homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Free Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Free Training & Resources
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
      • Leadership Courses
      • Executive Cybersecurity Exercises
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
      • Webcasts Listings
      • Live Streams
        • Wait Just An Infosec
        • Cybersecurity Leadership
        • SANS Threat Analysis Rundown (STAR)
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
        • Blueprint
        • Trust Me, I'm Certified
        • Cloud Ace
        • Wait Just an Infosec
      • Summit Presentations
      • Posters & Cheat Sheets
    • Internet Storm Center
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
      • Open-Source Intelligence (OSINT)
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • Brazil
    • France
    • Japan
    • United Kingdom
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations
370x370_Matt-Edmondson.jpg
Matt Edmondson

Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations

The Dark Web's anonymity attracts a variety of users. Explore the various techniques used to identify the individuals behind these sites and personas.

April 10, 2023

On April 5, 2023, the FBI and Dutch National Police announced the takedown of Genesis Market, one of the largest dark web marketplaces. The operation, dubbed "Operation Cookie Monster," resulted in the arrest of 119 people and the seizure of over $1 million in cryptocurrency. You can read the FBI’s Warrant here for details specific to this case, but it seemed like a good opportunity to write about how OSINT Tools can assist with dark web investigations.

The Dark Web's anonymity attracts a variety of users, from whistleblowers and political activists to cybercriminals and terrorists. When attempting to identify the individuals behind these sites and personas, various techniques are used.

Technical Vulnerabilities

While not considered OSINT, there have been instances when technical vulnerabilities have existed in the technology used to host dark websites. These vulnerabilities may exist in the software itself or be due to misconfigurations, but they can sometimes reveal the site’s true IP address. Often these require pen-testing tools and techniques such as using Burp Suite to induce error messages containing the site’s true IP address. Vulnerabilities such as these are uncommon and rarely utilized.

There have also been instances when dark website operators have used SSL certs or SSH keys, which can be tied to their true IP address using services like Shodan or Censys.

Cryptocurrency Tracing

Transactions on the dark web often involve cryptocurrency in exchange for illegal goods and services. This opens up the possibility of identifying individuals with the help of blockchain analysis tools.

I can’t go to the bank and open an account using the name “anonymous” due to laws designed to prevent money laundering. These requirements are often referred to as “Anti Money Laundering & Know Your Customer” or AML/KYC and require customers to provide government-issued IDs to prove their identity. Many countries have put similar requirements on cryptocurrency exchanges as well.

For several years, companies have provided blockchain analysis tools that attempt to tie cryptocurrency addresses to specific exchanges, such as Coinbase or Binance. Once a cryptocurrency address is tied to a specific exchange, law enforcement and/or financial investigators with legal authority can request that the exchange provide them with the identifying information for the owner of that account.

Historically these blockchain analysis services have been cost-prohibitive for individuals to purchase, but recently, a site called Breadcrumbs was launched at https://www.breadcrumbs.app/, which provides much more affordable prices, including a free plan.

Bringing Them Down to the Internet

In my SANS SEC497 Practical OSINT course, we discuss the dark web on the afternoon of Day 5. That placement was on purpose; I’ll explain why in this section.

Imagine you run a food truck constantly forced to change locations due to a city ordinance that you can never be in the same spot more than twice a month. How would you try to build brand loyalty and let prospective customers know where you were located that day??

You would likely try to get customers to connect with you on Facebook, follow you on Twitter, visit your website, etc., so they can know where to find you. Believe it or not, there is a very similar dynamic on the dark web.

What the dark web provides in anonymity, it lacks stability and security. Major markets such as Silk Road, AlphaBay, Hansa, Wall Street, and now Genesis have all been taken down by law enforcement. Denial of Service attacks have become a major problem on the Tor network, as evidenced by the popular “Dread” forum recently being down for several months due to such attacks. Can you imagine trying to run a business and achieve a stable income in that environment?

One way that sellers try to achieve stability and resiliency is to sell on multiple marketplaces and to provide methods to contact them directly. This makes a lot of sense but is incredibly useful for OSINT practitioners since now we have these contact methods, or “selectors,” which we can use to find them on the internet and bring all of our knowledge, experience, and resources to bear. Look at the example below where we’re able to take an email address from a dark website and tie it to a site on the internet using Google.

Once we’ve tied the individual(s) to resources on the internet, we have numerous options to deanonymize them. Some of my favorite options include:

Historial WHOIS lookups

Domain registration information, such as WHOIS records, can provide helpful information about the owner or operator of a website. In some cases, criminals may inadvertently expose their identity or location using inaccurate or incomplete privacy protection measures. Even if the WHOIS information for a site is currently anonymous, oftentimes, there was a point in the past when it was not. I’ve seen gaps as small as four days where a site privately registered before and after gave away its owner’s true identity.

OSINT on Forums

Individuals in this space often participate in forums to communicate, answer questions, etc. They may inadvertently reveal information that can help OSINT practitioners learn more about their true identities. The language they use or unique sayings can be extremely useful.

Breach Data

Even if an email is tied to an anonymous service, the user may have used it on other sites, including forums and social media. If you’re legally and morally able to use breach data in your investigations, you may be able to tie an online persona to a real name, physical address, etc.

An example of a leak that has proven helpful for some investigators was the 2021/2022 leak of 10GB of data from several VPN providers, including SuperVPN, GeckoVPN, and ChatVPN. This data contained full names, billing details, and potentially unique identifiers about the devices used, including the IMSI of mobile devices.

These topics and numerous others are covered in the SEC497 course before the dark web so students can easily understand the options we have once we bring a selector acquired on the dark web back to the internet.

Future Developments and Trends

Future dark web market takedowns will use the methods discussed here but will no doubt incorporate some emerging technologies. The most obvious development is using Artificial Intelligence (AI) and Machine Learning (ML) in OSINT.

For example, AI can help build web scraping tools that can quickly gather and analyze data from multiple sources, while ML algorithms can be trained to identify patterns and relationships in the data. These advancements have the potential to save investigators significant time and resources, allowing them to focus on other aspects of their investigations.

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Recommended Training

  • FOR572: Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response
  • SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis
  • SEC504: Hacker Tools, Techniques, and Incident Handling

Tags:
  • Open-Source Intelligence (OSINT)

Related Content

Blog
Open-Source Intelligence (OSINT)
October 28, 2022
Geolocation Resources for OSINT Investigations
There are numerous free tools and resources to help boost your geolocation and vehicle tracking skills to further your OSINT investigations.
Emily_Neuens_370x370.png
Emily Neuens
read more
Blog
Spotlight_340x340.png
Open-Source Intelligence (OSINT)
July 5, 2022
Instructor Spotlight: Ritu Gill
Get to know Ritu Gill, instructor for SEC487 Open-Source Intelligence (OSINT) Gathering and Analysis.
Ritu_Gill.jpg
Ritu Gill
read more
Blog
Spotlight_340x340.png
Open-Source Intelligence (OSINT)
May 31, 2022
Instructor Spotlight: Matt Edmondson
Get to know Matt Edmondson, author and instructor SEC497: Practical Open-Source Intelligence (OSINT)
370x370_Matt-Edmondson.jpg
Matt Edmondson
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Terms and Conditions
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn