ATII Dark Web Intelligence – HADES – Maltego

The Anti-Human Trafficking Intelligence Initiative (ATII) is a nonprofit that encourages financial institutions and companies globally to practice corporate social responsibility and implement anti-human trafficking programs within their organizations (e.g., policies and procedures, live and eLearning training, red flags/indicators, high-risk trafficking data). ATII collaborates with federal, state, and local law enforcement, intelligence agencies, and NGOs to support investigations around trafficking, child exploitation, missing persons, and child sexual abuse material (CSAM).

Project Hades is a dark web intelligence platform built and managed by ATII. It ingests onion sites and collects evidence from them to deanonymize the users behind those sites, whether they are buyers, sellers, or administrators. Users can pivot on the collected data points (selectors) to find related Entities.

Dark Web Investigations

The ATII data enables investigators to monitor the criminal underground for threats and map out organized criminal networks based on deep & dark web intelligence.

Cryptocurrency Investigations

While investigating financial crime, investigators can use the ATII Hades Darkweb Intelligence Transforms to identify cryptocurrency addresses that may be shared by multiple threat actors and criminal organizations.

Anti-Human Trafficking Investigations

The ATII Hades Darkweb Intelligence data provides valuable intelligence for anti-human trafficking task forces and investigations focusing on fighting child exploitation and finding missing persons.

Installation

Users with a Maltego One, Classic, or XL license can use their own API Key (provided by ATII).

Navigate to the Home screen > Transform Hub and search for Hades in the search bar.

Click Install.

Click Yes.

Input your API Key if prompted; the Transforms will then install.

Or, if you have a Seed URL you can install the Transforms manually by clicking on the + sign under Internal Hub Items.

Input an ID, Name and Seed URL.

Transforms that are available to run are listed under:

View > Transform Manager > HADES

From the indexed onion URLs, HADES extracts selectors from the sites (SSH fingerprints, cryptocurrency addresses, email addresses, favicons, JavaScript, tracking codes) and makes them available for analysis.

To get the SSH fingerprint for a .onion URL, select the URL Entity and run the Transform:

ATII HADES Darkweb Intelligence > Fetch Selectors

If an SSH fingerprint is available for the URL, the Transform returns an SSH Fingerprint Entity. For this URL it is:

c8:15:ad:85:b3:3b:f4:34:97:5c:07:1f:8a:67:4e:a4

The fingerprint is a hash of the SSH host key exposed behind the site, so other .onion URLs that report the same fingerprint are very likely served from the same machine (or from hosts that share a cloned key), which makes it a strong pivot. To find more URLs associated with the original URL, run this Transform on the SSH Fingerprint Entity:

ATII HADES Darkweb Intelligence > Search by SSH Fingerprint

For the URL Entity electronz2gpfyz5.onion, the Transform returns 36 more .onion URL Entities.

We can also run these Transforms on the URL Entity to return the Site Title & Categories related to the URL.

ATII HADES Darkweb Intelligence > Fetch Categories

ATII HADES Darkweb Intelligence > Fetch Website Title

Try fetching the selectors from the 36 URL Entities.

ATII HADES Darkweb Intelligence > Fetch Selectors

For bigger graphs you can switch to the Circular or Organic layout to organize the graph.

Select All Entities (Ctrl + A)

Navigate to the toolbar at the top of the interface under “View” to switch views.

You can expand the graph by using the hotkeys (Alt + Enter).

Inspect the graph; Entities can be sorted in the Detail View.

There are some BTC addresses and email addresses (mostly at the safe-mail.net domain) linked to the SSH fingerprint.

Some Dogecoin addresses and Favorite Icon (favicon) Entities.

And some JavaScript Entities.

These two URL Entities share some overlapping Selectors.

fakebillxl6ind2f.onion

fakebillkelmwaos.onion

Select these Entities and copy them to a new graph by right-clicking and choosing the "Copy to New Graph" icon in the left corner. The new graph holds the shared Favorite Icon Entity, the two URLs, three Bitcoin addresses and the shared email address:

1365690874
fakebillkelmwaos.onion
fakebillxl6ind2f.onion
3NA9zFHKXgnEc3eN53SiJdVtJWex8uiWVi
33tyVR8Cj5NRQYiu3LfrzTeeePLeVisD3m
3DqwfqcAJV5ZnYmAqQNtTTUfUMm1HyuBMV
[email protected]

On the New Graph, Select the Bitcoin Entities:

3NA9zFHKXgnEc3eN53SiJdVtJWex8uiWVi
33tyVR8Cj5NRQYiu3LfrzTeeePLeVisD3m
3DqwfqcAJV5ZnYmAqQNtTTUfUMm1HyuBMV

And run the Transform:

ATII HADES Darkweb Intelligence > Search by Bitcoin

2 more SSH Fingerprints & URLs are returned:

ad:cc:6e:78:52:0a:c7:fa:ca:4b:8f:f9:96:12:8a:7f

79:5e:37:3c:c4:13:8b:fd:75:77:b6:88:48:35:7c:bf

fakebilz2rq7mjsb2svyms2sb2ixmzhu2zfiuojqqmbz7rk73eqv6dad.onion

fakebilsvff435ky3rp6msyvorixovwmozap5sljuotdmwyxshpmbqqd.onion

All 4 URLs are associated with the Email & Favorite Icon Entities, further indicating that these sites are related.

Select the 2 SSH Fingerprint Entities and run:

ATII HADES Darkweb Intelligence > Search by SSH Fingerprint

106 onion URL Entities were returned; try analyzing these URLs further using the Hades Transforms.
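The chain just walked (URL > SSH fingerprint > more URLs > shared Bitcoin addresses > further fingerprints > more URLs) is the pivot the Transforms perform against the HADES database. As an added example, not ATII's or Maltego's code, here is the same pivot written as a breadth-first search over a local selector table, so the logic can be seen and checked offline. The table is constructed: the fingerprints, Bitcoin addresses, favicon value and .onion names are the ones quoted on this page, but the pairing of selectors to sites is modelled on the walkthrough rather than taken from HADES, and the email address (standing in for the redacted one), the tracking code and the two hypothetical-*.onion sites are invented. The design choice to pivot only on "strong" selectors and report favicons, tracking codes and JavaScript as corroboration is mine, following the observation later on this page that those are copied when sites are mirrored.

```python
from collections import defaultdict, deque

# Selector types that identify a server or a money flow: pivoting follows these.
STRONG = {"ssh_fingerprint", "btc", "email"}
# Selector types copied along when a site is mirrored: used to corroborate a link, not to pivot.
WEAK = {"favicon", "tracking_code", "javascript"}

# Values quoted on this page.
SSH_A = "c8:15:ad:85:b3:3b:f4:34:97:5c:07:1f:8a:67:4e:a4"
SSH_B = "ad:cc:6e:78:52:0a:c7:fa:ca:4b:8f:f9:96:12:8a:7f"
SSH_C = "79:5e:37:3c:c4:13:8b:fd:75:77:b6:88:48:35:7c:bf"
BTC = ("3NA9zFHKXgnEc3eN53SiJdVtJWex8uiWVi",
       "33tyVR8Cj5NRQYiu3LfrzTeeePLeVisD3m",
       "3DqwfqcAJV5ZnYmAqQNtTTUfUMm1HyuBMV")
FAVICON = "1365690874"
# Constructed stand-ins: the page redacts the email; the tracking code and the two
# hypothetical-* sites are invented for this example.
EMAIL = "vendor@example.com"
TRACKING = "UA-00000000-0"

# Constructed selector table (site -> selectors it exposes), modelled on the walkthrough,
# not HADES output.
SITES = {
    "electronz2gpfyz5.onion": {("ssh_fingerprint", SSH_A)},
    "fakebillxl6ind2f.onion": {("ssh_fingerprint", SSH_A), ("favicon", FAVICON), ("email", EMAIL)}
                              | {("btc", b) for b in BTC},
    "fakebillkelmwaos.onion": {("ssh_fingerprint", SSH_A), ("favicon", FAVICON), ("email", EMAIL)}
                              | {("btc", b) for b in BTC},
    "fakebilz2rq7mjsb2svyms2sb2ixmzhu2zfiuojqqmbz7rk73eqv6dad.onion":
        {("ssh_fingerprint", SSH_B), ("favicon", FAVICON), ("email", EMAIL), ("btc", BTC[0])},
    "fakebilsvff435ky3rp6msyvorixovwmozap5sljuotdmwyxshpmbqqd.onion":
        {("ssh_fingerprint", SSH_C), ("favicon", FAVICON), ("email", EMAIL), ("btc", BTC[1])},
    "hypothetical-mirror.onion": {("ssh_fingerprint", SSH_B), ("tracking_code", TRACKING)},
    "hypothetical-unrelated.onion": {("favicon", FAVICON)},   # shares only a weak selector
}


def build_index(sites):
    """Invert the table: selector -> set of sites exposing it (the 'Search by ...' direction)."""
    index = defaultdict(set)
    for site, selectors in sites.items():
        for sel in selectors:
            index[sel].add(site)
    return index


def pivot(seed, sites, follow=STRONG):
    """Breadth-first pivot from `seed`; returns {site: list of (type, value) hops that reached it}."""
    index = build_index(sites)
    paths = {seed: []}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        for sel in sorted(sites[current]):          # Fetch Selectors
            if sel[0] not in follow:
                continue
            for other in sorted(index[sel]):        # Search by <selector>
                if other not in paths:
                    paths[other] = paths[current] + [sel]
                    queue.append(other)
    return paths


def corroborating(site_a, site_b, sites):
    """Weak selectors two sites share: evidence that supports a link but does not create one."""
    return sorted(sel for sel in sites[site_a] & sites[site_b] if sel[0] in WEAK)


if __name__ == "__main__":
    for site, hops in pivot("electronz2gpfyz5.onion", SITES).items():
        print(site, "<-", " -> ".join(f"{t}={v[:12]}" for t, v in hops) or "seed")
```

Run from the seed URL, the search reaches every fakebil* site and the hypothetical mirror but not hypothetical-unrelated.onion, which shares nothing except the favicon; the recorded hops show exactly which selector produced each link, which is what you need to defend the relationship in a report.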

Searching by Category can help narrow down your results to more easily find what you are looking for.

ATII HADES Darkweb Intelligence > Fetch Categories

To search by Google Tracking Codes:

ATII HADES Darkweb Intelligence > Search by Google Tracking Code

Some Entities return more than one tracking code. Because code and content are often reused when .onion sites are mirrored, JavaScript and Favorite Icon Entities can be used alongside tracking codes to corroborate a link.

ATII HADES Darkweb Intelligence > Fetch Selectors

Some .onion sites carry a specific tracking code that ties several of them together.

Running HADES Transforms will query the HADES Database directly.

Hades can ingest .onion URLs directly. To scrape .onion links from the open web for ingestion, this method works:

Drag a Phrase Entity from the Entity Palette and input:

market + “*.onion”

Then run the Transform:

All Transforms > To Website [using search engine]

Select all Website Entities and run:

All Transforms > To URLs [show Search Engine results]

Select only the URLs and run:

All Transforms > To Regex Matches [Found on Webpage]

Entities can be sorted in Detail View

Onion URL regexes. Onion labels use the base32 alphabet a-z and 2-7, and the dot must be escaped (an unescaped . matches any character and produces false matches):

\b[_\-0-9a-z]+\.onion\b

[_\-0-9a-z]+\.onion

\b[a-z2-7]{16}\.onion\b

\b[a-z2-7]{56}\.onion\b

The first two are deliberately loose and will also capture a hostname that has a subdomain in front of the address; the third matches v2 addresses (16 characters; Tor retired v2 services in 2021, so those hits are historical) and the fourth matches v3 addresses (56 characters).

The .onion URLs that were scraped from the web pages will be listed in Phrase Entities.
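A regex only proves that a string is shaped like an onion address. A v3 address also carries a checksum over its embedded ed25519 key, so candidates pulled from scraped pages can be checked before ingestion instead of sending junk into the database. The following is an added example, not ATII's or Maltego's code: it extracts v2 and v3 candidates with the escaped-dot regexes above and recomputes the v3 checksum as specified in Tor's rend-spec-v3 (SHA3-256 over ".onion checksum" || pubkey || version, truncated to two bytes). The sample text is constructed: the two 16-character names come from this page, the valid v3 address is derived from an all-zero test key, and the tampered and all-"a" addresses are deliberate junk.

```python
import base64
import hashlib
import re

# Onion labels use the RFC 4648 base32 alphabet (a-z, 2-7).  A v2 label is 16 characters
# (retired by Tor in 2021, so matches are historical); a v3 label is 56 characters and carries
# its own checksum, which lets us reject strings that merely look like an address.
ONION_RE = re.compile(r"\b([a-z2-7]{56}|[a-z2-7]{16})\.onion\b")


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def make_v3_address(pubkey: bytes) -> str:
    # onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    # 35 bytes encode to exactly 56 base32 characters, so there is never padding.
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def validate_v3(label: str) -> bool:
    # Decode the 56-character label, split it into key/checksum/version, recompute the checksum.
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:          # binascii.Error is a ValueError
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == v3_checksum(pubkey, version)


def extract_onions(text: str) -> list:
    """Every onion address in `text` with its version and, for v3, whether the checksum holds."""
    found = []
    for m in ONION_RE.finditer(text):
        label = m.group(1)
        is_v3 = len(label) == 56
        found.append({
            "address": label + ".onion",
            "version": 3 if is_v3 else 2,
            "valid": validate_v3(label) if is_v3 else None,   # v2 labels carry no checksum
        })
    return found


# Constructed sample text (not real scraped or HADES data).
GOOD_V3 = make_v3_address(bytes(32))                 # built from an all-zero test key
TAMPERED_V3 = GOOD_V3[:55] + "e" + GOOD_V3[56:]      # last char changed: version byte 3 -> 4
JUNK_V3 = "a" * 56 + ".onion"                        # fits the regex, decodes to all zeros
SAMPLE_TEXT = (
    "http://electronz2gpfyz5.onion/ and fakebillxl6ind2f.onion are v2 names; "
    f"{GOOD_V3} is a valid v3 address; {TAMPERED_V3} and {JUNK_V3} are not."
)

if __name__ == "__main__":
    for hit in extract_onions(SAMPLE_TEXT):
        print(hit)
```

Because the version byte is fixed at 3, every genuine v3 address ends in "d" before ".onion" (the three v3 addresses quoted on this page do); the checksum test is the stricter version of that sanity check and costs one SHA3 call per candidate.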
