Unmasking Dark Web: You’ve Only Seen 4% of the Internet, Here’s the Rest!
Peeking Behind the Onion Curtain.
The internet you and I use every day—Google searches, social media, online shopping—is only the tip of the iceberg. Beneath it lies the Deep Web and, further still, the Dark Web, a hidden layer of the internet that isn’t accessible through regular browsers. This is where onion links, TOR routing, and underground marketplaces come into play.
In this article, we’ll explore the Darkus tool, a powerful search engine built for navigating the Dark Web. Using it, I’ll walk you through how researchers can uncover hidden services, track digital footprints, and even stumble upon massive data leaks that exposed sensitive user information. On that note, lets jump into it.
Darkus is an OSINT and Dark Web reconnaissance tool designed to help cybersecurity researchers, threat analysts, and investigators gather intelligence from hidden services, marketplaces, and forums on the Tor network. It allows users to search for keywords, track links, monitor activity, and organize results in a local database. The tool also provides a web-based interface for easier visualization and management of captured data.
It uses specialized Dark Web search engines like Ahmia, Torch and Notevil to find content on `.onion` sites. These search engines index hidden services, forums, and marketplaces on the Tor network, allowing Darkus to query keywords and retrieve links, posts, and other relevant data that aren’t accessible via regular web search engines.
Those of you who are completely new to this topic, let’s start by understanding the basics first.
Understanding the Web: Clear, Deep, and Dark
Clear Web (Clearnet)
The Clear Web is the part of the internet that most people use every day — websites like Google, YouTube, or Wikipedia. These sites are indexed by search engines, easy to find, and accessible via regular browsers. When you visit them, your activity can be tracked by websites, internet service providers (ISPs), or even governments.
Deep Web
The Deep Web refers to content not indexed by search engines. This includes things like private databases, subscription-only resources, internal company websites, or your email inbox. You need credentials or special access to reach these pages. Most of the Deep Web is legitimate and used every day for private data storage.
Dark Web
The Dark Web is a small portion of the Deep Web that is intentionally hidden and requires special tools to access. It hosts hidden services, marketplaces, forums, and sensitive information that are not meant to be visible on the Clear Web. Because of its anonymity, it’s often associated with illegal activities, but it’s also used for privacy-focused communication by journalists, activists, and researchers.
TOR (The Onion Router)
Tor is a network that enables anonymous browsing on the internet, especially to access the Dark Web. Instead of connecting directly to a website, your internet traffic is bounced through multiple relays around the world. This hides your real IP address and makes it extremely difficult to track your online activity.
Why Tor is needed:
On the Clear Web, your activity can be monitored.
To safely access the Dark Web while keeping your identity hidden, Tor is essential.
Onion Links
Onion links are websites that exist only on the Tor network. They end with `.onion` instead of `.com` or `.org`. You cannot access them with a regular browser — Tor is required.
Why onion links exist:
They provide hidden services such as private forums, marketplaces, or confidential repositories.
Tor ensures anonymity for both visitors and the server, protecting the site’s location and users’ identities.
Well, i think that's enough for an intro, lets jump straight into the action now.
Chapter 1: Darkus in the terminal
We will start off my cloning the github repository in our system.
git clone https://github.com/Lucksi/Darkus
Let’s install it. To do that, we’ll first create a Python virtual environment to avoid any issues while installing the required dependencies. I’ll name my virtual environment “.dark”, but you can name it whatever you like.
Once that’s done, we’ll use the Installer.sh script to install the necessary packages and requirements.
cd Darkus
python3 -m venv .dark
sudo chmod +x Installer.sh
sudo bash Installer.sh
Alright, let’s activate our virtual environment and install the required Python modules listed in the requirements.txt file using the command below.
source .dark/bin/activate
pip3 install -r requirements.txt
Now that we’ve installed all the required modules, let’s fire up the tool using the Main.py script and see how it works.
python3 Main.py
The tool asked us to type “Y” or “N” to accept the terms of use for educational purposes. Once I entered “Y”, the Tor service was activated, but an error occurred afterward.
I researched the error online and found that it was caused by an unmet dependency. To fix this, I needed to install the PySocks Python module, since the tool uses a SOCKS proxy to connect to the internet via Tor.
pip install pysocks
After installing PySocks, I re-ran the script — but, as always, the Demo Gods weren’t on my side. This time, I faced a connection error. The script was attempting to connect to ip-api.com to verify whether our IP address was successfully routed through Tor or not. So, let’s switch into troubleshooting mode.
First, I checked whether my Tor service was running, and according to the results, it indeed was.
Next, I checked whether I could manually curl the website using a SOCKS5 Tor proxy. The result was successful, and it returned all the expected details.
Finally, I examined the Main.py script of the tool and noticed that it was using a socks5h proxy. Out of curiosity, I removed the “h” and saved it as a regular socks5 proxy configuration to test it.
