Federal agencies have spent the past several years dismantling some of the largest criminal marketplaces hidden on the dark web, from the seizure of Hydra Market to the disruption of Genesis Market and its network of over 1.5 million compromised computers. Those headline-grabbing operations have left many ordinary internet users wondering whether simply opening a Tor browser could expose them to prosecution. The short answer, based on federal statute and Department of Justice charging policy, is that browsing alone is not a crime, but the line between legal access and criminal liability is thinner than most people assume.
What Federal Law Actually Prohibits
The statute that governs computer-related offenses in the United States is the Computer Fraud and Abuse Act, codified at 18 U.S.C. § 1030. The CFAA targets specific conduct: accessing a computer without authorization, exceeding authorized access to obtain information, causing damage to protected computers, trafficking in passwords, and using computers in connection with extortion. Nowhere does the statute criminalize the mere act of installing an anonymizing browser, connecting to the Tor network, or visiting a site hosted on an overlay network. That distinction matters because it separates passive access (typing an address into a browser) from the kinds of technical intrusion or harmful conduct that can trigger federal charges.
The Department of Justice has reinforced this boundary in its own internal guidance. Under Justice Manual section 9‑48.000, federal prosecutors are instructed not to base “exceeds authorized access” charges solely on violations of terms of service, employment policies, or other contractual restrictions. In other words, breaking a website’s rules, by itself, is not enough for a CFAA prosecution. That policy, combined with the statutory language, means that using Tor to reach a .onion address does not automatically satisfy the elements of a computer crime. During arguments in Van Buren v. United States, several justices expressed concern that an overly broad reading of the CFAA could turn routine computer use into a federal offense whenever a user strayed from written policies. Taken together, the statute and charging guidance indicate that federal enforcement is aimed at clearly unauthorized access and demonstrable harm, not at the technology people use to browse.
Where Browsing Ends and Criminal Exposure Begins
The legal picture shifts sharply once a user moves beyond passive viewing and participates in conduct that furthers a crime. When the Justice Department disrupted Genesis Market in a coordinated international operation, investigators described a sprawling criminal service that had offered access to credentials from more than 1.5 million compromised devices and tens of millions of stolen accounts. Buying or selling those credentials, no matter how small the purchase or how casually it is framed, means trafficking in stolen data. That conduct can implicate the CFAA, wire fraud statutes, identity theft laws, and conspiracy provisions, even if the buyer never personally breaks into a system. In practice, Justice Department charging decisions focus on participation in these markets and the downstream harms they enable, not on the act of discovering that such a market exists.
Other categories of activity on the dark web carry similar risks. Marketplaces that advertise illegal drugs, weapons, or malware typically operate in ways that implicate federal narcotics, firearms, and fraud statutes. Even users who believe they are only “window shopping” can cross a legal line if they place an order, send payment, or help others navigate to contraband listings. The law generally does not distinguish between a one-time buyer and a frequent customer when it comes to the core offense: knowingly purchasing illegal goods or services. Once a user moves from passive observation to active participation (whether by buying stolen credentials, ordering controlled substances, or reselling illicit digital tools), the legal protections that apply to ordinary browsing fall away quickly.
Sanctions, Payments, and Non-Hacking Liability
Separate from hacking laws, sanctions rules create an additional layer of exposure that many dark web users overlook. The U.S. Department of the Treasury designated Russia-based Hydra Market and virtual currency exchange Garantex under its economic sanctions authorities, describing Hydra as a major hub for ransomware proceeds, stolen financial information, and illegal drugs in an official Treasury announcement. Once an entity is on the sanctions list, U.S. persons are generally prohibited from providing funds, goods, or services to it, directly or indirectly. That prohibition can apply even if the user never accesses the underlying marketplace through a browser at all and interacts only through a cryptocurrency wallet or payment service.
Sanctions enforcement also operates on a strict liability model in many circumstances: a person can face civil penalties for transacting with a sanctioned party even if they did not intend to support illegal activity. The Office of Foreign Assets Control has issued compliance guidance for virtual currency businesses that stresses the need for screening customers and transactions against sanctions lists, including those connected to darknet services. For individual users, this means that routing a cryptocurrency payment through a sanctioned exchange, or paying a vendor whose deposit address has been linked to a sanctioned marketplace, can create sanctions exposure independent of any CFAA violation. The risk is not theoretical. Treasury’s actions against Hydra and Garantex were accompanied by warnings that participants in those ecosystems could face consequences even if they never touched a line of malicious code.
The Anonymity Myth and Law Enforcement Reach
Many people assume that Tor and similar tools make them untouchable, but recent enforcement actions show that anonymity on the dark web is limited and conditional. In cases involving darknet drug markets and credential shops, investigators have combined traditional techniques (undercover purchases, confidential sources, and physical surveillance) with technical methods such as server seizures and blockchain analysis. When U.S. authorities coordinated with foreign partners to shut down Hydra, the U.S. Attorney’s Office for the Northern District of California described it as the largest online darknet marketplace and emphasized that the operation relied on cross-border cooperation and technical access to infrastructure that users had assumed was hidden. These kinds of actions demonstrate that law enforcement does not need to break Tor’s core encryption to identify key players.
The practical lesson for ordinary users is that Tor offers privacy benefits, but not immunity from investigation. Metadata about when and how a user connects, patterns in cryptocurrency transactions, reused usernames or email addresses, and simple operational mistakes—logging in from a non-Tor connection even once, for example—have all played roles in past cases linking darknet activity to real-world identities. Even passive browsing can be logged by site operators or intermediaries who later become cooperating witnesses. For anyone tempted to test the limits of the law, the enforcement record suggests that relying on technical tools alone to avoid accountability is a high-risk strategy.
Scams That Exploit Dark Web Fear
The dark web’s ominous reputation also creates fertile ground for fraudsters who target people who have never used it at all. The Federal Trade Commission has warned about a common phishing tactic in which scammers send alarming messages claiming that a recipient’s Social Security number, passwords, or other personal information are being sold on hidden websites. These emails often demand payment or urge the recipient to click a link to “scan” the dark web and remove the data. In its consumer alert on these emails, the FTC advises people not to click suspicious links, not to pay anyone who claims they can erase information from secret markets, and instead to update passwords and enable multi-factor authentication on important accounts.
Victims of such scams, or anyone who receives a threatening message invoking the dark web, can help authorities by filing a report with the FTC at its fraud-reporting portal. Those reports feed into law-enforcement databases that track emerging fraud patterns and support investigations. The persistence of these schemes underscores a broader point: public anxiety about hidden corners of the internet often exceeds public understanding of what those spaces are and how they work. That gap allows scammers to use the phrase “dark web” as a kind of magic word to intimidate recipients into hasty decisions. Building a basic understanding of the legal and technical realities (what is merely scary-sounding, what is actually illegal, and what steps to take when something seems off) can reduce the likelihood of both overreacting to harmless claims and underestimating genuine risks.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
