Introduction

HackNotice’s Dark Web Research Service provides comprehensive access to the largest and most actionable collection of dark web data available today. Our platform allows your team to search, investigate, and analyze exposures in real time, leveraging intelligence gathered from deep and dark web forums, marketplaces, Telegram channels, credential dumps, infostealer malware logs, and other underground sources.

Whether you are conducting threat hunting, incident response, digital exposure analysis, or proactive monitoring, the Research Service gives you direct access to almost 80 billion unique leaked records—all fully indexed and immediately searchable.

For a deeper look at operational use cases, review the Research Use Case Playbook (link).

In addition to real-time search, customers can also use the Trafficked Data Dashboard for a strategic view of global dark web data trends, volume, and exposure types.
(Link to article: Trafficked Data Dashboard)

Research Search Tools

The Research Service provides two primary search capabilities accessible under:

Business → Research

• Phrase Search

• Word Pool Search

Each tool offers different ways to explore the HackNotice Leak Index depending on your investigation needs.

Phrase Search (Business → Research → Phrase)

The Phrase Search tool lets you instantly search for a single term and retrieve all matching results from the HackNotice Leak Index. You can think of this as a specialized, dark-web-focused “Google Search” for exposed data.

You can search for:

• Email addresses

• Names

• Domains

• IP addresses

• Identifiers

• Sensitive numbers

• File names

• Any other string or keyword

Just enter the search term, select your criteria, and hit Search.

Tip: Make sure all desired filters and options are selected before clicking Search, as results are generated in real time.

Search Field Options

These options determine what you are searching for:

• Message - Searches for your term anywhere in the record’s content. This is the most common option for emails, names, domains, and identifiers.

• Filename - Searches the names of dark web files (i.e., Leak Names). Useful for inspecting the contents of a specific breach file.

• Message and Filename - Searches for your term within a specific file. Results include only records from the selected filename that contain your message string.

Search Type Options

These options determine how your term is matched:

• Include Prefixes - Matches your term even if characters appear before it.

  • Example: Searching example.org would return www.example.org.

• Include Suffixes - Matches your term even if characters appear after it.

  • Example: Searching example.org would return example.org/login.

• Include Prefixes and Suffixes - Includes both examples above. Used when the term might appear in the middle of a longer string.

Filters

Enable the Filters checkbox to unlock additional search refinements:

• Start & End Dates - Restricts results to records ingested within a specific timeframe.

• Credential Filter - Shows only results containing passwords.

  • (Applied page-by-page because the search is real-time.)

• Redact Password - Displays password fields with masking for sensitive handling.

• Infostealer Log - Returns only results derived from infostealer malware logs.

• Credential Dump - Returns only results from traditional credential dump files.

• Domain Filter - Limits results to emails or URLs that match your root domain (e.g., searching example.org returns only exposures with that domain).

  • (Only available when searching for a root domain.)

Additional Tools

• Save Search - Save search criteria for easy reuse. Saved searches appear under:

  • Business → Research → Saved

• Download Report - Download the current page of results to CSV for external analysis or triage.

Word Pool Search (Business → Research → Word Pool)

The Word Pool Search tool allows you to search for multiple terms at once—ideal for incident response, threat hunting, and broad exposure investigations.

You can add multiple terms and specify match behavior for each one:

• Exact Match

• Include Prefix

• Include Suffix

• Include Prefix & Suffix

Once your pool is built, choose the number of Matches Required for a record to surface.

Example: If your Word Pool contains 5 search terms and you enter 2 for Matches Required, only records containing at least 2 of the 5 terms will be returned.

This makes Word Pool Search extremely powerful for:

• Identifying clusters of related exposures

• Checking for multiple indicators in a single dataset

• Correlating identifiers during incident response

• Discovering whether a threat actor dataset includes multiple internal signals

Summary

The HackNotice Research Service gives your team direct access to one of the world’s largest and most actionable dark web data collections. With powerful real-time search, flexible filtering, multi-term word pools, and the Trafficked Data Dashboard for strategic insight, your analysts can:

• Identify exposures quickly

• Confirm breach scope

• Support IR investigations

• Monitor emerging threats

• Enhance threat hunting and intelligence operations