Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Label & Classification Transforms

Access machine learning-based site classifications, threat categories, and risk assessments. These transforms help prioritize investigations based on automated intelligence analysis.

Overview

Label transforms provide access to:

  • ML-based classification of onion sites into 38 intent categories
  • Risk level assessments (high, medium, low)
  • Manually curated tags for additional context
  • Search capabilities to find sites by category or risk level

FetchLabels

Transform Name: FetchLabels

Description

Retrieves the machine learning-based classification labels, intents, risk level, and tags for a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.label - Classification labels and intent categories
  • hades.v2.tag - Manually curated tags

Properties Returned

  • Type - Indicates “Primary Intent” or “Significant Intent”
  • Risk Level - Classification as high, medium, or low risk
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Special Features

  • High-Risk Highlighting - Sites classified as “high” risk are automatically bookmarked with priority 3 for investigator attention

Intent Categories

The ML system classifies sites into categories including:

  • Marketplace (drugs, weapons, fraud, etc.)
  • Forum/Community
  • Hacking/Tools
  • Financial Services
  • Hosting/Infrastructure
  • Information/News
  • Adult Content
  • CSAM (Child Sexual Abuse Material)
  • And 30+ additional categories

Risk Levels

  • High - Sites engaging in serious illegal activity (CSAM, weapons trafficking, etc.)
  • Medium - Sites with potentially illegal content or services
  • Low - Sites with legal or questionable but non-criminal content

Use Cases

  • Quickly understand the nature of an onion site without visiting it
  • Prioritize high-risk sites for immediate investigation
  • Filter large result sets by category
  • Identify site purpose for reporting or documentation

SearchByLabel

Transform Name: SearchByLabel

Description

Finds all onion sites classified with a specific label, intent, or tag. Searches across primary intents, significant intents, and manual tags.

Input Entity

  • hades.v2.label or hades.v2.tag - A classification label or tag
  • Can also manually input label text (e.g., “marketplace”, “drugs”, “hacking”)

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Risk Level - The site’s risk classification
  • Primary Category - The top_intent classification for the site
  • Hades Link - Direct link to view each onion site in Project Hades web interface

Special Features

  • High-Risk Highlighting - Sites with “high” risk level are automatically bookmarked

Use Cases

  • Find all marketplaces in the database
  • Identify all sites related to a specific threat category (e.g., “hacking”, “fraud”)
  • Build collections of sites for category-specific analysis
  • Discover emerging sites in a particular category

Common Label Searches

  • marketplace - Dark web marketplaces and vendor shops
  • drugs - Drug-related sales and information
  • hacking - Hacking tools, services, and forums
  • fraud - Fraud services, carding, identity theft
  • forum - Discussion forums and communities
  • cryptocurrency - Crypto mixing, laundering, services
  • weapons - Weapons sales and information

SearchByRiskLevel

Transform Name: SearchByRiskLevel

Description

Finds all onion sites classified at a specific risk level (high, medium, or low). Limited to 100 results to prevent overwhelming the graph.

Input Entity

  • Text input: high, medium, or low (case-insensitive)

Output Entities

  • hades.v2.onion - Onion site addresses (maximum 100)

Properties Returned

  • Risk Level - The site’s risk classification
  • Primary Category - The top_intent classification for the site
  • Hades Link - Direct link to view each onion site in Project Hades web interface

Special Features

  • Result Limiting - Returns maximum of 100 sites to prevent graph overload
  • High-Risk Highlighting - High risk sites are automatically bookmarked
  • User Notification - Displays message if 100+ results exist, suggesting more specific searches

Use Cases

  • Identify highest priority targets (high-risk sites)
  • Get overview of threat landscape by risk level
  • Build prioritized investigation queues
  • Generate reports on high-risk site prevalence

Investigation Tips

  • High Risk searches are most useful for threat prioritization
  • Use in combination with SearchByLabel for targeted results
  • The 100-result limit encourages focused investigation over broad sweeps

Investigation Workflow Example

Threat Category Investigation

  1. Identify sites by threat category

    • Input: Label text “drugs” or “hacking”
    • Run: SearchByLabel
    • Result: All sites classified in that category

  2. Prioritize by risk level

    • Review the risk levels of returned sites
    • Focus on high-risk (bookmarked) sites first
    • Add medium-risk sites to watch list

  3. Deep dive on priority targets

    • For each high-priority site:
    • Run: FetchBitcoinAddresses to identify payment methods
    • Run: FetchEmailAddresses and FetchTelegramLinks for contacts
    • Run: FetchImages to document content
    • Run: FetchOnionLinks to map their network

High-Risk Site Monitoring

  1. Get all high-risk sites

    • Input: “high”
    • Run: SearchByRiskLevel
    • Result: Up to 100 highest-risk sites in the database

  2. Analyze primary categories

    • Review the “Primary Category” property for each site
    • Identify distribution of high-risk sites across categories
    • Note emerging threat categories

  3. Track specific categories

    • For concerning categories (e.g., “CSAM”, “weapons”)
    • Run: SearchByLabel with that category
    • Build comprehensive intelligence on that threat type

Site Classification Validation

  1. Review automated classification

    • Input: Known onion site
    • Run: FetchLabels
    • Result: ML-assigned labels, intents, and risk level

  2. Validate accuracy

    • Compare automated labels with manual inspection
    • Note any misclassifications for reporting
    • Use labels as starting point, not definitive truth

  3. Cross-reference with content

    • Run: FetchImages to review visual content
    • Run: FetchBitcoinAddresses to see if payment methods align with category
    • Validate risk assessment against actual site content

© 2026 © Aikos Technologies Limited - All Rights Reserved.