
On April 5, 2023, the FBI and the Dutch National Police announced the closure of one of the largest dark web marketplaces, Genesis Market. Dubbed Operation Cookie Monster, the operation resulted in the arrest of 119 people and the seizure of over $1 million in cryptocurrency. For more information specific to this case, you can read the FBI warrant here. In light of these events, I would like to explain how OSINT can assist in investigating the dark web.
The anonymity of the dark web attracts a wide variety of users, from whistleblowers and political activists to cybercriminals and terrorists. There are several techniques that can be used to identify the individuals behind these sites and personas.
Technical Vulnerabilities
Although not considered OSINT, technical vulnerabilities may exist in the technology used to host dark websites. These vulnerabilities can be in the software itself or the result of misconfigurations, and in some cases they can reveal the real IP address of the site. Exploiting a software vulnerability of this kind usually requires a penetration testing tool or technique, such as Burp Suite, to trigger an error message that contains the site's actual IP address. Such vulnerabilities are rare and rarely exploited.
There are also examples of dark website operators using SSL certificates or SSH keys that can be tied to real IP addresses using services like Shodan and Censys.

Cryptocurrency Tracking
Transactions on the dark web often involve cryptocurrencies in exchange for illegal goods and services. This opens up the possibility of using blockchain analysis tools to identify individuals.
Due to anti-money laundering laws, you cannot go to a bank and open an account using the name “anonymous”. These requirements are often referred to as Anti-Money Laundering (AML) and Know Your Customer (KYC), where customers are required to provide government-issued identification to prove their identity. Many countries have similar requirements for cryptocurrency exchanges.
For several years, companies have offered blockchain analysis tools that attempt to associate cryptocurrency addresses with specific exchanges such as Coinbase and Binance. Once a cryptocurrency address is associated with a particular exchange, law enforcement agencies and financial investigators with legal authority can require the exchange to provide identifying information for the owner of that account.
Historically, these blockchain analytics services have been prohibitively expensive for individuals to purchase, but blockchain analytics provider Breadcrumbs recently launched an analytics platform that offers far more affordable prices and a free plan.
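To make the "associate an address with an exchange" step concrete, here is an added example (not code from the article or from any analytics vendor) of the common-input-ownership heuristic that blockchain analysis tools build on: addresses that are spent together in one transaction are assumed to share an owner, and the resulting cluster is checked for payments to addresses an analyst has labelled as exchange deposits. All transactions, addresses and labels are constructed for illustration.

```python
# Added example: common-input-ownership clustering over constructed transactions.
from collections import defaultdict

# Constructed transactions: (input addresses, output addresses). Not real data.
TXS = [
    (["addrA1", "addrA2"], ["addrX1", "addrA3"]),
    (["addrA3"], ["addrEXCH1", "addrA4"]),
    (["addrB1"], ["addrB2"]),
    (["addrA4", "addrA1"], ["addrEXCH2"]),
]

# Constructed labels standing in for an analytics provider's exchange tags.
LABELS = {"addrEXCH1": "Exchange-1 deposit", "addrEXCH2": "Exchange-2 deposit"}


class UnionFind:
    """Minimal disjoint-set structure for merging co-spending addresses."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_inputs(txs):
    """Group addresses that ever co-spend in one transaction (same-owner heuristic)."""
    uf = UnionFind()
    for inputs, _ in txs:
        uf.find(inputs[0])            # register single-input addresses too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def exchange_touchpoints(txs, labels, cluster):
    """Labelled exchange addresses the cluster paid: leads for legal process."""
    hits = set()
    for inputs, outputs in txs:
        if any(i in cluster for i in inputs):
            hits.update(o for o in outputs if o in labels)
    return sorted(hits)
```

Real tools add further heuristics (change-address detection, peel chains) and much larger label sets; this block shows only the first step an investigator would take before sending a request to the exchange.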

Bring Them to the Internet
I don't cover the dark web until day five of the SANS SEC497 Practical OSINT course. Why? Because it's important to first learn about the options available to you once a dark web contact method has been traced back onto the internet. Let me explain.
Imagine you run a food truck that is forced to constantly change locations because of city ordinances that say you can't be in the same place more than twice a month. How do you build brand loyalty and let potential customers know where you are each day?
Chances are, your customers will try to connect with you on social media or visit your website to find out where to find you. Believe it or not, a similar dynamic exists on the dark web.
The dark web offers anonymity, but what it lacks is stability and security. Major markets such as Silk Road, Alpha Bay, Hansa, Wall Street and now Genesis have all been shut down by law enforcement. Denial of service attacks are a big problem on the Tor network, as evidenced by the popular ‘Dread’ forum recently going down for months due to such an attack. Can you imagine running a business in such an environment and earning a steady income?
One way sellers try to achieve stability and resilience is by selling in multiple marketplaces and providing a way to be contacted outside those marketplaces. This attempt to provide stability makes a lot of sense, and it is very useful for OSINT practitioners: the contact method, or 'selector', is something that can be searched for on the internet, where we can bring all of our knowledge, experience and resources to bear. See the example below. I was able to take an email address from a dark website and use Google to connect it to a site on the internet.
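The first practical step in "bringing them to the internet" is pulling every selector out of a vendor profile so each one can be searched for on the open web. The following is an added example (not code from the article or the course) that extracts e-mail and XMPP addresses, Telegram handles and a PGP fingerprint from a constructed vendor profile and also derives the reused usernames, which are often the most productive pivot. The profile text, handles and addresses are all made up.

```python
# Added example: extract contact selectors from a constructed vendor profile.
import re

# Constructed profile text; none of these identifiers are real.
PROFILE = """
Vendor: ExampleVendor99 -- shipping worldwide
Contact: examplevendor99@protonmail.example or examplevendor99@tutanota.example
Jabber: examplevendor99@xmpp.example  Telegram: @examplevendor99
PGP: 4F2A 1B3C 9D8E 7A6B 5C4D 3E2F 1A0B 9C8D 7E6F 5A4B
Also on: vendor99.example (clearnet mirror)
"""

PATTERNS = {
    # Matches e-mail addresses and XMPP/Jabber IDs, which share the same shape.
    "email": r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
    # A bare @handle not preceded by a word character (so e-mails are excluded).
    "telegram": r"(?<![\w.])@[A-Za-z0-9_]{5,32}\b",
    # Ten groups of four hex digits, optionally space-separated (40-char PGP fingerprint).
    "pgp_fingerprint": r"(?:[0-9A-Fa-f]{4}\s?){10}",
}


def extract_selectors(text):
    """Return {selector_type: sorted list of normalised values} for the text."""
    found = {}
    for kind, pat in PATTERNS.items():
        found[kind] = sorted({m.group(0) for m in re.finditer(pat, text)})
    # Normalise fingerprints to bare upper-case hex so they can be searched directly.
    found["pgp_fingerprint"] = [re.sub(r"\s", "", f).upper() for f in found["pgp_fingerprint"]]
    # Usernames (e-mail local parts and chat handles) are frequently reused on
    # forums and social media, so they are worth pivoting on in their own right.
    handles = {e.split("@")[0].lower() for e in found["email"]}
    handles |= {h.lstrip("@").lower() for h in found["telegram"]}
    found["handle"] = sorted(handles)
    return found
```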


Once you connect an individual to a resource on the internet, you have many options for de-anonymizing them. Some of my favorite options include:
Historical WHOIS Lookup
Domain registration information such as WHOIS records can provide useful information about a website's owner or operator. In some cases, criminals use inaccurate or incomplete privacy safeguards and accidentally reveal their identity or location. Even if a site's WHOIS information is anonymous now, there may well have been a time when it wasn't. I have seen a privately registered site whose WHOIS record exposed its owner's true identity for just four days, with privacy protection in place before and after.
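A historical WHOIS lookup returns a series of dated snapshots; the useful part is finding the windows in which the registrant was not hidden behind a privacy service. Here is an added example (not from the article) that scans constructed snapshots for such windows and reports their length. The privacy-service names, the registrant and the dates are all constructed.

```python
# Added example: find unprotected windows in a constructed WHOIS history.
from datetime import date

# Constructed set of registrant organisations that indicate a privacy proxy.
PRIVACY_SERVICES = {"Privacy Protect, LLC", "WhoisGuard, Inc.", "Redacted for Privacy"}

# Constructed snapshots: (capture date, registrant organisation, registrant e-mail).
SNAPSHOTS = [
    (date(2022, 1, 10), "WhoisGuard, Inc.", "abc123@whoisguard.example"),
    (date(2022, 3, 2), "WhoisGuard, Inc.", "abc123@whoisguard.example"),
    (date(2022, 3, 4), "Example Registrant", "owner@personal-mail.example"),
    (date(2022, 3, 8), "WhoisGuard, Inc.", "abc123@whoisguard.example"),
    (date(2022, 9, 1), "Privacy Protect, LLC", "contact@privacyprotect.example"),
]


def is_private(org):
    """True when the registrant field is a known privacy/proxy service."""
    return org in PRIVACY_SERVICES


def exposure_windows(snapshots):
    """Return (start, end, org, email) for each run of non-private snapshots.

    `start` is the first capture showing real registrant data; `end` is the
    capture date at which privacy protection reappears, or None if it never did.
    """
    snaps = sorted(snapshots)          # oldest capture first
    windows, start = [], None
    for when, org, email in snaps:
        if not is_private(org) and start is None:
            start = (when, org, email)
        elif is_private(org) and start is not None:
            windows.append((start[0], when, start[1], start[2]))
            start = None
    if start is not None:
        windows.append((start[0], None, start[1], start[2]))
    return windows


def window_days(window):
    """Length of a closed exposure window in days (None if still open)."""
    start, end = window[0], window[1]
    return None if end is None else (end - start).days
```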
Forum OSINT
Individuals on the dark web often participate in forums to communicate and answer questions. There they may inadvertently release information that helps OSINT practitioners learn more about their true identities. The language they use and their distinctive turns of phrase are very helpful.
Data Breaches
Even if the e-mail address is associated with an anonymous service, the user may have used the same address on other sites such as forums or social media. If you can legally and ethically use compromised data in your investigation, you may be able to tie their online persona to their real name, address and so on.
An example of a breach that has proved useful to some investigators is the 2021/2022 breach of 10GB of data from multiple VPN providers such as SuperVPN, GeckoVPN and ChatVPN. This data included full names, the device used, billing details and potentially unique identifiers, including the mobile device's International Mobile Subscriber Identity (IMSI).

Future Developments and Trends
Future dark web market takedowns will use the methods described here and will undoubtedly incorporate emerging technologies. The most obvious development is combining artificial intelligence (AI) and machine learning (ML) with OSINT. For example, AI can help build web scraping tools that quickly collect and analyze data from multiple sources, and ML algorithms can be trained to identify patterns and relationships in that data. These advances could save investigators significant time and resources, allowing them to focus on other aspects of their investigations.
Note: This article was professionally written and contributed by SANS Principal Instructor Matt Edmondson.