What Is the Dark Web and Is It Actually Dangerous?

The Silk Road launched in February 2011. It was the first modern dark web marketplace — a site accessible only through the Tor network, where vendors sold narcotics, forged documents, and hacking tools using Bitcoin as payment. At its peak, Silk Road processed approximately $1.2 billion in revenue. The FBI seized it in October 2013, arrested operator Ross Ulbricht (later convicted and sentenced to life in prison), and spent three years investigating how to shut down a market with no physical location, no registered domain, and transactions in pseudonymous cryptocurrency.

Silk Road is the dark web's defining cultural narrative. And like most defining narratives, it's accurate in its specifics and wildly misleading in its implications. The dark web hosts criminal markets — that is true and not meaningfully disputed. It also hosts the BBC, The New York Times, Facebook, and the whistleblowing systems used by major investigative news organizations. It was built by the US government, is maintained by a nonprofit, and is used daily by millions of people who have never purchased a controlled substance in their lives.

Understanding what the dark web actually is — technically, legally, and practically — requires separating the documentary from the myth. This guide does that.

Getting the Terminology Right

These terms are used interchangeably in news coverage and are not the same thing.

The Surface Web

Everything indexed by search engines. If you can find it by searching on Google, Bing, or DuckDuckGo, it's surface web. Estimates of surface web size vary widely, but it represents the smallest portion of total internet content — perhaps 4-10% of all content that exists online.

The Deep Web

Everything not indexed by search engines. This is the largest category by orders of magnitude. Your email inbox is deep web. Your bank's online portal is deep web. Your company's internal SharePoint is deep web. Netflix's streaming library is deep web. Your Dropbox files are deep web. Anything behind authentication, behind a paywall, or excluded by robots.txt is deep web.

The deep web is not inherently secret, sinister, or restricted. The characterization of the deep web as a dangerous place is a media error — conflating a technical description (not indexed) with a normative one (suspicious). Most people access the deep web dozens of times per day.

The Dark Web

A specific technical subset of the deep web that uses overlay network protocols designed to make server locations and user identities anonymous. It cannot be accessed through a standard browser because its routing architecture is fundamentally different from standard TCP/IP routing.

The most common implementation is the Tor network and .onion addresses. I2P (Invisible Internet Project) is a smaller alternative. Freenet is a third option focused on censorship-resistant file storage.

The dark web's defining characteristic is not its content — it's its architecture. The same technology that hosts criminal markets hosts journalism platforms, political dissident communication, and privacy-protecting services for ordinary people in countries where digital surveillance is a tool of state control.

How Tor Works: The Technical Reality

Tor stands for The Onion Router. The name describes its encryption model precisely. Understanding the mechanism is prerequisite to understanding both its privacy guarantees and its limitations.

The History

Tor was developed by the U.S. Naval Research Laboratory (NRL) in the mid-1990s. The original research paper, "Hiding Routing Information," was published in 1996 by David Goldschlag, Michael Reed, and Paul Syverson of the NRL. The U.S. government's interest was strategic: they needed a way to conduct intelligence operations online without the traffic being attributable to government IP addresses. An exclusively government-run anonymous network would be obvious — every connection would come from "government IPs." A network that mixes government traffic with civilian traffic provides meaningful anonymity for government operations.

The Tor software was released as open source in 2002. The Tor Project, a nonprofit, was incorporated in 2006 and took over development. As of 2025, the Tor Project has an annual budget of approximately $5-7 million, funded primarily by the US State Department (via the Broadcasting Board of Governors) and various foundations, including the Ford Foundation and Electronic Frontier Foundation.

This creates an interesting dynamic: the US government simultaneously funds Tor's development (for use by dissidents and journalists in countries the US opposes) and works to undermine Tor's anonymity (through NSA and FBI operations targeting criminal users of the network). Both are true simultaneously.

Onion Routing: Step by Step

Standard internet routing is direct: your device sends a request from your IP address to a destination IP address. Every router along the path can see both source and destination. Your ISP can see everything. The destination server knows who connected to it.

