MCP Server Usage Examples

Step-by-step examples of common dark web investigation workflows using the Hades MCP Server with Claude AI. Each example shows the natural language query and expected results.

Table of Contents

  1. Cryptocurrency Wallet Investigation
  2. Vendor Attribution Analysis
  3. Infrastructure Correlation
  4. Threat Intelligence Monitoring
  5. Network Analysis

Cryptocurrency Wallet Investigation

Scenario: Track Bitcoin wallet across dark web marketplaces

Goal: Find all sites using a specific Bitcoin address and analyze their risk profiles.

Step 1: Find all servers with the wallet

User Query:

"Find all dark web sites using Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

Claude uses: find_servers_with_wallet

Expected Result:

Found 2 servers using this Bitcoin address:

1. darkmarket5abc.onion
   - Risk Level: High
   - Intent: Illegal drugs
   - Title: "DarkMarket - Premium Drugs"
   - Appearances: 12

2. vendorshop2xyz.onion
   - Risk Level: Medium
   - Intent: Marketplace
   - Title: "Vendor Shop"
   - Appearances: 5

Step 2: Track wallet activity over time

User Query:

"Show me the timeline of this wallet's appearances over the last 90 days"

Claude uses: track_wallet_activity

Expected Result:

Wallet Activity Timeline (Last 90 days):

First Seen: October 28, 2024
Last Seen: January 26, 2025
Total Servers: 2
Total Appearances: 17

Recent Activity:
- darkmarket5abc.onion: Last seen January 15, 2025 (High risk)
- vendorshop2xyz.onion: Last seen December 20, 2024 (Medium risk)

Step 3: Find all other wallets on these servers

User Query:

"What other cryptocurrency wallets are on darkmarket5abc.onion?"

Claude uses: find_related_wallets

Expected Result:

Cryptocurrency wallets on darkmarket5abc.onion:

Bitcoin (2 wallets):
  - bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh (12 appearances)
  - 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (8 appearances)

Monero (1 wallet):
  - 4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAV5Usx3w... (15 appearances)

Total: 3 wallets across 2 cryptocurrency types

Analysis: This marketplace accepts both Bitcoin and Monero, with the Monero wallet the most frequently seen (15 appearances). The presence of multiple Bitcoin addresses suggests either multiple vendors or wallet rotation.


Vendor Attribution Analysis

Scenario: Identify all operations of a vendor starting from one marketplace

Goal: Build high-confidence attribution showing all sites operated by the same vendor.

Step 1: Perform vendor attribution

User Query:

"Find all related sites operated by the same vendor as darkmarket5abc.onion"

Claude uses: vendor_attribution

Expected Result:

Vendor Attribution Analysis for darkmarket5abc.onion:

Identifiers Found:
- Emails: [email protected]
- Telegram: @darkvendor
- Bitcoin: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
- Monero: 4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAV5Usx3w...

Related Servers (3 found):

1. vendorshop2xyz.onion - VERY HIGH CONFIDENCE (4 shared indicators)
   Shared: @darkvendor, bc1qxy2..., [email protected], Monero wallet
   Risk: High, Intent: Marketplace

2. backupshop7def.onion - HIGH CONFIDENCE (3 shared indicators)
   Shared: @darkvendor, bc1qxy2..., Monero wallet
   Risk: Medium, Intent: Marketplace

3. vendor-mirror.onion - MEDIUM CONFIDENCE (2 shared indicators)
   Shared: @darkvendor, bc1qxy2...
   Risk: High, Intent: Illegal drugs

Interpretation: Very high confidence that vendorshop2xyz.onion is operated by the same vendor (shares all 4 identifiers). backupshop7def.onion is likely a backup or related operation. vendor-mirror.onion requires further investigation.

Step 2: Cross-platform tracking

User Query:

"Track these identifiers across all servers: @darkvendor, [email protected], bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

Claude uses: cross_platform_tracking

Expected Result:

Cross-Platform Tracking Results:

Identifier Distribution:
- @darkvendor: Appears on 5 servers
- [email protected]: Appears on 4 servers
- bc1qxy2...: Appears on 6 servers

Server Overlap Groups:

3 Identifiers (Very High Confidence):
- darkmarket5abc.onion (High risk, Illegal drugs)
- vendorshop2xyz.onion (High risk, Marketplace)

2 Identifiers (High Confidence):
- backupshop7def.onion (Medium risk, Marketplace)
- vendor-site.onion (High risk, Illegal drugs)

1 Identifier (Medium Confidence):
- newmarket.onion (Medium risk, Marketplace)
- exchange-site.onion (Low risk, Cryptocurrency)

Analysis: Strong evidence of a vendor network. Sites carrying all 3 identifiers are almost certainly the same operator. Sites with 2 identifiers are likely related (backups or franchises). A single shared identifier, such as the Bitcoin address on exchange-site.onion, may only mean the wallet is listed or referenced there rather than controlled by the site, so it needs corroboration before attribution.


Infrastructure Correlation

Goal: Identify all sites with identical infrastructure to detect mirrors, backups, and related operations. "Identical infrastructure" here means a matching SHV, the fingerprint the server derives from a site's set of JavaScript assets (the script count and key scripts shown in the result below).

Step 1: Find SHV matches

User Query:

"Find sites with identical infrastructure to targetmarket.onion"

Claude uses: find_shv_matches

Expected Result:

Infrastructure Analysis for targetmarket.onion:

SHV: a7f3b2c8d9e1f0a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6
Script Count: 24 JavaScript files
Key Scripts:
- /static/js/main.chunk.js
- /static/js/vendor.chunk.js
- /js/react-bundle.js

Matching Sites (4 found):

1. targetmarket-mirror.onion
   - Script Count: 24 (identical)
   - Risk: High, Intent: Marketplace
   - Title: "TargetMarket Mirror"
   - Confidence: VERY HIGH

2. targetmarket-backup.onion
   - Script Count: 24 (identical)
   - Risk: High, Intent: Marketplace
   - Title: "TargetMarket Backup"
   - Confidence: VERY HIGH

3. tm-v2.onion
   - Script Count: 24 (identical)
   - Risk: High, Intent: Marketplace
   - Title: "TM v2"
   - Confidence: VERY HIGH

4. related-market.onion
   - Script Count: 22 (similar)
   - Risk: Medium, Intent: Marketplace
   - Confidence: MEDIUM

Interpretation: The first three sites load exactly the same JavaScript set and carry TargetMarket-derived titles, so they are almost certainly mirrors; Step 2 checks whether the mirror is also served from the same host. related-market.onion has similar but not identical scripts, consistent with a franchised or modified copy of the codebase. Keep in mind that identical scripts prove a shared codebase, not a shared operator: a phishing clone that copied the front end, or two shops built from the same marketplace template, would produce the same SHV.

Step 2: Check SSH fingerprints for co-hosting

User Query:

"Are targetmarket.onion and targetmarket-mirror.onion hosted on the same server?"

Claude uses: search_by_ssh_fingerprint

Expected Result:

SSH Fingerprint Analysis:

Source: targetmarket.onion
SSH Fingerprint: SHA256:abc123def456...

Co-hosted Sites:
1. targetmarket-mirror.onion (CONFIRMED)
   - Same SSH fingerprint
   - Risk: High
   - Confidence: VERY HIGH - Same host (identical SSH host key)

2. unrelated-site.onion
   - Same SSH fingerprint
   - Risk: Low
   - Confidence: MEDIUM - Shared hosting provider

Analysis:

  • targetmarket.onion and targetmarket-mirror.onion: identical JavaScript AND the same SSH host key = confirmed mirrors served from the same host
  • unrelated-site.onion: same SSH host key but a different SHV = co-located on the same host (shared hosting, or another service on the same box), which on its own is not evidence of a related operation

An SSH host key identifies a host, not an operator. Shared hosting and VM images cloned without regenerating their host keys both yield identical fingerprints for unrelated sites, which is why co-hosting alone is listed under weaker evidence in the best practices below.
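The two checks above, combined the way this analysis combines them, as an added Python example that is not part of the Hades project or this page. The page does not say how Hades computes SHV, so the script-set fingerprint used here (SHA-256 over the sorted, de-duplicated script paths), the similarity threshold, the `correlate` function, and the sample sites and host-key labels are all assumptions constructed for the example.

```python
"""Illustrative infrastructure correlation combining a script-set fingerprint
with an SSH host-key comparison, the way the analysis above combines SHV and
SSH. Added example, not Hades code. This page does not say how Hades derives
SHV, so the fingerprint below (SHA-256 over the sorted, de-duplicated script
paths) is an assumption, as are the sample sites and host-key labels."""
import hashlib
from typing import Dict, Iterable, List, Optional


def script_fingerprint(script_paths: Iterable[str]) -> str:
    """Order-independent fingerprint of a site's JavaScript asset paths."""
    canonical = "\n".join(sorted(set(script_paths)))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def jaccard(a: Iterable[str], b: Iterable[str]) -> float:
    """Fraction of the combined script set the two sites have in common."""
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 1.0


SIMILAR_THRESHOLD = 0.5  # assumption: "similar" = at least half the combined set in common


def correlate(target_scripts: List[str], target_ssh: Optional[str],
              cand_scripts: List[str], cand_ssh: Optional[str]) -> str:
    """Classify a candidate site relative to the target using both signals."""
    same_scripts = script_fingerprint(target_scripts) == script_fingerprint(cand_scripts)
    same_host = target_ssh is not None and target_ssh == cand_ssh
    if same_scripts and same_host:
        return "mirror on same host"                 # identical JS + same host key
    if same_scripts:
        return "identical codebase, different host"  # mirror, clone, or shared template
    if same_host:
        return "co-hosted only"                      # same host key, unrelated code
    if jaccard(target_scripts, cand_scripts) >= SIMILAR_THRESHOLD:
        return "similar codebase"                    # modified or franchised copy
    return "unrelated"


# Constructed sample data (script paths and host-key labels are made up).
TARGET_SCRIPTS = ["/static/js/main.chunk.js", "/static/js/vendor.chunk.js",
                  "/js/react-bundle.js", "/js/cart.js"]
TARGET_SSH = "SHA256:hostkey-A"
CANDIDATES = {
    "targetmarket-mirror.onion": (list(reversed(TARGET_SCRIPTS)), "SHA256:hostkey-A"),
    "tm-v2.onion": (TARGET_SCRIPTS, "SHA256:hostkey-B"),
    "unrelated-site.onion": (["/assets/app.js", "/assets/jquery.min.js"], "SHA256:hostkey-A"),
    "related-market.onion": (TARGET_SCRIPTS[:3] + ["/js/escrow.js"], "SHA256:hostkey-C"),
    "other-shop.onion": (["/assets/app.js"], "SHA256:hostkey-D"),
}


def run_demo() -> Dict[str, str]:
    """Verdict for every constructed candidate relative to the target."""
    return {name: correlate(TARGET_SCRIPTS, TARGET_SSH, scripts, ssh)
            for name, (scripts, ssh) in CANDIDATES.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28} {verdict}")
```

The fingerprint is order-independent on purpose, so a mirror that lists its scripts in a different order still matches; the Jaccard score is what distinguishes "similar" (related-market.onion, 3 of 5 scripts in common) from "unrelated". The SSH comparison is deliberately kept as a separate signal: a matching host key upgrades an identical-codebase match to a confirmed mirror, but on its own yields only "co-hosted only".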

Threat Intelligence Monitoring

Scenario: Daily monitoring of new high-risk drug marketplaces

Goal: Stay informed on newly discovered threats and emerging marketplaces.

User Query:

"Show me high-risk drug marketplaces discovered in the last 7 days"

Claude uses: threat_intelligence

Expected Result:

Threat Intelligence Feed (Last 7 days)

Time Range: January 20 - January 27, 2025
Total Threats Found: 5 high-risk drug marketplaces

1. newmarket8xyz.onion
   - Discovered: January 25, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (94% confidence)
   - Also classified: Marketplace (89%)
   - Title: "NewMarket - Drugs & More"

2. vendor42abc.onion
   - Discovered: January 23, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (87% confidence)
   - Title: "Vendor 42 Shop"

3. darkpharm-v3.onion
   - Discovered: January 21, 2025
   - Risk Level: Critical
   - Top Intent: Illegal drugs (96% confidence)
   - Also classified: Pharmaceutical (91%)
   - Title: "DarkPharm v3"

4. street-market.onion
   - Discovered: January 20, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (82% confidence)
   - Title: "Street Market"

5. euro-vendor.onion
   - Discovered: January 20, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (79% confidence)
   - Title: "European Vendor Shop"

Summary:
- All 5 sites are high/critical risk
- Average confidence score: 87.6%
- Most common secondary category: Marketplace

Follow-up queries:

  • “Get complete details on darkpharm-v3.onion”
  • “Find if any of these share infrastructure”
  • “Check if these vendors operate other sites”

Network Analysis

Scenario: Analyze connections between known marketplaces

Goal: Understand relationships between multiple marketplaces to identify cartels or shared operators.

User Query:

"Analyze the connections between these 3 marketplaces: marketplace1.onion, marketplace2.onion, marketplace3.onion"

Claude uses: network_analysis

Expected Result:

Network Analysis Results:

Servers Analyzed: 3

Connections Found: 2

Connection 1: marketplace1.onion ↔ marketplace2.onion
  Type: Shared Entities
  Shared Identifiers (3):
    - Bitcoin: bc1q...
    - Telegram: @admin
    - Email: [email protected]
  Confidence: VERY HIGH

Connection 2: marketplace2.onion ↔ marketplace3.onion
  Type: SHV Match
  Details: Identical JavaScript infrastructure
  SHV: a7f3b2c8d9e1f0a2b3c4d5e6f7a8b9c0...
  Confidence: VERY HIGH

Network Statistics:
- Total Connections: 2
- Connection Types:
  - Shared Entities: 1
  - SHV Match: 1
- Most Connected Server: marketplace2.onion (2 connections)

Interpretation:
- marketplace1 & marketplace2 share Bitcoin, Telegram, email = Same operators
- marketplace2 & marketplace3 have identical infrastructure = Related/franchised
- marketplace2 is the hub connecting the network

Follow-up analysis:

"Perform vendor attribution on marketplace2.onion to find all related sites"

Investigation Best Practices

Start Simple, Build Complexity

Good Workflow:

1. "Find all sites using Bitcoin address bc1qxy2..."
2. "What other wallets are on darkmarket5abc.onion?"
3. "Find all sites operated by the same vendor as darkmarket5abc.onion"
4. "Build investigation graph from darkmarket5abc.onion"

Why: Each query builds on previous results, progressively expanding the investigation.

Use Confidence Scores

Interpreting Results:

  • 4+ shared indicators = Very high confidence, safe to attribute
  • 2-3 shared indicators = High confidence, likely related (vendor_attribution labels a 2-indicator match MEDIUM, so treat 2 as the floor for calling sites related, not as proof)
  • 1 shared indicator = Medium confidence, needs more investigation
  • Infrastructure only (matching SHV or SSH fingerprint with no shared entities) = Lower confidence unless combined with entities

Counts treat every indicator alike, so also ask how each one could have reached the page without the operator controlling it: a wallet address can be quoted, scraped, or copied into a scam clone, while several independent identifiers appearing together are much harder to explain away.

Combine Multiple Signals

Strong Attribution Evidence:

1. Shared crypto wallets + shared communications
2. Identical infrastructure (SHV) + shared entities
3. Co-hosting (SSH) + shared contacts

Weaker Evidence (Requires Corroboration):

  • Single shared entity
  • Similar (not identical) infrastructure
  • Co-hosting alone (shared hosting provider)
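An added Python example (not Hades code, and not this page's own) that turns the "Use Confidence Scores" bands and the "Combine Multiple Signals" rules above into a scorer. `SiteProfile`, `combine`, `attribute`, the one-band promotion for corroborating infrastructure, and the sample profiles are all constructed here; the identifiers are labelled placeholders apart from the Bitcoin address and Telegram handle used in the walkthrough above.

```python
"""Illustrative attribution scoring that applies the confidence bands from
"Use Confidence Scores" and the combination rules from "Combine Multiple
Signals". Added example, not Hades code: the bands as coded, the one-band bump
for corroborating infrastructure, and the sample profiles are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SiteProfile:
    onion: str
    identifiers: Set[str] = field(default_factory=set)  # wallets, handles, emails
    shv: str = ""              # JavaScript infrastructure fingerprint
    ssh_fingerprint: str = ""  # SSH host-key fingerprint


# minimum number of shared entities -> band (from "Use Confidence Scores")
BANDS = [(4, "very high"), (2, "high"), (1, "medium")]
LADDER = ["medium", "high", "very high"]


def entity_band(shared_count: int) -> str:
    for minimum, label in BANDS:
        if shared_count >= minimum:
            return label
    return "none"


def combine(shared_count: int, infra: List[str]) -> str:
    """Shared entities set the band; infrastructure only corroborates it."""
    band = entity_band(shared_count)
    if not infra:
        return band
    if band == "none":
        return "low (infrastructure only)"  # SHV/SSH match with no shared entity
    # assumption: SHV or SSH agreement moves an entity-based band up one step
    return LADDER[min(LADDER.index(band) + 1, len(LADDER) - 1)]


def score_pair(target: SiteProfile, other: SiteProfile) -> Dict:
    shared = sorted(target.identifiers & other.identifiers)
    infra = []
    if target.shv and target.shv == other.shv:
        infra.append("shv")
    if target.ssh_fingerprint and target.ssh_fingerprint == other.ssh_fingerprint:
        infra.append("ssh")
    return {"onion": other.onion, "shared": shared, "infra": infra,
            "confidence": combine(len(shared), infra)}


def attribute(target: SiteProfile, candidates: List[SiteProfile]) -> List[Dict]:
    """Score every candidate against the target, strongest links first."""
    rank = {"very high": 0, "high": 1, "medium": 2,
            "low (infrastructure only)": 3, "none": 4}
    rows = [score_pair(target, c) for c in candidates if c.onion != target.onion]
    return sorted(rows, key=lambda r: (rank[r["confidence"]], r["onion"]))


# Constructed sample data mirroring the vendor attribution walkthrough above;
# the email and Monero values are placeholders, not identifiers from the page.
TG, BTC = "tg:@darkvendor", "btc:bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"
MAIL, XMR = "email:vendor@example.invalid", "xmr:constructed-monero-wallet"
TARGET = SiteProfile("darkmarket5abc.onion", {TG, BTC, MAIL, XMR},
                     shv="shv-A", ssh_fingerprint="ssh-A")
CANDIDATES = [
    SiteProfile("vendorshop2xyz.onion", {TG, BTC, MAIL, XMR}),            # all 4 shared
    SiteProfile("backupshop7def.onion", {TG, BTC, XMR}),                  # 3 shared
    SiteProfile("vendor-mirror.onion", {TG, BTC}),                        # 2 shared
    SiteProfile("mirror-host.onion", {TG}, shv="shv-A"),                  # 1 shared + same SHV
    SiteProfile("exchange-site.onion", {BTC}),                            # address merely listed
    SiteProfile("unrelated-site.onion", {"tg:@someone"}, ssh_fingerprint="ssh-A"),  # co-hosted only
]


def run_demo() -> Dict[str, str]:
    return {r["onion"]: r["confidence"] for r in attribute(TARGET, CANDIDATES)}


if __name__ == "__main__":
    for row in attribute(TARGET, CANDIDATES):
        print(f"{row['onion']:24} {row['confidence']:26} "
              f"shared={row['shared']} infra={row['infra']}")
```

The design choice worth noting is that infrastructure never creates a band on its own: a shared SHV or SSH fingerprint with zero shared entities stays at "low (infrastructure only)", exactly the co-hosting case from the Infrastructure Correlation section, while the same signal alongside even one shared entity lifts the result one band.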

Validate Findings

Cross-Validation:

1. Use vendor_attribution to find related sites
2. Use find_shv_matches to check infrastructure
3. Use cross_platform_tracking to verify shared identifiers
4. Use network_analysis to map complete relationships

Multiple tools confirming the same relationship = High confidence


Common Query Patterns

Quick Vendor Check

"Find all sites operated by the same vendor as targetsite.onion"

Single query for quick attribution analysis.

Comprehensive Investigation

1. "Get complete intelligence profile for targetsite.onion"
2. "Find all sites operated by the same vendor"
3. "Analyze connections between [list of related sites]"
4. "Show me how targetsite.onion has changed over the last 90 days"

Complete investigation from discovery to timeline.

Daily Threat Monitoring

"Show me high-risk marketplaces discovered in the last 24 hours with Bitcoin wallets"

Daily intelligence briefing.

Infrastructure Attribution

1. "Find sites with identical infrastructure to targetsite.onion"
2. "Are these sites co-hosted on the same server?"
3. "Analyze the technology stack of targetsite.onion"

Complete infrastructure analysis.


Tips for Effective Queries

Be Specific

Good: “Find all high-risk drug marketplaces with Bitcoin discovered in the last 7 days”

Less Effective: “Find marketplaces”

Use Natural Language

You don’t need to remember exact tool names or parameters:

Good:

  • “Track this wallet across all sites”
  • “Find related operations”
  • “Show me the timeline”

Unnecessary:

  • “Use find_servers_with_wallet tool with wallet_address parameter”

Follow-Up Questions

Claude maintains context, so you can ask follow-up questions:

User: "Find all sites using Bitcoin address bc1qxy2..."
Claude: [Shows 5 sites]

User: "What other wallets are on the first one?"
Claude: [Understands "first one" refers to first result]

User: "Find sites with identical infrastructure to that site"
Claude: [Continues investigation on same target]

Request Formatting

If you need results in a specific format:

"Find all sites operated by this vendor and format as a table with risk levels and confidence scores"

"Show me the timeline as a bulleted list"

"Summarize the top 3 threats discovered this week"

Troubleshooting Common Issues

No Results Found

Query: “Find all sites using Bitcoin address 1ABC123…”

If no results:

  • Verify the wallet address format and checksum (mainnet Bitcoin addresses start with 1 for P2PKH, 3 for P2SH, or bc1 for SegWit/Taproot; a single mistyped character fails the checksum and will never match an indexed address)
  • Try searching without filters: “Search for any cryptocurrency wallets”
  • Wallet may not be in database (too new, obscure site, not yet indexed)
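A checksum-aware address check for the first bullet above, as an added Python example that is not Hades code. It goes a little beyond the bullet: it decodes Base58Check (1..., 3...) and Bech32/Bech32m (bc1...) per BIP173/BIP350, rejects mixed-case and non-mainnet prefixes, and returns the address type, so a mistyped or truncated address is caught before a search is run. The `classify` function and the sample list are mine; the sample list reuses the address from the walkthroughs above together with two well-known reference addresses and two deliberately corrupted copies.

```python
"""Checksum-aware Bitcoin address check for the "No Results Found" case.
Added example, not Hades code. Decodes Base58Check (1..., 3...) and
Bech32/Bech32m (bc1...) per BIP173/BIP350 and reports the address type, so a
mistyped or truncated address is rejected before it is searched.
The sample list at the bottom is constructed."""
import hashlib
from typing import Dict, List, Optional, Tuple

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3   # witness v0 uses bech32, v1+ bech32m


def _base58check(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload (version + hash160) or None if invalid."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            return None
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # each leading '1' is 0x00
    if len(raw) != 25:
        return None
    if hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] != raw[21:]:
        return None
    return raw[:21]


def _polymod(values: List[int]) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _bech32(addr: str) -> Optional[Tuple[str, int, bytes]]:
    """Return (hrp, witness_version, program) or None if invalid."""
    if addr != addr.lower() and addr != addr.upper():
        return None                      # mixed case is invalid by spec
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 8 > len(addr) or len(addr) > 90:
        return None                      # no hrp, or too short for version + checksum
    hrp, data_part = addr[:pos], addr[pos + 1:]
    if any(c not in BECH for c in data_part):
        return None
    data = [BECH.find(c) for c in data_part]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    version = data[0]
    wanted = BECH32_CONST if version == 0 else BECH32M_CONST
    if _polymod(expanded + data) != wanted:
        return None
    acc = bits = 0                       # regroup 5-bit symbols into bytes
    program = bytearray()
    for v in data[1:-6]:                 # drop version symbol and 6-symbol checksum
        acc = (acc << 5) | v
        bits += 5
        while bits >= 8:
            bits -= 8
            program.append((acc >> bits) & 0xFF)
    if bits >= 5 or acc & ((1 << bits) - 1):
        return None                      # bad padding
    return hrp, version, bytes(program)


def classify(addr: str) -> Optional[str]:
    """Address type for a valid mainnet address, None for anything else."""
    if not addr:
        return None
    if addr[0] in "13":
        payload = _base58check(addr)
        return None if payload is None else {0x00: "p2pkh", 0x05: "p2sh"}.get(payload[0])
    dec = _bech32(addr)
    if dec is None or dec[0] != "bc":    # testnet "tb" etc. are not mainnet
        return None
    _, version, program = dec
    if version == 0 and len(program) == 20:
        return "p2wpkh"
    if version == 0 and len(program) == 32:
        return "p2wsh"
    if version == 1 and len(program) == 32:
        return "p2tr"
    return None                          # unknown/future witness versions not classified


# Constructed sample list: the address from the walkthroughs above, the genesis
# block address, the BIP173 P2WPKH test vector, and two corrupted copies
# (one changed checksum character, one mixed-case string).
SAMPLES = [
    "bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",
    "bc1Qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
]


def check_samples() -> Dict[str, str]:
    return {a: classify(a) or "invalid: fix the address before searching" for a in SAMPLES}


if __name__ == "__main__":
    for addr, verdict in check_samples().items():
        print(f"{addr:44} {verdict}")
```

Run this on an address before spending a query on it: both encodings carry a checksum that catches any single-character error, so an "invalid" verdict means the address was copied wrongly, whereas a valid address that still returns no results points at the database coverage reasons listed above.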

Too Many Results

Query: “Find all sites with Bitcoin”

If overwhelmed with results:

  • Add filters: “Find high-risk sites with Bitcoin”
  • Narrow time range: “…discovered in the last 30 days”
  • Be more specific: “…drug marketplaces with Bitcoin wallets”

Unclear Relationships

When connections aren’t clear:

  • Use vendor_attribution for high-confidence matches
  • Check confidence scores (2+ shared indicators minimum)
  • Verify with infrastructure: “Do these sites share infrastructure?”
  • Review timeline: “When did this wallet appear on each site?”

For complete tool documentation, see the Tool Reference page.

For conceptual investigation workflows, see Investigation Workflows.