MASH Compliant

Dark Web & Digital Safety

“The Encryption Gap”

Modern exploitation moves from Public (TikTok/Instagram) to Encrypted (Signal/Telegram) within minutes. Once a chat is encrypted, traditional monitoring software often fails.

  • Research & Articles
Down the Rabbit Hole: How Children Are Drawn Into the Dark Web

The Grooming Pipeline From Social Media to Hidden Networks

Children rarely find their way onto the dark web by accident. In the majority of cases documented by the Internet Watch Foundation and the NCA, the journey begins on entirely mainstream platforms — often the same ones every parent recognises.

Understanding how young people end up on hidden networks is essential for anyone working in safeguarding. The assumption that only technically sophisticated or deliberately deviant young people encounter the dark web is dangerously wrong. The process is gradual, manipulative, and frequently orchestrated by adults who know exactly what they are doing.

Stage One: Surface Web Contact

Exploitation almost always begins in plain sight. Groomers, recruiters, and radicalising individuals establish initial contact on platforms where young people already spend time — TikTok, Instagram, Snapchat, Discord, and online gaming environments. These first interactions are typically benign: a compliment, a shared interest, an invitation to join a group or server. There is no immediate request, no obvious red flag. The goal at this stage is simply to establish trust.

The NCA’s 2024 threat assessment identified Discord servers and private Instagram groups as the most common entry points for young people who later appear in dark web exploitation cases. Groomers specifically seek out young people who display markers of vulnerability: social isolation, family conflict, low self-esteem, or a stated desire for excitement and belonging.

Stage Two: The Migration to Encryption

Once a level of trust has been established — a process that can take days or months depending on the target — the conversation is deliberately moved to an encrypted platform. The stated reason is almost always framed positively: “this is more private,” “no one can read our messages here,” “this is where the real group is.” Apps like Telegram, Signal, Session, and Wickr are commonly used at this stage.

This migration is a critical safeguarding indicator. It represents a deliberate move away from platforms where parental monitoring, school filtering, and platform moderation might intervene. At this point, the young person is effectively alone with the contact — whatever boundaries existed on the surface web no longer apply.

Stage Three: Introduction to Hidden Networks

The move to the dark web itself — typically via the Tor browser or I2P network — is usually presented as an exciting secret rather than a risk. Young people may be told they are accessing “exclusive” content, joining an elite group, or participating in something their peers do not know about. The appeal to adolescent psychology here is deliberate: secrecy, status, and belonging are powerful motivators.

What awaits on the other side varies enormously depending on the nature of the exploitation. It may be illegal marketplaces where drugs or weapons are purchased. It may be forums linked to self-harm or suicide. It may be extremist ideological networks. Or it may be the direct production and distribution of child sexual abuse material. In all cases, by the time a young person reaches this stage, they are already significantly compromised.

Warning Signs for Professionals and Parents

  • Sudden secretiveness around device use, including screen tilting and rapid app switching
  • Unexplained installation of VPN, Tor browser, or anonymous messaging applications
  • References to online contacts the young person has never physically met
  • Mention of accessing content “you can’t find on Google”
  • Unexpected receipt of money, cryptocurrency, or gift cards
  • Withdrawal from real-world friendships in favour of online relationships
  • Distress or agitation when access to devices is restricted

If a young person discloses contact from someone encouraging them to move to a different platform or access hidden networks, treat this as a safeguarding concern and refer to your designated lead immediately. Do not attempt to investigate the contact independently.

Click to Buy: Dark Web Marketplaces and the Supply of Drugs and Weapons to Young People

How Hidden Markets Have Changed What Young People Can Access — and How Quickly

Dark web drug markets now operate with the ease of online retail — seller ratings, next-day delivery, customer reviews. For a young person with access to cryptocurrency and a willingness to explore, the barrier to obtaining Class A drugs or illegal weapons has never been lower.

The dark web’s most significant practical impact on youth safeguarding is not ideological radicalisation or online grooming — it is commerce. Hidden marketplaces have fundamentally altered the supply chain for illegal substances and weapons, removing the need for any physical contact with a dealer and replacing street-level risk with what feels, to a teenager, like the familiarity of online shopping.

How Dark Web Markets Work

Marketplaces operating on the Tor network function similarly to legitimate e-commerce sites. Sellers list products with photographs, descriptions, and pricing. Buyers browse categories, read reviews, and complete transactions using cryptocurrency — most commonly Bitcoin or Monero. Goods are posted through the standard mail system, often using sophisticated concealment methods designed to evade postal screening.