Tor disrupts this through layered encryption and multi-hop routing:

Step 1 — Circuit construction: Your Tor client downloads a consensus directory from Tor directory authority servers. This directory lists all available Tor relays — volunteer-operated servers worldwide — along with their capabilities, bandwidth, and cryptographic keys. Your client selects a three-node circuit: a guard node (entry), a middle relay, and an exit node.

Step 2 — Key exchange: Your client performs Diffie-Hellman key exchange with each node in the circuit separately, establishing a distinct encryption key for each hop. These negotiations are encrypted using each node's long-term public key.

Step 3 — Layered encryption: Your data is encrypted three times before leaving your machine:

First layer: encrypted with the exit node's session key
Second layer: the first layer is wrapped and encrypted with the middle relay's session key
Third layer: the second layer is wrapped and encrypted with the guard node's session key

The result looks like an onion — multiple layers that must be peeled sequentially.

Step 4 — Transmission:

Your device sends the triple-encrypted package to the guard node
The guard node uses its session key to peel one layer, revealing instructions to forward to the middle relay and the doubly-encrypted payload — the guard node cannot read the payload or determine the destination
The middle relay peels another layer, revealing instructions to forward to the exit node and the singly-encrypted payload
The exit node peels the final layer and sends your request to the destination server in the original format (TLS, HTTP, etc.)

The guarantee: No single relay knows both the origin (your IP) and the destination. The guard node knows who you are but not where you're going. The exit node knows where you're going but not who sent it. The middle relay knows neither. This distributes trust across three independently operated servers.

.onion Addresses: Hidden Services

When you connect to a .onion address, the traffic never leaves the Tor network. There is no exit node. This is the mechanism that makes dark web servers difficult to locate and seize.

A .onion address is a 56-character Base32-encoded string (v3 addresses, current standard) derived from the server's Ed25519 public key. Example: duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion is DuckDuckGo's official .onion address.

The key property: The .onion address is a cryptographic commitment to the server's public key. When your Tor client connects to a .onion address, it can verify — using the key embedded in the address itself — that it is communicating with the correct server. No certificate authority is required. No DNS lookup is performed. The address is the identity.

How hidden service connection works:

The hidden service server picks several Tor relays as "introduction points" and establishes circuits to them
The server publishes its introduction point information to a distributed hash table in the Tor network
A client that wants to connect picks a relay as a "rendezvous point" and sends a message (through the Tor network) to an introduction point
The introduction point relays the message to the hidden service
The hidden service connects to the rendezvous point
The client and server communicate through the rendezvous relay without either knowing the other's IP address

Why this matters for law enforcement: To seize a .onion server, you cannot simply serve a subpoena to a domain registrar (there is no domain registrar) or seize the IP address (the server's IP is unknown — traffic is routed through the Tor network). You must either:

Find an operational security (OPSEC) failure that reveals the server's real IP
Compromise the server's Tor circuit through traffic correlation (requires monitoring both ends simultaneously)
Infiltrate the organization operating the server through human intelligence
Compromise the server through software exploitation

Most successful dark web server seizures have used the first method: OPSEC failures. The FBI's seizure of Silk Road came after Ross Ulbricht's early forum posts (under a personal email address) discussing Silk Road before he started covering his tracks. The Silk Road 2.0 takedown involved an FBI informant who was a senior server administrator. AlphaBay's collapse in 2017 came after an OPSEC error in the server's welcome email that revealed the real IP address.

Tor's Limitations

Tor provides strong network-layer anonymity against most adversaries. It does not provide protection against:

Browser fingerprinting: Your browser has a nearly unique fingerprint based on screen resolution, fonts installed, browser version, plugins, JavaScript capabilities, and time zone. This fingerprint can identify you across sessions even without an IP address. The Tor Browser mitigates this by standardizing these values, but it's not perfect.

