On April 5, 2023, a collaboration between the FBI and Dutch National Police led to the disruption of Genesis Market, one of the most significant dark web marketplaces. The operation, codenamed “Operation Cookie Monster,” resulted in the detention of 119 individuals and the confiscation of over $1M in cryptocurrency. For specific details on this case, refer to the FBI’s warrant. In the wake of these developments, I aim to highlight how OSINT can support investigations into dark web activities.
The Dark Web’s cloak of anonymity entices a broad spectrum of users, ranging from whistleblowers and political activists to cybercriminals and terrorists. Several techniques can be employed to try and unmask the individuals operating these sites and personas.
Technical Vulnerabilities

Even though it is not strictly OSINT, there have been cases where the software hosting a dark website contained technical vulnerabilities. These may be inherent to the software or the result of misconfiguration, and they can sometimes disclose the site's real IP address, for example in a verbose error message. Extracting such an error message usually requires pen-testing tools and techniques such as Burp Suite. Such vulnerabilities are rare, however, and infrequently exploited.
There have also been instances where operators of dark websites used SSL certificates or SSH keys that also appeared on an internet-facing host, allowing platforms like Shodan or Censys to link the site to its real IP address.
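The key-reuse check behind that last point can be done on an operator's own hosts before an indexer like Shodan or Censys does it for them. The script below is an added example, not code from the post: it derives the OpenSSH-style SHA256 fingerprint of each public host key (the same value `ssh-keygen -lf` prints) and reports any fingerprint shared between a hidden service and an internet-facing host. All host labels and key material are constructed for the example.

```python
import base64
import hashlib


def openssh_sha256_fingerprint(key_line: str) -> str:
    """Return the fingerprint of an OpenSSH public key line in the
    'SHA256:<base64 without padding>' form used by ssh-keygen -lf.

    The fingerprint is the SHA-256 digest of the base64-decoded key blob
    (the second whitespace-separated field of the line)."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def find_shared_host_keys(hidden: dict, clearnet: dict) -> dict:
    """Group hosts by host-key fingerprint and keep only the fingerprints
    that occur on at least one hidden service AND one clearnet host.

    Returns {fingerprint: [labels...]} where labels are prefixed with the
    side they were seen on, so the reuse is visible at a glance."""
    by_fingerprint: dict = {}
    for label, line in hidden.items():
        fp = openssh_sha256_fingerprint(line)
        by_fingerprint.setdefault(fp, []).append("hidden:" + label)
    for label, line in clearnet.items():
        fp = openssh_sha256_fingerprint(line)
        by_fingerprint.setdefault(fp, []).append("clearnet:" + label)
    return {
        fp: labels
        for fp, labels in by_fingerprint.items()
        if any(l.startswith("hidden:") for l in labels)
        and any(l.startswith("clearnet:") for l in labels)
    }


def _constructed_key_line(seed: bytes) -> str:
    # Constructed stand-in for real key material: any base64 blob works for
    # demonstrating the fingerprint computation.
    return "ssh-ed25519 " + base64.b64encode(b"constructed-key-" + seed).decode("ascii")


# Constructed inventory: the hidden service reuses key "A", which is also
# the host key of a clearnet server, while a second clearnet host uses "B".
SAMPLE_HIDDEN_HOSTS = {"onion-svc": _constructed_key_line(b"A")}
SAMPLE_CLEARNET_HOSTS = {
    "203.0.113.10": _constructed_key_line(b"A"),
    "198.51.100.7": _constructed_key_line(b"B"),
}


def report() -> dict:
    """Run the check over the constructed inventory."""
    return find_shared_host_keys(SAMPLE_HIDDEN_HOSTS, SAMPLE_CLEARNET_HOSTS)


if __name__ == "__main__":
    for fp, labels in report().items():
        print(f"{fp} reused by: {', '.join(labels)}")
```

Real host key lines come from `ssh-keyscan` output or from `/etc/ssh/ssh_host_*_key.pub` on the servers being audited; the same fingerprint comparison applies to TLS certificates if you hash the DER-encoded certificate instead of the SSH key blob.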
Tracing Cryptocurrency

Dark web transactions frequently involve cryptocurrency in return for illicit goods and services. This situation presents an opportunity to identify individuals using blockchain analysis tools.
Due to anti-money laundering laws, I can’t walk into a bank and open an account under the name “anonymous”. These regulations, often referred to as Anti-Money Laundering (AML) and Know Your Customer (KYC), demand customers provide government-issued identification to prove their identity. Similar requirements are imposed on cryptocurrency exchanges in many countries.
For years, companies have offered blockchain analysis tools that strive to associate cryptocurrency addresses with specific exchanges, like Coinbase or Binance. Once a cryptocurrency address is associated with a particular exchange, law enforcement and/or financial investigators with legal jurisdiction can ask the exchange to provide them with the account owner’s identifying information.
Historically, these blockchain analysis services have been too costly for individuals to buy. However, the blockchain analytics provider Breadcrumbs recently introduced an analytics platform that offers more affordable pricing and a free plan.
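To make the "associate an address with an exchange" step concrete, the following is an added example, not code from the post or from any analytics vendor. It implements one common clustering heuristic (common-input ownership: addresses that sign inputs of the same transaction are assumed to be controlled by the same wallet) and then tags each cluster with the exchanges it has sent funds to, using a constructed list of known exchange deposit addresses. The transactions, addresses and the exchange name are all constructed.

```python
from collections import defaultdict


class UnionFind:
    """Minimal disjoint-set structure for merging address clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def analyze(txs, known_exchange_addresses):
    """Cluster input addresses by common-input ownership and record which
    exchanges each cluster has paid.

    txs: list of {"txid", "inputs": [addr...], "outputs": [addr...]}
    known_exchange_addresses: {addr: exchange_name}
    Returns {input_addr: {"cluster": frozenset, "exchanges": frozenset}}."""
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            uf.find(addr)  # register singletons too
        for addr in ins[1:]:
            uf.union(ins[0], addr)

    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)

    exposure = defaultdict(set)
    for tx in txs:
        venues = {known_exchange_addresses[o]
                  for o in tx["outputs"] if o in known_exchange_addresses}
        if venues and tx["inputs"]:
            exposure[uf.find(tx["inputs"][0])] |= venues

    return {
        addr: {
            "cluster": frozenset(members[uf.find(addr)]),
            "exchanges": frozenset(exposure[uf.find(addr)]),
        }
        for addr in uf.parent
    }


# Constructed sample ledger: A1..A3 are linked through shared inputs and one
# of those transactions pays a known deposit address of "ExampleExchange".
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"txid": "tx2", "inputs": ["A2", "A3"], "outputs": ["EXDEP1"]},
    {"txid": "tx3", "inputs": ["C1"], "outputs": ["C2"]},
]
KNOWN_EXCHANGE_ADDRESSES = {"EXDEP1": "ExampleExchange"}  # constructed label


if __name__ == "__main__":
    for addr, info in sorted(analyze(SAMPLE_TXS, KNOWN_EXCHANGE_ADDRESSES).items()):
        print(addr, sorted(info["cluster"]), sorted(info["exchanges"]))
```

The heuristic is exactly that, a heuristic: CoinJoin-style transactions deliberately combine inputs from unrelated wallets and will produce false merges, which is why commercial tools layer several heuristics and manual review on top of this one before an exchange is ever asked for account records.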
Reverting to the Internet

In my SANS SEC497 Practical OSINT course, we don’t touch upon the dark web until day five. Why? It’s crucial to understand the options available once a contact method acquired on the dark web is traced back to the internet. Let me elucidate.
Imagine operating a food truck that’s constantly forced to relocate due to a city ordinance that prevents you from being in the same spot more than twice a month. How would you strive to build brand loyalty and let potential customers know your daily location?
You’d probably encourage customers to connect with you on social media or visit your website, etc., so they can track you. Surprisingly, a very similar dynamic exists on the dark web.
What the dark web offers in anonymity, it lacks in stability and security. Major markets like Silk Road, AlphaBay, Hansa, Wall Street, and now Genesis have all been shut down by law enforcement. The Tor network has been plagued by Denial of Service attacks, as shown by the popular “Dread” forum being down for several months due to such attacks. Can you visualize striving to run a business and secure a stable income in that climate?
Sellers often aim to achieve stability and resilience by selling on multiple marketplaces and providing direct contact methods. This attempt to maintain stability is incredibly beneficial for OSINT practitioners as it provides contact methods, or “selectors,” which we can use to trace them back to the internet and apply all our knowledge, experience, and resources. The example below demonstrates how we were able to take an email address from a dark website and link it to an internet site using Google.
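Harvesting those selectors from a listing is the first step of the pivot described above. The script below is an added example, not code from the post: it pulls e-mail addresses, messaging handles, PGP fingerprints, onion addresses and clearnet URLs out of listing text with regular expressions, normalizes them (lower-cased e-mails, fingerprints without spaces) and produces the exact-phrase search queries that would then be run against an internet search engine. The listing text, vendor name and every address in it are constructed.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A bare @handle (Telegram style); the lookbehind keeps it from matching the
# domain part of an e-mail address.
HANDLE_RE = re.compile(r"(?<!\w)@[A-Za-z0-9_]{5,32}\b")
# 40 hex digits, optionally grouped in blocks of four as GnuPG prints them.
PGP_FP_RE = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{4}[ ]?){9}[0-9A-Fa-f]{4}(?![0-9A-Fa-f])")
ONION_RE = re.compile(r"\b[a-z2-7]{56}\.onion\b")  # v3 onion address
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_selectors(text: str) -> dict:
    """Return normalized, de-duplicated selectors grouped by type."""
    emails = {m.lower() for m in EMAIL_RE.findall(text)}
    handles = set(HANDLE_RE.findall(text))
    fingerprints = {m.group(0).replace(" ", "").upper()
                    for m in PGP_FP_RE.finditer(text)}
    onions = set(ONION_RE.findall(text))
    clearnet = {u.rstrip(".,)") for u in URL_RE.findall(text)
                if ".onion" not in u}
    return {
        "emails": sorted(emails),
        "handles": sorted(handles),
        "pgp_fingerprints": sorted(fingerprints),
        "onion_addresses": sorted(onions),
        "clearnet_urls": sorted(clearnet),
    }


def pivot_queries(selectors: dict) -> list:
    """Exact-phrase queries for the selectors most likely to be reused on
    the internet (e-mails, handles, PGP fingerprints)."""
    terms = (selectors["emails"] + selectors["handles"]
             + selectors["pgp_fingerprints"])
    return [f'"{t}"' for t in terms]


# Constructed vendor listing (fictional vendor, addresses and keys).
SAMPLE_ONION = "ghostvendor" + "xyz" * 15 + ".onion"  # 56-char v3 label
SAMPLE_LISTING = f"""
GhostVendor Shop -- fresh accounts daily
Contact: GhostVendor@Example.com or Telegram @ghostvendor_shop
PGP: 1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678
Mirror: http://{SAMPLE_ONION}
Clearnet backup: https://ghostvendor-shop.example/news
"""


if __name__ == "__main__":
    found = extract_selectors(SAMPLE_LISTING)
    for kind, values in found.items():
        print(kind, values)
    print("queries:", pivot_queries(found))
```

In practice the extracted selectors are what get checked against search engines, breach data and social-media username searches; each hit is a candidate link from the persona back to an internet identity that still has to be corroborated before anyone relies on it.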