Security Transforms

Track SSH host key fingerprints to identify shared server infrastructure across dark web sites. These transforms reveal hosting relationships and infrastructure reuse.

Overview

An SSH (Secure Shell) host key fingerprint is a hash (SHA-256 in current OpenSSH, MD5 in older tooling) of the public host key an SSH server presents during key exchange. A server cannot present a given fingerprint without holding the matching private key, so when multiple onion sites share the same SSH fingerprint, the same host key is in use behind all of them. In practice that means one of:

  • The sites are hosted on the same physical or virtual server
  • The same SSH host keys were copied to several servers (the same administrator, or a VM/container image that shipped with a pre-generated host key)
  • The sites are part of shared infrastructure (a hosting provider, a reverse proxy, or a common front end)

A shared host key is one of the strongest single indicators of an infrastructure relationship, but it identifies the server, not the operator: who controls the sites on that server still has to be established from other evidence.


FetchSSHFingerprints

Transform Name: FetchSSHFingerprints

Description

Extracts all SSH fingerprints found on or associated with a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.sshfingerprint - SSH server fingerprints

Properties Returned

  • Appearances - Number of times this SSH fingerprint appears in the database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

How SSH Fingerprints Are Collected

SSH host key fingerprints can be collected in a few ways:

  • A direct SSH connection to the onion address: the server sends its host public key during key exchange, before any authentication, so no credentials are needed (this only works when the onion service exposes an SSH port)
  • Banner grabbing and service enumeration that reveal an SSH service on the site's onion address
  • Fingerprints embedded in page source, for example a host key the operator publishes on a contact or server-verification page

TLS certificates and HTTP response headers identify other services on the host; they do not carry SSH host keys. A fingerprint that did not come from the SSH service itself was published by someone, and should be treated as a claim until it is verified against a live connection.
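What a fingerprint actually is, and why fingerprints pulled from different sources have to be normalized before they are compared, as an added worked example in Python (it is not part of Project Hades or its transforms). The sample key is built from fixed bytes and belongs to no real server; `build_openssh_pubkey_line`, `parse_pubkey_line` and `normalize_fingerprint` are hypothetical helper names. The parser accepts the `type base64 [comment]` line that `ssh-keyscan` prints (with or without the leading hostname) and produces the same two fingerprint forms as `ssh-keygen -lf` (SHA256) and `ssh-keygen -E md5 -lf` (MD5):

```python
import base64
import hashlib
import re
import struct
from typing import Tuple

# Constructed sample: a 32-byte Ed25519 public key made of deterministic bytes.
# It is NOT any real server's key; it only exercises the fingerprint code.
SAMPLE_RAW_KEY = bytes(range(32))


def build_openssh_pubkey_line(raw_key: bytes, key_type: str = "ssh-ed25519",
                              comment: str = "") -> str:
    """Encode a raw Ed25519 public key as an OpenSSH public-key line.

    The base64 blob is the SSH wire encoding: a length-prefixed type string
    followed by a length-prefixed key. The fingerprint is a hash of this blob,
    not of the raw key bytes.
    """
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_pubkey_line(line: str) -> Tuple[str, bytes]:
    """Accept 'type base64 [comment]' or the 'host type base64' form that
    ssh-keyscan prints, and return (declared_type, blob).

    The blob's embedded type tag must match the declared type; a mismatch is
    the usual sign of a mangled or hand-edited record.
    """
    fields = line.split()
    if fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]  # drop the leading hostname from ssh-keyscan output
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode()
    if embedded_type != key_type:
        raise ValueError(f"type tag {embedded_type!r} != declared {key_type!r}")
    return key_type, blob


def fingerprint_sha256(line: str) -> str:
    """OpenSSH's default fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(line: str) -> str:
    """Legacy fingerprint (ssh-keygen -E md5): 'MD5:' + colon-separated hex."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


# MD5 form: optional 'MD5:' prefix, 16 hex pairs with or without colons, any case.
_MD5_RE = re.compile(r"^(?:md5:)?([0-9a-f]{2}(?::?[0-9a-f]{2}){15})$", re.I)
# SHA-256 form: optional 'SHA256:' prefix, 43 base64 chars, optional '=' padding.
_SHA256_RE = re.compile(r"^(?:sha256:)?([A-Za-z0-9+/]{43})=?$", re.I)


def normalize_fingerprint(text: str) -> Tuple[str, str]:
    """Canonicalize a fingerprint copied from any source into (algo, value),
    so that the same key written two ways compares equal."""
    s = text.strip()
    m = _MD5_RE.match(s)
    if m:
        return "md5", m.group(1).replace(":", "").lower()
    m = _SHA256_RE.match(s)
    if m:
        return "sha256", m.group(1)
    raise ValueError(f"unrecognized fingerprint format: {text!r}")


if __name__ == "__main__":
    line = build_openssh_pubkey_line(SAMPLE_RAW_KEY, comment="root@sample")
    print(line)
    print(fingerprint_sha256(line))
    print(fingerprint_md5(line))
    print(normalize_fingerprint("  " + fingerprint_md5(line).upper() + " "))
```

Normalization only removes formatting differences within one algorithm. An MD5 fingerprint from an old listing and a SHA-256 fingerprint from a fresh scan cannot be compared with each other at all; to link them you need the public key itself, which is one more reason to store the raw `ssh-keyscan` line and not just the fingerprint.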

Use Cases

  • Identify the underlying server infrastructure for an onion site
  • Prepare for finding co-hosted sites
  • Document server fingerprints for infrastructure attribution
  • Track server migrations or infrastructure changes

Investigation Tips

  • An appearance count above 1 means more than one site in the database presents this host key, normally because they share a server
  • A fingerprint cannot be forged without the matching private key, but host keys are sometimes duplicated unintentionally (cloned VM or container images), so a match is strong evidence of shared infrastructure rather than proof of a shared operator
  • Sites on the same server may not be operated by the same people (shared hosting exists)
  • Cross-reference with other intelligence before concluding that a relationship exists

SearchBySSHFingerprint

Transform Name: SearchBySSHFingerprint

Description

Finds all onion sites that share a specific SSH fingerprint, indicating they are hosted on the same server or use the same SSH keys.

Input Entity

  • hades.v2.sshfingerprint - An SSH server fingerprint

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

What Shared SSH Fingerprints Mean

Strong Indicators (High Confidence):

  • Identical host key - The sites share a server, or at minimum the same host key
  • 2-3 sites on the key - Likely operated by the same person or team
  • Small marketplaces - Often share hosting to reduce costs

Moderate Indicators (Medium Confidence):

  • Many sites (10+) - Probably a shared hosting provider serving multiple customers
  • Mix of unrelated content - Likely shared hosting, not the same operator

Requires Investigation:

  • Always cross-reference SSH fingerprint matches with other intelligence
  • Check for shared payment addresses, contacts, or content
  • Consider timing - did sites appear on the server at the same time?

Use Cases

  • Find all sites hosted on the same server
  • Identify server infrastructure shared by multiple marketplaces
  • Discover related operations through hosting relationships
  • Map dark web hosting providers and their customers
  • Track server migrations when SSH fingerprints change

Investigation Workflow Examples

Co-Hosting Discovery

  1. Extract SSH fingerprint from target site

    • Input: targetmarket123abc.onion
    • Run: FetchSSHFingerprints
    • Result: SSH fingerprint(s) for the server
  2. Find co-hosted sites

    • Input: SSH fingerprint from step 1
    • Run: SearchBySSHFingerprint
    • Result: All onion sites on the same server
  3. Analyze co-hosting patterns

    • 2-3 related sites - Likely same operator’s portfolio
    • Many unrelated sites - Probably commercial hosting provider
    • Mix of marketplaces - Could be marketplace-specific hosting service
  4. Build infrastructure attribution

    • For small groups of co-hosted sites:
      • Run FetchBitcoinAddresses on each site
      • Run FetchEmailAddresses and FetchTelegramLinks
      • Look for shared contacts or payment addresses
    • If shared contacts/wallets + shared SSH = very strong attribution

Hosting Provider Mapping

  1. Identify a dark web hosting provider

    • Find known bulletproof hosting or dark web infrastructure services
    • Run: FetchSSHFingerprints
    • Result: SSH fingerprints for their servers
  2. Map the provider’s customers

    • Input: Each SSH fingerprint
    • Run: SearchBySSHFingerprint
    • Result: All sites hosted by this provider
  3. Analyze the customer base

    • What types of sites use this provider?
    • Are high-risk sites concentrated with certain providers?
    • Track provider reliability and longevity
  4. Monitor provider changes

    • Regularly re-run transforms on known hosted sites
    • Detect when sites migrate to different servers/providers
    • Identify provider takedowns or shutdowns

Infrastructure Migration Tracking

  1. Baseline current SSH fingerprints

    • Input: Sites under monitoring
    • Run: FetchSSHFingerprints
    • Document: Current SSH fingerprint and timestamp
  2. Periodic re-fingerprinting

    • Regularly run FetchSSHFingerprints on monitored sites
    • Compare new fingerprints to baseline
  3. Detect migrations

    • Different SSH fingerprint = the host key changed
      • Site moved to a new server or hosting provider
      • OS reinstall, server rebuild or deliberate key rotation on the same machine
      • Response to compromise or law enforcement action
    • Same SSH fingerprint = still the same host key
      • Stable hosting arrangement
      • No infrastructure change, or at least none that replaced the host key
  4. Investigate migration patterns

    • When sites migrate:
      • Run SearchBySSHFingerprint on the NEW fingerprint
      • See if site moved to a server with other known sites
      • Track migration pathways between hosting providers
      • Identify preferred backup hosting providers

Combining SSH with Other Infrastructure Intelligence

SSH fingerprints are most powerful when combined with other transforms:

  1. SSH + SHV Analysis

    • Run: FetchSSHFingerprints and FetchSHV on target site
    • Sites with matching SSH + matching SHV = very strong relationship
    • Sites with matching SSH but different SHV = likely unrelated (shared hosting)
  2. SSH + JavaScript Analysis

    • Run: FetchSSHFingerprints and FetchJavascriptFiles
    • Co-hosted sites with identical JavaScript = very likely related (the same codebase, or at least the same template, on the same server)
    • Co-hosted sites with different JavaScript = possibly unrelated
  3. SSH + Payment/Contact Analysis

    • Run: FetchSSHFingerprints, FetchBitcoinAddresses, FetchEmailAddresses
    • Sites with shared SSH + shared wallets/contacts = same operator with high confidence
    • Sites with shared SSH but different contacts = probably just shared hosting

Attribution Confidence Levels

Very High Confidence (3+ matches):

  • Shared SSH fingerprint
  • Shared cryptocurrency wallets
  • Shared email/Telegram contacts
  • → Same operator with very high confidence

High Confidence (2 matches):

  • Shared SSH fingerprint
  • Shared SHV (JavaScript infrastructure), or a shared wallet or contact
  • → Very likely same operator or closely related

Medium Confidence (SSH plus a weak match):

  • Shared SSH fingerprint
  • Similar content or category
  • → Possibly related, requires more investigation

Low Confidence (1 match only):

  • Shared SSH fingerprint alone
  • → Could be coincidental shared hosting
  • → Requires additional evidence

Server Infrastructure Ecosystem Analysis

  1. Collect SSH fingerprints from many sites

    • Run FetchSSHFingerprints on a large sample of onion sites
    • Build a database of server fingerprints
  2. Cluster analysis

    • Group sites by shared SSH fingerprints
    • Identify major hosting clusters
    • Map the dark web hosting ecosystem
  3. Track ecosystem evolution

    • Monitor which servers grow (gaining new sites)
    • Identify servers that disappear (hosting provider shutdowns)
    • Track migration patterns when servers go offline
  4. Risk assessment

    • Identify high-risk servers hosting many illegal marketplaces
    • Prioritize investigation of sites on high-risk infrastructure
    • Predict which sites may go offline together if server is seized
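The co-hosting discovery workflow, the attribution confidence ladder and the cluster analysis step above, carried out offline on a constructed sample, as an added Python example that is not part of Project Hades. The `Site` record stands in for what FetchSSHFingerprints, FetchBitcoinAddresses, FetchEmailAddresses/FetchTelegramLinks and FetchSHV would return for one onion site; all fingerprints, wallets, handles and `.onion` names are placeholders, and `cluster_by_fingerprint`, `classify_cluster`, `attribution_confidence` and `cluster_summary` are hypothetical helper names. The cluster size thresholds (2-3, 10+) and the confidence ladder are the page's own heuristics encoded as-is:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Site:
    """One onion site with the artifacts the other transforms return."""
    onion: str
    ssh_fp: str                  # normalized SSH host-key fingerprint
    category: str                # e.g. marketplace, forum, vendor-shop
    wallets: frozenset = frozenset()
    contacts: frozenset = frozenset()
    shv: Optional[str] = None    # SHV value, when FetchSHV returned one


def cluster_by_fingerprint(sites: List[Site]) -> Dict[str, List[Site]]:
    """Group sites that present the same host key (what SearchBySSHFingerprint
    does against the database, done here over an in-memory sample)."""
    clusters = defaultdict(list)
    for s in sites:
        clusters[s.ssh_fp].append(s)
    return dict(clusters)


def classify_cluster(cluster: List[Site]) -> str:
    """Apply the page's size and content heuristics to one co-hosting cluster."""
    n = len(cluster)
    categories = {s.category for s in cluster}
    if n == 1:
        return "single_site"
    if n <= 3:
        return "small_likely_same_operator"
    if n >= 10 or len(categories) > 2:
        return "large_shared_hosting"
    if categories == {"marketplace"}:
        return "marketplace_hosting_service"
    return "mid_size_needs_review"


def attribution_confidence(a: Site, b: Site) -> Tuple[str, List[str]]:
    """Score a pair with the page's ladder: SSH alone is low; SSH plus the same
    category is medium; SSH plus one independent artifact (wallet, contact or
    SHV) is high; SSH plus two or more is very high. Without a shared host key
    the ladder does not apply and the pair is reported as 'none'."""
    evidence = []
    if a.ssh_fp == b.ssh_fp:
        evidence.append("ssh")
    if a.wallets & b.wallets:
        evidence.append("wallet")
    if a.contacts & b.contacts:
        evidence.append("contact")
    if a.shv is not None and a.shv == b.shv:
        evidence.append("shv")
    if "ssh" not in evidence:
        return "none", evidence
    independent = len(evidence) - 1
    if independent >= 2:
        return "very_high", evidence
    if independent == 1:
        return "high", evidence
    if a.category == b.category:
        evidence.append("category")
        return "medium", evidence
    return "low", evidence


def cluster_summary(sites: List[Site]) -> Dict[str, dict]:
    """Per-host-key summary for ecosystem mapping and risk prioritization:
    size, classification, how many marketplaces sit on the key, and which
    co-hosted pairs are linked by more than the host key alone."""
    out = {}
    for fp, cluster in cluster_by_fingerprint(sites).items():
        linked = []
        for i, a in enumerate(cluster):
            for b in cluster[i + 1:]:
                level, _ = attribution_confidence(a, b)
                if level in ("high", "very_high"):
                    linked.append((a.onion, b.onion, level))
        out[fp] = {
            "size": len(cluster),
            "classification": classify_cluster(cluster),
            "marketplace_count": sum(s.category == "marketplace" for s in cluster),
            "linked_pairs": linked,
        }
    return out


# Constructed sample (placeholder fingerprints, wallets, handles and names; not real sites).
_ROTATION = ["forum", "blog", "marketplace", "mirror", "wiki"]
SITES = [
    Site("market-a.onion", "FP_A", "marketplace", frozenset({"bc1q-wallet-1"}), frozenset({"@ops-handle"}), "shv-1"),
    Site("market-b.onion", "FP_A", "marketplace", frozenset({"bc1q-wallet-1"}), frozenset({"@ops-handle"}), "shv-1"),
    Site("shop-c.onion", "FP_A", "vendor-shop", shv="shv-1"),
] + [Site(f"site-{i}.onion", "FP_B", _ROTATION[i % 5]) for i in range(10)]

if __name__ == "__main__":
    for fp, info in cluster_summary(SITES).items():
        print(fp, info)
```

In the sample, `FP_A` is the small cluster from the workflow: the two marketplaces share a wallet, a contact and an SHV value on top of the host key and score very high, while the vendor shop is linked to each of them only through the SHV and scores high. `FP_B` has ten sites of five unrelated categories with nothing but the host key in common, which is what a commercial hosting provider looks like in this data, so none of its pairs rise above low or medium.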