There is a line of thinking in cybersecurity that stops at knowing your stakeholders, speaking their language, and getting buy-in. That thinking is necessary, but it is only half the job. The other half is knowing your adversary just as well. Alex Holden's session at BSides Luxembourg was called "Why I Go to the Dark Web Every Day", and it was one of the most grounding talks of the conference.

Alex and his company have built a networked presence on the dark web. Not monitoring it from a distance — actually cultivating relationships, understanding communities, learning the culture, and developing the kind of intelligence that lets you anticipate what threat actors are going to do before they do it.

Understanding What Drives Adversaries

Motivation generally falls into four categories: profit, fame, activism, and state sponsorship. That shapes everything about how a threat group operates, how they recruit, how they communicate, and what they consider a successful operation.

The for-fame motivation is worth understanding in its specificity. Alex showed a Hollywood Walk of Fame star with "your name here" on it. That is an accurate representation of how some threat actors think. Reputation within the community, notoriety, being known for a significant breach. For some groups that is the primary objective — and it drives behaviour that purely profit-motivated groups would never engage in.

On State Sponsorship Attribution

In China, state-sponsored threat actors are not permitted to use Chinese IP addresses when conducting operations. If you see a Chinese IP address in your logs, that is actually a signal that it is probably not a Chinese state group. Real state-sponsored Chinese threat actors will be operating from infrastructure that does not trace back to China at all. It sounds counterintuitive but it is exactly the kind of detail that separates genuine threat intelligence from surface-level attribution.

The Recon Mindset

Before an attack happens, recon happens. The recon methodology Alex described was structured around three things: who to approach, circles of influence, and reputation research. Threat actors study their targets the way a good salesperson studies a prospect. They map the organisation, identify who has access to what, understand who influences whom, and build a picture of where the soft spots are before they ever make contact.

Alex put up a slide with a panda hidden in a dense photograph of bamboo — I know it is hard to believe but there is in fact a panda in this photo. The point was blunt. The threats are already there in your environment. Most organisations just do not have the eyes to see them.

FunkSec — AI-Assisted Ransomware in Practice

FunkSec emerged in late 2024 and within its first month published over 85 claimed victims, surpassing every other ransomware group globally that December. Alex showed their actual dark web page on screen, including their self-description — written like something generated by AI that had never been proofread.

The group was likely operated by inexperienced actors, probably based in Algeria, who used AI to develop and rapidly iterate their malware. They released version updates days apart. Their motivations straddled hacktivism and cybercrime. They charged low ransoms — sometimes as little as $10,000. Many of their claimed victim datasets were recycled from previous campaigns.

What makes FunkSec genuinely significant is not their sophistication. It is the opposite. AI allowed actors without deep expertise to produce functional, evolving attack tooling and to generate communications that crossed language barriers. The messages that went out were grammatically unusual — written by AI, never reviewed by a human. Security awareness training built around recognising conventional ransomware communications will not catch content that reads like it was written with unusual instructions and never reviewed.

The Bigger Point

Dark web intelligence is not about surveillance for its own sake. It is about developing the same quality of understanding of your adversaries that good threat actors develop about their targets. They research you. They map your people. They understand your tools and your gaps. The question is whether you are doing the same work in reverse.

Alex goes to the dark web every day because that is where that knowledge lives. And the organisations that do not have access to that intelligence are making decisions about their security posture with half the picture.

Based on the session by Alex Holden at BSides Luxembourg 2026.