JavaScript exploits: JavaScript code running in your browser can make outbound connections that bypass the Tor proxy. The FBI used this technique in 2013 during "Operation Torpedo" — exploiting a Firefox vulnerability to execute code that contacted an FBI server directly, revealing the real IP addresses of Tor Browser users. This is why the Tor Browser has a "Safest" security level that disables JavaScript on all sites.

Application-layer de-anonymization: If you log into a Google account, post on Reddit with your regular username, or access any service linked to your real identity while using Tor, you've de-anonymized yourself at the application layer regardless of the network layer protection.

Correlation attacks: A sophisticated adversary who can observe both your entry point into the Tor network and the destination server's traffic can correlate them through timing analysis — your traffic exits from your machine and arrives at the destination with some time lag. This requires monitoring both ends simultaneously, which is difficult for most adversaries but possible for intelligence agencies with broad network access.

Exit node monitoring: For connections to regular (non-.onion) sites, exit nodes see your traffic in plaintext (or decrypted TLS traffic if they've inserted themselves into the TLS session). Tor Project's guidelines recommend using HTTPS even through Tor — the exit node can see that you're accessing a website but not the content if HTTPS is enforced.

Time-based attacks: If you connect to Tor from your home internet connection every morning at 8:47am, and there's a pattern of traffic on a .onion service that starts at 8:48am, an adversary with access to your connection logs and the service's logs can correlate them.

What's Actually On the Dark Web

The accurate answer is: less than popular culture suggests, and more varied.

Legitimate Uses: The Majority of Traffic

Major news organizations: The BBC, New York Times, Washington Post, Deutsche Welle, and Al Jazeera all operate .onion mirrors of their websites. This is not because they're hiding — their main websites are public. The .onion versions exist specifically to serve readers in countries where those news outlets are blocked. The BBC's .onion service (bbcnewsd73hkzno2ini43t4gblxvycyac5ezdoghbbfmdcmtpvbm7jiad.onion) was launched in 2019 with an explicit statement that it was designed to serve users in countries with internet censorship.

SecureDrop: The secure whistleblowing platform developed by Freedom of the Press Foundation and maintained by major news organizations including The Guardian, Washington Post, New York Times, and dozens of others. SecureDrop is a .onion service that allows sources to submit documents to journalists without the network connection being attributable to the source. The Snowden documents were partly attributed to a SecureDrop predecessor system. If you're reading this and you're a potential whistleblower, SecureDrop is a legitimate and professionally operated tool.

Privacy-preserving versions of mainstream services: Facebook operates an official .onion service (facebookwkhpilnemxj7asber7cyol4na5vwd4dojin2r3njt7h4qhwid.onion). ProtonMail operates a .onion version of its webmail. DuckDuckGo has an official .onion search engine. These exist for the same reason as news organizations — to provide privacy-respecting access in environments where the clearnet versions are monitored or blocked.

Political and privacy forums: Discussion communities focused on privacy, cryptography, political dissent, and civil liberties. Forums where people in authoritarian countries discuss political organizing, where abuse survivors discuss their situations without creating traceable records, where journalists exchange contact information with sources.

Security research and threat intelligence: The dark web is part of the professional threat intelligence landscape. Security companies, threat intelligence platforms, and defensive security operations monitor dark web forums and markets for early warning of breaches, emerging attack tools, and stolen credential sales. Companies including Recorded Future, Flashpoint, and Intel 471 employ analysts whose job is to monitor dark web sources and report intelligence to corporate clients and government customers.

Curiosity and exploration: A significant portion of dark web traffic is casual exploration — people who read about it and want to see what it is. Most of what they find is less interesting than expected: dead links, inactive forums, mirrors of clearnet content, and index directories that haven't been updated since 2019.

The Criminal Component

The criminal activity is real, substantial, and well-documented. Dismissing it would be dishonest. Understanding it accurately is the point.

