Hades

Dark Web Intelligence Platform for Threat Analysis and Investigation

Welcome to the Hades documentation. Hades is a comprehensive intelligence platform for investigating dark web onion sites, tracking threat actors, and analyzing criminal infrastructure across the Tor network.

Platform Overview

Hades indexes and analyzes the dark web to provide actionable intelligence for security analysts, law enforcement, researchers, and intelligence professionals. The platform continuously crawls Tor hidden services, extracting entities, classifying content, and mapping relationships to enable deep investigative analysis.

Data Coverage

Hades maintains a comprehensive database of dark web intelligence:

163,000+ Onion Servers - Active and historical Tor hidden services
375,000+ Entities - Cryptocurrency wallets, email addresses, communication channels
2.1M+ Images - Extracted images with hash-based tracking
214,000+ JavaScript Files - Technology stack analysis and infrastructure fingerprinting
36 Risk Categories - Machine learning-based content classification
15 MongoDB Collections - Structured intelligence database

Key Capabilities

Entity Extraction & Tracking

Cryptocurrency wallets (Bitcoin, Ethereum, Monero, Litecoin, Dogecoin)
Communication channels (Email, Telegram, Discord)
Payment processors and financial infrastructure
PGP keys and cryptographic identifiers

Infrastructure Analysis

Script Hash Values (SHV) for identifying identical infrastructure
SSH fingerprinting for co-hosting detection
Technology stack detection and analysis
Mirror site and clone identification

Risk Classification

ML-based threat categorization across 36 intent categories
Risk level assessment (low, medium, high, critical)
Confidence scoring for classifications
Threat intelligence feeds

Relationship Mapping

Vendor attribution through shared indicators
Network analysis of connected sites
Temporal tracking of entity appearances
Cross-platform identity correlation

Access Methods

Hades provides two complementary access methods designed for different workflows:

Maltego Transforms

Visual graph-based investigation through Maltego

The Hades Maltego Transforms provide 35 specialized transforms that integrate directly into Maltego’s graph interface. This approach is ideal for:

Interactive visual investigations
Building relationship graphs through point-and-click
Presentations and reporting with visual evidence
Analysts who prefer GUI-based workflows

Explore Maltego Transforms →

MCP Server

AI-native conversational intelligence through Claude

The Hades MCP (Model Context Protocol) Server exposes 21 tools for natural language querying through Claude AI. This approach is ideal for:

Conversational investigations (“Find all sites with this Bitcoin address”)
Complex multi-step analysis workflows
Automated investigations and scripting
Developers building custom integrations

Explore MCP Server →

Primary Use Cases

Marketplace Vendor Investigation

Track vendors across multiple dark web marketplaces by analyzing:

Shared cryptocurrency wallet addresses
Common communication channels (Telegram, email)
Infrastructure patterns and hosting
Timeline of marketplace presence

Learn more →

Criminal Infrastructure Attribution

Identify related criminal operations through:

Identical JavaScript infrastructure (SHV matching)
Co-hosted servers (SSH fingerprints)
Shared payment addresses and entities
Technology stack analysis

Learn more →

Threat Intelligence Collection

Monitor the dark web for emerging threats:

New high-risk marketplace discoveries
Drug, weapons, and hacking service vendors
Real-time threat feeds with confidence scores
Trend analysis and ecosystem monitoring

Learn more →

Law Enforcement Investigations

Build comprehensive intelligence reports with:

Evidence chains from discovery to attribution
Network analysis of related operations
Temporal tracking of criminal activity
Cross-platform identity correlation

Learn more →

Who Uses Hades?

Security Analysts - SOC teams investigating threats, tracking threat actors, monitoring dark web marketplaces

Law Enforcement - Criminal investigators building cases, tracking vendors, mapping criminal networks

Intelligence Analysts - Government and corporate intelligence teams conducting OSINT investigations

Security Researchers - Academic researchers studying dark web ecosystems, threat trends, and criminal behavior

Fraud Investigators - Financial institutions tracking stolen credentials, payment fraud, and data breaches

Getting Started

Ready to start investigating? Choose your preferred access method:

Quick Start Guide - Installation and setup
Maltego Transforms - 35 transforms for graph-based investigation
MCP Server - AI-native conversational intelligence
Investigation Workflows - Real-world usage examples

Platform Architecture

Hades is built on a MongoDB database with 15 specialized collections:

Infrastructure Collections

servers - Onion addresses, status, metadata
ports - Open ports, services, SSH fingerprints
http - HTTP responses, content, titles

Content Collections

images - Extracted images with hashes and EXIF
javascript - JS files with technology detection
entities - Cryptocurrency, emails, communications
labels - ML classifications and risk levels
shv - Script hash values for infrastructure matching

Supporting Collections

preprocessed, favourites, api, api_usage, organisations, processor_queue, errors

Authentication & Access

All Hades services require API key authentication. Multiple licensing tiers are available to suit different use cases, from individual analysts to large enterprise teams.

Contact [email protected] for API key provisioning and licensing information.

Support

For questions, issues, or feature requests:

Support - [email protected]
Pricing & General Inquiries - [email protected]
Documentation - https://hades.aikostek.com
Issues - Report bugs and request features

Hades - Illuminating the dark web for security and intelligence professionals

Keyboard shortcuts

Hades - Documentation