Dark Web Myths Debunked — 5 Claims Examined
Dark web myths distort how people think about Tor, privacy, and risk. We break down the five most persistent false claims with facts and sources.
Sensational coverage of hitmen and hacker bazaars spreads faster than corrections. The result is a mental model built mostly on fiction. Below are five persistent claims and what the evidence actually supports.
"The Dark Web Is 10× the Size of the Surface Web" — Overcooked
You've seen this claim in mainstream media, infographics, and corporate cybersecurity marketing: the dark web is "10 times larger" or "500 times larger" than the surface web. It's a compelling number. It's also almost certainly wrong — because it conflates the dark web with the deep web.
The deep web — unindexed pages requiring authentication — is genuinely massive. Database-driven content, private intranets, academic archives, email inboxes — this dwarfs the surface web by any measure. The UC Berkeley Web Characterization Project estimated in 2001 that the deep web was 500× larger, and the ratio has grown since.
The dark web is a small subset of the deep web. Active .onion service counts are tracked by researchers and consistently come in at a few thousand active sites. Daniel's Hosting, one of the largest .onion hosting providers until it was hacked in 2018, hosted fewer than 10,000 services — and many were inactive or spam.
Mixing these numbers is a category error. The dark web is small. The difference between dark web and deep web matters, and conflating them serves no one except people trying to make cybersecurity products sound more necessary.
"Hitman Sites Are Real" — Almost Universally Scams
Every few years, a story circulates about a "murder-for-hire" dark web site. Besa Mafia was exposed as a scam in 2016 — it collected payments and never delivered. Chechen Hit Men, Hire A Killer, and similar sites follow the same pattern: take the Bitcoin, do nothing.
Security researchers who study these sites consistently find they're exit scams. There's no evidence of an organized murder-for-hire industry on the dark web. The FBI and Europol have shut down a large number of dark web criminal operations; documented murder-for-hire operations are not among them.
This matters for two reasons:
- People waste money. Reports of people attempting to hire hitmen via dark web sites and losing their payments are documented in court cases. They get nothing — except potential money-laundering charges.
- It distorts threat modeling. If your fear of the dark web is organized assassination services, you're worried about something that doesn't functionally exist while ignoring things that do (credential theft, malware, fraud).
The sensational narrative is more valuable to news publishers than it is to your understanding of actual risk.
"Tor Was Built by the CIA" — Partial Truth, Missing Context
Tor's onion routing concept was developed by Paul Syverson, Michael Reed, and David Goldschlag at the U.S. Naval Research Laboratory — not the CIA. It was funded by the Office of Naval Research. The first public release of Tor as a free software project happened in 2002.
The partial truth here: yes, U.S. government money was involved in Tor's origins. The Defense Advanced Research Projects Agency (DARPA) and the State Department have also funded Tor Project work over the years, including specifically to help dissidents in censored countries bypass restrictions.
This is not a gotcha. The Tor Project has been open about its funding history. The code is open source and auditable. The reasoning for government funding is straightforward: the U.S. government wants dissidents in adversarial countries to have working anonymity tools, and Tor is the best available.
The claim that this makes Tor a CIA honeypot ignores that the code is public, independently audited, and used by organizations actively working against U.S. government interests. The Tor Project's transparency reports and open-source codebase are the relevant evidence — not the funding source alone.
"VPN + Tor Is Always Safer" — Depends on Threat Model
The advice "use a VPN with Tor" circulates widely in privacy communities as if it's an unconditional improvement. It's not.
VPN-over-Tor (connecting to the VPN after Tor): Your VPN provider can see your traffic. You've traded one trust anchor for another. Your VPN provider now knows you're using Tor; your ISP doesn't. Useful if hiding Tor from your ISP is the priority.
Tor-over-VPN (connecting to Tor after the VPN): Your ISP sees the VPN, not Tor. Your VPN provider knows you're using Tor but not what you're doing inside it. This configuration is what most people mean. It's not categorically better — it means trusting your VPN provider to not log or cooperate with adversaries.
The argument against both: you've added a node that knows something about your traffic. Tor's design minimizes trust by distributing it across multiple parties who don't know each other. Adding a single point of trust (a VPN) that sees your full traffic before it enters Tor is a design step backward for some threat models.
We recommend neither configuration as a default. If you're in a country where connecting to Tor directly is blocked, use Tor bridges — an obfuscated transport built into Tor Browser that hides Tor traffic specifically, without requiring you to trust a VPN provider.
Read our threat modeling guide to work out whether your specific situation benefits from one of these configurations.
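The trust reasoning in this section can be checked with a small model that derives, for direct Tor, Tor-over-VPN and a bridge, which party can tie your IP address to Tor use or to the destination. This is an added example, not part of the original article. The `Hop` fields, the three paths and the rule that a hop learns only what its neighbours reveal are simplifying assumptions; traffic correlation and protocol fingerprinting are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    name: str
    is_tor: bool = False         # part of the Tor circuit (guard, middle, exit, bridge)
    recognisable: bool = False   # peers can tell it is Tor (publicly listed relay)
    carrier: bool = False        # forwards packets unchanged, e.g. an ISP

def learned(path):
    """Map each hop between the user and the site to the facts it learns.

    A hop learns the user's IP if no earlier hop replaced the source address,
    Tor use if it is a Tor relay or forwards to a recognisable one, and the
    destination if it is the last hop before the site.
    """
    facts, source_is_user = {}, True
    for i, hop in enumerate(path):
        onward = [h for h in path[i + 1:] if not h.carrier]
        known = set()
        if source_is_user:
            known.add("user_ip")
        if hop.is_tor or (onward and onward[0].recognisable):
            known.add("tor_use")
        if not onward:
            known.add("destination")
        facts[hop.name] = known
        if not hop.carrier:
            source_is_user = False   # later hops see this hop's address instead
    return facts

def who_links(path, fact):
    """Names of hops that can tie the user's IP address to `fact`."""
    return sorted(n for n, k in learned(path).items() if {"user_ip", fact} <= k)

# Constructed paths (assumed names); the site itself is not listed as a hop.
ISP, VPN = Hop("isp", carrier=True), Hop("vpn")
GUARD = Hop("guard", is_tor=True, recognisable=True)
BRIDGE = Hop("bridge", is_tor=True)   # unlisted, obfuscated entry point
REST = [Hop("middle", True, True), Hop("exit", True, True)]
CONFIGS = {
    "direct": [ISP, GUARD, *REST],
    "tor_over_vpn": [ISP, VPN, GUARD, *REST],
    "bridge": [ISP, BRIDGE, *REST],
}

if __name__ == "__main__":
    for name, path in CONFIGS.items():
        print(name, who_links(path, "tor_use"), who_links(path, "destination"))
```

In this model the VPN does not remove the party that links your IP to Tor use; it replaces the ISP and guard with the VPN provider, while a bridge moves that knowledge to a Tor relay instead. No single hop in any of the three paths links your IP to the destination.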
"Going on the Dark Web Will Get You Hacked Just by Visiting" — False (With Caveats)
The myth: the dark web is a place where hackers can attack you just for showing up, without any action on your part. This is not how it works.
Passive network observation — someone seeing your IP because you visited their site — is what Tor specifically prevents. A .onion site cannot see your real IP address. The routing makes that impossible.
What can happen:
- Drive-by exploits via JavaScript: If a malicious site runs JavaScript and your browser has a vulnerability, it could be exploited. This is why Tor Browser's Safest mode disables JavaScript globally. It's not theoretical — the FBI used a JavaScript-based exploit in 2013 to de-anonymize users of the Freedom Hosting service.
- Malicious downloads: If you download and open a file from a dark web site, that file may contain malware. This is true on the clearnet too.
- Phishing: Sites that impersonate legitimate services and steal credentials exist on both the clearnet and dark web.
The mitigation is Tor Browser in Safest mode, no extension installs, and not opening downloads while online. If you do that, and read how to access the dark web safely, visiting a .onion site is not the ambient danger zone of popular imagination.
For broader context on what the dark web actually is, start with what is the dark web.
Frequently Asked Questions
Is the dark web as dangerous as people say?
The dangers are real but specific, not ambient. The risks are: accidentally revealing your identity through behavioral mistakes, downloading malicious files, falling for scams on fake markets, or accessing illegal content that attracts law enforcement attention. None of those require the dark web to be some supercharged threat environment — they're the same categories of risk that apply to high-risk activities anywhere.
Do dark web markets actually work?
Some have, historically. The original Silk Road operated from 2011 until the FBI shut it down in 2013 and arrested its operator, Ross Ulbricht. Markets since have had shorter lifespans on average, with many exiting with user funds (exit scams) before law enforcement could act. The ecosystem of markets we currently track and vet is in our markets directory.
Is Tor fully anonymous?
Tor significantly raises the cost and difficulty of identifying a user. It doesn't guarantee anonymity. Operational mistakes — logging into real accounts, using consistent usernames, leaking metadata in files — are the most common way people get identified. The math is solid; the human behavior is the variable.