NeedleStack hosts AJ Nash and Robert Vamosi unpack dark web myths with cyber threat intelligence expert Roman Sannikov — and what the underground really looks like.

The dark web is one of the most overused phrases in cybersecurity — and one of the least understood. Pop culture makes it feel like a single, shadowy destination where anything is possible, but the reality is more nuanced, more regional, and far more organized.

In a recent episode of NeedleStack, hosts AJ Nash and Robert Vamosi sat down with Roman Sannikov, a seasoned expert in cyber threat intelligence and President of Constellation Cyber, to separate myth from reality and explain how underground ecosystems actually operate.

From barriers to entry and vetting processes to professionalized criminal services and legitimate privacy use cases, the conversation highlights what practitioners should really know when assessing dark web risk.

Below are some key takeaways from the episode.

The deep web and the dark web aren’t the same thing

A common misconception is that “deep web” and “dark web” are interchangeable. In practice, they describe different access models:

  • The surface web is indexed and searchable (what most people think of as “the internet”).
  • The deep web is unindexed content behind logins or paywalls (think internal portals, paid databases, private dashboards).
  • The dark web typically refers to services accessible through specialized networks/tools (like Tor or I2P), and it’s not indexed by mainstream search engines.

That distinction matters because it shapes both risk and investigation. “Dark web” access can be technically easy to initiate, but meaningful access to credible communities is an entirely different challenge.


The underground looks different depending on geography and local norms

Roman emphasized that the “dark web” is not one global monoculture. Underground behavior varies significantly by region, language, and local law enforcement dynamics.

In some ecosystems — particularly historically in parts of the former Soviet space — actors often operated under informal “rules” intended to reduce local scrutiny (for example: avoid certain topics, and avoid targeting victims in your home region). In other environments, including many U.S.-based criminal activities, actors may assume they’re under threat regardless, which changes the level of caution and operational behavior.

For threat intel teams, this is a reminder that context matters. Where a community is based — and what it believes is “enforceable” — can influence targets, tradecraft, and the kinds of services offered.

Downloading Tor is easy. Becoming “trusted” is the real barrier

Many first-time visitors expect the dark web to be instantly full of “action.” But Roman described the more practical truth: credible spaces tend to be gated by reputation, sponsorship, or proof-of-credibility.

Simply showing up with the right browser rarely gets you into the places where serious transactions happen. Instead, many communities require:

  • Invitations or vouching
  • Paid access or demonstrated “value”
  • Ongoing checks to detect suspicious behavior

This creates a balancing act: communities want to keep out researchers and law enforcement, but they also need “new blood” for scale, whether that’s entry-level participants, operational helpers, or fresh sources of money.

Criminal marketplaces operate like businesses because they are

One of the most important reality checks from the episode: modern cybercrime is specialized and professionalized.

Rather than a single “hacker” doing everything end-to-end, Roman described an ecosystem that looks more like an assembly line:

  • Initial access brokers break in, confirm access, and sell the “keys”
  • Other groups operationalize that access (e.g., ransomware operators)
  • Specialists handle hosting, credential collection, monetization, or logistics
  • Some groups shift from encryption to data theft + extortion because it’s faster and often more profitable

For defenders, this division of labor is crucial. It means different parts of an incident may have different “owners,” motivations, and methods — and disrupting one node doesn’t necessarily stop the broader machine.

Trust problems drive real security practices: escrow, reputation, and dispute resolution

In a world where you can’t call customer support and “there’s no honor among thieves,” trust becomes a product.

Roman walked through how underground communities reduce fraud and manage disputes through mechanisms that mirror legitimate marketplaces:

  • Reputation systems (public reviews, standing, privileges)
  • Escrow services (trusted intermediaries holding funds until delivery is confirmed)
  • Moderation and enforcement to reduce scams, fake endorsements, and “clone accounts”

Interestingly, communities may be as worried about internal fraud (“rippers”) as they are about outside infiltration. That pressure drives constant detection of “inauthentic behavior,” including identifying bots or scrapers that don’t behave like real users.

The dark web has legitimate uses — and the human story isn’t always what you expect

Robert highlighted that Tor’s early adoption included human rights and secure communications, not just criminal use. Roman reinforced that many legitimate organizations support safe channels for journalists, dissidents, and vulnerable populations — especially under authoritarian conditions.

The conversation also surfaced a less-discussed reality: some participants in criminal ecosystems are recruited, deceived, or coerced, and not everyone involved sees themselves as “the bad guy.” Roman shared how some individuals have later pivoted into legitimate work (or even dedicated themselves to restorative efforts), underscoring that cyber risk is also a human story shaped by incentives, opportunity, and pressure.


Explore more on the NeedleStack podcast

NeedleStack brings together intelligence, cybersecurity, and investigative leaders to unpack real-world threats shaping the digital environment. Each episode delivers practical insight you can apply across access, collection, analysis, and reporting.