As soon as I ran the tool again, it displayed the Tor IP address along with its location. Sweet!
To confirm whether our traffic is completely routed through Tor, I used the dig utility on Linux. This revealed something interesting: the DNS server my machine is using is 127.0.0.53, which is the local default resolver.
However, the Tor service runs on port 9053 by default. This prompted me to go on a short research journey, and I discovered the following:
Our system is using systemd-resolved’s stub resolver (`127.0.0.53`), which in turn forwards DNS queries to our ISP’s or our configured upstream DNS. That means when we use `socks5://` in Python, the DNS lookups leak outside Tor before the connection is routed through it.
That explains:
Why `socks5://` works (DNS resolution is done locally, then Tor connects to the IP).
Why `socks5h://` fails (Tor is supposed to handle DNS, but our setup isn’t telling Tor to accept DNS requests).
The things to note here is that:
socks5:// = **DNS leak risk** (our ISP can see queries like `ip-api.com`).
socks5h:// = forces DNS through Tor, but our your case it times out → which usually means Tor’s DNS port (9053) isn’t exposed or PySocks is hitting a bug.
dig ip-api.com
In this case, I could continue using the tool with a regular socks5 proxy, but that carries the risk of a DNS leak, which could reveal our real IP — potentially detrimental in a real engagement or investigation. So, as usual, I chose the harder path: setting up the socks5h proxy with a little extra configuration.
To do this, we first need to modify our torrc file. We’ll add instructions to use DNSPort 9053 for Tor and enable AutomapHostsOnResolve, which allows Tor to resolve hostnames that don’t exist in the normal DNS system by creating a fake `.onion` mapping for them.
sudo gedit /etc/tor/torrc
DNSPort 9053
AutomapHostsOnResolve 1
Once we’ve completed the configuration, let’s restart the Tor service to apply the changes.
sudo systemctl restart torNext, we’ll update the DNS resolution configuration and set it to use port 9053 for DNS queries instead of the default port 53.
sudo gedit /etc/resolv.conf
At last, we will again change the socks5 to socks5h in the Main.py file and hit save.
Now, when we run our script, DNS resolution is handled through Tor, and everything works perfectly. Nice!
If we double check it with dig again, we can see we are resolving through port 9053.
Chapter 2: Drop your Hacking Tools!
Now that we have a working setup of our Darkus tool, let’s see how we can use it.
I first checked its help menu using the "help" command and discovered several useful options. According to the output, we can create a local database to store queried results, deactivate it if needed, and check whether a given URL is included on the Ahmia blacklist.
I started by creating a new database using the following command. Once it’s created, we can access it via the web interface on port 5600.
DB-A
The web interface provides a convenient way to query our results once we’ve completed an investigation. Sweet!
Now that everything is set up, let’s search for something interesting, like “hacking tools”, on the Dark Web. I hit Enter, selected option 4 for “All Results,” and boom! We retrieved a total of 2,522 links containing that keyword or related topics. Quite interesting!
Next, the tool prompted me to search for images. I went ahead, and it queried Torch and Notevil, but didn’t find any noteworthy results.
Moving on, we can also save the web report in our output folder.
Once we’ve completed our searches, we can use the web UI to view the results. It displays all the links that the tool has captured, which is great if you prefer a visual representation over terminal text. Personally, I’m comfortable with both.
So, I opened one of the .onion links from the results and found an online Darknet marketplace selling a tool related to Bitcoin.
I opened the product listing and found a tempting offer from a trusted 5-star vendor called “Mr. Hacking Kingpin.” He is selling “CrypTOR 2.1 – Find Free Bitcoin” for $75. The tool claims to search for keys from existing crypto wallets, essentially running in the background to brute-force wallet keys and notifying the user if it finds any.
There are some reviews for the tool as well — all 5 stars, which supposedly proves how good it is (just kidding).
As a genuine buyer, I added the tool to my cart and proceeded to checkout.
But wait what! Our beloved owner of our beloved Maria Shop which is actually a darknet marketplace for illegal stuff has put up a warning for the genuine users just like us. Cautioning us that there are multiple copy cats in the market that are ripping off the work of our owner and making the reputation of Maria Shop to go down the drain. That's really concerning.
Also, as a legit marketplace, Maria Shop also offers refund if we cancel our order within 12 days. Truely Professional!
Once we reach the checkout page, we can fill in our shipping details so that the order can be delivered. After that, we can pay with Bitcoin to complete the purchase.
This is the payment page, where you can send Bitcoin to their wallet address and confirm your order. Jokes aside, most darknet marketplaces are scams, and if they’re not, they’re very likely FBI honeypots. So, proceed with extreme caution!
After exploring the hacking tools that Maria Shop is selling, I decided to browse through their other products. To my surprise, I came across some rather… inspirational items, reminiscent of the “cooking lab” of the likes of Jesse Pinkman and Walter White.
