TITANIUM: Tools for the Investigation of Transactions in Underground Markets

Monitoring the Dark Web

The Hague (13 August 2019)

Background

The Dark Web is a place on the internet designed so that it is easy to conceal the identities of natural persons. Besides legitimate activities, this has attracted a multitude of criminal business as well. The infamous Dark Markets are places where weapons, illicit drugs, child abuse material, stolen credentials, and other goods are traded. However, there is no Google here. Markets disappear and emerge as a result of scams or Law Enforcement action, and they change their structure frequently. Additionally, actors actively try to hide their identities as much as possible.

These features make it difficult for Law Enforcement to effectively gather evidence on the Dark Web. For one, it is slow (because of its technological design), but more importantly, it is very hard to create an overview of what happens where and to find out which users are active across different markets. Another reason to have a specialized monitor instead of just using a Tor browser is that the IT departments of Law Enforcement Agencies are usually not fond of individuals in their organizations accessing the Dark Web from within their network.

Standardized access

The Dark Web monitors of TNO aim to remove some of the barriers to researching the Dark Web. First, there is a so-called Persistent Monitor (PM) that contains an up-to-date overview of active and offline Tor hidden services, including a search index on the first depth of pages. Second, historic data of forums is available, which enables research into the communications of actors on the Dark Web.

TITANIUM has focused on the so-called Ephemeral Monitor (EM). The aim of this EM is to provide layered and unified access to Dark Market data. On the highest layer, an overview of topics per market is presented, and it is possible to drill down to individual markets, individual vendors, and their individual posts. The EM shows the Dark Web ‘as it is’ and does not store historic data (hence the name ‘ephemeral’).

An important feature of the EM is that it provides an intelligent and flexible way to control access to the data: sometimes local legislation or the mandates of LE Officers prevent them from accessing the most detailed information (which may contain personal information).

The EM makes it possible to identify connections across markets, based on similarity of users: usernames, PGP keys, authorship style or even the re-use of images may provide evidence for actors being active across different markets.
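The cross-market linking described above can be sketched as follows. This is an added example, not code from TNO or the TITANIUM project: it covers only the username and PGP key signals (authorship style and image re-use are left out), and the record layout, function names and sample profiles are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample profiles (market, username, PGP fingerprint); all made up.
VENDORS = [
    ("market-a", "Green_Leaf", "AAAA 1111 BBBB 2222 CCCC 3333 DDDD 4444 EEEE 5555"),
    ("market-b", "greenleaf", None),
    ("market-c", "gl_official", "aaaa1111bbbb2222cccc3333dddd4444eeee5555"),
    ("market-b", "nightowl", "FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000"),
]

def norm_username(name):
    # Fold case and drop separators so "Green_Leaf" and "greenleaf" compare equal.
    return re.sub(r"[^a-z0-9]", "", name.casefold())

def norm_fingerprint(fpr):
    # Fingerprints are published with varying spacing and letter case.
    return re.sub(r"\s+", "", fpr).upper() if fpr else None

def link_vendors(records):
    """Group profiles that share a username or PGP fingerprint (union-find)."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen, links = {}, []
    for i, (_, user, fpr) in enumerate(records):
        for key in (("username", norm_username(user)), ("pgp", norm_fingerprint(fpr))):
            if not key[1]:
                continue  # missing key or empty username: nothing to match on
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
                links.append((i, key[0]))  # remember which signal joined them
            else:
                first_seen[key] = i

    members, evidence = defaultdict(list), defaultdict(set)
    for i, (market, user, _) in enumerate(records):
        members[find(i)].append((market, user))
    for i, kind in links:
        evidence[find(i)].add(kind)
    # Report only groups that span more than one market.
    return sorted(({"profiles": sorted(m), "evidence": sorted(evidence[r])}
                   for r, m in members.items() if len({p[0] for p in m}) > 1),
                  key=lambda c: c["profiles"])
```

A group joined only by `username` is a weak lead, since common handles collide by chance, whereas a shared PGP fingerprint means both profiles published the same public key.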

TITANIUM

The TITANIUM project is a European collaborative R&D project. TNO is a partner in this project and has developed the EM as a part of this project; it will be made available through the project. Access to the PM can be arranged through TNO. The monitor tooling can be used without training.