Content Distribution Transforms

Track BitTorrent magnet links across dark web sites to identify file sharing, piracy networks, and content distribution patterns.

Overview

Magnet links are URIs used for BitTorrent peer-to-peer file sharing. They uniquely identify torrents and enable tracking of:

  • File distribution across multiple sites
  • Piracy networks and warez sites
  • Shared content libraries
  • Related operators distributing the same files

Transform Name: FetchMagnetLinks

Description

Extracts all BitTorrent magnet links found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.magnet - BitTorrent magnet links

Properties Returned

  • Appearances - Number of times this magnet link appears across the indexed database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Magnet links are URIs that contain:

  • Info Hash - Unique identifier (SHA-1 hash) of the torrent content
  • Display Name - Optional human-readable name
  • Tracker URLs - Optional tracker addresses

Format: magnet:?xt=urn:btih:[HASH]&dn=[NAME]&tr=[TRACKER]
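
The same torrent can be written in more than one way: the info hash may be 40 hex characters in either case or the 32-character base32 form of the same SHA-1 digest, and the dn/tr parameters vary from site to site. The following is an added example, not Project Hades code, that normalizes magnet links to a canonical info hash before comparing them across sites; the site names, hash and tracker are constructed sample data.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

HEX40 = re.compile(r"[0-9a-fA-F]{40}")
BASE32 = re.compile(r"[A-Za-z2-7]{32}")

def parse_magnet(uri):
    """Return (info_hash_hex, display_name, trackers), or None if the URI
    carries no SHA-1 btih info hash."""
    parts = urlsplit(uri.strip())
    if parts.scheme.lower() != "magnet":
        return None
    params = parse_qs(parts.query)  # also percent-decodes dn and tr
    for xt in params.get("xt", []):
        if not xt.lower().startswith("urn:btih:"):
            continue
        value = xt[len("urn:btih:"):]
        if HEX40.fullmatch(value):
            info_hash = value.lower()
        elif BASE32.fullmatch(value):
            # 32 base32 characters encode the same 20-byte SHA-1 digest
            info_hash = base64.b32decode(value.upper()).hex()
        else:
            continue
        name = params.get("dn", [None])[0]
        return info_hash, name, sorted(set(params.get("tr", [])))
    return None

def sites_by_info_hash(observations):
    """Map normalized info hash -> set of sites, from (site, magnet_uri) pairs."""
    index = defaultdict(set)
    for site, uri in observations:
        parsed = parse_magnet(uri)
        if parsed:
            index[parsed[0]].add(site)
    return dict(index)

# Constructed sample data: one torrent written three different ways.
SAMPLE_HASH = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_B32 = base64.b32encode(bytes.fromhex(SAMPLE_HASH)).decode()
OBSERVATIONS = [
    ("site-a.onion", f"magnet:?xt=urn:btih:{SAMPLE_HASH.upper()}&dn=Example+File"),
    ("site-b.onion", f"magnet:?xt=urn:btih:{SAMPLE_B32}&tr=udp%3A%2F%2Ftracker.example%3A6969"),
    ("site-c.onion", f"magnet:?dn=renamed&xt=urn:btih:{SAMPLE_HASH}"),
    ("site-d.onion", "magnet:?xt=urn:btih:not-a-hash"),
]

if __name__ == "__main__":
    for info_hash, sites in sites_by_info_hash(OBSERVATIONS).items():
        print(info_hash, sorted(sites))
```

Comparing raw magnet strings would treat the three valid links above as different torrents; comparing the normalized info hash groups them as one.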

Use Cases

  • Catalog all torrents available on a warez/piracy site
  • Identify file-sharing sites on the dark web
  • Track popular torrents distributed across multiple sites
  • Document illegal file distribution networks
  • Monitor leaked/stolen data distribution

Investigation Tips

  • High appearance counts indicate popular or widely distributed torrents
  • Same magnet link on multiple sites suggests coordinated distribution
  • Unique/rare magnet links may indicate exclusive content or direct source
  • Magnet links can be tracked on clearnet torrent networks as well

Transform Name: SearchByMagnetLink

Description

Finds all onion sites that share a specific BitTorrent magnet link.

Input Entity

  • hades.v2.magnet - A BitTorrent magnet link

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track the distribution of a specific torrent across the dark web
  • Identify all sites sharing pirated content
  • Find related warez/piracy operations
  • Monitor where specific leaked data is being distributed
  • Discover mirror sites offering the same content

Strong Indicators:

  • Rare/unique torrents on 2-3 sites - Sites likely related or coordinating
  • Recent torrents appearing simultaneously - Active collaboration or mirroring
  • Exclusive content - May indicate original source or exclusive distributor

Moderate Indicators:

  • Popular torrents on many sites - Common content, less indicative of relationship
  • Old torrents - May be legacy content from copied databases

Investigation Required:

  • Cross-reference with other intelligence (contacts, payments, infrastructure)
  • Check timing - did sites add the magnet link at the same time?
  • Review surrounding content for other similarities
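
One way to turn the strong and moderate indicators above into a ranking, as an added example that is not part of Project Hades: score each pair of sites by the info hashes they share, weighting every shared hash by how rare it is. The IDF-style weight, the site names and the hash labels are assumptions made for the illustration; appearance counts are computed from the sample itself rather than taken from the Appearances property.

```python
import math
from collections import defaultdict
from itertools import combinations

def score_site_pairs(site_hashes):
    """Rank site pairs by shared info hashes, weighting rare hashes higher.

    site_hashes maps site -> set of normalized info hashes seen on that site.
    Returns (site_a, site_b, shared_count, jaccard, rarity_weight) tuples,
    highest rarity_weight first.
    """
    appearances = defaultdict(int)
    for hashes in site_hashes.values():
        for h in hashes:
            appearances[h] += 1
    n = len(site_hashes)
    results = []
    for a, b in combinations(sorted(site_hashes), 2):
        shared = site_hashes[a] & site_hashes[b]
        if not shared:
            continue
        # A hash on 2 of n sites contributes log(n/2); a hash on every
        # site contributes log(1) = 0 and so says nothing about the pair.
        weight = sum(math.log(n / appearances[h]) for h in shared)
        jaccard = len(shared) / len(site_hashes[a] | site_hashes[b])
        results.append((a, b, len(shared), round(jaccard, 2), round(weight, 2)))
    return sorted(results, key=lambda r: r[4], reverse=True)

# Constructed sample: one popular torrent everywhere, two rare ones on a/b only.
SAMPLE = {
    "a.onion": {"popular", "rare-1", "rare-2"},
    "b.onion": {"popular", "rare-1", "rare-2"},
    "c.onion": {"popular", "only-c"},
    "d.onion": {"popular"},
    "e.onion": {"popular", "only-e"},
}

if __name__ == "__main__":
    for row in score_site_pairs(SAMPLE):
        print(row)
```

A high score only prioritizes a pair for the cross-referencing steps listed under Investigation Required; it does not establish a relationship on its own.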

Investigation Workflow Examples

Piracy Network Mapping

  1. Extract torrents from known warez site

    • Input: warezsite123abc.onion
    • Run: FetchMagnetLinks
    • Result: All torrent magnet links available on the site
  2. Track specific torrents

    • Select interesting torrents (new releases, rare content, etc.)
    • Input: Each magnet link
    • Run: SearchByMagnetLink
    • Result: Other sites offering the same torrents
  3. Identify the network

    • Sites sharing multiple magnet links are likely:
      • Mirror sites
      • Coordinated distribution network
      • Sites scraping from same source
    • Map the relationships between sites
  4. Cross-reference with infrastructure

    • Run FetchSSHFingerprints on sites sharing content
    • Run FetchSHV to check for shared infrastructure
    • Build attribution case combining content sharing and infrastructure

Leaked Data Tracking

  1. Start with known leaked data magnet

    • Input: Magnet link for leaked database, documents, or sensitive files
    • Run: SearchByMagnetLink
    • Result: All dark web sites distributing this content
  2. Map distribution timeline

    • Note which sites have the content
    • Track if new sites add the magnet link over time
    • Identify original source vs. downstream distributors
  3. Investigate distributors

    • For each site distributing the leaked content:
      • Run FetchEmailAddresses and FetchTelegramLinks for contact info
      • Run FetchBitcoinAddresses to see if they’re monetizing access
      • Run FetchOnionLinks to map their connections
  4. Containment and attribution

    • Document all distribution points
    • Identify primary sources for takedown efforts
    • Track how content spreads through the dark web

Content Source Attribution

  1. Identify exclusive content

    • Find torrents with low appearance counts (1-3 sites)
    • Input: Magnet link
    • Run: SearchByMagnetLink
    • Result: Small number of sites with this content
  2. Determine original source

    • Analyze timing - which site had it first?
    • Check content type - does it match site’s specialty?
    • Look for watermarks or identifying information in torrent metadata
  3. Track distribution from source

    • Monitor if magnet link appears on more sites over time
    • Map how content spreads from original source
    • Identify key distribution nodes in the network
  4. Build operator profile

    • If site is original source of unique content:
      • Major player in piracy ecosystem
      • May have insider access or direct relationships
      • Priority target for investigation

Mirror Site Detection

  1. Extract content from target site

    • Input: Marketplace or content site
    • Run: FetchMagnetLinks
    • Result: All torrents available on the site
  2. Search for each major torrent

    • Select representative sample of magnet links
    • Run: SearchByMagnetLink on each
    • Result: Other sites offering the same torrents
  3. Identify mirrors

    • Sites offering the exact same collection of torrents may be:
      • Official mirror sites
      • Scam sites copying legitimate site
      • Backup domains operated by same team
    • Look for patterns in which torrents are shared
  4. Verify mirror relationships

    • Run FetchBitcoinAddresses - mirrors may share payment addresses
    • Run FetchSSHFingerprints - mirrors may share infrastructure
    • Run FetchSHV - mirrors likely have identical JavaScript
    • Treat the sites as confirmed mirrors if multiple indicators match

Torrent Tracker Analysis

  1. Extract magnet links with tracker information

    • Many magnet links include tracker URLs
    • Input: Onion site
    • Run: FetchMagnetLinks
    • Result: Magnet links (review tracker information manually)
  2. Identify common trackers

    • Which BitTorrent trackers are used by dark web sites?
    • Are there dark web-specific trackers?
    • Which clearnet trackers are commonly used?
  3. Track tracker usage patterns

    • Sites using the same private trackers may be related
    • Custom/private trackers indicate coordinated networks
    • Clearnet tracker usage indicates less sophisticated operators

Multi-source Attribution:

  1. Content + Infrastructure

    • Sites sharing magnet links + same SSH fingerprint = strong relationship
    • Sites sharing magnet links + same SHV = likely same codebase
  2. Content + Financial

    • Sites sharing magnet links + same Bitcoin addresses = confirmed same operator
    • Especially strong if monetizing access to torrents
  3. Content + Communication

    • Sites sharing magnet links + same Telegram/Discord = coordinated network
    • May indicate organized distribution group
  4. Temporal Analysis

    • Track when magnet links appear on different sites
    • Identify lead sites (first to have content) vs. followers
    • Map information flow through the piracy network

Network Relationships:

  • Identify coordinated piracy networks
  • Map content distribution chains
  • Discover mirror and backup sites

Content Tracking:

  • Monitor distribution of specific files
  • Track leaked sensitive data
  • Identify sources of pirated content

Operational Patterns:

  • Understand how piracy networks operate
  • Identify key nodes in distribution networks
  • Track content emergence and spread

Attribution:

  • Link sites through shared content libraries
  • Identify original sources vs. redistributors
  • Build cases against major piracy operators

Limitations

Not Always Conclusive:

  • Popular torrents appear on many unrelated sites
  • Sites may scrape content from each other
  • Historical torrents may persist on defunct site mirrors

Requires Context:

  • Always combine with other intelligence
  • Consider timing and exclusivity
  • Verify relationships with infrastructure and financial intelligence

External Tracking:

  • Magnet links can be tracked on clearnet BitTorrent networks
  • Public tracker statistics may provide additional context
  • DHT network may reveal peer information