Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Investigation Workflows

Practical step-by-step workflows for common dark web investigations using the Graph Platform.

Tracing a Cryptocurrency Address

Goal: Identify all dark web services connected to a known cryptocurrency wallet and map relationships between them.

Steps

  1. Add the wallet address

    • Enter the cryptocurrency address in the search bar
    • Select the matching result to add it to the canvas

  2. Expand the wallet node

    • Double-click the node to fetch all servers in the Hades database where this address appears
    • Each server is added as a child node with a found on edge

  3. Profile each server

    • Click individual server nodes to view their risk classification, title, and intent categories in the detail panel
    • Identify which marketplaces, vendors, or services are accepting the wallet

  4. Expand high-value servers

    • Double-click servers of interest to fetch their full entity set: other wallets, email addresses, Telegram channels, etc.
    • Look for entities shared between multiple servers — these indicate the same operator

  5. Cross-reference other wallets

    • Select any new wallet nodes discovered and expand them in turn
    • Servers that appear in multiple wallet expansions are likely controlled by the same actor

  6. Save the investigation

    • Use the toolbar to name the graph (e.g. BTC Wallet 1A2B… Network) and save

Identifying Shared Infrastructure

Goal: Determine whether multiple dark web sites are operated by the same actor through infrastructure fingerprinting.

Hades tracks two infrastructure fingerprints: Script Hash Values (SHV) — identifying sites running identical JavaScript code — and SSH fingerprints — identifying servers sharing the same hosting environment.

Steps

  1. Start with a known server

    • Search for the onion address and add it to the canvas

  2. Expand the server

    • Double-click to reveal connected nodes — look for SHV nodes (script hash values) and SSH nodes in the results

  3. Expand an SHV node

    • Double-click an SHV node to see every server running the identical JavaScript
    • Sites sharing an SHV were likely built from the same codebase or template — strong evidence of the same operator or hosting platform

  4. Expand an SSH node

    • Double-click an SSH fingerprint node to see all servers sharing that host key
    • Sites sharing an SSH fingerprint are co-hosted on the same physical or virtual machine

  5. Look for clusters

    • Use the node type filter to hide entity types that aren’t relevant and focus on the infrastructure picture
    • A cluster of servers connected through shared SHV and SSH nodes indicates a single operator managing multiple services

  6. Validate with entity overlap

    • Expand several of the clustered servers and check for shared Bitcoin addresses, emails, or Telegram accounts
    • Multiple shared indicators across the cluster strongly supports attribution to one actor

Vendor Attribution Across Marketplaces

Goal: Link a dark web vendor’s activity across multiple marketplaces using shared identifiers.

Steps

  1. Start with a known marketplace listing

    • Search for the marketplace server address and add it to the canvas
    • Expand it to reveal all associated entities

  2. Identify vendor-specific entities

    • Look for PGP keys, Telegram handles, or email addresses that appear on the site
    • Vendor contact details are strong identifiers — they are rarely reused by different actors

  3. Pivot through a PGP key or Telegram handle

    • Click the entity node to view its appearances list in the detail panel
    • The appearances list shows every server in the database where this entity was found
    • Click any address in the list to add that server to the graph

  4. Build the vendor network

    • Add the additional servers to the graph and expand them
    • Look for further shared entities across the new servers
    • Cryptocurrency addresses shared across multiple markets are particularly strong attribution evidence

  5. Establish the timeline

    • The detail panel for each server shows crawl timestamps
    • Ordering servers chronologically (by crawl date) can reveal when a vendor migrated between markets

  6. Document the network

    • Name the graph after the vendor or investigation reference
    • Export a PNG or PDF of the completed graph for reporting

Following a New Onion Address

Goal: Quickly profile an unknown onion address and assess its risk and connections.

Steps

  1. Add the server

    • Enter the onion address in the search bar and add it to the canvas

  2. Review the detail panel

    • Click the server node and review its risk classification, intent categories, and confidence score in the detail panel
    • Note the title, description, and last seen timestamp

  3. Expand the server

    • Double-click to reveal all connected entities and infrastructure
    • The initial expansion gives a comprehensive picture of what was found on the site: wallets, contact details, technology fingerprints

  4. Use the node type filter

    • Toggle entity types to focus your analysis
    • Show only cryptocurrency nodes to assess the payment infrastructure
    • Show only SHV/SSH nodes to assess the hosting fingerprint
    • Show only communication nodes (email, Telegram) to find operator contact points

  5. Assess co-hosted activity

    • If SSH fingerprint nodes are present, expand them to see what other sites share the same infrastructure
    • Co-hosted sites may have different content risk classifications that inform the overall threat picture

  6. Make the attribution decision

    • Based on shared entities and infrastructure, assess whether the server is part of a known network or an isolated site
    • Save or export the graph with your findings

Working with Large Graphs

As an investigation grows, the canvas can become dense. These techniques help maintain clarity.

Collapse explored branches

Once you’ve finished investigating a particular branch and documented your findings, right-click the branch root and select Collapse. The subtree is hidden but preserved — expand it again at any time.

Use the node type filter

When a particular entity type is generating noise (e.g. hundreds of image nodes from a media-heavy site), click its pill in the filter strip to hide all nodes of that type without removing them.

Focus with Select Neighbors

Right-click any node and choose Select Neighbors to select only the nodes directly connected to it. Combined with the detail panel summary, this gives a quick overview of a specific node’s immediate context.

Fit view

Press F or use Right-click → Fit View to zoom out and see all nodes on screen at once. Useful after several expansions have pushed nodes off the visible area.

Remove dead ends

If an expansion reveals nodes that are not relevant to the investigation, select them and press Delete to remove them and their subtrees. This keeps the graph focused on the evidence that matters.

© 2026 © Aikos Technologies Limited - All Rights Reserved.