
"Operation Cookie Monster": How OSINT Can Assist Dark Web Investigations

Genesis Market, one of the largest dark web marketplaces, was taken down on April 5, 2023, in an operation led by the FBI and the Dutch National Police and dubbed "Operation Cookie Monster." The operation resulted in the arrest of 119 individuals and the seizure of over $1M in digital currencies. For case-specific details, refer to the official FBI warrant.

In light of these events, it is worth looking at how Open Source Intelligence (OSINT) can be a powerful tool in investigations of the dark web: an encrypted overlay network used by everyone from whistleblowers and political activists to cyber criminals and insurgents. Techniques exist that can help identify the people behind anonymous sites and personas.

Though not categorized as OSINT, criminal sites have at times been located by exploiting technical weaknesses in the software used to host them. These weaknesses, whether software bugs or misconfigurations, can expose the real IP address of the server. Web application testing tools such as Burp Suite, though rarely used for this purpose, can provoke verbose error messages that disclose the server's actual IP address. Operators of dark web sites have also been known to reuse TLS certificates or SSH host keys on their hidden service and on a server reachable from the regular internet; because internet-wide scanners such as Shodan and Censys index certificate and key fingerprints, a fingerprint observed on the hidden service can be searched for and matched to a real IP address.

Most dark web transactions are paid for in cryptocurrency in return for unlawful goods and services, which opens the possibility of tracing individuals through blockchain analysis. Because of Anti-Money Laundering (AML) and Know Your Customer (KYC) laws designed to curb money laundering, it is impossible to open a bank account as "anonymous," and several countries impose similar requirements on cryptocurrency exchanges.
Certain companies offer blockchain analysis tools that can link cryptocurrency addresses to specific exchanges such as Coinbase or Binance. With legal authority, law enforcement and financial investigators can then compel the exchange to disclose the identity of the account owner. In the past, these services were too expensive for individual practitioners, but the blockchain analytics provider Breadcrumbs recently launched a platform with more affordable pricing and a free plan.

The dark web is not introduced until day five of my SANS SEC497 Practical OSINT course. The reason is that the first thing to learn is what to do once you have obtained a communication channel from the dark web and can lead it back to the overground internet. A metaphor explains why. Operating a food truck that must keep moving because of city regulations is much like the constantly shifting landscape of the dark web. How do you keep customers loyal in that situation? You open a direct line of communication with them so you can tell them where you will be next, and that is exactly the strategy many dark web actors use to cope with their unstable habitat.

The dark web is far from a stable place to operate. The takedowns of major markets such as Silk Road, AlphaBay, Hansa, Wall Street Market, and now Genesis attest to that, and persistent denial-of-service attacks against Tor onion services add to the instability; the Dread forum was unreachable for months because of one such attack. To compensate, sellers advertise a variety of contact methods and list on several marketplaces at once. Those contact methods, or "selectors," are exactly what an OSINT practitioner uses to trace an actor back to the overground internet.
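Turning advertised contact methods into pivots is mechanical enough to script. The following Python is an added example rather than anything from the original article or the SEC497 course: it extracts selectors (e-mail addresses, v3 onion mirrors, PGP fingerprints, Telegram handles and legacy Bitcoin addresses) from text, validates each Bitcoin address with the Base58Check checksum so that a mistyped address is never pivoted on, normalizes spelling, and reports the selectors shared between two sources. The vendor text, the handle and the example.com domain are constructed; the Bitcoin address is the public genesis-block address, used only because it is a known valid Base58Check string. Bech32 (bc1...) addresses are not handled.

```python
import hashlib
import re
from collections import defaultdict

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Selector patterns. Word boundaries keep a 4-hex-digit PGP group from swallowing
# neighbouring text; the lookbehind stops the Telegram pattern matching the '@' in e-mails.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "onion": re.compile(r"\b[a-z2-7]{56}\.onion\b"),
    "pgp": re.compile(r"\b(?:[0-9A-Fa-f]{4} ?){10}\b"),
    "telegram": re.compile(r"(?<![\w@])@([A-Za-z]\w{4,31})\b"),
    "btc": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
}


def b58decode(s: str) -> bytes:
    """Base58 decode; raises ValueError on characters outside the alphabet (0, O, I, l)."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading_zeros + body


def is_valid_btc_legacy(addr: str) -> bool:
    """Base58Check: version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):   # P2PKH '1...' or P2SH '3...'
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_selectors(text: str) -> set[tuple[str, str]]:
    """Return (kind, normalized value) pairs found in one piece of text."""
    found = set()
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(1) if pat.groups else m.group(0)
            if kind == "pgp":
                value = value.replace(" ", "").upper()
            elif kind == "email":
                value = value.lower()
            elif kind == "btc" and not is_valid_btc_legacy(value):
                continue   # mistyped or fabricated address: not a usable pivot
            found.add((kind, value))
    return found


def correlate(sources: dict[str, str]) -> dict[str, list[str]]:
    """Selectors that appear in more than one source, with the sources they tie together."""
    seen = defaultdict(set)
    for name, text in sources.items():
        for kind, value in extract_selectors(text):
            seen[f"{kind}:{value}"].add(name)
    return {sel: sorted(names) for sel, names in seen.items() if len(names) > 1}


# Constructed sample sources: an onion vendor profile and an older clearnet forum post.
ONION_MIRROR = "darkshipper" + "q" * 45 + ".onion"      # constructed v3-length name
SAMPLE_SOURCES = {
    "onion_vendor_page": (
        "DarkShipper - fast EU shipping. Contact: DarkShipper@example.com or @darkshipper on Telegram. "
        "PGP: 1234 5678 9ABC DEF0 1234 5678 9ABC DEF0 1234 5678. "
        "Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. Mirror: http://" + ONION_MIRROR + "/"
    ),
    "clearnet_forum_post": (
        "Selling gear, message darkshipper@example.com. BTC 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa, "
        "backup wallet 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb (last character wrong, checksum fails)."
    ),
}

if __name__ == "__main__":
    for selector, names in correlate(SAMPLE_SOURCES).items():
        print(selector, "->", ", ".join(names))
```

Every selector the script surfaces is a pivot to run through search engines, WHOIS history, social media and breach data; the checksum step matters because an address that fails it was either copied wrongly or planted, and pivoting on it wastes time or misattributes.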
For instance, an email address found on a dark web site can be searched on Google and traced to a site on the regular internet, which opens a Pandora's box for the investigator. There are several ways to exploit such a lead to unmask an anonymous operator. WHOIS records can be combed for domain registration data that may reveal details about the owner. Operators also unknowingly leak data that OSINT practitioners can use: the distinctive language and phrasing they use on the forums where they communicate and answer questions offers insight into their real persona. Even when an email address belongs to an anonymous provider, its use on other sites such as social media platforms and forums can give away significant information. Breach data, used legally and ethically, can tie an online persona to a real name or physical address; a notable example is the 2021/2022 leak of user data from several VPN providers, including SuperVPN, GeckoVPN, and ChatVPN.

Advances in technology will play a profound part in future dark web market takedowns. Artificial Intelligence (AI) and Machine Learning (ML) will take central roles in OSINT: AI will help build web scraping tools that gather and analyze data quickly from many sources, while ML models can be trained to detect patterns and relationships in that data. These improvements will put wind under investigators' wings, freeing time and resources for more investigative work.

This article was drafted by Matt Edmondson, SANS Principal Instructor.

