Introduction

HackNotice’s Dark Web Research Service provides comprehensive access to the largest and most actionable collection of dark web data available today. Our platform allows your team to search, investigate, and analyze exposures in real time, leveraging intelligence gathered from deep and dark web forums, marketplaces, Telegram channels, credential dumps, infostealer malware logs, and other underground sources.

Whether you are conducting threat hunting, incident response, digital exposure analysis, or proactive monitoring, the Research Service gives you direct access to over 90 billion unique leaked records, all fully indexed and immediately searchable.

The Research Service provides multiple search capabilities, including Phrase Search, Word Pool Search, and Chatter Search, which together provide a complete investigation workflow by allowing analysts to search both the exposed data itself and the threat actor discussions surrounding that data.

For a deeper look at operational use cases, review the Research Use Case Playbook (link).

In addition to real-time search, customers can also use the Trafficked Data Dashboard for a strategic view of global dark web data trends, volume, and exposure types.
(Link to article: Trafficked Data Dashboard)

Research Search Functionality

The Research Service provides two primary search capabilities accessible under:

Business → Research

• Phrase Search

• Word Pool Search

• Chatter

• Leak Files

Each tool offers different ways to explore the HackNotice Leak Index depending on your investigation needs.

Phrase Search (Business → Research → Phrase)

The Phrase Search tool lets you instantly search for a single term and retrieve all matching results from the HackNotice Leak Index. You can think of this as a specialized, dark-web-focused “Google Search” for exposed data.

You can search for:

• Email addresses

• Names

• Domains

• IP addresses

• Identifiers

• Sensitive numbers

• File names

• Any other string or keyword

Just enter the search term, select your criteria, and hit Search.

Tip: Make sure all desired filters and options are selected before clicking Search, as results are generated in real time.

Search Field Options

These options determine what you are searching for:

• Message - Searches for your term anywhere in the record’s content. This is the most common option for emails, names, domains, and identifiers.

• Filename - Searches the names of dark web files (i.e., Leak Names). Useful for inspecting the contents of a specific breach file.

• Message and Filename - Searches for your term within a specific file. Results include only records from the selected filename that contain your message string.

Search Type Options

These options determine how your term is matched:

• Include Prefixes - Matches your term even if characters appear before it.

  • Example: Searching example.org would return www.example.org.

• Include Suffixes - Matches your term even if characters appear after it.

  • Example: Searching example.org would return example.org/login.

• Include Prefixes and Suffixes - Includes both examples above. Used when the term might appear in the middle of a longer string.

Filters

Enable the Filters checkbox to unlock additional search refinements:

• Start & End Dates - Restricts results to records ingested within a specific timeframe.

• Credential Filter - Shows only results containing passwords.

  • (Applied page-by-page because the search is real-time.)

• Redact Password - Displays password fields with masking for sensitive handling.

• Infostealer Log - Returns only results derived from infostealer malware logs.

• Credential Dump - Returns only results from traditional credential dump files.

• Domain Filter - Limits results to emails or URLs that match your root domain (e.g., searching example.org returns only exposures with that domain).

  • (Only available when searching for a root domain.)

Additional Tools

• Save Search - Save search criteria for easy reuse. Saved searches appear under:

  • Business → Research → Saved

• Download Report - Download the current page of results to CSV for external analysis or triage.

Word Pool Search (Business → Research → Word Pool)

The Word Pool Search tool allows you to search for multiple terms at once—ideal for incident response, threat hunting, and broad exposure investigations.

You can add multiple terms and specify match behavior for each one:

• Exact Match

• Include Prefix

• Include Suffix

• Include Prefix & Suffix

Once your pool is built, choose the number of Matches Required for a record to surface.

Example: If your Word Pool contains 5 search terms and you enter 2 for Matches Required, only records containing at least 2 of the 5 terms will be returned.

This makes Word Pool Search extremely powerful for:

• Identifying clusters of related exposures

• Checking for multiple indicators in a single dataset

• Correlating identifiers during incident response

• Discovering whether a threat actor dataset includes multiple internal signals

Chatter Search (Business → Research → Chatter)

The Chatter Search tool expands the HackNotice Research Service beyond leaked files and credential datasets by allowing users to search directly through threat actor conversations and publishings collected from dark web forums, marketplaces, underground communities, and other monitored sources.

