Project Hades, the brainchild of the Anti-Human Trafficking Intelligence Initiative (ATII), provides researchers with a wealth of information related to darkweb onion sites.
The Project Hades dataset includes information on the existence of various onion sites as well as critical information those sites may contain, such as email addresses, cryptocurrency addresses, SSH keys, favicons, and other identifiers that can allow investigators to build connections. The sites that Project Hades monitors cover an assortment of illicit activity, ranging from weapons sales to document fraud to CSAM (Child Sexual Abuse Material).
Using Project Hades data in Maltego allows investigators to create compelling visualizations of connections between darkweb sites. And, by facilitating easy access to a wide arrangement of data sources in a single UI, Maltego also allows Project Hades data to be combined with information on cryptocurrency movements, domain registrations, social media profiles, and more.
Let’s take a look at the Russian- and English-language underground shop WannaBuy. WannaBuy is dedicated to the sale of compromised remote desktop protocol (RDP) servers which can be used for a variety of cybercriminal schemes, ranging from ransomware operations to tax fraud. WannaBuy exists only on the darkweb.
Image 1: Screenshot from the WannaBuy home page.
The homepage for WannaBuy is located at wannab666qqm2nhtkqmwwps3x2wu2bv—————[.]onion. Let’s put that into the Maltego as a Tor Onion Website Entity.Note: We have obfuscated part of the WannaBuy home page URL for security reasons.
To learn more about this site, let’s run the Transform [PH] Fetch Website Title.
The information returned indicates that this site brands itself as the WannaBuy homepage, which checks out with our understanding of this site.
Now let’s try to get more insights on the site by running the Transform [PH] Fetch Selectors. This Transform returns information that appears on the site, such as cryptocurrency addresses, emails, Google Tags, SSH Keys, and more.
We know that WannaBuy is a Russian- and English-language shop, and from the emails it appears that the site has also dedicated support channels for English and Russian speakers (the “ru” in one of the email addresses stands for Russian).
- [PH] Search by Email
- [PH] Search by ETags
After running these Transforms, we discover that the ETag only appears one time within the Project Hades dataset, on the WannaBuy site.
However, both email addresses appeared on another site: wannabuyaynozvmz[.]onion.
Hey, that site looks familiar! In the onion URL, we can see the name “WannaBuy” appear again. When we check the site, it seems to be offline.
It is possible that this WannaBuy website we just discovered is an older and disused URL.
We can check this hypothesis by checking cached results for the popular onion directory site dark[.]fail. Many threat actors and researchers alike reference dark[.]fail to stay on top of the latest onion addresses for popular onion sites ranging from the official darkweb version of Facebook to criminal markets.
Let’s open a new Maltego graph with a website Entity for dark[.]fail.
The Maltego Standard Transforms include Transforms that allow users to access historical snapshots of different websites via information from the Wayback Machine. The associated Transforms are:
- To Snapshots [Wayback Machine]
- To Snapshots between Dates [Wayback Machine]
As their names suggest, the first Transform searches across all time, while the second can have a specific date range input. In this case, we don’t have a strong sense of when this old WannaBuy URL might have been used, so we will run To Snapshots [Wayback Machine].
Note: We received 256 results, due to the restrictions set in the results slider. When we zoom into our graph, we can see more details about the individual results. The most important detail for this investigation is the dates.
Now, we enter the manual part of our investigation, where we check the different results one by one to see if we can find a Wayback Machine result for dark[.]fail that includes information on the old WannaBuy URL. Lucky for you, I’ve already done that! Let’s examine the result from July 4, 2021. Double click on the entry for July 4, 2021, to pull up the Details View.
We are interested in the URL that appears in the Details View: hxxps://web[.]archive[.]org/web/20210704081809if_/hxxps://dark[.]fail/
Let’s copy that and paste it into our browser. If we search for WannaBuy on the list, we will eventually find it…
It’s the WannaBuy URL that we found earlier! Now we can confirm that this URL is indeed an old URL used by WannaBuy.