Connect with us

Infosecurity

The Dark Web Unmasked: Separating Fact from Fiction in the Digital Shadows

Published

on

The Dark Web Unmasked: Separating Fact from Fiction in the Digital Shadows

When you hear the term ‘Dark Web,’ what comes to mind? For many, it’s a digital underworld synonymous with hackers, illegal marketplaces, and shadowy dealings. This common perception of the Dark Web as a purely criminal space is one of the most persistent Dark Web myths in circulation today. In reality, the landscape is far more nuanced, serving purposes that range from the illicit to the vitally important for human rights and free expression.

This means that the internet cannot be neatly split into ‘light’ and ‘dark’ sides. Criminal activity is a pervasive issue across the entire digital ecosystem, not a problem confined to one hidden corner. To understand the true nature of these anonymized networks, we must move beyond the sensational headlines.

Why the Dark Web Gets a Bad Reputation

Media portrayal plays a colossal role in shaping public opinion. Consequently, news stories often focus exclusively on the arrests made or the illegal goods seized on darknet markets, reinforcing a monolithic view of criminality. James Chappell, CTO and Co-founder of Digital Shadows, points directly to this coverage as a source of the misconception.

“Looking at some of the press coverage you could be forgiven for thinking that the Dark Web is solely about criminality,” Chappell noted. “In reality, this is not the case.” He emphasizes that criminality is an internet-wide challenge, not one limited to the technologies labeled as the ‘Dark Web.’

Legitimate Uses in the Shadows

Building on this, the core technology enabling the Dark Web—strong anonymity and privacy—is neutral. What matters is the intent of the user. Therefore, these networks provide critical infrastructure for several lawful and socially beneficial activities.

For instance, investigative journalists and whistleblowers in oppressive regimes use these channels to communicate securely and leak information without fear of reprisal. Political dissidents rely on them to organize and access censored news. Ordinary citizens in surveilled countries use them for private messaging and to bypass state firewalls.

A Platform for Privacy and Free Speech

At its heart, the driving force behind all use of the Dark Web, whether lawful or not, is the desire for privacy. In an age of pervasive data collection, the demand for anonymous communication is understandable. Simply put, being on the Dark Web does not automatically make an activity criminal.

As Chappell explains, “criminality exists in almost equal measure on the surface and deep web.” The tools are the same; the outcomes differ based on the user’s choices. You can learn more about protecting your own online privacy on our site.

The Criminal’s Paradox: Anonymity as a Hindrance

Interestingly, the very secrecy that defines the Dark Web can also act as a major obstacle for cybercriminals. Contrary to the image of a ‘hackers’ paradise,’ operating successfully there is fraught with difficulty. Digital Shadows’ research into how criminal groups recruit talent revealed this tension clearly.

The complete anonymity makes establishing trust nearly impossible. With ‘no honor among thieves,’ hackers frequently steal each other’s identities, sabotage rivals’ reputations, and scam one another. This environment makes it perilous for criminal enterprises to vet new members, putting a brake on their growth.

Barriers to Illicit Success

Furthermore, accessing exclusive criminal marketplaces is not straightforward. Some require existing members to vouch for newcomers. Others are invitation-only or demand payment—or even proof of a committed crime—for entry. These barriers create a high-stakes environment where maintaining a credible criminal ‘brand’ is essential, yet any slip-up in operational security can reveal a user’s real-world identity, leading to arrest.

This tricky balance is hard to maintain, and history is filled with cases of criminals who tripped up. For a deeper look at evolving cybercrime trends, explore our analysis.

Dispelling the Core Dark Web Myths

Ultimately, the narrative needs a fundamental shift. The internet is a continuum, not a binary of good and evil. Labeling the Dark Web as universally ‘bad’ ignores its role as a tool for privacy, a sanctuary for free speech, and a complex ecosystem where criminal elements face significant internal challenges.