While Phrase Search and Word Pool Search focus on the contents of exposed datasets and files, Chatter enables analysts to investigate the discussions, advertisements, claims, negotiations, and intelligence-sharing activity taking place across underground communities.

This provides valuable context during:

• Threat hunting
• Incident response investigations
• Third-party breach investigations
• Brand monitoring
• Ransomware and extortion monitoring
• Threat actor research
• Supply chain investigations

Each Chatter search consumes 1 credit per search page, consistent with the standard Research Service search tools.

Single Phrase Search

The Single Phrase search allows users to search for a specific term or phrase across all indexed threat actor postings.

Searches are performed against:

• Post titles
• Post content/body text

Common search examples include:

• Company names
• Domains
• Executive names
• Product names
• Threat actor aliases
• Cryptocurrency wallets
• Email addresses
• Vulnerability identifiers (CVEs)
• Industry-specific keywords

Simply enter the desired term, select the preferred match type, and click Search.

Search Type Options

Chatter supports the same matching methods available throughout the Research Service:

Exact Match

Returns only posts containing the exact phrase entered.

Example: Searching example.org returns only occurrences of example.org.

Include Prefixes

Matches when additional characters appear before the search term.

Example: Searching example.org may return www.example.org.

Include Suffixes

Matches when additional characters appear after the search term.

Example: Searching example.org may return example.org/login.

Include Prefixes and Suffixes

• Matches the search term anywhere within a larger string.

Chatter Word Pool Search

Chatter Word Pool Search enables users to search for multiple terms simultaneously across threat actor postings.

Each term can be assigned its own search type:

• Exact Match
• Include Prefixes
• Include Suffixes
• Include Prefixes and Suffixes

Users can then specify the Minimum Terms to Match value.

Example

A Word Pool containing:

• company.com
• ransomware
• credentials
• VPN

with a Minimum Terms to Match value of 2 will return only posts containing at least two of those terms.

This capability is especially useful when:

• Investigating suspected breaches
• Monitoring multiple brands simultaneously
• Correlating indicators during incident response
• Identifying discussions related to specific technologies or vendors
• Finding posts that contain combinations of high-priority indicators

Advanced Filters

Selecting Show Advanced Options provides additional filtering capabilities to refine investigations.

Source Name

Limit results to a specific forum, marketplace, channel, or source.

Example:

• breachforums
• exploit
• darknetarmy

Author

Search for content published by a specific threat actor or username.

Example:

• ShinyHunters
• DBHunter
• IntelBroker

Source Section

Restrict results to a particular section within a source.

Examples:

• Databases
• leaksmarket

Source Type

Filter by source category.

Examples:

• Forum
• Marketplace

Thread ID

Search within a specific discussion thread.

This is particularly useful when analysts want to review the complete conversation associated with a known posting.

Original Post

Many underground communities contain reposted or duplicated content.

Options include:

• Any
• Yes (Original Posts Only)
• No (Duplicates Only)

Selecting Yes (Original Posts Only) can help eliminate duplicate content and focus investigations on the initial publication.

Date Range

Limit results to postings published during a specific timeframe using:

• Start Date
• End Date

This is useful when investigating incidents that occurred during a known exposure window.

Sort Order

Results can be sorted by:

• Newest First
• Oldest First

Understanding Results

Each Chatter result provides visibility into the original publication and its associated metadata.

Results display:

• Publication date
• Source platform
• Source category
• Threat actor username
• Post title
• Post content preview
• Thread ID

This allows analysts to quickly determine:

• Who made the post
• Where it was published
• When it was published
• What was discussed
• Whether additional investigation is required

For example, a search for a company domain may uncover:

• Discussions of a recent compromise
• Advertisements for stolen databases
• Credential sale listings
• Initial access offerings
• Threat actor negotiations
• Mentions within larger breach discussions

Chatter vs. Traditional Research Searches

Summary

The HackNotice Research Service gives your team direct access to one of the world’s largest and most actionable dark web data collections. With powerful real-time search, flexible filtering, multi-term word pools, and the Trafficked Data Dashboard for strategic insight, your analysts can:

• Identify exposures quickly

• Confirm breach scope

• Support IR investigations

• Monitor emerging threats

• Enhance threat hunting and intelligence operations