Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Investigation Workflows

This page provides real-world investigation workflows demonstrating how Hades enables comprehensive dark web intelligence analysis. Each workflow combines multiple data points to build actionable intelligence.

Marketplace Vendor Investigation

Objective: Track a vendor across multiple dark web marketplaces and identify all their operations.

Tools Used: Both Maltego Transforms and MCP Server work well for this workflow.

Investigation Steps

1. Initial Discovery

Start with a known marketplace where the vendor operates:

  • Maltego: Add hades.v2.onion entity → Run FetchBitcoinAddresses, FetchEmailAddresses, FetchTelegramLinks
  • MCP Server: “Find all cryptocurrency wallets and contacts on darkmarket2023.onion”

2. Extract Identifiers

Collect all vendor identifiers:

  • Cryptocurrency wallets (Bitcoin, Monero, Ethereum)
  • Communication channels (Telegram handles, email addresses, Discord invites)
  • PGP keys
  • Vendor usernames

3. Cross-Reference Identifiers

Search for these identifiers across the entire dark web:

  • Maltego: Run SearchByBitcoinAddress, SearchByTelegramLink, SearchByEmailAddress on each identifier
  • MCP Server: “Track these identifiers across all servers: @darkvendor, [email protected], bc1qxy2…”

4. Build Attribution Graph

Identify high-confidence matches:

  • Sites with 3+ shared identifiers = Very high confidence (same vendor)
  • Sites with 2 shared identifiers = High confidence (likely same vendor)
  • Sites with 1 shared identifier = Medium confidence (requires further investigation)

5. Analyze Timeline

Track vendor activity over time:

  • Maltego: Build temporal graph showing when vendors appeared on each site
  • MCP Server: “Show me the timeline of this Bitcoin address across all marketplaces”

6. Infrastructure Analysis

Check if vendor operates their own infrastructure:

  • Maltego: Run FetchSHV and SearchBySHV to find sites with identical JavaScript
  • MCP Server: “Find sites with identical infrastructure to this onion address”

Expected Outcomes

  • Complete list of all vendor operations across marketplaces
  • Confidence scores for each attribution
  • Timeline of vendor activity
  • Communication channels for monitoring
  • Infrastructure patterns (self-hosted vs marketplace vendor)

Use Cases

  • Law Enforcement: Building cases against dark web vendors
  • Fraud Investigation: Tracking vendors selling stolen credentials
  • Threat Intelligence: Monitoring high-risk vendors
  • Research: Studying vendor behavior and migration patterns

Infrastructure Attribution

Objective: Identify related criminal operations through shared infrastructure and technical fingerprints.

Investigation Steps

1. Infrastructure Fingerprinting

Extract technical fingerprints from the target site:

  • Maltego: Run FetchSHV (Script Hash Values) and FetchSSHFingerprints
  • MCP Server: “Get infrastructure fingerprints for targetmarket.onion”

2. Find Infrastructure Matches

Discover sites with identical or similar infrastructure:

  • Maltego: Run SearchBySHV and SearchBySSHFingerprint
  • MCP Server: “Find all sites with identical infrastructure to targetmarket.onion”

3. Classify Relationships

Analyze the type of relationship:

Identical SHV + Same SSH Fingerprint:

  • Very high confidence they’re related
  • Likely mirrors, backups, or related operations by same actor

Identical SHV + Different SSH Fingerprint:

  • Same codebase deployed to different servers
  • Could be franchised operations or mirrors

Different SHV + Same SSH Fingerprint:

  • Co-hosted on the same physical server
  • Shared hosting provider (less significant)

4. Technology Stack Analysis

Identify frameworks and patterns:

  • Maltego: Run FetchJavaScript to see what technologies are used
  • MCP Server: “Analyze the technology stack of targetmarket.onion”

5. Cross-Reference with Entities

Check if infrastructure matches also share entities (crypto, emails):

  • MCP Server: “For these infrastructure matches, find shared cryptocurrency wallets”

Expected Outcomes

  • Identification of mirror sites and backups
  • Discovery of related operations (franchises, multi-marketplace vendors)
  • Co-hosting patterns revealing shared infrastructure
  • Technology adoption patterns

Use Cases

  • Takedown Operations: Identifying all mirrors and backups before law enforcement action
  • Attribution: Linking operations to specific threat actor groups
  • Hosting Provider Analysis: Identifying bulletproof hosting providers
  • Trend Analysis: Tracking technology adoption in criminal ecosystems

Threat Intelligence Collection

Objective: Continuously monitor the dark web for emerging threats, new marketplaces, and high-risk services.