Drug markets: Since Silk Road, drug markets have operated in a cyclical pattern: a market launches, grows, is seized by law enforcement (or more commonly, exit-scams by the operators who take deposited funds and disappear), and is replaced by successors. Major markets that have been seized through law enforcement operations:

Silk Road — seized October 2013, $28.5 million in Bitcoin seized, operator sentenced to life imprisonment
Silk Road 2.0 — seized November 2014, operated by an FBI informant who had become a senior administrator
AlphaBay — the largest market at time of seizure (2017), over 200,000 users, operator Alexandre Cazes found dead in Thai prison cell; FBI, DEA, and Europol coordinated takedown
Hansa — seized July 2017, the Dutch National Police had been secretly operating the market for 27 days before announcing the seizure, allowing them to collect buyer and vendor data; 10,000 external accounts seized in coordinated action
DarkMarket — European's largest market at time of seizure (January 2021), operator arrested in Germany near the Moldova border, over $170 million in cryptocurrency value transacted
Hydra — the dominant Russian-language market, seized April 2022 by German and US authorities, approximately $25 million in Bitcoin seized; had processed an estimated $5 billion in transactions over its lifetime

Markets continue to operate. Empirically, drug market law enforcement succeeds at disrupting specific markets without eliminating the phenomenon. The 2019 Global Drug Survey found that between 10-20% of drug users in countries where dark web markets are accessible had purchased drugs through them at some point.

Credential and data markets: This is operationally more significant for most people than drug markets. Breach databases — email/password combinations from hacked sites — are sold in bulk. Pricing in 2024 for credential data varies based on:

Freshness: New breach data sells for $5-10/record; older data sells for $0.50-2/record
Type: Banking credentials command premium pricing ($20-100/record for verified active accounts); social media accounts cost $1-10; email/password combos without known high-value association cost $0.10-1/record
Volume: Bulk purchases at significant discount (1 million records at $0.01/record)

Initial access brokers sell footholds into compromised corporate networks — pre-established remote access into a company's environment that another attacker can purchase to deploy ransomware or conduct espionage. These sell for $500-$50,000 depending on the target's size, industry, and level of access.

Ransomware leak sites: Ransomware groups have operated dark web "leak sites" that publish stolen data from victims who refuse to pay. The leak site functions as a pressure tactic — pay the ransom or your customer data, trade secrets, and internal documents become public. LockBit's leak site (before the February 2024 law enforcement seizure) listed dozens of active victims at any given time. REvil, Conti, ALPHV/BlackCat, and Cl0p operated similar sites. These are visible to anyone with Tor Browser.

Scams targeting dark web visitors: A category less discussed: much of what appears to be criminal services on the dark web is itself criminal toward dark web visitors. "Hire a hitman" sites are scams. "Buy nuclear material" sites are scams. "Counterfeit currency" sites generally take payment and deliver nothing. Dark web fraud targeting curious visitors exploits the same psychological dynamics as clearnet fraud — it just uses the dark web's reputation to appear more legitimate. The victim doesn't report the fraud because they were trying to do something illegal.

The appropriate takeaway: illegal markets exist and function, law enforcement actively works to disrupt them with meaningful success rates, and the anonymity they rely on is imperfect in practice despite being strong in theory. The dark web is not a consequence-free criminal sanctuary.

The Mundane Reality

A significant portion of what you encounter exploring dark web directories is disappointing in the mundane direction:

Dead links to services that shut down months or years ago
Empty forums with occasional spam posts
"Under Construction" pages from services that never launched
Mirrors of Wikipedia and other clearnet content with no added value
Index sites ("The Hidden Wiki" variants) that are mostly outdated

The dark web lacks the search infrastructure of the clearnet. Google's crawlers don't index .onion sites (with some exceptions). Discovery is by link, which means the dark web ecosystem is more fragmented and harder to navigate than most visitors expect. Most of what exists on the dark web is invisible to casual exploration precisely because there's no organized directory of what's there.

