MCP Server Tool Reference

Complete reference documentation for all 21 Hades MCP Server tools. Tools are organized into 5 categories based on their primary function.

Tool Categories


Cryptocurrency Investigation Tools

search_crypto_wallets

Search for cryptocurrency wallets across dark web sites by type, address, server, or risk level.

Parameters:

  • crypto_type (required) - Type of cryptocurrency: bitcoin, ethereum, monero, litecoin, or dogecoin
  • wallet_address (optional) - Specific wallet address to search for
  • server (optional) - Filter results to specific onion address
  • risk_level (optional) - Filter by server risk: high, medium, or low
  • limit (optional) - Maximum results (default: 100, max: 1000)

Returns:

  • Array of wallet addresses with server information, risk levels, and appearance counts

Use Cases:

  • Find all Bitcoin wallets on high-risk marketplaces
  • Search for a specific Monero address across all servers
  • Discover payment methods used by a particular site

Example:

"Find all Bitcoin wallets on high-risk servers"

find_servers_with_wallet

Find all dark web servers that use a specific cryptocurrency wallet address.

Parameters:

  • wallet_address (required) - The wallet address to search for
  • crypto_type (optional) - Type of crypto (auto-detected if omitted)
  • include_risk_level (optional) - Include risk classification info (default: true)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • List of servers using the wallet with risk levels, titles, intent classifications, and appearance counts

Use Cases:

  • Track a vendor wallet across multiple marketplaces
  • Identify all sites accepting a specific payment address
  • Build network of sites sharing payment infrastructure

Example:

"Find all servers using Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

track_wallet_activity

Track appearances of a cryptocurrency wallet over time across different servers.

Parameters:

  • wallet_address (required) - The wallet to track
  • crypto_type (optional) - Type of cryptocurrency (auto-detected if omitted)
  • time_range_days (optional) - Number of days to look back (default: 30, max: 365)
  • include_server_details (optional) - Include server metadata (default: true)

Returns:

  • Timeline of wallet appearances with dates, servers, risk levels, and activity summary

Use Cases:

  • Monitor when a vendor wallet appears on new sites
  • Track wallet adoption over time
  • Identify temporal patterns in payment address usage

Example:

"Show me the timeline of this Bitcoin address over the last 90 days"

find_related_wallets

Find all cryptocurrency wallets on a specific server, grouped by type.

Parameters:

  • server (required) - Onion address to analyze
  • crypto_types (optional) - Array of crypto types to search (searches all if omitted)
  • min_appearances (optional) - Minimum appearances threshold (default: 1)

Returns:

  • Wallets grouped by cryptocurrency type with appearance counts and summary statistics

Use Cases:

  • Discover all payment methods a marketplace accepts
  • Compare cryptocurrency adoption across sites
  • Identify wallet clusters (wallets that always appear together)

Example:

"What cryptocurrency wallets are on darkmarket2023.onion?"

cross_reference_wallets

Cross-reference multiple wallet addresses to find servers that accept multiple wallets.

Parameters:

  • wallet_addresses (required) - Array of wallet addresses (max: 20)
  • find_common_servers (optional) - Find shared servers (default: true)

Returns:

  • Common servers accepting multiple wallets with connection patterns and overlap analysis

Use Cases:

  • Identify sites operated by the same vendor (shared wallets)
  • Find marketplace relationships
  • Detect wallet rotation patterns

Example:

"Find servers that accept both of these Bitcoin addresses"

Communication Tracking Tools

search_communication_channels

Search for email addresses, Telegram handles, or Discord invites across dark web sites.

Parameters:

  • channel_type (required) - Type of contact: email, telegram_link, or discord_link
  • channel_value (optional) - Specific contact to search for
  • server (optional) - Filter to specific onion address
  • min_appearances (optional) - Minimum appearances threshold (default: 1)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • Contacts with appearance counts, server lists, and distribution statistics

Use Cases:

  • Find all Telegram handles used by marketplaces
  • Search for a specific email address across the dark web
  • Identify communication patterns by risk level

Example:

"Find all Telegram handles on high-risk drug marketplaces"

find_servers_by_contact

Find all dark web servers using a specific contact method (email, Telegram, Discord).

Parameters:

  • contact (required) - The contact identifier (email, Telegram handle, Discord invite)
  • contact_type (optional) - Type of contact (auto-detected if omitted)
  • include_risk_info (optional) - Include risk levels (default: true)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • Servers using the contact with risk information, titles, and appearance details

Use Cases:

  • Track a vendor Telegram handle across marketplaces
  • Find all sites using a support email
  • Identify vendor operations through shared contacts

Example:

"Find all servers using Telegram handle @darkvendor"

vendor_attribution

Perform comprehensive vendor attribution analysis by finding servers with shared identifiers.

Parameters:

  • server (required) - Starting server to analyze
  • search_crypto (optional) - Include cryptocurrency addresses (default: true)
  • search_communications (optional) - Include communication channels (default: true)
  • min_shared_indicators (optional) - Minimum shared identifiers for match (default: 2)

Returns:

  • Related servers with confidence scores, shared identifiers, and detailed attribution analysis

Use Cases:

  • Identify all operations controlled by a vendor
  • Build high-confidence attribution chains
  • Discover backup sites and mirrors

Example:

"Perform vendor attribution on darkmarket2023.onion with high confidence"

cross_platform_tracking

Track multiple identifiers (wallets, emails, Telegram) across servers to find overlapping operations.

Parameters:

  • identifiers (required) - Array of identifiers to track (wallets, emails, handles)
  • group_by_overlap (optional) - Group servers by identifier overlap (default: true)

Returns:

  • Servers grouped by number of matching identifiers with high-confidence matches highlighted

Use Cases:

  • Track a vendor across multiple identifiers
  • Identify operations with partial identifier overlap
  • Build comprehensive vendor profiles

Example:

"Track these identifiers: @vendor, [email protected], bc1qxy2..."
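
The shared-identifier matching behind vendor_attribution (min_shared_indicators) and cross_platform_tracking (group_by_overlap) can be sketched on a small index. This is an added example, not Hades code; the function names, the `OBSERVED` index and every identifier in it are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample index: server -> identifiers observed on it (not real data).
OBSERVED = {
    "exampleaaa.onion": {"bc1q-sample-wallet-1", "@sample_vendor",
                         "support@example.invalid"},
    "examplebbb.onion": {"bc1q-sample-wallet-1", "@sample_vendor"},
    "exampleccc.onion": {"bc1q-sample-wallet-1"},
    "exampleddd.onion": {"@other_handle"},
}

def shared_indicator_matches(index, start_server, min_shared_indicators=2):
    """Servers sharing at least min_shared_indicators identifiers with start_server.

    Hypothetical helper: mirrors the documented default threshold of 2, so a
    single shared identifier is not enough to report a match.
    """
    seed = index[start_server]
    matches = []
    for server, identifiers in index.items():
        if server == start_server:
            continue
        shared = seed & identifiers
        if len(shared) >= min_shared_indicators:
            matches.append({"server": server,
                            "shared": sorted(shared),
                            "overlap": len(shared)})
    # Strongest overlap first, then by name for stable output.
    return sorted(matches, key=lambda m: (-m["overlap"], m["server"]))

def group_by_overlap(index, identifiers):
    """Group servers by how many of the tracked identifiers appear on them."""
    tracked = set(identifiers)
    groups = defaultdict(list)
    for server, seen in index.items():
        count = len(tracked & seen)
        if count:  # servers with no tracked identifier are left out
            groups[count].append(server)
    return {n: sorted(s) for n, s in sorted(groups.items(), reverse=True)}

if __name__ == "__main__":
    print(shared_indicator_matches(OBSERVED, "exampleaaa.onion"))
    print(group_by_overlap(OBSERVED, ["bc1q-sample-wallet-1", "@sample_vendor"]))
```

Lowering the threshold to 1 also returns exampleccc.onion, which shares only the wallet; reviewing the `shared` list per match shows what each link actually rests on.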

Infrastructure Fingerprinting Tools

find_shv_matches

Find sites with identical JavaScript infrastructure using Script Hash Values (SHV).

Parameters:

  • server (required) - Server to analyze
  • include_details (optional) - Include JavaScript file details (default: true)
  • limit (optional) - Maximum matches to return (default: 50)

Returns:

  • Sites with matching SHV, script counts, file lists, and confidence scores

Use Cases:

  • Identify mirror sites and backups
  • Discover franchised operations (same codebase)
  • Track infrastructure reuse by threat actors

Example:

"Find sites with identical infrastructure to targetmarket.onion"

search_by_ssh_fingerprint

Find co-hosted sites by SSH fingerprint to identify shared physical infrastructure.

Parameters:

  • fingerprint (optional) - Specific SSH fingerprint to search
  • server (optional) - Get fingerprint from this server and find matches
  • find_cohosted (optional) - Find co-hosted sites (default: true)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • Co-hosted servers with confidence levels and hosting provider analysis

Use Cases:

  • Identify bulletproof hosting providers
  • Find sites hosted on the same physical server
  • Detect hosting patterns

Example:

"Find all sites co-hosted with targetmarket.onion"

infrastructure_clustering

Cluster servers by shared infrastructure (SHV, SSH, or combined).

Parameters:

  • method (optional) - Clustering method: shv, ssh, or combined (default: combined)
  • min_cluster_size (optional) - Minimum servers per cluster (default: 2)
  • include_singletons (optional) - Include isolated servers (default: false)
  • limit (optional) - Maximum clusters to return (default: 50)

Returns:

  • Infrastructure clusters sorted by size with cluster statistics

Use Cases:

  • Identify major hosting providers or shared infrastructure
  • Detect infrastructure patterns across threat actors
  • Discover related operations through infrastructure

Example:

"Cluster servers by shared JavaScript infrastructure"
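
How the three clustering methods differ, as an added example (not the Hades implementation): servers are merged with union-find whenever they share a fingerprint value. The record layout, the `cluster_servers` function and all fingerprint values are constructed assumptions; only the parameter names and defaults come from the reference above.

```python
from collections import defaultdict

# Constructed sample records; fingerprint values are placeholders, not real hashes.
FINGERPRINTS = {
    "site-a.onion": {"shv": "shv-AAAA", "ssh": "ssh-1111"},
    "site-b.onion": {"shv": "shv-AAAA", "ssh": "ssh-2222"},
    "site-c.onion": {"shv": "shv-CCCC", "ssh": "ssh-2222"},
    "site-d.onion": {"shv": "shv-DDDD", "ssh": None},
    "site-e.onion": {"shv": "shv-EEEE", "ssh": "ssh-5555"},
    "site-f.onion": {"shv": "shv-EEEE", "ssh": "ssh-6666"},
}

def cluster_servers(records, method="combined", min_cluster_size=2,
                    include_singletons=False):
    """Cluster servers that share an SHV and/or SSH fingerprint value."""
    keys = {"shv": ("shv",), "ssh": ("ssh",), "combined": ("shv", "ssh")}[method]
    parent = {server: server for server in records}

    def find(x):
        # Union-find root lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (fingerprint kind, value) -> first server carrying it
    for server, rec in records.items():
        for kind in keys:
            value = rec.get(kind)
            if value is None:  # missing fingerprint never links servers
                continue
            owner = first_seen.setdefault((kind, value), server)
            parent[find(server)] = find(owner)

    groups = defaultdict(list)
    for server in records:
        groups[find(server)].append(server)
    clusters = [sorted(members) for members in groups.values()
                if len(members) >= min_cluster_size
                or (include_singletons and len(members) == 1)]
    # Largest clusters first, matching "sorted by size" in the Returns section.
    return sorted(clusters, key=lambda c: (-len(c), c))

if __name__ == "__main__":
    for m in ("shv", "ssh", "combined"):
        print(m, cluster_servers(FINGERPRINTS, method=m))
```

With `combined`, site-a and site-c land in one cluster although they share nothing directly: site-b links them through one SHV match and one SSH match, so combined clusters should be read as transitive.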

technology_stack_analysis

Analyze a server’s technology stack and find servers using similar technologies.

Parameters:

  • server (required) - Server to analyze
  • include_similar_tech (optional) - Find similar technology stacks (default: true)
  • limit (optional) - Maximum similar servers (default: 20)

Returns:

  • Detected frameworks, libraries, technologies, and servers with similar stacks

Use Cases:

  • Identify technology adoption patterns
  • Find sites built with the same frameworks
  • Track technology trends in criminal ecosystems

Example:

"Analyze the technology stack of targetmarket.onion"

Server Intelligence Tools

query_servers

Advanced server search with multiple filter criteria.

Parameters:

  • risk_level (optional) - Risk level: high, medium, or low
  • intent_category (optional) - Intent category (e.g., drugs, weapons, hacking)
  • intent_threshold (optional) - Minimum intent confidence score 0-1 (default: 0.5)
  • has_crypto (optional) - Only servers with cryptocurrency wallets
  • crypto_type (optional) - Specific crypto type filter
  • has_communications (optional) - Only servers with contact methods
  • date_discovered_after (optional) - ISO date string for minimum discovery date
  • date_discovered_before (optional) - ISO date string for maximum discovery date
  • limit (optional) - Maximum results (default: 100, max: 500)

Returns:

  • Filtered servers with full metadata including risk, intent, entities, and dates

Use Cases:

  • Find all high-risk drug marketplaces discovered recently
  • Search for hacking services with cryptocurrency
  • Build targeted threat intelligence feeds

Example:

"Find high-risk marketplaces with Bitcoin discovered in the last 30 days"

get_server_details

Get a comprehensive intelligence report for a specific server.

Parameters:

  • server (required) - Onion address to analyze
  • include_entities (optional) - Include crypto, emails, contacts (default: true)
  • include_ports (optional) - Include port scan results (default: true)
  • include_images (optional) - Include extracted images (default: false)
  • include_javascript (optional) - Include JavaScript files (default: false)

Returns:

  • Complete server profile with all available intelligence

Use Cases:

  • Generate comprehensive intelligence reports
  • Gather all data for a target in one query
  • Build case files for investigations

Example:

"Get complete intelligence profile for darkmarket2023.onion"

risk_assessment

Calculate threat scores and aggregate risk statistics.

Parameters:

  • server (optional) - Specific server to assess
  • aggregate_by (optional) - Aggregation type: intent, risk_level, or technology (default: intent)
  • time_range_days (optional) - Time range for analysis (default: 30, max: 365)
  • top_n (optional) - Number of top results (default: 20)

Returns:

  • Threat scores, risk factors, and aggregated statistics

Use Cases:

  • Assess overall threat landscape
  • Identify trending threat categories
  • Calculate risk scores for specific servers

Example:

"Show me the top 10 threat categories in the last 30 days"

threat_intelligence

Real-time feed of high-risk discoveries with configurable filters.

Parameters:

  • threat_types (optional) - Array of threat categories to monitor
  • risk_levels (optional) - Array of risk levels (default: ["high"])
  • discovered_in_last_days (optional) - Recent discoveries only (default: 7, max: 90)
  • min_intent_score (optional) - Minimum confidence threshold (default: 0.7)
  • limit (optional) - Maximum results (default: 50, max: 200)

Returns:

  • Recent high-risk threats with classifications, intent scores, and summaries

Use Cases:

  • Daily threat intelligence briefings
  • Monitor for specific threat types (drugs, weapons, malware)
  • Early warning of emerging threats

Example:

"Show me high-risk drug marketplaces discovered in the last 7 days"

Relationship Mapping Tools

trace_relationships

Build investigation graphs by tracing relationships from a starting point.

Parameters:

  • start_point (required) - Server or entity to start from
  • start_type (required) - Type of starting point: server or entity
  • relationship_types (required) - Array of relationship types to trace:
    • shared_entities - Shared crypto/emails/communications
    • shv_match - Identical JavaScript infrastructure
    • ssh_match - Co-hosted servers
    • linked_onions - Sites linking to each other
    • similar_content - Content similarity
  • max_depth (optional) - Traversal depth (default: 2, max: 3)
  • limit_per_level (optional) - Max nodes per depth level (default: 10)

Returns:

  • Graph with nodes, edges, relationship types, and statistics

Use Cases:

  • Build comprehensive investigation graphs
  • Discover indirect relationships between servers
  • Map criminal networks

Example:

"Build investigation graph from darkmarket2023.onion with depth 2"

temporal_analysis

Track how a server or entity changes over time.

Parameters:

  • target (required) - Server or entity to analyze
  • target_type (required) - Type: server or entity
  • time_range_days (optional) - Days to analyze (default: 90, max: 365)
  • track_changes (optional) - Array of change types to track (default: ["new_entities"]):
    • new_entities - New crypto/emails/contacts appearing
    • content_changes - Title, content modifications
    • status_changes - Online/offline status changes
    • infrastructure_changes - SHV, SSH changes

Returns:

  • Timeline of events, change summaries, and evolution analysis

Use Cases:

  • Track how a marketplace evolved
  • Identify when vendors became active
  • Detect infrastructure changes (potential response to investigation)

Example:

"Show me how targetmarket.onion has changed over the last 90 days"

network_analysis

Analyze connections between multiple servers to find relationships.

Parameters:

  • servers (required) - Array of onion addresses (min: 1, max: 20)
  • find_connections (optional) - Find connections between servers (default: true)
  • connection_types (optional) - Types to find (default: ["shared_entities", "shv_match"]):
    • shared_entities - Shared crypto/communications
    • shv_match - Identical infrastructure
    • ssh_match - Co-hosting
    • linked_onions - Sites linking to each other

Returns:

  • Network graph with nodes, edges, connection statistics, and most connected server

Use Cases:

  • Analyze marketplace cartels
  • Find connections between threat actors
  • Build network maps for presentations

Example:

"Analyze connections between these 3 marketplaces"

entity_evolution

Track how an entity (wallet, email, etc.) appears and evolves across servers over time.

Parameters:

  • entity_value (required) - The entity to track (wallet, email, Telegram handle, etc.)
  • entity_type (optional) - Type of entity (auto-detected if omitted)
  • track_over_days (optional) - Days to track (default: 90, max: 365)

Returns:

  • Timeline of entity appearances, server details, risk distribution, and evolution patterns

Use Cases:

  • Track vendor migration between marketplaces
  • Monitor when a wallet gets adopted by new sites
  • Identify temporal patterns in entity usage

Example:

"Track this Bitcoin address across time and servers over 180 days"

Tool Selection Guide

When to Use Which Tool

For Cryptocurrency Investigations:

  • Start with find_servers_with_wallet to locate all servers
  • Use track_wallet_activity for temporal patterns
  • Use find_related_wallets to discover payment methods
  • Use cross_reference_wallets for multi-wallet attribution

For Vendor Attribution:

  • Use vendor_attribution as primary tool (analyzes both crypto and communications)
  • Use cross_platform_tracking for multi-identifier tracking
  • Use find_servers_by_contact for specific communication channels
  • Use trace_relationships to build comprehensive attribution graph

For Infrastructure Analysis:

  • Use find_shv_matches to find identical infrastructure
  • Use search_by_ssh_fingerprint for co-hosting detection
  • Use infrastructure_clustering for ecosystem-wide patterns
  • Use technology_stack_analysis for framework detection

For Threat Intelligence:

  • Use threat_intelligence for daily monitoring feeds
  • Use query_servers for specific targeted searches
  • Use risk_assessment for aggregated threat statistics
  • Use get_server_details for comprehensive target analysis

For Network Mapping:

  • Use network_analysis to analyze connections between known servers
  • Use trace_relationships to discover connections from a single starting point
  • Use temporal_analysis to understand evolution over time
  • Use entity_evolution to track specific identifiers

Common Query Patterns

Pattern: Find Everything About a Server

1. get_server_details - Get full intelligence profile
2. vendor_attribution - Find related operations
3. trace_relationships - Build network graph
4. temporal_analysis - Track evolution

Pattern: Track a Vendor

1. find_servers_with_wallet - Locate vendor wallet
2. find_servers_by_contact - Find Telegram/email usage
3. vendor_attribution - High-confidence attribution
4. cross_platform_tracking - Multi-identifier correlation

Pattern: Monitor Threats

1. threat_intelligence - Daily feed of new threats
2. query_servers - Targeted searches
3. risk_assessment - Aggregate statistics

Pattern: Infrastructure Correlation

1. find_shv_matches - Identical infrastructure
2. search_by_ssh_fingerprint - Co-hosting
3. infrastructure_clustering - Ecosystem patterns

Parameter Notes

Common Defaults

  • Most tools default to limit: 100 results
  • Time ranges default to 30 or 90 days
  • Confidence thresholds default to 0.5-0.7
  • Optional includes default to true for common use cases

Auto-Detection

Several tools auto-detect types:

  • find_servers_with_wallet - Auto-detects crypto type from wallet format
  • find_servers_by_contact - Auto-detects if email, Telegram, or Discord
  • entity_evolution - Auto-detects entity type
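
Format-based detection can be ambiguous, which is a reason to pass crypto_type explicitly when it is known. The following added example (not the server's detection logic) uses commonly cited address patterns as assumptions; `candidate_crypto_types` and `resolve_crypto_type` are hypothetical helpers, and the patterns check shape only, not checksums.

```python
import re

B58 = "[1-9A-HJ-NP-Za-km-z]"  # Base58 alphabet (no 0, O, I, l)
B32 = "[ac-hj-np-z02-9]"      # Bech32 alphabet (no 1, b, i, o)

# Assumed format heuristics for the five documented crypto_type values.
WALLET_PATTERNS = {
    "bitcoin": re.compile(rf"(bc1{B32}{{11,71}}|[13]{B58}{{25,34}})"),
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "monero": re.compile(rf"[48][0-9AB]{B58}{{93}}"),
    # Legacy Litecoin P2SH addresses also used the "3" prefix.
    "litecoin": re.compile(rf"(ltc1{B32}{{11,71}}|[LM3]{B58}{{26,33}})"),
    "dogecoin": re.compile(rf"D[5-9A-HJ-NP-U]{B58}{{32}}"),
}

def candidate_crypto_types(address):
    """Return every crypto type whose address format matches."""
    address = address.strip()
    return [name for name, pattern in WALLET_PATTERNS.items()
            if pattern.fullmatch(address)]

def resolve_crypto_type(address, crypto_type=None):
    """Pick a crypto type, refusing to guess when the format is ambiguous."""
    candidates = candidate_crypto_types(address)
    if crypto_type is not None:
        if crypto_type not in WALLET_PATTERNS:
            raise ValueError(f"unsupported crypto_type: {crypto_type}")
        if crypto_type not in candidates:
            raise ValueError(f"address does not look like {crypto_type}")
        return crypto_type
    if not candidates:
        raise ValueError("unrecognized wallet address format")
    if len(candidates) > 1:
        raise ValueError(f"ambiguous format, specify crypto_type: {candidates}")
    return candidates[0]

if __name__ == "__main__":
    # Address taken from the find_servers_with_wallet example on this page.
    print(resolve_crypto_type("bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"))
    # Constructed string with a "3" prefix: matches two formats.
    print(candidate_crypto_types("3" + "A" * 33))
```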

Performance Tips

  • Use narrower time ranges for faster queries
  • Set lower limits when possible
  • Use specific filters instead of broad searches
  • Combine filters to reduce result sets

For practical examples of using these tools together, see the Usage Examples page.