Sources
Darkfield’s primary source is Orizon’s own Tor-based crawling of operator leak sites and dark web infrastructure. That first-party collection is then cross-checked and enriched against a set of reputable public feeds, so no single source is taken at face value:
| Source | Role in Darkfield |
|---|---|
| Proprietary .onion crawling | Primary source. Tor-based collection directly from operator leak sites and dark web markets. |
| RansomLook · ransomware.live · RansomWatch | Cross-checking layer for leak-site disclosures and operator activity. |
| crt.sh | Certificate-transparency lookups for infrastructure and domain corroboration. |
| IntelX phonebook | Selector and identifier enrichment for entities under investigation. |
| MalwareBazaar / abuse.ch | Malware sample and indicator feeds tied to operator tooling. |
| MITRE ATT&CK (STIX) | Technique mapping for operator tradecraft. |
| CISA KEV | Known-exploited-vulnerability signal feeding the zero-day radar. |
| GitHub YARA repositories | Detection-rule corpus for family attribution. |
We do not buy commercial third-party threat-intelligence feeds, and we do not host, mirror or redistribute any data stolen by the operators we track. Darkfield records the existence and metadata of a disclosure — never its contents.
Collection cadence
Crawling runs continuously. Leak-site and operator indexes are reconciled on a rolling basis, with a full cross-source consistency pass daily. New victim disclosures typically surface in the public corpus within hours of an operator posting them. Each record carries its own discovery and disclosure timestamps so you can see exactly when it entered the dataset.
Deduplication & enrichment
The same victim is frequently claimed under inconsistent names, across multiple operator panels, or re-posted after a takedown. Before a record is published we:
- collapse operator aliases into a single canonical group identity;
- deduplicate repeated or re-listed victim claims;
- canonicalise organisation names, then enrich with sector, country and approximate size where it can be established;
- map operator tradecraft to MITRE ATT&CK techniques.
Enrichment is produced with AI assistance and reviewed before it is relied upon. It is presented as an evidence pointer, never as a legal or forensic conclusion.
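As an added illustration of the alias-collapsing, name-canonicalisation and re-listing deduplication steps described above (example code written for this page, not Darkfield's own pipeline; the operator names, alias map and victim claims are constructed):

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed alias map (hypothetical operators): lowercase alias -> canonical group id.
OPERATOR_ALIASES = {"examplelocker": "example-locker",
                    "example locker": "example-locker",
                    "exl": "example-locker"}

# Legal suffixes stripped during organisation-name canonicalisation.
ORG_SUFFIXES = re.compile(r"\b(inc|llc|ltd|gmbh|plc|co|corp|corporation|limited)\b\.?", re.I)

def canonical_operator(name: str) -> str:
    """Collapse an operator alias into its canonical group identity."""
    key = name.strip().lower()
    return OPERATOR_ALIASES.get(key, key)

def canonical_org(name: str) -> str:
    """Fold accents, drop punctuation and legal suffixes, collapse whitespace."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    text = ORG_SUFFIXES.sub("", text.lower())
    text = re.sub(r"[^a-z0-9 ]+", " ", text)
    return " ".join(text.split())

@dataclass
class Claim:
    operator: str
    victim: str
    disclosed: str   # ISO date the operator posted the claim
    discovered: str  # ISO date the crawler first saw it

def dedupe(claims):
    """Merge claims naming the same (operator, organisation); keep the earliest
    disclosure and discovery dates and count later re-listings separately."""
    merged = {}
    for c in sorted(claims, key=lambda k: (k.disclosed, k.discovered)):
        key = (canonical_operator(c.operator), canonical_org(c.victim))
        if key in merged:
            merged[key]["relistings"] += 1
        else:
            merged[key] = {"operator": key[0], "victim": key[1],
                           "first_disclosed": c.disclosed,
                           "first_discovered": c.discovered, "relistings": 0}
    return list(merged.values())

SAMPLE = [  # constructed claims, not real leak-site data
    Claim("ExampleLocker", "Acme Widgets, Inc.", "2024-03-01", "2024-03-01"),
    Claim("EXL", "ACME WIDGETS INC", "2024-03-04", "2024-03-04"),        # re-post after takedown
    Claim("Example Locker", "Acmé Widgets Inc", "2024-03-10", "2024-03-11"),
    Claim("OtherCrew", "Acme Widgets Inc", "2024-03-12", "2024-03-12"),  # different operator, kept
]
```

Running `dedupe(SAMPLE)` yields two records: one for example-locker with two re-listings and the original 2024-03-01 disclosure date, and one for the second operator.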
Definitions
Operator (group). A distinct ransomware brand or affiliate program. Marked active when it has posted a new disclosure within the recent activity window, otherwise dormant.
Victim disclosure. A single instance of an operator publicly naming an organisation on a leak site. It is the operator’s claim, with our structured metadata attached.
Sector / country. The classified industry and headquarters geography of the named organisation, after canonicalisation. Records we cannot confidently classify are excluded from sector and country rollups rather than bucketed as “unknown”.
Limitations
A leak-site listing is an assertion by a criminal operator, not a verified fact. Operators exaggerate, re-post old victims, and occasionally fabricate. Counts reflect public claims, so they understate attacks that are never disclosed (paid ransoms, private extortion) and can momentarily overstate during re-listing waves. Sector and geography are best-effort attributions. Treat the corpus as a high-fidelity map of the public leak-site ecosystem — not a complete census of all ransomware activity.
Corrections & contact
Found an error, or need a record about your organisation amended? Email [email protected]. For the broader picture of what Darkfield is and who runs it, see About.