Here, we’re talking about OG Colombian cocaine, LSD tablets, and, of course, crystal meth. Clearly, this place is a true hangout spot for recreational users.
Chapter 3: Welcome to the Chatroom
Woah! That was intense. Let’s take it a step further. There are stories of so-called “Red Rooms” on the Dark Web, where people are supposedly tortured live and the events are broadcast online. While this is generally not technologically feasible over Tor due to bandwidth limitations, we can still search for related chat rooms and discussions.
Let’s begin our search.
From the results, I came across a Hidden Wiki page containing a .onion link to a chat app called PFPMD Chat.
I accessed the chat, and it felt a bit strange. Most of the messages seemed to be in Russian, so I couldn’t decipher much of what was going on. However, among the conversations, I noticed a user named “Aera” who was promoting their own chat platform.
As a normal curious homo sapien, I decided to try out my buddy’s chat app. The main page asked me to enter a codename and solve a captcha. Once completed, I was redirected to the main chat interface.
The chat app looked like a 90s-style IRC and was a bit buggy. There wasn’t much interesting happening there, but I noticed three other links being promoted. Naturally, I decided to check those out as well.
The first link led to another chat app called “Abyss Chat,” which focused on hacking and cybersecurity discussions. I entered my details and successfully logged in.
But here too the audience was kinda dull. Maybe i am not at the right time here.
I also came across my guy Aera’s Discord, but I didn’t join. Remember, we’re on the Dark Web, and linking it to a well-known service with your real account would be a major OPSEC failure as an investigator. If you ever need to do this, make sure to use a burner account.
The second link led to a Blackhat forum, which I chose not to join. The final link was a secretive social network called “The Devil’s Playground.”
Chapter 4: Spill some Tea!
Now that we’ve finished playing with the tool, let’s get down to business.
Recently In July 2025, the women-only “Tea” dating-advice app—marketed as a safe space for sharing “red-flag” warnings—was breached, exposing around 72,000 user images (including 13,000 selfies and IDs) and over 1.1 million private messages. The leaked data, shared on platforms like 4chan and X shows that this app asks for the "Driving License" picture of women as a form of authentication.
But Hackers exploited a misconfigured Firebase storage bucket, leaving it publicly accessible and without authentication. Through that open endpoint—its URL embedded within the app—they fetched tens of thousands of user images and over a million private messages and the data was then dumped to 4chan.
Well, this is a serious privacy concern but for OSINT investigators it is a goldmine of information. Now its hard to find the breached data on the clear net but what about dark web. Lets find out.
So, i used the keyword "tea app hack" which gave me a bunch of result.
Out of which, i found a forum which has links to the archived 4chan boards and posts related to tea app hack.
Upon accessing those links, I came across some screenshots floating online related to users of the Tea app. I’ve blurred out certain details in the screenshot below to protect their privacy. But honestly, it’s quite alarming!
Now this was all good, but as a researcher my heart wants more - the complete data dump of the hack. So, I sifted through dozens of 4chan posts and eventually found a magnet link to download the full dump.
Next, i fired up the Transmission app, pasted the link, and the download began - A 240+ GB of data including the app's metadata, assets, user pictures, DL pictures, their chat attachments, their posts, their comments and what not.
As per the result below, i was able to dump all the pictures of the ladies on the app.
I found a couple of imposters too between all of these. Here's one of them.
But the most alarming part of this breach is the exposure of Personally Identifiable Information (PII), such as Driving Licenses. As shown in the screenshot below, anyone with access to this dump essentially has all the sensitive details of the app’s users. This includes their Name, Address, Gender, Height, and Date of Birth (DOB).
Well, I have redacted the information on my end to maintain the privacy of the individuals. However, this incident raises a serious concern in today’s world of AI-powered apps. Vibe coding is fine if you’re just experimenting or playing around with AI capabilities, but the moment you put it online for thousands of users, security of their data must be a top priority.
This breach is a stark reminder of how easily personal data can end up in the public domain due to a single mistake. And once your information is out there—there’s no taking it back.
Chapter 5: Conclusion
Exploring the Darkus tool gave us a unique glimpse into how the dark web can be navigated, queried, and analyzed for real-world intelligence. From understanding how the tool leverages TOR and hidden services to uncovering the infamous Tea App hack dump, one thing becomes clear—**the dark web is both a goldmine of information and a minefield of risks.**
While the technology is fascinating, the exposure of highly sensitive PII in breaches like these highlights just how fragile digital trust can be. Tools like Darkus are powerful in the hands of researchers, but they also remind us of the responsibility that comes with peering into hidden corners of the internet.
If you found this breakdown insightful and want to dive deeper into offensive security, OSINT research, and real-world case studies, make sure to subscribe to our newsletter - God Access Labs. Here I share weekly research, investigations, and podcasts that decode the hidden layers of cybersecurity, hacking, and intelligence gathering.
Stay curious, stay cautious, and most importantly—stay ahead.