ACAMS Today – Project Hades: Dark Web Revealed

MARCH 17, 2022

One of the biggest responsibilities of our time is to protect the most vulnerable, especially in the anti-human trafficking and anti-child exploitation space. The Anti-Human Trafficking Intelligence Initiative (ATII), a nonprofit organization, is continually expanding its presence and systems to combat human trafficking and child exploitation. One of its current initiatives is Project Hades, a dark web search platform.

In order to understand Project Hades as a dark web intelligence platform, it is necessary to clarify the concept of the dark web itself beyond some of the stereotypes created around it. The reason the dark web is called “dark” is not because it is a place of heinous activities, but rather because the cryptography protocols that protect users and URLs operating in it mix attributions to the extent that they are made “dark,” compared to the daylight in which intelligence monitors are accustomed to operating.

The dark web, which originated in a military protocol, was never intended to support criminal activities. And indeed, there are still some valuable features linked to operating on the dark web, such as the existence of whistleblowing channels that allow free speech to exist beyond the reach of dictatorships that practice censorship.

As Edward Snowden pointed out, the problem with the internet is that it allows people to create fictional identities, which can be used for the aforementioned whistleblowing activities and can also be used for nefarious purposes. People can sign in with whatever “nickname” they want. While it is possible to ask Google, Facebook, Yahoo and others for the internet protocol number associated with a single login, that information is not captured on the dark web.

Big Data: Out of the Dark

One problem with the dark web relates to the decentralized nature of the internet. Things are opaque because attributions are all “falsified and falsifiable” without any further validation. On the dark web, IPs are proxies, and users seem to use their real-world nicknames and post personally identifiable information as if there were no tomorrow. Investigators must take into account the hypothesis of attribution being a matter of “online vengeance,” as this is what often occurs in child sexual abuse material (CSAM) cases.

From now on, it is important to separate intelligence from law enforcement (LE) activities—they are not and cannot be the same. The two crime-fighting activities occur in different stages of the timeline and face very different challenges. For intelligence, the question is not how far an IP is geolocated in international waters related to a specific user but, rather, how deeply integrated is this same IP with other criminal activities. For example, the registry of a cryptocurrency transaction performed between a CSAM criminal located in the U.S. and another criminal in Australia might happen in the public section of a French CSAM website—making this data subject to French jurisdiction. Consequently, a cryptocurrency address that might have been highly relevant for a CSAM investigation in the U.S. and Australia might never reach the U.S. nor Australia without the help of an intermediary and central database.

The lack of a central database for intelligence sharing on CSAM is still one of the biggest challenges for LE authorities working in the field—and that includes a challenge pervading cryptocurrency information.

Introducing Project Hades

Because LE and intelligence activities do not mean the same thing, even if they are deeply correlated, it can be difficult to understand how monitoring of any kind can help fight crime on the dark web. CSAM researchers have for a long time been working with poor data due to the lack of proper tools to answer research questions. The Project Hades platform, created and licensed by ATII, is a well-thought-out project because it gives its users the opportunity of applying filters in a meaningful way.

In layman’s terms, Project Hades exists to contribute to the disruption of global human trafficking and child exploitation operations, economics and the overall anonymity of this nefarious activity. Utilizing a holistic strategy, the platform offers a comprehensive suite of solutions and support for both commercial and LE organizations based on the integration of data, technology and operational infrastructure. It uses big data technology aligned with vast data resources channeled through forensic linking, investigative intelligence and analytics.

Within the Project Hades platform, ATII performs evidence collection from the dark web to track and deanonymize people. The platform has collected over 100,000 bitcoin addresses and discovers at least 1,000 new dark websites every week or two, so there is always an abundance of data to work with. It also integrates with 10 different blockchain forensics, analytics and abuse databases just by clicking a button, including image hashing and EXIF data collection, which allows further link analysis. Furthermore, Project Hades currently has over 35,000 dark web sites related to CSAM and over 183,000 ingested that cover various illegal activity carried out on the dark web. The platform has a Console, Maltego Transform, application programming interface (API) and datasets that are used to investigate and report to LE, cryptocurrency exchanges, and other interested parties. All of these functions speed up the investigation process and provide additional insights.

Project Hades licenses are offered to LE agencies and to selected individuals at no charge as part of our nonprofit social impact initiative. Crypto exchanges, data companies and financial institutions can also utilize the Project Hades license as part of an ATII sponsorship package.

In this era of big data, a powerful tool for compiling information must meet the challenge of keeping the analytical path clear in all cases. This is a feature that Project Hades was successful in implementing.

The Attributions Lost on the Dark Web

At present, Project Hades indexes the four main cryptocurrencies associated with criminal activities on a large scale. Even if open-source intelligence survives as a powerful tool, an integrated dark and surface web analysis seems essential to bring dark activities back to shore. A cryptocurrency wallet found in a CSAM case that reveals itself on the surface web (the portion of the web that is readily available to the general public), associated with an online casino, is a red flag to start a money laundering investigation with the casino.

Project Hades shows investigators and intelligence parties the power of finding patterns on the dark web. One must not forget that even if tools such as Project Hades can be very helpful for any investigation, research or monitoring activity on the dark web, it does not eliminate the need for a proper, diligent analysis.

