Main Pages
Markets
Security
Reference
Darknet Glossary
This glossary defines common terminology used in discussions about the darknet, darknet markets, anonymity technologies, and operational security. Whether you are a researcher or a newcomer following the Beginner's Guide, this reference will help you understand the language of the dark web.
Quick-Reference Table
The following table lists the most essential darknet terms every reader should know:
| Term | Definition |
|---|---|
| .onion | Special-use top-level domain suffix for Tor hidden services, accessible only through the Tor network. |
| Darknet | An overlay network requiring specific software or authorization to access, distinct from the surface and deep web. |
| Tor | The Onion Router — anonymity software that routes traffic through encrypted relays to conceal a user's location. |
| Hidden Service | A website or service hosted on the Tor network, reachable only via a .onion address. |
| Bitcoin | The original decentralized cryptocurrency, widely used on darknet markets before the rise of Monero. |
| Monero | A privacy-focused cryptocurrency with built-in obfuscation, now the preferred payment method on most markets. |
| Escrow | A dispute-resolution mechanism where a market holds funds until the buyer confirms receipt of goods. |
| OPSEC | Operational Security — practices and procedures used to protect sensitive information and maintain anonymity. |
| PGP | Pretty Good Privacy — encryption standard used for signing and encrypting messages and verifying vendor identities. |
| VPN | Virtual Private Network — a service that encrypts internet traffic and routes it through a remote server. |
Core Concepts
Darknet
The darknet is an overlay network that requires specific software, configurations, or authorization to access. It is a subset of the deep web and is distinct from the surface web (the indexed, searchable internet). The term is often used interchangeably with "dark web" in popular media.
Deep Web
The deep web refers to the portion of the internet not indexed by standard search engines. It includes private databases, paywalled content, email inboxes, and medical records. The darknet is a small part of the deep web that is intentionally hidden and requires special tools like Tor to access.
Surface Web
The surface web, also called the visible or indexed web, comprises all websites that search engines like Google can crawl and index. It represents only an estimated 4–10% of the total internet content.
Clear Web
The clear web (or clearnet) refers to the unencrypted, publicly accessible internet that does not route through anonymity networks. It is synonymous with the surface web and is the everyday internet most people use.
Hidden Service
A hidden service is a website or server hosted within the Tor network that can only be reached via a .onion address. These services conceal both the visitor's identity and the server's location through Tor's rendezvous protocol.
Technology & Infrastructure
Tor
Tor (The Onion Router) is free, open-source anonymity software that directs internet traffic through a worldwide volunteer network of relays to hide a user's location and usage from anyone conducting network surveillance or traffic analysis.
.onion
.onion is a special-use top-level domain suffix designating an anonymous hidden service reachable only via the Tor network. Onion addresses are derived from the service's public key and typically consist of a string of 56 alphanumeric characters followed by ".onion".
I2P
I2P (Invisible Internet Project) is an anonymous overlay network similar to Tor but designed primarily for peer-to-peer communication. Unlike Tor's onion routing, I2P uses garlic routing, where multiple messages are bundled together for greater efficiency and anonymity.
Bridge
A Tor bridge is a private or unlisted relay that helps users circumvent censorship. Bridges are not publicly advertised, making it more difficult for ISPs or governments to block access to the Tor network in restrictive regions.
Exit Node
An exit node is the final Tor relay in a circuit, responsible for decrypting the traffic and sending it to its destination on the clearnet. Because exit nodes make the final connection, their operators can be legally scrutinized for traffic that passes through them.
Guard Node
A guard node (or entry node) is the first relay in a Tor circuit. It sees the user's IP address but not where they are going. Guard nodes are chosen from a stable subset of relays to protect against profiling attacks.
Relay
A relay is a server in the Tor network that forwards encrypted traffic between other relays. Volunteers operate relays to contribute bandwidth to the network, and each relay only knows the previous and next hop in the circuit.
