What this signal monitors
Dark web monitoring for events in SignalGuard's Chatter pillar performs a keyword sweep of the Tor hidden-services index for venue-, performer-, or event-tied content. Realistic scope: most actionable extremist organizing has migrated off Tor to Telegram and private Discords (see /docs/signals/telegram-threats for that higher-signal source). What remains on the dark web that matters for event security is credential dumps mentioning the venue or corporate sponsor, marketplace listings for weapons, IDs, or "services" tied to a city, doxx repositories naming the artist or VIP, and long-tail forum chatter that hasn't yet moved to Telegram. Treat the output as a background sweep — low-volume, occasionally load-bearing.
Data sources
The signal uses Ahmia.fi — a Helsinki-based research project that maintains a search index of .onion sites with content-policy filtering (no CSAM, no live-stream violence). Free, no API key required, clearnet-accessible. SignalGuard's client calls https://ahmia.fi/search/?q=<keyword>, parses the HTML result list (Ahmia's per-result structure is stable: <li class="result"> with <h4><a>TITLE</a></h4>, <cite>onion-url</cite>, <p>SNIPPET</p>), and classifies each hit.
To swap in a paid aggregator later — Webz.io, DarkOwl, or Flashpoint — replace the fetch-and-parse block. The public contract ({ ok, results, threatLevel, ... }) is stable across providers.
How SignalGuard scores severity
Four classifier tiers, scored in priority order:
- Direct-threat tier (score 4): kill, shoot, shooter, bomb, attack, assassin, hitman, weapon, gun for sale, explosive, detonate.
- Credential-dump tier (score 3): leak, leaked, dump, breach, database, combo, combolist, pwned, credentials, logins.
- Marketplace tier (score 2): market, shop, vendor, cart, escrow, btc, monero, xmr, fullz, cc dump, cards, cloned, fake id, passport.
- Dox tier (score 3): dox, doxx, personal info, home address, phone leak.
Overall severity:
- Critical if any result has a direct-threat keyword AND the venue or event keyword appears in the result title.
- High if ≥3 results carry credential-dump or marketplace signals.
- Medium if ≥1 marketplace-style result is tied to the event location.
- Low for any indexed results.
- None for no results.
Caching is 30 minutes (onion index changes slowly); stale-cache fallback runs up to 12 hours.
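The parse, classify, and score steps described above, as an added example that is not SignalGuard's own code. Function and field names, whole-word case-insensitive matching, and reading "tied to the event location" as the location appearing in the title or snippet are assumptions; the sample HTML is constructed and follows the per-result structure given under Data sources.

```javascript
// Added example: names, matching rules and SAMPLE_HTML are assumptions/constructed.
const TIERS = [ // in the page's priority order
  { name: "direct-threat", score: 4, words: ["kill", "shoot", "shooter", "bomb", "attack", "assassin", "hitman", "weapon", "gun for sale", "explosive", "detonate"] },
  { name: "credential-dump", score: 3, words: ["leak", "leaked", "dump", "breach", "database", "combo", "combolist", "pwned", "credentials", "logins"] },
  { name: "marketplace", score: 2, words: ["market", "shop", "vendor", "cart", "escrow", "btc", "monero", "xmr", "fullz", "cc dump", "cards", "cloned", "fake id", "passport"] },
  { name: "dox", score: 3, words: ["dox", "doxx", "personal info", "home address", "phone leak"] },
];
// Result text is untrusted: drop any markup before matching or displaying it.
const strip = (s) => s.replace(/<[^>]*>/g, "").replace(/\s+/g, " ").trim();
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
// Whole-word match so "kill" does not fire on "skill".
const has = (text, phrase) => new RegExp("\\b" + esc(phrase) + "\\b", "i").test(text);

function parseResults(html) {
  const out = [];
  for (const [, li] of html.matchAll(/<li class="result">([\s\S]*?)<\/li>/g)) {
    const pick = (re) => strip((li.match(re) || [, ""])[1]);
    out.push({
      title: pick(/<h4>\s*<a[^>]*>([\s\S]*?)<\/a>/),
      url: pick(/<cite>([\s\S]*?)<\/cite>/),
      snippet: pick(/<p>([\s\S]*?)<\/p>/),
    });
  }
  return out;
}
function classify(r) {
  const text = `${r.title} ${r.snippet}`;
  const tiers = TIERS.filter((t) => t.words.some((w) => has(text, w)));
  // score = first matching tier in priority order; tiers = every tier that matched
  return { ...r, tiers: tiers.map((t) => t.name), score: tiers.length ? tiers[0].score : 0 };
}
function sweep(html, eventKeyword, location) {
  const results = parseResults(html).map(classify);
  const inTier = (r, ...names) => names.some((n) => r.tiers.includes(n));
  let threatLevel = results.length ? "low" : "none";
  if (results.some((r) => inTier(r, "marketplace") && has(`${r.title} ${r.snippet}`, location))) threatLevel = "medium";
  if (results.filter((r) => inTier(r, "credential-dump", "marketplace")).length >= 3) threatLevel = "high";
  if (results.some((r) => inTier(r, "direct-threat") && has(r.title, eventKeyword))) threatLevel = "critical";
  return { ok: true, results, threatLevel };
}
const SAMPLE_HTML = `
<li class="result"><h4><a href="#">Harbor Arena staff logins leaked</a></h4>
  <cite>exampleaaaa.onion</cite><p>combolist of <b>credentials</b></p></li>
<li class="result"><h4><a href="#">Fake ID packages</a></h4>
  <cite>examplebbbb.onion</cite><p>vendor ships to Springfield, escrow accepted</p></li>`;
console.log(sweep(SAMPLE_HTML, "Harbor Arena", "Springfield").threatLevel);
```

The rules are applied lowest to highest so the strongest matching level wins; a regex parser like this one depends on the result markup staying as described and should fail closed (zero results, logged) if it changes.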
Use cases for event security
Dark web monitoring for events catches credential dumps mentioning a venue's corporate sponsor in the run-up to a high-profile show — an attacker positioning to leverage compromised employee credentials at the gate or backstage.
A music-festival operator preparing for a 6-week-out planning cycle watches the marketplace tier for fake-ID listings tied to the festival name. The pattern is consistent: marketplace vendors advertise fake-ID packages for specific festival ingress, and the catalog listing pre-dates the event by 2-8 weeks.
A high-profile speaker event watches the dox tier for the speaker's name combined with home address or personal info — the canonical pre-doxx publication pattern. Action: alert the protective detail.
Pairs well with
- Telegram threats (/docs/signals/telegram-threats) — both surfaces cover threat-actor organizing; reading them together captures the operational migration from Tor to Telegram.
- News (GDELT) (/docs/signals/news) — major credential-dump events frequently break in editorial coverage within 48 hours; cross-reference confirms the dark-web hit is real.
- FBI crime baseline (/docs/signals/crime) — local crime context calibrates how seriously to read marketplace listings tied to a city.
Premium upgrade path
Ahmia.fi is free but covers only what its research crawler can index. For deeper coverage — paywalled forums, private marketplaces, longer historical windows — the SignalGuard /integrations catalog includes BYOK paths to DarkOwl (enterprise dark-web monitoring) and Flashpoint (analyst-enriched threat-actor attribution). See /pricing for the integration tier required.
Frequently asked questions
Does SignalGuard actually crawl Tor onions directly? No. The signal uses Ahmia.fi's research-grade clearnet index — Ahmia operates the Tor crawler; SignalGuard reads the resulting public search interface. This is intentional: running our own Tor crawler would be both operationally expensive and indistinguishable, to an investigator, from acting as a Tor mirror for content we don't want to host.
How comprehensive is dark web monitoring for events via Ahmia? Ahmia indexes a substantial slice of the live Tor onion population but explicitly excludes content prohibited by its policies (CSAM, live-stream violence). Per Ahmia's project documentation and the original Tor Project research, Ahmia's index typically covers the majority of indexable .onion services at any given time. For broader coverage, swap in a paid aggregator (DarkOwl, Flashpoint) via the integrations panel.
Why is the dark-web signal sometimes Low even when concerning marketplace listings appear? Severity escalation requires either a direct-threat keyword OR a venue/keyword match in the result title. A generic marketplace listing for fake IDs that doesn't mention your venue's name reads as a backdrop signal — present, but not addressable. The classifier is intentionally conservative here; over-escalation on Tor marketplace noise would drown the real signal.
Is dark web monitoring for events legal? Reading a public clearnet index of .onion services (which is what Ahmia.fi is) does not require accessing Tor itself, and Ahmia's index is published explicitly for security and research use. The Council on Foreign Relations brief on dark-web monitoring frames this as standard practice for corporate threat-intelligence programs.