The key takeaway is that technology itself is amoral. The same encryption that protects a dissident can hide a fraudster. The challenge for society and security professionals is not to condemn an entire technological layer but to understand its multifaceted reality and address malicious actions wherever they occur—on the surface, in the deep web, or in the darkest corners.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

Cash App owner Block to pay $45 million over claims it misled users on security

Published

on

Cash App settlement

Block Inc. agrees to multi-state payout after security failures exposed users to scammers

The parent company of Cash App is forking over $45 million to resolve claims that it downplayed security risks and left users vulnerable to fraud. State attorneys general from 46 states announced the bipartisan settlement with Block, Inc. on Wednesday, accusing the fintech giant of promising protections it never delivered.

New York Attorney General Letitia James was blunt: the company “failed to help users when they were scammed, misled consumers about the safety of Cash App, and failed to provide the fraud protection and resolution that it promised and was required to provide by law.”

Texas will receive $5 million from the settlement. New York gets $1.6 million. Smaller states are collecting less than $1 million each.

What investigators found: no phone support, fake numbers, and unlimited accounts

The probe uncovered a cascade of basic failures. Cash App didn’t offer a phone number for customer support — so users searched online and wound up calling scammers who had set up fake helplines. Block knew this was happening, James said, but didn’t warn customers or launch a real phone line until 2021.

Signing up required no Social Security number or date of birth. There was no cap on how many accounts one person could open. That allowed a single bad actor to run a whole network of scam accounts, investigators concluded.

Texas Attorney General Ken Paxton described the situation bluntly: “Lax verification standards, a years-long absence of phone support, and deceptive social media promotions left users exposed to scammers.” He added that Cash App dragged its feet on internal fraud investigations and locked victims out of accounts with no way to recover stolen money.

The settlement requires real human support — at least 13.5 hours a day

The consent judgment filed in New York, mirroring those in other states, forces Block to maintain live customer support 24 hours a day. At least 13.5 hours of that must be staffed by “a real person.” That’s a direct response to years of complaints about automated, unhelpful responses.

This agreement also reaffirms a separate federal consent order from January 2025. Under that deal with the Consumer Financial Protection Bureau, Block must distribute between $75 million and $120 million to states. Combined, the two settlements push Block’s total payout over $120 million.

Block stays silent — and faces a credibility problem

As of Wednesday afternoon, neither Block nor Cash App had issued a statement about the settlement. That silence speaks volumes for a company that once built its brand on simplicity and trust.

Founded by Jack Dorsey in 2009, Block also owns the payment platform Square and the music streaming service Tidal. The company has long positioned itself as an alternative to traditional banking. But this settlement suggests its security and customer service fell short of even basic expectations.

What Cash App users should know now

If you use Cash App, a few things are worth keeping in mind:

  • Verify support channels. Only use the official app or website for help. Don’t Google a customer service number — scammers still run fake ones.
  • Watch for account limits. The settlement doesn’t change the fact that Cash App lacks FDIC insurance on most balances. Your money isn’t protected the way it would be in a bank.
  • Report fraud quickly. Block is now required to respond faster to fraud claims. If you’re scammed, document everything and file a report through the app immediately.

The broader lesson? A sleek interface and a famous founder don’t guarantee security. The Cash App settlement is a reminder that when fintech companies cut corners on support and verification, users pay the price.

Continue Reading

Infosecurity

Microsoft’s Record Patch Tuesday: 570 CVEs Fixed as AI-Driven Discovery Reshapes Security

Published

on

Microsoft patches 570 CVEs

A Historic Security Update Drops

On July 14, Microsoft released patches for 570 CVEs — the largest single Patch Tuesday in the company’s history. The sheer scale caught many security teams off guard, though the writing had been on the wall for months.

Earlier this year, Microsoft warned that its use of agentic AI to hunt for flaws would inevitably push update volumes higher. That prediction has now landed, hard.

Why 570? AI Changed the Economics of Bug Hunting

Trey Ford, chief strategy and trust officer at Bugcrowd, put it bluntly: “The real story is economic. AI has collapsed the cost of finding vulnerabilities, and this increase in volume is a new floor, not the ceiling … at least for a while.”

