How to make

How to Make a Dark Web Monitoring Script Using Tor (Step-by-Step Guide)

spyboy's avatarPosted by

The dark web isn’t magic.

It’s just another network layer — but one designed for anonymity.

Threat actors use it to:

  • Sell leaked databases
  • Trade stolen credentials
  • Share breached company data
  • Post ransomware leak sites
  • Exchange hacking tools

Security teams, OSINT researchers, and bug bounty hunters monitor it to:

  • Detect data leaks early
  • Identify brand impersonation
  • Track credential exposure
  • Monitor threat actor chatter

In this guide, you’ll learn how to make a Dark Web monitoring script using Tor and Python. This script will:

  • Route traffic through Tor
  • Access .onion websites
  • Monitor pages for keywords
  • Detect changes
  • Alert when new content appears

This is strictly for defensive monitoring and research. Accessing or interacting with illegal content is not the goal.

What Is Tor?

Tor

Tor (The Onion Router) is an anonymity network that routes traffic through multiple encrypted relays to hide the user’s IP address.

It enables access to:

  • .onion websites
  • Hidden services
  • Anonymous browsing

Tor works by:

  1. Encrypting traffic in layers (like an onion)
  2. Routing it through multiple nodes
  3. Masking the origin IP

For cybersecurity professionals, Tor is useful for:

  • Threat intelligence
  • Monitoring leak sites
  • Researching dark web forums
  • Tracking impersonation domains

What We’re Going to Build

Our monitoring script will:

  • Connect to Tor locally
  • Access a target .onion site
  • Scrape page content
  • Search for keywords (company name, email, domain, etc.)
  • Compare against previous version
  • Alert if new matches are found

Step 1: Install Tor

Windows:

Download and install Tor Browser from the official site.

Linux:

sudo apt install tor

Start Tor service:

sudo service tor start

By default, Tor runs a SOCKS proxy on:

127.0.0.1:9050

Step 2: Install Python Libraries

pip install requests[socks] beautifulsoup4 hashlib

We’ll use:

  • requests (with SOCKS support)
  • BeautifulSoup
  • hashlib
  • time
  • json

Step 3: Configure Tor Proxy in Python

Create tor_monitor.py

import requests
session = requests.Session()
session.proxies = {
    "http": "socks5h://127.0.0.1:9050",
    "https": "socks5h://127.0.0.1:9050"
}
def fetch_page(url):
    try:
        response = session.get(url, timeout=30)
        return response.text
    except Exception as e:
        print("Error:", e)
        return None

The key part is:

socks5h://127.0.0.1:9050

This routes traffic through Tor.

Step 4: Scraping Page Content

from bs4 import BeautifulSoup
def extract_text(html):
    soup = BeautifulSoup(html, "html.parser")
    return soup.get_text()

We strip HTML and focus on readable text.

Step 5: Keyword Monitoring

Define keywords you want to monitor:

keywords = [
    "example.com",
    "companyname",
    "support@example.com"
]

Search for them:

def check_keywords(text):
    findings = []
    for keyword in keywords:
        if keyword.lower() in text.lower():
            findings.append(keyword)
    return findings

Step 6: Detect Page Changes Using Hashing

We don’t want to alert repeatedly for same content.

Use hashing:

import hashlib
import os
def hash_content(content):
    return hashlib.sha256(content.encode()).hexdigest()
def save_hash(hash_value):
    with open("page_hash.txt", "w") as f:
        f.write(hash_value)
def load_previous_hash():
    if os.path.exists("page_hash.txt"):
        with open("page_hash.txt", "r") as f:
            return f.read()
    return None

Step 7: Putting It Together

import time
target_url = "http://exampleonionaddress.onion"
def monitor():
    while True:
        print("[*] Checking dark web page...")
        
        html = fetch_page(target_url)
        if not html:
            time.sleep(300)
            continue
        
        text = extract_text(html)
        current_hash = hash_content(text)
        previous_hash = load_previous_hash()
        if current_hash != previous_hash:
            print("[!] Page content changed")
            
            findings = check_keywords(text)
            if findings:
                print("[ALERT] Keywords found:", findings)
            
            save_hash(current_hash)
        else:
            print("No changes detected.")
        time.sleep(300)
if __name__ == "__main__":
    monitor()

Now your script checks every 5 minutes.

Step 8: Add Alert Notifications

You can extend this to send alerts.

Example using webhook:

import requests
def send_alert(message):
    webhook_url = "YOUR_WEBHOOK_URL"
    requests.post(webhook_url, json={"content": message})

Call this when keywords are detected.

What You Can Monitor

Security teams monitor:

  • Ransomware leak sites
  • Credential dumps
  • Paste-style dark web pages
  • Brand impersonation
  • Marketplace listings

You could monitor:

  • Your email domain
  • Your brand name
  • Your product name
  • Your username

How Attackers Use the Dark Web

Attackers use it to:

  • Sell stolen databases
  • Trade access credentials
  • Offer malware-as-a-service
  • Share breached company info

Monitoring helps detect incidents earlier.

Important Legal Considerations

Monitoring is legal.

But:

  • Downloading illegal content is not.
  • Participating in transactions is illegal.
  • Accessing certain materials may violate law.

Your goal should always be:

Threat detection
Brand monitoring
Defensive research

How to Improve This Script

To make it more powerful:

Add:

  • Multiple onion targets
  • JSON configuration file
  • Structured logging
  • Database storage
  • Email notifications
  • Geo-IP correlation
  • Automatic Tor circuit renewal
  • Scheduled scanning with cron
  • Docker container deployment

You could even build a lightweight alternative to dark web monitoring platforms.

Advanced: Renew Tor Identity Automatically

Tor allows identity rotation.

Install stem:

pip install stem

Then:

from stem import Signal
from stem.control import Controller
def renew_tor_ip():
    with Controller.from_port(port=9051) as controller:
        controller.authenticate(password="yourpassword")
        controller.signal(Signal.NEWNYM)

This rotates your exit node.

Included

  • how to monitor dark web using Python
  • build dark web monitoring tool
  • tor python monitoring script
  • monitor onion sites
  • cybersecurity threat intelligence script

Final Thoughts

Building a dark web monitoring script teaches you:

  • How Tor works
  • How anonymized routing functions
  • How to scrape hidden services
  • How to detect changes intelligently
  • How threat intelligence automation works

You stop thinking of the dark web as mysterious.

You start seeing it as just another monitored data source.

And once you automate monitoring…

You move from reactive security to proactive defense.

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.