhelmed by the sheer volume of information.
For those interested in more in-depth dark web training, check out our online, self-paced OSINT Combine Academy at https://academy.osintcombine.com, or contact us to learn more about our bespoke training options.