Hades

Dark Web Intelligence Platform for Threat Analysis and Investigation

Welcome to the Hades documentation. Hades is a comprehensive intelligence platform for investigating dark web onion sites, tracking threat actors, and analyzing criminal infrastructure across the Tor network.

Platform Overview

Hades indexes and analyzes the dark web to provide actionable intelligence for security analysts, law enforcement, researchers, and intelligence professionals. The platform continuously crawls Tor hidden services, extracting entities, classifying content, and mapping relationships to enable deep investigative analysis.

Data Coverage

Hades maintains a comprehensive database of dark web intelligence:

  • 163,000+ Onion Servers - Active and historical Tor hidden services
  • 375,000+ Entities - Cryptocurrency wallets, email addresses, communication channels
  • 2.1M+ Images - Extracted images with hash-based tracking
  • 214,000+ JavaScript Files - Technology stack analysis and infrastructure fingerprinting
  • 36 Risk Categories - Machine learning-based content classification
  • 15 MongoDB Collections - Structured intelligence database

Key Capabilities

Entity Extraction & Tracking

  • Cryptocurrency wallets (Bitcoin, Ethereum, Monero, Litecoin, Dogecoin)
  • Communication channels (Email, Telegram, Discord)
  • Payment processors and financial infrastructure
  • PGP keys and cryptographic identifiers

Infrastructure Analysis

  • Script Hash Values (SHV) for identifying identical infrastructure
  • SSH fingerprinting for co-hosting detection
  • Technology stack detection and analysis
  • Mirror site and clone identification

Risk Classification

  • ML-based threat categorization across 36 intent categories
  • Risk level assessment (low, medium, high, critical)
  • Confidence scoring for classifications
  • Threat intelligence feeds

Relationship Mapping

  • Vendor attribution through shared indicators
  • Network analysis of connected sites
  • Temporal tracking of entity appearances
  • Cross-platform identity correlation

Access Methods

Hades provides two complementary access methods designed for different workflows:

Maltego Transforms

Visual graph-based investigation through Maltego

The Hades Maltego Transforms provide 35 specialized transforms that integrate directly into Maltego’s graph interface. This approach is ideal for:

  • Interactive visual investigations
  • Building relationship graphs through point-and-click
  • Presentations and reporting with visual evidence
  • Analysts who prefer GUI-based workflows

Explore Maltego Transforms →

MCP Server

AI-native conversational intelligence through Claude

The Hades MCP (Model Context Protocol) Server exposes 21 tools for natural language querying through Claude AI. This approach is ideal for:

  • Conversational investigations (“Find all sites with this Bitcoin address”)
  • Complex multi-step analysis workflows
  • Automated investigations and scripting
  • Developers building custom integrations

Explore MCP Server →

Primary Use Cases

Marketplace Vendor Investigation

Track vendors across multiple dark web marketplaces by analyzing:

  • Shared cryptocurrency wallet addresses
  • Common communication channels (Telegram, email)
  • Infrastructure patterns and hosting
  • Timeline of marketplace presence

Criminal Infrastructure Attribution

Identify related criminal operations through:

  • Identical JavaScript infrastructure (SHV matching)
  • Co-hosted servers (SSH fingerprints)
  • Shared payment addresses and entities
  • Technology stack analysis

Threat Intelligence Collection

Monitor the dark web for emerging threats:

  • New high-risk marketplace discoveries
  • Drug, weapons, and hacking service vendors
  • Real-time threat feeds with confidence scores
  • Trend analysis and ecosystem monitoring

Law Enforcement Investigations

Build comprehensive intelligence reports with:

  • Evidence chains from discovery to attribution
  • Network analysis of related operations
  • Temporal tracking of criminal activity
  • Cross-platform identity correlation

Who Uses Hades?

Security Analysts - SOC teams investigating threats, tracking threat actors, monitoring dark web marketplaces

Law Enforcement - Criminal investigators building cases, tracking vendors, mapping criminal networks

Intelligence Analysts - Government and corporate intelligence teams conducting OSINT investigations

Security Researchers - Academic researchers studying dark web ecosystems, threat trends, and criminal behavior

Fraud Investigators - Financial institutions tracking stolen credentials, payment fraud, and data breaches

Getting Started

Ready to start investigating? Choose your preferred access method:

Platform Architecture

Hades is built on a MongoDB database with 15 specialized collections:

Infrastructure Collections

  • servers - Onion addresses, status, metadata
  • ports - Open ports, services, SSH fingerprints
  • http - HTTP responses, content, titles

Content Collections

  • images - Extracted images with hashes and EXIF
  • javascript - JS files with technology detection
  • entities - Cryptocurrency, emails, communications
  • labels - ML classifications and risk levels
  • shv - Script hash values for infrastructure matching

Supporting Collections

  • preprocessed, favourites, api, api_usage, organisations, processor_queue, errors

Authentication & Access

All Hades services require API key authentication. Multiple licensing tiers are available to suit different use cases, from individual analysts to large enterprise teams.

Contact [email protected] for API key provisioning and licensing information.

Support

For questions, issues, or feature requests:


Hades - Illuminating the dark web for security and intelligence professionals

Quick Start Guide

This guide will help you get started with Hades, whether you’re using Maltego Transforms for visual investigation or the MCP Server for AI-native conversational intelligence.

Prerequisites

Before getting started, you’ll need:

  1. Hades API Key - Contact [email protected] for API key provisioning
  2. Access Method - Choose between Maltego Transforms or MCP Server (or use both!)

Getting Started with Maltego Transforms

Step 1: Install Maltego

Download and install Maltego from https://www.maltego.com. Hades transforms work with:

  • Maltego CE (Community Edition) - Free
  • Maltego Classic - Commercial
  • Maltego XL - Enterprise

Step 2: Import Hades Transforms

  1. Download the Hades transform configuration file from your Hades account portal
  2. Open Maltego and navigate to the Transforms menu
  3. Select Import Configuration
  4. Browse to the downloaded .mtz file and import

Step 3: Configure API Key

After importing, configure your API key:

  1. Go to Transforms → Transform Hub
  2. Find Hades in the list of installed transforms
  3. Click Settings or Configure
  4. Enter your API key in the APIKey parameter field
  5. Click Save

Step 4: Start Investigating

  1. Create a new graph in Maltego
  2. Add a hades.v2.onion entity to the graph
  3. Set the entity value to an onion address (e.g., darkmarket2023.onion)
  4. Right-click the entity and explore available transforms under the Hades menu

Common starting transforms:

  • FetchBitcoinAddresses - Extract Bitcoin wallets from a site
  • FetchEmailAddresses - Extract email addresses
  • FetchTelegramLinks - Find Telegram communication channels
  • FetchLabels - Get ML-based risk classification

Explore all 35 Maltego Transforms →

Getting Started with MCP Server

The Hades MCP Server provides AI-native access to dark web intelligence through natural language queries. Once configured, you can investigate using conversational commands through Claude Desktop, Claude CLI, or other AI platforms.

What You Can Do

Ask questions in natural language and Claude will automatically use the appropriate Hades tools:

Example queries:

  • “Find all dark web sites using Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh”
  • “Show me high-risk drug marketplaces discovered in the last 7 days”
  • “Find sites with identical infrastructure to targetmarket.onion”
  • “Track this Telegram handle across all servers: @darkvendor”

Claude will automatically use the appropriate Hades MCP tools to answer your questions.

Explore MCP Server Tools →

Optional: Investigation Skills

Enhance your investigations with specialized AI skills that work across Claude, OpenAI, and Ollama:

Available Skills:

  • hades-analyst - Comprehensive dark web intelligence analysis
  • vendor-tracker - Specialized vendor attribution across marketplaces
  • threat-reporter - Creates structured threat intelligence reports

Usage Examples:

Claude Desktop/CLI:

/hades-analyst investigate darkmarket2023.onion
/vendor-tracker find all vendor operations
/threat-reporter create daily brief

OpenAI/Ollama: Load skill as system prompt, then ask your question

Learn About Investigation Skills →

Testing Your Setup

Maltego Transforms

  1. Create a new graph in Maltego
  2. Add a hades.v2.onion entity with a known onion address
  3. Right-click and run FetchBitcoinAddresses
  4. If successful, you’ll see cryptocurrency entities appear on the graph

MCP Server

  1. Open Claude Desktop
  2. Type: “Find all cryptocurrency wallets on darkmarket2023.onion”
  3. Claude should respond with results from the Hades database

Troubleshooting

Maltego Transforms

“Authentication failed” error:

  • Verify your API key is correctly configured in transform settings
  • Check that the API key hasn’t been revoked
  • Ensure you haven’t exceeded your monthly query limit

“Transform failed” error:

  • Check your internet connection
  • Verify the onion address exists in the Hades database
  • Try a different transform to isolate the issue

MCP Server

Claude doesn’t show Hades tools:

  • Verify your MCP Server configuration is correct
  • Restart Claude Desktop after configuration changes
  • Contact support if tools are not appearing

“Authentication failed” error:

  • Verify your API key is configured correctly
  • Check that the API key hasn’t been revoked
  • Ensure you haven’t exceeded your monthly limit

Next Steps

Now that you’re set up, explore these resources:

Support

Need help? Contact the Hades support team:

Investigation Workflows

This page provides real-world investigation workflows demonstrating how Hades enables comprehensive dark web intelligence analysis. Each workflow combines multiple data points to build actionable intelligence.

Marketplace Vendor Investigation

Objective: Track a vendor across multiple dark web marketplaces and identify all their operations.

Tools Used: Both Maltego Transforms and MCP Server work well for this workflow.

Investigation Steps

1. Initial Discovery

Start with a known marketplace where the vendor operates:

  • Maltego: Add hades.v2.onion entity → Run FetchBitcoinAddresses, FetchEmailAddresses, FetchTelegramLinks
  • MCP Server: “Find all cryptocurrency wallets and contacts on darkmarket2023.onion”

2. Extract Identifiers

Collect all vendor identifiers:

  • Cryptocurrency wallets (Bitcoin, Monero, Ethereum)
  • Communication channels (Telegram handles, email addresses, Discord invites)
  • PGP keys
  • Vendor usernames

3. Cross-Reference Identifiers

Search for these identifiers across the entire dark web:

  • Maltego: Run SearchByBitcoinAddress, SearchByTelegramLink, SearchByEmailAddress on each identifier
  • MCP Server: “Track these identifiers across all servers: @darkvendor, [email protected], bc1qxy2…”

4. Build Attribution Graph

Identify high-confidence matches:

  • Sites with 3+ shared identifiers = Very high confidence (same vendor)
  • Sites with 2 shared identifiers = High confidence (likely same vendor)
  • Sites with 1 shared identifier = Medium confidence (requires further investigation)

5. Analyze Timeline

Track vendor activity over time:

  • Maltego: Build temporal graph showing when vendors appeared on each site
  • MCP Server: “Show me the timeline of this Bitcoin address across all marketplaces”

6. Infrastructure Analysis

Check whether the vendor operates their own infrastructure:

  • Maltego: Run FetchSHV and SearchBySHV to find sites with identical JavaScript
  • MCP Server: “Find sites with identical infrastructure to this onion address”
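
The cross-referencing and tiering in steps 3 and 4, as an added example that is not Hades code and does not call the Hades API. It assumes results have been exported as (site, kind, value) rows; all sites and identifiers below are constructed, and the function names are hypothetical.

```python
from collections import defaultdict


def normalize(kind, value):
    """Canonicalise an identifier so trivial spelling variants still match."""
    value = value.strip()
    if kind == "telegram":
        return (kind, value.lstrip("@").lower())
    if kind == "email":
        return (kind, value.lower())
    # Wallet addresses and PGP fingerprints are compared exactly as collected.
    return (kind, value)


def confidence_tier(shared_count):
    """Tiers from step 4: 3+ shared = very high, 2 = high, 1 = medium."""
    if shared_count >= 3:
        return "very high"
    if shared_count == 2:
        return "high"
    if shared_count == 1:
        return "medium"
    return None


def index_by_site(observations):
    """Group (site, kind, value) rows into {site: {normalized identifier}}."""
    by_site = defaultdict(set)
    for site, kind, value in observations:
        by_site[site].add(normalize(kind, value))
    return by_site


def attribute(seed_site, observations):
    """Rank every other site by the identifiers it shares with seed_site."""
    by_site = index_by_site(observations)
    seed_ids = by_site.get(seed_site, set())
    results = []
    for site, identifiers in by_site.items():
        if site == seed_site:
            continue
        shared = seed_ids & identifiers
        tier = confidence_tier(len(shared))
        if tier is not None:
            results.append({"site": site, "shared": sorted(shared), "tier": tier})
    # Strongest overlap first; site name breaks ties for stable output.
    results.sort(key=lambda r: (-len(r["shared"]), r["site"]))
    return results


# Constructed sample rows (not real sites, wallets or handles).
OBSERVATIONS = [
    ("seedmarket.onion", "bitcoin", "BTC-WALLET-A"),
    ("seedmarket.onion", "telegram", "@ExampleVendor"),
    ("seedmarket.onion", "email", "Vendor@Mail.Example"),
    ("seedmarket.onion", "pgp", "PGP-FPR-1"),
    ("mirror-one.onion", "bitcoin", "BTC-WALLET-A"),
    ("mirror-one.onion", "telegram", "examplevendor"),
    ("mirror-one.onion", "email", "vendor@mail.example"),
    ("forum-two.onion", "telegram", "@examplevendor"),
    ("forum-two.onion", "pgp", "PGP-FPR-1"),
    ("escrow-three.onion", "bitcoin", "BTC-WALLET-A"),
    ("unrelated-four.onion", "bitcoin", "BTC-WALLET-Z"),
]

if __name__ == "__main__":
    for row in attribute("seedmarket.onion", OBSERVATIONS):
        print(f'{row["site"]:22} {row["tier"]:10} {row["shared"]}')
```

A single shared identifier only reaches the medium tier, so a wallet that belongs to a marketplace's escrow rather than to the vendor is surfaced for review instead of being treated as attribution.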

Expected Outcomes

  • Complete list of all vendor operations across marketplaces
  • Confidence scores for each attribution
  • Timeline of vendor activity
  • Communication channels for monitoring
  • Infrastructure patterns (self-hosted vs marketplace vendor)

Use Cases

  • Law Enforcement: Building cases against dark web vendors
  • Fraud Investigation: Tracking vendors selling stolen credentials
  • Threat Intelligence: Monitoring high-risk vendors
  • Research: Studying vendor behavior and migration patterns

Infrastructure Attribution

Objective: Identify related criminal operations through shared infrastructure and technical fingerprints.

Investigation Steps

1. Infrastructure Fingerprinting

Extract technical fingerprints from the target site:

  • Maltego: Run FetchSHV (Script Hash Values) and FetchSSHFingerprints
  • MCP Server: “Get infrastructure fingerprints for targetmarket.onion”

2. Find Infrastructure Matches

Discover sites with identical or similar infrastructure:

  • Maltego: Run SearchBySHV and SearchBySSHFingerprint
  • MCP Server: “Find all sites with identical infrastructure to targetmarket.onion”

3. Classify Relationships

Analyze the type of relationship:

Identical SHV + Same SSH Fingerprint:

  • Very high confidence they’re related
  • Likely mirrors, backups, or related operations by same actor

Identical SHV + Different SSH Fingerprint:

  • Same codebase deployed to different servers
  • Could be franchised operations or mirrors

Different SHV + Same SSH Fingerprint:

  • Co-hosted on the same physical server
  • Shared hosting provider (less significant)

4. Technology Stack Analysis

Identify frameworks and patterns:

  • Maltego: Run FetchJavaScript to see what technologies are used
  • MCP Server: “Analyze the technology stack of targetmarket.onion”

5. Cross-Reference with Entities

Check if infrastructure matches also share entities (crypto, emails):

  • MCP Server: “For these infrastructure matches, find shared cryptocurrency wallets”
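
The relationship matrix from step 3 combined with the entity cross-reference from step 5, as an added example that is not Hades code. It assumes one SHV per site and a set of SSH fingerprints per site; the `Site` record, function names and all fingerprint and wallet values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Site:
    onion: str
    shv: Optional[str] = None        # None when no script hash was collected
    ssh: frozenset = frozenset()     # SSH host-key fingerprints seen on the site
    wallets: frozenset = frozenset()


# (same SHV?, shared SSH fingerprint?) -> (rank, label, meaning per step 3)
RELATIONSHIPS = {
    (True, True): (0, "identical SHV + same SSH fingerprint",
                   "very high confidence: mirror, backup or same actor"),
    (True, False): (1, "identical SHV + different SSH fingerprint",
                    "same codebase on different servers: franchise or mirror"),
    (False, True): (2, "different SHV + same SSH fingerprint",
                    "co-hosted: shared server or hosting provider"),
}


def classify(target, other):
    """Return the step-3 relationship between two sites, or None."""
    # A missing SHV must never count as a match: None == None is not evidence.
    same_shv = target.shv is not None and target.shv == other.shv
    same_ssh = bool(target.ssh & other.ssh)
    return RELATIONSHIPS.get((same_shv, same_ssh))


def infrastructure_matches(target, candidates):
    """Classify each candidate and attach the wallets it shares with target."""
    rows = []
    for other in candidates:
        if other.onion == target.onion:
            continue
        hit = classify(target, other)
        if hit is None:
            continue
        rank, label, meaning = hit
        rows.append({
            "site": other.onion,
            "rank": rank,
            "relationship": label,
            "meaning": meaning,
            "shared_ssh": sorted(target.ssh & other.ssh),
            "shared_wallets": sorted(target.wallets & other.wallets),
        })
    rows.sort(key=lambda r: (r["rank"], r["site"]))
    return rows


# Constructed sample data (placeholder hashes, fingerprints and wallets).
TARGET = Site("targetmarket.onion", "shv-1111",
              frozenset({"ssh-fp-A"}), frozenset({"W1", "W2"}))
CANDIDATES = [
    Site("mirror.onion", "shv-1111", frozenset({"ssh-fp-A"}), frozenset({"W1"})),
    Site("franchise.onion", "shv-1111", frozenset({"ssh-fp-B"}),
         frozenset({"W2", "W9"})),
    Site("neighbour.onion", "shv-2222", frozenset({"ssh-fp-A", "ssh-fp-C"})),
    Site("static-page.onion", None, frozenset({"ssh-fp-D"}), frozenset({"W1"})),
]

if __name__ == "__main__":
    for row in infrastructure_matches(TARGET, CANDIDATES):
        print(row["site"], "|", row["relationship"], "|", row["shared_wallets"])
```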

Expected Outcomes

  • Identification of mirror sites and backups
  • Discovery of related operations (franchises, multi-marketplace vendors)
  • Co-hosting patterns revealing shared infrastructure
  • Technology adoption patterns

Use Cases

  • Takedown Operations: Identifying all mirrors and backups before law enforcement action
  • Attribution: Linking operations to specific threat actor groups
  • Hosting Provider Analysis: Identifying bulletproof hosting providers
  • Trend Analysis: Tracking technology adoption in criminal ecosystems

Threat Intelligence Collection

Objective: Continuously monitor the dark web for emerging threats, new marketplaces, and high-risk services.

Monitoring Workflows

1. High-Risk Marketplace Discovery

Monitor for new marketplaces by risk category:

  • MCP Server: “Show me high-risk drug marketplaces discovered in the last 7 days”
  • MCP Server: “Find all sites classified as ‘weapons’ with high confidence scores”

Filter criteria:

  • Risk level: High or Critical
  • Intent categories: Illegal drugs, weapons, hacking services, malware, ransomware
  • Minimum confidence score: 0.7 or higher
  • Time range: Last 7-30 days

2. Emerging Threat Patterns

Track new threat actor techniques:

  • New cryptocurrency types being adopted
  • New communication platforms (emerging alternatives to Telegram)
  • New payment processors
  • Technology trends (new frameworks, anonymization techniques)

3. Vendor Monitoring

Track known high-risk vendors:

  • Create watchlist of cryptocurrency wallets, Telegram handles, emails
  • MCP Server: “Alert me if these identifiers appear on new sites”
  • Monitor vendor migration between marketplaces

4. Geographic and Categorical Trends

Analyze threat distribution:

  • Which intent categories are growing?
  • What technologies are threat actors adopting?
  • How is the marketplace ecosystem evolving?

Alert Triggers

Set up monitoring for:

  • New sites with specific intent categories (drugs, weapons, ransomware)
  • Known vendor identifiers appearing on new sites
  • Infrastructure matches to known threat actor infrastructure
  • Specific cryptocurrency wallet activity

Expected Outcomes

  • Real-time feed of emerging threats
  • Early warning of new high-risk marketplaces
  • Tracking of threat actor migration patterns
  • Ecosystem trend analysis

Use Cases

  • SOC Teams: Daily threat intelligence briefings
  • Law Enforcement: Proactive threat monitoring
  • Financial Institutions: Fraud and credential theft monitoring
  • Researchers: Dark web ecosystem analysis

Law Enforcement Investigations

Objective: Build comprehensive intelligence reports with evidence chains suitable for legal proceedings.

Investigation Workflow

1. Initial Intelligence Gathering

Start with known indicators (onion address, cryptocurrency wallet, email, etc.):

  • Maltego: Build initial graph from seed entity
  • MCP Server: “Get complete intelligence profile for targetsite.onion including all entities, risk level, and metadata”

2. Vendor Attribution

Identify all operations controlled by the target:

  • MCP Server: “Perform vendor attribution on targetsite.onion with high confidence threshold”
  • Document all shared identifiers with confidence scores

3. Evidence Chain Building

Create timeline of criminal activity:

Discovery Evidence:

  • When was each site first indexed?
  • When did vendor identifiers first appear?
  • How have operations evolved over time?

Attribution Evidence:

  • Shared cryptocurrency wallets with dates/amounts
  • Shared communication channels
  • Shared infrastructure fingerprints
  • PGP key associations

Network Evidence:

  • Related operations discovered through shared indicators
  • Co-hosting relationships
  • Technology patterns

4. Relationship Mapping

Build comprehensive network graph:

  • Maltego: Visual graph showing all related entities and sites
  • MCP Server: “Build investigation graph starting from targetsite.onion with depth of 2”

Include:

  • All related onion sites
  • All entities (crypto, emails, communications)
  • Infrastructure relationships
  • Temporal relationships (timeline)

5. Risk Assessment

Document threat classification:

  • Risk level (low, medium, high, critical)
  • Intent categories with confidence scores
  • Scale of operation (number of sites, transaction volume)
  • Geographic indicators if available

6. Monitoring Plan

Set up ongoing monitoring:

  • Track known identifiers for new activity
  • Monitor for new mirrors or backups
  • Alert on infrastructure changes (potential response to investigation)

Evidence Documentation

For each intelligence finding, document:

  • Source: Which Hades collection/tool provided the data
  • Timestamp: When the data was collected
  • Confidence: Score or classification confidence level
  • Context: How this fits into the broader investigation
  • Corroboration: Other evidence supporting this finding

Expected Outcomes

  • Comprehensive case file with evidence chains
  • Attribution confidence scores suitable for legal proceedings
  • Network maps showing relationships between operations
  • Timeline of criminal activity
  • Ongoing monitoring capabilities

Use Cases

  • Criminal Investigations: Building cases against dark web vendors and operators
  • Takedown Operations: Planning coordinated multi-site takedowns
  • Prosecution Support: Providing evidence for court proceedings
  • Intelligence Reporting: Briefing stakeholders on threats

Cryptocurrency Wallet Tracking

Objective: Track cryptocurrency wallet usage across the dark web to identify payment patterns and vendor relationships.

Investigation Steps

1. Wallet Discovery

Identify wallets of interest:

  • Maltego: FetchBitcoinAddresses, FetchMoneroAddresses, FetchEthereumAddresses on known sites
  • MCP Server: “Find all cryptocurrency wallets on darkmarket2023.onion”

2. Cross-Platform Search

Track the wallet across all indexed sites:

  • Maltego: SearchByBitcoinAddress on each wallet
  • MCP Server: “Find all sites using Bitcoin address bc1qxy2…”

3. Temporal Analysis

Analyze wallet usage patterns over time:

  • MCP Server: “Track this wallet’s appearances over the last 90 days”
  • Identify when wallet first appeared
  • Track which sites added/removed the wallet
  • Detect migration patterns

4. Co-Occurrence Analysis

Find wallets that appear together:

  • MCP Server: “Find all other wallets on sites that use this Bitcoin address”
  • Identify wallet clusters (wallets that always appear together)
  • Detect vendor wallet rotation patterns

5. Risk Correlation

Analyze risk levels of sites using the wallet:

  • Are they all high-risk marketplaces?
  • Do they share intent categories (all drug markets, all carding sites)?
  • What’s the risk distribution?
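
The temporal and co-occurrence analysis from steps 3 and 4, as an added example that is not Hades code. It assumes sightings exported as (site, wallet, first-seen date) rows; the wallet labels, sites, dates and function names are constructed, and the Jaccard score is an added measure the page does not define.

```python
from collections import defaultdict
from datetime import date


def sites_by_wallet(sightings):
    """Build {wallet: {site: earliest date seen}} from (site, wallet, iso_date)."""
    index = defaultdict(dict)
    for site, wallet, seen_iso in sightings:
        seen = date.fromisoformat(seen_iso)
        previous = index[wallet].get(site)
        # Keep only the earliest sighting per site; re-crawls add later dates.
        if previous is None or seen < previous:
            index[wallet][site] = seen
    return index


def timeline(wallet, sightings):
    """Chronological list of (first_seen, site) for one wallet."""
    index = sites_by_wallet(sightings)
    return sorted((seen, site) for site, seen in index.get(wallet, {}).items())


def co_occurrence(wallet, sightings):
    """Other wallets found on the same sites, strongest overlap first."""
    index = sites_by_wallet(sightings)
    target_sites = set(index.get(wallet, {}))
    rows = []
    for other, sites in index.items():
        if other == wallet:
            continue
        other_sites = set(sites)
        shared = target_sites & other_sites
        if not shared:
            continue
        rows.append({
            "wallet": other,
            "shared_sites": sorted(shared),
            # 1.0 means the two wallets appear on exactly the same sites.
            "jaccard": len(shared) / len(target_sites | other_sites),
            "always_together": other_sites == target_sites,
        })
    rows.sort(key=lambda r: (-r["jaccard"], r["wallet"]))
    return rows


# Constructed sample sightings (placeholder wallet labels, sites and dates).
SIGHTINGS = [
    ("market-a.onion", "W-TARGET", "2024-01-05"),
    ("market-b.onion", "W-TARGET", "2024-02-20"),
    ("market-b.onion", "W-TARGET", "2024-02-10"),
    ("market-c.onion", "W-TARGET", "2024-03-01"),
    ("market-a.onion", "W-PAIR", "2024-01-05"),
    ("market-b.onion", "W-PAIR", "2024-02-11"),
    ("market-c.onion", "W-PAIR", "2024-03-01"),
    ("market-a.onion", "W-ESCROW", "2023-11-20"),
    ("market-d.onion", "W-ESCROW", "2023-12-01"),
    ("market-e.onion", "W-ESCROW", "2023-12-15"),
    ("market-f.onion", "W-OTHER", "2024-01-01"),
]

if __name__ == "__main__":
    for seen, site in timeline("W-TARGET", SIGHTINGS):
        print(seen.isoformat(), site)
    for row in co_occurrence("W-TARGET", SIGHTINGS):
        print(row["wallet"], round(row["jaccard"], 2), row["always_together"])
```

A wallet with a low score that sits on many unrelated sites, like the constructed `W-ESCROW`, is more likely shared marketplace infrastructure than part of the vendor's own wallet cluster.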

Expected Outcomes

  • Complete history of wallet appearances
  • List of all sites accepting the wallet
  • Temporal patterns (when wallet appeared on each site)
  • Related wallets (co-occurrence patterns)
  • Risk profile of wallet usage

Use Cases

  • Ransomware Investigation: Tracking ransom payment wallets
  • Vendor Tracking: Following marketplace vendor wallets
  • Money Laundering: Identifying wallet rotation patterns
  • Threat Intelligence: Profiling payment patterns by threat category

Best Practices

Start Broad, Then Narrow

Begin with general queries to understand the landscape, then drill down:

  1. Broad: “Find all high-risk drug marketplaces”
  2. Medium: “Get all wallets from these marketplaces”
  3. Narrow: “Track this specific wallet across all sites”

Use Confidence Scores

Weight evidence by confidence:

  • Very High (4+ shared indicators): Safe to attribute
  • High (2-3 shared indicators): Likely related, needs validation
  • Medium (1 shared indicator): Requires significant additional investigation
  • Low (circumstantial): Use only to generate leads

Combine Multiple Signals

Best intelligence comes from combining:

  • Entity evidence (crypto + communications)
  • Infrastructure evidence (SHV + SSH fingerprints)
  • Temporal evidence (timeline analysis)
  • Risk evidence (classification confidence)

Document Everything

For each finding, record:

  • Source of intelligence
  • Date collected
  • Confidence level
  • Corroborating evidence
  • Analysis notes

Validate Across Methods

Cross-validate findings:

  • If Maltego shows a relationship, verify with MCP Server
  • If MCP Server suggests attribution, build visual graph in Maltego
  • Use multiple data points to confirm each conclusion

Workflow Templates

Quick Vendor Check

Goal: Quickly determine if a vendor operates multiple sites

1. Extract all identifiers from known site
2. Search each identifier across database
3. Flag sites with 2+ matches for review
4. Build attribution graph for high-confidence matches

Comprehensive Investigation

Goal: Complete intelligence report on a target

1. Initial discovery (all entities, infrastructure, risk)
2. Attribution (find all related operations)
3. Network analysis (map relationships)
4. Temporal analysis (build timeline)
5. Evidence documentation
6. Monitoring setup

Daily Threat Monitoring

Goal: Stay informed on emerging threats

1. Query new high-risk sites (last 24-48 hours)
2. Check watchlist identifiers for new appearances
3. Review infrastructure matches to known threats
4. Generate daily threat brief

For step-by-step examples with actual queries and responses, see the MCP Server Examples page.

Cryptocurrency Transforms

Track cryptocurrency wallet addresses across the dark web. These transforms help you identify payment methods, link vendor accounts across multiple marketplaces, and monitor financial flows.

Overview

The cryptocurrency transforms cover five major cryptocurrencies commonly used on dark web marketplaces:

  • Bitcoin (BTC)
  • Ethereum (ETH)
  • Monero (XMR)
  • Litecoin (LTC)
  • Dogecoin (DOGE)

For each cryptocurrency, there are two transforms:

  • Fetch - Extract wallet addresses from an onion site
  • Search - Find all onion sites containing a specific wallet address

FetchBitcoinAddresses

Transform Name: FetchBitcoinAddresses

Description

Extracts all Bitcoin wallet addresses found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.bitcoinaddress - Bitcoin wallet addresses

Properties Returned

  • Appearances - Number of times the address appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify payment addresses used by dark web marketplaces
  • Track vendor Bitcoin wallets across multiple listings
  • Monitor cryptocurrency payment methods

SearchByBitcoinAddress

Transform Name: SearchByBitcoinAddress

Description

Finds all onion sites that contain a specific Bitcoin wallet address.

Input Entity

  • hades.v2.bitcoinaddress - A Bitcoin wallet address

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track a vendor’s operations across multiple sites
  • Identify all marketplaces accepting a specific Bitcoin wallet
  • Link related onion sites through shared payment addresses

FetchEthereumAddresses

Transform Name: FetchEthereumAddresses

Description

Extracts all Ethereum wallet addresses found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.ethereumaddress - Ethereum wallet addresses

Properties Returned

  • Appearances - Number of times the address appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify Ethereum payment methods on dark web services
  • Track vendors using ETH for transactions
  • Monitor smart contract addresses

SearchByEthereumAddress

Transform Name: SearchByEthereumAddress

Description

Finds all onion sites that contain a specific Ethereum wallet address.

Input Entity

  • hades.v2.ethereumaddress - An Ethereum wallet address

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track Ethereum-based vendors across multiple platforms
  • Link sites accepting the same ETH wallet
  • Identify related services through shared payment addresses

FetchMoneroAddresses

Transform Name: FetchMoneroAddresses

Description

Extracts all Monero wallet addresses found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.moneroaddress - Monero wallet addresses

Properties Returned

  • Appearances - Number of times the address appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify privacy-focused cryptocurrency payment methods
  • Track vendors preferring anonymous transactions
  • Monitor Monero adoption on dark web marketplaces

SearchByMoneroAddress

Transform Name: SearchByMoneroAddress

Description

Finds all onion sites that contain a specific Monero wallet address.

Input Entity

  • hades.v2.moneroaddress - A Monero wallet address

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track vendors using Monero for anonymous payments
  • Link marketplaces accepting the same XMR wallet
  • Identify networks of sites with shared payment infrastructure

FetchLitecoinAddresses

Transform Name: FetchLitecoinAddresses

Description

Extracts all Litecoin wallet addresses found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.litecoinaddress - Litecoin wallet addresses

Properties Returned

  • Appearances - Number of times the address appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify Litecoin payment options on dark web services
  • Track vendors accepting LTC
  • Monitor alternative cryptocurrency adoption

SearchByLitecoinAddress

Transform Name: SearchByLitecoinAddress

Description

Finds all onion sites that contain a specific Litecoin wallet address.

Input Entity

  • hades.v2.litecoinaddress - A Litecoin wallet address

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Link sites accepting the same Litecoin wallet
  • Track Litecoin-based vendor operations
  • Identify related marketplaces through payment addresses

FetchDogecoinAddresses

Transform Name: FetchDogecoinAddresses

Description

Extracts all Dogecoin wallet addresses found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.dogecoinaddress - Dogecoin wallet addresses

Properties Returned

  • Appearances - Number of times the address appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify Dogecoin payment methods
  • Track vendors accepting DOGE
  • Monitor alternative cryptocurrency usage

SearchByDogecoinAddress

Transform Name: SearchByDogecoinAddress

Description

Finds all onion sites that contain a specific Dogecoin wallet address.

Input Entity

  • hades.v2.dogecoinaddress - A Dogecoin wallet address

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track Dogecoin-accepting vendors across platforms
  • Link related sites through shared DOGE wallets
  • Identify marketplace networks

Investigation Workflow Example

Tracking a Vendor Across Multiple Markets

  1. Start with a known marketplace

    • Input: examplemarket123abc.onion
    • Run: FetchBitcoinAddresses
    • Result: Multiple Bitcoin addresses used on the site
  2. Track each Bitcoin address

    • Input: Each Bitcoin address from step 1
    • Run: SearchByBitcoinAddress
    • Result: Other onion sites using the same Bitcoin wallet
  3. Cross-reference with other cryptocurrencies

    • For each discovered site, run FetchEthereumAddresses, FetchMoneroAddresses, etc.
    • Build a comprehensive map of the vendor’s payment infrastructure
  4. Identify vendor patterns

    • Sites sharing multiple wallet addresses are likely operated by the same vendor
    • Use this intelligence to track vendor activity, migration between markets, and revenue streams

Image Transforms

Track image distribution across the dark web using cryptographic file hashes. These transforms help identify shared content, investigate EXIF metadata leaks, and link sites through common imagery.

Overview

Image transforms allow you to:

  • Extract all images from an onion site with their cryptographic hashes (MD5, SHA1, SHA256)
  • Find all onion sites hosting a specific image
  • Identify images containing EXIF metadata (GPS coordinates, camera info, etc.)

FetchImages

Transform Name: FetchImages

Description

Extracts all images from a specified onion site, returning each image with its cryptographic hashes and metadata indicators.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.image - Image files

Properties Returned

  • MD5 Hash - MD5 cryptographic hash of the image file
  • SHA1 Hash - SHA1 cryptographic hash of the image file
  • SHA256 Hash - SHA256 cryptographic hash of the image file
  • Appearances - Number of times this image appears across the indexed database
  • EXIF Data - Indicator showing “Yes” if the image contains EXIF metadata
  • Hades Link - Direct link to view the image in Project Hades web interface

Special Features

  • EXIF Highlighting - Images containing EXIF metadata are automatically bookmarked with priority 3 for investigator attention
  • EXIF metadata can include GPS coordinates, camera make/model, timestamps, and other identifying information

Use Cases

  • Extract all images from a marketplace to identify products
  • Discover images with EXIF metadata that may reveal location or device information
  • Build a catalog of images associated with a site
  • Track how many sites use the same image across the dark web

Investigation Tips

  • Look for bookmarked (highlighted) images - these contain EXIF data worth investigating
  • High appearance counts indicate widely distributed images (stock photos, logos, etc.)
  • Low appearance counts with multiple sites may indicate shared operators

SearchByImageHash

Transform Name: SearchByImageHash

Description

Finds all onion sites that host a specific image, identified by its cryptographic hash. Accepts MD5, SHA1, or SHA256 hashes.

Input Entity

  • hades.v2.image - An image entity (or you can manually input any hash value)

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface
  • Image Appearances - Total number of times the image appears across all sites

Hash Type Support

This transform automatically detects and searches using any of the following hash types:

  • MD5 - 32-character hexadecimal hash
  • SHA1 - 40-character hexadecimal hash
  • SHA256 - 64-character hexadecimal hash

Use Cases

  • Track the distribution of a specific image across the dark web
  • Identify all marketplaces using the same product photo
  • Find sites sharing logo images (indicating common branding/operators)
  • Discover mirror sites or scam sites copying legitimate marketplace images
  • Investigate where leaked/stolen images are being distributed

Investigation Workflow

  1. Extract images from a site of interest

    • Run FetchImages on an onion site
    • Review the returned images and their hashes
  2. Track specific images

    • Select images of interest (unique products, logos, suspicious content)
    • Run SearchByImageHash on each image
    • Discover all sites hosting the same image
  3. Analyze distribution patterns

    • Images appearing on 2-3 sites may indicate related operators
    • Images on many sites may be stock photos or copied content
    • Unique images appearing on multiple sites warrant deeper investigation

Investigation Workflow Example

Tracking Stolen Content Distribution

  1. Start with a reported image

    • Input: Hash of a known stolen/leaked image
    • Run: SearchByImageHash
    • Result: All dark web sites hosting this image
  2. Investigate each site

    • For each onion site discovered
    • Run: FetchImages to see what other content they host
    • Run: FetchBitcoinAddresses to identify payment methods
    • Run: FetchEmailAddresses or FetchTelegramLinks for contact info
  3. Map the distribution network

    • Visualize all sites sharing the content
    • Identify potential operators through shared payment addresses or contacts
    • Track the spread of specific content across platforms

Identifying Marketplace Relationships

  1. Extract images from a marketplace

    • Input: marketplace123abc.onion
    • Run: FetchImages
    • Result: All product images and their hashes
  2. Search for logo/branding images

    • Select the marketplace’s logo or unique branding images
    • Run: SearchByImageHash
    • Result: Other sites using the same logo
  3. Discover related sites

    • Sites sharing identical logos may be:
      • Mirror sites operated by the same team
      • Franchise operations
      • Scam sites impersonating the legitimate marketplace
    • Cross-reference with other intelligence (wallets, contacts) to confirm relationships

JavaScript Transforms

Analyze JavaScript files to identify shared infrastructure, frameworks, and templates across dark web sites. These transforms help discover relationships between sites through their technical implementation.

Overview

JavaScript transforms allow you to:

  • Extract all JavaScript files used by an onion site
  • Identify API endpoints extracted from JavaScript code
  • Find all sites using identical JavaScript files (indicating shared developers or infrastructure)

FetchJavascriptFiles

Transform Name: FetchJavascriptFiles

Description

Extracts all JavaScript files referenced by a specified onion site, including their hashes, file sizes, and discovered endpoints.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.javascript - JavaScript file entities

Properties Returned

  • File Path - The full path/URL to the JavaScript file
  • MD5 Hash - MD5 cryptographic hash of the file
  • SHA1 Hash - SHA1 cryptographic hash of the file
  • SHA256 Hash - SHA256 cryptographic hash of the file
  • File Size - Size of the JavaScript file in bytes
  • Endpoints Found - Number of API endpoints discovered in the code
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Catalog all JavaScript dependencies used by a site
  • Identify custom vs. library JavaScript files
  • Discover API endpoints hardcoded in client-side code
  • Compare JavaScript files between suspected related sites
  • Identify sites using the same web frameworks or templates

Investigation Tips

  • Large files with many endpoints often indicate custom application code
  • Small files with no endpoints are typically third-party libraries
  • Unique file paths can reveal framework choices (e.g., /static/js/react.min.js)

SearchByJavascriptHash

Transform Name: SearchByJavascriptHash

Description

Finds all onion sites using a specific JavaScript file, identified by its cryptographic hash. Accepts MD5, SHA1, or SHA256 hashes.

Input Entity

  • hades.v2.javascript - A JavaScript file entity (or manually input hash)

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Hash Type Support

This transform automatically detects and searches using:

  • MD5 - 32-character hexadecimal hash
  • SHA1 - 40-character hexadecimal hash
  • SHA256 - 64-character hexadecimal hash
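
Hash type detection as described here and under SearchByImageHash, shown as an added Python example (not Hades code): the input's length selects which hash field to search. The index layout, function names, site names and file bytes are constructed for illustration.

```python
import hashlib

# Hex-string length -> hash field, as listed under "Hash Type Support".
HASH_FIELD_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def detect_hash_type(value):
    """Return (field, normalized_hex) for an MD5, SHA1 or SHA256 hex string."""
    candidate = value.strip().lower()
    if not candidate or any(c not in "0123456789abcdef" for c in candidate):
        raise ValueError("not a hexadecimal hash: %r" % value)
    field = HASH_FIELD_BY_LENGTH.get(len(candidate))
    if field is None:
        raise ValueError("unsupported hash length %d" % len(candidate))
    return field, candidate


def fingerprint(data):
    """Compute the three hashes the Fetch transforms return for one file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_index(observations):
    """Index (site, file_bytes) observations under every hash type."""
    index = {"md5": {}, "sha1": {}, "sha256": {}}
    for site, data in observations:
        for field, digest in fingerprint(data).items():
            index[field].setdefault(digest, []).append(site)
    return index


def search_by_hash(index, value):
    """Return the sorted sites hosting the file whose hash is `value`."""
    field, digest = detect_hash_type(value)
    return sorted(set(index[field].get(digest, [])))


# Constructed observations. The third site serves a copy that differs by one
# byte, as a re-saved or metadata-stripped file would.
LOGO = b"constructed logo image bytes"
LOGO_RESAVED = LOGO + b"\x00"
OBSERVATIONS = [
    ("alpha-example.onion", LOGO),
    ("bravo-example.onion", LOGO),
    ("charlie-example.onion", LOGO_RESAVED),
]
INDEX = build_index(OBSERVATIONS)

if __name__ == "__main__":
    hashes = fingerprint(LOGO)
    for field in ("md5", "sha1", "sha256"):
        # Upper-case, padded input is normalized before lookup.
        query = "  " + hashes[field].upper() + "\n"
        print(field, search_by_hash(INDEX, query))
    print("re-saved copy:", search_by_hash(INDEX, fingerprint(LOGO_RESAVED)["sha256"]))
```

Length identifies only the digest size (other algorithms produce 40- and 64-character digests too), and a match means the files are byte-identical, so a re-encoded copy will not be found. Prefer SHA256 when a match will be cited as evidence, since MD5 and SHA1 collisions can be constructed deliberately.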

Use Cases

  • Identify all sites using the same custom JavaScript framework
  • Find sites built with the same template or codebase
  • Discover sites sharing the same developers or development team
  • Track the distribution of specific JavaScript malware or tracking code
  • Link marketplaces through shared technical infrastructure

What Shared JavaScript Reveals

  • Identical custom JS - Strong indicator of same operator/developer
  • Shared libraries - May indicate same framework (less conclusive)
  • Unique bundled code - Sites sharing minified/bundled JS likely related
  • Admin panels - Sites with identical admin JS likely share operators

Investigation Workflow Example

Identifying Shared Infrastructure

  1. Analyze a known site’s JavaScript

    • Input: marketplace123abc.onion
    • Run: FetchJavascriptFiles
    • Result: List of all JavaScript files used by the site
  2. Focus on custom code

    • Identify custom JavaScript (not common libraries like jQuery)
    • Look for files with unique names or many endpoints
    • Select these files for further investigation
  3. Find sites with identical code

    • Input: Hash of custom JavaScript file
    • Run: SearchByJavascriptHash
    • Result: Other sites using the exact same JavaScript file
  4. Confirm relationships

    • Sites sharing custom JavaScript are likely:
      • Operated by the same team
      • Built from the same source code/template
      • Part of a related network
    • Cross-reference with other intelligence (wallets, contacts, SHV fingerprints)

Framework Fingerprinting

  1. Extract JavaScript from target site

    • Run: FetchJavascriptFiles
    • Review file paths and names to identify frameworks
  2. Search for framework-specific files

    • Select framework configuration or initialization files
    • Run: SearchByJavascriptHash
    • Find other sites using the same framework configuration
  3. Build framework profile

    • Identify common patterns among sites using the same framework
    • This can help predict functionality, vulnerabilities, or operational patterns

Tracking Template Reuse

  1. Identify marketplace template

    • Many dark web marketplaces use shared templates or forks
    • Extract JavaScript from a known template-based marketplace
    • Run: FetchJavascriptFiles
  2. Track template distribution

    • Select the main application JavaScript file
    • Run: SearchByJavascriptHash
    • Discover all marketplaces using the same template
  3. Analyze the ecosystem

    • Map the network of sites using the same underlying code
    • Track how templates spread and evolve
    • Identify markets that may share vulnerabilities

Label & Classification Transforms

Access machine learning-based site classifications, threat categories, and risk assessments. These transforms help prioritize investigations based on automated intelligence analysis.

Overview

Label transforms provide access to:

  • ML-based classification of onion sites into 38 intent categories
  • Risk level assessments (high, medium, low)
  • Manually curated tags for additional context
  • Search capabilities to find sites by category or risk level

FetchLabels

Transform Name: FetchLabels

Description

Retrieves the machine learning-based classification labels, intents, risk level, and tags for a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.label - Classification labels and intent categories
  • hades.v2.tag - Manually curated tags

Properties Returned

  • Type - Indicates “Primary Intent” or “Significant Intent”
  • Risk Level - Classification as high, medium, or low risk
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Special Features

  • High-Risk Highlighting - Sites classified as “high” risk are automatically bookmarked with priority 3 for investigator attention

Intent Categories

The ML system classifies sites into categories including:

  • Marketplace (drugs, weapons, fraud, etc.)
  • Forum/Community
  • Hacking/Tools
  • Financial Services
  • Hosting/Infrastructure
  • Information/News
  • Adult Content
  • CSAM (Child Sexual Abuse Material)
  • And 30+ additional categories

Risk Levels

  • High - Sites engaging in serious illegal activity (CSAM, weapons trafficking, etc.)
  • Medium - Sites with potentially illegal content or services
  • Low - Sites with legal or questionable but non-criminal content

Use Cases

  • Quickly understand the nature of an onion site without visiting it
  • Prioritize high-risk sites for immediate investigation
  • Filter large result sets by category
  • Identify site purpose for reporting or documentation

SearchByLabel

Transform Name: SearchByLabel

Description

Finds all onion sites classified with a specific label, intent, or tag. Searches across primary intents, significant intents, and manual tags.

Input Entity

  • hades.v2.label or hades.v2.tag - A classification label or tag
  • Can also manually input label text (e.g., “marketplace”, “drugs”, “hacking”)

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Risk Level - The site’s risk classification
  • Primary Category - The top_intent classification for the site
  • Hades Link - Direct link to view each onion site in Project Hades web interface

Special Features

  • High-Risk Highlighting - Sites with “high” risk level are automatically bookmarked

Use Cases

  • Find all marketplaces in the database
  • Identify all sites related to a specific threat category (e.g., “hacking”, “fraud”)
  • Build collections of sites for category-specific analysis
  • Discover emerging sites in a particular category

Common Label Searches

  • marketplace - Dark web marketplaces and vendor shops
  • drugs - Drug-related sales and information
  • hacking - Hacking tools, services, and forums
  • fraud - Fraud services, carding, identity theft
  • forum - Discussion forums and communities
  • cryptocurrency - Crypto mixing, laundering, services
  • weapons - Weapons sales and information

SearchByRiskLevel

Transform Name: SearchByRiskLevel

Description

Finds all onion sites classified at a specific risk level (high, medium, or low). Limited to 100 results to prevent overwhelming the graph.

Input Entity

  • Text input: high, medium, or low (case-insensitive)

Output Entities

  • hades.v2.onion - Onion site addresses (maximum 100)

Properties Returned

  • Risk Level - The site’s risk classification
  • Primary Category - The top_intent classification for the site
  • Hades Link - Direct link to view each onion site in Project Hades web interface

Special Features

  • Result Limiting - Returns maximum of 100 sites to prevent graph overload
  • High-Risk Highlighting - High risk sites are automatically bookmarked
  • User Notification - Displays message if 100+ results exist, suggesting more specific searches

Use Cases

  • Identify highest priority targets (high-risk sites)
  • Get overview of threat landscape by risk level
  • Build prioritized investigation queues
  • Generate reports on high-risk site prevalence

Investigation Tips

  • High Risk searches are most useful for threat prioritization
  • Use in combination with SearchByLabel for targeted results
  • The 100-result limit encourages focused investigation over broad sweeps

Investigation Workflow Example

Threat Category Investigation

  1. Identify sites by threat category

    • Input: Label text “drugs” or “hacking”
    • Run: SearchByLabel
    • Result: All sites classified in that category
  2. Prioritize by risk level

    • Review the risk levels of returned sites
    • Focus on high-risk (bookmarked) sites first
    • Add medium-risk sites to watch list
  3. Deep dive on priority targets

    • For each high-priority site:
    • Run: FetchBitcoinAddresses to identify payment methods
    • Run: FetchEmailAddresses and FetchTelegramLinks for contacts
    • Run: FetchImages to document content
    • Run: FetchOnionLinks to map their network

High-Risk Site Monitoring

  1. Get all high-risk sites

    • Input: “high”
    • Run: SearchByRiskLevel
    • Result: Up to 100 highest-risk sites in the database
  2. Analyze primary categories

    • Review the “Primary Category” property for each site
    • Identify distribution of high-risk sites across categories
    • Note emerging threat categories
  3. Track specific categories

    • For concerning categories (e.g., “CSAM”, “weapons”)
    • Run: SearchByLabel with that category
    • Build comprehensive intelligence on that threat type

Site Classification Validation

  1. Review automated classification

    • Input: Known onion site
    • Run: FetchLabels
    • Result: ML-assigned labels, intents, and risk level
  2. Validate accuracy

    • Compare automated labels with manual inspection
    • Note any misclassifications for reporting
    • Use labels as starting point, not definitive truth
  3. Cross-reference with content

    • Run: FetchImages to review visual content
    • Run: FetchBitcoinAddresses to see if payment methods align with category
    • Validate risk assessment against actual site content

Infrastructure Fingerprinting

Identify sites with identical JavaScript infrastructure using Script Hash Values (SHV). These transforms reveal relationships between sites through their technical fingerprints.

Overview

The SHV (Script Hash Value) is a unique fingerprint generated from all JavaScript file paths used by a site. Sites with identical SHV values have the exact same JavaScript infrastructure (the same set of script paths), which strongly indicates:

  • Same operators or development team
  • Sites built from the same codebase
  • Mirror sites or related services
  • Template reuse or framework sharing

FetchSHV

Transform Name: FetchSHV

Description

Retrieves the Script Hash Value (SHV) fingerprint for a specified onion site. The SHV is a SHA256 hash generated from all JavaScript file paths used by the site, sorted alphabetically.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.shv - Script Hash Value fingerprint

Properties Returned

  • Script Count - Number of JavaScript files that contributed to the SHV
  • Scripts Preview - First few JavaScript file paths (up to 3 shown)
  • Hades Link - Direct link to view the onion site in Project Hades web interface

How SHV is Generated

  1. All JavaScript file paths used by the site are collected
  2. Paths are sorted alphabetically
  3. Sorted paths are concatenated together
  4. SHA256 hash is computed from the concatenated string
  5. Result is a unique 64-character hexadecimal fingerprint
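
The five steps above as an added Python example (not Hades code). The page does not state the text encoding, the join separator, or how duplicate paths are handled, so UTF-8, an empty separator and de-duplication are assumptions here; the four sites and their file contents are constructed.

```python
import hashlib


def compute_shv(script_paths, separator=""):
    """Return a 64-character hex fingerprint of a site's JavaScript paths.

    Assumptions not stated on the page: duplicate paths are dropped, sorting
    is by code point, the join uses `separator`, and the text is UTF-8.
    With an empty separator, ["/a.js", "/b.js"] and ["/a.js/b.js"] hash
    alike; a newline separator keeps path boundaries distinct.
    """
    ordered = sorted(set(script_paths))
    joined = separator.join(ordered)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def content_hashes(scripts):
    """Map each path to the SHA256 of its file content."""
    return {path: hashlib.sha256(body).hexdigest() for path, body in scripts.items()}


def compare_sites(scripts_a, scripts_b):
    """Compare two sites given {path: content_bytes} for each.

    Returns (same_shv, differing_paths). A True first element with a
    non-empty list means the same script layout but different code.
    """
    same_shv = compute_shv(scripts_a) == compute_shv(scripts_b)
    hashes_a, hashes_b = content_hashes(scripts_a), content_hashes(scripts_b)
    differing = sorted(
        path for path in set(hashes_a) | set(hashes_b)
        if hashes_a.get(path) != hashes_b.get(path)
    )
    return same_shv, differing


# Constructed sample data: hypothetical sites and their script files.
SITE_A = {
    "/static/js/app.js": b"function checkout(){/* custom code */}",
    "/static/js/jquery.min.js": b"/* jquery */",
    "/static/js/vendor.js": b"/* vendor bundle */",
}
# Same files discovered in a different order: a mirror.
SITE_B = dict(reversed(list(SITE_A.items())))
# Same paths, but app.js was modified: the SHV cannot see this.
SITE_C = {**SITE_A, "/static/js/app.js": b"function checkout(){/* changed */}"}
# One path renamed (versioned bundle): the SHV changes.
SITE_D = {
    "/static/js/app.v2.js": SITE_A["/static/js/app.js"],
    "/static/js/jquery.min.js": SITE_A["/static/js/jquery.min.js"],
    "/static/js/vendor.js": SITE_A["/static/js/vendor.js"],
}

if __name__ == "__main__":
    for name, site in [("A", SITE_A), ("B", SITE_B), ("C", SITE_C), ("D", SITE_D)]:
        print(name, compute_shv(site), "scripts:", len(site))
    print("A vs C:", compare_sites(SITE_A, SITE_C))
    print("A vs D:", compare_sites(SITE_A, SITE_D))
```

Because the fingerprint covers paths and not file contents, sites A and C share an SHV even though app.js differs, so confirm an SHV match with SearchByJavascriptHash on the individual files.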

Use Cases

  • Generate infrastructure fingerprint for a site of interest
  • Prepare for finding related sites with identical infrastructure
  • Document the JavaScript stack used by a site
  • Track changes in site infrastructure over time (different SHVs = different JS files)

Investigation Tips

  • Sites with many scripts (20+) typically use modern web frameworks
  • Sites with few scripts (<5) may be simple static sites or use inline JavaScript
  • Identical script counts between sites are suspicious but not conclusive - verify with SearchBySHV

SearchBySHV

Transform Name: SearchBySHV

Description

Finds all onion sites with an identical Script Hash Value, indicating they share the exact same JavaScript infrastructure.

Input Entity

  • hades.v2.shv - A Script Hash Value fingerprint

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • SHV - The shared Script Hash Value
  • Script Count - Number of JavaScript files in the fingerprint
  • Hades Link - Direct link to view each onion site in Project Hades web interface

Special Features

  • Relationship Indicator - If multiple sites share an SHV, a user message indicates how many sites have identical infrastructure
  • This is one of the strongest technical indicators of related sites

What Identical SHV Means

Strong Indicators (High Confidence):

  • Multiple marketplace sites - Likely operated by same team or franchisees
  • Admin panels - Sites with matching admin infrastructure definitely related
  • Identical custom JS - Sites with unique/custom JavaScript stacks are almost certainly connected

Moderate Indicators (Medium Confidence):

  • Popular framework sites - May just use the same template (e.g., same WordPress theme)
  • Few scripts - Simple sites might coincidentally have matching JS

Investigation Required:

  • Always cross-reference SHV matches with other intelligence
  • Check for shared payment addresses, contacts, or content
  • Review the actual JavaScript files to understand what’s shared

Use Cases

  • Find mirror sites or backup domains for a marketplace
  • Identify sites operated by the same development team
  • Discover franchises or affiliated sites using shared infrastructure
  • Track template/framework adoption across dark web
  • Link sites for attribution investigations

Investigation Workflow Example

  1. Generate fingerprint for known marketplace

    • Input: targetmarket123abc.onion
    • Run: FetchSHV
    • Result: SHV fingerprint and script count
  2. Find sites with identical infrastructure

    • Input: The SHV from step 1
    • Run: SearchBySHV
    • Result: All sites with the exact same JavaScript infrastructure
  3. Analyze the relationship

    • Review each discovered site
    • If 2-3 sites share SHV:
      • Likely mirror domains or related operations
      • Run FetchBitcoinAddresses on each to check for shared wallets
      • Run FetchEmailAddresses to check for shared contacts
  4. Build attribution map

    • Cross-reference findings:
      • Sites with identical SHV + shared wallets = very high confidence relationship
      • Sites with identical SHV + different wallets = possibly franchises or copycats
      • Sites with identical SHV + shared admin emails = confirmed same operators
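
Steps 2 to 4 of this workflow as an added Python example (not Hades code), run over constructed results of FetchSHV, FetchBitcoinAddresses and FetchEmailAddresses. The data layout, the rule precedence (strongest match wins), treating every extracted email as an admin contact, and the extra label for sites with no wallet data are assumptions of this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed transform results for five hypothetical sites (placeholders).
SITES = {
    "alpha-example.onion": {
        "shv": "shv-constructed-1",
        "wallets": {"wallet-constructed-1", "wallet-constructed-2"},
        "emails": {"admin@example.invalid"},
    },
    "bravo-example.onion": {
        "shv": "shv-constructed-1",
        "wallets": {"wallet-constructed-2"},
        "emails": set(),
    },
    "charlie-example.onion": {
        "shv": "shv-constructed-1",
        "wallets": {"wallet-constructed-3"},
        "emails": {"admin@example.invalid"},
    },
    "delta-example.onion": {
        "shv": "shv-constructed-2",
        "wallets": {"wallet-constructed-1"},
        "emails": set(),
    },
    "echo-example.onion": {
        "shv": "shv-constructed-1",
        "wallets": set(),
        "emails": set(),
    },
}


def group_by_shv(sites):
    """Step 2: sites that share an SHV, as SearchBySHV would return them."""
    groups = defaultdict(list)
    for site, intel in sites.items():
        groups[intel["shv"]].append(site)
    return {shv: sorted(m) for shv, m in groups.items() if len(m) > 1}


def assess_pair(a, b):
    """Step 4: apply the three cross-reference rules to one pair of sites."""
    shared_emails = a["emails"] & b["emails"]
    shared_wallets = a["wallets"] & b["wallets"]
    if shared_emails:
        label = "confirmed same operators"
    elif shared_wallets:
        label = "very high confidence relationship"
    elif a["wallets"] and b["wallets"]:
        label = "possibly franchises or copycats"
    else:
        # Added label: "different wallets" cannot be claimed without data.
        label = "identical SHV only, wallets not comparable"
    return {
        "label": label,
        "shared_wallets": sorted(shared_wallets),
        "shared_emails": sorted(shared_emails),
    }


def attribution_map(sites):
    """Assess every pair of sites inside each shared-SHV group."""
    result = {}
    for members in group_by_shv(sites).values():
        for left, right in combinations(members, 2):
            result[(left, right)] = assess_pair(sites[left], sites[right])
    return result


if __name__ == "__main__":
    for pair, finding in sorted(attribution_map(SITES).items()):
        print(pair, "->", finding["label"])
```

The delta site shares a wallet with alpha but has a different SHV, so an SHV-first workflow never pairs them; running SearchByBitcoinAddress on each wallet covers that gap.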

Template Tracking

  1. Identify marketplace template

    • Many dark web marketplaces use open-source or leaked templates
    • Find a known template-based market
    • Run: FetchSHV
  2. Track template usage

    • Run: SearchBySHV with the template’s fingerprint
    • Result: All marketplaces using that template
  3. Monitor the ecosystem

    • Track how many markets use each popular template
    • Identify newly launched markets using known templates
    • Predict capabilities/vulnerabilities based on template version

Infrastructure Change Detection

  1. Baseline current infrastructure

    • Input: Site under monitoring
    • Run: FetchSHV
    • Document: Current SHV value and timestamp
  2. Periodic re-fingerprinting

    • Regularly run FetchSHV on monitored sites
    • Compare new SHV to baseline
  3. Detect significant changes

    • Different SHV = JavaScript infrastructure changed
      • New version deployed
      • Framework migration
      • Potential security update or compromise
    • Same SHV = Infrastructure unchanged
      • Site stable
      • No major technical updates

Combining SHV with JavaScript Analysis

  1. Use FetchSHV for high-level fingerprint

    • Quick way to identify identical sites
    • Less detailed than individual file analysis
  2. Use FetchJavascriptFiles for detailed analysis

    • See specific files that make up the SHV
    • Identify which libraries/frameworks are used
  3. Combined approach

    • Start with FetchSHV to find related sites quickly
    • Use FetchJavascriptFiles to understand what makes them related
    • Use SearchByJavascriptHash to track specific critical files

Example workflow:

  1. Run FetchSHV on Site A → Get SHV_1
  2. Run SearchBySHV on SHV_1 → Find Sites B, C, D
  3. Run FetchJavascriptFiles on all sites → Understand their technical stack
  4. Identify the custom application JS file
  5. Run SearchByJavascriptHash on that file → Find even more related sites

Communication Transforms

Extract and search for communication channels including email addresses, Telegram links, and Discord invites. These transforms help identify vendor contacts, customer support channels, and link operators across platforms.

Overview

Communication transforms cover three main channels commonly used on the dark web:

  • Email - Contact addresses for vendors, support, and communications
  • Telegram - Popular encrypted messaging platform used for customer support
  • Discord - Community and support servers

For each communication type, there are two transforms:

  • Fetch - Extract contacts from an onion site
  • Search - Find all onion sites using a specific contact

Email Transforms

FetchEmailAddresses

Transform Name: FetchEmailAddresses

Description

Extracts all email addresses found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.email - Email addresses

Properties Returned

  • Appearances - Number of times the email appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify vendor contact emails
  • Extract customer support addresses
  • Find administrative contacts
  • Discover hidden contact information in page source

SearchByEmail

Transform Name: SearchByEmail

Description

Finds all onion sites that contain a specific email address.

Input Entity

  • hades.v2.email - An email address

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track a vendor’s operations across multiple sites
  • Identify all marketplaces where a vendor is active
  • Link sites operated by the same person/team
  • Monitor where a specific contact email is advertised

Investigation Tips

  • Email addresses shared across multiple sites strongly indicate same operator
  • Look for patterns in email domains (e.g., protonmail, tutanota for privacy-focused operators)
  • Cross-reference with cryptocurrency addresses for stronger attribution

Telegram Transforms

FetchTelegramLinks

Transform Name: FetchTelegramLinks

Description

Extracts all Telegram links and handles found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.telegram - Telegram links/handles

Properties Returned

  • Appearances - Number of times the Telegram link appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify customer support channels
  • Find vendor Telegram handles
  • Extract community group links
  • Discover communication channels for marketplace disputes

What Gets Extracted

  • Telegram usernames (e.g., @vendorname)
  • Telegram invite links (t.me/…)
  • Telegram group links
  • Telegram channel links

SearchByTelegramLink

Transform Name: SearchByTelegramLink

Description

Finds all onion sites that reference a specific Telegram link or handle.

Input Entity

  • hades.v2.telegram - A Telegram link or handle

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track a vendor across multiple marketplaces
  • Identify all sites using the same support channel
  • Link related operations through shared Telegram contacts
  • Monitor where specific Telegram groups are advertised

Investigation Tips

  • Vendors often use the same Telegram handle across multiple platforms
  • Shared Telegram support channels may indicate affiliated marketplaces
  • Active Telegram accounts can be monitored separately from dark web presence

Discord Transforms

FetchDiscordInvites

Transform Name: FetchDiscordInvites

Description

Extracts all Discord invite links found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.discord - Discord invite links

Properties Returned

  • Appearances - Number of times the Discord invite appears on the site
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Use Cases

  • Identify community Discord servers
  • Find customer support channels
  • Extract marketplace community links
  • Discover hidden communication platforms

What Gets Extracted

  • Discord invite links (discord.gg/…)
  • Discord server invites (discord.com/invite/…)

SearchByDiscordInvite

Transform Name: SearchByDiscordInvite

Description

Finds all onion sites that share a specific Discord invite link.

Input Entity

  • hades.v2.discord - A Discord invite link

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Find all sites linking to the same Discord community
  • Identify related marketplaces through shared Discord servers
  • Track community presence across multiple sites
  • Link sites operated by the same team

Investigation Tips

  • Multiple sites linking to the same Discord server are likely related
  • Discord servers can be infiltrated separately from dark web sites
  • Discord invites may be time-limited or use-limited - document them quickly

Investigation Workflow Examples

Vendor Attribution Across Platforms

  1. Extract contacts from known vendor

    • Input: Vendor’s marketplace listing page
    • Run: FetchEmailAddresses, FetchTelegramLinks, FetchDiscordInvites
    • Result: All contact methods used by the vendor
  2. Search for each contact across dark web

    • Input: Each email, Telegram, Discord found
    • Run: SearchByEmail, SearchByTelegramLink, SearchByDiscordInvite
    • Result: All sites where vendor advertises each contact
  3. Build vendor presence map

    • Map all sites where vendor is active
    • Identify which marketplaces vendor prefers
    • Track vendor migration between platforms
    • Note primary vs. backup contact methods
  4. Cross-reference with financial intelligence

    • For each site where vendor is active:
    • Run: FetchBitcoinAddresses and other crypto transforms
    • Link contact information with payment addresses
    • Build comprehensive vendor profile

Marketplace Network Analysis

  1. Extract support channels

    • Input: Multiple known marketplaces
    • Run: FetchTelegramLinks and FetchDiscordInvites on each
    • Result: Support/community channels for each marketplace
  2. Identify shared channels

    • Look for marketplaces sharing the same Telegram or Discord
    • Run: SearchByTelegramLink or SearchByDiscordInvite on shared contacts
    • Result: Network of sites using common support infrastructure
  3. Analyze relationships

    • Shared support channels indicate:
      • Same operators running multiple markets
      • Affiliated marketplaces
      • Marketplace franchises
      • Merged operations after market takedowns
  4. Map ecosystem

    • Visualize marketplace clusters based on shared communications
    • Track how support channels change over time
    • Identify primary vs. backup marketplaces in a network

Customer Support Chain Analysis

  1. Start with marketplace

    • Input: Marketplace onion address
    • Run: FetchEmailAddresses, FetchTelegramLinks, FetchDiscordInvites
    • Result: All official support channels
  2. Verify channel authenticity

    • Check if support channels appear on multiple trusted sources
    • Compare with known scam/phishing contacts
    • Document official vs. suspicious channels
  3. Monitor support presence

    • Track which communication platforms are prioritized
    • Note changes in support channels over time
    • Identify backup communication methods
  4. Infiltration opportunities

    • Active Telegram/Discord channels may be accessible for intelligence gathering
    • Support staff may leak operational information
    • Community discussions can reveal marketplace issues, disputes, and insider information

Contact Evolution Tracking

  1. Baseline current contacts

    • Document all email, Telegram, and Discord contacts for target sites
    • Note which platforms are used for which purposes
  2. Periodic re-extraction

    • Regularly run Fetch transforms on monitored sites
    • Compare new contacts to baseline
  3. Detect changes

    • New contacts added - Expansion or diversification
    • Contacts removed - Compromise, abandonment, or service changes
    • Contact replacement - Security incident or operational security improvement
  4. Investigate changes

    • When contacts change, run Search transforms on both old and new contacts
    • Track migration patterns
    • Identify if old contacts are still active elsewhere

Security Transforms

Track SSH fingerprints to identify shared server infrastructure across dark web sites. These transforms reveal hosting relationships and infrastructure reuse.

Overview

SSH (Secure Shell) fingerprints are unique cryptographic identifiers for SSH servers. When multiple onion sites share the same SSH fingerprint, they are:

  • Hosted on the same physical or virtual server
  • Using the same SSH keys (indicating same administrator)
  • Part of shared infrastructure

This is one of the strongest indicators of infrastructure relationships.


FetchSSHFingerprints

Transform Name: FetchSSHFingerprints

Description

Extracts all SSH fingerprints found on or associated with a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.sshfingerprint - SSH server fingerprints

Properties Returned

  • Appearances - Number of times this SSH fingerprint appears in the database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

How SSH Fingerprints Are Collected

SSH fingerprints can be discovered through:

  • Direct SSH connection attempts to the server
  • Banner grabbing and service enumeration
  • SSL/TLS certificate analysis
  • Server response headers
  • Embedded fingerprints in page source

Use Cases

  • Identify the underlying server infrastructure for an onion site
  • Prepare for finding co-hosted sites
  • Document server fingerprints for infrastructure attribution
  • Track server migrations or infrastructure changes

Investigation Tips

  • Appearance count >1 means multiple sites share this SSH server
  • SSH fingerprints are difficult to fake or spoof
  • Sites on the same server may not be operated by the same people (shared hosting exists)
  • Cross-reference with other intelligence before concluding that a relationship exists

SearchBySSHFingerprint

Transform Name: SearchBySSHFingerprint

Description

Finds all onion sites that share a specific SSH fingerprint, indicating they are hosted on the same server or use the same SSH keys.

Input Entity

  • hades.v2.sshfingerprint - An SSH server fingerprint

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

What Shared SSH Fingerprints Mean

Strong Indicators (High Confidence):

  • Identical SSH keys - Sites definitely share server infrastructure
  • 2-3 sites - Likely operated by same person/team
  • Small marketplaces - Often share hosting to reduce costs

Moderate Indicators (Medium Confidence):

  • Many sites (10+) - Could be shared hosting provider serving multiple customers
  • Mix of unrelated content - Likely shared hosting, not same operator

Requires Investigation:

  • Always cross-reference SSH fingerprint matches with other intelligence
  • Check for shared payment addresses, contacts, or content
  • Consider timing - did sites appear on the server at the same time?

Use Cases

  • Find all sites hosted on the same server
  • Identify server infrastructure shared by multiple marketplaces
  • Discover related operations through hosting relationships
  • Map dark web hosting providers and their customers
  • Track server migrations when SSH fingerprints change

Investigation Workflow Examples

Co-Hosting Discovery

  1. Extract SSH fingerprint from target site

    • Input: targetmarket123abc.onion
    • Run: FetchSSHFingerprints
    • Result: SSH fingerprint(s) for the server
  2. Find co-hosted sites

    • Input: SSH fingerprint from step 1
    • Run: SearchBySSHFingerprint
    • Result: All onion sites on the same server
  3. Analyze co-hosting patterns

    • 2-3 related sites - Likely same operator’s portfolio
    • Many unrelated sites - Probably commercial hosting provider
    • Mix of marketplaces - Could be marketplace-specific hosting service
  4. Build infrastructure attribution

    • For small groups of co-hosted sites:
      • Run FetchBitcoinAddresses on each site
      • Run FetchEmailAddresses and FetchTelegramLinks
      • Look for shared contacts or payment addresses
    • If shared contacts/wallets + shared SSH = very strong attribution

Hosting Provider Mapping

  1. Identify a dark web hosting provider

    • Find known bulletproof hosting or dark web infrastructure services
    • Run: FetchSSHFingerprints
    • Result: SSH fingerprints for their servers
  2. Map the provider’s customers

    • Input: Each SSH fingerprint
    • Run: SearchBySSHFingerprint
    • Result: All sites hosted by this provider
  3. Analyze the customer base

    • What types of sites use this provider?
    • Are high-risk sites concentrated with certain providers?
    • Track provider reliability and longevity
  4. Monitor provider changes

    • Regularly re-run transforms on known hosted sites
    • Detect when sites migrate to different servers/providers
    • Identify provider takedowns or shutdowns

Infrastructure Migration Tracking

  1. Baseline current SSH fingerprints

    • Input: Sites under monitoring
    • Run: FetchSSHFingerprints
    • Document: Current SSH fingerprint and timestamp
  2. Periodic re-fingerprinting

    • Regularly run FetchSSHFingerprints on monitored sites
    • Compare new fingerprints to baseline
  3. Detect migrations

    • Different SSH fingerprint = Server change
      • Site moved to new hosting provider
      • Server upgrade or infrastructure change
      • Response to compromise or law enforcement action
    • Same SSH fingerprint = Still on same server
      • Stable hosting arrangement
      • No infrastructure changes
  4. Investigate migration patterns

    • When sites migrate:
      • Run SearchBySSHFingerprint on the NEW fingerprint
      • See if site moved to a server with other known sites
      • Track migration pathways between hosting providers
      • Identify preferred backup hosting providers

Combining SSH with Other Infrastructure Intelligence

SSH fingerprints are most powerful when combined with other transforms:

  1. SSH + SHV Analysis

    • Run: FetchSSHFingerprints and FetchSHV on target site
    • Sites with matching SSH + matching SHV = very strong relationship
    • Sites with matching SSH but different SHV = likely unrelated (shared hosting)
  2. SSH + JavaScript Analysis

    • Run: FetchSSHFingerprints and FetchJavascriptFiles
    • Co-hosted sites with identical JavaScript = definitely related
    • Co-hosted sites with different JavaScript = possibly unrelated
  3. SSH + Payment/Contact Analysis

    • Run: FetchSSHFingerprints, FetchBitcoinAddresses, FetchEmailAddresses
    • Sites with shared SSH + shared wallets/contacts = confirmed same operator
    • Sites with shared SSH but different contacts = probably just shared hosting

Attribution Confidence Levels

Very High Confidence (3+ matches):

  • Shared SSH fingerprint
  • Shared cryptocurrency wallets
  • Shared email/Telegram contacts
  • → Definitely same operator

High Confidence (2 matches):

  • Shared SSH fingerprint
  • Shared SHV (JavaScript infrastructure)
  • → Very likely same operator or closely related

Medium Confidence (1-2 matches):

  • Shared SSH fingerprint
  • Similar content or category
  • → Possibly related, requires more investigation

Low Confidence (1 match only):

  • Shared SSH fingerprint alone
  • → Could be coincidental shared hosting
  • → Requires additional evidence

Server Infrastructure Ecosystem Analysis

  1. Collect SSH fingerprints from many sites

    • Run FetchSSHFingerprints on a large sample of onion sites
    • Build a database of server fingerprints
  2. Cluster analysis

    • Group sites by shared SSH fingerprints
    • Identify major hosting clusters
    • Map the dark web hosting ecosystem
  3. Track ecosystem evolution

    • Monitor which servers grow (gaining new sites)
    • Identify servers that disappear (hosting provider shutdowns)
    • Track migration patterns when servers go offline
  4. Risk assessment

    • Identify high-risk servers hosting many illegal marketplaces
    • Prioritize investigation of sites on high-risk infrastructure
    • Predict which sites may go offline together if server is seized
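
The cluster-analysis step and the attribution confidence levels above can be applied directly to exported indicators. The Python below is an added example, not Hades code; the record layout, the sample sites, and the rule that a single shared wallet or contact ranks like a shared SHV are assumptions of this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data: one record per onion site, holding indicators an
# analyst exported after running the Fetch transforms. Every value is made up.
SITES = {
    "marketaaa.onion": {"ssh": {"fp-1"}, "shv": {"shv-x"}, "wallets": {"wallet-1"},
                        "contacts": {"tg-1"}, "category": "market"},
    "marketbbb.onion": {"ssh": {"fp-1"}, "shv": {"shv-y"}, "wallets": {"wallet-1"},
                        "contacts": {"tg-1"}, "category": "market"},
    "forumccc.onion": {"ssh": {"fp-1"}, "shv": {"shv-x"}, "wallets": set(),
                       "contacts": {"tg-9"}, "category": "forum"},
    "shopddd.onion": {"ssh": {"fp-2"}, "shv": {"shv-d"}, "wallets": {"wallet-4"},
                      "contacts": set(), "category": "market"},
    "shopeee.onion": {"ssh": {"fp-2"}, "shv": {"shv-e"}, "wallets": {"wallet-5"},
                      "contacts": set(), "category": "market"},
    "lonefff.onion": {"ssh": {"fp-3"}, "shv": {"shv-f"}, "wallets": set(),
                      "contacts": set(), "category": "blog"},
}

SHARED_HOSTING_THRESHOLD = 10  # the "Many sites (10+)" rule of thumb above


def cluster_by_ssh(sites):
    """Map each SSH fingerprint seen on more than one site to those sites."""
    clusters = defaultdict(set)
    for onion, record in sites.items():
        for fingerprint in record["ssh"]:
            clusters[fingerprint].add(onion)
    return {fp: sorted(members) for fp, members in clusters.items()
            if len(members) > 1}


def pair_confidence(a, b):
    """Return the attribution tier for two site records."""
    if not a["ssh"] & b["ssh"]:
        return "none"  # no shared fingerprint, nothing to grade
    wallets = bool(a["wallets"] & b["wallets"])
    contacts = bool(a["contacts"] & b["contacts"])
    shv = bool(a["shv"] & b["shv"])
    if wallets and contacts:
        return "very high"  # SSH + wallets + contacts
    # Assumption of this example: one shared wallet or contact ranks like SHV.
    if shv or wallets or contacts:
        return "high"
    if a["category"] == b["category"]:
        return "medium"  # SSH + similar content or category
    return "low"  # SSH alone, could be coincidental shared hosting


def assess(sites):
    """List every co-hosted pair with its tier and a shared-hosting flag."""
    findings = []
    for fingerprint, members in sorted(cluster_by_ssh(sites).items()):
        big_cluster = len(members) >= SHARED_HOSTING_THRESHOLD
        for left, right in combinations(members, 2):
            findings.append({
                "fingerprint": fingerprint,
                "pair": (left, right),
                "confidence": pair_confidence(sites[left], sites[right]),
                "likely_shared_hosting": big_cluster,
            })
    return findings


if __name__ == "__main__":
    for finding in assess(SITES):
        print(finding["fingerprint"], finding["pair"], finding["confidence"])
```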

Tracking & Analytics Transforms

Discover Google Analytics and Google AdSense tracking IDs to link sites by operator. These transforms leverage clearnet tracking codes inadvertently or intentionally embedded in dark web sites.

Overview

Many dark web sites, especially those with clearnet mirror sites or sites operated by less sophisticated administrators, include Google tracking codes. These provide strong attribution signals:

  • Google Analytics - Web analytics tracking IDs (format: UA-XXXXXX-X or G-XXXXXXXXXX)
  • Google AdSense - Advertising revenue tracking IDs (format: ca-pub-XXXXXXXXXXXXXXXX)

Sites sharing these IDs are operated by the same person or organization, as these IDs are tied to Google accounts.
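
The ID formats above are regular enough to extract from page source and index by site. The Python below is an added example, not Hades code; the sample pages and IDs are constructed, the digit-count ranges for UA IDs are an assumption, and it goes one step beyond the text by grouping Universal Analytics IDs on their account number (the middle field of UA-account-property), so that two properties of one account are linked.

```python
import re
from collections import defaultdict

UA_RE = re.compile(r"\bUA-(\d{4,10})-(\d{1,4})\b")  # UA-<account>-<property>
GA4_RE = re.compile(r"\bG-[A-Z0-9]{10}\b")           # GA4 measurement ID
ADSENSE_RE = re.compile(r"\bca-pub-\d{16}\b")        # AdSense publisher ID

SAMPLE_PUB = "ca-pub-1000000000000001"  # constructed publisher ID

# Constructed page sources keyed by onion address. All IDs are made up.
PAGES = {
    "shopaaa.onion": (
        '<script>gtag("config", "UA-10000001-1");</script>'
        f'<ins class="adsbygoogle" data-ad-client="{SAMPLE_PUB}"></ins>'
    ),
    "shopbbb.onion": "<script>ga('create', 'UA-10000001-2', 'auto');</script>",
    "blogccc.onion": (
        '<script async src="https://www.googletagmanager.com/gtag/js'
        '?id=G-ABCDE12345"></script>'
        f'<script data-ad-client="{SAMPLE_PUB}" async></script>'
    ),
    # Look-alike strings that must not be reported as tracking IDs.
    "miscddd.onion": "<p>Order ref UA-12-3, image PNG-ABCDEFGHIJ.png</p>",
}


def extract_tracking_ids(html):
    """Return the Analytics and AdSense IDs present in one page source."""
    analytics = {m.group(0) for m in UA_RE.finditer(html)}
    analytics |= set(GA4_RE.findall(html))
    return {"analytics": analytics, "adsense": set(ADSENSE_RE.findall(html))}


def link_key(tracking_id):
    """Key used for linking: UA IDs collapse to their account number."""
    match = UA_RE.fullmatch(tracking_id)
    return f"UA-{match.group(1)}" if match else tracking_id


def build_index(pages):
    """Map each link key to the sorted list of sites where it was found."""
    index = defaultdict(set)
    for onion, html in pages.items():
        found = extract_tracking_ids(html)
        for tracking_id in found["analytics"] | found["adsense"]:
            index[link_key(tracking_id)].add(onion)
    return {key: sorted(sites) for key, sites in index.items()}


def shared_ids(index):
    """Keep only the keys that link two or more sites."""
    return {key: sites for key, sites in index.items() if len(sites) > 1}


if __name__ == "__main__":
    for key, sites in sorted(shared_ids(build_index(PAGES)).items()):
        print(key, "->", ", ".join(sites))
```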


Google Analytics Transforms

FetchGoogleAnalytics

Transform Name: FetchGoogleAnalytics

Description

Extracts all Google Analytics tracking IDs found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.googleanalytics - Google Analytics tracking IDs

Properties Returned

  • Appearances - Number of times this Analytics ID appears in the database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Analytics ID Formats

  • Universal Analytics - UA-XXXXXX-X (older format)
  • Google Analytics 4 - G-XXXXXXXXXX (newer format)

Use Cases

  • Identify sites tracked by the same Google account
  • Link clearnet and dark web presences of operators
  • Track amateur operators who don’t understand operational security
  • Find forgotten tracking codes left in site templates

Investigation Tips

  • Google Analytics on dark web sites is a major operational security failure
  • Sites sharing Analytics IDs are definitively operated by the same Google account holder
  • A high appearance count suggests a widely used template with the tracking ID left in
  • Can potentially correlate with clearnet sites using the same Analytics ID

SearchByGoogleAnalytics

Transform Name: SearchByGoogleAnalytics

Description

Finds all onion sites that use a specific Google Analytics tracking ID.

Input Entity

  • hades.v2.googleanalytics - A Google Analytics tracking ID

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Find all dark web sites operated by the same Google account holder
  • Link an operator’s entire portfolio of sites
  • Track clearnet-to-dark web connections
  • Identify related operations through shared analytics

What Shared Analytics IDs Mean

  • Same Analytics ID = Same Google account = Same operator (very high confidence)
  • This is one of the strongest attribution signals available
  • Can potentially be verified through Google Analytics data if accessible

Google AdSense Transforms

FetchGoogleAdSense

Transform Name: FetchGoogleAdSense

Description

Extracts all Google AdSense publisher IDs found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.googleadsense - Google AdSense publisher IDs

Properties Returned

  • Appearances - Number of times this AdSense ID appears in the database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

AdSense ID Format

  • Publisher ID - ca-pub-XXXXXXXXXXXXXXXX

Use Cases

  • Identify sites monetized by the same Google account
  • Track revenue generation across site portfolios
  • Link clearnet and dark web operations
  • Identify operators trying to monetize dark web traffic

Investigation Tips

  • Google AdSense on dark web sites is extremely rare (against Google ToS)
  • When found, it’s a critical operational security failure
  • Sites sharing AdSense IDs are definitively operated by the same account holder
  • AdSense accounts can be investigated separately through Google

SearchByGoogleAdSense

Transform Name: SearchByGoogleAdSense

Description

Finds all onion sites that use a specific Google AdSense publisher ID.

Input Entity

  • hades.v2.googleadsense - A Google AdSense publisher ID

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Find all sites monetized through the same Google account
  • Link an operator’s revenue-generating site portfolio
  • Track attempts to monetize dark web traffic
  • Connect clearnet and dark web operations

What Shared AdSense IDs Mean

  • Same AdSense ID = Same Google account = Same operator (very high confidence)
  • Indicates commercial intent (trying to generate revenue)
  • Can potentially be verified through Google AdSense reporting

Investigation Workflow Examples

Operator Portfolio Discovery

  1. Extract tracking IDs from target site

    • Input: targetsite123abc.onion
    • Run: FetchGoogleAnalytics and FetchGoogleAdSense
    • Result: Tracking IDs found on the site
  2. Find all sites with same tracking

    • Input: Each Google Analytics or AdSense ID
    • Run: SearchByGoogleAnalytics or SearchByGoogleAdSense
    • Result: Complete portfolio of sites tracked by the same Google account
  3. Analyze the portfolio

    • Review all sites discovered
    • Identify mix of clearnet and dark web sites
    • Note content types and business models
    • Map the operator’s entire web presence
  4. Build operator profile

    • Cross-reference with other intelligence:
      • Run FetchBitcoinAddresses on each site
      • Run FetchEmailAddresses and other contact transforms
    • Sites with shared Google tracking + shared contacts = definitive attribution

Clearnet-to-Dark Web Linking

  1. Start with dark web site using Google tracking

    • Input: Dark web onion address with Analytics ID
    • Run: FetchGoogleAnalytics
    • Result: Google Analytics ID
  2. Search for Analytics ID across platforms

    • Use external tools to search clearnet for the same Analytics ID
    • Many websites leak their Analytics IDs in source code
    • Build a list of all sites (dark web and clearnet) using this ID
  3. Identify the operator

    • Clearnet sites may have:
      • WHOIS registration information
      • Contact forms with real emails
      • Social media links
      • Business registration details
    • This can reveal the true identity of the dark web operator
  4. Operational security assessment

    • Document the opsec failure
    • Note if operator is aware of the exposure
    • Track if they eventually remove the tracking codes

Template Tracking Code Analysis

  1. Identify sites with common Analytics ID

    • Input: Google Analytics ID found on multiple sites
    • Run: SearchByGoogleAnalytics
    • Result: All sites sharing this ID
  2. Determine if it’s template-based

    • Many unrelated sites - Likely a template with tracking ID left in
    • Few related sites - Likely same operator’s portfolio
    • Check if sites use same template/framework
  3. Template attribution

    • If it’s a template:
      • Track which dark web sites use this template
      • Identify template creator through Analytics ID
      • Map template distribution network
    • If it’s an operator portfolio:
      • Build comprehensive attribution of all sites
      • Track operator’s expansion and activities

Operational Security Monitoring

  1. Baseline tracking code presence

    • Regularly run FetchGoogleAnalytics and FetchGoogleAdSense on monitored sites
    • Document which sites have tracking codes
  2. Monitor for changes

    • New tracking codes appear - Site added analytics (major opsec failure)
    • Tracking codes removed - Operator became aware of exposure
    • Tracking codes changed - Switched to new Google account
  3. Investigate changes

    • When tracking codes change, search for both old and new IDs
    • Track if sites migrate to new tracking accounts together
    • Note improvements or degradations in operational security

Cross-Platform Attribution

Google tracking codes can be combined with other attribution methods:

High Confidence Attribution Stack:

  1. Same Google Analytics/AdSense ID (Google account match)
  2. Same cryptocurrency wallets (financial link)
  3. Same email/Telegram contacts (communication link)
  4. Same SSH fingerprint (infrastructure link)
  5. Same SHV (code/template link)

Investigation Priority:

  • Start with Google tracking (strongest attribution signal)
  • Use other transforms to build supporting evidence
  • Create multi-dimensional attribution profile

Example Workflow:

  1. Find sites with shared Analytics ID → Get suspect sites
  2. Run FetchBitcoinAddresses on all → Identify shared wallets
  3. Run FetchEmailAddresses on all → Identify shared contacts
  4. Run FetchSSHFingerprints on all → Identify shared infrastructure
  5. Build attribution case with multiple corroborating indicators

Why Google Tracking on Dark Web is Significant

Operational Security Failures

  • Reveals Google account associated with dark web operations
  • Links clearnet identity to dark web activities
  • Provides law enforcement with subpoena target (Google account)
  • Exposes real-world financial information (AdSense payments)

Attribution Value

  • Definitive link - Same Google account = same operator (no ambiguity)
  • Clearnet connection - Google accounts require real information
  • Financial trail - AdSense payments go to real bank accounts
  • Persistent identifier - Tracking IDs rarely change once set

Intelligence Opportunities

  • Google Analytics data may be accessible to law enforcement
  • Can reveal visitor statistics, traffic sources, user behavior
  • AdSense account information includes payment details
  • Historical data may show site evolution and growth

Content Distribution Transforms

Track BitTorrent magnet links across dark web sites to identify file sharing, piracy networks, and content distribution patterns.

Overview

Magnet links are URIs used for BitTorrent peer-to-peer file sharing. They uniquely identify torrents and enable tracking of:

  • File distribution across multiple sites
  • Piracy networks and warez sites
  • Shared content libraries
  • Related operators distributing the same files

FetchMagnetLinks

Transform Name: FetchMagnetLinks

Description

Extracts all BitTorrent magnet links found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.magnet - BitTorrent magnet links

Properties Returned

  • Appearances - Number of times this magnet link appears across the indexed database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Magnet links are URIs that contain:

  • Info Hash - Unique identifier (SHA-1 hash) of the torrent content
  • Display Name - Optional human-readable name
  • Tracker URLs - Optional tracker addresses

Format: magnet:?xt=urn:btih:[HASH]&dn=[NAME]&tr=[TRACKER]
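
Two magnet URIs for the same torrent can differ in parameter order, display name, tracker list, and in how the info hash is written (40 hex characters or 32 base32 characters), so matching should be done on the normalized info hash rather than on the raw string. The Python below is an added example, not Hades code; the sample sites, hashes and tracker hosts are constructed, and it handles BitTorrent v1 `urn:btih` hashes only.

```python
import base64
import binascii
import string
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

HEX_CHARS = set(string.hexdigits)


def normalize_infohash(value):
    """Return the info hash as 40 lowercase hex characters."""
    if len(value) == 40 and set(value) <= HEX_CHARS:
        return value.lower()
    if len(value) == 32:  # base32 form of the same 20-byte SHA-1 digest
        try:
            return base64.b32decode(value.upper()).hex()
        except binascii.Error as exc:
            raise ValueError("invalid base32 info hash") from exc
    raise ValueError("info hash must be 40 hex or 32 base32 characters")


def parse_magnet(uri):
    """Return {'infohash', 'name', 'trackers'} for a v1 magnet URI."""
    # Links scraped from HTML attributes often still carry escaped ampersands.
    parts = urlsplit(uri.strip().replace("&amp;", "&"))
    if parts.scheme != "magnet":
        raise ValueError("not a magnet URI")
    params = parse_qs(parts.query)
    for xt in params.get("xt", []):
        if xt.lower().startswith("urn:btih:"):
            return {
                "infohash": normalize_infohash(xt[len("urn:btih:"):]),
                "name": params.get("dn", [None])[0],
                "trackers": sorted(params.get("tr", [])),
            }
    raise ValueError("no urn:btih info hash in xt")


def group_by_infohash(observations):
    """Group (site, magnet URI) pairs by torrent; return (groups, rejected)."""
    groups, rejected = defaultdict(set), []
    for onion, uri in observations:
        try:
            groups[parse_magnet(uri)["infohash"]].add(onion)
        except ValueError:
            rejected.append((onion, uri))
    return {h: sorted(sites) for h, sites in groups.items()}, rejected


# Constructed sample input: the first two entries describe the same torrent.
SAMPLE_HASH = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_B32 = base64.b32encode(bytes.fromhex(SAMPLE_HASH)).decode()
OTHER_HASH = "f" * 40
OBSERVATIONS = [
    ("warezaaa.onion",
     f"magnet:?xt=urn:btih:{SAMPLE_HASH.upper()}&amp;dn=Sample+File"
     "&amp;tr=udp%3A%2F%2Ftracker.example.invalid%3A1337"),
    ("warezbbb.onion",
     "magnet:?tr=http%3A%2F%2Fother.example.invalid%2Fannounce"
     f"&xt=urn:btih:{SAMPLE_B32}"),
    ("warezccc.onion", f"magnet:?xt=urn:btih:{OTHER_HASH}&dn=Other"),
    ("brokenddd.onion", "magnet:?xt=urn:btih:tooshort"),
]

if __name__ == "__main__":
    groups, rejected = group_by_infohash(OBSERVATIONS)
    for infohash, sites in groups.items():
        print(infohash, sites)
    print("rejected:", [site for site, _ in rejected])
```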

Use Cases

  • Catalog all torrents available on a warez/piracy site
  • Identify file-sharing sites on the dark web
  • Track popular torrents distributed across multiple sites
  • Document illegal file distribution networks
  • Monitor leaked/stolen data distribution

Investigation Tips

  • High appearance counts indicate popular or widely-distributed torrents
  • Same magnet link on multiple sites suggests coordinated distribution
  • Unique/rare magnet links may indicate exclusive content or direct source
  • Magnet links can be tracked on clearnet torrent networks as well

SearchByMagnetLink

Transform Name: SearchByMagnetLink

Description

Finds all onion sites that share a specific BitTorrent magnet link.

Input Entity

  • hades.v2.magnet - A BitTorrent magnet link

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Track the distribution of a specific torrent across the dark web
  • Identify all sites sharing pirated content
  • Find related warez/piracy operations
  • Monitor where specific leaked data is being distributed
  • Discover mirror sites offering the same content

Strong Indicators:

  • Rare/unique torrents on 2-3 sites - Sites likely related or coordinating
  • Recent torrents appearing simultaneously - Active collaboration or mirroring
  • Exclusive content - May indicate original source or exclusive distributor

Moderate Indicators:

  • Popular torrents on many sites - Common content, less indicative of relationship
  • Old torrents - May be legacy content from copied databases

Investigation Required:

  • Cross-reference with other intelligence (contacts, payments, infrastructure)
  • Check timing - did sites add the magnet link at the same time?
  • Review surrounding content for other similarities

Investigation Workflow Examples

Piracy Network Mapping

  1. Extract torrents from known warez site

    • Input: warezsite123abc.onion
    • Run: FetchMagnetLinks
    • Result: All torrent magnet links available on the site
  2. Track specific torrents

    • Select interesting torrents (new releases, rare content, etc.)
    • Input: Each magnet link
    • Run: SearchByMagnetLink
    • Result: Other sites offering the same torrents
  3. Identify the network

    • Sites sharing multiple magnet links are likely:
      • Mirror sites
      • Coordinated distribution network
      • Sites scraping from same source
    • Map the relationships between sites
  4. Cross-reference with infrastructure

    • Run FetchSSHFingerprints on sites sharing content
    • Run FetchSHV to check for shared infrastructure
    • Build attribution case combining content sharing and infrastructure

Leaked Data Tracking

  1. Start with known leaked data magnet

    • Input: Magnet link for leaked database, documents, or sensitive files
    • Run: SearchByMagnetLink
    • Result: All dark web sites distributing this content
  2. Map distribution timeline

    • Note which sites have the content
    • Track if new sites add the magnet link over time
    • Identify original source vs. downstream distributors
  3. Investigate distributors

    • For each site distributing the leaked content:
      • Run FetchEmailAddresses and FetchTelegramLinks for contact info
      • Run FetchBitcoinAddresses to see if they’re monetizing access
      • Run FetchOnionLinks to map their connections
  4. Containment and attribution

    • Document all distribution points
    • Identify primary sources for takedown efforts
    • Track how content spreads through the dark web

Content Source Attribution

  1. Identify exclusive content

    • Find torrents with low appearance counts (1-3 sites)
    • Input: Magnet link
    • Run: SearchByMagnetLink
    • Result: Small number of sites with this content
  2. Determine original source

    • Analyze timing - which site had it first?
    • Check content type - does it match site’s specialty?
    • Look for watermarks or identifying information in torrent metadata
  3. Track distribution from source

    • Monitor if magnet link appears on more sites over time
    • Map how content spreads from original source
    • Identify key distribution nodes in the network
  4. Build operator profile

    • If site is original source of unique content:
      • Major player in piracy ecosystem
      • May have insider access or direct relationships
      • Priority target for investigation

Mirror Site Detection

  1. Extract content from target site

    • Input: Marketplace or content site
    • Run: FetchMagnetLinks
    • Result: All torrents available on the site
  2. Search for each major torrent

    • Select representative sample of magnet links
    • Run: SearchByMagnetLink on each
    • Result: Other sites offering the same torrents
  3. Identify mirrors

    • Sites offering the exact same collection of torrents may be:
      • Official mirror sites
      • Scam sites copying legitimate site
      • Backup domains operated by same team
    • Look for patterns in which torrents are shared
  4. Verify mirror relationships

    • Run FetchBitcoinAddresses - mirrors may share payment addresses
    • Run FetchSSHFingerprints - mirrors may share infrastructure
    • Run FetchSHV - mirrors likely have identical JavaScript
    • Confirmed mirrors if multiple indicators match

Torrent Tracker Analysis

  1. Extract magnet links with tracker information

    • Many magnet links include tracker URLs
    • Input: Onion site
    • Run: FetchMagnetLinks
    • Result: Magnet links (review tracker information manually)
  2. Identify common trackers

    • Which BitTorrent trackers are used by dark web sites?
    • Are there dark web-specific trackers?
    • Which clearnet trackers are commonly used?
  3. Track tracker usage patterns

    • Sites using the same private trackers may be related
    • Custom/private trackers indicate coordinated networks
    • Clearnet tracker usage indicates less sophisticated operators

Multi-source Attribution:

  1. Content + Infrastructure

    • Sites sharing magnet links + same SSH fingerprint = strong relationship
    • Sites sharing magnet links + same SHV = likely same codebase
  2. Content + Financial

    • Sites sharing magnet links + same Bitcoin addresses = confirmed same operator
    • Especially strong if monetizing access to torrents
  3. Content + Communication

    • Sites sharing magnet links + same Telegram/Discord = coordinated network
    • May indicate organized distribution group
  4. Temporal Analysis

    • Track when magnet links appear on different sites
    • Identify lead sites (first to have content) vs. followers
    • Map information flow through the piracy network

Network Relationships:

  • Identify coordinated piracy networks
  • Map content distribution chains
  • Discover mirror and backup sites

Content Tracking:

  • Monitor distribution of specific files
  • Track leaked sensitive data
  • Identify sources of pirated content

Operational Patterns:

  • Understand how piracy networks operate
  • Identify key nodes in distribution networks
  • Track content emergence and spread

Attribution:

  • Link sites through shared content libraries
  • Identify original sources vs. redistributors
  • Build cases against major piracy operators

Limitations

Not Always Conclusive:

  • Popular torrents appear on many unrelated sites
  • Sites may scrape content from each other
  • Historical torrents may persist on defunct site mirrors

Requires Context:

  • Always combine with other intelligence
  • Consider timing and exclusivity
  • Verify relationships with infrastructure and financial intelligence

External Tracking:

  • Magnet links can be tracked on clearnet BitTorrent networks
  • Public tracker statistics may provide additional context
  • DHT network may reveal peer information

Network Mapping Transforms

Map relationships between onion sites through inbound and outbound links. These transforms help discover site networks, affiliate relationships, and the dark web link graph.

Overview

Network mapping transforms analyze the hyperlink structure of the dark web:

  • Outbound Links - Links from a site to other onion addresses (who does this site link to?)
  • Inbound Links - Links from other sites to a specific onion address (who links to this site?)

This creates a directed graph of dark web relationships, revealing:

  • Affiliate networks and partnerships
  • Recommended or trusted sites
  • Scam sites trying to impersonate legitimate sites
  • Mirror domains and backup sites
  • Directories and link aggregators

FetchOnionLinks

Transform Name: FetchOnionLinks

Description

Extracts all outbound onion links from a specified onion site (i.e., what other .onion addresses does this site link to?).

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.onion - Linked onion site addresses

Properties Returned

  • Link Appearances - Number of times the link appears on the source site
  • Hades Link - Direct link to view each linked onion site in Project Hades web interface

Special Features

  • Self-Reference Filtering - Automatically excludes links from the site to itself
  • Appearance Tracking - Shows how many times each outbound link appears (indicating importance)

Use Cases

  • Discover sites recommended or endorsed by a marketplace
  • Find affiliate networks and partner sites
  • Identify official mirror domains
  • Map vendor networks and related operations
  • Discover hidden or unlisted onion services

Operational Links:

  • Mirror/backup domains owned by the same operator
  • Sister sites or related operations
  • Payment processors or escrow services

Affiliate Links:

  • Partner marketplaces
  • Recommended vendors
  • Affiliate network members

Informational Links:

  • Dark web directories
  • News sites
  • Forums and communities

Infrastructure Links:

  • Image hosting services
  • File storage sites
  • CDN or infrastructure services

Investigation Tips

  • High appearance counts indicate important/frequently referenced sites
  • Multiple links to the same destination suggest strong relationship
  • Links to known scam sites may indicate the source site is also malicious
  • Missing expected links (e.g., to popular directories) may indicate isolation

SearchByOnion

Transform Name: SearchByOnion

Description

Finds all onion sites that link TO a specific onion address (i.e., what sites link to this address?). This is the reverse of FetchOnionLinks.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.onion - Onion site addresses that link to the input address

Properties Returned

  • Hades Link - Direct link to view each referring onion site in Project Hades web interface

Special Features

  • Self-Reference Filtering - Automatically excludes self-links
  • Backlink Discovery - Reveals who is linking to or endorsing a site

Use Cases

  • Discover who links to a marketplace (advertisers, reviewers, affiliates)
  • Identify sites that endorse or recommend a vendor
  • Find directories that list a specific service
  • Discover scam sites impersonating a legitimate marketplace
  • Map a site’s reputation network

High Inbound Link Count:

  • Popular or well-established site
  • Listed in many directories
  • Widely endorsed or recommended
  • Target of scam site impersonation

Low Inbound Link Count:

  • New or obscure site
  • Intentionally unlisted (private/invite-only)
  • Recently launched
  • Potential scam site

Quality of Inbound Links:

  • Links from trusted directories = legitimate site
  • Links from known scam sites = suspicious
  • Links from related services = network membership
  • Links from review sites = active community presence

Investigation Tips

  • Compare inbound links between competing marketplaces
  • Identify which directories are most comprehensive
  • Track changes in inbound links over time (reputation changes)
  • Look for suspicious patterns (many links from new/scam sites)

Investigation Workflow Examples

Marketplace Network Mapping

  1. Map outbound connections

    • Input: marketplace123abc.onion
    • Run: FetchOnionLinks
    • Result: All sites this marketplace links to
  2. Categorize outbound links

    • High appearance count - Official mirrors, important partners
    • Medium appearance - Affiliate sites, related services
    • Low appearance - One-off references, potentially suspicious
  3. Map inbound connections

    • Input: Same marketplace address
    • Run: SearchByOnion
    • Result: All sites that link to this marketplace
  4. Analyze link patterns

    • Mutual links - Sites linking to each other (strong relationship)
    • One-way links - Endorsements or directory listings
    • Link clusters - Groups of sites all linking to each other (networks)
  5. Build network graph

    • Combine outbound and inbound links
    • Visualize the marketplace’s position in the dark web ecosystem
    • Identify key partners, affiliates, and endorsers
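
Steps 3 to 5 of this workflow amount to building a directed graph from outbound links and reading inbound links, mutual links and clusters off it. The Python below is an added example, not Hades code; the input layout (site mapped to linked site and appearance count) and the sample sites are constructed, and a "cluster" is taken here to mean a group of three or more sites connected through mutual links.

```python
from collections import defaultdict

# Constructed sample of outbound links per site: {source: {target: appearances}}.
OUTBOUND = {
    "marketaaa.onion": {"marketaaa.onion": 12, "mirrorbbb.onion": 8,
                        "escrowccc.onion": 3},
    "mirrorbbb.onion": {"marketaaa.onion": 8, "escrowccc.onion": 2},
    "escrowccc.onion": {"marketaaa.onion": 1, "mirrorbbb.onion": 1},
    "dirddd.onion": {"marketaaa.onion": 1, "mirrorbbb.onion": 1,
                     "shopeee.onion": 1},
    "fakefff.onion": {"marketaaa.onion": 5},
}


def build_graph(outbound):
    """Directed adjacency sets with self-references filtered out."""
    graph = defaultdict(set)
    for source, targets in outbound.items():
        graph[source]  # register the node even if it has no usable links
        for target in targets:
            if target != source:
                graph[source].add(target)
                graph[target]
    return dict(graph)


def inbound_index(graph):
    """Reverse the graph: who links to each site."""
    inbound = {node: set() for node in graph}
    for source, targets in graph.items():
        for target in targets:
            inbound[target].add(source)
    return inbound


def mutual_pairs(graph):
    """Pairs of sites that link to each other."""
    pairs = {tuple(sorted((a, b))) for a in graph for b in graph[a]
             if a in graph[b]}
    return sorted(pairs)


def one_way_inbound(graph, site):
    """Sites that link to `site` without being linked back."""
    return sorted(src for src in inbound_index(graph)[site]
                  if src not in graph[site])


def link_clusters(graph, min_size=3):
    """Connected groups in the mutual-link graph with at least min_size sites."""
    neighbours = defaultdict(set)
    for a, b in mutual_pairs(graph):
        neighbours[a].add(b)
        neighbours[b].add(a)
    seen, clusters = set(), []
    for start in sorted(neighbours):
        if start in seen:
            continue
        stack, members = [start], set()
        while stack:  # depth-first walk over mutual links only
            node = stack.pop()
            if node not in members:
                members.add(node)
                stack.extend(neighbours[node] - members)
        seen |= members
        if len(members) >= min_size:
            clusters.append(sorted(members))
    return clusters


if __name__ == "__main__":
    graph = build_graph(OUTBOUND)
    print("mutual:", mutual_pairs(graph))
    print("one-way into market:", one_way_inbound(graph, "marketaaa.onion"))
    print("clusters:", link_clusters(graph))
```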

Affiliate Network Discovery

  1. Start with known marketplace

    • Input: Legitimate marketplace onion address
    • Run: FetchOnionLinks
    • Result: Sites the marketplace links to
  2. Identify affiliate pattern

    • Select sites that appear to be partners/affiliates
    • For each affiliate:
      • Run FetchOnionLinks to see who they link to
      • Run SearchByOnion to see who links to them
  3. Map the affiliate network

    • Sites that all link to each other = network members
    • Central hub sites (many inbound links) = network coordinators
    • Peripheral sites (few links) = new members or one-off affiliates
  4. Cross-reference with other intelligence

    • Run FetchBitcoinAddresses on network members
    • Look for shared payment addresses (revenue sharing)
    • Run FetchTelegramLinks to find shared communication channels
    • Build complete picture of affiliate operations

Mirror Site Identification

  1. Extract official mirrors from main site

    • Input: Known legitimate marketplace
    • Run: FetchOnionLinks
    • Result: All sites linked from the main domain
  2. Identify suspected mirrors

    • Look for links labeled as “mirror” or “backup”
    • High appearance counts suggest official status
  3. Verify mirror authenticity

    • For each suspected mirror:
      • Run FetchSHV (should match main site)
      • Run FetchSSHFingerprints (may or may not match)
      • Run FetchBitcoinAddresses (should match main site)
    • Confirmed mirrors have matching technical fingerprints
  4. Map mirror network

    • Document all official mirrors
    • Track which mirrors are most promoted
    • Monitor for unauthorized mirrors/scam sites

Directory and Discovery Site Analysis

  1. Identify directory sites

    • Dark web directories list many onion addresses
    • Look for sites with many outbound links
    • Input: Known directory addresses
    • Run: FetchOnionLinks
  2. Analyze directory coverage

    • Which sites are listed in which directories?
    • Are there categories or organization schemes?
    • Which directories are most comprehensive?
  3. Reverse analysis

    • Input: Specific marketplace or service
    • Run: SearchByOnion
    • Result: Which directories list this site?
    • Legitimate sites appear in multiple trusted directories
  4. Track directory updates

    • Periodically run FetchOnionLinks on directories
    • Note new onion addresses being added
    • Identify emerging sites and services
    • Track removal of defunct sites

Scam Site Detection

  1. Analyze suspicious site’s outbound links

    • Input: Suspected scam site
    • Run: FetchOnionLinks
    • Result: Sites the scam links to
  2. Check link legitimacy

    • Does the scam site link to the legitimate site it’s impersonating?
    • Does it link to other known scam sites?
    • Does it have legitimate operational links (unlikely for scams)?
  3. Check inbound links

    • Input: Suspected scam site
    • Run: SearchByOnion
    • Result: Who links to the scam site?
  4. Scam indicators

    • Few or no inbound links - Not listed in legitimate directories
    • Links from other scams - Part of scam network
    • Links to legitimate site - May be phishing/impersonation
    • No operational links - Not integrated into ecosystem
  1. Baseline link profile

    • Input: Site under monitoring
    • Run: FetchOnionLinks and SearchByOnion
    • Document: Current outbound and inbound links
  2. Periodic re-analysis

    • Regularly re-run both transforms
    • Track changes in link patterns
  3. Detect significant changes

    • New outbound links - New partnerships, expansions, affiliates
    • Removed outbound links - Broken relationships, defunct sites
    • New inbound links - Growing reputation, new endorsements
    • Lost inbound links - Reputation damage, directory removals
  4. Investigate changes

    • Sudden link changes may indicate:
      • Compromise or takeover
      • Major operational changes
      • Response to law enforcement
      • Market consolidation or expansion

Advanced Network Analysis Techniques

Centrality Analysis

Identify the most important sites in the dark web network:

  1. High Outbound Links - Hub sites, directories, coordinators
  2. High Inbound Links - Authorities, popular sites, trusted services
  3. Mutual Links - Strong bilateral relationships

Community Detection

Find clusters of highly interconnected sites:

  1. Run transforms on multiple sites
  2. Identify sites that all link to each other
  3. Map community boundaries
  4. Analyze community characteristics

Trace paths between sites:

  1. Start at Site A
  2. Run FetchOnionLinks to find sites A links to
  3. For each result, run FetchOnionLinks again
  4. Map multi-hop paths through the network
  5. Identify intermediaries and bridges

Trust Network Mapping

Build trust graphs based on endorsements:

  1. Identify trusted “anchor” sites (known legitimate services)
  2. Run FetchOnionLinks to see who they endorse
  3. Sites linked by trusted anchors are likely legitimate
  4. Sites not linked by any anchors may be suspicious
  5. Build concentric trust circles
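
The centrality, mutual-link and trust-circle steps above, as an added JavaScript example (not part of Hades or its documentation). The link data is constructed, the addresses are placeholders, and the assumption is that FetchOnionLinks results have been exported as a map from each site to the addresses it links to.

```javascript
// Constructed sample: site -> onion addresses it links to. The export shape of
// FetchOnionLinks is an assumption and every address is a placeholder.
const OUTBOUND_LINKS = {
  "anchor-directory.onion": ["market-a.onion", "market-b.onion", "forum-x.onion"],
  "market-a.onion": ["market-a-mirror.onion", "forum-x.onion"],
  "market-a-mirror.onion": ["market-a.onion"],
  "market-b.onion": ["forum-x.onion"],
  "forum-x.onion": ["market-a.onion", "vendor-shop.onion"],
  "vendor-shop.onion": [],
  "lookalike-a.onion": ["market-a.onion"],
};

// Every site seen either as a source or as a link target.
function allSites(outbound) {
  const sites = new Set(Object.keys(outbound));
  for (const targets of Object.values(outbound)) {
    for (const dst of targets) sites.add(dst);
  }
  return [...sites].sort();
}

// Invert the outbound lists to get the inbound view (the SearchByOnion side).
function buildInbound(outbound) {
  const inbound = new Map(allSites(outbound).map((s) => [s, new Set()]));
  for (const [src, targets] of Object.entries(outbound)) {
    for (const dst of targets) {
      if (dst !== src) inbound.get(dst).add(src); // ignore self-links
    }
  }
  return inbound;
}

// Split linked pairs into mutual links and one-way links.
function classifyLinks(outbound) {
  const mutual = [];
  const oneWay = [];
  for (const [src, targets] of Object.entries(outbound)) {
    for (const dst of new Set(targets)) {
      if (dst === src) continue;
      const linksBack = (outbound[dst] || []).includes(src);
      if (!linksBack) oneWay.push([src, dst]);
      else if (src < dst) mutual.push([src, dst]); // report each pair once
    }
  }
  return { mutual, oneWay };
}

// Centrality: inbound and outbound degree per site, highest inbound first.
function degreeTable(outbound) {
  const inbound = buildInbound(outbound);
  return allSites(outbound)
    .map((site) => {
      const out = new Set(outbound[site] || []);
      out.delete(site);
      return { site, inbound: inbound.get(site).size, outbound: out.size };
    })
    .sort((a, b) => b.inbound - a.inbound || a.site.localeCompare(b.site));
}

// Trust circles: hop distance from the anchor set along outbound links
// (breadth-first, so each site gets its shortest distance). Sites not reached
// within maxDepth are returned separately for manual review.
function trustCircles(outbound, anchors, maxDepth = 3) {
  const depth = new Map(anchors.map((a) => [a, 0]));
  let frontier = [...anchors];
  for (let d = 1; d <= maxDepth && frontier.length > 0; d++) {
    const next = [];
    for (const site of frontier) {
      for (const dst of outbound[site] || []) {
        if (!depth.has(dst)) {
          depth.set(dst, d);
          next.push(dst);
        }
      }
    }
    frontier = next;
  }
  const unreached = allSites(outbound).filter((s) => !depth.has(s));
  return { depth, unreached };
}

const links = classifyLinks(OUTBOUND_LINKS);
const circles = trustCircles(OUTBOUND_LINKS, ["anchor-directory.onion"]);
console.log("mutual links:", links.mutual);
console.log("top by inbound:", degreeTable(OUTBOUND_LINKS).slice(0, 3));
console.log("not reached from any anchor:", circles.unreached);
```

In the sample, `lookalike-a.onion` links to the most-linked marketplace but has no inbound links and is not reachable from the anchor, which is the combination the Scam Site Detection workflow lists as indicators.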

Combining Network Analysis with Other Transforms

Network + Infrastructure:

  • Sites with mutual links + same SSH/SHV = confirmed relationship
  • Map both logical (links) and physical (infrastructure) networks

Network + Financial:

  • Sites with mutual links + shared wallets = revenue sharing
  • Identify affiliate commission structures

Network + Communication:

  • Sites with mutual links + shared contacts = coordinated operations
  • Map communication channels alongside link structures

Network + Content:

  • Sites with mutual links + shared content = mirror network
  • Track content distribution along link paths

Complete Attribution:

Combine all signals for the strongest attribution:

  1. Mutual links (network relationship)
  2. Shared infrastructure (technical relationship)
  3. Shared payments (financial relationship)
  4. Shared contacts (organizational relationship)
  5. Shared content (operational relationship)
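
An added JavaScript sketch (not Hades code) of the mirror check from step 3 of Mirror Site Identification together with the five-signal attribution list above. The profiles are constructed placeholders standing in for the transform outputs, the field and function names are hypothetical, and reading "should match" for payment addresses as "at least one shared address" is an assumption.

```javascript
// Constructed profiles standing in for the output of FetchSHV,
// FetchSSHFingerprints, FetchBitcoinAddresses, FetchTelegramLinks and
// FetchOnionLinks. Field names and every value are placeholders.
const SITE_PROFILES = {
  "market-main.onion": {
    shv: "shv-1111", ssh: ["SHA256:host-A"], wallets: ["btc-wallet-main"],
    contacts: ["@main_support"], content: ["img-logo-v2"],
    linksTo: ["mirror-one.onion", "mirror-two.onion"],
  },
  "mirror-one.onion": {
    shv: "shv-1111", ssh: ["SHA256:host-A"], wallets: ["btc-wallet-main"],
    contacts: ["@main_support"], content: ["img-logo-v2"],
    linksTo: ["market-main.onion"],
  },
  "mirror-two.onion": { // same code and wallet, hosted on a different machine
    shv: "shv-1111", ssh: ["SHA256:host-B"], wallets: ["btc-wallet-main"],
    contacts: ["@main_support"], content: ["img-logo-v2"],
    linksTo: ["market-main.onion"],
  },
  "clone-site.onion": { // same code and images, different wallet and contact
    shv: "shv-1111", ssh: ["SHA256:host-C"], wallets: ["btc-wallet-other"],
    contacts: ["@other_support"], content: ["img-logo-v2"],
    linksTo: ["market-main.onion"],
  },
};

// Values present in both lists.
function shared(a, b) {
  const seen = new Set(a);
  return [...new Set(b)].filter((x) => seen.has(x));
}

// Raw comparison of two site profiles, one field per evidence type.
function compareSites(profiles, siteA, siteB) {
  const a = profiles[siteA];
  const b = profiles[siteB];
  if (!a || !b) throw new Error("no profile for one of the sites");
  return {
    mutualLinks: a.linksTo.includes(siteB) && b.linksTo.includes(siteA),
    shvMatch: Boolean(a.shv) && a.shv === b.shv,
    sharedSsh: shared(a.ssh, b.ssh),
    sharedWallets: shared(a.wallets, b.wallets),
    sharedContacts: shared(a.contacts, b.contacts),
    sharedContent: shared(a.content, b.content),
  };
}

// Map the comparison onto the five relationship types of the attribution list.
function attributionSignals(cmp) {
  const signals = [];
  if (cmp.mutualLinks) signals.push("network");
  if (cmp.shvMatch || cmp.sharedSsh.length > 0) signals.push("technical");
  if (cmp.sharedWallets.length > 0) signals.push("financial");
  if (cmp.sharedContacts.length > 0) signals.push("organizational");
  if (cmp.sharedContent.length > 0) signals.push("operational");
  return signals;
}

// Mirror check: SHV and payment address must match the main site; an SSH
// mismatch is recorded as a note only, because it may or may not match.
function verifyMirror(profiles, mainSite, candidate) {
  const cmp = compareSites(profiles, mainSite, candidate);
  const reasons = [];
  if (!cmp.shvMatch) reasons.push("SHV differs from main site");
  if (cmp.sharedWallets.length === 0) {
    reasons.push("no payment address shared with main site");
  }
  const notes = cmp.sharedSsh.length === 0
    ? ["SSH fingerprint differs (allowed: may be a separate host)"]
    : [];
  return {
    candidate,
    verdict: reasons.length === 0 ? "confirmed" : "unverified",
    reasons,
    notes,
    signals: attributionSignals(cmp),
  };
}

for (const site of ["mirror-one.onion", "mirror-two.onion", "clone-site.onion"]) {
  console.log(verifyMirror(SITE_PROFILES, "market-main.onion", site));
}
```

The third sample site matches on SHV and content only: the code was copied, but the payment address and contact were not, so a single matching fingerprint is not enough to confirm a mirror.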

MCP Server: Overview & Setup

What is the Hades MCP Server?

The Hades MCP (Model Context Protocol) Server is an AI-native interface to the Hades dark web intelligence platform. It exposes 21 specialized tools for natural language querying through Claude AI, transforming complex database queries into conversational intelligence gathering.

Instead of writing MongoDB queries or clicking through Maltego transforms, you can simply ask questions:

  • “Find all dark web sites using Bitcoin address bc1qxy2…”
  • “Show me high-risk drug marketplaces discovered in the last 7 days”
  • “Track this Telegram handle across all servers: @darkvendor”
  • “Analyze the connections between these 3 marketplaces”

Claude automatically selects the appropriate Hades tools, executes queries, and synthesizes results into actionable intelligence.

Key Features

AI-Native Conversational Interface

Query dark web intelligence using natural language instead of learning complex query syntax or visual tools.

Traditional Approach:

db.entities.aggregate([
  { $match: { type: 'bitcoin', value: 'bc1qxy2...' } },
  { $lookup: { from: 'http', localField: 'source_url', foreignField: 'server', as: 'server_data' } },
  { $lookup: { from: 'labels', localField: 'source_url', foreignField: 'server', as: 'labels' } },
  { $unwind: '$server_data' },
  { $unwind: '$labels' },
  { $project: { server: '$source_url', title: '$server_data.title', risk: '$labels.risk_level' } }
])

MCP Server Approach:

"Find all sites using this Bitcoin address"

21 Specialized Tools

The MCP Server provides 21 tools across 5 categories:

Cryptocurrency Investigation (5 tools)

  • Track wallets across the dark web
  • Find servers accepting specific crypto
  • Monitor wallet activity over time
  • Cross-reference multiple wallets

Communication Tracking (4 tools)

  • Search emails, Telegram, Discord
  • Find servers by contact method
  • Vendor attribution analysis
  • Cross-platform identity tracking

Infrastructure Fingerprinting (4 tools)

  • Identify identical infrastructure (SHV)
  • Find co-hosted sites (SSH fingerprints)
  • Cluster servers by infrastructure
  • Technology stack analysis

Server Intelligence (4 tools)

  • Advanced server queries with filters
  • Comprehensive server profiles
  • Risk assessment and scoring
  • Real-time threat intelligence feeds

Relationship Mapping (4 tools)

  • Build investigation graphs
  • Temporal analysis and timelines
  • Network analysis between servers
  • Track entity evolution

Direct Database Access

The MCP Server queries the Hades database directly with:

  • 15 Collections - servers, http, labels, entities, ports, javascript, shv, images, preprocessed, favourites, api, api_usage, organisations, processor_queue, errors
  • 3M+ Documents - 163K+ servers, 375K+ entities, 2.1M+ images
  • Optimized Queries - Aggregation pipelines for efficient cross-collection joins
  • Real-Time Data - Direct access to latest intelligence

Architecture

Technology Stack

  • Node.js + TypeScript - Modern, type-safe backend
  • MongoDB Driver - Direct database access with connection pooling
  • MCP SDK - Model Context Protocol for Claude integration
  • Zod - Runtime type validation for all inputs
  • Docker - Containerized deployment

Data Flow

User Question (Claude Desktop)
    ↓
Claude AI (selects appropriate MCP tools)
    ↓
Hades MCP Server (validates input, builds query)
    ↓
MongoDB (executes aggregation pipeline)
    ↓
MCP Server (formats results)
    ↓
Claude AI (synthesizes into answer)
    ↓
User receives actionable intelligence
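
An added example, not the project's own schema: a plain JavaScript stand-in for the "validates input, builds query" step of the data flow, applied to the search_crypto_wallets parameters documented in the Tool Reference on this page. The collection and field names come from the aggregation shown earlier; the address patterns and function names are assumptions.

```javascript
// Allowed values and bounds as documented for search_crypto_wallets.
const CRYPTO_TYPES = ["bitcoin", "ethereum", "monero", "litecoin", "dogecoin"];
const RISK_LEVELS = ["high", "medium", "low"];
const ALLOWED_KEYS = ["crypto_type", "wallet_address", "server", "risk_level", "limit"];

// Assumed formats. The onion pattern is deliberately lenient so that the
// placeholder names used on this page pass; it is not a v3 address check.
const ONION_RE = /^[a-z0-9]{1,56}\.onion$/;
const WALLET_RE = /^[A-Za-z0-9]{20,128}$/;

function requireString(name, value, pattern) {
  // The typeof check comes first: a model-supplied object such as
  // {"$ne": null} would otherwise reach MongoDB as a query operator.
  if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
  if (!pattern.test(value)) throw new RangeError(`${name} has an unexpected format`);
  return value;
}

// Returns a new object holding only validated values, with defaults applied.
function validateSearchCryptoWallets(input) {
  if (input === null || typeof input !== "object" || Array.isArray(input)) {
    throw new TypeError("tool arguments must be an object");
  }
  for (const key of Object.keys(input)) {
    if (!ALLOWED_KEYS.includes(key)) throw new RangeError(`unknown parameter: ${key}`);
  }
  if (!CRYPTO_TYPES.includes(input.crypto_type)) {
    throw new RangeError("crypto_type is required and must be a listed type");
  }
  const params = { crypto_type: input.crypto_type, limit: 100 };
  if (input.wallet_address !== undefined) {
    params.wallet_address = requireString("wallet_address", input.wallet_address, WALLET_RE);
  }
  if (input.server !== undefined) {
    params.server = requireString("server", input.server, ONION_RE);
  }
  if (input.risk_level !== undefined) {
    if (!RISK_LEVELS.includes(input.risk_level)) {
      throw new RangeError("risk_level must be high, medium or low");
    }
    params.risk_level = input.risk_level;
  }
  if (input.limit !== undefined) {
    if (!Number.isInteger(input.limit) || input.limit < 1 || input.limit > 1000) {
      throw new RangeError("limit must be an integer from 1 to 1000");
    }
    params.limit = input.limit;
  }
  return params;
}

// Build the aggregation only from validated values. Every $-prefixed key in
// the pipeline is written here, never taken from the caller.
function buildWalletPipeline(params) {
  const match = { type: params.crypto_type };
  if (params.wallet_address) match.value = params.wallet_address;
  if (params.server) match.source_url = params.server;
  const pipeline = [{ $match: match }];
  if (params.risk_level) {
    pipeline.push(
      { $lookup: { from: "labels", localField: "source_url", foreignField: "server", as: "labels" } },
      { $match: { "labels.risk_level": params.risk_level } }
    );
  }
  pipeline.push({ $limit: params.limit });
  return pipeline;
}

const checked = validateSearchCryptoWallets({ crypto_type: "bitcoin", risk_level: "high" });
console.log(JSON.stringify(buildWalletPipeline(checked), null, 2));
```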

Authentication & Licensing

The MCP Server supports API key authentication with usage-based licensing:

Licensing Tiers:

  • Free - 100 queries/month (research & testing)
  • Professional - 10,000 queries/month (analysts & consultants)
  • Enterprise - Unlimited queries (large teams)
  • Academic - 50,000 queries/month (universities & research)

Usage automatically resets on the 1st of each month.

Integration Options

Hades MCP Server works with multiple AI platforms for different use cases:

Claude Desktop

Best for: Interactive investigations with best-in-class AI reasoning

The easiest way to access Hades intelligence through natural language. Claude Desktop provides an intuitive conversational interface with excellent multi-tool reasoning for complex investigations.

What you can do:

  • Ask questions in natural language
  • Conduct multi-step investigations
  • Build comprehensive intelligence reports
  • Use specialized Claude Code skills

Claude CLI

Best for: Terminal-based workflows and automation

Command-line access to Hades intelligence for investigators who prefer terminal environments or need to integrate with scripts and workflows.

What you can do:

  • Terminal-based investigations
  • Script-friendly automation
  • Integration with existing CLI workflows
  • Specialized investigation skills

Ollama (Local AI)

Best for: Air-gapped environments and privacy-sensitive investigations

Use Hades with locally-running AI models (Llama, Mistral) for environments where dark web intelligence must stay on-premise.

What you can do:

  • Fully local inference (no cloud)
  • Air-gapped investigations
  • Cost-effective high-volume queries
  • Data sovereignty compliance

OpenAI Integration

Best for: Custom applications and programmatic access

Integrate Hades with GPT-4 or GPT-3.5 for building custom applications, automation, or existing OpenAI-based workflows.

What you can do:

  • Custom application development
  • Programmatic API access
  • Integration with existing GPT workflows
  • Flexible model selection

Comparison: Which Integration to Use?

| Feature | Claude Desktop | Claude CLI | Ollama | OpenAI |
|---|---|---|---|---|
| Ease of Setup | Easy | Easy | Medium | Medium |
| Cost | Subscription | Subscription | Free (local) | Pay-per-token |
| Privacy | Cloud | Cloud | Fully local | Cloud |
| Model Quality | Excellent | Excellent | Good (varies) | Excellent |
| Multi-tool Reasoning | Excellent | Excellent | Medium | Excellent |
| Speed | Fast | Fast | Varies (hardware) | Fast |
| Best For | Interactive investigations | Terminal workflows | Air-gapped/sensitive | Custom integrations |

Recommendations:

Use Claude Desktop/CLI if:

  • You need best-in-class reasoning for complex investigations
  • Cost is not a primary concern
  • You want the easiest setup experience

Use Ollama if:

  • Dark web intelligence must stay on-premise (air-gapped)
  • You have powerful local hardware (32GB+ RAM for 70B models)
  • Cost is a constraint for high-volume usage

Use OpenAI if:

  • You’re building custom applications or integrations
  • You need programmatic access for automation
  • You want to use specific GPT models (GPT-4, GPT-3.5)

Getting Started

To get started with the Hades MCP Server, contact [email protected] for:

  1. API Key - Your authentication credentials
  2. Setup Instructions - Platform-specific configuration guidance
  3. Support - Technical assistance with integration

Once configured, you’ll have immediate access to all 21 Hades MCP tools through your chosen AI platform.

Example Investigations

Cryptocurrency Tracking

Query: “Find all dark web sites using Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh”

What happens:

  1. Claude uses find_servers_with_wallet tool
  2. Returns all servers with this Bitcoin address
  3. Includes risk levels, site titles, and related entities
  4. Synthesizes into actionable intelligence

Vendor Attribution

Query: “Find all marketplaces operated by the same vendor as darkmarket2023.onion”

What happens:

  1. Claude uses vendor_attribution tool
  2. Searches for shared cryptocurrency wallets and communication channels
  3. Identifies related operations with confidence scores
  4. Provides evidence chain for attribution

Threat Intelligence

Query: “Show me high-risk drug marketplaces discovered in the last 7 days”

What happens:

  1. Claude uses threat_intelligence tool
  2. Filters by risk level, intent category, and discovery date
  3. Returns prioritized threat list
  4. Includes risk scores and confidence levels

Infrastructure Analysis

Query: “Find sites with identical infrastructure to targetmarket.onion”

What happens:

  1. Claude uses find_shv_matches tool
  2. Identifies sites with matching Script Hash Values
  3. Detects mirrors, backups, or franchised operations
  4. Provides infrastructure relationship analysis

Support

Ready to start investigating? Contact [email protected] to get your API key and setup instructions.

MCP Server Tool Reference

Complete reference documentation for all 21 Hades MCP Server tools. Tools are organized into 5 categories based on their primary function.

Cryptocurrency Investigation Tools

search_crypto_wallets

Search for cryptocurrency wallets across dark web sites by type, address, server, or risk level.

Parameters:

  • crypto_type (required) - Type of cryptocurrency: bitcoin, ethereum, monero, litecoin, or dogecoin
  • wallet_address (optional) - Specific wallet address to search for
  • server (optional) - Filter results to specific onion address
  • risk_level (optional) - Filter by server risk: high, medium, or low
  • limit (optional) - Maximum results (default: 100, max: 1000)

Returns:

  • Array of wallet addresses with server information, risk levels, and appearance counts

Use Cases:

  • Find all Bitcoin wallets on high-risk marketplaces
  • Search for a specific Monero address across all servers
  • Discover payment methods used by a particular site

Example:

"Find all Bitcoin wallets on high-risk servers"

find_servers_with_wallet

Find all dark web servers that use a specific cryptocurrency wallet address.

Parameters:

  • wallet_address (required) - The wallet address to search for
  • crypto_type (optional) - Type of crypto (auto-detected if omitted)
  • include_risk_level (optional) - Include risk classification info (default: true)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • List of servers using the wallet with risk levels, titles, intent classifications, and appearance counts

Use Cases:

  • Track a vendor wallet across multiple marketplaces
  • Identify all sites accepting a specific payment address
  • Build network of sites sharing payment infrastructure

Example:

"Find all servers using Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

track_wallet_activity

Track appearances of a cryptocurrency wallet over time across different servers.

Parameters:

  • wallet_address (required) - The wallet to track
  • crypto_type (optional) - Type of cryptocurrency (auto-detected if omitted)
  • time_range_days (optional) - Number of days to look back (default: 30, max: 365)
  • include_server_details (optional) - Include server metadata (default: true)

Returns:

  • Timeline of wallet appearances with dates, servers, risk levels, and activity summary

Use Cases:

  • Monitor when a vendor wallet appears on new sites
  • Track wallet adoption over time
  • Identify temporal patterns in payment address usage

Example:

"Show me the timeline of this Bitcoin address over the last 90 days"

find_related_wallets

Find all cryptocurrency wallets on a specific server, grouped by type.

Parameters:

  • server (required) - Onion address to analyze
  • crypto_types (optional) - Array of crypto types to search (searches all if omitted)
  • min_appearances (optional) - Minimum appearances threshold (default: 1)

Returns:

  • Wallets grouped by cryptocurrency type with appearance counts and summary statistics

Use Cases:

  • Discover all payment methods a marketplace accepts
  • Compare cryptocurrency adoption across sites
  • Identify wallet clusters (wallets that always appear together)

Example:

"What cryptocurrency wallets are on darkmarket2023.onion?"

cross_reference_wallets

Cross-reference multiple wallet addresses to find servers that accept multiple wallets.

Parameters:

  • wallet_addresses (required) - Array of wallet addresses (max: 20)
  • find_common_servers (optional) - Find shared servers (default: true)

Returns:

  • Common servers accepting multiple wallets with connection patterns and overlap analysis

Use Cases:

  • Identify sites operated by the same vendor (shared wallets)
  • Find marketplace relationships
  • Detect wallet rotation patterns

Example:

"Find servers that accept both of these Bitcoin addresses"

Communication Tracking Tools

search_communication_channels

Search for email addresses, Telegram handles, or Discord invites across dark web sites.

Parameters:

  • channel_type (required) - Type of contact: email, telegram_link, or discord_link
  • channel_value (optional) - Specific contact to search for
  • server (optional) - Filter to specific onion address
  • min_appearances (optional) - Minimum appearances threshold (default: 1)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • Contacts with appearance counts, server lists, and distribution statistics

Use Cases:

  • Find all Telegram handles used by marketplaces
  • Search for a specific email address across the dark web
  • Identify communication patterns by risk level

Example:

"Find all Telegram handles on high-risk drug marketplaces"

find_servers_by_contact

Find all dark web servers using a specific contact method (email, Telegram, Discord).

Parameters:

  • contact (required) - The contact identifier (email, Telegram handle, Discord invite)
  • contact_type (optional) - Type of contact (auto-detected if omitted)
  • include_risk_info (optional) - Include risk levels (default: true)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • Servers using the contact with risk information, titles, and appearance details

Use Cases:

  • Track a vendor Telegram handle across marketplaces
  • Find all sites using a support email
  • Identify vendor operations through shared contacts

Example:

"Find all servers using Telegram handle @darkvendor"

vendor_attribution

Perform comprehensive vendor attribution analysis by finding servers with shared identifiers.

Parameters:

  • server (required) - Starting server to analyze
  • search_crypto (optional) - Include cryptocurrency addresses (default: true)
  • search_communications (optional) - Include communication channels (default: true)
  • min_shared_indicators (optional) - Minimum shared identifiers for match (default: 2)

Returns:

  • Related servers with confidence scores, shared identifiers, and detailed attribution analysis

Use Cases:

  • Identify all operations controlled by a vendor
  • Build high-confidence attribution chains
  • Discover backup sites and mirrors

Example:

"Perform vendor attribution on darkmarket2023.onion with high confidence"

cross_platform_tracking

Track multiple identifiers (wallets, emails, Telegram) across servers to find overlapping operations.

Parameters:

  • identifiers (required) - Array of identifiers to track (wallets, emails, handles)
  • group_by_overlap (optional) - Group servers by identifier overlap (default: true)

Returns:

  • Servers grouped by number of matching identifiers with high-confidence matches highlighted

Use Cases:

  • Track a vendor across multiple identifiers
  • Identify operations with partial identifier overlap
  • Build comprehensive vendor profiles

Example:

"Track these identifiers: @vendor, [email protected], bc1qxy2..."

Infrastructure Fingerprinting Tools

find_shv_matches

Find sites with identical JavaScript infrastructure using Script Hash Values (SHV).

Parameters:

  • server (required) - Server to analyze
  • include_details (optional) - Include JavaScript file details (default: true)
  • limit (optional) - Maximum matches to return (default: 50)

Returns:

  • Sites with matching SHV, script counts, file lists, and confidence scores

Use Cases:

  • Identify mirror sites and backups
  • Discover franchised operations (same codebase)
  • Track infrastructure reuse by threat actors

Example:

"Find sites with identical infrastructure to targetmarket.onion"

search_by_ssh_fingerprint

Find co-hosted sites by SSH fingerprint to identify shared physical infrastructure.

Parameters:

  • fingerprint (optional) - Specific SSH fingerprint to search
  • server (optional) - Get fingerprint from this server and find matches
  • find_cohosted (optional) - Find co-hosted sites (default: true)
  • limit (optional) - Maximum results (default: 100)

Returns:

  • Co-hosted servers with confidence levels and hosting provider analysis

Use Cases:

  • Identify bulletproof hosting providers
  • Find sites hosted on the same physical server
  • Detect hosting patterns

Example:

"Find all sites co-hosted with targetmarket.onion"

infrastructure_clustering

Cluster servers by shared infrastructure (SHV, SSH, or combined).

Parameters:

  • method (optional) - Clustering method: shv, ssh, or combined (default: combined)
  • min_cluster_size (optional) - Minimum servers per cluster (default: 2)
  • include_singletons (optional) - Include isolated servers (default: false)
  • limit (optional) - Maximum clusters to return (default: 50)

Returns:

  • Infrastructure clusters sorted by size with cluster statistics

Use Cases:

  • Identify major hosting providers or shared infrastructure
  • Detect infrastructure patterns across threat actors
  • Discover related operations through infrastructure

Example:

"Cluster servers by shared JavaScript infrastructure"

technology_stack_analysis

Analyze a server’s technology stack and find servers using similar technologies.

Parameters:

  • server (required) - Server to analyze
  • include_similar_tech (optional) - Find similar technology stacks (default: true)
  • limit (optional) - Maximum similar servers (default: 20)

Returns:

  • Detected frameworks, libraries, technologies, and servers with similar stacks

Use Cases:

  • Identify technology adoption patterns
  • Find sites built with the same frameworks
  • Track technology trends in criminal ecosystems

Example:

"Analyze the technology stack of targetmarket.onion"

Server Intelligence Tools

query_servers

Advanced server search with multiple filter criteria.

Parameters:

  • risk_level (optional) - Risk level: high, medium, or low
  • intent_category (optional) - Intent category (e.g., drugs, weapons, hacking)
  • intent_threshold (optional) - Minimum intent confidence score 0-1 (default: 0.5)
  • has_crypto (optional) - Only servers with cryptocurrency wallets
  • crypto_type (optional) - Specific crypto type filter
  • has_communications (optional) - Only servers with contact methods
  • date_discovered_after (optional) - ISO date string for minimum discovery date
  • date_discovered_before (optional) - ISO date string for maximum discovery date
  • limit (optional) - Maximum results (default: 100, max: 500)

Returns:

  • Filtered servers with full metadata including risk, intent, entities, and dates

Use Cases:

  • Find all high-risk drug marketplaces discovered recently
  • Search for hacking services with cryptocurrency
  • Build targeted threat intelligence feeds

Example:

"Find high-risk marketplaces with Bitcoin discovered in the last 30 days"

get_server_details

Get comprehensive intelligence report for a specific server.

Parameters:

  • server (required) - Onion address to analyze
  • include_entities (optional) - Include crypto, emails, contacts (default: true)
  • include_ports (optional) - Include port scan results (default: true)
  • include_images (optional) - Include extracted images (default: false)
  • include_javascript (optional) - Include JavaScript files (default: false)

Returns:

  • Complete server profile with all available intelligence

Use Cases:

  • Generate comprehensive intelligence reports
  • Gather all data for a target in one query
  • Build case files for investigations

Example:

"Get complete intelligence profile for darkmarket2023.onion"

risk_assessment

Calculate threat scores and aggregate risk statistics.

Parameters:

  • server (optional) - Specific server to assess
  • aggregate_by (optional) - Aggregation type: intent, risk_level, or technology (default: intent)
  • time_range_days (optional) - Time range for analysis (default: 30, max: 365)
  • top_n (optional) - Number of top results (default: 20)

Returns:

  • Threat scores, risk factors, and aggregated statistics

Use Cases:

  • Assess overall threat landscape
  • Identify trending threat categories
  • Calculate risk scores for specific servers

Example:

"Show me the top 10 threat categories in the last 30 days"

threat_intelligence

Real-time feed of high-risk discoveries with configurable filters.

Parameters:

  • threat_types (optional) - Array of threat categories to monitor
  • risk_levels (optional) - Array of risk levels (default: ["high"])
  • discovered_in_last_days (optional) - Recent discoveries only (default: 7, max: 90)
  • min_intent_score (optional) - Minimum confidence threshold (default: 0.7)
  • limit (optional) - Maximum results (default: 50, max: 200)

Returns:

  • Recent high-risk threats with classifications, intent scores, and summaries

Use Cases:

  • Daily threat intelligence briefings
  • Monitor for specific threat types (drugs, weapons, malware)
  • Early warning of emerging threats

Example:

"Show me high-risk drug marketplaces discovered in the last 7 days"

Relationship Mapping Tools

trace_relationships

Build investigation graphs by tracing relationships from a starting point.

Parameters:

  • start_point (required) - Server or entity to start from
  • start_type (required) - Type of starting point: server or entity
  • relationship_types (required) - Array of relationship types to trace:
    • shared_entities - Shared crypto/emails/communications
    • shv_match - Identical JavaScript infrastructure
    • ssh_match - Co-hosted servers
    • linked_onions - Sites linking to each other
    • similar_content - Content similarity
  • max_depth (optional) - Traversal depth (default: 2, max: 3)
  • limit_per_level (optional) - Max nodes per depth level (default: 10)

Returns:

  • Graph with nodes, edges, relationship types, and statistics

Use Cases:

  • Build comprehensive investigation graphs
  • Discover indirect relationships between servers
  • Map criminal networks

Example:

"Build investigation graph from darkmarket2023.onion with depth 2"

temporal_analysis

Track how a server or entity changes over time.

Parameters:

  • target (required) - Server or entity to analyze
  • target_type (required) - Type: server or entity
  • time_range_days (optional) - Days to analyze (default: 90, max: 365)
  • track_changes (optional) - Array of change types to track (default: ["new_entities"]):
    • new_entities - New crypto/emails/contacts appearing
    • content_changes - Title, content modifications
    • status_changes - Online/offline status changes
    • infrastructure_changes - SHV, SSH changes

Returns:

  • Timeline of events, change summaries, and evolution analysis

Use Cases:

  • Track how a marketplace evolved
  • Identify when vendors became active
  • Detect infrastructure changes (potential response to investigation)

Example:

"Show me how targetmarket.onion has changed over the last 90 days"

network_analysis

Analyze connections between multiple servers to find relationships.

Parameters:

  • servers (required) - Array of onion addresses (min: 1, max: 20)
  • find_connections (optional) - Find connections between servers (default: true)
  • connection_types (optional) - Types to find (default: ["shared_entities", "shv_match"]):
    • shared_entities - Shared crypto/communications
    • shv_match - Identical infrastructure
    • ssh_match - Co-hosting
    • linked_onions - Sites linking to each other

Returns:

  • Network graph with nodes, edges, connection statistics, and most connected server

Use Cases:

  • Analyze marketplace cartels
  • Find connections between threat actors
  • Build network maps for presentations

Example:

"Analyze connections between these 3 marketplaces"

entity_evolution

Track how an entity (wallet, email, etc.) appears and evolves across servers over time.

Parameters:

  • entity_value (required) - The entity to track (wallet, email, Telegram handle, etc.)
  • entity_type (optional) - Type of entity (auto-detected if omitted)
  • track_over_days (optional) - Days to track (default: 90, max: 365)

Returns:

  • Timeline of entity appearances, server details, risk distribution, and evolution patterns

Use Cases:

  • Track vendor migration between marketplaces
  • Monitor when a wallet gets adopted by new sites
  • Identify temporal patterns in entity usage

Example:

"Track this Bitcoin address across time and servers over 180 days"

Tool Selection Guide

When to Use Which Tool

For Cryptocurrency Investigations:

  • Start with find_servers_with_wallet to locate all servers
  • Use track_wallet_activity for temporal patterns
  • Use find_related_wallets to discover payment methods
  • Use cross_reference_wallets for multi-wallet attribution

For Vendor Attribution:

  • Use vendor_attribution as primary tool (analyzes both crypto and communications)
  • Use cross_platform_tracking for multi-identifier tracking
  • Use find_servers_by_contact for specific communication channels
  • Use trace_relationships to build comprehensive attribution graph

For Infrastructure Analysis:

  • Use find_shv_matches to find identical infrastructure
  • Use search_by_ssh_fingerprint for co-hosting detection
  • Use infrastructure_clustering for ecosystem-wide patterns
  • Use technology_stack_analysis for framework detection

For Threat Intelligence:

  • Use threat_intelligence for daily monitoring feeds
  • Use query_servers for specific targeted searches
  • Use risk_assessment for aggregated threat statistics
  • Use get_server_details for comprehensive target analysis

For Network Mapping:

  • Use network_analysis to analyze connections between known servers
  • Use trace_relationships to discover connections from a single starting point
  • Use temporal_analysis to understand evolution over time
  • Use entity_evolution to track specific identifiers

Common Query Patterns

Pattern: Find Everything About a Server

1. get_server_details - Get full intelligence profile
2. vendor_attribution - Find related operations
3. trace_relationships - Build network graph
4. temporal_analysis - Track evolution

Pattern: Track a Vendor

1. find_servers_with_wallet - Locate vendor wallet
2. find_servers_by_contact - Find Telegram/email usage
3. vendor_attribution - High-confidence attribution
4. cross_platform_tracking - Multi-identifier correlation

Pattern: Monitor Threats

1. threat_intelligence - Daily feed of new threats
2. query_servers - Targeted searches
3. risk_assessment - Aggregate statistics

Pattern: Infrastructure Correlation

1. find_shv_matches - Identical infrastructure
2. search_by_ssh_fingerprint - Co-hosting
3. infrastructure_clustering - Ecosystem patterns

Parameter Notes

Common Defaults

  • Most tools default to limit: 100 results
  • Time ranges default to 30 or 90 days
  • Confidence thresholds default to 0.5-0.7
  • Optional includes default to true for common use cases

Auto-Detection

Several tools auto-detect types:

  • find_servers_with_wallet - Auto-detects crypto type from wallet format
  • find_servers_by_contact - Auto-detects if email, Telegram, or Discord
  • entity_evolution - Auto-detects entity type

Performance Tips

  • Use narrower time ranges for faster queries
  • Set lower limits when possible
  • Use specific filters instead of broad searches
  • Combine filters to reduce result sets

For practical examples of using these tools together, see the Usage Examples page.

MCP Server Usage Examples

Step-by-step examples of common dark web investigation workflows using the Hades MCP Server with Claude AI. Each example shows the natural language query and expected results.

Table of Contents

  1. Cryptocurrency Wallet Investigation
  2. Vendor Attribution Analysis
  3. Infrastructure Correlation
  4. Threat Intelligence Monitoring
  5. Network Analysis

Cryptocurrency Wallet Investigation

Scenario: Track a Bitcoin wallet across dark web marketplaces

Goal: Find all sites using a specific Bitcoin address and analyze their risk profiles.

Step 1: Find all servers with the wallet

User Query:

"Find all dark web sites using Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

Claude uses: find_servers_with_wallet

Expected Result:

Found 2 servers using this Bitcoin address:

1. darkmarket5abc.onion
   - Risk Level: High
   - Intent: Illegal drugs
   - Title: "DarkMarket - Premium Drugs"
   - Appearances: 12

2. vendorshop2xyz.onion
   - Risk Level: Medium
   - Intent: Marketplace
   - Title: "Vendor Shop"
   - Appearances: 5

Step 2: Track wallet activity over time

User Query:

"Show me the timeline of this wallet's appearances over the last 90 days"

Claude uses: track_wallet_activity

Expected Result:

Wallet Activity Timeline (Last 90 days):

First Seen: October 28, 2024
Last Seen: January 26, 2025
Total Servers: 2
Total Appearances: 17

Recent Activity:
- darkmarket5abc.onion: Last seen January 15, 2025 (High risk)
- vendorshop2xyz.onion: Last seen December 20, 2024 (Medium risk)

Step 3: Find all other wallets on these servers

User Query:

"What other cryptocurrency wallets are on darkmarket5abc.onion?"

Claude uses: find_related_wallets

Expected Result:

Cryptocurrency wallets on darkmarket5abc.onion:

Bitcoin (2 wallets):
  - bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh (12 appearances)
  - 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (8 appearances)

Monero (1 wallet):
  - 4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAV5Usx3w... (15 appearances)

Total: 3 wallets across 2 cryptocurrency types

Analysis: This marketplace accepts both Bitcoin and Monero, with Monero being most prominent (15 appearances). The presence of multiple Bitcoin addresses suggests either multiple vendors or wallet rotation.


Vendor Attribution Analysis

Scenario: Identify all operations of a vendor starting from one marketplace

Goal: Build high-confidence attribution showing all sites operated by the same vendor.

Step 1: Perform vendor attribution

User Query:

"Find all related sites operated by the same vendor as darkmarket5abc.onion"

Claude uses: vendor_attribution

Expected Result:

Vendor Attribution Analysis for darkmarket5abc.onion:

Identifiers Found:
- Emails: [email protected]
- Telegram: @darkvendor
- Bitcoin: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
- Monero: 4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAV5Usx3w...

Related Servers (3 found):

1. vendorshop2xyz.onion - VERY HIGH CONFIDENCE (4 shared indicators)
   Shared: @darkvendor, bc1qxy2..., [email protected], Monero wallet
   Risk: High, Intent: Marketplace

2. backupshop7def.onion - HIGH CONFIDENCE (3 shared indicators)
   Shared: @darkvendor, bc1qxy2..., Monero wallet
   Risk: Medium, Intent: Marketplace

3. vendor-mirror.onion - MEDIUM CONFIDENCE (2 shared indicators)
   Shared: @darkvendor, bc1qxy2...
   Risk: High, Intent: Illegal drugs

Interpretation: Very high confidence that vendorshop2xyz.onion is operated by the same vendor (shares all 4 identifiers). backupshop7def.onion is likely a backup or related operation. vendor-mirror.onion requires further investigation.

Step 2: Cross-platform tracking

User Query:

"Track these identifiers across all servers: @darkvendor, [email protected], bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh"

Claude uses: cross_platform_tracking

Expected Result:

Cross-Platform Tracking Results:

Identifier Distribution:
- @darkvendor: Appears on 5 servers
- [email protected]: Appears on 4 servers
- bc1qxy2...: Appears on 6 servers

Server Overlap Groups:

3 Identifiers (Very High Confidence):
- darkmarket5abc.onion (High risk, Illegal drugs)
- vendorshop2xyz.onion (High risk, Marketplace)

2 Identifiers (High Confidence):
- backupshop7def.onion (Medium risk, Marketplace)
- vendor-site.onion (High risk, Illegal drugs)

1 Identifier (Medium Confidence):
- newmarket.onion (Medium risk, Marketplace)
- exchange-site.onion (Low risk, Cryptocurrency)

Analysis: Strong evidence of a vendor network. Sites with 3 identifiers are almost certainly the same operator. Sites with 2 identifiers are likely related (backups or franchises).


Infrastructure Correlation

Goal: Identify all sites with identical infrastructure to detect mirrors, backups, and related operations.

Step 1: Find SHV matches

User Query:

"Find sites with identical infrastructure to targetmarket.onion"

Claude uses: find_shv_matches

Expected Result:

Infrastructure Analysis for targetmarket.onion:

SHV: a7f3b2c8d9e1f0a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6
Script Count: 24 JavaScript files
Key Scripts:
- /static/js/main.chunk.js
- /static/js/vendor.chunk.js
- /js/react-bundle.js

Matching Sites (4 found):

1. targetmarket-mirror.onion
   - Script Count: 24 (identical)
   - Risk: High, Intent: Marketplace
   - Title: "TargetMarket Mirror"
   - Confidence: VERY HIGH

2. targetmarket-backup.onion
   - Script Count: 24 (identical)
   - Risk: High, Intent: Marketplace
   - Title: "TargetMarket Backup"
   - Confidence: VERY HIGH

3. tm-v2.onion
   - Script Count: 24 (identical)
   - Risk: High, Intent: Marketplace
   - Title: "TM v2"
   - Confidence: VERY HIGH

4. related-market.onion
   - Script Count: 22 (similar)
   - Risk: Medium, Intent: Marketplace
   - Confidence: MEDIUM

Interpretation: The first 3 sites are confirmed mirrors (identical JavaScript, similar titles). related-market.onion has similar but not identical infrastructure, so it is possibly franchised or running a modified codebase.

Step 2: Check SSH fingerprints for co-hosting

User Query:

"Are targetmarket.onion and targetmarket-mirror.onion hosted on the same server?"

Claude uses: search_by_ssh_fingerprint

Expected Result:

SSH Fingerprint Analysis:

Source: targetmarket.onion
SSH Fingerprint: SHA256:abc123def456...

Co-hosted Sites:
1. targetmarket-mirror.onion (CONFIRMED)
   - Same SSH fingerprint
   - Risk: High
   - Confidence: VERY HIGH - Same physical server

2. unrelated-site.onion
   - Same SSH fingerprint
   - Risk: Low
   - Confidence: MEDIUM - Shared hosting provider

Analysis:

  • targetmarket.onion and targetmarket-mirror.onion: Identical JavaScript AND same SSH = Confirmed mirrors on same server
  • unrelated-site.onion: Same SSH but different SHV = Just shared hosting, not related operations

Threat Intelligence Monitoring

Scenario: Daily monitoring of new high-risk drug marketplaces

Goal: Stay informed on newly discovered threats and emerging marketplaces.

User Query:

"Show me high-risk drug marketplaces discovered in the last 7 days"

Claude uses: threat_intelligence

Expected Result:

Threat Intelligence Feed (Last 7 days)

Time Range: January 20 - January 27, 2025
Total Threats Found: 5 high-risk drug marketplaces

1. newmarket8xyz.onion
   - Discovered: January 25, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (94% confidence)
   - Also classified: Marketplace (89%)
   - Title: "NewMarket - Drugs & More"

2. vendor42abc.onion
   - Discovered: January 23, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (87% confidence)
   - Title: "Vendor 42 Shop"

3. darkpharm-v3.onion
   - Discovered: January 21, 2025
   - Risk Level: Critical
   - Top Intent: Illegal drugs (96% confidence)
   - Also classified: Pharmaceutical (91%)
   - Title: "DarkPharm v3"

4. street-market.onion
   - Discovered: January 20, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (82% confidence)
   - Title: "Street Market"

5. euro-vendor.onion
   - Discovered: January 20, 2025
   - Risk Level: High
   - Top Intent: Illegal drugs (79% confidence)
   - Title: "European Vendor Shop"

Summary:
- All 5 sites are high/critical risk
- Average confidence score: 87.6%
- Most common secondary category: Marketplace

Follow-up queries:

  • “Get complete details on darkpharm-v3.onion”
  • “Find if any of these share infrastructure”
  • “Check if these vendors operate other sites”

Network Analysis

Scenario: Analyze connections between known marketplaces

Goal: Understand relationships between multiple marketplaces to identify cartels or shared operators.

User Query:

"Analyze the connections between these 3 marketplaces: marketplace1.onion, marketplace2.onion, marketplace3.onion"

Claude uses: network_analysis

Expected Result:

Network Analysis Results:

Servers Analyzed: 3

Connections Found: 2

Connection 1: marketplace1.onion ↔ marketplace2.onion
  Type: Shared Entities
  Shared Identifiers (3):
    - Bitcoin: bc1q...
    - Telegram: @admin
    - Email: [email protected]
  Confidence: VERY HIGH

Connection 2: marketplace2.onion ↔ marketplace3.onion
  Type: SHV Match
  Details: Identical JavaScript infrastructure
  SHV: a7f3b2c8d9e1f0a2b3c4d5e6f7a8b9c0...
  Confidence: VERY HIGH

Network Statistics:
- Total Connections: 2
- Connection Types:
  - Shared Entities: 1
  - SHV Match: 1
- Most Connected Server: marketplace2.onion (2 connections)

Interpretation:
- marketplace1 & marketplace2 share Bitcoin, Telegram, email = Same operators
- marketplace2 & marketplace3 have identical infrastructure = Related/franchised
- marketplace2 is the hub connecting the network

Follow-up analysis:

"Perform vendor attribution on marketplace2.onion to find all related sites"

Investigation Best Practices

Start Simple, Build Complexity

Good Workflow:

1. "Find all sites using Bitcoin address bc1qxy2..."
2. "What other wallets are on darkmarket5abc.onion?"
3. "Find all sites operated by the same vendor as darkmarket5abc.onion"
4. "Build investigation graph from darkmarket5abc.onion"

Why: Each query builds on previous results, progressively expanding the investigation.

Use Confidence Scores

Interpreting Results:

  • 4+ shared indicators = Very high confidence, safe to attribute
  • 2-3 shared indicators = High confidence, likely related
  • 1 shared indicator = Medium confidence, needs more investigation
  • Infrastructure only = Lower confidence unless combined with entities

Combine Multiple Signals

Strong Attribution Evidence:

1. Shared crypto wallets + shared communications
2. Identical infrastructure (SHV) + shared entities
3. Co-hosting (SSH) + shared contacts

Weaker Evidence (Requires Corroboration):

  • Single shared entity
  • Similar (not identical) infrastructure
  • Co-hosting alone (shared hosting provider)
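
The rules in "Use Confidence Scores" and "Combine Multiple Signals" written out as a pairwise scorer, as an added example rather than Hades code. The record layout, function names and all sample values are assumptions constructed for illustration; the SHV-plus-SSH rule is taken from the Infrastructure Correlation walkthrough.

```python
from dataclasses import dataclass
from itertools import combinations

WALLET_KINDS = {"bitcoin", "ethereum", "monero", "litecoin", "dogecoin"}
CONTACT_KINDS = {"email", "telegram", "discord"}


@dataclass(frozen=True)
class ServerProfile:
    onion: str
    entities: frozenset = frozenset()   # {(kind, value), ...}
    shv: str = ""                       # Script Hash Value; "" when not collected
    ssh_fp: str = ""                    # SSH fingerprint; "" when not collected


def indicator_tier(shared_count):
    """Tiers from the 'Use Confidence Scores' list, keyed on shared entity count."""
    if shared_count >= 4:
        return "very high"
    if shared_count >= 2:
        return "high"
    return "medium" if shared_count == 1 else "none"


def assess_pair(a, b):
    """Score one pair of servers with the strong/weak evidence rules."""
    shared = a.entities & b.entities
    wallets = any(kind in WALLET_KINDS for kind, _ in shared)
    contacts = any(kind in CONTACT_KINDS for kind, _ in shared)
    same_shv = bool(a.shv) and a.shv == b.shv
    same_ssh = bool(a.ssh_fp) and a.ssh_fp == b.ssh_fp

    strong, weak = [], []
    if wallets and contacts:
        strong.append("shared wallet + shared communications")
    if same_shv and shared:
        strong.append("identical SHV + shared entities")
    if same_ssh and contacts:
        strong.append("co-hosting + shared contacts")
    if same_shv and same_ssh:
        strong.append("identical SHV + same SSH fingerprint")
    if len(shared) == 1:
        weak.append("single shared entity")
    if same_shv and not shared and not same_ssh:
        weak.append("infrastructure only")
    if same_ssh and not shared and not same_shv:
        weak.append("co-hosting alone")

    if strong:
        verdict = "strong"
    elif shared or weak:
        verdict = "needs corroboration"
    else:
        verdict = "unrelated"
    return {"pair": (a.onion, b.onion), "shared": len(shared),
            "tier": indicator_tier(len(shared)), "strong": strong,
            "weak": weak, "verdict": verdict}


def map_network(servers):
    """Assess every pair; return the links found and the most connected server."""
    links, degree = [], {s.onion: 0 for s in servers}
    for a, b in combinations(servers, 2):
        result = assess_pair(a, b)
        if result["verdict"] != "unrelated":
            links.append(result)
            degree[a.onion] += 1
            degree[b.onion] += 1
    hub = max(degree, key=degree.get) if links else None
    return links, hub


# Constructed sample data: hostnames, identifiers and hashes are placeholders.
VENDOR = frozenset({("bitcoin", "bc1q-constructed"),
                    ("telegram", "@constructed_admin"),
                    ("email", "admin@constructed.example")})
SAMPLE = [
    ServerProfile("site-a.onion", VENDOR, shv="shv-1"),
    ServerProfile("site-b.onion", VENDOR, shv="shv-2", ssh_fp="SHA256:host-1"),
    ServerProfile("site-c.onion", shv="shv-2", ssh_fp="SHA256:host-2"),
    ServerProfile("site-d.onion", shv="shv-3", ssh_fp="SHA256:host-1"),
]

if __name__ == "__main__":
    found, hub = map_network(SAMPLE)
    for link in found:
        print(link["pair"], link["verdict"], link["tier"], link["strong"] or link["weak"])
    print("hub:", hub)
```

The indicator tier and the verdict are reported separately so that a pair with several shared wallets but no second signal type still shows as needing corroboration.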

Validate Findings

Cross-Validation:

1. Use vendor_attribution to find related sites
2. Use find_shv_matches to check infrastructure
3. Use cross_platform_tracking to verify shared identifiers
4. Use network_analysis to map complete relationships

Multiple tools confirming the same relationship = High confidence


Common Query Patterns

Quick Vendor Check

"Find all sites operated by the same vendor as targetsite.onion"

Single query for quick attribution analysis.

Comprehensive Investigation

1. "Get complete intelligence profile for targetsite.onion"
2. "Find all sites operated by the same vendor"
3. "Analyze connections between [list of related sites]"
4. "Show me how targetsite.onion has changed over the last 90 days"

Complete investigation from discovery to timeline.

Daily Threat Monitoring

"Show me high-risk marketplaces discovered in the last 24 hours with Bitcoin wallets"

Daily intelligence briefing.

Infrastructure Attribution

1. "Find sites with identical infrastructure to targetsite.onion"
2. "Are these sites co-hosted on the same server?"
3. "Analyze the technology stack of targetsite.onion"

Complete infrastructure analysis.


Tips for Effective Queries

Be Specific

Good: “Find all high-risk drug marketplaces with Bitcoin discovered in the last 7 days”

Less Effective: “Find marketplaces”

Use Natural Language

You don’t need to remember exact tool names or parameters:

Good:

  • “Track this wallet across all sites”
  • “Find related operations”
  • “Show me the timeline”

Unnecessary:

  • “Use find_servers_with_wallet tool with wallet_address parameter”

Follow-Up Questions

Claude maintains context, so you can ask follow-up questions:

User: "Find all sites using Bitcoin address bc1qxy2..."
Claude: [Shows 5 sites]

User: "What other wallets are on the first one?"
Claude: [Understands "first one" refers to first result]

User: "Find sites with identical infrastructure to that site"
Claude: [Continues investigation on same target]

Request Formatting

If you need results in a specific format:

"Find all sites operated by this vendor and format as a table with risk levels and confidence scores"

"Show me the timeline as a bulleted list"

"Summarize the top 3 threats discovered this week"

Troubleshooting Common Issues

No Results Found

Query: “Find all sites using Bitcoin address 1ABC123…”

If no results:

  • Verify wallet address format (Bitcoin addresses start with 1, 3, or bc1)
  • Try searching without filters: “Search for any cryptocurrency wallets”
  • Wallet may not be in database (too new, obscure site, not yet indexed)
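
A local pre-check for the format advice above and for the Auto-Detection list under Parameter Notes, added here as an example and not Hades' own detection code. It classifies an identifier and verifies Bitcoin checksums (Base58Check for 1/3 addresses, Bech32 or Bech32m for bc1 addresses), so a mistyped value is caught before it is queried; the function names and the email and Telegram patterns are assumptions.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
ETHEREUM_RE = re.compile(r"0x[0-9a-fA-F]{40}")      # EIP-55 case checksum not verified
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TELEGRAM_RE = re.compile(r"@[A-Za-z][A-Za-z0-9_]{4,31}")


def base58check_ok(addr):
    """Legacy 1... / P2SH 3... address: 21-byte payload + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    zeros = len(addr) - len(addr.lstrip("1"))        # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05): # mainnet P2PKH / P2SH version bytes
        return False
    checksum = hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4]
    return checksum == raw[-4:]


def segwit_ok(addr):
    """bc1... address: Bech32 (witness v0, BIP173) or Bech32m (v1+, BIP350) checksum."""
    if addr not in (addr.lower(), addr.upper()):     # mixed case is invalid
        return False
    addr = addr.lower()
    if not addr.startswith("bc1") or not 14 <= len(addr) <= 74:
        return False
    data = addr[3:]
    if any(ch not in BECH32 for ch in data):
        return False
    values = [BECH32.index(ch) for ch in data]
    if values[0] > 16 or (values[0] == 0 and len(addr) not in (42, 62)):
        return False
    chk = 1
    for v in [3, 3, 0, 2, 3] + values:               # expanded human-readable part "bc"
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i, gen in enumerate(BECH32_GEN):
            if (top >> i) & 1:
                chk ^= gen
    return chk == (1 if values[0] == 0 else 0x2BC830A3)


def detect_entity_type(value):
    """Return (entity_type, problem); problem is None when the value is well formed."""
    v = value.strip()
    if v.lower().startswith("bc1"):
        return ("bitcoin", None if segwit_ok(v) else "bech32 checksum or length mismatch")
    if v[:1] in ("1", "3") and 25 <= len(v) <= 35:
        return ("bitcoin", None if base58check_ok(v) else "Base58Check checksum mismatch")
    if ETHEREUM_RE.fullmatch(v):
        return ("ethereum", None)
    if EMAIL_RE.fullmatch(v):
        return ("email", None)
    if TELEGRAM_RE.fullmatch(v):
        return ("telegram", None)
    return (None, "unrecognised format")


if __name__ == "__main__":
    # Identifiers as printed on this page, plus constructed malformed inputs.
    for sample in ("bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh",
                   "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
                   "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb",  # constructed: last character altered
                   "@darkvendor",
                   "1ABC123"):                            # constructed: too short for an address
        print(sample, "->", detect_entity_type(sample))
```

A checksum failure means the string was altered or truncated somewhere between the source and the query, which is a different situation from a valid address that is simply not indexed.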

Too Many Results

Query: “Find all sites with Bitcoin”

If overwhelmed with results:

  • Add filters: “Find high-risk sites with Bitcoin”
  • Narrow time range: “…discovered in the last 30 days”
  • Be more specific: “…drug marketplaces with Bitcoin wallets”

Unclear Relationships

When connections aren’t clear:

  • Use vendor_attribution for high-confidence matches
  • Check confidence scores (2+ shared indicators minimum)
  • Verify with infrastructure: “Do these sites share infrastructure?”
  • Review timeline: “When did this wallet appear on each site?”

For complete tool documentation, see the Tool Reference page.

For conceptual investigation workflows, see Investigation Workflows.

Investigation Skills for Hades

Specialized investigation skills that enhance your Hades MCP Server investigations with expert methodologies, structured analysis frameworks, and professional report templates.

What are Investigation Skills?

Investigation skills are reusable expert personas that provide:

  • Specialized domain knowledge and methodologies
  • Structured investigation frameworks
  • Consistent output formats
  • Best practices and guidelines

When you activate a skill, the AI loads that expertise and applies it to your investigation, automatically using the appropriate Hades MCP tools with proper methodology.

Platform Support: These skills work across all AI platforms that support the Hades MCP Server, including Claude Desktop, Claude CLI, OpenAI (ChatGPT/GPT-4), and Ollama (local models).

Available Skills

1. Hades Analyst

General dark web intelligence analyst for comprehensive investigations

Best for: General investigations, onion site analysis, entity tracking, infrastructure correlation

Confidence Framework: Very High (95%+), High (80-94%), Medium (60-79%), Low (<60%)

What it does:

  • Comprehensive dark web intelligence analysis using all 21 Hades MCP tools
  • Structured methodology with confidence-based attribution
  • Evidence chain building for investigations
  • Multi-tool coordination for complex queries
  • Professional intelligence summaries

2. Vendor Tracker

Specialized vendor attribution across multiple marketplaces

Best for: Vendor attribution, marketplace vendor tracking, building evidence chains, identifying vendor networks

Confidence Methodology: 4+ indicators = 95%+, 3 indicators = 80-94%, 2 indicators = 60-79%

What it does:

  • Tracks vendors across dark web marketplaces
  • Correlates cryptocurrency wallets, communication channels, and infrastructure
  • Builds high-confidence attribution chains
  • Analyzes vendor migration patterns
  • Assesses operational security (OPSEC)
  • Creates evidence-based investigation reports

3. Threat Reporter

Creates structured threat intelligence reports for SOC teams

Best for: SOC briefings, daily threat briefs, vendor investigation reports, executive summaries, formal documentation

Report Types: Daily Threat Brief, Vendor Investigation Report, Infrastructure Analysis, Cryptocurrency Tracking Report

What it does:

  • Transforms Hades data into executive-ready intelligence reports
  • Follows intelligence community best practices
  • Applies TLP marking and confidence assessments
  • Creates SMART recommendations
  • Synthesizes complex findings into clear intelligence
  • Provides specific IoCs and defensive actions

Using Skills Across Platforms

Claude Desktop / Claude CLI

Activation: Use slash commands to invoke skills

Examples:

# General investigation with Hades Analyst
/hades-analyst investigate darkmarket2023.onion

# Track Bitcoin wallet
/hades-analyst track Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

# Vendor attribution with Vendor Tracker
/vendor-tracker find all sites operated by darkmarket5abc.onion

# Create report with Threat Reporter
/threat-reporter generate vendor investigation report for darkmarket2023.onion

# Daily threat brief
/threat-reporter create daily brief for last 24 hours

Setup: Contact [email protected] for skill installation packages for Claude Desktop/CLI.


OpenAI (ChatGPT / GPT-4 / GPT-3.5)

Activation: Load skill as system prompt at the start of your conversation

Example - Hades Analyst:

System Prompt:
You are an expert Dark Web Intelligence Analyst specializing in Tor hidden service
investigations using the Hades platform. You have access to 21 Hades MCP tools for
querying dark web intelligence.

Use structured methodology with confidence-based attribution:
- Very High Confidence (95%+): 4+ shared indicators
- High Confidence (80-94%): 2-3 shared indicators
- Medium Confidence (60-79%): 1 shared indicator
- Low Confidence (<60%): Circumstantial evidence

For every investigation:
1. Use get_server_details for comprehensive profiles
2. Use vendor_attribution for related operations
3. Use find_shv_matches to check for mirrors
4. Provide structured intelligence summary with confidence scores

Always cite which Hades MCP tools you used for each finding.

User Query:

Investigate darkmarket2023.onion and provide a comprehensive intelligence assessment

Example - Vendor Tracker:

System Prompt:
You are a specialized dark web vendor attribution analyst. Track vendors across
marketplaces by correlating cryptocurrency wallets, communication channels, and
infrastructure using Hades MCP tools.

Confidence scoring:
- 4+ shared indicators = 95%+ confidence (same operator)
- 3 shared indicators = 80-94% confidence (likely related)
- 2 shared indicators = 60-79% confidence (possible relation)

Build evidence chains showing: shared wallets, communication channels, infrastructure
patterns, and temporal correlations. Use vendor_attribution and cross_platform_tracking
tools proactively.

Example - Threat Reporter:

System Prompt:
You are a threat intelligence report writer transforming Hades MCP data into
executive-ready intelligence reports following IC standards.

Report structure:
- Executive Summary (2-3 sentences)
- Key Findings (bulleted, confidence-assessed)
- Technical Details (IoCs, infrastructure, entities)
- Recommendations (SMART format)
- TLP marking (TLP:AMBER by default)

Use threat_intelligence and query_servers tools to gather data, then synthesize into
formal reports with proper confidence assessments.

Setup: Configure Hades MCP Server with OpenAI integration (see MCP Server Setup)


Ollama (Local Models)

Activation: Load skill as system prompt when starting conversation

Example - Hades Analyst (Llama 3 / Mistral):

# Start Ollama with system prompt
ollama run llama3

>>> /set system """You are an expert Dark Web Intelligence Analyst specializing in Tor
hidden service investigations using the Hades platform. You have access to 21 Hades
MCP tools. Use structured methodology with confidence-based attribution: Very High
(95%+) for 4+ indicators, High (80-94%) for 2-3 indicators, Medium (60-79%) for 1
indicator. For investigations, use get_server_details first, then vendor_attribution,
then find_shv_matches. Always provide confidence scores and cite which tools you used."""

>>> Investigate darkmarket2023.onion

Example - Vendor Tracker:

ollama run llama3

>>> /set system """You are a dark web vendor attribution analyst tracking vendors across
marketplaces. Use Hades MCP tools to correlate cryptocurrency wallets, communication
channels, and infrastructure. Confidence: 4+ indicators = 95%+, 3 indicators = 80-94%,
2 indicators = 60-79%. Build evidence chains with vendor_attribution and
cross_platform_tracking tools."""

>>> Find all operations related to vendor using Bitcoin bc1qxy2... and Telegram @darkvendor

Example - Threat Reporter:

ollama run llama3

>>> /set system """You are a threat intelligence report writer. Transform Hades MCP data
into executive-ready reports with: Executive Summary, Key Findings (with confidence),
Technical Details (IoCs), Recommendations (SMART), TLP marking. Use threat_intelligence
and query_servers tools, synthesize into formal IC-standard reports."""

>>> Create a daily threat brief for the last 24 hours

Setup: Configure Hades MCP Server with Ollama integration (see MCP Server Setup)

Model Recommendations:

  • llama3:70b - Best quality for complex investigations
  • llama3:latest (8B) - Good balance of speed and quality
  • mistral:latest - Fast, good for simple queries

Skill Comparison

| Skill | Best For | Output Style | Confidence Method | Tools Used |
|---|---|---|---|---|
| Hades Analyst | General investigations | Structured analysis | Evidence-based (4-tier) | All 21 tools |
| Vendor Tracker | Vendor attribution | Evidence chains | Indicator count (4+ = 95%+) | Attribution-focused |
| Threat Reporter | Formal reports | Executive briefs | IC standards (Very High→Low) | Analysis + reporting |

When to Use Each Skill

Use Hades Analyst when:

  • You are running general dark web investigations
  • You need comprehensive analysis
  • You are exploring unknown targets
  • You are building an initial intelligence picture

Use Vendor Tracker when:

  • You are tracking vendors across marketplaces
  • You are building attribution cases
  • You need high-confidence vendor identification
  • You are building evidence chains for law enforcement

Use Threat Reporter when:

  • You are creating deliverables for stakeholders
  • You are briefing SOC teams
  • You need executive summaries
  • You need formal documentation
  • You need TLP-marked reports

Combining Skills

You can use skills in sequence for comprehensive investigations:

Claude Desktop/CLI:

# Step 1: General investigation
/hades-analyst investigate darkmarket2023.onion

# Step 2: Vendor attribution
/vendor-tracker find all operations for this vendor

# Step 3: Create formal report
/threat-reporter generate vendor investigation report

OpenAI/Ollama:

Step 1: Start with Hades Analyst system prompt, investigate target
Step 2: Switch to Vendor Tracker system prompt, build attribution
Step 3: Switch to Threat Reporter system prompt, create formal report

Platform-Specific Tips

Claude Desktop/CLI

  • Pros: Easiest to use, best skill integration, slash command activation
  • Cons: Requires Claude subscription
  • Best for: Interactive investigations, rapid skill switching

OpenAI (ChatGPT/GPT-4)

  • Pros: Familiar interface, excellent reasoning, API access available
  • Cons: Need to paste system prompts manually, no native skill support
  • Best for: Custom integrations, programmatic access, GPT-specific features

Ollama (Local Models)

  • Pros: Fully local, no data leaves your system, cost-effective at scale
  • Cons: Requires powerful hardware, system prompts need manual loading
  • Best for: Air-gapped environments, privacy-sensitive investigations, high-volume usage

Getting Access

Investigation skills are available with the Hades MCP Server. Contact [email protected] for:

  1. Claude Skills Package - Pre-configured skills for Claude Desktop/CLI
  2. System Prompt Library - Optimized prompts for OpenAI and Ollama
  3. Setup Guidance - Platform-specific configuration assistance
  4. Support - Technical assistance with skill deployment

Example Investigation Workflows

Workflow 1: Cryptocurrency Wallet Investigation

Claude:

/hades-analyst track Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh

OpenAI/Ollama:

[Load Hades Analyst system prompt]

User: Track Bitcoin address bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh across all
dark web servers and provide attribution analysis

Workflow 2: Vendor Attribution

Claude:

/vendor-tracker create vendor attribution report for darkmarket2023.onion

OpenAI/Ollama:

[Load Vendor Tracker system prompt]

User: Analyze darkmarket2023.onion and build a comprehensive vendor attribution report
with all related operations, shared indicators, and confidence scores

Workflow 3: Daily Threat Brief

Claude:

/threat-reporter create daily brief for last 24 hours

OpenAI/Ollama:

[Load Threat Reporter system prompt]

User: Create a daily threat intelligence brief covering all high-risk discoveries in
the last 24 hours with TLP:AMBER marking

Privacy & Security Note

These skills contain NO sensitive information:

  • No API keys or credentials
  • No proprietary data
  • No classified information
  • Just methodological frameworks and report templates

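Because they contain only methodology, the skills themselves are safe to use across all platforms and in any environment. Your queries and the tool results are still processed by the AI platform you choose; of the three, only the local Ollama setup keeps all data on your system.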

Support

For questions about investigation skills:

Contributing

Have improvements to the skills? Contact [email protected] to suggest:

  • Investigation methodologies
  • Report templates
  • Confidence scoring frameworks
  • Platform-specific optimizations

Ready to enhance your Hades investigations with expert skills across any AI platform!