Infrastructure Fingerprinting

Identify sites with identical JavaScript infrastructure using Script Hash Values (SHV). These transforms reveal relationships between sites through their technical fingerprints.

Overview

The SHV (Script Hash Value) is a unique fingerprint generated from all JavaScript file paths used by a site. Sites with identical SHV values have the exact same JavaScript infrastructure, which strongly indicates:

  • Same operators or development team
  • Sites built from the same codebase
  • Mirror sites or related services
  • Template reuse or framework sharing

FetchSHV

Transform Name: FetchSHV

Description

Retrieves the Script Hash Value (SHV) fingerprint for a specified onion site. The SHV is a SHA256 hash generated from all JavaScript file paths used by the site, sorted alphabetically.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.shv - Script Hash Value fingerprint

Properties Returned

  • Script Count - Number of JavaScript files that contributed to the SHV
  • Scripts Preview - First few JavaScript file paths (up to 3 shown)
  • Hades Link - Direct link to view the onion site in Project Hades web interface

How SHV is Generated

  1. All JavaScript file paths used by the site are collected
  2. Paths are sorted alphabetically
  3. Sorted paths are concatenated together
  4. SHA256 hash is computed from the concatenated string
  5. Result is a unique 64-character hexadecimal fingerprint
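The five steps above, as an added Python example (not Project Hades code), extended to group sites by fingerprint the way SearchBySHV is described. It assumes no separator between paths, UTF-8 encoding, code-point sort order and no de-duplication, none of which the page specifies; the site names and script paths are constructed.

```python
import hashlib
from collections import defaultdict


def compute_shv(script_paths):
    """SHA256 over the sorted, concatenated JavaScript file paths."""
    # Assumptions (not stated on the page): paths are joined with no
    # separator, encoded as UTF-8, sorted by code point, duplicates kept.
    joined = "".join(sorted(script_paths))
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def group_by_shv(site_scripts):
    """Map each SHV to the sorted list of sites that produce it."""
    groups = defaultdict(list)
    for site, paths in site_scripts.items():
        groups[compute_shv(paths)].append(site)
    return {shv: sorted(sites) for shv, sites in groups.items()}


# Constructed sample data: placeholder site names and script paths.
SITES = {
    # Same three paths, collected in a different order on each site.
    "site-a.example": ["/js/app.js", "/js/vendor/jquery.min.js", "/js/cart.js"],
    "site-b.example": ["/js/cart.js", "/js/app.js", "/js/vendor/jquery.min.js"],
    # One path differs, so the whole fingerprint differs.
    "site-c.example": ["/js/app.js", "/js/vendor/jquery.min.js", "/js/cart.v2.js"],
}

if __name__ == "__main__":
    for shv, sites in group_by_shv(SITES).items():
        print(shv[:16] + "...", len(sites), sites)
```

Because only paths are hashed, two sites serving different file contents under the same paths still share an SHV, which is why the file-level transforms remain part of the workflow.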

Use Cases

  • Generate infrastructure fingerprint for a site of interest
  • Prepare for finding related sites with identical infrastructure
  • Document the JavaScript stack used by a site
  • Track changes in site infrastructure over time (different SHVs = different JS files)

Investigation Tips

  • Sites with many scripts (20+) typically use modern web frameworks
  • Sites with few scripts (<5) may be simple static sites or use inline JavaScript
  • Identical script counts between sites are suspicious but not conclusive - verify with SearchBySHV

SearchBySHV

Transform Name: SearchBySHV

Description

Finds all onion sites with an identical Script Hash Value, indicating they share the exact same JavaScript infrastructure.

Input Entity

  • hades.v2.shv - A Script Hash Value fingerprint

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • SHV - The shared Script Hash Value
  • Script Count - Number of JavaScript files in the fingerprint
  • Hades Link - Direct link to view each onion site in Project Hades web interface

Special Features

  • Relationship Indicator - If multiple sites share an SHV, a user message indicates how many sites have identical infrastructure
  • This is one of the strongest technical indicators of related sites

What Identical SHV Means

Strong Indicators (High Confidence):

  • Multiple marketplace sites - Likely operated by the same team or franchisees
  • Admin panels - Sites with matching admin infrastructure are definitely related
  • Identical custom JS - Sites with unique/custom JavaScript stacks are almost certainly connected

Moderate Indicators (Medium Confidence):

  • Popular framework sites - May just use the same template (e.g., same WordPress theme)
  • Few scripts - Simple sites might coincidentally have matching JS

Investigation Required:

  • Always cross-reference SHV matches with other intelligence
  • Check for shared payment addresses, contacts, or content
  • Review the actual JavaScript files to understand what’s shared

Use Cases

  • Find mirror sites or backup domains for a marketplace
  • Identify sites operated by the same development team
  • Discover franchises or affiliated sites using shared infrastructure
  • Track template/framework adoption across the dark web
  • Link sites for attribution investigations

Investigation Workflow Example

  1. Generate fingerprint for known marketplace

    • Input: targetmarket123abc.onion
    • Run: FetchSHV
    • Result: SHV fingerprint and script count
  2. Find sites with identical infrastructure

    • Input: The SHV from step 1
    • Run: SearchBySHV
    • Result: All sites with the exact same JavaScript infrastructure
  3. Analyze the relationship

    • Review each discovered site
    • If 2-3 sites share SHV:
      • Likely mirror domains or related operations
      • Run FetchBitcoinAddresses on each to check for shared wallets
      • Run FetchEmailAddresses to check for shared contacts
  4. Build attribution map

    • Cross-reference findings:
      • Sites with identical SHV + shared wallets = very high confidence relationship
      • Sites with identical SHV + different wallets = possibly franchises or copycats
      • Sites with identical SHV + shared admin emails = confirmed same operators

Template Tracking

  1. Identify marketplace template

    • Many dark web marketplaces use open-source or leaked templates
    • Find a known template-based market
    • Run: FetchSHV
  2. Track template usage

    • Run: SearchBySHV with the template’s fingerprint
    • Result: All marketplaces using that template
  3. Monitor the ecosystem

    • Track how many markets use each popular template
    • Identify newly launched markets using known templates
    • Predict capabilities/vulnerabilities based on template version

Infrastructure Change Detection

  1. Baseline current infrastructure

    • Input: Site under monitoring
    • Run: FetchSHV
    • Document: Current SHV value and timestamp
  2. Periodic re-fingerprinting

    • Regularly run FetchSHV on monitored sites
    • Compare new SHV to baseline
  3. Detect significant changes

    • Different SHV = JavaScript infrastructure changed
      • New version deployed
      • Framework migration
      • Potential security update or compromise
    • Same SHV = Infrastructure unchanged
      • Site stable
      • No major technical updates
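The baseline-and-compare procedure above, as an added Python example (not Project Hades code). It assumes the analyst keeps the full script path list alongside each recorded SHV so that a change can be explained, and it uses the same hashing assumptions as before (no separator, UTF-8); the record layout, site name and paths are constructed.

```python
import hashlib
from datetime import datetime, timezone


def compute_shv(paths):
    # Assumed construction: sorted paths, no separator, UTF-8, SHA256.
    return hashlib.sha256("".join(sorted(paths)).encode("utf-8")).hexdigest()


def make_baseline(site, paths, when):
    """Record the SHV, the paths behind it and the observation time."""
    return {
        "site": site,
        "shv": compute_shv(paths),
        "paths": sorted(paths),
        "recorded_at": when.isoformat(),
    }


def compare_to_baseline(baseline, current_paths):
    """Return whether the SHV changed and which paths explain the change."""
    current_shv = compute_shv(current_paths)
    old, new = set(baseline["paths"]), set(current_paths)
    return {
        "changed": current_shv != baseline["shv"],
        "shv": current_shv,
        "added": sorted(new - old),
        "removed": sorted(old - new),
    }


# Constructed sample observations for a placeholder site.
BASELINE = make_baseline(
    "monitored-site.example",
    ["/js/app.js", "/js/cart.js", "/js/vendor/jquery.min.js"],
    datetime(2024, 1, 1, tzinfo=timezone.utc),
)
SAME_SET_REORDERED = ["/js/vendor/jquery.min.js", "/js/app.js", "/js/cart.js"]
AFTER_DEPLOY = ["/js/app.js", "/js/cart.v2.js", "/js/vendor/jquery.min.js"]

if __name__ == "__main__":
    for label, paths in (("recheck", SAME_SET_REORDERED), ("deploy", AFTER_DEPLOY)):
        print(label, compare_to_baseline(BASELINE, paths))
```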

Combining SHV with JavaScript Analysis

  1. Use FetchSHV for high-level fingerprint

    • Quick way to identify identical sites
    • Less detailed than individual file analysis
  2. Use FetchJavascriptFiles for detailed analysis

    • See specific files that make up the SHV
    • Identify which libraries/frameworks are used
  3. Combined approach

    • Start with FetchSHV to find related sites quickly
    • Use FetchJavascriptFiles to understand what makes them related
    • Use SearchByJavascriptHash to track specific critical files

Example workflow:

  1. Run FetchSHV on Site A → Get SHV_1
  2. Run SearchBySHV on SHV_1 → Find Sites B, C, D
  3. Run FetchJavascriptFiles on all sites → Understand their technical stack
  4. Identify the custom application JS file
  5. Run SearchByJavascriptHash on that file → Find even more related sites