Tracking & Analytics Transforms

Discover Google Analytics and Google AdSense tracking IDs to link sites by operator. These transforms leverage clearnet tracking codes inadvertently or intentionally embedded in dark web sites.

Overview

Many dark web sites, especially those with clearnet mirrors or less sophisticated administrators, include Google tracking codes. These provide strong attribution signals:

  • Google Analytics - Web analytics tracking IDs (format: UA-XXXXXX-X or G-XXXXXXXXXX)
  • Google AdSense - Advertising revenue tracking IDs (format: ca-pub-XXXXXXXXXXXXXXXX)

Sites sharing these IDs are operated by the same person or organization, as these IDs are tied to Google accounts.


Google Analytics Transforms

FetchGoogleAnalytics

Transform Name: FetchGoogleAnalytics

Description

Extracts all Google Analytics tracking IDs found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.googleanalytics - Google Analytics tracking IDs

Properties Returned

  • Appearances - Number of times this Analytics ID appears in the database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

Analytics ID Formats

  • Universal Analytics - UA-XXXXXX-X (older format)
  • Google Analytics 4 - G-XXXXXXXXXX (newer format)

Use Cases

  • Identify sites tracked by the same Google account
  • Link clearnet and dark web presences of operators
  • Track amateur operators who don’t understand operational security
  • Find forgotten tracking codes left in site templates

Investigation Tips

  • Google Analytics on dark web sites is a major operational security failure
  • Sites sharing Analytics IDs are definitively operated by the same Google account holder
  • A high appearance count suggests a widely used template with the tracking ID left in
  • The ID can potentially be correlated with clearnet sites using the same Analytics ID

SearchByGoogleAnalytics

Transform Name: SearchByGoogleAnalytics

Description

Finds all onion sites that use a specific Google Analytics tracking ID.

Input Entity

  • hades.v2.googleanalytics - A Google Analytics tracking ID

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Find all dark web sites operated by the same Google account holder
  • Link an operator’s entire portfolio of sites
  • Track clearnet-to-dark web connections
  • Identify related operations through shared analytics

What Shared Analytics IDs Mean

  • Same Analytics ID = Same Google account = Same operator (very high confidence)
  • This is one of the strongest attribution signals available
  • Can potentially be verified through Google Analytics data if accessible

Google AdSense Transforms

FetchGoogleAdSense

Transform Name: FetchGoogleAdSense

Description

Extracts all Google AdSense publisher IDs found on a specified onion site.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • hades.v2.googleadsense - Google AdSense publisher IDs

Properties Returned

  • Appearances - Number of times this AdSense ID appears in the database
  • Hades Link - Direct link to view the onion site in Project Hades web interface

AdSense ID Format

  • Publisher ID - ca-pub-XXXXXXXXXXXXXXXX

Use Cases

  • Identify sites monetized by the same Google account
  • Track revenue generation across site portfolios
  • Link clearnet and dark web operations
  • Identify operators trying to monetize dark web traffic

Investigation Tips

  • Google AdSense on dark web sites is extremely rare (against Google ToS)
  • When found, it’s a critical operational security failure
  • Sites sharing AdSense IDs are definitively operated by the same account holder
  • AdSense accounts can be investigated separately through Google

SearchByGoogleAdSense

Transform Name: SearchByGoogleAdSense

Description

Finds all onion sites that use a specific Google AdSense publisher ID.

Input Entity

  • hades.v2.googleadsense - A Google AdSense publisher ID

Output Entities

  • hades.v2.onion - Onion site addresses

Properties Returned

  • Hades Link - Direct link to view each onion site in Project Hades web interface

Use Cases

  • Find all sites monetized through the same Google account
  • Link an operator’s revenue-generating site portfolio
  • Track attempts to monetize dark web traffic
  • Connect clearnet and dark web operations

What Shared AdSense IDs Mean

  • Same AdSense ID = Same Google account = Same operator (very high confidence)
  • Indicates commercial intent (trying to generate revenue)
  • Can potentially be verified through Google AdSense reporting

Investigation Workflow Examples

Operator Portfolio Discovery

  1. Extract tracking IDs from target site

    • Input: targetsite123abc.onion
    • Run: FetchGoogleAnalytics and FetchGoogleAdSense
    • Result: Tracking IDs found on the site
  2. Find all sites with same tracking

    • Input: Each Google Analytics or AdSense ID
    • Run: SearchByGoogleAnalytics or SearchByGoogleAdSense
    • Result: Complete portfolio of sites tracked by the same Google account
  3. Analyze the portfolio

    • Review all sites discovered
    • Identify mix of clearnet and dark web sites
    • Note content types and business models
    • Map the operator’s entire web presence
  4. Build operator profile

    • Cross-reference with other intelligence:
      • Run FetchBitcoinAddresses on each site
      • Run FetchEmailAddresses and other contact transforms
    • Sites with shared Google tracking + shared contacts = definitive attribution
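
Steps 1 and 2 of this workflow, sketched offline as an added example (not Project Hades code): it extracts IDs in the formats listed on this page from page snapshots and pivots from a target site to the sites sharing them. The regex length bounds, the function names, and all onion names and IDs are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict

# Patterns follow the ID formats listed on this page; the exact digit and
# character counts are assumptions made for this example.
ID_PATTERNS = {
    "googleanalytics": re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{10})\b"),
    "googleadsense": re.compile(r"\bca-pub-\d{16}\b"),
}

# Constructed page snapshots: every onion name and ID below is made up.
PAGES = {
    "targetsite123abc.onion": (
        '<script src="https://www.googletagmanager.com/gtag/js?id=G-AB12CD34EF"></script>'
        '<ins class="adsbygoogle" data-ad-client="ca-pub-1234567890123456"></ins>'
    ),
    "mirrorshop456def.onion": "<script>gtag('config', 'G-AB12CD34EF');</script>",
    "oldforum789ghi.onion": "<script>ga('create', 'UA-1234567-2', 'auto');</script>",
    "plainsite000jkl.onion": "<p>No tracking code here</p>",
}

def fetch_ids(html):
    """Step 1: return {entity_type: sorted unique IDs} found in one page."""
    return {kind: sorted(set(rx.findall(html))) for kind, rx in ID_PATTERNS.items()}

def build_index(pages):
    """Inverted index: (entity_type, id) -> set of sites carrying that ID."""
    index = defaultdict(set)
    for site, html in pages.items():
        for kind, ids in fetch_ids(html).items():
            for tracking_id in ids:
                index[(kind, tracking_id)].add(site)
    return index

def portfolio(target, pages):
    """Step 2: map every other site sharing an ID with target to those IDs."""
    index = build_index(pages)
    linked = defaultdict(list)
    for kind, ids in fetch_ids(pages[target]).items():
        for tracking_id in ids:
            for site in sorted(index[(kind, tracking_id)] - {target}):
                linked[site].append(tracking_id)
    return dict(linked)

if __name__ == "__main__":
    print(fetch_ids(PAGES["targetsite123abc.onion"]))
    print(portfolio("targetsite123abc.onion", PAGES))
```

The size of each index entry corresponds to the Appearances property: the number of sites on which the ID was seen.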

Clearnet-to-Dark Web Linking

  1. Start with dark web site using Google tracking

    • Input: Dark web onion address with Analytics ID
    • Run: FetchGoogleAnalytics
    • Result: Google Analytics ID
  2. Search for Analytics ID across platforms

    • Use external tools to search clearnet for the same Analytics ID
    • Many websites leak their Analytics IDs in source code
    • Build a list of all sites (dark web and clearnet) using this ID
  3. Identify the operator

    • Clearnet sites may have:
      • WHOIS registration information
      • Contact forms with real emails
      • Social media links
      • Business registration details
    • This can reveal the true identity of the dark web operator
  4. Operational security assessment

    • Document the opsec failure
    • Note if operator is aware of the exposure
    • Track if they eventually remove the tracking codes

Template Tracking Code Analysis

  1. Identify sites with common Analytics ID

    • Input: Google Analytics ID found on multiple sites
    • Run: SearchByGoogleAnalytics
    • Result: All sites sharing this ID
  2. Determine if it’s template-based

    • Many unrelated sites - Likely a template with tracking ID left in
    • Few related sites - Likely same operator’s portfolio
    • Check if sites use same template/framework
  3. Template attribution

    • If it’s a template:
      • Track which dark web sites use this template
      • Identify template creator through Analytics ID
      • Map template distribution network
    • If it’s an operator portfolio:
      • Build comprehensive attribution of all sites
      • Track operator’s expansion and activities

Operational Security Monitoring

  1. Baseline tracking code presence

    • Regularly run FetchGoogleAnalytics and FetchGoogleAdSense on monitored sites
    • Document which sites have tracking codes
  2. Monitor for changes

    • New tracking codes appear - Site added analytics (major opsec failure)
    • Tracking codes removed - Operator became aware of exposure
    • Tracking codes changed - Switched to new Google account
  3. Investigate changes

    • When tracking codes change, search for both old and new IDs
    • Track if sites migrate to new tracking accounts together
    • Note improvements or degradations in operational security
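
The monitoring loop above, as an added example (not Project Hades code): it compares a baseline snapshot with a later one, labels each site with the three change types from step 2, and groups sites that moved to a new ID together. The snapshot structure, function names, and all site names and IDs are constructed assumptions.

```python
from collections import defaultdict

# Constructed snapshots: {site: set of tracking IDs seen on that run}.
BASELINE = {
    "shopaaa.onion": {"UA-1234567-1"},
    "shopbbb.onion": {"UA-1234567-1"},
    "forumccc.onion": {"ca-pub-1234567890123456"},
    "blogddd.onion": set(),
}
CURRENT = {
    "shopaaa.onion": {"G-AB12CD34EF"},
    "shopbbb.onion": {"G-AB12CD34EF"},
    "forumccc.onion": set(),
    "blogddd.onion": {"UA-7654321-1"},
}

def classify_changes(baseline, current):
    """Label each changed site as (kind, old_ids, new_ids)."""
    events = {}
    for site in sorted(set(baseline) | set(current)):
        old, new = baseline.get(site, set()), current.get(site, set())
        added, removed = new - old, old - new
        if added and removed:
            events[site] = ("changed", sorted(removed), sorted(added))
        elif added:
            events[site] = ("appeared", [], sorted(added))
        elif removed:
            events[site] = ("removed", sorted(removed), [])
    return events

def joint_migrations(events):
    """Group sites that moved from the same old IDs to the same new IDs."""
    groups = defaultdict(list)
    for site, (kind, old, new) in events.items():
        if kind == "changed":
            groups[(tuple(old), tuple(new))].append(site)
    return {move: sites for move, sites in groups.items() if len(sites) > 1}

def ids_to_search(events):
    """Old and new IDs of changed sites: both are worth a SearchBy* pivot."""
    return sorted({tid for kind, old, new in events.values()
                   if kind == "changed" for tid in old + new})

if __name__ == "__main__":
    changes = classify_changes(BASELINE, CURRENT)
    print(changes, joint_migrations(changes), ids_to_search(changes), sep="\n")
```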

Cross-Platform Attribution

Google tracking codes can be combined with other attribution methods:

High Confidence Attribution Stack:

  1. Same Google Analytics/AdSense ID (Google account match)
  2. Same cryptocurrency wallets (financial link)
  3. Same email/Telegram contacts (communication link)
  4. Same SSH fingerprint (infrastructure link)
  5. Same SHV (code/template link)

Investigation Priority:

  • Start with Google tracking (strongest attribution signal)
  • Use other transforms to build supporting evidence
  • Create multi-dimensional attribution profile

Example Workflow:

  1. Find sites with shared Analytics ID → Get suspect sites
  2. Run FetchBitcoinAddresses on all → Identify shared wallets
  3. Run FetchEmailAddresses on all → Identify shared contacts
  4. Run FetchSSHFingerprints on all → Identify shared infrastructure
  5. Build attribution case with multiple corroborating indicators
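
An added example (not Project Hades code) covering this workflow and the template-versus-portfolio question from Template Tracking Code Analysis: for every pair of sites sharing an Analytics ID it lists which other link types also match, and flags sites whose only link is the Analytics ID as candidates for template reuse. The indicator keys, function names and all values are constructed assumptions.

```python
from itertools import combinations

# Constructed indicators per site, keyed by link type from the stack above.
SITES = {
    "shopaaa.onion": {"analytics": {"UA-1234567-1"}, "wallet": {"wallet-A"},
                      "email": {"ops@example.org"}},
    "shopbbb.onion": {"analytics": {"UA-1234567-1"}, "wallet": {"wallet-A"},
                      "ssh": {"fp-1"}},
    "blogccc.onion": {"analytics": {"UA-1234567-1"}, "wallet": {"wallet-C"}},
    "forumddd.onion": {"analytics": {"G-AB12CD34EF"}, "email": {"ops@example.org"}},
}

def shared_types(a, b):
    """Link types for which two sites have at least one value in common."""
    return sorted(t for t in set(a) & set(b) if a[t] & b[t])

def corroborate(sites, anchor="analytics"):
    """For each pair sharing the anchor link, list the other shared link types."""
    result = {}
    for (name1, ind1), (name2, ind2) in combinations(sorted(sites.items()), 2):
        types = shared_types(ind1, ind2)
        if anchor in types:
            result[(name1, name2)] = [t for t in types if t != anchor]
    return result

def uncorroborated(sites, anchor="analytics"):
    """Sites linked to peers by the anchor only: possible template reuse."""
    pairs = corroborate(sites, anchor)
    linked = {site for pair in pairs for site in pair}
    backed = {site for pair, extra in pairs.items() if extra for site in pair}
    return sorted(linked - backed)

if __name__ == "__main__":
    for pair, extra in corroborate(SITES).items():
        print(pair, "corroborated by:", extra or "nothing")
    print("analytics-only links:", uncorroborated(SITES))
```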

Why Google Tracking on the Dark Web Is Significant

Operational Security Failures

  • Reveals Google account associated with dark web operations
  • Links clearnet identity to dark web activities
  • Provides law enforcement with a subpoena target (Google account)
  • Exposes real-world financial information (AdSense payments)

Attribution Value

  • Definitive link - Same Google account = same operator (no ambiguity)
  • Clearnet connection - Google accounts require real information
  • Financial trail - AdSense payments go to real bank accounts
  • Persistent identifier - Tracking IDs rarely change once set

Intelligence Opportunities

  • Google Analytics data may be accessible to law enforcement
  • Can reveal visitor statistics, traffic sources, user behavior
  • AdSense account information includes payment details
  • Historical data may show site evolution and growth