Adrian Alexandru Stinga

Last month I saw something I haven’t seen in 18 years of dark web and underground monitoring.

The underground is changing faster than the security industry is adapting. Here’s what nearly two decades of direct monitoring reveals about what’s coming next.

By Adrian Alexandru — Lead Analyst, Aether Intel (aether-intel.com)

I have spent nearly two decades monitoring dark web ecosystems: not through dashboards, not through vendor feeds, not through scraped data. Through direct, sustained presence inside underground communities, forums, and Telegram channels where threat actors recruit, negotiate, build tools, and plan operations.

What I saw in the last 30 days is different from anything I have seen in the previous 18 years. Not because any single thing is unprecedented, but because the rate of change has accelerated to a point where the security industry’s standard response cycles are structurally too slow to keep up.

Here are six observations from June 2026. None of them will show up in your threat feed.

1. More new markets than at any point in the last decade

New dark web marketplaces are appearing at a rate I have not seen since the post-Silk Road proliferation era of 2014–2015. The difference is what is powering them.

In the mid-2010s, launching a dark web marketplace required a team: developers for the platform, someone who understood escrow systems, someone who could set up the hosting, mods, someone who could handle vendor onboarding. The infrastructure barrier was real. Not everyone could clear it, which meant the ecosystem grew at a pace that defenders could roughly track.

That barrier has collapsed. AI tools now automate the development of marketplace infrastructure: storefront generation, escrow logic, vendor verification workflows, even dispute resolution and customer support. What used to take a team of specialists and months of development can now be assembled by a single motivated individual in a weekend.

The result is a proliferation of markets that is outpacing defenders’ ability to catalogue, monitor, and assess them. Most of these new markets will fail: they lack the reputation, the vendor base, and the operational depth of established platforms. But even failed markets cause damage while they operate: they facilitate transactions, they attract opportunistic actors, and they create noise that degrades the signal-to-noise ratio for anyone trying to monitor the ecosystem.

The structural point is this: AI did not make the dark web more sophisticated. It made the dark web more accessible. And accessibility, at scale, is more dangerous than sophistication.

2. The old forums got smarter

While new markets proliferate at the low end, established forums and marketplaces at the high end are integrating AI into their own operations — not for offence, but for defence.

I have observed established platforms deploying AI-driven capabilities across several domains: automated vetting of new vendors to detect law enforcement patterns, behavioural analysis of member activity to identify infiltrators, automated OPSEC auditing of listings to flag operational security failures that could expose the platform, and AI-assisted content moderation that operates at a speed and consistency that human moderators cannot match.

The irony is sharp. The same AI tools that legitimate companies use for fraud detection and content moderation are being adopted by the underground for exactly the same purposes, just aimed in the opposite direction. The forums are using AI to detect the people trying to detect them.

This creates a capability arms race that most defenders do not yet recognise they are in. The assumption in much of the security industry is that the underground is technically unsophisticated, populated by script kiddies and opportunists running tools they do not fully understand. That assumption was already outdated. It is now dangerously wrong. The top-tier forums are running security operations that would be recognisable to any SOC analyst, because they are using the same conceptual framework and, increasingly, the same AI tooling.

3. The Gentleman and at least five others are recruiting simultaneously

In the past few weeks, months even, I have observed at least six major threat actors, including the group known as The Gentleman, launching active recruitment campaigns (affiliate programs) across dark web forums and Telegram channels.

The volume matters. Individual recruitment drives are normal. They happen regularly as groups expand, replace arrested members, or prepare for specific campaigns. Six simultaneous recruitment drives from established threat actors is not normal. It represents either a coordinated expansion, a response to a market opportunity that multiple actors have identified independently, or preparation for a campaign cycle that requires a larger workforce than any individual group currently maintains.

I cannot determine from external monitoring which of these explanations is correct. What I can say from sustained observation is that when multiple established actors recruit simultaneously, the output (the operations those recruits will eventually execute) arrives 3–6 months later. The recruitment wave of June 2026 is the workforce build for the attack cycle of late 2026 and early 2027.

The market is growing because the market expects to need more people. That expectation is, in itself, the most important indicator in this report.

4. New recruits are passing vetting tests by using AI to cheat them

Here is the part that should concern defenders most, and it is the observation I find most analytically significant.

When a new recruit approaches one of these groups without an established dark web reputation (without the years of forum history, the vouching from known actors, the track record that constitutes credibility in the underground), the groups typically administer a vetting test. The tests vary by group and by role, but they generally assess technical capability: can this person do what they claim they can do?