How to Access the Dark Web Safely

This section is for people with legitimate purposes: researchers, security professionals, journalists, privacy advocates, curious individuals, and people in restricted environments who need censorship-circumventing tools.

Tor Browser: The Correct Starting Point

Download Tor Browser only from torproject.org. The site is frequently spoofed. There are fake Tor Browser downloads on third-party sites that include malware. Verify the download signature before installing.

# Download Tor Browser for Linux, then verify the signature:
gpg --auto-key-locate nodefault,wkd --locate-keys torbrowser@torproject.org
gpg --verify tor-browser-linux64-13.x_ALL.mar.asc tor-browser-linux64-13.x_ALL.mar
 
# On Windows, verify the file hash against the one published on torproject.org:
certutil -hashfile tor-browser-windows-x86_64-portable-13.x.exe SHA256

Configuration:

Tor Browser's security level is set via the shield icon in the toolbar:

Standard: JavaScript enabled, all features active — appropriate for casual browsing of .onion sites
Safer: JavaScript disabled on HTTP sites, some JavaScript features disabled on HTTPS sites — appropriate for security research
Safest: JavaScript disabled on all sites, audio/video disabled, some fonts disabled — appropriate for high-risk operations; many sites will be broken

For most purposes, "Safer" is appropriate. "Safest" for anything involving real risk (journalist communicating with sources, research on sensitive content).

Do not do these things in Tor Browser:

Install extensions or plugins (unique fingerprint; potentially leaks data)
Log into any account linked to your real identity (Gmail, Reddit, social media)
Enable Flash, WebGL, or other media plugins
Change window size from default (screen size contributes to fingerprint)
Download files and open them outside the Tor Browser environment (they can make outbound connections that reveal your real IP)
Use your regular browser alongside Tor Browser for the same session

Tails OS: For Serious Use Cases

Tails (The Amnesic Incognito Live System) is a Debian-based operating system that boots from a USB drive, routes all internet traffic through Tor, and leaves no trace on the host computer after shutdown.

Why Tails matters: Tor Browser running on a standard OS provides network-layer anonymity but doesn't protect against:

Malware on your computer that can bypass the proxy
Documents opened outside the browser making clearnet connections
Forensic recovery of files downloaded during the Tor session
The host OS logging your Tor Browser activity

Tails runs in RAM, routes all traffic through Tor (not just the browser), and wipes memory on shutdown. It's what privacy-critical use cases actually require.

Download from tails.boum.org. Verify the download against the published signature. Write to USB using Balena Etcher or GNOME Disks. Boot from USB on any computer.

Tails' persistent storage: You can optionally enable persistent storage for files, bookmarks, and configuration — stored in an encrypted partition on the USB. This is the correct way to save data between Tails sessions without leaving traces on the host machine.

Operational security with Tails: The USB you boot Tails from should not be one associated with your identity (purchased with cash, or at least not used for anything else). The network you use Tails on reveals your network-level identity to the Tor guard node. For maximum anonymity, use a network not associated with your identity (public Wi-Fi, not your home connection) — but be aware of surveillance cameras and physical identification at the location.

Threat Model Assessment

Your required precautions scale with the stakes:

Curiosity / research: Tor Browser at "Safer" level, from your home connection.

Protects: which .onion sites you access from your ISP
Doesn't protect: you from malware in downloaded files, you from browser fingerprinting, your IP from exit node monitoring of clearnet sites
Acceptable for: learning how it works, security research, reading news via .onion mirrors, accessing privacy tools

Journalism / source protection: Tails OS, ideally on a network not associated with your identity, with "Safest" security level.

Protects: against your computer being compromised, against clearnet connections from opened files, against forensic recovery
Doesn't protect: against timing correlation by nation-state adversaries with broad network visibility
Required for: communicating with sources via SecureDrop, investigating criminal organizations that might target you, journalism in authoritarian countries

Whistleblowing / high-risk dissent: Tails OS on a network physically distant from your identity (not home, not office), with air-gapped preparation of sensitive documents, using Tor bridges to hide the use of Tor itself.

