On April 5, 2023, the FBI and the Dutch National Police announced the takedown of Genesis Market, one of the dark web marketplaces. The operation, dubbed “Operation Cookie Monster,” led to the arrest of 119 people and the seizure of more than $1 million in cryptocurrency. You can read the FBI warrant here for the specific details of this case. In light of these events, I’d like to discuss how OSINT can help with dark web investigations.
The anonymity of the dark web attracts a variety of users, from politicians and political activists to cybercriminals and terrorists. Many techniques are used to try to identify the people behind these websites and the individuals who use them.
While not considered OSINT, there have been instances where technical weaknesses were identified in the technology used to host dark web sites. These vulnerabilities may exist in the software or may be due to misconfigurations, and sometimes they can reveal the real IP address of the site. Often these software vulnerabilities require penetration testing tools and techniques, such as Burp Suite, to trigger error messages containing the site’s real IP address. Such weaknesses are rare and rarely used.
There have also been cases where dark web site operators were tied to their real IP addresses by searching services like Shodan or Censys for the SSL certificates or SSH keys their sites used.
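To make the certificate/SSH-key pivot concrete, here is an added example (not code from the article or from SANS) that computes OpenSSH-style fingerprints and matches keys seen on hidden services against per-host records of the kind Shodan or Censys return. The hosts, onion names and keys are constructed with a helper so the script runs offline; an operator can run the same check against their own scan exports to find out whether a host key or certificate is reused where it should not be.

```python
import base64
import hashlib


def fake_ssh_key(seed: int) -> str:
    """Build a syntactically valid (but cryptographically meaningless) OpenSSH
    public-key line for the constructed sample data below. Real data would come
    from a scan or a search-engine export; only the wire format matters here."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " sample"


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH fingerprint (SHA256:<base64 without '=' padding>) of a
    public-key line such as 'ssh-ed25519 AAAA... comment'."""
    _key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def der_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, the value search
    engines index for TLS; the correlation step is identical to the SSH case."""
    return hashlib.sha256(der_cert).hexdigest()


# Constructed sample data (not real hosts). ONION_SERVICES holds keys observed
# on hidden services; CLEARNET_HOSTS mimics per-host records from a service
# such as Shodan or Censys (IP, port, host key presented).
ONION_SERVICES = [
    {"onion": "exampleaaaa.onion", "ssh_key": fake_ssh_key(1)},
    {"onion": "examplebbbb.onion", "ssh_key": fake_ssh_key(2)},
]
CLEARNET_HOSTS = [
    {"ip": "203.0.113.10", "port": 22, "ssh_key": fake_ssh_key(1)},    # same key as exampleaaaa
    {"ip": "198.51.100.7", "port": 22, "ssh_key": fake_ssh_key(3)},
    {"ip": "203.0.113.25", "port": 2222, "ssh_key": fake_ssh_key(1)},  # key reused again
]


def correlate(onion_services, clearnet_hosts):
    """Map each onion service to the clearnet ip:port endpoints presenting the
    same SSH host key. Keys are compared by fingerprint, so the result is what
    a search-engine query for that fingerprint would return."""
    by_fp = {}
    for host in clearnet_hosts:
        endpoint = f'{host["ip"]}:{host["port"]}'
        by_fp.setdefault(ssh_fingerprint(host["ssh_key"]), []).append(endpoint)
    matches = {}
    for svc in onion_services:
        fp = ssh_fingerprint(svc["ssh_key"])
        if fp in by_fp:
            matches[svc["onion"]] = {"fingerprint": fp, "endpoints": sorted(by_fp[fp])}
    return matches


if __name__ == "__main__":
    for onion, hit in correlate(ONION_SERVICES, CLEARNET_HOSTS).items():
        print(onion, hit["fingerprint"], ", ".join(hit["endpoints"]))
```

A match is a lead, not proof: shared hosting panels and cloned VM images also produce identical host keys, so the endpoint still has to be confirmed by other means.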
Transactions on the dark web involve exchanging cryptocurrency for illegal goods and services. This opens up the possibility of identifying individuals with the help of blockchain analysis tools.
You can’t walk into a bank and open an account without proving who you are, because of anti-money laundering laws. These requirements, commonly known as Anti-Money Laundering (AML) and Know Your Customer (KYC), require customers to provide government-issued identification for identity verification. Many countries impose similar requirements on cryptocurrency exchanges.
For several years, companies have offered blockchain analysis tools that attempt to link cryptocurrency addresses to specific exchanges such as Coinbase or Binance. Once a cryptocurrency address is associated with a particular exchange, law enforcement or financial investigators with the appropriate legal authority can request that the exchange provide the identifying information for that account holder.
Historically, these blockchain analytics services have been cost prohibitive for individuals to purchase, but the blockchain analytics provider Breadcrumbs recently launched an analytics platform that offers affordable pricing and a free plan.
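The core of “linking an address to an exchange” is address clustering. The following is an added example, not code from the article or from any analytics vendor: it applies the common-input-ownership heuristic (all inputs of one transaction are assumed to be spent by the same key holder) with a union-find structure, then reports which labelled counterparties the cluster paid. The transactions, addresses and the exchange label are constructed; real tools work from full chain data and far larger label sets.

```python
from collections import Counter


class UnionFind:
    """Disjoint-set structure used to merge addresses into ownership clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed transactions, not real chain data. Each lists input addresses and
# (output_address, amount) pairs. tx3 is shaped like a CoinJoin: several
# equal-valued outputs, which is exactly the case where the heuristic breaks.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["addr_a", "addr_b"], "outputs": [("addr_c", 1.5), ("addr_a2", 0.3)]},
    {"txid": "tx2", "inputs": ["addr_b", "addr_d"], "outputs": [("exch_deposit_1", 2.0)]},
    {"txid": "tx3", "inputs": ["addr_e", "addr_f"],
     "outputs": [("addr_g", 0.1), ("addr_h", 0.1), ("addr_i", 0.1), ("addr_j", 0.1)]},
    {"txid": "tx4", "inputs": ["addr_x"], "outputs": [("addr_y", 0.5)]},
]

# Labels an analytics provider would maintain; here a constructed placeholder.
KNOWN_LABELS = {"exch_deposit_1": "ExampleExchange deposit"}


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Flag multi-input transactions with many equal-valued outputs; their inputs
    may belong to different people, so merging them would poison the cluster."""
    if len(tx["inputs"]) < 2 or not tx["outputs"]:
        return False
    counts = Counter(amount for _, amount in tx["outputs"])
    return max(counts.values()) >= min_equal_outputs


def cluster_addresses(transactions, skip_coinjoin_like=True):
    """Common-input-ownership heuristic: every input of a transaction is
    assumed to be controlled by the same entity, so the inputs join one cluster."""
    uf = UnionFind()
    for tx in transactions:
        if skip_coinjoin_like and looks_like_coinjoin(tx):
            for addr in tx["inputs"]:
                uf.find(addr)  # register the address without merging it
            continue
        first = tx["inputs"][0]
        uf.find(first)
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    return uf


def investigate(target, transactions, labels, skip_coinjoin_like=True):
    """Return the cluster the target belongs to and every labelled entity the
    cluster sent funds to (where a legal request to an exchange would go)."""
    uf = cluster_addresses(transactions, skip_coinjoin_like)
    root = uf.find(target)
    members = sorted(a for a in list(uf.parent) if uf.find(a) == root)
    touched = set()
    for tx in transactions:
        if skip_coinjoin_like and looks_like_coinjoin(tx):
            continue
        if uf.find(tx["inputs"][0]) == root:
            for out_addr, _ in tx["outputs"]:
                if out_addr in labels:
                    touched.add(labels[out_addr])
    return {"members": members, "labelled_counterparties": sorted(touched)}


if __name__ == "__main__":
    print(investigate("addr_a", TRANSACTIONS, KNOWN_LABELS))
```

Note that change outputs (addr_a2 above) are not merged by this heuristic; commercial tools layer further heuristics on top, each of which can misfire, so a cluster is a hypothesis to be corroborated rather than a finding in itself.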
Bringing them back to the Internet
In the SANS SEC497 Practical OSINT course, we don’t cover the dark web until day five. Why? Because it is important to first understand the options available once a communication method found on the dark web has been traced back to the Internet. Let me explain.
Imagine running a food truck that is forced to constantly change locations because of a city ordinance stating that you cannot be in the same location more than twice a month. How do you build brand loyalty and let prospective customers know where you are each day?
You try to get customers to connect with you on social media or visit your website, etc., so they know where to find you. Believe it or not, there is a very similar dynamic on the dark web.
What the dark web offers is anonymity; what it lacks is stability and security. Major markets like Silk Road, AlphaBay, Hansa, Wall Street and now Genesis have been taken over by law enforcement. Denial of service has become a major problem on the Tor network, as evidenced by the recent shutdown of the popular “Dread” forum for several months because of such attacks. Can you imagine trying to run a business in that environment and earn a steady income?
One way sellers try to gain stability and resilience is by selling on multiple marketplaces and offering ways to contact them directly. This attempt to provide stability is significant and incredibly useful for OSINT professionals because it provides a means of communication, or “selectors,” that we can take back to the Internet and bring all of our knowledge, experience, and resources to bear on. Consider an example where we were able to retrieve an email address from the dark web and link it to the Internet using Google.
Once we have linked the person(s) to resources on the Internet, we have several options for de-anonymizing them. Some of my favorites include:
Historical WHOIS lookups
Domain registration information such as WHOIS records can provide valuable information about the owner or operator of a website. In some cases, criminals may inadvertently expose their identity or location by using inaccurate or incomplete privacy protection. Even if the WHOIS information is hidden today, there was often a point in the past when it was not. I’ve seen gaps of about four days where a site was privately registered before and after, but in between gave away the owner’s true identity.
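Finding that short unprotected window by eye across years of snapshots is tedious, so here is an added example (not from the article) that walks a list of historical WHOIS snapshots in date order and reports every span during which the registrant was not behind a privacy or proxy service. The snapshots, the registrant names and the marker list are constructed; a real run would feed in the records a historical-WHOIS provider returns for the domain.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Substrings that identify a privacy/proxy registrant (case-insensitive).
# A constructed starting list, not an exhaustive one.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "withheld", "data protected")

# Constructed historical WHOIS snapshots, shaped like the registrant fields a
# historical-WHOIS provider returns, with a deliberate four-day window in which
# the real registrant was visible.
SNAPSHOTS = [
    {"date": date(2019, 1, 2), "registrant": "Domains By Proxy, LLC", "email": "abc123@domainsbyproxy.example"},
    {"date": date(2019, 3, 10), "registrant": "Jane Doe", "email": "jane.doe@example.org"},
    {"date": date(2019, 3, 12), "registrant": "Jane Doe", "email": "jane.doe@example.org"},
    {"date": date(2019, 3, 14), "registrant": "REDACTED FOR PRIVACY", "email": "please query the RDDS"},
    {"date": date(2020, 6, 1), "registrant": "REDACTED FOR PRIVACY", "email": "please query the RDDS"},
]


@dataclass
class ExposureWindow:
    start: date
    end: Optional[date]  # None: still exposed at the most recent snapshot
    registrant: str
    email: str

    @property
    def days(self) -> Optional[int]:
        return None if self.end is None else (self.end - self.start).days


def is_privacy_protected(record) -> bool:
    """True when the registrant name or email looks like a privacy/proxy service."""
    text = f'{record["registrant"]} {record["email"]}'.lower()
    return any(marker in text for marker in PRIVACY_MARKERS)


def exposure_windows(snapshots):
    """Collapse consecutive unprotected snapshots into windows. A window closes
    at the first snapshot that is protected again, or when the visible
    registrant changes (a different exposed party starts a new window)."""
    windows = []
    current = None
    for rec in sorted(snapshots, key=lambda r: r["date"]):
        if is_privacy_protected(rec):
            if current is not None:
                current.end = rec["date"]
                windows.append(current)
                current = None
            continue
        if current is not None and (current.registrant, current.email) != (rec["registrant"], rec["email"]):
            current.end = rec["date"]
            windows.append(current)
            current = None
        if current is None:
            current = ExposureWindow(rec["date"], None, rec["registrant"], rec["email"])
    if current is not None:
        windows.append(current)
    return windows


if __name__ == "__main__":
    for w in exposure_windows(SNAPSHOTS):
        print(f"{w.start} -> {w.end or 'present'} ({w.days} days): {w.registrant} <{w.email}>")
```

Snapshot granularity bounds what you can say: a window of “four days” really means the registrant was visible at some point between two captures, so the record dates should be reported alongside the finding.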
OSINT on platforms
Individuals on the dark web participate in forums to communicate, answer questions, and so on. In doing so they can unwittingly reveal information that helps OSINT professionals learn more about their true identity. The language they use and their particular turns of phrase can be extremely helpful.
Even if an email address belongs to an anonymous service, the user may have used it on other websites, including forums and social media. If you can legally and ethically use such data in your investigations, you may be able to associate an online persona with a real name, physical address, and so on.
An example of a trend that some investigators find helpful is the release of 10GB of data in 2021/2022 from several VPN providers, including SuperVPN, GeckoVPN and ChatVPN. This data contained full names, payment details and potentially unique identifiers for the devices used, including the International Mobile Subscriber Identity (IMSI).
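Pivoting on an email selector only works if the selector is compared in a canonical form; “J.Doe+shop@gmail.com”, “jdoe@googlemail.com” and “j.doe@gmail.com” all reach one mailbox. The following added example (not code from the article) normalises email addresses and handles, indexes constructed records from three imaginary sources, and returns the sources in which a dark web selector reappears. All records, addresses, the handle and the IMSI are constructed; the IMSI uses the test-network prefix 001 01.

```python
import re
from collections import defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr: str) -> str:
    """Canonicalise an email selector: lowercase, drop any '+tag', and for
    Gmail collapse dots and the googlemail alias, since all deliver to one box."""
    addr = addr.strip().lower()
    if "@" not in addr:
        raise ValueError(f"not an email address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def normalize_handle(handle: str) -> str:
    """Usernames: lowercase, drop a leading '@' and common separators."""
    return re.sub(r"[._-]", "", handle.strip().lstrip("@").lower())


# Constructed records from three imaginary sources; "source" records where the
# selector was seen. Nothing here refers to a real person or dataset.
RECORDS = [
    {"source": "darkweb_listing", "email": "J.Doe+shop@gmail.com", "handle": "@j_doe"},
    {"source": "clearnet_forum", "email": "jdoe@googlemail.com", "handle": "JDoe"},
    {"source": "breach_dataset", "email": "j.doe@gmail.com", "name": "Jane Doe", "imsi": "001010123456789"},
    {"source": "clearnet_forum", "email": "someone.else@example.net", "handle": "other"},
]


def build_index(records):
    """Map each (kind, normalised selector) to the set of sources containing it."""
    index = defaultdict(set)
    for rec in records:
        if rec.get("email"):
            index[("email", normalize_email(rec["email"]))].add(rec["source"])
        if rec.get("handle"):
            index[("handle", normalize_handle(rec["handle"]))].add(rec["source"])
    return index


def pivot(selector_value, records, kind="email"):
    """Given one selector found on the dark web, return the sources on the
    Internet where the same normalised selector appears."""
    norm = normalize_email(selector_value) if kind == "email" else normalize_handle(selector_value)
    return sorted(build_index(records).get((kind, norm), set()))


if __name__ == "__main__":
    print(pivot("J.Doe+shop@gmail.com", RECORDS))
    print(pivot("@j_doe", RECORDS, kind="handle"))
```

An email match is a strong link because the address is a credential; a handle match is only a lead, since short usernames collide constantly across platforms, which is why the index keeps the two kinds separate.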
Future developments and trends
Future dark web market takedowns will use the methods discussed here and will undoubtedly include new technologies. The most obvious development is the use of artificial intelligence (AI) and machine learning (ML) in OSINT. For example, AI can help build web scraping tools that quickly collect and analyze data from multiple sources, and ML algorithms can be trained to identify patterns and relationships in that data. These advances have the potential to save investigators valuable time and resources, allowing them to focus on other aspects of their investigations.
To learn more about SANS Institute cybersecurity training, certifications and free resources, click here.
Note: This article was written and contributed by SANS Principal Instructor Matt Edmondson.