Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Image Transforms

Track image distribution across the dark web using cryptographic file hashes. These transforms help identify shared content, investigate EXIF metadata leaks, and link sites through common imagery.

Overview

Image transforms allow you to:

  • Extract all images from an onion site with their cryptographic hashes (MD5, SHA1, SHA256)
  • Find all onion sites hosting a specific image
  • Identify images containing EXIF metadata (GPS coordinates, camera info, etc.)

FetchImages

Transform Name: FetchImages

Description

Extracts all images from a specified onion site, returning each image with its cryptographic hashes and metadata indicators.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.image - Image files

Properties Returned

  • MD5 Hash - MD5 cryptographic hash of the image file
  • SHA1 Hash - SHA1 cryptographic hash of the image file
  • SHA256 Hash - SHA256 cryptographic hash of the image file
  • Appearances - Number of times this image appears across the indexed database
  • EXIF Data - Indicator showing “Yes” if the image contains EXIF metadata
  • Hades Link - Direct link to view the image in Project Hades web interface

Special Features

  • EXIF Highlighting - Images containing EXIF metadata are automatically bookmarked with priority 3 for investigator attention
  • EXIF metadata can include GPS coordinates, camera make/model, timestamps, and other identifying information

Use Cases

  • Extract all images from a marketplace to identify products
  • Discover images with EXIF metadata that may reveal location or device information
  • Build a catalog of images associated with a site
  • Track how many sites use the same image across the dark web

Investigation Tips

  • Look for bookmarked (highlighted) images - these contain EXIF data worth investigating
  • High appearance counts indicate widely distributed images (stock photos, logos, etc.)
  • Low appearance counts with multiple sites may indicate shared operators

SearchByImageHash

Transform Name: SearchByImageHash

Description

Finds all onion sites that host a specific image, identified by its cryptographic hash. Accepts MD5, SHA1, or SHA256 hashes.

Input Entity

  • hades.v2.image - An image entity (or you can manually input any hash value)

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface
  • Image Appearances - Total number of times the image appears across all sites

Hash Type Support

This transform automatically detects and searches using any of the following hash types:

  • MD5 - 32-character hexadecimal hash
  • SHA1 - 40-character hexadecimal hash
  • SHA256 - 64-character hexadecimal hash

Use Cases

  • Track the distribution of a specific image across the dark web
  • Identify all marketplaces using the same product photo
  • Find sites sharing logo images (indicating common branding/operators)
  • Discover mirror sites or scam sites copying legitimate marketplace images
  • Investigate where leaked/stolen images are being distributed

Investigation Workflow

  1. Extract images from a site of interest

    • Run FetchImages on an onion site
    • Review the returned images and their hashes

  2. Track specific images

    • Select images of interest (unique products, logos, suspicious content)
    • Run SearchByImageHash on each image
    • Discover all sites hosting the same image

  3. Analyze distribution patterns

    • Images appearing on 2-3 sites may indicate related operators
    • Images on many sites may be stock photos or copied content
    • Unique images appearing on multiple sites warrant deeper investigation

Investigation Workflow Example

Tracking Stolen Content Distribution

  1. Start with a reported image

    • Input: Hash of a known stolen/leaked image
    • Run: SearchByImageHash
    • Result: All dark web sites hosting this image

  2. Investigate each site

    • For each onion site discovered
    • Run: FetchImages to see what other content they host
    • Run: FetchBitcoinAddresses to identify payment methods
    • Run: FetchEmailAddresses or FetchTelegramLinks for contact info

  3. Map the distribution network

    • Visualize all sites sharing the content
    • Identify potential operators through shared payment addresses or contacts
    • Track the spread of specific content across platforms

Identifying Marketplace Relationships

  1. Extract images from a marketplace

    • Input: marketplace123abc.onion
    • Run: FetchImages
    • Result: All product images and their hashes

  2. Search for logo/branding images

    • Select the marketplace’s logo or unique branding images
    • Run: SearchByImageHash
    • Result: Other sites using the same logo

  3. Discover related sites

    • Sites sharing identical logos may be:
      • Mirror sites operated by the same team
      • Franchise operations
      • Scam sites impersonating the legitimate marketplace
    • Cross-reference with other intelligence (wallets, contacts) to confirm relationships

© 2026 © Aikos Technologies Limited - All Rights Reserved.