Gemini picks up criminal activity buried in dark web noise

To help teams make faster and more accurate decisions on emerging threats, Google has introduced a dark web intelligence capability in Google Threat Intelligence. Powered by Gemini, the feature analyzes millions of dark web events each day and surfaces threats relevant to an organization’s operations.


“Instead of requiring your team to manually input and update keywords, our new dark web intelligence capability uses Gemini to autonomously build an organizational profile that is specific to your business operations and mission, automatically adjusting as these are modified,” Google said.

Google said the feature processes large volumes of data from forums, services, and technical infrastructure, supported by its in-house systems. Analysts from its Google Threat Intelligence Group also contribute context from ongoing monitoring of dark web activity, helping interpret and refine the signals identified by the system.

The company also outlined a scenario in which an initial access broker advertises VPN access to a large European retailer without naming the organization, offering credentials tied to internal systems such as payroll and logistics. Because some legacy tools rely on direct keyword matches, such activity may go undetected when the target is not explicitly identified.

Brandon Wood, Product Manager, Google Threat Intelligence, explained that many existing tools cannot distinguish between terms like "apple" the fruit and "Apple" the company, meaning analysts may receive alerts tied to unrelated references such as names or generic terms.

According to Google, the new capability takes a different approach by correlating details such as revenue range, geographic location, and system types with an organization’s profile. This allows the system to associate the activity with a specific entity and flag a potential compromise before access is sold or exploited.
