Tracking & Analytics Transforms

Discover Google Analytics and Google AdSense tracking IDs to link sites by operator. These transforms leverage clearnet tracking codes inadvertently or intentionally embedded in dark web sites.

Overview

Many dark web sites, especially those with clearnet mirror sites or sites operated by less sophisticated administrators, include Google tracking codes. These provide strong attribution signals:

  • Google Analytics - Web analytics tracking IDs (format: UA-XXXXXX-X or G-XXXXXXXXXX)
  • Google AdSense - Advertising revenue tracking IDs (format: ca-pub-XXXXXXXXXXXXXXXX)

Sites sharing these IDs are operated by the same person or organization, as these IDs are tied to Google accounts.


FetchGoogleAnalytics

Transform Name: FetchGoogleAnalytics

Description

Extracts all Google Analytics and Google AdSense tracking IDs found on a specified onion site. This single transform covers both Analytics and AdSense tracking codes.

Input Entity

  • hades.v2.onion - An onion site address

Output Entities

  • maltego.UniqueIdentifier - Google tracking IDs (Analytics or AdSense)

Tracking ID Formats

  • Universal Analytics - UA-XXXXXX-X (older format)
  • Google Analytics 4 - G-XXXXXXXXXX (newer format)
  • AdSense Publisher ID - ca-pub-XXXXXXXXXXXXXXXX

Use Cases

  • Identify sites tracked by the same Google account
  • Link clearnet and dark web presences of operators
  • Track amateur operators who don’t understand operational security
  • Find forgotten tracking codes left in site templates
  • Identify sites monetized by the same Google account

Investigation Tips

  • Google Analytics on dark web sites is a major operational security failure
  • Sites sharing Analytics IDs are definitively operated by the same Google account holder
  • Google AdSense on dark web sites is extremely rare (against Google ToS) - when found, it’s a critical opsec failure
  • A high appearance count suggests a widely used template with the tracking ID left in
  • Can potentially correlate with clearnet sites using the same tracking ID

SearchByGoogleAnalytics

Transform Name: SearchByGoogleAnalytics

Description

Finds all onion sites that use a specific Google Analytics or AdSense tracking ID. Works with both Analytics and AdSense IDs in a single search.

Input Entity

  • maltego.UniqueIdentifier - A Google tracking ID (Analytics or AdSense)

Output Entities

  • hades.v2.onion - Onion site addresses

Use Cases

  • Find all dark web sites operated by the same Google account holder
  • Link an operator’s entire portfolio of sites
  • Track clearnet-to-dark web connections
  • Identify related operations through shared analytics or advertising

What Shared Tracking IDs Mean

  • Same tracking ID = Same Google account = Same operator (very high confidence)
  • This is one of the strongest attribution signals available
  • AdSense accounts include payment details tied to real bank accounts
  • Can potentially be verified through Google Analytics/AdSense data if accessible

Investigation Workflow Examples

Operator Portfolio Discovery

  1. Extract tracking IDs from target site

    • Input: targetsite123abc.onion
    • Run: FetchGoogleAnalytics
    • Result: All Google tracking IDs found on the site (both Analytics and AdSense)
  2. Find all sites with same tracking

    • Input: Each tracking ID
    • Run: SearchByGoogleAnalytics
    • Result: Complete portfolio of sites tracked by the same Google account
  3. Analyze the portfolio

    • Review all sites discovered
    • Identify mix of clearnet and dark web sites
    • Note content types and business models
    • Map the operator’s entire web presence
  4. Build operator profile

    • Cross-reference with other intelligence:
      • Run FetchBitcoinAddresses on each site
      • Run FetchEmailAddresses and other contact transforms
    • Sites with shared Google tracking + shared contacts = definitive attribution
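
The extract-then-pivot steps above, as an added example (not the Hades transforms' own code): it pulls IDs in the three formats listed under Tracking ID Formats out of page source, indexes sites by ID, and marks high-count IDs for the template-reuse check from the Investigation Tips. The regex digit counts, the function names, the threshold and all sample hosts and IDs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns follow the formats listed on this page; exact lengths are assumptions.
PATTERNS = {
    "universal-analytics": re.compile(r"(?<![A-Za-z0-9])UA-\d{4,10}-\d{1,4}(?!\d)"),
    "ga4": re.compile(r"(?<![A-Za-z0-9-])G-[A-Z0-9]{10}(?![A-Za-z0-9])"),
    "adsense": re.compile(r"(?<![A-Za-z0-9])ca-pub-\d{16}(?!\d)"),
}

def extract_tracking_ids(html):
    """Return {tracking_id: kind} for every ID found in one page's source."""
    found = {}
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(html):
            found[m.group(0)] = kind
    return found

def build_index(pages):
    """Map each tracking ID to the set of sites whose source contains it."""
    index = defaultdict(set)
    for site, html in pages.items():
        for tid in extract_tracking_ids(html):
            index[tid].add(site)
    return index

def shared_ids(index, template_threshold=3):
    """IDs seen on 2+ sites; counts >= threshold are marked for template-reuse review."""
    out = {}
    for tid, sites in index.items():
        if len(sites) >= 2:
            out[tid] = {"sites": sorted(sites),
                        "review_template_reuse": len(sites) >= template_threshold}
    return out

# Constructed sample pages (hostnames and IDs are made up).
SAMPLE_PAGES = {
    "exampleaaa.onion": "<script>ga('create','UA-1234567-1','auto');</script>",
    "examplebbb.onion": "<script src='https://www.googletagmanager.com/gtag/js?id=UA-1234567-1'></script>"
                        "<ins data-ad-client='ca-pub-1234567890123456'></ins>",
    "exampleccc.onion": "<script>gtag('config','G-ABCDE12345');</script><img src='LOGO-G-1.png'>",
    "mirror.example": "<ins class='adsbygoogle' data-ad-client='ca-pub-1234567890123456'></ins>",
}

if __name__ == "__main__":
    for tid, info in shared_ids(build_index(SAMPLE_PAGES)).items():
        print(tid, info)
```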

Clearnet-to-Dark Web Linking

  1. Start with dark web site using Google tracking

    • Input: Dark web onion address with tracking ID
    • Run: FetchGoogleAnalytics
    • Result: Google tracking ID
  2. Search for tracking ID across platforms

    • Use external tools to search clearnet for the same tracking ID
    • Many websites leak their Analytics IDs in source code
    • Build a list of all sites (dark web and clearnet) using this ID
  3. Identify the operator

    • Clearnet sites may have:
      • WHOIS registration information
      • Contact forms with real emails
      • Social media links
      • Business registration details
    • This can reveal the true identity of the dark web operator

Cross-Platform Attribution

Google tracking codes can be combined with other attribution methods:

High Confidence Attribution Stack:

  1. Same Google Analytics/AdSense ID (Google account match)
  2. Same cryptocurrency wallets (financial link)
  3. Same email/Telegram contacts (communication link)
  4. Same SSH fingerprint (infrastructure link)
  5. Same SHV (code/template link)

Example Workflow:

  1. Find sites with shared tracking ID → Get suspect sites
  2. Run FetchBitcoinAddresses on all → Identify shared wallets
  3. Run FetchEmailAddresses on all → Identify shared contacts
  4. Run FetchSSHFingerprints on all → Identify shared infrastructure
  5. Build attribution case with multiple corroborating indicators

Why Google Tracking on Dark Web is Significant

Operational Security Failures

  • Reveals Google account associated with dark web operations
  • Links clearnet identity to dark web activities
  • Provides law enforcement with subpoena target (Google account)
  • Exposes real-world financial information (AdSense payments)

Attribution Value

  • Definitive link - Same Google account = same operator (no ambiguity)
  • Clearnet connection - Google accounts require real information
  • Financial trail - AdSense payments go to real bank accounts
  • Persistent identifier - Tracking IDs rarely change once set