IP Address
An Internet Protocol address is a numerical label assigned to each device on a network. In the context of darknet anonymity, an IP address is the primary piece of identifying information that users seek to conceal from markets, law enforcement, and other third parties.
VPN
A Virtual Private Network encrypts a user's internet connection and routes it through a remote server, masking their IP address. Many darknet users layer a VPN before Tor ("VPN over Tor") or use a VPN as an alternative to Tor for basic privacy needs.
Markets & Commerce
Darknet Market
A darknet market is a commercial website operating as a hidden service that facilitates transactions between buyers and vendors, typically for goods or services that are illegal or privacy-sensitive. These markets function similarly to e-commerce platforms like eBay but with cryptocurrency payments and escrow systems.
Market
A shortened term for a darknet market, used by community members when referring to specific platforms or the marketplace ecosystem as a whole.
Vendor
A vendor is a seller on a darknet market who lists products, sets prices, and fulfills orders. Vendors are typically rated by buyers and may use PGP-encrypted profiles to verify their identity across multiple platforms.
Escrow
Escrow is a transaction model where the market holds the buyer's payment until the order is received and confirmed. If there is a dispute, moderators can release funds to either party, reducing the risk of fraud for both buyers and vendors.
Multisig
Multisig (multi-signature) escrow requires two or more cryptographic signatures to release funds — typically any two of the buyer, vendor, and market moderator. This reduces the risk of market exit scams because no single party can unilaterally control the funds.
FE (Finalize Early)
Finalize Early is a transaction status in which a buyer releases the escrowed funds before receiving the product. FE is generally discouraged because it exposes the buyer to vendor fraud, though trusted vendors may require it for repeat customers.
Mirror
A mirror is an alternative .onion address for the same darknet market or hidden service. Mirrors provide redundancy in case one address becomes unavailable due to DDoS attacks, server issues, or domain changes.
AlphaBay
AlphaBay was a massive darknet market launched in 2014 that grew to become the largest on the web by transaction volume. It was taken down in 2017 in a coordinated international law enforcement operation, leading to its founder's arrest.
Silk Road
Silk Road was the first modern darknet market, launched in 2011 by Ross Ulbricht (operating under the pseudonym Dread Pirate Roberts). It pioneered the escrow-based, cryptocurrency-driven marketplace model and was shuttered by the FBI in 2013.
Hydra
Hydra was a Russian-language darknet market that dominated the Eastern European underground until its seizure by German law enforcement in 2022. Unlike most markets, Hydra operated with a unique in-person delivery model restricted to Russia and neighboring countries.
Grams
Grams was a search engine for darknet markets that allowed users to search listings across multiple platforms simultaneously. Often compared to Google for the darknet, it was shut down in 2017 as part of the AlphaBay takedown.
Security & Privacy
OPSEC
Operational Security (OPSEC) encompasses the habits, tools, and procedures that darknet users adopt to protect their identity, location, and activities. Good OPSEC includes using dedicated anonymous operating systems, never reusing usernames, compartmentalizing activities, and practicing disciplined information security.
PGP (Pretty Good Privacy)
PGP is an encryption program that provides cryptographic privacy and authentication for data communication. On darknet markets, vendors and buyers use PGP keys to encrypt messages, sign listings, and verify each other's identities through digital signatures.
Tails
Tails (The Amnesic Incognito Live System) is a privacy-focused Debian-based Linux distribution designed to be booted from a USB drive. It routes all traffic through Tor and leaves no trace on the host computer, making it a gold-standard operating system for darknet activity.
Whonix
Whonix is a security-focused operating system consisting of two virtual machines: a gateway that forces all traffic through Tor, and a workstation where the user works. If the workstation is compromised, the attacker still cannot learn the user's real IP address.
Captcha
CAPTCHAs are challenge-response tests used by many darknet markets on login or registration pages to distinguish human users from bots, DDoS scripts, or automated scraping tools attempting to enumerate the site.
