The Darknet Is Taking an Interest in Swiss Companies: Why Darknet Monitoring Is Now Critical

Darknet monitoring is no longer a theoretical discipline for Swiss companies; it is an operational necessity. Stolen credentials, confidential documents and network access are traded daily on criminal marketplaces, often before the affected company even notices the incident. Infostealer malware, Initial Access Brokers and automated credential markets have created an ecosystem that industrialises cyberattacks. In this article, we explain how Swiss corporate data ends up on the Darknet, which concrete risks arise from it, and why systematic Darknet monitoring has become indispensable for CISOs and boards of directors.

What is the Darknet, and why does it affect Swiss companies?

The internet can be divided into three layers. The so-called clear web includes everything that can be found via conventional search engines. The deep web refers to content behind logins and paywalls, such as intranets, databases and protected portals. The Darknet, finally, is a deliberately anonymised part of the internet. You can access it only via specialised networks such as Tor, and it hosts a thriving ecosystem for trading stolen data, credentials and attack tools.

For companies, the Darknet matters not because it exists, but because of the specific threats that originate there. Criminal marketplaces trade millions of stolen credentials every day, auction network access to companies, and prepare Ransomware attacks. Without Darknet monitoring, these activities remain invisible to affected organisations until the damage has already occurred.

Stolen corporate data is offered for sale on Darknet marketplaces within hours

Why Darknet monitoring is relevant for every Swiss company

Switzerland is an attractive target for cybercriminals. It is a highly networked business location with strong financial, pharmaceutical and technology sectors. In 2024, investigators tracked 175 confirmed cyber incidents in Switzerland via Darknet leak sites and underground forums. According to Check Point, Switzerland recorded the world’s highest percentage increase in cyberattacks in Q1 2025: +113% year on year.

The reality is clear: Swiss corporate data is already on the Darknet. The question is not whether, but to what extent. Systematic Darknet monitoring makes this exposure visible. Consequently, companies can respond before attackers exploit the stolen data.

How Swiss corporate data ends up on the Darknet: from Infostealer to marketplace

The route from corporate data to the Darknet follows an increasingly industrialised process. Three actors and mechanisms play a central role. Their interaction explains why continuous Darknet monitoring is now part of the foundations of effective cyber risk management.

Infostealer malware: the dominant attack vector

Infostealers are specialised malicious programs that extract saved browser passwords, cookies, autofill data, credit card information, VPN credentials and authenticator backups. Their principle is “smash and grab”. They steal data within seconds and transmit it as so-called “Stealer Logs” to command-and-control servers, Telegram bots or cloud storage. In 2024, Infostealers stole 2.1 billion credentials worldwide. That is almost two thirds of all 3.2 billion compromised credentials globally. IBM X-Force recorded an 84% rise in Infostealer infections via Phishing, followed by a further tripling in early 2025. Particularly alarming: 54% of infected devices had antivirus or Endpoint Detection and Response solutions installed at the time of infection. The most active families currently include Lumma Stealer, RedLine and StealC.

Initial Access Brokers: professional door-openers for Ransomware groups

Initial Access Brokers have established themselves as an independent industry within the criminal ecosystem. They specialise in the initial breach of corporate networks, and then sell that access to Ransomware groups or other threat actors. In 2025, the IAB market received at least 14 million USD in on-chain payments. The average price for corporate access is 2’700 USD. Moreover, 71% of listings include privileged credentials, often with domain admin rights. The consequence is measurable. Between an IAB’s sale of access and the victim’s appearance on a Ransomware leak site, typically only 23 to 36 days pass.

Darknet marketplaces: where stolen data becomes a commodity

In 2025, the Russian Market is the dominant marketplace for stolen credentials. Fresh data appears there within hours of theft. The pricing is differentiated. Simple account data costs 1 to 15 USD, corporate VPN or RDP access 50 to 500 USD, fresh Stealer Logs with session cookies 10 to 100 USD, and banking access 500 to 2’000 USD. Session cookies are particularly dangerous. They enable the takeover of active sessions and can bypass multi-factor authentication entirely. For companies without Darknet monitoring, these listings remain invisible. Meanwhile, attackers use purchased credentials to enter networks.

Swiss threat landscape: why Darknet monitoring must become a priority now

Switzerland is in the sights of international cybercriminals, and increasingly of state-supported actors as well. The following figures and incidents show why now is the right moment to integrate Darknet monitoring into your security strategy.

2.9 billion compromised credential sets were identified in the criminal underground in 2024. This figure includes credentials from businesses and private individuals worldwide, including Swiss organisations.

54% of all Ransomware victims, according to the Verizon DBIR 2025, had Infostealer credential dumps in their domains before the attack. Consequently, the link between exposed credentials on the Darknet and subsequent Ransomware attacks is statistically proven.

49% of companies have already discovered company-related data or credentials on the Darknet. The annual costs of insider incidents, which often trace back to compromised credentials, average 17.4 million USD per company.

26 billion Credential Stuffing attempts per month were recorded by Akamai in 2024. IBM puts the average loss per breach caused by Credential Stuffing at 4.81 million USD.

The chain reaction from stolen credentials to real attacks is illustrated vividly by the Snowflake breach of 2024. Threat actor UNC5537 used Infostealer credentials, some dating back to 2020, to compromise 165 Snowflake customer environments. Among those affected were AT&T, with records for nearly all US mobile customers, and Ticketmaster, with 590 million records. Over 80% of compromised accounts had previously been exposed in Infostealer dumps. Not a single one had multi-factor authentication enabled.

In Switzerland itself, the Xplain incident of 2023 remains the most striking warning. At the Bern-based IT service provider for federal authorities, the Play Ransomware group stole 1.3 million files. They included 5’182 files with personal data and 121 classified documents. In 2024 and 2025, attacks followed on BERNINA International by ALPHV/BlackCat (200 GB of stolen data), on TAG Aviation by Black Basta (1.5 TB), as well as massive DDoS campaigns by the NoName057(16) group against federal websites, SBB, banks and 318 municipalities. In total, 58 Swiss organisations have already been confirmed as Ransomware victims in 2025. Akira, Qilin and Play are the most active groups in the country.

How Darknet monitoring works: from source coverage to response

Professional Darknet monitoring operates in four consecutive phases. Together, they form a continuous cycle in which threats in the criminal underground become visible, assessable and manageable.

Phase 1, source coverage: An effective Darknet monitoring solution tracks a broad range of criminal sources: open and closed underground forums, invite-only communities, Telegram channels, Stealer Log marketplaces, Ransomware leak sites and paste sites. Leading platforms such as BitSight cover more than 1’000 underground forums and marketplaces. In addition, they collect 7 million intelligence items daily from the criminal underground.

Phase 2, data collection and analysis: The collected raw data is filtered, deduplicated and assigned to the monitored company in an automated process. The analysis detects not only username-password pairs, but also exposed session tokens, hashed passwords (ideally already recovered as plaintext), and contextual information such as the data’s origin and the time of compromise.

Phase 3, alerting and prioritisation: Not every exposed item carries the same risk. Professional Darknet monitoring prioritises findings based on context. A fresh VPN credential with active session cookies requires immediate action. By contrast, a three-year-old password for an inactive account receives lower priority. In leading solutions, the time between data appearing on criminal markets and an alert should range from minutes to a few hours.

Phase 4, response and remediation: Darknet monitoring provides the basis for decisions, not the full answer. The response typically includes forced resets of compromised credentials and invalidation of exposed session tokens. Furthermore, teams review affected systems for unauthorised access. Finally, they integrate the findings into Incident Response and defensive operations.
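The Phase 2 and Phase 3 steps above, as an added Python example (not TECHWAY's or any vendor's code): it assigns constructed stealer-log records to a monitored domain, merges repeat sightings of the same credential, and ranks each finding by the context the text names (session cookies, privileged rights, remote-access service, age, and whether the account is still active). The domain, account list, record layout, host-name heuristic and the 365-day threshold are assumptions made for the example.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed inputs (hypothetical): the monitored domain, the accounts still active in the directory, and the triage time.
MONITORED_DOMAINS = {"example.ch"}
ACTIVE_ACCOUNTS = {"anna@example.ch", "it-admin@example.ch"}
EXAMPLE_NOW = datetime(2025, 6, 2, tzinfo=timezone.utc)

# Constructed records in a simplified stealer-log style; the field names are hypothetical, not a vendor schema.
SAMPLE_LOGS = [
    {"url": "https://vpn.example.ch/login", "username": "anna@example.ch", "password": "S3cret!", "cookies": ["SESSIONID=abc123"], "seen": "2025-06-01T08:00:00Z", "privileged": False},
    {"url": "https://vpn.example.ch/login", "username": "Anna@example.ch", "password": "S3cret!", "cookies": [], "seen": "2025-06-01T09:30:00Z", "privileged": False},  # repeat sighting
    {"url": "https://intranet.example.ch/", "username": "old.user@example.ch", "password": "Winter2022", "cookies": [], "seen": "2022-05-20T12:00:00Z", "privileged": False},
    {"url": "https://rdp.example.ch/", "username": "it-admin@example.ch", "password": "Adm1n!", "cookies": [], "seen": "2025-05-28T22:15:00Z", "privileged": True},
    {"url": "https://shop.other-company.example/", "username": "anna@example.ch", "password": "x", "cookies": [], "seen": "2025-06-01T08:00:00Z", "privileged": False},  # not our infrastructure
]

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def is_monitored(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in MONITORED_DOMAINS)

def dedupe(records: list) -> list:
    """Phase 2: one record per (host, user, password), keeping the union of cookies and the earliest sighting."""
    merged = {}
    for r in records:
        key = (host_of(r["url"]), r["username"].lower(), r["password"])
        m = merged.setdefault(key, dict(r, username=r["username"].lower(), cookies=[]))
        m["cookies"] = list(dict.fromkeys(m["cookies"] + r["cookies"]))
        m["seen"], m["privileged"] = min(m["seen"], r["seen"]), m["privileged"] or r["privileged"]
    return list(merged.values())

def prioritise(r: dict, now: datetime) -> tuple:
    """Phase 3: context-based ranking. P1 = act immediately, P3 = low priority."""
    seen = datetime.fromisoformat(r["seen"].replace("Z", "+00:00"))
    stale = (now - seen).days > 365
    inactive = r["username"] not in ACTIVE_ACCOUNTS
    reasons = []
    if r["cookies"]:
        reasons.append("active session cookies (MFA may be bypassed)")
    if r["privileged"]:
        reasons.append("privileged account")
    if host_of(r["url"]).split(".")[0] in {"vpn", "rdp", "citrix", "remote"}:
        reasons.append("remote-access service")
    if stale and inactive and not r["privileged"]:
        return "P3", ["old credential for an inactive account"]
    return ("P1", reasons) if reasons else ("P2", ["fresh credential, no extra context"])

def triage(records: list, now: datetime) -> list:
    # Keep only findings that belong to monitored domains, dedupe them and rank alerts P1 first.
    alerts = []
    for r in dedupe(records):
        if is_monitored(host_of(r["url"])):
            prio, why = prioritise(r, now)
            alerts.append({"priority": prio, "user": r["username"], "host": host_of(r["url"]), "reasons": why})
    return sorted(alerts, key=lambda a: a["priority"])
```

Running `triage(SAMPLE_LOGS, EXAMPLE_NOW)` yields two P1 alerts (the VPN credential with a live session cookie and the privileged RDP account) and one P3 alert for the three-year-old password of an inactive user; the record for the unrelated shop is discarded.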

The value of Darknet monitoring lies in early warning. It shows not how you see your own IT, but what attackers already know about your company. Consequently, this perspective can make the difference between a prevented attack and a successful one.

Why traditional protection measures are no longer enough for the Darknet

Many companies rely on proven security measures: firewalls, Endpoint Detection and Response, regular password policies and multi-factor authentication. These tools remain indispensable. However, they have a systematic blind spot. They protect infrastructure, yet they do not monitor what happens outside your perimeter with stolen corporate data.

Traditional security vs. Darknet monitoring: four decisive differences

Field of view: Traditional security tools protect known infrastructure inside the corporate network. Darknet monitoring observes the criminal ecosystem outside the perimeter and detects exposed data traded there.

Timing: Firewalls and EDR respond to attacks that are already under way. Darknet monitoring detects attack preparation, for example when credentials or network access are offered for sale. Therefore, it enables preventive intervention.

Coverage: Password policies and MFA protect only accounts that the company knows and actively manages. Stealer Logs, however, often contain credentials for forgotten accounts, test environments or employees’ personal devices that were connected to corporate resources.

Context: Traditional security systems know your own infrastructure, but not the intentions of external threat actors. Darknet monitoring delivers Threat Intelligence on targeted attacks, Ransomware negotiations and supply-chain targeting. Consequently, it can cover risks that affect your company or its suppliers.

This does not mean Darknet monitoring replaces traditional security tools. Instead, it adds a crucial dimension: visibility into what happens to your data outside your network. Only those who know which credentials are compromised, and where they are traded, can act precisely before the attack begins.

Recommendations for CISOs and boards of directors

Monitoring the Darknet is not a purely technical task. It concerns governance, regulatory obligations and the question of how a company steers cyber risk strategically. Therefore, decision-makers should prioritise the following measures now.

Recommended measures: from initial assessment to strategic integration

1) Determine initial Darknet exposure: Commission an initial assessment of your Darknet exposure. Leading providers can show within a few days whether, and to what extent, your company’s credentials, documents or network access are circulating in the criminal underground. The results provide the starting point for all further steps.

2) Address compromised credentials immediately: Reset identified exposed credentials without delay. Prioritise accounts with privileged rights, VPN and RDP access, and credentials with active session cookies. In parallel, verify whether unauthorised access has already occurred via these accounts.

3) Implement continuous Darknet monitoring: A one-off assessment is not enough. Stealer Logs appear on marketplaces within hours, and new data is published daily. Therefore, invest in a solution that monitors the Darknet continuously and alerts in real time. When selecting a provider, focus on breadth of source coverage, alert speed and the ability to detect exposed session tokens.

4) Integrate Darknet intelligence into existing processes: Darknet monitoring reaches its full value only when insights flow into existing Incident Response, SIEM/SOAR and third-party risk management workflows. Automated alerts should trigger tickets directly in the Security Operations Center. Furthermore, they should feed into supplier risk assessments.

5) Raise employee awareness: Infostealers often reach endpoints via Phishing, compromised software downloads and infected adverts. Train employees specifically on these vectors. In addition, establish clear policies for password managers and prohibit storing corporate credentials in the browser.

6) Prepare for regulatory obligations: The nDSG requires immediate notification of data breaches to the FDPIC. The mandatory BACS reporting obligation requires operators of critical infrastructures to report within 24 hours. Darknet monitoring provides early warning, which can be decisive for meeting these deadlines.

Conclusion

The Darknet is not an abstract phenomenon at the fringes of the internet. It is a highly efficient ecosystem in which Swiss corporate data is actively traded and prepared for attacks. Infostealers steal credentials in seconds. Initial Access Brokers monetise network access within days. Then, Ransomware groups exploit this groundwork for attacks that can cost companies millions.

In a Switzerland that recorded the world’s steepest rise in cyberattacks in 2025, has tightened its regulatory requirements, and faces growing attention from international threat actors, Darknet monitoring is not an optional add-on. It is a pillar of cyber defence. It delivers the early warning that traditional security tools cannot provide. Consequently, it enables sound decisions at CISO and board level.

Understand your Darknet exposure

Would you like to know whether your company’s credentials, documents or network access are already being traded on the Darknet? As an advisory partner for cyber risk intelligence, we support you with an initial Darknet assessment, the evaluation of your exposure, and the implementation of a sustainable monitoring strategy.

🎯 Key takeaways for decision-makers

Summary for the board of directors, executive management and the CISO:

✓ Swiss corporate data is already on the Darknet: In 2024, 2.9 billion compromised credential sets were identified in the criminal underground. 49% of companies have discovered their own data on the Darknet.

✓ Infostealers are the dominant attack vector: In 2024, Infostealers alone stole 2.1 billion credentials. 54% of infected devices had antivirus or EDR solutions installed.

✓ Stolen credentials lead to Ransomware: 54% of all Ransomware victims had credential dumps in their domains beforehand. Between IAB sale and Ransomware attack, typically only 23 to 36 days pass.

✓ Darknet monitoring is early warning: It detects exposed credentials, session tokens and network access before attackers use them. Therefore, it adds a crucial dimension to traditional security tools.

✓ Regulatory pressure is rising: The nDSG, FINMA circulars and the mandatory BACS reporting obligation require fast detection and response. Darknet monitoring provides the basis for this.

Frequently asked questions: FAQ on Darknet monitoring

What is Darknet monitoring?

Darknet monitoring is the systematic and continuous monitoring of criminal forums, marketplaces, Telegram channels and leak sites on the Darknet for company data. The goal is to detect stolen credentials, exposed documents and network access offered for sale at an early stage, so that organisations can respond before attackers use the data.

How does Swiss corporate data end up on the Darknet?

The most common route is Infostealer malware, which steals credentials from browsers, VPN clients and authentication systems. This data is sold as Stealer Logs on Darknet marketplaces. Initial Access Brokers use the stolen credentials to break into corporate networks and then sell access to Ransomware groups. Often, only a few hours pass between theft and resale.

Why are antivirus and a firewall not enough to protect against the Darknet?

Traditional security tools protect internal infrastructure. However, they do not monitor what happens outside the company with stolen data. The figures underline this: 54% of devices infected by Infostealers had antivirus or EDR solutions installed. Darknet monitoring complements perimeter protection with an outside view and detects exposed data in the criminal underground before it is used for attacks.

Is Darknet monitoring also relevant for Swiss SMEs?

Yes. Infostealers do not distinguish between large enterprises and SMEs. Smaller organisations often have fewer resources to monitor compromised credentials, and therefore face heightened risk. Swiss SMEs are increasingly targeted by Ransomware attacks because attackers expect weaker protection measures. Darknet monitoring makes it possible to identify the biggest exposures with reasonable effort, and then address them in a targeted way.

How are Darknet monitoring and Swiss reporting obligations connected?

Since 1 April 2025, operators of critical infrastructures must report cyberattacks to BACS within 24 hours. The nDSG requires immediate notification of data breaches to the FDPIC. Darknet monitoring enables early detection of compromises, and therefore creates the basis for identifying incidents in time and reporting them within deadlines. Without this monitoring, organisations often lack the foundation for effective incident detection.