His message to leadership teams is direct. Stop treating patch volume like a monthly surprise. Fund it as a fixed operating cost. “The organizations that win won’t be the ones that patch fastest this month. They’ll be the ones who built a process that scales when the next couple months continue to increase.”

This isn’t just a Microsoft story. Google fixed over 460 Edge/Chromium flaws this month alone, and Adobe has shifted its patching cadence to twice monthly. The industry is recalibrating.

Three Zero-Days, Two Actively Exploited

Among the 570 CVEs in this month’s Microsoft patches 570 CVEs batch are three zero-day vulnerabilities. Two have already been exploited in the wild.

CVE-2026-56155: Active Directory Federation Services EoP

This elevation of privilege (EoP) flaw in Active Directory Federation Services lets an authorized attacker elevate privileges locally. Adam Barnett, principal software engineer at Rapid7, noted that eight other AD FS vulnerabilities were also patched, all rated Important on Microsoft’s scale.

“The advisory doesn’t explicitly describe the location of the attacker, but it’s likely that an attacker would need an existing toehold on the target system to chain together with the elevation of privilege opportunity on offer here,” Barnett explained.

CVE-2026-56164: SharePoint Server — No Privileges Needed

The second exploited zero-day is another EoP bug, but this time in Microsoft SharePoint Server. The critical difference? No existing privileges are required. Microsoft has branded exploitation “low complexity.”

The US Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to harden their SharePoint systems in response to active exploitation of this flaw and two others published earlier this year.

CVE-2026-50661: BitLocker Bypass Requires Physical Access

The publicly disclosed zero-day is a Windows BitLocker security feature bypass. It could allow attackers to access encrypted data — but only if they have physical access to the target machine. That constraint limits its immediate danger, but it’s a reminder that encryption alone isn’t a silver bullet.

Breaking Down the Numbers

July’s update flood includes:

  • 254 elevation of privilege (EoP) vulnerabilities
  • 145 remote code execution (RCE) bugs
  • 102 information disclosure flaws
  • 59 rated critical, of which 48 are RCE flaws

The RCE numbers are especially concerning. Remote code execution is the kind of flaw that lets attackers take full control of a system without any user interaction.

What Security Teams Should Do Now

Qualys security research manager Mayuresh Dani observed, “This trend was predicted and we’re seeing the evidence of it happening now. As more advanced and frontier AI models become available, we can expect an upward trend to continue and then slow down.”

He added, “What we’re observing is that AI automated fuzzing, LLM-assisted variant hunting, and static analysis at scale are discovering bugs faster than enterprises can remediate.”

Qualys has urged organizations to take four concrete steps:

  • Move beyond CVSS-only prioritization. Use the Exploit Prediction Scoring System (EPSS) and CISA’s Known Exploited Vulnerabilities (KEV) catalog instead.
  • Adopt tiered-patching SLAs. For example, a KEV-listed CVE or an EPSS score above 0.5 should be patched within 24–36 hours. Classification should be risk-based and will differ per organization.
  • Reduce the attack surface. Ensure systems like Active Directory Federation Services aren’t internet-connected. On-premises SharePoint should not have public access. Remote management tools shouldn’t be reachable from anywhere.
  • Improve patching practices. Validate updates, monitor installs and system stability on a select group, and support automated rollback. Approved patches should then be pushed to all required systems.

The New Normal Isn’t Temporary

Ford’s closing point is worth repeating: “The intake will not be going back down for a while.” For CISOs and IT operations teams, the era of predictable, manageable Patch Tuesdays is over. The question now is whether your organization has the process maturity to survive the next few months — because the volume is only going one direction.

For more on how AI is reshaping vulnerability discovery, read about Anthropic’s Project Glasswing and its approach to using AI for finding critical software flaws.