Cloning
Cloning refers to the practice of creating a fake copy of a legitimate darknet market or hidden service, often with a similar .onion address, to steal login credentials or trick users into sending cryptocurrency to the attacker's wallet.
Key Pair
A key pair consists of a public key and a private key used in asymmetric cryptography. In PGP, users share their public key freely while keeping the private key secret. Messages encrypted with the public key can only be decrypted with the corresponding private key.
Address
In the cryptocurrency context, an address is a string of alphanumeric characters representing a destination on a blockchain network. Each address is derived from a public key and can receive or send funds. In the market context, "address" may also refer to a physical shipping address — which users must protect with strict OPSEC.
Cryptocurrency
Cryptocurrency
A cryptocurrency is a digital or virtual currency secured by cryptography and typically operating on a decentralized blockchain. Cryptocurrencies became the standard medium of exchange on darknet markets because they offer pseudonymity and do not require traditional financial intermediaries.
Bitcoin
Bitcoin (BTC) is the first and most well-known cryptocurrency, introduced in 2009 by Satoshi Nakamoto. While widely used on early darknet markets like Silk Road, its transparent public ledger makes it vulnerable to blockchain analysis, leading many users to switch to privacy coins.
Monero
Monero (XMR) is a privacy-focused cryptocurrency that uses ring signatures, stealth addresses, and confidential transactions to obfuscate the sender, receiver, and amount of every transaction. It has become the de facto payment method on most contemporary darknet markets.
XMR
XMR is the ticker symbol for Monero on cryptocurrency exchanges. It is the most commonly requested payment currency on darknet markets due to its strong privacy guarantees and resistance to blockchain analysis.
Blockchain
A blockchain is a distributed, immutable ledger that records transactions across a network of computers. Each block contains a cryptographic hash of the previous block, creating a chain that makes it extremely difficult to alter historical data. Bitcoin and Monero both use blockchain technology but with different privacy properties.
Tumbler
A tumbler (also called a mixer) is a service that pools and shuffles cryptocurrency from multiple users before redistributing it to destination addresses. Tumblers are used to break the on-chain link between a sender and recipient, adding an additional layer of privacy over Bitcoin's transparent ledger.
Law Enforcement & Risks
LE (Law Enforcement)
Law enforcement refers to government agencies that investigate and prosecute illegal activity on the darknet. Notable examples include the FBI, Europol, DEA, and the UK's National Crime Agency, which have conducted major takedowns of markets and hidden services.
Seizure
A seizure is the legal act of law enforcement taking control of a darknet market's servers, domains, or cryptocurrency wallets. Seized sites are often replaced with a banner announcing the takedown, serving as a warning to users and operators.
Fentanyl
Fentanyl is a potent synthetic opioid that has been widely sold on darknet markets, often misrepresented as less dangerous substances. Its prevalence on the darknet has drawn intense law enforcement attention and contributed to the opioid crisis narrative in media coverage.
FUD
FUD (Fear, Uncertainty, and Doubt) is a propaganda tactic used to spread misinformation or exaggerated warnings about the darknet, a specific market, or a technology. It may originate from media outlets, competitors, or law enforcement aiming to deter users.
Phishing
Phishing is a social engineering attack in which an attacker creates a fraudulent website or message mimicking a legitimate market or service to steal login credentials, PGP keys, or cryptocurrency. Phishing links are often distributed through forums like Dread.
SE (Social Engineering)
Social engineering is the psychological manipulation of people into divulging confidential information or performing actions that compromise security. On the darknet, SE attacks may target vendors, support staff, or users through impersonation, pretexting, or baiting.
Dread (forum)
Dread is a popular Reddit-like discussion forum accessible as a Tor hidden service, serving as the primary community hub for darknet market users and vendors. It features market reviews, vendor feedback, security discussions, and announcements regarding ongoing scams or takedowns.