Addresses: traffic correlation, Tor usage detection, physical attribution
Consult organizations like the Electronic Frontier Foundation, Freedom of the Press Foundation, or Access Now for situation-specific guidance

Most people's threat model: Tor Browser from home is fine. If you're curious about what the dark web is and want to explore legitimate .onion services (BBC, DuckDuckGo, Facebook's .onion, ProtonMail), Tor Browser is appropriate without Tails. If you're doing something that has actual consequences if you're identified, scale up accordingly.

Navigating Without Google

There's no Google for .onion addresses. Discovery requires different methods:

Tor Project's curated list: The Tor Project maintains a list of official .onion addresses for known legitimate services at community.torproject.org/onion-services/

Published addresses from clearnet sources: Organizations that run .onion mirrors publish their addresses on their clearnet websites. The BBC's .onion address is published at bbc.com/news/technology-50150981. The New York Times published theirs at nytimes.com. ProtonMail's is published in their security documentation.

Dark web search engines (limited):

Ahmia.fi — indexes a subset of .onion sites, filters known illegal content, accessible from both clearnet and .onion
OnionSearch (onionseacj5hkdtd.onion) — dark web-only search engine
Not Evil (notevilmtxf74stu.onion) — another dark web search engine

These search engines index far less content than Google indexes the clearnet — they're incomplete directories, not comprehensive indexes.

Caution: Many "Hidden Wiki" and link directory sites on the dark web link to both legitimate and illegal content. Use curated sources from established organizations rather than random directories.

Legal Considerations

Using Tor Is Legal

Using Tor Browser is legal in the United States, European Union, United Kingdom, Canada, Australia, and most democracies. Tor is used by journalists, researchers, security professionals, law enforcement (including the FBI, which uses it for undercover operations), and ordinary citizens.

Some countries block or criminalize Tor use: China (where Tor traffic is blocked by the Great Firewall, though bridges and obfuscation tools can circumvent the block), Russia (where Roskomnadzor has issued blocking orders), Iran, Belarus, and others. Using Tor to circumvent these blocks is legal from the perspective of US or EU law — but it is illegal under the laws of those countries.

What Is Actually Illegal

The content, not the network: Accessing child sexual abuse material is a federal crime under 18 U.S.C. § 2256 (PROTECT Act) regardless of which network you access it through. The Tor network provides no legal immunity. Multiple convictions have come from dark web CSAM sites, including the FBI's takedown of Playpen in 2015 (which resulted in charges against 900 users) and subsequent operations.

Purchasing illegal goods: Buying narcotics, weapons, or other controlled items from dark web markets is illegal under applicable federal and state law. The Tor network doesn't change the underlying legality of the purchase.

Hacking services and tools: Purchasing malware, exploit kits, or access to compromised systems falls under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) regardless of network.

Money laundering: Converting cryptocurrency obtained from illegal activity through dark web mixing services is money laundering under 18 U.S.C. § 1956.

The network itself is neutral: The FBI has explicitly stated on multiple occasions that Tor use alone is not probable cause for investigation. Using Tor is legal. What you do on Tor is subject to exactly the same legal analysis as what you do on the clearnet.

Law Enforcement Capability

Don't underestimate it. Dark web anonymity is real but imperfect, and law enforcement has developed significant capabilities to work around it:

Cryptocurrency tracing: This is where most dark web criminal prosecutions originate. Bitcoin is not anonymous — it's pseudonymous. Every transaction is permanently recorded on a public blockchain. Blockchain analytics firms (Chainalysis, Elliptic, CipherTrace) have developed tools that trace Bitcoin flow across many transactions and identify cash-out points where cryptocurrency is converted to fiat. The seizure of $1 billion in Bitcoin from the Silk Road case in 2020 (from a wallet belonging to a hacker who had stolen it from Silk Road in 2012) came from IRS-CI using blockchain analytics to trace the movement of funds over eight years.