The review and rating system is not incidental — it is central to how these markets maintain trust among participants. A vendor with hundreds of positive reviews and a high completion rate is considered reliable. This language of consumer confidence normalises criminal transactions and gives the entire enterprise a veneer of legitimacy that is particularly effective with young people accustomed to platforms like eBay and Amazon.

The Drugs Pipeline

Operationally, dark web drug markets have shifted power away from street gangs and toward individual buyers. A young person in a rural area — previously insulated from drug markets by geography — can now access the same substances available in urban centres, delivered to their door within 48 hours. Home Office research from 2024 noted a statistically significant increase in drug use among 14-17 year olds in low-deprivation rural areas, which analysts have partially attributed to dark web access.

The range of substances available is extensive and includes synthetic opioids, benzodiazepines, MDMA, cocaine, and increasingly novel psychoactive substances (NPS) that are not yet classified under the Misuse of Drugs Act. The latter are particularly dangerous because their pharmacological effects are unpredictable and neither the buyer nor any medical professional treating an overdose may know what has been ingested.

Weapons and the Postal Route

Law enforcement agencies including the National Crime Agency have documented a consistent increase in the postal interception of weapons sourced from dark web vendors. These include blank-firing firearms converted for live use, component parts for illegal weapons, and — most relevant to knife crime prevention — automatic opening blades and other offensive weapons prohibited under UK law.

The link to youth violence is direct. In several high-profile cases, post-mortem examinations of fatal stab wounds have revealed injuries consistent with specialist blade types traceable to dark web origins. The availability of these weapons at low cost and without any physical transaction means that young people who would not previously have been able to arm themselves now can.

Cryptocurrency and Young People

A common assumption is that cryptocurrency represents a significant barrier to young people accessing dark web markets. In practice, this barrier has largely dissolved. Cryptocurrency exchanges now accept payment by debit card. Peer-to-peer trading platforms allow cash purchases with minimal identification. Gift card to cryptocurrency conversion services operate openly. A determined 15-year-old with access to their own bank account — or cash from a part-time job — can acquire cryptocurrency within an hour.

Safeguarding professionals should be alert to unexplained references to Bitcoin, Monero, or other digital currencies, the installation of cryptocurrency wallet applications, and the acquisition of gift cards in high denominations — all of which may indicate dark web purchasing activity.

Indicators of Dark Web Marketplace Involvement

  • Unexplained packages arriving by post, particularly if the young person is evasive about the contents
  • Possession of substances that could not easily have been purchased locally
  • Knowledge of specific drug types, pricing, or sourcing that suggests online market literacy
  • Cryptocurrency wallet apps or transaction histories on devices
  • Possession of cash in amounts inconsistent with known income — potentially indicating resale activity
  • References to specific dark web terminology (“clearnet,” “DNM,” “escrow,” “PGP”)

Where a young person is suspected of purchasing or selling illegal goods via online markets, this constitutes a serious safeguarding concern that may also require referral to the police. Consult your designated safeguarding lead before taking further action.

 

Invisible Victims: Child Sexual Exploitation and the Hidden Web

What Every Safeguarding Professional Needs to Understand About Online CSEA

The Internet Watch Foundation removed over 275,000 URLs hosting child sexual abuse material in 2024 alone. The vast majority of victims never come forward. The majority of perpetrators are never identified. Understanding how this exploitation operates is not optional for those working with children — it is a professional necessity.

Online child sexual exploitation and abuse (CSEA) is the fastest-growing category of safeguarding concern in the UK. It spans a spectrum from the covert recording of imagery without consent, through the grooming and production of child sexual abuse material (CSAM), to the live-streaming of abuse for payment on hidden networks. This article aims to give safeguarding professionals a clear-eyed understanding of how this exploitation works, who it affects, and what the indicators look like in practice.

The Scale of the Problem

The scale of online CSEA is difficult to comprehend. The Internet Watch Foundation, the UK’s primary body for identifying and removing illegal imagery online, consistently reports year-on-year increases in the volume of material it processes. In 2024, the IWF reported that self-generated imagery — content produced by victims themselves under coercion — now accounts for a substantial majority of the new CSAM it identifies. This shift is significant: it means that the abuse is, increasingly, happening in the victim’s own bedroom, mediated through their own device, without any physical contact from the perpetrator.

Victims are overwhelmingly female and predominantly aged between 11 and 16, though cases involving boys and very young children are more common than official statistics suggest, partly because male victims are significantly less likely to disclose.

How Coercion Works: The Sextortion Model

The most prevalent form of online CSEA currently affecting UK children is what law enforcement terms “sextortion” — the use of illegally obtained or coerced intimate imagery as leverage. The typical pattern involves an offender, often operating from outside the UK, who poses as a peer online and builds a romantic connection with a young person. The victim is gradually persuaded to send intimate images. Once obtained, those images are used as blackmail: share more, or they will be sent to parents, school, and friends.

