惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

B
Blog RSS Feed
Google DeepMind News
Google DeepMind News
罗磊的独立博客
Martin Fowler
Martin Fowler
博客园_首页
Stack Overflow Blog
Stack Overflow Blog
Last Week in AI
Last Week in AI
The GitHub Blog
The GitHub Blog
B
Blog
C
Check Point Blog
WordPress大学
WordPress大学
G
Google Developers Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
量子位
月光博客
月光博客
U
Unit 42
Engineering at Meta
Engineering at Meta
有赞技术团队
有赞技术团队
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
大猫的无限游戏
大猫的无限游戏
博客园 - 聂微东
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Y
Y Combinator Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Vercel News
Vercel News
Application and Cybersecurity Blog
Application and Cybersecurity Blog
博客园 - 【当耐特】
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Jina AI
Jina AI
S
Secure Thoughts
aimingoo的专栏
aimingoo的专栏
D
Darknet – Hacking Tools, Hacker News & Cyber Security
I
Intezer
Latest news
Latest news
V
Vulnerabilities – Threatpost
D
Docker
Attack and Defense Labs
Attack and Defense Labs
Help Net Security
Help Net Security
S
Security @ Cisco Blogs
Forbes - Security
Forbes - Security
MongoDB | Blog
MongoDB | Blog
云风的 BLOG
云风的 BLOG
L
LINUX DO - 热门话题
P
Palo Alto Networks Blog
Cloudbric
Cloudbric
Spread Privacy
Spread Privacy

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Last month I saw something I haven’t seen in 18 years of dark web and underground monitoring.
Adrian Alexandru Stinga · 2026-06-26 · via DEV Community

The underground is changing faster than the security industry is adapting. Here’s what nearly two decades of direct monitoring reveals about what’s coming next.

By Adrian Alexandru — Lead Analyst, Aether Intel (aether-intel.com)

I have spent nearly two decades monitoring dark web ecosystems not through dashboards, not through vendor feeds, not through scraped data. Through direct, sustained presence inside underground communities, forums, and Telegram channels where threat actors recruit, negotiate, build tools, and plan operations.

What I saw in the last 30 days is different from anything I have seen in the previous 18 years. Not because any single thing is unprecedented, but because the rate of change has accelerated to a point where the security industry’s standard response cycles are structurally too slow to keep up.

Here are six observations from June 2026. None of them will show up in your threat feed.

  1. More new markets than at any point in the last decade New dark web marketplaces are appearing at a rate I have not seen since the post-Silk Road proliferation era of 2014–2015. The difference is what is powering them.

In the mid-2010s, launching a dark web marketplace required a team: developers for the platform, someone who understood escrow systems, someone who could set up the hosting,mods, someone who could handle vendor onboarding. The infrastructure barrier was real. Not everyone could clear it, which meant the ecosystem grew at a pace that defenders could roughly track.

That barrier has collapsed. AI tools now automate the development of marketplace infrastructure storefront generation, escrow logic, vendor verification workflows, even dispute resolution and customer support. What used to take a team of specialists and months of development can now be assembled by a single motivated individual in a weekend.

The result is a proliferation of markets that is outpacing defenders’ ability to catalogue, monitor, and assess them. Most of these new markets will fail they lack the reputation, the vendor base, and the operational depth of established platforms. But even failed markets cause damage while they operate: they facilitate transactions, they attract opportunistic actors, and they create noise that degrades the signal-to-noise ratio for anyone trying to monitor the ecosystem.

The structural point is this: AI did not make the dark web more sophisticated. It made the dark web more accessible. And accessibility, at scale, is more dangerous than sophistication.

  1. The old forums got smarter While new markets proliferate at the low end, established forums and marketplaces at the high end are integrating AI into their own operations — not for offence, but for defence.

I have observed established platforms deploying AI-driven capabilities across several domains: automated vetting of new vendors to detect law enforcement patterns, behavioural analysis of member activity to identify infiltrators, automated OPSEC auditing of listings to flag operational security failures that could expose the platform, and AI-assisted content moderation that operates at a speed and consistency that human moderators cannot match.

The irony is sharp. The same AI tools that legitimate companies use for fraud detection and content moderation are being adopted by the underground for exactly the same purposes just aimed in the opposite direction. The forums are using AI to detect the people trying to detect them.

This creates a capability arms race that most defenders do not yet recognise they are in. The assumption in much of the security industry is that the underground is technically unsophisticated populated by script kiddies and opportunists running tools they do not fully understand. That assumption was already outdated. It is now dangerously wrong. The top-tier forums are running security operations that would be recognisable to any SOC analyst, because they are using the same conceptual framework and, increasingly, the same AI tooling.

  1. The Gentleman and at least five others are recruiting simultaneously In the past few weeks,months even,I have observed at least six major threat actorsincluding the group known as The Gentleman launching active recruitment (affiliate programs) campaigns across dark web forums and Telegram channels.

The volume matters. Individual recruitment drives are normal. They happen regularly as groups expand, replace arrested members, or prepare for specific campaigns. Six simultaneous recruitment drives from established threat actors is not normal. It represents either a coordinated expansion, a response to a market opportunity that multiple actors have identified independently, or preparation for a campaign cycle that requires a larger workforce than any individual group currently maintains.

