Understanding the difference in malicious activity between Surface Web and Dark Web

Abstract

The world has seen a dramatic increase in illegal activities on the Internet. Prior research has investigated different types of cybercrime, especially in the Surface Web, which is the portion of the content on the World Wide Web that popular search engines may index. At the same time, evidence suggests cybercriminals are moving their operations to the Dark Web. This portion is not indexed by conventional search engines and is accessed through network overlays such as The Onion Router network. Since the Dark Web provides anonymity, cybercriminals use this environment to avoid getting caught or blocked, which represents a significant challenge for researchers. This research project investigates the modus operandi of cybercriminals on the Surface Web and the Dark Web to understand how cybercrime unfolds in different layers of the Web. Honeypots, specialised crawlers and extraction tools are used to analyse different types of online crimes. In addition, quantitative analysis is performed to establish comparisons between the two Web environments. This thesis comprises three studies. The first examines the use of stolen account credentials leaked in different outlets on the Surface and Dark Web to understand how cybercriminals interact with stolen credentials in the wild. In the second study, malvertising is analysed from the user's perspective to understand whether using different technologies to access the Web could influence the probability of malware infection. In the final study, underground forums on the Surface and Dark Web are analysed to observe differences in trading patterns in both environments. Understanding how criminals operate in different Web layers is essential to developing policies and countermeasures to prevent cybercrime more efficiently.