OPSEC failures are the norm: Most prosecuted dark web operators made identifiable mistakes. The administrator of Hansa made 25 operational security errors documented in the Dutch police's post-operation report. AlphaBay's operator used the same email address for the marketplace and a personal Bitcoin forum account from 2010. The administrator of Welcome to Video (a CSAM site) was identified partly because he failed to correctly configure his server's Tor settings, briefly exposing his real IP address.

Server seizures: Law enforcement has seized servers for dark web markets by exploiting vulnerabilities in the sites themselves, using informants who had access to server credentials, and compromising the administrators' own computers. Once server access is obtained, user account data — including Bitcoin addresses and communication patterns — can be used to identify participants.

The Dark Web's Legitimate Role in a Surveillance World

The temptation is to resolve the dark web's complexity into a simple verdict: good or bad, useful or criminal. The technically correct answer is that it's a network overlay with a range of uses, and evaluating it requires thinking about what alternative you're comparing it to.

In the United States in 2026, internet service providers are legally permitted to sell your browsing history (a right established by the 2017 Congressional review of FCC privacy regulations). Federal agencies operate mass surveillance programs. Social media companies build detailed behavioral profiles and share them with data brokers. The "normal" internet is already a heavily surveilled environment.

In Iran, Russia, China, Belarus, Saudi Arabia, and dozens of other countries, internet access is actively filtered, monitored, and used as a tool of political control. Journalists, dissidents, LGBTQ individuals, religious minorities, and ordinary people who hold unpopular political views face real consequences for expressing themselves online.

For these populations, Tor and the dark web are not tools for criminal activity — they're tools for exercising rights that exist on paper and are denied in practice. The BBC operates a .onion service because the BBC's clearnet version is blocked in countries with authoritarian censorship, and the BBC considers serving those readers worth the infrastructure investment.

The same technology that protects the drug dealer also protects the journalist. That is not a bug to be fixed — it is the fundamental property that makes the technology work. Anonymizing networks that protect criminals but not dissidents would be designed with a backdoor, and backdoors don't stay exclusive.

Understanding the dark web accurately means understanding both realities simultaneously: the criminal markets that law enforcement has legitimate interest in disrupting, and the civil liberties infrastructure that serves people the government of a democratic country should want to protect.

You can hold both of those things at once.

Practical Starting Points for Legitimate Exploration

If you want to explore the dark web — for research, for security education, or because you want to see what it actually is rather than what the news says it is — here are legitimate .onion addresses for services you've likely heard of on the clearnet:

News:

BBC: bbcnewsd73hkzno2ini43t4gblxvycyac5ezdoghbbfmdcmtpvbm7jiad.onion
The New York Times: nytimesn7cgmftshazwhfgzm37qxb44r64ytbb2dj3x62d2lljsciiyd.onion

Search:

DuckDuckGo: duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion

Email:

ProtonMail: protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion

Services:

Facebook: facebookwkhpilnemxj7asber7cyol4na5vwd4dojin2r3njt7h4qhwid.onion (for users in countries where Facebook is blocked)
Tor Project itself: 2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion

Whistleblowing:

SecureDrop directory: sdolvtfhatvsysc6l34d65ymdwxcujausv7k5jk4cy5ttzhjoi6fzvyd.onion

These addresses are published by the organizations on their clearnet websites. Verify any .onion address against the clearnet source before using it for anything sensitive — phishing versions of popular .onion sites exist, with addresses that look similar but differ in a few characters.

Access all of these through Tor Browser from torproject.org. You do not need special skills, criminal intent, or a technical background. The process is: download Tor Browser, open it, paste the .onion address.

The dark web is less mysterious and more interesting than its reputation. It's also more dangerous in some ways that media coverage underplays — not because the criminal markets are omnipresent, but because the dark web's anonymity protection is real enough to be worth preserving, which means understanding it accurately matters for anyone who cares about privacy as a civil right rather than a cover for wrongdoing.