The psychological impact on victims is catastrophic. Many young people who find themselves in this position feel they have no way out. The shame, the fear of parental reaction, and the perceived permanence of digital exposure all contribute to a sense of absolute entrapment. The NSPCC has documented multiple cases where sextortion has been a direct contributing factor in the suicide of young victims — a consequence that underlines the severity of this form of abuse.

Live-Streaming and the Dark Web Economy

A distinct and deeply disturbing strand of online CSEA involves the live-streaming of abuse for financial payment via hidden networks. In these cases, an adult — sometimes a parent or carer of the victim — streams footage of a child being abused to paying viewers on dark web platforms. Payment is made in cryptocurrency, ensuring both parties remain anonymous. The NCA has identified this as one of the fastest-growing categories of CSEA, driven by the combination of accessible technology, cryptocurrency anonymity, and the global demand that hidden networks make possible.

From a safeguarding perspective, identifying children subject to this form of abuse is exceptionally challenging. The abuse may leave no obvious physical signs. The child may not understand that what is happening constitutes abuse. Disclosure, if it comes at all, is frequently triggered by something unrelated — a conversation at school, a pastoral check-in, the intervention of a trusted adult.

AI-Generated CSAM: An Emerging Threat

Law enforcement agencies and child protection organisations have issued increasingly urgent warnings about the use of artificial intelligence to generate synthetic child sexual abuse imagery. AI image generation tools, some of which have been specifically adapted for this purpose, are accessible on dark web forums and increasingly on the surface web. The legal position in the UK is clear — AI-generated CSAM is illegal under the same legislation as imagery of real children — but the enforcement challenge is profound.

The safeguarding implication extends beyond the existence of this material. AI tools are also being used to generate “deepfake” imagery of real, identifiable children — including, in documented cases, pupils at specific schools — using photographs sourced from social media. The production and distribution of such material causes direct harm to identifiable victims even where no physical abuse has occurred.

Disclosure Barriers and What Professionals Can Do

Children who have been subject to online CSEA face enormous barriers to disclosure. Shame and self-blame are near-universal. Fear of parental punishment — particularly around the circumstances that led to image-sharing — frequently outweighs fear of the perpetrator. Many victims believe, erroneously, that they are complicit in their own abuse and that disclosing will result in punishment rather than support.

Creating an environment in which young people feel able to disclose is therefore one of the most important things a school or organisation can do. This means:

  • Delivering age-appropriate education about online relationships and consent that explicitly addresses coercion and blackmail
  • Making clear to young people that they will not be in trouble for disclosing, regardless of what they sent or did
  • Ensuring pastoral staff are trained to recognise the behavioural indicators of online exploitation
  • Having clear referral pathways that do not rely on the child to make a formal complaint

Behavioural Indicators of Online CSEA

  • Withdrawal from friendships and social activities without explanation
  • Visible distress after using a device, or when a device notification arrives
  • Reluctance to attend school or leave the house
  • Sudden deletion of apps or social media accounts
  • Unexplained gifts, money, or new items
  • References to older online contacts, or to “someone who has photos of me”
  • Self-harm, expressions of hopelessness, or sudden deterioration in mental health

If a child discloses or you suspect online CSEA, do not attempt to view or retain any imagery. Do not contact the suspected perpetrator. Refer immediately to your designated safeguarding lead and, where appropriate, the police. The CEOP Command (Child Exploitation and Online Protection) operates a specialist reporting function at ceop.police.uk.

The Dark Web: Checklist for Parents

  • Check for 'Tor' or 'Onion'

Standard browsers cannot reach the Dark Web. Look for the ‘Tor Browser’ app on laptops or mobile devices.

  • Burner SIMs

Encrypted apps often require a phone number. Exploited youth may have a second SIM card for secret accounts.

  • VPN Applications

VPNs hide browsing activity and location. While legitimate uses exist, they can indicate hidden activity.

  • Cryptocurrency Wallets

Bitcoin apps may indicate involvement in illegal marketplaces or receiving payment for exploitation.

Encrypted Apps: Advice For Parents

  • Signal

End-to-end encrypted, disappearing messages

  • Telegram

Secret chats, self-destruct timers

  • WhatsApp

Encrypted but metadata visible

  • Wickr

No phone number required

  • Session

No personal info to sign up

  • Discord

Private servers, minimal oversight

What Parents Should Do

  • Have open conversations about online safety without judgment
  • Know what apps are installed on your child’s devices
  • Understand that monitoring software has limitations
  • Focus on building trust rather than surveillance
  • Know the signs of exploitation beyond digital indicators
Return to the Safeguarding Hub