deepdarkCTI Review
A structured reference of dark web and deep web CTI sources — ransomware tracking sites, IOC feeds, paste monitors, and threat actor Telegram channels — organized for feed coverage auditing.
Quick Verdict
Best suited to CTI analysts and SOC threat intelligence practitioners who are auditing their dark web and underground source coverage and need to identify gaps in ransomware tracking, paste monitoring, and IOC feed ingestion.
Pros
- Ransomware tracking and paste site sections aggregate sources that are otherwise scattered: a single reference for the dark web and underground coverage gaps most CTI programs underinvest in
- IOC feed section lists free sources directly ingestible by MISP, OpenCTI, and IntelOwl: a practical starting list before evaluating commercial feeds
- Organized by source type rather than alphabetically: targeted browsing for a specific coverage gap takes minutes rather than reading the entire repository
- Includes clearnet-accessible sources alongside .onion entries: partial value without Tor access for programs that cannot operate on the dark web
Cons
- No quality indicators or reliability ratings: actively maintained high-signal feeds and abandoned or low-value sources appear identically in the list
- List currency depends on community contributions: some sources go offline or change without the repository reflecting it; verify before building automated ingestion pipelines
deepdarkCTI: Curated Collection of Dark Web and Deep Web CTI Sources
Most CTI programs cover the basics: commercial feeds, ISAC sharing, public IOCs. The gaps that remain are usually in ransomware victim sites, paste sites, threat actor Telegram channels, and dark web forums.
The deepdarkCTI repository catalogues sources for exactly these gaps: a categorized map of where to look. It is a good starting point for a CTI analyst doing a coverage audit.
What deepdarkCTI Contains
deepdarkCTI is a GitHub repository that catalogues threat intelligence sources from the dark and deep web. No code. No tool. Just a list.
Sources are grouped by type, including ransomware leak sites, cybercriminal forums, paste site aggregators, IOC feeds, breach notifications, malware trackers, and threat actor Telegram channels.
That organization is what makes the repository useful for a coverage audit: sources are grouped by what they offer rather than listed alphabetically. There is a section for ransomware victim monitoring sources and one for free IOC feeds for MISP, so the list lines up with the questions an audit asks.
The list stays current through community contributors.
Source Categories and What Each Covers
Ransomware tracking sources are key for organizations that need early warnings when clients, partners, or monitored groups get listed by ransomware gangs. These gangs run .onion and clearnet sites to publish stolen data and victim names. The deepdarkCTI repository catalogs these sites by gang. You can monitor them manually or via a service. This gets you victim listings before they hit the news or breach notifications, sometimes days or weeks earlier.
IOC feed aggregators and free intelligence sources offer direct operational value, especially for MISP and OpenCTI users. These are structured feeds in STIX2, MISP, or CSV formats from sources like abuse.ch, URLhaus, MalwareBazaar, Feodo Tracker, OpenPhish, and ThreatFox. No dark web access needed. The deepdarkCTI list puts them in one place. Setup is straightforward; just work through the list.
Paste site and leak monitoring sources provide near-real-time data that complements breach database searches. Breach databases like HaveIBeenPwned have a lag of months. Paste sites get dumps and docs in real time, often before breaches are disclosed. Monitoring services, paste aggregators, and platform references for major paste sites are covered here. Sensitive data often surfaces first on these sites.
Using deepdarkCTI Effectively
CTI Coverage Audit: A Practical Workflow
Your current CTI source inventory serves as the baseline. Track it against the repository's categories: ransomware tracking, paste monitoring, IOC feeds, and forum coverage.
Identify Gaps
Compare your current sources against each category and note what is missing. Those gaps become your to-do list.
IOC Feeds: A Starting Point
For MISP or OpenCTI users, start with IOC feeds. Free community feeds are available from abuse.ch and OpenPhish. They are well-maintained, machine-readable, and free. Configure them first. Paid sources come later.
Finding IOC Feeds
deepdarkCTI lists IOC feeds. No research is needed. Just configure them.
Ransomware Tracking
Bookmark ransomware sites. Incident responders should check relevant leak sites. The list provides URLs.
Threat Actor Telegram Channels
Analysts should track Telegram channels of initial access brokers and ransomware affiliates. Many of these channels are public. Monitor them through Telegram or a service for early warnings before formal feeds are available.
Next Steps
Once the gaps are identified and the feeds configured, the list has done its job and your CTI coverage is accounted for.
Limitations
Limitations for Analysts
The most glaring issue for automated ingestion pipelines is the lack of quality indicators. All sources look equal: a daily-updated source with good data and a source last touched 18 months ago appear identical. Before setting up a new source as a MISP feed or IntelOwl analyzer, you must verify that it is active, updates regularly, and produces useful data. A broken feed creates false confidence.
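The freshness check this paragraph (and the maintenance caveats elsewhere on the page) calls for, as an added example that is not part of the original review or the deepdarkCTI repository. It scores a CSV feed in the URLhaus-style layout (id, dateadded, url, status, threat) on two constructed samples and refuses anything empty, unparsable, or stale rather than letting it into a MISP or IntelOwl pipeline; the sample rows, the 7-day threshold, and the fixed assessment date are all assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Fixed "now" so the example is reproducible; replace with datetime.now(timezone.utc) in use.
NOW = datetime(2026, 4, 7, tzinfo=timezone.utc)

# Constructed sample in a URLhaus-style CSV layout (not real indicator data).
FRESH_FEED = """# URLhaus-style sample feed (constructed for this example)
# id,dateadded,url,url_status,threat
"3001","2026-04-06 09:12:00","http://example.invalid/a.exe","online","malware_download"
"3002","2026-04-06 11:40:00","http://example.invalid/b.php","online","malware_download"
"3003","2026-04-05 17:05:00","http://example.invalid/c.bin","offline","malware_download"
"""

# Same layout, but nothing has been added for well over a year.
STALE_FEED = """# stale sample feed (constructed for this example)
"101","2024-09-30 08:00:00","http://example.invalid/old.exe","offline","malware_download"
"""


def assess_feed(feed_text, now=NOW, max_age_days=7, min_entries=1):
    """Classify a CSV feed as active / thin / stale / unusable before ingesting it."""
    rows = [r for r in csv.reader(io.StringIO(feed_text))
            if r and not r[0].startswith("#")]          # drop comment and blank lines
    dates = []
    for r in rows:
        try:
            dates.append(datetime.strptime(r[1], "%Y-%m-%d %H:%M:%S")
                         .replace(tzinfo=timezone.utc))
        except (IndexError, ValueError):
            continue  # malformed row: counted in entries, ignored for freshness
    newest = max(dates) if dates else None
    age_days = (now - newest).days if newest else None
    if newest is None:
        verdict = "unusable"   # empty or unparsable: never wire this into MISP
    elif age_days > max_age_days:
        verdict = "stale"      # looks like a feed, but nobody is updating it
    elif len(dates) < min_entries:
        verdict = "thin"       # updating, but too little data to justify the noise
    else:
        verdict = "active"
    return {"entries": len(rows), "parsed": len(dates), "newest": newest,
            "age_days": age_days, "verdict": verdict}


if __name__ == "__main__":
    for label, feed in (("fresh", FRESH_FEED), ("stale", STALE_FEED), ("empty", "")):
        print(label, assess_feed(feed))
```

Only feeds scored "active" should be added as a MISP feed; "stale" and "unusable" results are exactly the false-confidence case the review warns about.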
Access Restrictions
Dark web .onion entries need Tor. Without Tor, access is limited. Clearnet sources like paste monitors and free IOC feeds still provide value, but for full coverage, Tor is required.
Maintenance Dependency
Repository entries rely on community updates. When a ransomware group rebrands or a paste site goes dark, entries may lag. Spot-check entries before use, especially if they haven't been updated recently. Analysts should verify the freshness and accuracy of the data.
The tool is best suited for CTI analysts and threat intelligence practitioners who need to audit dark web and underground source coverage. They can use it for feed gap identification, MISP/OpenCTI feed setup, and ransomware victim monitoring. The tool is available on GitHub at fastfire/deepdarkCTI.
Similar Tools
Crucix
27 parallel intelligence feeds, push alerts to your phone, and LLM-powered briefings on demand — self-hosted, no cloud dependency.
Arkham Intel
On-chain intelligence platform that deanonymizes blockchain addresses and maps crypto fund flows
Hudson Rock
Infostealer intelligence platform exposing compromised credentials from malware-infected machines worldwide
Recorded Future
The leading threat intelligence platform for enterprise security teams
This review reflects testing as of 2026-04-07. OSINT tools change frequently; check the vendor's current documentation for pricing and feature updates.