A study led by researchers from IMDEA Networks and Universidad Carlos III de Madrid (UC3M) has carried out the first large-scale analysis of the volatility, content, and actual infrastructure of hidden websites on the so-called Dark Web. This work was among the recipients of the 2025–2026 Spanish Police Foundation Research Awards, which recognize scientific research that contributes to ensuring public safety and protecting citizens’ rights and freedoms.

The Dark Web refers to content on the World Wide Web that exists within darknets, networks that operate on top of the public internet and require specific software, configurations, or authorization to access, such as Tor. Traditionally, this network has been surrounded by myths, mystery, and scrutiny from both authorities and the general public. But what really lies behind hidden .onion domains? Researchers from the UC3M Department of Computer Science and IMDEA Networks have shed light on this digital corner through their study published in the scientific journal IEEE Transactions on Information Forensics and Security, entitled “Snorkeling in Dark Waters: A Longitudinal Surface Exploration of Unique Tor Hidden Services.”

The study represents one of the most comprehensive analyses ever conducted of the real behavior of this network. Through continuous and systematic monitoring over several months, computer scientists Alfonso Rodríguez Barredo-Valenzuela, Sergio Pastrana, and Guillermo Suárez-Tangil were able to automatically monitor and classify thousands of hidden websites, challenging some of the most widespread assumptions regarding the network’s size and persistence.

Contrary to the common narrative that portrays the Dark Web as an infinite and uncontrollable ocean of criminal activity, the findings show that the actual ecosystem is heavily populated by replicas of .onion sites and is highly unstable. The researchers found that a large proportion of hidden services created on Tor disappear shortly after they emerge.

“This volatility and ephemeral nature likely result from both technical factors and the frequent rotation of domains aimed at evading law enforcement efforts,” explains Guillermo Suárez-Tangil, Research Associate Professor at IMDEA Networks.

To achieve this mapping effort, the team developed a monitoring infrastructure named Mimir, after the guardian of the Well of Wisdom in Norse mythology. Thanks to this tool, the researchers were able to analyze not only the textual content and images hosted on the sites, but also key variables such as security certificates, server technologies, and infrastructure overlaps with the conventional internet ecosystem.

“We managed to reach Dark Web sites that are not easily accessible thanks to a specialized tool that has been crawling websites and collecting data for several months. By applying Machine Learning classification techniques, we were able to gain a better understanding of the content hosted on these sites in a semi-automated manner, even identifying several websites dedicated to the trafficking of child sexual abuse material,” says Sergio Pastrana, another of the study’s authors and a member of the Communications and Information Technologies Security Group (COSEC) at the UC3M Department of Computer Science.

One of the study’s main contributions is its detailed taxonomy of Tor’s uses. Although the network was originally designed to guarantee anonymity for activists, journalists, and citizens living under oppressive regimes, the research reveals a complex duality.

On the one hand, it uncovered a significant number of portals devoted to black markets (including the sale of narcotics, weapons, and leaked data), financial fraud, and cybercrime forums. On the other hand, the study also highlights the presence of mirrors of legitimate news outlets, secure communication platforms, and privacy-enhancing tools, underscoring the importance of preserving the protocol against attempts at global censorship.

This research, which helps provide a clearer understanding of the Dark Web’s structure and content, is also proving useful to law enforcement agencies. In fact, the researchers have already reported all illegal child sexual abuse-related websites they identified to the Spanish National Police, several of which were previously unknown, and have met with authorities to continue their collaboration.

Furthermore, in subsequent work that made use of the same tool, the researchers identified common patterns in the configuration of Dark Web servers and revealed how many hidden services make “mistakes” that expose their real IP addresses or physical commercial hosting servers. This line of research opens new avenues for combating organized cybercrime more efficiently on a global scale.

“Understanding what exists in the depths of the internet, how we can reach it, and how we can analyze it is a key element of our security. Ultimately, the first requirement for protecting people is having the information and knowledge necessary to make the right decisions. That is why we created Mimir,” concludes Alfonso Rodríguez, PhD student at IMDEA Networks and UC3M and lead author of the study.