Monitoring Workflows

1. High-Risk Marketplace Discovery

Monitor for new marketplaces by risk category:

  • MCP Server: “Show me high-risk drug marketplaces discovered in the last 7 days”
  • MCP Server: “Find all sites classified as ‘weapons’ with high confidence scores”

Filter criteria:

  • Risk level: High or Critical
  • Intent categories: Illegal drugs, weapons, hacking services, malware, ransomware
  • Minimum confidence score: 0.7 or higher
  • Time range: Last 7-30 days

2. Emerging Threat Patterns

Track new threat actor techniques:

  • New cryptocurrency types being adopted
  • New communication platforms (emerging alternatives to Telegram)
  • New payment processors
  • Technology trends (new frameworks, anonymization techniques)

3. Vendor Monitoring

Track known high-risk vendors:

  • Create watchlist of cryptocurrency wallets, Telegram handles, emails
  • MCP Server: “Alert me if these identifiers appear on new sites”
  • Monitor vendor migration between marketplaces

4. Geographic and Categorical Trends

Analyze threat distribution:

  • Which intent categories are growing?
  • What technologies are threat actors adopting?
  • How is the marketplace ecosystem evolving?

Alert Triggers

Set up monitoring for:

  • New sites with specific intent categories (drugs, weapons, ransomware)
  • Known vendor identifiers appearing on new sites
  • Infrastructure matches to known threat actor infrastructure
  • Specific cryptocurrency wallet activity

Expected Outcomes

  • Real-time feed of emerging threats
  • Early warning of new high-risk marketplaces
  • Tracking of threat actor migration patterns
  • Ecosystem trend analysis

Use Cases

  • SOC Teams: Daily threat intelligence briefings
  • Law Enforcement: Proactive threat monitoring
  • Financial Institutions: Fraud and credential theft monitoring
  • Researchers: Dark web ecosystem analysis

Law Enforcement Investigations

Objective: Build comprehensive intelligence reports with evidence chains suitable for legal proceedings.

Investigation Workflow

1. Initial Intelligence Gathering

Start with known indicators (onion address, cryptocurrency wallet, email, etc.):

  • Maltego: Build initial graph from seed entity
  • MCP Server: “Get complete intelligence profile for targetsite.onion including all entities, risk level, and metadata”

2. Vendor Attribution

Identify all operations controlled by the target:

  • MCP Server: “Perform vendor attribution on targetsite.onion with high confidence threshold”
  • Document all shared identifiers with confidence scores

3. Evidence Chain Building

Create timeline of criminal activity:

Discovery Evidence:

  • When was each site first indexed?
  • When did vendor identifiers first appear?
  • How have operations evolved over time?

Attribution Evidence:

  • Shared cryptocurrency wallets with dates/amounts
  • Shared communication channels
  • Shared infrastructure fingerprints
  • PGP key associations

Network Evidence:

  • Related operations discovered through shared indicators
  • Co-hosting relationships
  • Technology patterns

4. Relationship Mapping

Build comprehensive network graph:

  • Maltego: Visual graph showing all related entities and sites
  • MCP Server: “Build investigation graph starting from targetsite.onion with depth of 2”

Include:

  • All related onion sites
  • All entities (crypto, emails, communications)
  • Infrastructure relationships
  • Temporal relationships (timeline)

5. Risk Assessment

Document threat classification:

  • Risk level (low, medium, high, critical)
  • Intent categories with confidence scores
  • Scale of operation (number of sites, transaction volume)
  • Geographic indicators if available

6. Monitoring Plan

Set up ongoing monitoring:

  • Track known identifiers for new activity
  • Monitor for new mirrors or backups
  • Alert on infrastructure changes (potential response to investigation)

Evidence Documentation

For each intelligence finding, document:

  • Source: Which Hades collection/tool provided the data
  • Timestamp: When the data was collected
  • Confidence: Score or classification confidence level
  • Context: How this fits into the broader investigation
  • Corroboration: Other evidence supporting this finding

Expected Outcomes

  • Comprehensive case file with evidence chains
  • Attribution confidence scores suitable for legal proceedings
  • Network maps showing relationships between operations
  • Timeline of criminal activity
  • Ongoing monitoring capabilities

Use Cases

  • Criminal Investigations: Building cases against dark web vendors and operators
  • Takedown Operations: Planning coordinated multi-site takedowns
  • Prosecution Support: Providing evidence for court proceedings
  • Intelligence Reporting: Briefing stakeholders on threats

Cryptocurrency Wallet Tracking

Objective: Track cryptocurrency wallet usage across the dark web to identify payment patterns and vendor relationships.