Continue Reading

Infosecurity

One Prompt, Full Breach: Researchers Show ChatGPT-5.5 Can Execute Entire Cyber-Attack Chain in Under 40 Minutes

Published

on

ChatGPT-5.5 cyber-attack chain

The 40-Minute Hack: One Prompt Is All It Takes

It took one sentence. A single, high-level prompt fed to OpenAI‘s ChatGPT-5.5 — and within 40 minutes, the model had mapped a network, escalated privileges, and seized domain-level control. That’s the finding from Cato Networks, a cybersecurity firm that tested how far a so-called agentic attack could go when a frontier large language model (LLM) is given autonomy and a clear objective.

The experiment, detailed in a paper published July 15, was run inside a controlled Active Directory environment built to mirror a typical enterprise. The result? The model planned and executed the entire attack lifecycle: reconnaissance, exploitation, internal discovery, privilege escalation, lateral movement, and exfiltration. All from a single prompt.

Why GPT-5.5? The Frontier Model Accessible to Attackers

Cato Networks didn’t just pick any model. They tested both GPT-5.5 and the cybersecurity-specific GPT-5.5-Cyber. But they focused on the general-purpose version. Why? Because it reflects what most attackers can actually get their hands on.

“While both GPT-5.5 and GPT-5.5-Cyber were evaluated during the research, the later scenarios focused on GPT-5.5 to better reflect the publicly available frontier models accessible to most attackers at the time of the study,” the firm explained in a blog post.

The exact prompts used to direct the model remain undisclosed. That’s intentional — revealing them would hand malicious actors a ready-made blueprint. But the broader lesson is clear: the safety guardrails on public AI models can be bypassed with the right framing.

Six Scenarios, One Adaptive Attacker

The researchers ran six different test scenarios. In each, the environment changed. The model didn’t break stride. It adapted on the fly.

When a planned attack path failed, the agent didn’t stall. It generated custom vulnerability probes. It modified its data collection workflows. It designed alternative communication paths. In one test, the model built an SMB-based tunneling approach to move data through an existing foothold — a technique that requires real understanding of how Windows networks operate.

“Several executions demonstrated adaptive behavior when expected attack paths failed or environmental conditions changed,” the researchers noted. “Rather than following a rigid sequence of actions, the agent adjusted its approach based on observations gathered during execution.”

That flexibility is what made the difference. By combining lessons from earlier scenarios, the model reached its objective — admin-level privileges — in roughly 40 minutes. Speed, they found, came from adaptation, not brute force.

What This Means for Enterprise Defenders

The researchers were careful not to overstate the findings. “While these observations should not be interpreted as evidence of novel attack discovery, they do suggest that frontier models can contribute goal-oriented problem solving during offensive operations,” they wrote.

In plain English: the AI isn’t inventing new attack techniques. It’s applying known ones faster and with less human input. That’s the real risk. A threat actor with moderate skills can now orchestrate a multi-stage attack that previously required a team of specialists.

“A threat actor is only one part of the risk,” said Dr. Guy Waizel, tech evangelist at Cato Networks. “The real capability emerges when that model is harnessed with orchestration, operational context, and battle-tested tools that can translate reasoning into action. Our research shows that this combination can dramatically accelerate known attack workflows, reduce the amount of hands-on expertise required, and enable more coordinated execution across multiple stages of the attack lifecycle.”

AI-Driven Attacks Are Accelerating — and Evolving

Cato Networks, a member of OpenAI’s Daybreak Program, stressed that the patterns they observed may not be universal across all enterprise environments. But the trend is unmistakable. AI tools are becoming more embedded in workplaces, and malicious actors are learning to weaponize them — especially to compress the timeline of an attack.

This capability is likely to improve. Frontier models are getting smarter, faster, and more accessible. Jailbreaking techniques are evolving. The window between a prompt and a breach is shrinking.

For cybersecurity leaders, the takeaway is straightforward: assume that attackers have access to AI agents that can plan, adapt, and execute. Defenses need to be just as dynamic. That means monitoring for unusual lateral movement, segmenting networks aggressively, and treating every prompt-engineered query as a potential reconnaissance probe.

Infosecurity has contacted OpenAI for comment. The company has not yet responded.

Continue Reading

Trending