What I am observing now is that the majority of candidates without established reputation are passing these tests by using AI tools to generate the answers. The recruits do not have the technical depth that the tests are designed to verify. They have access to AI tools that can produce technically correct outputs on demand.

The downstream implications are significant. The next wave of threat actors entering the ecosystem will be, on average, less technically skilled than their predecessors. They will have weaker operational security because they do not fully understand the tools they are using. They will make more mistakes. And they will still be capable of causing serious damage — because the tools they are deploying, even when operated by less skilled hands, are powerful enough to breach, encrypt, exfiltrate, and extort.

This is the AI-assisted mediocrity problem, and it is more dangerous than it sounds. A highly skilled threat actor with strong OPSEC is dangerous but predictable: they follow patterns, they protect their operations, they can be profiled and tracked. A less skilled actor with weak OPSEC and AI-augmented capability is dangerous and unpredictable — they make erratic decisions, they leave trails that lead nowhere useful, and they cause damage through volume and carelessness rather than through precision.

Defenders are optimised to fight the first type. The second type is what is coming.

5. The new generation runs on money and fame — nothing else

The previous generation of major threat actors, the groups that defined the dark web landscape from roughly 2015 to 2023, operated with a mixture of motivations. Some had ideological commitments. Some had technical pride. Many had community loyalty and a code of behaviour that, while criminal, was internally consistent. They protected their operations because their operations were their identity.

The new wave has none of this.

From observation, the recruits entering the ecosystem now are motivated almost exclusively by two things: money and fame. They want to get paid. They want to be known. They want the screenshot of the ransom note on their Telegram channel. They want the reputation without the years of work that reputation used to require.

For defenders, this shift in motivation profile has direct tactical consequences. Actors motivated by community loyalty and operational longevity are cautious: they minimise collateral damage because collateral damage draws attention, and attention threatens their operations. Actors motivated by money and fame are not cautious: they maximise impact because impact is the product. The ransomware note is not a means to an end. It is the end. The data exfiltration is not leverage for negotiation. It is content for their channel.

You cannot predict someone who has nothing to protect and nothing to lose. The traditional threat-actor profiling frameworks that work for established groups (profiling their operational patterns, their targeting preferences, their negotiation behaviour) do not work for actors whose operational pattern is chaos and whose negotiation behaviour is performative.

6. The numbers tell a story that is not over

A recent report from a Fortune 50 company confirmed what I have been observing from the underground side: cyberattacks increased by 40–50% in 2025 compared to the prior year. Based on what I see in the recruitment patterns, market proliferation, and AI-tool adoption documented in this article, I assess that attacks in 2026 are on track for a 60–80% increase.

But the curve does not plateau there. The recruitment wave happening now (the six simultaneous campaigns, the AI-assisted vetting, the influx of money-motivated actors) is the workforce build for 2027. The tools being developed and tested in underground environments right now are the tools that will be deployed at scale in Q1 2027 through mid-2028.

The attack curve is not flattening. It is steepening. And the steepening has not started yet.

What this actually means: the prediction nobody wants to hear

Here is the uncomfortable conclusion from all six observations taken together.

In the next few months (not years, months), the technical skills that currently define cybersecurity hiring will not be sufficient to prevent the coming wave of attacks. SOC analysts who are excellent at reading logs, writing detection rules, and responding to alerts will continue to be essential. But they will not be enough. The attacks that are being built right now will be designed by people using AI tools to generate capability they do not personally possess, launched by people whose operational patterns do not match any existing profile, and funded by an ecosystem that is growing faster than any monitoring programme can track.

What companies, CERTs, and government security teams actually need, and what almost none of them currently have, is people with real access to underground ecosystems. People who can see what is being built before it is deployed. People who can think like a threat actor because they have spent years watching threat actors think. People who combine technical understanding with the kind of adversarial imagination that lets them stand in the attacker’s shoes and see the target the way the attacker sees it.

I call them reality dreamers — analysts with enough imagination to predict what has not happened yet, based on what they can see being assembled right now. The security industry is full of people who can tell you what happened yesterday. It has very few people who can tell you what will happen next month. And the gap between those two capabilities is where the next breach will live.

React later = pay more. See it now = prevent it.

The choice is structural, and the window for making it is closing.

Adrian Alexandru is the founder and Lead Analyst at Aether Intel, an independent cyber threat intelligence operation based in Brașov, Romania. He has published 80+ TLP:CLEAR intelligence reports across four analytical series and maintains nearly two decades of direct dark web HUMINT monitoring capability. His work is freely available at aether-intel.com.

This article is based on direct observation of underground ecosystems. No specific forums, marketplaces, or Telegram channels are identified by name except where the actor’s identity is already public. No classified intelligence is cited or implied.
