Table of Contents
Introduction:
On April 5, 2023, the FBI and Dutch National Police made a significant breakthrough in dark web investigations by taking down Genesis Market, one of the largest dark web marketplaces. This operation, known as “Operation Cookie Monster,” resulted in the arrest of 119 individuals and the seizure of over $1M in cryptocurrency. The warrant provided by the FBI offers detailed insights into this particular case. In light of these events, it is important to discuss how OSINT (Open Source Intelligence) can play a crucial role in assisting with dark web investigations.
Technical Vulnerabilities:
While not directly classified as OSINT, it is worth noting that there have been instances where technical vulnerabilities existed in the technology used to host dark websites. These vulnerabilities could be present in the software itself or due to misconfigurations, potentially revealing the true IP address of the site. Although such software vulnerabilities are uncommon and rarely utilised, they can be exploited using pen-testing tools like Burp Suite to induce error messages containing the site’s true IP address. Additionally, dark website operators have sometimes used SSL certs or SSH keys, which can be linked to their true IP address using services like Shodan or Censys.
Cryptocurrency Tracing:
Transactions on the dark web often involve the use of cryptocurrency for illegal activities. This opens up the possibility of identifying individuals involved through blockchain analysis tools.
While individuals cannot open a bank account using an anonymous name due to Anti-Money Laundering (AML) and Know Your Customer (KYC) regulations, similar requirements are imposed on cryptocurrency exchanges in many countries. Blockchain analysis tools provided by various companies attempt to link cryptocurrency addresses to specific exchanges, such as Coinbase or Binance. With legal authority, law enforcement or financial investigators can request identifying information for the owner of an account tied to a specific cryptocurrency address.
Although blockchain analysis services have historically been expensive for individuals to purchase, Breadcrumbs, a blockchain analytics provider, recently launched an analytics platform with more affordable prices and a free plan.
Bringing Dark Web Contacts to the Internet:
The dark web’s anonymity attracts a diverse range of users, including whistle-blowers, activists, cybercriminals, and terrorists. However, the dark web lacks stability and security, making it challenging for businesses or individuals to establish a stable income or achieve long-term stability. To overcome this, sellers on the dark web often sell on multiple marketplaces and provide contact methods for potential buyers.
This attempt to provide stability offers a valuable opportunity for OSINT practitioners. These contact methods, or “selectors,” can be utilised to find individuals on the Internet, allowing OSINT practitioners to leverage their knowledge, experience, and resources in their investigations. By tying dark web contacts to resources on the Internet, numerous options for deanonymizing them become available.
OSINT Techniques for Dark Web Investigations:
Historical WHOIS Lookups:
Obtaining domain registration information through WHOIS records can provide valuable insights into the owner or operator of a website. Criminals may unintentionally expose their identity or location by using inaccurate or incomplete privacy protection measures. Even if the WHOIS information for a site is currently anonymous, there may have been a point in the past when it was not. Short gaps in privacy protection can sometimes reveal the true identity of a website owner.
OSINT on Forums:
Dark web users often participate in forums to communicate and answer questions. Inadvertently, they may reveal information that can help OSINT practitioners uncover their true identities. Analysing the language they use and their unique sayings can be extremely useful in building a profile.
Breach Data:
Even if an email address is tied to an anonymous service, the user may have used it on other sites, including forums and social media platforms. If legally and ethically permissible, OSINT practitioners can utilise breach data in their investigations to potentially link an online persona to a real name, physical address, and more.
For example, the 2021/2022 leak of 10GB of data from VPN providers like SuperVPN, GeckoVPN, and ChatVPN contained full names, billing details, and potentially unique identifiers about the devices used, including the International Mobile Subscriber Identity (IMSI) of mobile devices.
Future Developments and Trends:
As dark web investigations continue to evolve, new methods and technologies will undoubtedly be incorporated. One prominent development is the use of Artificial Intelligence (AI) and Machine Learning (ML) in OSINT. AI can aid in the development of web scraping tools that gather and analyse data from multiple sources efficiently, while ML algorithms can be trained to identify patterns and relationships within the data. These advancements have the potential to save investigators significant time and resources, allowing them to focus on other aspects of their investigations.
In conclusion, OSINT tools and techniques play a vital role in assisting with dark web investigations. By leveraging technical vulnerabilities, cryptocurrency tracing, and bringing contacts from the dark web to the Internet, investigators can uncover valuable information and potentially deanonymize individuals involved in illegal activities. As technology continues to advance, the integration of AI and ML in OSINT holds great promise for the future of dark web investigations.