Investigation Steps

1. Wallet Discovery

Identify wallets of interest:

  • Maltego: FetchBitcoinAddresses, FetchMoneroAddresses, FetchEthereumAddresses on known sites
  • MCP Server: “Find all cryptocurrency wallets on darkmarket2023.onion”

2. Cross-Platform Search

Track wallet across all indexed sites:

  • Maltego: SearchByBitcoinAddress on each wallet
  • MCP Server: “Find all sites using Bitcoin address bc1qxy2…”

3. Temporal Analysis

Analyze wallet usage patterns over time:

  • MCP Server: “Track this wallet’s appearances over the last 90 days”
  • Identify when wallet first appeared
  • Track which sites added/removed the wallet
  • Detect migration patterns

4. Co-Occurrence Analysis

Find wallets that appear together:

  • MCP Server: “Find all other wallets on sites that use this Bitcoin address”
  • Identify wallet clusters (wallets that always appear together)
  • Detect vendor wallet rotation patterns

5. Risk Correlation

Analyze risk levels of sites using the wallet:

  • Are they all high-risk marketplaces?
  • Do they share intent categories (all drug markets, all carding sites)?
  • What’s the risk distribution?

Expected Outcomes

  • Complete history of wallet appearances
  • List of all sites accepting the wallet
  • Temporal patterns (when wallet appeared on each site)
  • Related wallets (co-occurrence patterns)
  • Risk profile of wallet usage

Use Cases

  • Ransomware Investigation: Tracking ransom payment wallets
  • Vendor Tracking: Following marketplace vendor wallets
  • Money Laundering: Identifying wallet rotation patterns
  • Threat Intelligence: Profiling payment patterns by threat category

Best Practices

Start Broad, Then Narrow

Begin with general queries to understand the landscape, then drill down:

  1. Broad: “Find all high-risk drug marketplaces”
  2. Medium: “Get all wallets from these marketplaces”
  3. Narrow: “Track this specific wallet across all sites”

Use Confidence Scores

Weight evidence by confidence:

  • Very High (4+ shared indicators): Safe to attribute
  • High (2-3 shared indicators): Likely related, needs validation
  • Medium (1 shared indicator): Requires significant additional investigation
  • Low (circumstantial): Use only to generate leads

Combine Multiple Signals

Best intelligence comes from combining:

  • Entity evidence (crypto + communications)
  • Infrastructure evidence (SHV + SSH fingerprints)
  • Temporal evidence (timeline analysis)
  • Risk evidence (classification confidence)

Document Everything

For each finding, record:

  • Source of intelligence
  • Date collected
  • Confidence level
  • Corroborating evidence
  • Analysis notes

Validate Across Methods

Cross-validate findings:

  • If Maltego shows a relationship, verify with MCP Server
  • If MCP Server suggests attribution, build visual graph in Maltego
  • Use multiple data points to confirm each conclusion

Workflow Templates

Quick Vendor Check

Goal: Quickly determine if a vendor operates multiple sites

1. Extract all identifiers from known site
2. Search each identifier across database
3. Flag sites with 2+ matches for review
4. Build attribution graph for high-confidence matches

Comprehensive Investigation

Goal: Complete intelligence report on a target

1. Initial discovery (all entities, infrastructure, risk)
2. Attribution (find all related operations)
3. Network analysis (map relationships)
4. Temporal analysis (build timeline)
5. Evidence documentation
6. Monitoring setup

Daily Threat Monitoring

Goal: Stay informed on emerging threats

1. Query new high-risk sites (last 24-48 hours)
2. Check watchlist identifiers for new appearances
3. Review infrastructure matches to known threats
4. Generate daily threat brief

For step-by-step examples with actual queries and responses, see the MCP Server Examples page.

© 2026 © Aikos Technologies Limited - All Rights Reserved.