Network Mapping Transforms

Map relationships between onion sites through inbound and outbound links. These transforms help discover site networks, affiliate relationships, and the dark web link graph.

Overview

Network mapping transforms analyze the hyperlink structure of the dark web:

  • Outbound Links - Links from a site to other onion addresses (who does this site link to?)
  • Inbound Links - Links from other sites to a specific onion address (who links to this site?)

This creates a directed graph of dark web relationships, revealing:

  • Affiliate networks and partnerships
  • Recommended or trusted sites
  • Scam sites trying to impersonate legitimate sites
  • Mirror domains and backup sites
  • Directories and link aggregators

FetchOnionLinks

Transform Name: FetchOnionLinks

Description

Extracts all outbound onion links from a specified onion site (i.e., what other .onion addresses does this site link to?).

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.onion - Linked onion site addresses

Properties Returned

  • Link Appearances - Number of times the link appears on the source site
  • Hades Link - Direct link to view each linked onion site in Project Hades web interface

Special Features

  • Self-Reference Filtering - Automatically excludes links from the site to itself
  • Appearance Tracking - Shows how many times each outbound link appears (indicating importance)

Use Cases

  • Discover sites recommended or endorsed by a marketplace
  • Find affiliate networks and partner sites
  • Identify official mirror domains
  • Map vendor networks and related operations
  • Discover hidden or unlisted onion services

Operational Links:

  • Mirror/backup domains owned by the same operator
  • Sister sites or related operations
  • Payment processors or escrow services

Affiliate Links:

  • Partner marketplaces
  • Recommended vendors
  • Affiliate network members

Informational Links:

  • Dark web directories
  • News sites
  • Forums and communities

Infrastructure Links:

  • Image hosting services
  • File storage sites
  • CDN or infrastructure services

Investigation Tips

  • High appearance counts indicate important or frequently referenced sites
  • Multiple links to the same destination suggest a strong relationship
  • Links to known scam sites may indicate the source site is also malicious
  • Missing expected links (e.g., to popular directories) may indicate isolation

SearchByOnion

Transform Name: SearchByOnion

Description

Finds all onion sites that link TO a specific onion address (i.e., what sites link to this address?). This is the reverse of FetchOnionLinks.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.onion - Onion site addresses that link to the input address

Properties Returned

  • Hades Link - Direct link to view each referring onion site in Project Hades web interface

Special Features

  • Self-Reference Filtering - Automatically excludes self-links
  • Backlink Discovery - Reveals who is linking to or endorsing a site

Use Cases

  • Discover who links to a marketplace (advertisers, reviewers, affiliates)
  • Identify sites that endorse or recommend a vendor
  • Find directories that list a specific service
  • Discover scam sites impersonating a legitimate marketplace
  • Map a site’s reputation network

High Inbound Link Count:

  • Popular or well-established site
  • Listed in many directories
  • Widely endorsed or recommended
  • Target of scam site impersonation

Low Inbound Link Count:

  • New or obscure site
  • Intentionally unlisted (private/invite-only)
  • Recently launched
  • Potential scam site

Quality of Inbound Links:

  • Links from trusted directories = legitimate site
  • Links from known scam sites = suspicious
  • Links from related services = network membership
  • Links from review sites = active community presence

Investigation Tips

  • Compare inbound links between competing marketplaces
  • Identify which directories are most comprehensive
  • Track changes in inbound links over time (reputation changes)
  • Look for suspicious patterns (many links from new/scam sites)

Investigation Workflow Examples

Marketplace Network Mapping

  1. Map outbound connections

    • Input: marketplace123abc.onion
    • Run: FetchOnionLinks
    • Result: All sites this marketplace links to
  2. Categorize outbound links

    • High appearance count - Official mirrors, important partners
    • Medium appearance - Affiliate sites, related services
    • Low appearance - One-off references, potentially suspicious
  3. Map inbound connections

    • Input: Same marketplace address
    • Run: SearchByOnion
    • Result: All sites that link to this marketplace
  4. Analyze link patterns

    • Mutual links - Sites linking to each other (strong relationship)
    • One-way links - Endorsements or directory listings
    • Link clusters - Groups of sites all linking to each other (networks)
  5. Build network graph

    • Combine outbound and inbound links
    • Visualize the marketplace’s position in the dark web ecosystem
    • Identify key partners, affiliates, and endorsers

Affiliate Network Discovery

  1. Start with known marketplace

    • Input: Legitimate marketplace onion address
    • Run: FetchOnionLinks
    • Result: Sites the marketplace links to
  2. Identify affiliate pattern

    • Select sites that appear to be partners/affiliates
    • For each affiliate:
      • Run FetchOnionLinks to see who they link to
      • Run SearchByOnion to see who links to them
  3. Map the affiliate network

    • Sites that all link to each other = network members
    • Central hub sites (many inbound links) = network coordinators
    • Peripheral sites (few links) = new members or one-off affiliates
  4. Cross-reference with other intelligence

    • Run FetchBitcoinAddresses on network members
    • Look for shared payment addresses (revenue sharing)
    • Run FetchTelegramLinks to find shared communication channels
    • Build complete picture of affiliate operations

Mirror Site Identification

  1. Extract official mirrors from main site

    • Input: Known legitimate marketplace
    • Run: FetchOnionLinks
    • Result: All sites linked from the main domain
  2. Identify suspected mirrors

    • Look for links labeled as “mirror” or “backup”
    • High appearance counts suggest official status
  3. Verify mirror authenticity

    • For each suspected mirror:
      • Run FetchSHV (should match main site)
      • Run FetchSSHFingerprints (may or may not match)
      • Run FetchBitcoinAddresses (should match main site)
    • Confirmed mirrors have matching technical fingerprints
  4. Map mirror network

    • Document all official mirrors
    • Track which mirrors are most promoted
    • Monitor for unauthorized mirrors/scam sites

Directory and Discovery Site Analysis

  1. Identify directory sites

    • Dark web directories list many onion addresses
    • Look for sites with many outbound links
    • Input: Known directory addresses
    • Run: FetchOnionLinks
  2. Analyze directory coverage

    • Which sites are listed in which directories?
    • Are there categories or organization schemes?
    • Which directories are most comprehensive?
  3. Reverse analysis

    • Input: Specific marketplace or service
    • Run: SearchByOnion
    • Result: Which directories list this site?
    • Legitimate sites appear in multiple trusted directories
  4. Track directory updates

    • Periodically run FetchOnionLinks on directories
    • Note new onion addresses being added
    • Identify emerging sites and services
    • Track removal of defunct sites

Scam Site Detection

  1. Analyze suspicious site’s outbound links

    • Input: Suspected scam site
    • Run: FetchOnionLinks
    • Result: Sites the scam links to
  2. Check link legitimacy

    • Does the scam site link to the legitimate site it’s impersonating?
    • Does it link to other known scam sites?
    • Does it have legitimate operational links (unlikely for scams)?
  3. Check inbound links

    • Input: Suspected scam site
    • Run: SearchByOnion
    • Result: Who links to the scam site?
  4. Scam indicators

    • Few or no inbound links - Not listed in legitimate directories
    • Links from other scams - Part of scam network
    • Links to legitimate site - May be phishing/impersonation
    • No operational links - Not integrated into ecosystem

  1. Baseline link profile

    • Input: Site under monitoring
    • Run: FetchOnionLinks and SearchByOnion
    • Document: Current outbound and inbound links
  2. Periodic re-analysis

    • Regularly re-run both transforms
    • Track changes in link patterns
  3. Detect significant changes

    • New outbound links - New partnerships, expansions, affiliates
    • Removed outbound links - Broken relationships, defunct sites
    • New inbound links - Growing reputation, new endorsements
    • Lost inbound links - Reputation damage, directory removals
  4. Investigate changes

    • Sudden link changes may indicate:
      • Compromise or takeover
      • Major operational changes
      • Response to law enforcement
      • Market consolidation or expansion
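
The baseline and re-analysis steps above can be reduced to a snapshot diff. This is an added example, not Project Hades code: the snapshot layout, the placeholder addresses, and the 0.4 churn threshold are assumptions chosen for illustration.

```python
# Constructed snapshots for one monitored site; all addresses are placeholders.
# "outbound" maps target -> Link Appearances, "inbound" is the set of referrers.
BASELINE = {
    "outbound": {"mirror-a1.onion": 12, "escrow-x.onion": 4, "forum-q.onion": 1},
    "inbound": {"directory-d.onion", "mirror-a1.onion", "review-r.onion"},
}
CURRENT = {
    "outbound": {"mirror-a1.onion": 3, "escrow-z.onion": 5, "forum-q.onion": 1},
    "inbound": {"directory-d.onion", "mirror-a1.onion"},
}

def churn(old, new):
    """Jaccard distance between two link sets: 0.0 = identical, 1.0 = disjoint."""
    old, new = set(old), set(new)
    union = old | new
    return 0.0 if not union else 1 - len(old & new) / len(union)

def diff_profile(baseline, current, churn_alert=0.4):
    """Compare two link profiles; churn_alert is an assumed, tunable threshold."""
    out_old, out_new = baseline["outbound"], current["outbound"]
    in_old, in_new = baseline["inbound"], current["inbound"]
    kept = out_old.keys() & out_new.keys()
    report = {
        "new_outbound": sorted(set(out_new) - set(out_old)),
        "removed_outbound": sorted(set(out_old) - set(out_new)),
        "new_inbound": sorted(in_new - in_old),
        "lost_inbound": sorted(in_old - in_new),
        # Links still present whose appearance count moved (old, new)
        "appearance_changes": {t: (out_old[t], out_new[t])
                               for t in kept if out_old[t] != out_new[t]},
        "outbound_churn": round(churn(out_old, out_new), 2),
        "inbound_churn": round(churn(in_old, in_new), 2),
    }
    report["sudden_change"] = (
        max(report["outbound_churn"], report["inbound_churn"]) >= churn_alert
    )
    return report
```

In the sample, the escrow link is swapped for a different address while the mirror's appearance count drops, which is the kind of combined change the "Investigate changes" step is meant to surface.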

Advanced Network Analysis Techniques

Centrality Analysis

Identify the most important sites in the dark web network:

  1. High Outbound Links - Hub sites, directories, coordinators
  2. High Inbound Links - Authorities, popular sites, trusted services
  3. Mutual Links - Strong bilateral relationships

Community Detection

Find clusters of highly interconnected sites:

  1. Run transforms on multiple sites
  2. Identify sites that all link to each other
  3. Map community boundaries
  4. Analyze community characteristics
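
The link-pattern step of Marketplace Network Mapping (mutual links, one-way links, link clusters), the degree counts under Centrality Analysis, and the "sites that all link to each other" test under Community Detection can all be computed from collected FetchOnionLinks results. This is an added example, not Project Hades code: the dictionary layout and the placeholder addresses are assumptions.

```python
# Constructed sample: FetchOnionLinks results as {source: {target: appearances}}.
# All addresses are placeholders, not real onion services.
OUTBOUND = {
    "market-a.onion": {"mirror-a1.onion": 12, "escrow-x.onion": 4, "forum-q.onion": 1},
    "mirror-a1.onion": {"market-a.onion": 9, "escrow-x.onion": 3},
    "escrow-x.onion": {"market-a.onion": 2, "mirror-a1.onion": 2},
    "directory-d.onion": {"market-a.onion": 1, "forum-q.onion": 1, "clone-a.onion": 1},
    "clone-a.onion": {"market-a.onion": 6},
    "forum-q.onion": {},
}

def edges(outbound):
    """Directed edge set, dropping self-links as the transforms do."""
    return {(s, t) for s, targets in outbound.items() for t in targets if s != t}

def degrees(outbound):
    """{site: (out_degree, in_degree)}; in-degree is what SearchByOnion would count."""
    e = edges(outbound)
    sites = {n for pair in e for n in pair} | set(outbound)
    return {n: (sum(s == n for s, _ in e), sum(t == n for _, t in e)) for n in sites}

def mutual_links(outbound):
    """Unordered pairs of sites that link to each other."""
    e = edges(outbound)
    return {frozenset((s, t)) for s, t in e if (t, s) in e}

def one_way_links(outbound):
    e = edges(outbound)
    return {(s, t) for s, t in e if (t, s) not in e}

def clusters(outbound, min_size=3):
    """Maximal groups where every pair links both ways (Bron-Kerbosch on mutual links)."""
    adj = {}
    for pair in mutual_links(outbound):
        a, b = tuple(pair)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    found = []
    def expand(r, p, x):
        if not p and not x:
            if len(r) >= min_size:
                found.append(frozenset(r))
            return
        for v in list(p):
            expand(r | {v}, p & adj[v], x & adj[v])
            p = p - {v}
            x = x | {v}
    expand(set(), set(adj), set())
    return found
```

On the sample data the marketplace, its mirror and the escrow service form one cluster, while `clone-a.onion` shows up only as a one-way link toward the marketplace.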

Trace paths between sites:

  1. Start at Site A
  2. Run FetchOnionLinks to find sites A links to
  3. For each result, run FetchOnionLinks again
  4. Map multi-hop paths through the network
  5. Identify intermediaries and bridges

Trust Network Mapping

Build trust graphs based on endorsements:

  1. Identify trusted “anchor” sites (known legitimate services)
  2. Run FetchOnionLinks to see who they endorse
  3. Sites linked by trusted anchors are likely legitimate
  4. Sites not linked by any anchor may be suspicious
  5. Build concentric trust circles
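
Both the multi-hop path tracing above and the concentric trust circles come down to a breadth-first walk over outbound links. This is an added example, not Project Hades code: the link data, the placeholder addresses, and the `max_hops` limit are assumptions.

```python
from collections import deque

# Constructed sample: FetchOnionLinks results as {source: [targets]}; placeholders only.
LINKS = {
    "anchor-dir.onion": ["market-a.onion", "forum-q.onion"],
    "market-a.onion": ["mirror-a1.onion", "escrow-x.onion"],
    "forum-q.onion": ["market-a.onion", "vendor-v.onion"],
    "vendor-v.onion": ["shop-s.onion"],
    "clone-a.onion": ["market-a.onion"],
}

def trust_rings(links, anchors, max_hops=3):
    """Multi-source BFS: hop distance from the nearest anchor, plus parent pointers."""
    ring = {a: 0 for a in anchors}
    parent = {a: None for a in anchors}
    queue = deque(anchors)
    while queue:
        site = queue.popleft()
        if ring[site] == max_hops:
            continue  # do not expand beyond the outermost circle
        for target in links.get(site, []):
            if target != site and target not in ring:
                ring[target] = ring[site] + 1
                parent[target] = site
                queue.append(target)
    return ring, parent

def path_from_anchor(parent, site):
    """Walk parent pointers back to the anchor; [] if the site was never reached."""
    if site not in parent:
        return []
    path = []
    while site is not None:
        path.append(site)
        site = parent[site]
    return path[::-1]

def unreached(links, ring):
    """Sites present in the data that no anchor reaches within max_hops."""
    seen = set(links) | {t for targets in links.values() for t in targets}
    return sorted(seen - set(ring))
```

Direction matters here: `clone-a.onion` links to a ring-1 site but stays unreached, because a site's own outbound link to a trusted service is not an endorsement of that site.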

Combining Network Analysis with Other Transforms

Network + Infrastructure:

  • Sites with mutual links + same SSH/SHV = confirmed relationship
  • Map both logical (links) and physical (infrastructure) networks

Network + Financial:

  • Sites with mutual links + shared wallets = revenue sharing
  • Identify affiliate commission structures

Network + Communication:

  • Sites with mutual links + shared contacts = coordinated operations
  • Map communication channels alongside link structures

Network + Content:

  • Sites with mutual links + shared content = mirror network
  • Track content distribution along link paths

Complete Attribution: Combine all signals for the strongest attribution:

  1. Mutual links (network relationship)
  2. Shared infrastructure (technical relationship)
  3. Shared payments (financial relationship)
  4. Shared contacts (organizational relationship)
  5. Shared content (operational relationship)