Being a big data project on the dark web, Project Hades is meant to help with the misattribution problem through repeated data in correlated environments. If a single email on the front page of a CSAM forum seems suspicious as a lead for investigators and the email repeats itself in hundreds of forums of the same kind and shares the same hash values of images, that makes it a stronger lead.

The Dark Web Mirrors

This is similar to favicons and titles, or in other words, the icon or image you see in a website’s URL. As dark web researchers are aware, CSAM forums, dark web markets and other kinds of URLs operating on the dark web have names and logos, and their users also have profile pictures and nicknames. Somehow, people—whatever they are doing on the dark web—must be able to communicate with each other.

On the dark web, where URLs tend to be temporary and pages constantly move to other servers, keeping track of things that appear with the same logo (favicon) and name is relevant for identifying the mirrors, wherever they exist.

In the case of what is supposed to be a URL mirror, Project Hades also keeps track of their last web appearance in case investigators find them later. This feature makes this a powerful tool for integrating dark and open web intelligence because those links were never posted in the open world of search engines.

Beyond the Keywords

In terms of dark web intelligence, intelligence tools still rely, overall, on the “what are the keywords?” question. This question is obsolete because on the dark web, there is no such thing as keyword-related criminality. The greatest identifier of organized crime has always been unique stamps. Generalized “stamps,” such as keywords, can be accidentally “leaked” to LE monitors. On the dark web, it is not that those keywords are not useful anymore, but that the approach must be methodologically consistent with the criminal mechanics that are being analyzed.

The innovative nature of Project Hades has taken the keyword problem to the next level of intelligence. The question is not “what the keywords are” anymore but, rather, how they have evolved and how they are related to each other. What seemed to be an innocent keyword such as “Portuguese” or even a CSAM forum title, which would have remained out of sight for a less diligent tool, is also tracked by Project Hades. More than that, the platform allows a dark web search around the same keyword to clarify where things are surfacing on the dark web. In order to find out where the intersection is, information needs to be cross-referenced with a link-tree feature that proves the validity of this intelligence.

And most importantly, these analytics can be done without any personal risk for the analyst. Project Hades is an external platform taking data out of the dark to present it to its users in a safe, organized and search-friendly environment. All data displayed can be searched deeply to construct, point by point, the clear logic disguised by criminal tactics on the dark web.

The Search Features

In order to guarantee a chance of success for the user, faced as they are by the enormity of services operating on the dark web, users are allowed to search for specific data points of their interest in Project Hades’ database to see if this data appears elsewhere. The databases are constantly updated. The reason why that matters is because it guarantees that the database has not deviated from its initial aim: tracking criminal-related activity. The platform is meant to filter for worthwhile data rather than present analysts with non-relevant data.

Having a targeted search feature is vital since the lack of search engines is often the greatest problem for investigations on the dark web. As with open web search engines, the problem remains the production of irrelevant results. Project Hades found the proper equilibrium here, with a database constructed to follow a proper, targeted methodology. Moreover, it will also keep track of places where the data is still missing. For example, where the .onion address (dark web URL) is still not crawled, users can submit a support request. Prior to initializing an investigation, Project Hades allows users to search its database to see if the .onion address is in the database. This avoids wrong conclusions such as it being non-data—when things were simply not crawled yet.

Users are also expected to retro-feed the Project Hades database so that the tool can better support investigations. It allows, as such, .onion addresses to be submitted for analysis. That can be a very important tool to stabilize data in a dynamic scenario such as the dark web.

The Role of Cryptocurrency

The two most important rules of the dark web for CSAM are that the files are not for sale and that cryptocurrencies are complex. Dark web scammers and CSAM offenders often “try their luck” outside the CSAM forums, where cryptocurrency discussions and related information are often prohibited. Unlike cash-based wallets (whose transactions occur in parallel communication channels), cryptocurrency wallets are visible, and it is easy to predict the “expected degree of complexity” before even starting an investigation.

When a CSAM criminal pays a membership fee tied to a CSAM commercial forum, the website administrator issues the criminal the “login keys”—which are only approved through payments, as a matter of how things are designed inside dark web commercial CSAM forums. In commercial forums, the “login credentials” find the blockchain itself as an exchange channel, making them often “PINs” information that reduces the surface of attack for LE actors. This is different from all conventional intelligence that has ever been seen around dark web CSAM forums.

Using the Project Hades platform, investigators can conduct in-depth searches in cryptocurrency wallets by tracking and putting together repeated data posted across different dark web locations, which allows investigators to put together the puzzle that criminals have intentionally disassembled.

In conclusion, the Project Hades platform makes it possible for investigators to be able to take up the fight against human trafficking, using strategic and innovative software, without direct exposure to the child and sexual exploitation material often associated with illicit activity and the trauma it frequently leaves on those investigating these crimes. In December 2021, ATII held a successful “technology/OSINT For Good” event called the Darkwebathon (think hackathon or capture the flag—CTF), where over 300 participants from both the public and private sectors collaborated for five days to gather as much data as possible to stop criminals preying on innocent victims. This is one of the ways ATII is fulfilling its mission to offer actionable intelligence to LE agencies through Project Hades—at no cost—to disrupt the exploitation of children and save the lives of our most vulnerable.

Carolina Christofoletti, senior CSAM experteer, Anti-Human Trafficking Intelligence Initiative, Sao Paulo, Brazil

Edited by: Jennifer Moreau, ESG advisory and marketing director, Anti-Human Trafficking Intelligence Initiative, USA