monitoring-darkweb-sources
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions of organizational assets, leaked credentials, threatened attacks, and threat actor communications to provide early warning intelligence. Use when establishing dark web monitoring coverage, investigating specific data breach claims, or enriching incident investigations with dark web context. Activates for requests involving dark web OSINT, leak site monitoring, credential exposure, Recorded Future dark web, or Tor hidden service intelligence.
| name | monitoring-darkweb-sources |
| description | 'Monitors dark web forums, marketplaces, paste sites, and ransomware leak sites for mentions of organizational assets, leaked credentials, threatened attacks, and threat actor communications to provide early warning intelligence. Use when establishing dark web monitoring coverage, investigating specific data breach claims, or enriching incident investigations with dark web context. Activates for requests involving dark web OSINT, leak site monitoring, credential exposure, Recorded Future dark web, or Tor hidden service intelligence. ' |
| domain | cybersecurity |
| subdomain | threat-intelligence |
| tags | dark-web, OSINT, credential-monitoring, ransomware-leaks, Recorded-Future, SpiderFoot, CTI |
| version | 1.0.0 |
| author | team-cybersecurity |
| license | Apache-2.0 |
| nist_ai_rmf | MEASURE-2.7, MAP-5.1, MANAGE-2.4 |
| atlas_techniques | AML.T0070, AML.T0066, AML.T0082 |
| nist_csf | ID.RA-01, ID.RA-05, DE.CM-01, DE.AE-02 |
Monitoring Dark Web Sources
When to Use
Use this skill when:
- Establishing continuous monitoring for organizational domain names, executive names, and product brands on dark web forums
- Investigating a reported data breach claim found on a ransomware leak site or paste site
- Enriching an incident investigation with context about stolen credentials or planned attacks
Do not use this skill without proper operational security measures — dark web browsing without isolation exposes analyst infrastructure to adversary counter-intelligence.
Prerequisites
- Commercial dark web monitoring service (Recorded Future, Flashpoint, Intel 471, or Cybersixgill)
- Isolated operational environment: Whonix OS or Tails OS running in a VM with no persistent storage
- Keyword watchlist: organization domain, key executive names, product names, IP ranges, known credentials
- Legal guidance confirming passive monitoring is authorized in your jurisdiction
Workflow
Step 1: Establish Keyword Monitoring via Commercial Services
Configure dark web monitoring keywords in your CTI platform (e.g., Recorded Future Exposure module):
- Domain variations: company.com, @company.com, company[dot]com
- Executive names: CEO, CISO, CFO full names
- Product/brand names
- Internal codenames or project names (if suspected breach scope is broad)
- Known email domains for credential monitoring
Most commercial services (Flashpoint, Intel 471, Cybersixgill) crawl forums like XSS, Exploit[.]in, BreachForums, and Russian-language cybercriminal communities without analyst exposure.
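The domain variations in the Step 1 watchlist only catch text that uses exactly those spellings. The following added example (not part of the original skill) normalizes common defanging before matching a watchlist against collected text; the watchlist entries, the sample text and the function names are constructed for illustration.

```python
import re

# Constructed watchlist: company.com and the executive name are placeholders.
WATCH_DOMAINS = ["company.com"]
WATCH_NAMES = ["Jane Example"]

# Constructed sample of collected text (paste or forum export).
SAMPLE = """selling access vpn.company[dot]com
j.doe@company.com:REDACTED
admin(at)company[.]com:REDACTED
no hit: notcompany.com / company.com.evil.example
ceo jane   example travel schedule"""

# Defanging styles: company[dot]com, company[.]com, user(at)company.com
_DOT = re.compile(r"[\[({]\s*(?:dot|\.)\s*[\])}]", re.I)
_AT = re.compile(r"[\[({]\s*(?:at|@)\s*[\])}]", re.I)
# Reject look-alikes that continue the name: company.com.evil.example
_TAIL = r"(?![\w-]|\.\w)"


def refang(text: str) -> str:
    """Undo common defanging so one pattern covers every variant."""
    return _AT.sub("@", _DOT.sub(".", text))


def scan(text: str) -> list[dict]:
    """Return watchlist hits as dicts with type, keyword and matched value."""
    clean, hits = refang(text), []
    for domain in WATCH_DOMAINS:
        d = re.escape(domain)
        # Email addresses at the domain or a subdomain (credential-dump lines).
        for addr in re.findall(rf"[\w.+-]+@(?:[\w-]+\.)*{d}{_TAIL}", clean, re.I):
            hits.append({"type": "email", "keyword": domain, "value": addr.lower()})
        # Bare domain or subdomain; the lookbehind skips email addresses and
        # longer names such as notcompany.com.
        pat = rf"(?<![\w@.-])((?:[\w-]+\.)*{d}){_TAIL}"
        for m in re.finditer(pat, clean, re.I):
            hits.append({"type": "domain", "keyword": domain, "value": m.group(1).lower()})
    for name in WATCH_NAMES:
        # Tolerate arbitrary whitespace between name parts.
        pat = r"\b" + r"\s+".join(map(re.escape, name.split())) + r"\b"
        if re.search(pat, clean, re.I):
            hits.append({"type": "name", "keyword": name, "value": name})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Email hits and bare-domain hits are reported separately, so credential-style lines can be routed to the Step 4 process while infrastructure mentions go to triage.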
Step 2: Manual Investigation with Operational Security
For investigations requiring direct dark web access:
Environment setup:
- Use a dedicated physical machine or air-gapped VM (Whonix + VirtualBox)
- Connect via Tor Browser only — never via standard browser
- Use a cover identity with no links to organization
- Never log in with real credentials to any dark web site
- Document all sessions in investigation log with timestamps
Paste site monitoring (clearnet-accessible, no Tor required):
```bash
# Hunt paste sites via API
curl "https://psbdmp.ws/api/search/company.com" | jq '.data[].id'
curl "https://pastebin.com/search?q=company.com" # Rate-limited public search
```
Step 3: Investigate Ransomware Leak Sites
Ransomware groups maintain .onion leak sites. Monitor these through commercial services rather than direct access. When a claim appears about your organization:
- Capture screenshot evidence via commercial service (do not access directly)
- Assess legitimacy: Does the threat actor's claimed data align with any known internal systems?
- Check timestamp: Is this claim recent or historical?
- Cross-reference with any known security incidents or phishing campaigns from that timeframe
- Engage IR team if claim appears credible before public disclosure
Known active ransomware leak site operators (as of early 2025): LockBit (disrupted Feb 2024), ALPHV/BlackCat (disrupted Dec 2023), Cl0p, RansomHub, Play.
Step 4: Credential Exposure Monitoring
For leaked credential monitoring:
- Have I Been Pwned Enterprise: Domain-level notification for credential exposures in breach datasets
- SpyCloud: Commercial credential monitoring with anti-cracking and plaintext password recovery from criminal markets
- Flare Systems: Automated monitoring of paste sites and dark web markets for credential dumps
When credential exposures are confirmed:
- Force password reset for affected accounts immediately
- Check if credentials provide access to any organizational systems (SSO, VPN)
- Review access logs for the period between credential exposure and detection for unauthorized access
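One way to carry out the access-log review in the last item above, as an added example that is not part of the original skill: it flags successful logins by exposed accounts, between exposure and detection, that came from a source IP the account had not used before the exposure. The CSV log layout, the sample records and the function names are assumptions.

```python
from datetime import datetime

# Constructed authentication log (CSV: time, account, source IP, service, result).
SAMPLE_LOG = """\
2025-01-03T08:12:00Z,j.doe@company.com,198.51.100.7,sso,success
2025-01-09T02:41:00Z,j.doe@company.com,203.0.113.50,vpn,failure
2025-01-09T02:43:00Z,j.doe@company.com,203.0.113.50,vpn,success
2025-01-10T09:05:00Z,j.doe@company.com,198.51.100.7,sso,success
2025-01-11T14:20:00Z,a.lee@company.com,203.0.113.50,sso,success
2025-01-20T07:00:00Z,j.doe@company.com,192.0.2.99,sso,success
"""


def _ts(value: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_window(log: str, exposed: set[str], exposure: str, detection: str) -> list[dict]:
    """Return successful logins by exposed accounts inside the exposure-to-detection
    window whose source IP was not seen for that account before the exposure."""
    start, end = _ts(exposure), _ts(detection)
    baseline: dict[str, set[str]] = {}  # account -> IPs used before exposure
    in_window = []
    for line in log.strip().splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue  # skip malformed records instead of failing the review
        when, account, ip, service, result = parts
        account = account.lower()
        if account not in exposed or result != "success":
            continue
        t = _ts(when)
        if t < start:
            baseline.setdefault(account, set()).add(ip)
        elif t <= end:
            in_window.append({"time": when, "account": account, "ip": ip, "service": service})
    # Compare after the full pass so the result does not depend on log order.
    return [e for e in in_window if e["ip"] not in baseline.get(e["account"], set())]


if __name__ == "__main__":
    for event in review_window(SAMPLE_LOG, {"j.doe@company.com"},
                               "2025-01-05T00:00:00Z", "2025-01-15T00:00:00Z"):
        print(event)
```

An account with no logins before the exposure has an empty baseline, so every in-window success for it is flagged for manual review.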
Step 5: Document and Escalate Findings
For each dark web finding:
- Capture evidence (commercial service screenshot, paste site archive)
- Classify severity: P1 (imminent attack threat or active data exposure), P2 (credential exposure), P3 (general mention)
- Notify appropriate stakeholders within defined SLAs
- Open investigation ticket and link to evidence artifacts
- Apply TLP:RED for any findings referencing named executives or specific attack plans
Key Concepts
| Term | Definition |
|---|---|
| Dark Web | Tor-accessible hidden services (.onion domains) not indexed by standard search engines; hosts both legitimate and criminal content |
| Paste Site | Clearnet text-sharing sites (Pastebin, Ghostbin) frequently used to publish stolen data or malware configurations |
| Ransomware Leak Site | .onion site operated by ransomware group to publish stolen victim data as extortion leverage |
| Operational Security (OPSEC) | Protecting analyst identity and organizational affiliation during dark web investigation |
| Credential Stuffing | Automated use of leaked username/password pairs against authentication systems |
| Stealer Logs | Data packages exfiltrated by infostealer malware containing saved browser credentials, cookies, and session tokens |
Tools & Systems
- Recorded Future Dark Web Module: Automated monitoring of dark web sources with alerting on organization-specific keywords
- Flashpoint: Dark web forum monitoring with human intelligence augmentation for criminal community context
- Intel 471: Closed-source access to cybercriminal communities with structured intelligence on threat actors
- SpyCloud: Credential exposure monitoring with recaptured plaintext passwords from criminal markets
- Have I Been Pwned Enterprise: Domain-level breach notification API for credential monitoring at scale
Common Pitfalls
- Direct access without OPSEC: Accessing dark web forums without Tor and a cover identity can expose analyst IP, browser fingerprint, and organization affiliation to adversaries.
- Overreacting to unverified claims: Ransomware groups and forum posters fabricate attack claims for extortion or reputation. Verify before escalating to incident response.
- Missing clearnet sources: Most dark web intelligence programs miss Telegram channels, Discord servers, and paste sites which operate on the clearnet and host significant criminal activity.
- Inadequate legal review: Dark web monitoring must be reviewed by legal counsel — passive monitoring is generally lawful but active participation in criminal markets is not.
- No evidence preservation: Dark web content disappears rapidly. Capture timestamped evidence immediately upon discovery using commercial service exports.
How to use monitoring-darkweb-sources on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- Cursor installed and configured on your development machine
- Node.js version 16.0+ with npm package manager (verify with node --version)
- Active project directory or workspace where you want to add monitoring-darkweb-sources
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches monitoring-darkweb-sources from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate monitoring-darkweb-sources. Access the skill through slash commands (e.g., /monitoring-darkweb-sources) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
Use Cases
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide
Prerequisites
- Claude Desktop or compatible AI client with skill support
- Clear understanding of task or problem to solve
- Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
1. Install skill using provided installation command
2. Test with simple use case relevant to your work
3. Evaluate output quality and relevance
4. Iterate on prompts to improve results
5. Integrate into regular workflow if valuable
Common Pitfalls
- Expecting perfect results without iteration
- Not providing enough context in prompts
- Using skill for tasks outside its intended scope
- Accepting outputs without review and validation
Best Practices
✓ Do
- Start with clear, specific prompts
- Provide relevant context and constraints
- Review and refine all outputs before using
- Iterate to improve output quality
- Document successful prompt patterns
✗ Don't
- Don't use without understanding skill limitations
- Don't skip validation of outputs
- Don't share sensitive information in prompts
- Don't expect skill to replace human judgment
💡 Pro Tips
- Be specific about desired format and style
- Ask for multiple options to choose from
- Request explanations to understand reasoning
- Combine AI efficiency with human expertise
When to Use This
✓ Use When
Use when the skill's capabilities match your task, there is clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when the task requires deep expertise you can't validate, involves sensitive decisions, or when the learning process is more valuable than speed of completion.
Learning Path
1. Familiarize yourself with skill capabilities and limitations
2. Start with low-risk, non-critical tasks
3. Progress to more complex and valuable use cases
4. Build expertise through regular use and experimentation
Ratings
4.8 ★★★★★ (37 reviews)
- ★★★★★Harper Mehta· Dec 28, 2024
monitoring-darkweb-sources reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Harper Jain· Dec 24, 2024
We added monitoring-darkweb-sources from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
- ★★★★★Ganesh Mohane· Dec 16, 2024
Keeps context tight: monitoring-darkweb-sources is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Aisha Gupta· Nov 23, 2024
Keeps context tight: monitoring-darkweb-sources is the kind of skill you can hand to a new teammate without a long onboarding doc.
- ★★★★★Harper Martinez· Nov 19, 2024
I recommend monitoring-darkweb-sources for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Sakshi Patil· Nov 7, 2024
monitoring-darkweb-sources has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Chaitanya Patil· Oct 26, 2024
Solid pick for teams standardizing on skills: monitoring-darkweb-sources is focused, and the summary matches what you get after install.
- ★★★★★Sofia Thomas· Oct 14, 2024
monitoring-darkweb-sources is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
- ★★★★★Harper Anderson· Oct 10, 2024
Useful defaults in monitoring-darkweb-sources — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Kaira Rahman· Sep 25, 2024
We added monitoring-darkweb-sources from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.