On April 5, 2023, the FBI and Dutch National Police announced the takedown of Genesis Market, one of the largest dark web marketplaces. The operation, dubbed “Operation Cookie Monster,” resulted in the arrest of 119 people and the seizure of over $1M in cryptocurrency. You can read the FBI’s warrant here for details specific to this case. In light of these events, I’d like to discuss how OSINT can assist with dark web investigations.
The Dark Web’s anonymity attracts a variety of users, from whistleblowers and political activists to cybercriminals and terrorists. There are several techniques that can be used to try and identify the individuals behind these sites and personas.
While not considered OSINT, there have been instances when technical vulnerabilities have existed in the technology used to host dark websites. These vulnerabilities may exist in the software itself or be due to misconfigurations, but they can sometimes reveal the site’s true IP address. Often these software vulnerabilities require pen-testing tools and techniques such as Burp Suite to induce error messages containing the site’s true IP address. Vulnerabilities such as these are uncommon and rarely utilized.
There have also been instances when dark website operators have used SSL certs or SSH keys, which can be tied to their true IP address using services like Shodan or Censys.
images from Hacker News