What happens when your email appears on the dark web

Last month, a user emailed us. They'd been quietly using ARK's Shield tier for three weeks when the dark-web monitor flagged their personal email on a leaked credential list. They didn't panic. They thanked us. That single notification, they said, meant they could change passwords before someone else did.

Why we added dark-web monitoring in the first place

When we built ARK, we knew a security score was only half the story. You could have perfect device hygiene, strong permissions, no stalkerware - and still be vulnerable because your credentials were floating somewhere on the criminal internet, harvested from a breach you had nothing to do with.

The problem was real. Our early users kept asking the same question: "Has my data been leaked?" We could point them to free breach checkers, but that felt incomplete. They deserved to know their exposure wasn't a one-time lookup. Breaches happen. New leaks surface constantly. So we integrated with breach databases and built monitoring that runs quietly in the background, checking whether your email has appeared in newly indexed dark-web credentials.

The feature sits in Shield tier because it's not essential baseline security, but it's the kind of thing that makes a real difference to anyone who's ever had their account compromised. It's passive. It runs without nagging. When something is found, you get a notification and a clear next step.

How the dark-web monitor actually scans

Here's what happens under the hood, stripped of the jargon. When you enable dark-web monitoring in Shield, ARK takes your email address and checks it against aggregated databases of leaked credentials that have surfaced on the dark web, forums, and paste sites. We don't store your email in plain text. On iOS, it lives in SecureStore. On Android, it's encrypted in EncryptedSharedPreferences. The lookup itself is privacy-first: on-device processing where possible, and we don't log analytics on what we find.

The scanning runs periodically and is throttled, so you're not hammering the internet with requests every five minutes. When a match is detected, you'll see a notification on your device. The notification tells you which breach exposed the credential, when it likely occurred, and what data was compromised (email, password, username, depending on what the breach contained).

This matters because it's different from antivirus scanning. We're not looking for malware on your phone. We're checking whether your identity exists in criminal databases, which is a completely separate threat vector. It's also different from a password manager; we don't store your passwords. We're only monitoring your email or username against known leaks.
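One common way for a breach lookup to limit what leaves the device is a hash-prefix (k-anonymity) range query, combined with a local record of breaches already reported so that periodic scans only notify on new ones. The example below is added here and is not ARK's code, and the page does not say ARK uses this scheme; the sample records, `PREFIX_LEN` and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample records standing in for a breach-index service.
BREACH_INDEX = [
    {"email": "alex@example.com", "breach": "ExampleRetailer",
     "date": "2024-03-02", "data": ["email", "password"]},
    {"email": "alex@example.com", "breach": "ExampleForum",
     "date": "2023-11-15", "data": ["email", "username"]},
    {"email": "sam@example.org", "breach": "ExampleRetailer",
     "date": "2024-03-02", "data": ["email"]},
]

PREFIX_LEN = 5  # hex characters of the digest sent off-device (assumed value)


def email_digest(email):
    """SHA-256 of the normalised address, as a hex string."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def server_range_query(prefix):
    """Hypothetical server side: return every record in the prefix bucket.

    The server sees only the short prefix, never the address or the full
    digest, so it cannot tell which address in the bucket was queried.
    """
    bucket = []
    for rec in BREACH_INDEX:
        digest = email_digest(rec["email"])
        if digest.startswith(prefix):
            bucket.append({"suffix": digest[PREFIX_LEN:], "breach": rec["breach"],
                           "date": rec["date"], "data": rec["data"]})
    return bucket


def scan(email, already_notified):
    """Device side: one periodic scan; returns alerts for new breaches only."""
    digest = email_digest(email)
    alerts = []
    for cand in server_range_query(digest[:PREFIX_LEN]):
        if cand["suffix"] != digest[PREFIX_LEN:]:
            continue  # a different address that shares the bucket
        if cand["breach"] in already_notified:
            continue  # reported on an earlier scan, do not nag again
        already_notified.add(cand["breach"])
        alerts.append(f'{cand["breach"]} ({cand["date"]}): '
                      f'exposed {", ".join(cand["data"])}')
    return alerts
```

The final match is done on the device by comparing digest suffixes, and each alert carries the three fields the notification is described as showing: breach name, date and exposed data types.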

The moment a breach shows up in real time

I remember testing this feature the week we launched Shield. A major retailer's database had been dumped, and within hours, the credentials were indexed on dark-web forums. Our monitoring system caught it. A test email I'd set up for the scan immediately showed as exposed. It was unsettling, even though I'd designed it. That's the point.

When you see that notification, you're seeing something genuinely useful. You're not getting a vague alert telling you something "might" be wrong. You're getting specific information: this email was in this breach, on this date, with this data type. From there, the app gives you a one-tap action. You can navigate directly to the breached company's password reset page, or you can open your password manager to change the credential across other sites.

We intentionally made the next step obvious because we knew people often don't act on breach notifications. The friction had to be near zero. Tap the notification, read the summary, reset your password. That's it.

What dark-web monitoring isn't (and why that matters)

A few clarifications, because I've seen people misunderstand this feature. Dark-web monitoring isn't a guarantee. It's not a protective barrier that stops breaches from happening. It's early warning. New leaks surface constantly, and no monitoring service catches every single one immediately. What it does is give you visibility into whether your data is already out there, so you can act faster than waiting for a company to notify you (which, let's be honest, some never do).

It's also not a replacement for a password manager or strong passwords. And it's not antivirus. It's one layer of a larger picture. ARK's full score includes your device permissions, network exposure, stalkerware detection, and (in Shield and Fortress) phishing detection, Wi-Fi security analysis, 2FA audits, and DNS leak testing. Dark-web monitoring fits into that ecosystem, answering one specific question: has my identity been compromised in a data breach?

Why privacy matters when you're monitoring the dark web

The irony isn't lost on us. We're asking you to trust us with your email to check if it's been leaked. So we built the feature to work as privately as possible. Your email is encrypted on your device. The lookup happens with minimal data transmission. We don't create tracking profiles or analytics around your breach history. If you delete the app, the data is gone.

This is the one area where a lot of security apps have failed their users. They collect breach data as marketing intelligence. "See, you were in 47 breaches." Sensational. Profitable. Corrosive to trust. We don't do that. Shield tier is £2.99 per month or £29.99 per year. That's the revenue. Not your metadata.

If your email has been in a breach, you won't find out by checking your inbox. You'd only know if the company disclosed it, or if someone used your credentials before you did. Dark-web monitoring answers that question before the damage spreads. How many of your accounts use the same password as the one you forgot about five years ago?