I cannot determine from external monitoring which of these explanations is correct. What I can say from sustained observation is that when multiple established actors recruit simultaneously, the output — the operations those recruits will eventually execute arrives 3–6 months later. The recruitment wave of June 2026 is the workforce build for the attack cycle of late 2026 and early 2027.

The market is growing because the market expects to need more people. That expectation is, in itself, the most important indicator in this report.

  1. New recruits are passing vetting tests by using AI to cheat them Here is the part that should concern defenders most, and it is the observation I find most analytically significant.

Become a Medium member
When a new recruit approaches one of these groups without an established dark web reputation without the years of forum history, the vouching from known actors, the track record that constitutes credibility in the underground the groups typically administer a vetting test. The tests vary by group and by role, but they generally assess technical capability: can this person do what they claim they can do?

What I am observing now is that the majority of candidates without established reputation are passing these tests by using AI tools to generate the answers. The recruits do not have the technical depth that the tests are designed to verify. They have access to AI tools that can produce technically correct outputs on demand.

The downstream implications are significant. The next wave of threat actors entering the ecosystem will be, on average, less technically skilled than their predecessors. They will have weaker operational security because they do not fully understand the tools they are using. They will make more mistakes. And they will still be capable of causing serious damage — because the tools they are deploying, even when operated by less skilled hands, are powerful enough to breach, encrypt, exfiltrate, and extort.

This is the AI-assisted mediocrity problem, and it is more dangerous than it sounds. A highly skilled threat actor with strong OPSEC is dangerous but predictable they follow patterns, they protect their operations, they can be profiled and tracked. A less skilled actor with weak OPSEC and AI-augmented capability is dangerous and unpredictable — they make erratic decisions, they leave trails that lead nowhere useful, and they cause damage through volume and carelessness rather than through precision.

Defenders are optimised to fight the first type. The second type is what is coming.

  1. The new generation runs on money and fame — nothing else The previous generation of major threat actors the groups that defined the dark web landscape from roughly 2015 to 2023 operated with a mixture of motivations. Some had ideological commitments. Some had technical pride. Many had community loyalty and a code of behaviour that, while criminal, was internally consistent. They protected their operations because their operations were their identity.

The new wave has none of this.

From observation, the recruits entering the ecosystem now are motivated almost exclusively by two things: money and fame. They want to get paid. They want to be known. They want the screenshot of the ransom note on their Telegram channel. They want the reputation without the years of work that reputation used to require.

For defenders, this shift in motivation profile has direct tactical consequences. Actors motivated by community loyalty and operational longevity are cautious they minimise collateral damage because collateral damage draws attention, and attention threatens their operations. Actors motivated by money and fame are not cautious they maximise impact because impact is the product. The ransomware note is not a means to an end. It is the end. The data exfiltration is not leverage for negotiation. It is content for their channel.

You cannot predict someone who has nothing to protect and nothing to lose. The traditional threat-actor profiling frameworks that work for established groups profiling their operational patterns, their targeting preferences, their negotiation behaviour do not work for actors whose operational pattern is chaos and whose negotiation behaviour is performative.

  1. The numbers tell a story that is not over A recent report from a Fortune 50 company confirmed what I have been observing from the underground side: cyberattacks increased by 40–50% in 2025 compared to the prior year. Based on what I see in the recruitment patterns, market proliferation, and AI-tool adoption documented in this article, I assess that attacks in 2026 are on track for a 60–80% increase.

But the curve does not plateau there. The recruitment wave happening now the six simultaneous campaigns, the AI-assisted vetting, the influx of money-motivated actors is the workforce build for 2027. The tools being developed and tested in underground environments right now are the tools that will be deployed at scale in Q1 2027 through mid-2028.

The attack curve is not flattening. It is steepening. And the steepening has not started yet.

What this actually means: the prediction nobody wants to hear
Here is the uncomfortable conclusion from all six observations taken together.

In the next few months not years, months the technical skills that currently define cybersecurity hiring will not be sufficient to prevent the coming wave of attacks. SOC analysts who are excellent at reading logs, writing detection rules, and responding to alerts will continue to be essential. But they will not be enough. The attacks that are being built right now will be designed by people using AI tools to generate capability they do not personally possess, launched by people whose operational patterns do not match any existing profile, and funded by an ecosystem that is growing faster than any monitoring programme can track.

What companies, CERTs, and government security teams actually need — and what almost none of them currently have is people with real access to underground ecosystems. People who can see what is being built before it is deployed. People who can think like a threat actor because they have spent years watching threat actors think. People who combine technical understanding with the kind of adversarial imagination that lets them stand in the attacker’s shoes and see the target the way the attacker sees it.

I call them reality dreamers — analysts with enough imagination to predict what has not happened yet, based on what they can see being assembled right now. The security industry is full of people who can tell you what happened yesterday. It has very few people who can tell you what will happen next month. And the gap between those two capabilities is where the next breach will live.

React later = pay more. See it now = prevent it.

The choice is structural, and the window for making it is closing.

Adrian Alexandru is the founder and Lead Analyst at Aether Intel, an independent cyber threat intelligence operation based in Brașov, Romania. He has published 80+ TLP:CLEAR intelligence reports across four analytical series and maintains nearly two decades of direct dark web HUMINT monitoring capability. His work is freely available at aether-intel.com.

This article is based on direct observation of underground ecosystems. No specific forums, marketplaces, or Telegram channels are identified by name except where the actor’s identity is already public. No classified intelligence is cited or implied.