Dark Web Monitoring for AML & EDD Analysts: A Working Methodology

When a sanctions analyst opens a counterparty file in 2026, the conventional inputs are obvious — corporate registry extract, beneficial-ownership reconstruction, adverse-media sweep, sanctions-list cross-match. The less obvious input, but increasingly the one that turns a routine onboarding into an escalated review, is what the analyst can read about the counterparty on infrastructure the counterparty never expected to be read on: ransomware leak portals, credential combolists circulating on Telegram, paste-site fragments, the legacy threads of XSS and Exploit, the post-Hydra Russian marketplace ecosystem, and the Probiv lookup services that still resell data extracted from Russian state databases. This briefing is not a tools tour. It is a methodology for folding those sources into a counterparty risk file in a way that survives audit, regulatory scrutiny, and the question every Money Laundering Reporting Officer eventually has to answer in writing: what did you know, and when did you know it?

TL;DR

Dark-web data feeds belong inside the EDD process, not next to it. The five categories that matter for sanctions, AML and counterparty risk teams are: (1) ransomware leak-site posts naming the counterparty or its affiliates; (2) credential and session-token dumps that suggest the counterparty's network has been compromised; (3) paste-site and Telegram-channel leaks exposing officers, suppliers, or customers; (4) RuNet forum archives (Exploit, XSS, RAMP) for actor and infrastructure attribution; and (5) Russian Probiv lookup-service residue indicating identifier coverage of named officers. Each category produces signals with different evidentiary weight; each requires a documented chain-of-custody record in the counterparty file. The March 2025 US-German takedown of the Garantex crypto exchange, and the closure of legacy successor markets through 2025, demonstrate that this data class is increasingly load-bearing for sanctions-evasion typology, not optional context.

Why this matters now, in the specific 2026 enforcement context

Three developments through 2024 and 2025 reshaped how enforcement authorities view dark-web evidence in counterparty files. First, the US Treasury's March 2025 action against Garantex — a Russian crypto exchange that processed an estimated 96 billion dollars of activity since its 2019 founding — was supported by leak-site and forum evidence showing how the exchange was used to cash out ransomware proceeds.[1][2] The action was coordinated with German and Finnish authorities and resulted in the seizure of Garantex's domain infrastructure and the arrest of administrator Aleksej Besciokov in India.[3] Counterparties that had transacted with Garantex were left explaining why their compliance pipelines had not flagged a venue whose use by ransomware affiliates was documented in primary leak-site sources from 2022 onward.

Second, the EU's 20th sanctions package in 2025 introduced a sectoral prohibition on dealings with Russian crypto-asset service providers, going beyond named-entity sanctions into a structural ban that compliance teams cannot satisfy with simple list-screening.[4] The package implicitly requires firms to know which exchanges are Russian-registered or Russian-controlled, and the practical answer to that question often sits in OSINT reporting and dark-web infrastructure mapping, not in any official register. We unpack the operational implications of this in our companion piece EU Crypto Sanctions on Russia: The CASP Ban, Decoded.

Third, FinCEN, the FCA, and various EU competent authorities have through 2024 and 2025 increased the number of enforcement actions citing "failure to consider available open-source signals" as a deficiency in EDD programmes. The phrasing varies; the substance is consistent: where information was publicly accessible, the question is no longer whether the firm subscribed to a specific dataset, but whether the firm's EDD process was capable of incorporating accessible signals when they bore on the customer. Dark-web monitoring — once treated as a cyber-security function — has been quietly absorbed into the compliance perimeter.

The five data classes and what each one tells you

Dark-web data is not a single thing. For an EDD analyst, the practical distinction is between data classes that carry different evidentiary weight and require different handling rules.

Class 1 — Ransomware leak-site posts

  • Ransomware-as-a-service operators (LockBit, ALPHV/BlackCat, Cl0p, Akira, Play, Qilin, and the more recent successor groups that emerged after the February 2024 LockBit Operation Cronos disruption[5]) maintain Tor-hosted "leak sites" where they publish stolen data from victims who refused to pay.
  • For an EDD analyst, a leak-site post is a categorical signal: the counterparty was compromised, the gang has its data, and unless the gang's stated extortion deadline has expired without disclosure, the counterparty is in active crisis. This is not subtle reputational data; it is operational continuity data.
  • The aggregator of record for academic and journalistic reference is Ransomwhere; for live tracking, journalist-curated dashboards (Brett Callow, vx-underground, DarkFeed) and CTI vendor feeds republish the same posts. The original Tor-resident pages are the primary source.
  • Evidentiary handling: screenshot, hash, archive the source URL (a .onion address; record the date of access). Do not download the bulk leak corpus — doing so creates a possession-of-stolen-data exposure in some jurisdictions and offers no marginal evidentiary benefit.

Class 2 — Credential and session-token dumps

  • Initial Access Brokers (IABs) advertise access to corporate networks — RDP, VPN, valid AD credentials, session tokens stolen by infostealers such as RedLine, Vidar, Raccoon, Lumma, and Stealc — on forums and increasingly in Telegram channels. Have I Been Pwned and Troy Hunt's broader publication corpus are the public-facing surface, but the underlying data is much larger.[6]
  • For EDD, the signal is not "does the counterparty appear in HIBP" — almost every multinational does. The signal is the shape of exposure: how many corporate-domain credentials appear in 2024-2025 vintage stealer logs, what privilege tiers are implied (admin, finance, helpdesk), and whether session-token data is present that would indicate a compromised endpoint rather than a recycled password.
  • The 16-billion-credential aggregated corpus reported in mid-2025 by Cybernews is illustrative of the scale: it was not a single new breach but a compilation drawn from prior stealer-log exfiltration and reposted on Telegram and paste sites.[7] A counterparty whose domain appears repeatedly in such corpora warrants escalation regardless of whether a specific public breach has been disclosed.
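The "shape of exposure" test described in this class can be made mechanical. The following is an added example, not code from the briefing: it works on metadata-only records (domain, account role hint, log vintage, whether a session token was present, and the source) so that the file never holds the credentials themselves. The privilege-tier keywords, the 2024-2025 "recent" window, the escalation rules and the sample records are all assumptions constructed for illustration.

```python
"""Exposure-shape triage for Class 2 (credential / session-token) hits.

Added example, not code from the briefing. Records carry metadata only; the
secret itself is never stored. Tier keywords, the recent-year window and the
escalation thresholds are assumed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Keywords in the exposed account's local part or role label that imply a
# privilege tier. Assumed mapping for the example, not a standard taxonomy.
TIER_KEYWORDS = {
    "admin": ("admin", "sysadmin", "root"),
    "finance": ("finance", "treasury", "payroll", "cfo"),
    "helpdesk": ("helpdesk", "servicedesk", "support"),
}

@dataclass(frozen=True)
class ExposureRecord:
    domain: str          # corporate domain the credential belongs to
    account_hint: str    # local part or role label only; never the secret
    source_year: int     # vintage of the stealer log or compilation
    session_token: bool  # token present => endpoint compromise, not a recycled password
    source: str          # feed, channel or paste where the record was seen

def infer_tier(hint: str) -> str:
    """Map an account hint to an assumed privilege tier."""
    h = hint.lower()
    for tier, words in TIER_KEYWORDS.items():
        if any(w in h for w in words):
            return tier
    return "standard"

def exposure_shape(records, domain, recent_years=(2024, 2025)):
    """Summarise how a domain is exposed rather than whether it appears at all."""
    hits = [r for r in records if r.domain.lower() == domain.lower()]
    recent = [r for r in hits if r.source_year in recent_years]
    return {
        "domain": domain,
        "total": len(hits),
        "recent": len(recent),
        "tiers": dict(Counter(infer_tier(r.account_hint) for r in recent)),
        "session_tokens": sum(1 for r in recent if r.session_token),
        "distinct_recent_sources": len({r.source for r in recent}),
    }

def escalate(shape, min_recent=5, min_sources=2):
    """Assumed escalation rules; returns (flag, reasons) for the EDD file."""
    reasons = []
    if shape["session_tokens"]:
        reasons.append("session tokens present: compromised endpoint, not a recycled password")
    privileged = sum(n for tier, n in shape["tiers"].items() if tier != "standard")
    if privileged:
        reasons.append(f"{privileged} recent exposure(s) in privileged tiers")
    if shape["recent"] >= min_recent and shape["distinct_recent_sources"] >= min_sources:
        reasons.append("repeated appearance across recent corpora")
    return bool(reasons), reasons

# Constructed sample records: placeholder domains, no real accounts, no secrets.
SAMPLE = [
    ExposureRecord("example-pharma.de", "jsmith", 2019, False, "compilation-A"),
    ExposureRecord("example-pharma.de", "finance.ap", 2024, False, "stealer-log-feed"),
    ExposureRecord("example-pharma.de", "helpdesk", 2025, True, "telegram-channel-X"),
    ExposureRecord("example-pharma.de", "mmueller", 2025, False, "telegram-channel-X"),
    ExposureRecord("other-corp.example", "admin", 2025, True, "stealer-log-feed"),
]

if __name__ == "__main__":
    shape = exposure_shape(SAMPLE, "example-pharma.de")
    print(shape)
    print(escalate(shape))
```

The point of the design is that `exposure_shape` never answers "does the domain appear" (it almost always does); it answers how recently, in which tiers, with or without session tokens, and across how many independent sources, which is the information the escalation decision actually needs.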

Class 3 — Paste sites and Telegram leak channels

  • Paste sites (Pastebin, Doxbin, Ghostbin and their successors) and a long tail of Telegram channels host short-form leak fragments: a single document dump, an internal email chain, a CFO's calendar export. The signal density is high; the noise is higher.
  • The 2024-2026 shift has been substantial: high-value leaks now appear first on Telegram, often in channels operated by hacktivist personas with a clear geopolitical orientation. Pro-Russian channels surfacing Ukrainian government leaks, and the inverse, are visible daily. For an EDD analyst working on Russian or CIS counterparties, the curated journalist archives of these channels (preserved by InformNapalm, Bellingcat collaborators, and various academic projects) are the most efficient point of entry.
  • Evidentiary handling: paste-site material decays. Snapshot to the Wayback Machine immediately on discovery. Where the source is a Telegram channel, capture the message ID, channel ID, and date; do not assume the channel will persist.

Class 4 — RuNet forum archives (Exploit, XSS, RAMP legacy)

  • The Russian-speaking cybercrime forums Exploit (exploit.in) and XSS (xss.is, formerly DaMaGeLaB) remain the actor-attribution reference for affiliates and tool authors, even where current-day activity has migrated to invitation-only Jabber and Telegram channels. RAMP, the post-Hydra ransomware-affiliate marketplace, continued operations through 2024-2025 despite intermittent disruption.
  • For EDD, these archives are rarely used to find the counterparty directly. They are used to attribute behaviour: an IAB advertising "VPN access to a German Mittelstand pharma with EUR 280m revenue" can be cross-referenced against a known affected counterparty. Threat-actor handles that appear in counterparty incident reporting can be searched against forum reputation history.
  • The June 2025 international operation against XSS, which led to its takedown and the indictment of its alleged administrator, illustrates that even long-running RuNet forums are no longer beyond enforcement reach.[8] Archives of the closed forums remain accessible through journalistic archives and academic CTI collections.

Class 5 — Probiv residue and the post-Hydra marketplace ecosystem

  • "Probiv" is the Russian term for the underground trade in lookups from Russian state databases: passport records, vehicle registrations, mobile-operator subscriber data, MVD traffic-police records, tax filings, and bank-account details. The market is fed by insider corruption inside the relevant ministries and operators. It has been the subject of repeated FSB and MVD actions through 2022-2025; the structural conditions that produce it — low salaries and high data access — have not changed.[9]
  • The post-Hydra Russian-speaking marketplace ecosystem — principally Mega, Blacksprut and Kraken following the April 2022 BKA takedown of Hydra[10] — is the venue for narcotics and laundering services. Garantex was the predominant fiat-crypto cash-out rail before its March 2025 takedown.[1][3]
  • For EDD, Probiv residue and marketplace presence rarely involve the counterparty itself; they involve named officers, related parties, or transactional counterparties of the entity under review. An officer whose passport and mobile-operator records appear in archived Probiv listings is a person whose identity has been weaponised at some point, which is itself a risk indicator.

Folding the signals into the counterparty file

The five data classes above are inputs, not conclusions. The discipline that distinguishes a defensible EDD file from an indefensible one is how the analyst integrates them with the rest of the workup. The pattern we apply, and that we recommend to clients building in-house capability:

Step 1: Run the conventional screen first. Sanctions cross-match, registry pull, beneficial-ownership tier reconstruction, adverse-media. Establish the baseline risk classification. Do not start with dark-web monitoring; doing so biases the analyst toward over-weighting cyber signals relative to the broader risk picture. The free public infrastructure for the baseline screen — OFAC SDN search, OFSI consolidated list, EU FSF, OpenSanctions — is discussed in our free sanctions screening tool guide.

Step 2: Run the dark-web sweep against named identifiers, not free-text descriptions. The identifiers that produce signal: the counterparty's primary corporate domain and its top three subsidiary domains; the personal and corporate email addresses of named officers; the INN and OGRN for Russian entities, the registered company number for non-Russian; the named brand assets that the counterparty publicly attaches to itself; and where the case warrants it, the personal mobile numbers of senior officers (sourced from publicly disclosed regulatory filings, not from intrusive collection).

Step 3: Classify each hit by signal class and freshness. A leak-site post from yesterday is operationally urgent. A 2019 paste-site fragment containing an officer's historic credentials is context, not a live signal. The taxonomy should be explicit in the file: which class, what date, what evidentiary handling.

Step 4: Cross-reference cyber signals against the sanctions-evasion typologies you already track. The most useful integration is not "this counterparty was breached, therefore higher risk." It is "this counterparty appears repeatedly in stealer-log corpora that also feature credentials for entities in our 287-tanker dataset on Russian shadow-fleet operators" — that is, dark-web data as a network indicator that surfaces relationships invisible to corporate-registry methods. Our companion briefing Russia's Shadow Fleet: How 287 Sanctioned Tankers Keep Urals Crude Flowing documents the registry-based reconstruction; the dark-web layer is its complement.

Step 5: Document, do not warehouse. The file should reference the existence and source of the dark-web finding; it should not contain the underlying stolen data. Possession of breach corpora exposes the firm to data-protection liability and, in some jurisdictions, possession-of-stolen-data exposure. Reference the existence and the URL; archive the screenshot; store the hash; do not store the corpus.
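Steps 2 through 5, together with the evidentiary-handling rules given under Classes 1 and 3 (screenshot, hash, source URL, access date), reduce to one routine. The following is an added example and not the briefing's or any vendor's tooling: it matches hits only against named identifiers (Step 2), classifies each hit by signal class and freshness (Step 3), and writes a chain-of-custody entry that references the source and the SHA-256 of the analyst's screenshot but never the underlying data (Step 5). The freshness thresholds, field names, identifiers, placeholder URLs and screenshot bytes are assumptions constructed for illustration.

```python
"""Steps 2-5 of the briefing as an evidence-handling routine.

Added example, not the briefing's own code. The 30-day and 365-day freshness
thresholds, the field names, and every identifier, URL and byte string below
are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date

SIGNAL_CLASSES = {
    1: "ransomware leak-site post",
    2: "credential / session-token dump",
    3: "paste-site or Telegram leak fragment",
    4: "RuNet forum archive reference",
    5: "Probiv residue / marketplace presence",
}

# Step 2: named identifiers only, never free-text descriptions (constructed).
NAMED_IDENTIFIERS = {"example-pharma.de", "example-pharma.com", "cfo@example-pharma.de"}
ACCESS_DATE = date(2026, 2, 12)  # constructed date of the analyst's sweep

def sha256_hex(data: bytes) -> str:
    """Hash of the analyst's capture; stored in the file instead of the data."""
    return hashlib.sha256(data).hexdigest()

def classify_freshness(signal_class: int, published: date, accessed: date) -> str:
    """Step 3. Thresholds (30 / 365 days) are assumed, not from the briefing."""
    age = (accessed - published).days
    if age < 0:
        raise ValueError("source claims a publication date after the access date")
    if signal_class == 1 and age <= 30:
        return "urgent"      # live extortion window: operational-continuity data
    if age <= 365:
        return "live"
    return "context"         # historic fragment, not a live signal

@dataclass(frozen=True)
class EvidenceRecord:
    identifier: str
    signal_class: int
    signal_label: str
    source_url: str         # .onion, paste or channel/message reference only
    published: str          # ISO date claimed by the source
    accessed: str           # ISO date the analyst viewed it; sources decay in weeks
    freshness: str
    screenshot_sha256: str  # hash of the capture kept beside the file, not the corpus

def build_record(hit: dict, accessed: date) -> EvidenceRecord:
    """Turn one raw hit into a file entry; the screenshot bytes are hashed, not kept."""
    cls = hit["signal_class"]
    if cls not in SIGNAL_CLASSES:
        raise ValueError(f"unknown signal class {cls}")
    return EvidenceRecord(
        identifier=hit["identifier"],
        signal_class=cls,
        signal_label=SIGNAL_CLASSES[cls],
        source_url=hit["source_url"],
        published=hit["published"].isoformat(),
        accessed=accessed.isoformat(),
        freshness=classify_freshness(cls, hit["published"], accessed),
        screenshot_sha256=sha256_hex(hit["screenshot"]),
    )

def sweep(identifiers, hits, accessed: date):
    """Keep only hits on a named identifier; free-text matches are dropped."""
    wanted = {i.lower() for i in identifiers}
    return [build_record(h, accessed) for h in hits if h["identifier"].lower() in wanted]

def file_entry(record: EvidenceRecord) -> str:
    """Step 5: the counterparty-file entry references, it does not warehouse."""
    return json.dumps(asdict(record), sort_keys=True)

# Constructed hits. URLs are placeholders, not real sites.
CONSTRUCTED_HITS = [
    {"identifier": "example-pharma.de", "signal_class": 1,
     "source_url": "http://PLACEHOLDER-LEAKSITE.onion/victims/example-pharma",
     "published": date(2026, 2, 11), "screenshot": b"constructed-PNG-bytes-leak-post"},
    {"identifier": "cfo@example-pharma.de", "signal_class": 3,
     "source_url": "https://PLACEHOLDER-PASTE.example/raw/abc123",
     "published": date(2019, 6, 1), "screenshot": b"constructed-PNG-bytes-paste"},
    # Free-text description rather than a named identifier: dropped by sweep().
    {"identifier": "German Mittelstand pharma, EUR 280m revenue", "signal_class": 4,
     "source_url": "https://PLACEHOLDER-ARCHIVE.example/thread/456",
     "published": date(2025, 11, 3), "screenshot": b"constructed-PNG-bytes-forum"},
]

if __name__ == "__main__":
    for rec in sweep(NAMED_IDENTIFIERS, CONSTRUCTED_HITS, ACCESS_DATE):
        print(file_entry(rec))
```

Two design choices carry the audit weight. The record stores both `published` and `accessed`, because the question "what did you know, and when" is answered by the access date, not the source's claimed date. And `build_record` accepts the screenshot bytes only to hash them: the JSON entry that reaches the counterparty file contains the digest and the reference, so the file can prove what was seen without the firm ever holding the leaked material.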

What this does not tell you

Five limitations the methodology cannot overcome, stated plainly:

  • Absence of evidence is not evidence of absence. A counterparty that does not appear on a single leak site has not been verified to be uncompromised; it has been verified to be either uncompromised, compromised but not yet leaked, or compromised by an actor that does not maintain a public leak portal. State-sponsored intrusions, in particular, rarely surface on commercial extortion sites.
  • Attribution is rough. Forum handles, leak-site claims, and IAB advertising are subject to false flags, recycled access, and competitor spoofing. Treat actor attribution as a hypothesis, not a finding.
  • Source decay is fast. Telegram channels go down, paste sites are wiped, Tor leak portals rotate. The half-life of a dark-web source is measured in weeks. The file must reflect access date, not just publication date.
  • Legal posture varies. The EU's NIS2 directive, the UK's evolving incident-reporting regime under the Cyber Security and Resilience Bill (proposed 2024-2025), and various US state breach-notification regimes interact with what firms can do with dark-web evidence and what they must report. Counsel should review the firm's standard operating procedure annually.
  • Cyber signal is not financial conduct. A counterparty that was breached is not, on that basis, laundering money. The bridge between cyber compromise and financial-crime typology has to be drawn explicitly; it cannot be assumed. Many of the EDD outcomes we have produced from dark-web data were exonerative, not inculpatory.

Where to invest in-house capability versus where to commission

Most compliance teams should not build dark-web monitoring as an in-house cyber-intelligence function. The skill set, the operational security posture, the access infrastructure, and the legal hygiene required are not native to a sanctions or AML team. What the team should build is the integration layer: the workflow that takes dark-web signal — whether from commercial CTI feeds, journalistic archives, or commissioned investigations — and folds it into the EDD file under documented governance.

Where the in-house team should commission rather than build: live Tor-resident leak-site monitoring; access to invitation-only forums; Telegram channel scraping at scale; targeted infostealer-log searches; and Russian-language forum archive search. Each of these has both a technical and a tradecraft cost, and each can be retained as a service. Our dark web monitoring service is structured around this division: we provide the collection and triage; the client's compliance team owns the EDD integration.

The geographic case for this approach is sharpest in the Russia and CIS context, where the relevant sources are predominantly Russian-language, the marketplace ecosystem has changed three times since 2022, and the regulatory environment around sanctions enforcement is moving faster than most firms can recalibrate. The behavioural ecosystem of post-Hydra marketplaces, the residency of Garantex's successor cash-out infrastructure, the displacement of Cypriot Russian-resident deposits into UAE structures (we map this in Cyprus to UAE: The 18.4B Russian Deposit Exodus), and the parallel maritime opacity stack are all related phenomena. A counterparty file that treats them as separate is a file that has missed the connections.

Closing note

Dark-web monitoring, treated as a sanctions and AML input rather than a cyber function, is not a 2026 innovation. It is the catching-up of EDD practice with what regulators have, in successive enforcement actions through 2024 and 2025, already signalled is expected. The shift in framing — from "did you check the lists" to "did you incorporate the available signals" — is the substantive change. The methodology above is the operational consequence. The next time a counterparty appears in a leak-site post 48 hours after onboarding, the analyst who can produce a documented record showing the signal had not yet existed at decision time, and whose firm's process is structured to ingest the signal when it does exist, is the analyst whose firm will not feature in the next enforcement notice.

Sources and further reading

  1. Treasury Sanctions Cryptocurrency Exchange and Network Enabling Sanctions Evasion and Cyber Criminals. U.S. Department of the Treasury, OFAC, March 2025 — Garantex re-designation and Grinex successor designation.
  2. Two Garantex Cryptocurrency Exchange Administrators Charged with Money Laundering. US Department of Justice press release, March 2025.
  3. United States and Allies Take Action Against Garantex. US Treasury press notice on the coordinated international action.
  4. EU sanctions against Russia following the invasion of Ukraine. European Commission, current restrictive measures including the CASP sectoral prohibition.
  5. Operation Cronos: NCA-led disruption of LockBit. UK National Crime Agency, February 2024.
  6. Have I Been Pwned. Troy Hunt's breach-corpus aggregator, the primary public-facing surface for credential-exposure verification.
  7. 16 billion credentials leaked in compilation database. Cybernews investigation, 2025, on the aggregated stealer-log corpus.
  8. Global operation takes down XSS cybercrime forum. Europol announcement, 2025.
  9. The Russian Probiv Trade. Recorded Future Insikt Group reporting on insider-sourced lookup services.
  10. Hydra Market: Largest illegal darknet marketplace worldwide shut down. Bundeskriminalamt, April 2022.
  11. Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. OFAC, 2021 update, the controlling US guidance on ransomware-payment compliance.
  12. FinCEN Advisory on Ransomware and the Use of the Financial System. FinCEN, 2021.
  13. OpenSanctions consolidated sanctions dataset. Cross-list reference for entity matching.
  14. OCCRP Aleph. Investigative dataset and corporate records platform.
  15. Ransomwhere. Open ransomware-payment tracking dataset.

Need dark-web monitoring scoped to a specific counterparty or supply chain?

We collect and triage leak-site, forum, paste-site, and RuNet marketplace signal against named identifiers and deliver findings in a format your EDD process can ingest — with documented chain-of-custody and evidentiary handling consistent with EU AML and US BSA record-keeping expectations.
