On April 5, 2023, the FBI and Dutch National Police announced the takedown of Genesis Market, one of the largest dark web marketplaces. The operation, dubbed "Operation Cookie Monster," resulted in the arrest of 119 people and the seizure of over $1M in cryptocurrency. You can read the FBI's warrant here for details specific to this case. In light of these events, I'd like to discuss how OSINT can assist with dark web investigations.
The Dark Web's anonymity attracts a variety of users, from whistleblowers and political activists to cybercriminals and terrorists. There are several techniques that can be used to try and identify the individuals behind these sites and personas.
While not considered OSINT, there have been instances when technical vulnerabilities have existed in the technology used to host dark websites. These vulnerabilities may exist in the software itself or be due to misconfigurations, but they can sometimes reveal the site's true IP address. Often these software vulnerabilities require pen-testing tools and techniques such as Burp Suite to induce error messages containing the site's true IP address. Vulnerabilities such as these are uncommon and rarely utilized.
There have also been instances when dark website operators have used SSL certs or SSH keys, which can be tied to their true IP address using services like Shodan or Censys.
Transactions on the dark web often involve cryptocurrency in exchange for illegal goods and services. This opens up the possibility of identifying individuals with the help of blockchain analysis tools.
I can't go to a bank and open an account using the name "anonymous" due to laws designed to prevent money laundering. These requirements are often referred to as Anti-Money Laundering (AML) and Know Your Customer (KYC) and require customers provide government-issued identification for proof of identity. Many countries have similar requirements on cryptocurrency exchanges.
For several years, companies have provided blockchain analysis tools that attempt to tie cryptocurrency addresses to specific exchanges, such as Coinbase or Binance. Once a cryptocurrency address is tied to a specific exchange, law enforcement and/or financial investigators with legal authority can request that the exchange provide them with identifying information for the owner of that account.
Historically, these blockchain analysis services have been cost-prohibitive for individuals to purchase, however, the blockchain analytics provider Breadcrumbs recently launched an analytics platform that provides much more affordable prices and a free plan.
Bringing Them Down to the Internet
We don't discuss the dark web until day five of my SANS SEC497 Practical OSINT course, Why? It's important you first learn about the options available once a contact method acquired on the dark web is brought back to the internet. Let me explain.
Imagine you run a food truck constantly forced to change locations due to a city ordinance that you can never be in the same spot more than twice a month. How would you try to build brand loyalty and let prospective customers know where you were located every day?
You would likely try to get customers to connect with you on social media or visit your website, etc., so they can know where to find you. Believe it or not, there is a very similar dynamic on the dark web.
What the dark web provides in anonymity, and what it lacks is stability and security. Major markets such as Silk Road, AlphaBay, Hansa, Wall Street, and now Genesis have all been taken down by law enforcement. Denial of Service attacks have become a major problem on the Tor network, as evidenced by the popular "Dread" forum recently being down for several months due to such attacks. Can you imagine trying to run a business and achieve a stable income in that environment?
One way that sellers try to achieve stability and resiliency is to sell on multiple marketplaces and to provide methods to contact them directly. This attempt to provide stability makes a lot of sense and is incredibly useful for OSINT practitioners because it provides contact methods, or "selectors," which we can use to find them on the internet and bring all our knowledge, experience, and resources to bear. Look at the example below where we were able to take an email address from a dark website and tie it to a site on the internet using Google.
Once we tie the individual(s) to resources on the internet, we have numerous options to deanonymize them. Some of my favorite options include:
Historical WHOIS Lookups
Domain registration information such as WHOIS records can provide helpful information about the owner or operator of a website. In some cases, criminals may inadvertently expose their identity or location using inaccurate or incomplete privacy protection measures. Even if the WHOIS information for a site is currently anonymous, oftentimes, there was a point in the past when it was not. I've seen gaps as small as four days where a site privately registered before and after gave away its owner's true identity.
OSINT on Forums
Individuals on the dark web often participate in forums to communicate, answer questions, etc. They may inadvertently reveal information that can help OSINT practitioners learn more about their true identities. The language they use and their unique sayings can be extremely useful.
Even if an email is tied to an anonymous service, the user may have used it on other sites, including forums and social media. If you're legally and morally able to use breach data in your investigations, you may be able to tie an online persona to a real name, physical address, etc.
An example of a leak that has proven helpful for some investigators was the 2021/2022 leak of 10GB of data from several VPN providers, including SuperVPN, GeckoVPN, and ChatVPN. This data contained full names, billing details, and potentially unique identifiers about the devices used, including the international mobile subscriber identity (IMSI) of mobile devices.
Future Developments and Trends
Future dark web market takedowns will use methods discussed here and will no doubt incorporate emerging technologies. The most obvious development is using Artificial Intelligence (AI) and Machine Learning (ML) in OSINT. For example, AI can help build web scraping tools that can quickly gather and analyze data from multiple sources, while ML algorithms can be trained to identify patterns and relationships in the data. These advancements have the potential to save investigators significant time and resources, allowing them to focus on other aspects of their investigations.
To learn more about The SANS Institute, cybersecurity training, certifications, and FREE resources, click here now!
Note: This article was expertly written and contributed by Matt Edmondson, SANS Principal Instructor.