May 6, 2026 | 4 min read | darkweb

Identification of Public Infrastructure Associated with the Darkhub Hacking-for-Hire Service

By Threat Intelligence Unit

Executive Summary

  • A dark web service named Darkhub advertising hacking-for-hire capabilities was identified.
  • The platform promotes a wide range of illicit services, including account compromise, surveillance, and financial manipulation.
  • Infrastructure analysis revealed an associated public IP address hosted on a provider previously flagged for bulletproof hosting characteristics, indicating potential exposure beyond Tor.


Site Analysis

Darkhub presents itself as a structured hacking-for-hire platform accessible via the Tor network, advertising itself as a centralized provider of offensive cyber capabilities covering both targeted and scalable illicit operations.

As with most dark web hacking-for-hire services, the actual operational capability behind these advertised offerings cannot be confirmed through external observation alone. Many such platforms operate primarily as advance-fee scams rather than functional offensive services.

Identified Onion Service

  • 7comssbegmmbxdi7nu7obids2urmkqnmxao5ojbesga3hxmns2yjnxqd.onion

Figure 1. Darkhub hacking-for-hire service site interface

The platform advertises multiple categories of services, including:

Account Compromise

  • Social media platforms (Instagram, Telegram, WhatsApp)
  • Email account access

Device and Communication Surveillance

  • Mobile phone monitoring
  • Message interception

Location Tracking

  • Real-time or historical tracking of individuals

Financially Motivated Operations

  • Unauthorized access to financial accounts
  • Cryptocurrency-related services
  • Credit score manipulation and fund recovery claims

The inclusion of categories such as "credit score manipulation" and "fund recovery" is notable.

These offerings are commonly associated with advance-fee scam operations, where operators target victims of prior fraud with promises of recovering lost funds in exchange for upfront payment. Their presence in the service catalog suggests that at least a portion of Darkhub's advertised offerings may be oriented toward defrauding prospective clients rather than delivering technical capabilities.


Figure 2. Service listing and contact information of the Darkhub site


Figure 3. Service offerings displayed on the Darkhub site



Infrastructure Analysis

Public IP Identification

Using the dark web intelligence platform Arthur, infrastructure linked to the Darkhub site was identified.

  • Public IP Address: 38.127.***.***
  • Host Provider: ULTAHOST
  • Country: United States
  • ASN: AS44259

The identification of a publicly routable IP suggests that backend services may not be fully confined to Tor-only environments.

Hosting Provider Context

ULTAHOST (AS44259) has been previously identified in third-party reporting as a hosting provider exhibiting bulletproof hosting characteristics. Bolster AI has listed the provider in its bulletproof hosting categorization, and the provider has been the subject of an ICANN compliance notice regarding the handling of phishing-related domain abuse. Public marketing materials associated with the provider emphasize permissive content policies and offshore-style operational positioning.

While the presence of an illicit service on this network does not, by itself, indicate operator complicity, the provider's reputation is consistent with infrastructure choices observed across other dark web service operators seeking permissive hosting environments.

Infrastructure Stability

Observed hosting data indicates:

  • The associated IP address has undergone multiple changes historically
  • The current IP has remained consistent since January 12, 2026

The pattern of IP changes followed by recent stabilization may reflect a range of factors, including hosting account migrations, provider-level reallocations, or operational adjustments. Without additional context regarding the specific reasons for prior changes, definitive attribution of intent is not possible.



Conclusion

The Darkhub site presents itself as a structured hacking-for-hire service offering a broad range of illicit capabilities. The actual operational capability behind the advertised services cannot be confirmed through external observation, and the inclusion of categories such as fund recovery and credit score manipulation suggests that at least part of the platform's offering may be oriented toward defrauding prospective clients.

Infrastructure analysis revealed a publicly accessible IP address associated with the service, suggesting partial exposure beyond Tor-based anonymity. The associated hosting provider has been previously identified in third-party reporting as exhibiting bulletproof hosting characteristics, which is consistent with infrastructure choices commonly observed across other dark web service operators.