On April 5, 2023, the FBI and the Dutch National Police announced the takedown of Genesis Market, one of the largest dark web marketplaces. The operation, dubbed “Operation Cookie Monster”, resulted in the arrest of 119 people and the seizure of more than $1 million in cryptocurrency. You can read the FBI warrant here for details specific to this case. In light of these events, I’d like to discuss how OSINT can assist dark web investigations.
The anonymity of the Dark Web attracts a wide range of users, from political reporters and activists to cyber criminals and terrorists. There are several techniques that can be used to try and identify the individuals behind these sites and personas.
While not considered OSINT, there have been instances when technical vulnerabilities existed in the technology used to host dark websites. These vulnerabilities may be in the software itself or due to misconfiguration, but can sometimes reveal a site’s true IP address. Often these software vulnerabilities require pen testing tools and techniques such as Burp Suite to induce an error message containing the actual IP address of the site. Such vulnerabilities are rare and rarely exploited.
There are also instances when dark web site operators use SSL certificates or SSH keys that can be matched to their actual IP addresses using internet scanning services such as Shodan or Censys.
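The SSH half of that technique rests on a simple fact: a host key has one fingerprint no matter which address it is served from, so a key seen on an onion service can be compared against fingerprints collected from clearnet scans. The following is an added example, not code from the original article or from Shodan or Censys; it computes the OpenSSH-style SHA256 fingerprint of a public key (the same value `ssh-keygen -lf` prints) and reports which scanned IPs share a fingerprint with an onion host. All hosts, IPs and key bytes are constructed for the example and the 32-byte key material is filler, not a real Ed25519 key.

```python
import base64
import hashlib
import struct


def make_ed25519_line(raw32: bytes) -> str:
    """Build a syntactically valid 'ssh-ed25519 <base64>' line from 32 raw bytes.

    SSH wire format: length-prefixed key type followed by the length-prefixed key.
    Constructed for the example; the bytes are not a real Ed25519 public key.
    """
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded key blob)) without padding."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def correlate(onion_keys: dict, scan_results: dict) -> dict:
    """Map each onion host to the sorted list of scanned IPs serving the same host key.

    onion_keys:   {onion_host: pubkey_line} observed on the hidden service
    scan_results: {ip: pubkey_line} as collected from an internet-wide scan dataset
    """
    by_fingerprint = {}
    for ip, line in scan_results.items():
        by_fingerprint.setdefault(ssh_fingerprint(line), []).append(ip)
    return {host: sorted(by_fingerprint.get(ssh_fingerprint(line), []))
            for host, line in onion_keys.items()}


# Constructed sample data (hypothetical hosts, documentation-range IPs, filler keys)
KEY_A = make_ed25519_line(bytes(range(32)))
KEY_B = make_ed25519_line(bytes(range(32, 64)))
KEY_C = make_ed25519_line(b"\x7f" * 32)

ONION_KEYS = {"exampleservice.onion": KEY_A}
SCAN_RESULTS = {"203.0.113.10": KEY_A, "198.51.100.7": KEY_B, "192.0.2.44": KEY_C}


def run_example() -> dict:
    return correlate(ONION_KEYS, SCAN_RESULTS)


if __name__ == "__main__":
    for host, ips in run_example().items():
        print(host, "shares its SSH host key with:", ips or "no scanned host")
```

A match is a lead, not proof: shared hosting images and cloned VMs ship duplicate host keys, so a fingerprint hit should be corroborated with other selectors before anyone concludes the two hosts are the same operator.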
Transactions on the dark web often involve cryptocurrency in exchange for illegal goods and services. This opens up the possibility of identifying individuals with the help of blockchain analysis tools.
I can’t go to a bank and open an account using an “anonymous” name because of laws designed to prevent money laundering. These requirements are often referred to as Anti-Money Laundering (AML) and Know Your Customer (KYC) and require customers to provide government-issued identification as proof of identity. Many countries have similar requirements on cryptocurrency exchanges.
For several years, the company has provided blockchain analysis tools that attempt to tie cryptocurrency addresses to specific exchanges, such as Coinbase or Binance. Once a cryptocurrency address is associated with a particular exchange, law enforcement and/or financial investigators with legal authority may request that the exchange provide them with identifying information about the account owner.
Historically, these blockchain analysis services have been a cost barrier for individual purchasers, but blockchain analytics provider Breadcrumbs recently launched an analytics platform with a much more affordable price and a free plan.
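The article describes what these tools do (tie addresses to an exchange) but not how. The most basic building block such tools use is the common-input-ownership heuristic: all inputs of one Bitcoin-style transaction are assumed to be controlled by the same wallet, so addresses that are ever spent together are merged into one cluster, and a cluster that sends funds to a known exchange deposit address has a KYC pivot. The code below is an added example written for this post, not Breadcrumbs' or any vendor's code; the transactions, addresses and the exchange label are all constructed.

```python
from collections import defaultdict

# Constructed sample ledger: (txid, input addresses, output addresses).
# tx4 sends coins from addr_C to an address we have labelled as an exchange deposit.
SAMPLE_TXS = [
    ("tx1", ["addr_A", "addr_B"], ["addr_X"]),
    ("tx2", ["addr_B", "addr_C"], ["addr_Y"]),
    ("tx3", ["addr_D"], ["addr_Z"]),
    ("tx4", ["addr_C"], ["exch_dep_1"]),
]
# Hypothetical attribution data; real tools maintain large labelled address sets.
KNOWN_LABELS = {"exch_dep_1": "ExampleExchange (hypothetical)"}


def cluster_addresses(txs):
    """Union-find over transaction inputs (common-input-ownership heuristic).

    Returns {address: frozenset(cluster members)} for every address seen as an input.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for _, inputs, _ in txs:
        for addr in inputs:
            union(inputs[0], addr)  # co-spent inputs land in one cluster

    members = defaultdict(set)
    for addr in list(parent):
        members[find(addr)].add(addr)
    return {addr: frozenset(members[find(addr)]) for addr in parent}


def exchange_exposure(txs, labels):
    """For every clustered address, the set of exchange labels its cluster paid into."""
    clusters = cluster_addresses(txs)
    exposure = {addr: set() for addr in clusters}
    for _, inputs, outputs in txs:
        hits = {labels[o] for o in outputs if o in labels}
        if hits:
            for addr in clusters[inputs[0]]:
                exposure[addr] |= hits
    return exposure


if __name__ == "__main__":
    for addr, labels in sorted(exchange_exposure(SAMPLE_TXS, KNOWN_LABELS).items()):
        print(addr, "->", sorted(labels) or "no exchange exposure")
```

Here addr_A never touches the exchange directly, yet it inherits the exposure because it was co-spent with addr_B, which was co-spent with addr_C. The heuristic is deliberately defeated by CoinJoin-style transactions, where unrelated parties share inputs, so production tooling has to detect and exclude those before clustering.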
Take Them to the Internet
We don’t cover the dark web until day five of my SANS SEC497 Practical OSINT course. Why? It is important that you first study the options available once contact methods obtained on the dark web are brought back to the internet. Let me explain.
Imagine you run a food truck that is constantly forced to change locations because of a city ordinance that you can’t be in the same place more than twice a month. How do you try to build brand loyalty and let potential customers know where you are every day?
You might try to get customers to connect with you on social media or visit your website, etc., so they know where to find you. Believe it or not, there’s a very similar dynamic on the dark web.
What the dark web provides is anonymity, and what it lacks is stability and security. Major markets like Silk Road, AlphaBay, Hansa, Wall Street and now Genesis have all been busted by law enforcement. Denial of Service attacks have become a huge problem on the Tor network, as evidenced by the popular forum “Dread” which recently went down for several months due to such attacks. Can you imagine trying to run a business and achieve a steady income in that environment?
One way sellers try to achieve stability and resilience is by selling on multiple markets and providing a method of contacting them directly. This attempt to provide stability makes a lot of sense and is very useful for OSINT practitioners, as it provides contact methods, or “selectors”, that we can use to find them on the internet and draw on all our knowledge, experience and resources. See an example below where we were able to take an email address from a dark web site and tie it to a site on the internet using Google.
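The selector workflow above has two mechanical steps worth automating: pulling contact methods out of listing text, and noticing when the same selector appears under different vendor names on different markets, which links those personas before any clearnet pivot is attempted. The code below is an added example, not part of the original article; the markets, vendor names, handles and addresses are all constructed and the regular expressions cover only three selector types (email or Jabber addresses, Telegram handles, PGP key IDs), which is an assumption about what listings contain.

```python
import re
from collections import defaultdict

# Constructed vendor listings from hypothetical markets; no real personas or contacts.
LISTINGS = [
    {"market": "market_one", "vendor": "frostbyte",
     "text": "Fast shipping. Contact: frostbyte@mail.example or jabber frost@xmpp.example.org"},
    {"market": "market_two", "vendor": "Frost_Byte",
     "text": "Reach me on jabber: frost@xmpp.example.org, telegram @frostbyte_tg"},
    {"market": "market_three", "vendor": "icepick",
     "text": "PGP 0x3F2A9C1D8B7E6F50  email icepick@example.net"},
    {"market": "market_one", "vendor": "nightowl",
     "text": "telegram @frostbyte_tg for bulk"},
]

# Jabber IDs share the user@domain shape, so they are captured by the email pattern.
SELECTOR_PATTERNS = {
    "address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "telegram": re.compile(r"(?<!\w)@([A-Za-z]\w{4,31})\b"),
    "pgp_keyid": re.compile(r"\b0x[0-9A-Fa-f]{16}\b"),
}


def extract_selectors(text):
    """Return a set of (kind, normalised value) pairs found in listing text."""
    found = set()
    for kind, pattern in SELECTOR_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if pattern.groups else m.group(0)
            found.add((kind, value.lower()))
    return found


def link_personas(listings):
    """Group (market, vendor) personas that are connected through shared selectors.

    Builds a bipartite graph persona <-> selector and returns its connected components.
    """
    by_selector = defaultdict(set)
    persona_selectors = {}
    for item in listings:
        persona = (item["market"], item["vendor"])
        selectors = extract_selectors(item["text"])
        persona_selectors[persona] = selectors
        for sel in selectors:
            by_selector[sel].add(persona)

    seen, groups = set(), []
    for start in persona_selectors:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            persona = stack.pop()
            if persona in seen:
                continue
            seen.add(persona)
            component.add(persona)
            for sel in persona_selectors[persona]:
                stack.extend(by_selector[sel] - seen)
        groups.append(component)
    return groups


def pivot_queries(selectors):
    """Exact-phrase search strings to try on a clearnet search engine."""
    return sorted(f'"{value}"' for _, value in selectors)


if __name__ == "__main__":
    for group in link_personas(LISTINGS):
        print("linked personas:", sorted(group))
    print(pivot_queries(extract_selectors(LISTINGS[0]["text"])))
```

In the constructed data the vendor "nightowl" advertises the same Telegram handle as "Frost_Byte", who in turn shares a Jabber address with "frostbyte", so all three collapse into one group while "icepick" stays separate. Selectors are lower-cased before comparison because markets preserve whatever capitalisation the seller typed.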
Once we’ve tied individuals to resources on the internet, we have many options for deanonymizing them. Some of my favorite options include:
Historical WHOIS Search
Domain registration information such as WHOIS records can provide useful information about a website owner or operator. In some cases, criminals may inadvertently reveal their identity or location through inaccurate or incomplete privacy protection measures. Even if the WHOIS information for a site is currently anonymous, at some point in the past it often was not. I’ve seen gaps as small as four days where a site that was privately registered before and after gave away the owner’s real identity.
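Finding those short gaps by eye across years of WHOIS snapshots is tedious, so the check is worth scripting. The code below is an added example, not from the original article or any WHOIS history provider: it takes a list of dated registrant snapshots, skips the ones that name a privacy or proxy service, and reports each window in which a real-looking registrant was visible, with the window's end taken from the next snapshot. The domain history is constructed, and the list of privacy markers is an assumption that would need extending for the providers seen in real data.

```python
from datetime import date

# Substrings that identify a WHOIS privacy/proxy registrant (assumed, non-exhaustive).
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "withheld")

# Constructed snapshot history for a hypothetical domain: (date, registrant, email).
HISTORY = [
    (date(2021, 3, 1), "Domains By Proxy, LLC", "proxy@registrar.example"),
    (date(2021, 9, 14), "J. Example (constructed)", "j.example@mail.example"),
    (date(2021, 9, 18), "Domains By Proxy, LLC", "proxy@registrar.example"),
    (date(2022, 5, 2), "REDACTED FOR PRIVACY", ""),
]


def is_privacy_protected(registrant: str) -> bool:
    name = registrant.lower()
    return any(marker in name for marker in PRIVACY_MARKERS)


def exposure_windows(history):
    """Return [(start, end, registrant, email)] for snapshots with a non-proxy registrant.

    `end` is the date of the following snapshot, or None if the exposure is still current.
    """
    snapshots = sorted(history)
    windows = []
    for i, (seen, registrant, email) in enumerate(snapshots):
        if is_privacy_protected(registrant):
            continue
        end = snapshots[i + 1][0] if i + 1 < len(snapshots) else None
        windows.append((seen, end, registrant, email))
    return windows


if __name__ == "__main__":
    for start, end, who, mail in exposure_windows(HISTORY):
        length = f"{(end - start).days} days" if end else "still exposed"
        print(f"{start} -> {end}: {who} <{mail}> ({length})")
```

The only window in the constructed history is the four-day lapse in September 2021, which is exactly the kind of brief exposure the text describes. Snapshot dates mark when a record was captured, not when it changed, so the true exposure is at most the reported window and may have been shorter.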
OSINT on the Forums
Individuals on the dark web often participate in forums to communicate, answer questions, etc. They may inadvertently reveal information that can help OSINT practitioners learn more about their true identity. The language and the unique turns of phrase they use can go a long way.
Even if an email address is associated with an anonymous service, users may have used it on other sites, including forums and social media. If you are legally and ethically able to use breach data in an investigation, you may be able to link online personas with real names, physical addresses, etc.
An example of a leak that has proved useful to some investigators is the 2021/2022 10GB data leak from several VPN providers, including SuperVPN, GeckoVPN, and ChatVPN. This data includes full names, billing details, and possibly a unique identifier for the device used, including the mobile device’s international mobile subscriber identity (IMSI).
Future Developments and Trends
Future dark web market takedowns will use the methods discussed here and will undoubtedly incorporate new technologies. The most obvious development is the use of Artificial Intelligence (AI) and Machine Learning (ML) in OSINT. For example, AI can help build web scraping tools that quickly collect and analyze data from multiple sources, while ML algorithms can be trained to identify patterns and relationships in data. This advancement has the potential to save investigators significant time and resources, allowing them to focus on other aspects of their investigation.
Note: This article was expertly written and contributed by Matt Edmondson, SANS Principal Instructor.