[PRINCIPAL / PROTECTEE NAME] - Collection Map
OSINT-058 Dark Web Exposure Assessment - collection workspace. Central topic = the principal (person or org) whose dark-web exposure is being assessed. This is a consent-based, defensive assessment - all collection is lawful, authorized-access only. Branches are the data-point categories for this dark-web exposure assessment. Seed each selector as a clonable block; expand with where it was found. Paste raw tool output into node Notes. → feeds deliverable OSINT-058. Scope boundary: surface/clearnet exposure → OSINT-055; doxxing attack pathways → OSINT-056; threat-actor attribution → OSINT-059; ongoing monitoring → OSINT-060.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer. Tick each EEI as satisfied. → drives §3 Key Judgments, §4 PIRs, §15 Verified Findings Summary, §16 Red Flags, §19 Gaps.
PIR-1 - Credential & Breach Exposure: what of the principal’s credentials / PII is present in known breach corpora, and is that data circulating on dark-web markets or forums?
- EEI: all principal email selectors checked against breach-corpus exposure-checking services (lawful, selector-based, no data acquisition)
- EEI: data classes implicated per breach identified (credential hash/plaintext, name, DOB, SSN, address, financial, device)
- EEI: recency and disclosure period established per breach item
- EEI: credential-reuse / account-takeover risk assessed per exposure
- EEI: evidence of breached data actively listed or traded on dark-web markets
PIR-2 - Dark-Web Marketplace & Venue Exposure: is the principal’s data being sold or traded on dark-web marketplaces, carding shops, or identity-broker platforms?
- EEI: search of accessible marketplace venues (clear-net gateways, public onion services) for principal selectors
- EEI: listing type, price/volume signals, and recency recorded per hit
- EEI: venue reliability and reputation assessed
- EEI: active listings vs. historical/archived references distinguished
PIR-3 - Dark-Web Forum & Chatter Exposure: are threat actors mentioning, targeting, or coordinating against the principal on dark-web forums or discussion environments?
- EEI: forum/board searches for principal name, handles, org, selectors via lawful public-source methods
- EEI: threat-actor context assessed (opportunistic vs. directed targeting intent)
- EEI: operational planning signals identified (reconnaissance, doxxing coordination, attack planning)
- EEI: credibility and reliability of source environment assessed
- EEI: raw chatter vs. substantiated claims distinguished
PIR-4 - Encrypted-Messaging & Closed-Platform Exposure: what dark-web exposure exists on encrypted-messaging platforms and closed communication surfaces?
- EEI: principal account/mention presence on Telegram public channels/groups, Discord, Matrix, IRC enumerated via lawful means
- EEI: leaked or archived message content involving principal identified
- EEI: impersonation and social-engineering vectors assessed
- EEI: authorized access basis documented per platform
PIR-5 - Criminal-Data-Trade & Identity-Fraud Risk: is the principal’s bundled identity data being traded or used in identity-fraud operations?
- EEI: evidence of fullz / identity-kit packages containing principal data
- EEI: synthetic-identity construction or account-opening signals identified
- EEI: data package contents and broker/trader context recorded
- EEI: indicators of actual fraudulent use assessed (loan applications, account openings, tax/benefit fraud)
PIR-6 - Threat-Actor Targeting: is there specific, credible threat-actor targeting (campaigns, doxxing ops, physical-threat signals) aimed at the principal?
- EEI: any specific targeting campaigns, doxxing operations, or harassment coordination identified
- EEI: physical-threat signals or reputation-scoring by threat actors assessed
- EEI: specificity and credibility of threat signals graded
- EEI: urgency and directness to principal established
Collection gaps / RFIs (running)
- [dark-web venues not lawfully accessible - note and route to OSINT-059 for authorized-access investigation]
- [suspected breach data not yet confirmed - route to breach-corpus recheck]
- [unresolved marketplace/forum postings - note data-persistence uncertainty]
- [open item] → route to [product]
01 · Identity Anchor
Establish the principal uniquely before any dark-web searching - every downstream finding is only as good as the selector → principal link. → feeds §6 Identity & Selector Inventory, §5 Assessment Scope, §15 Verified Findings Summary.
Principal identity
- Full legal name:
- AKA / aliases / former names:
- DOB / YOB (where applicable):
- Role / profile (public-facing, executive, private individual):
- Threat context / risk profile narrative:
- Consent / authorization basis (ref):
Same-name / misattribution caveat
- Same-name candidates identified and excluded:
- Disambiguation approach:
- Identity-resolution confidence (overall): [Confirmed / Probable / Possible / Unresolved]
Assessment window
- Collection start date:
- Collection end date (as-of):
- Volatility note (dark-web data ephemeral):
02 · Selectors & Accounts
The pivot core for all dark-web searches. Enumerate all principal selectors - each value is its own clonable block. Confirm selector → principal attribution before searching. Clone blocks per value. → feeds §6 Identity & Selector Inventory, §7 Breach & Credential-Exposure Findings.
Email addresses
→ §6 Identity & Selector Inventory, §7 Breach & Credential-Exposure Findings. Tools: holehe, h8mail, hunter.io, haveibeenpwned (consented selector-checking only - no data acquisition).
- [email - e.g. principal@domain.com]
- Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
- Type: [primary / alias / work / legacy]
- Linked accounts (account-discovery):
- Breach / paste appearances (count):
- Where found / source (URL):
- Notes / tool output:
- [email 2]
Usernames / handles
→ §6 Identity & Selector Inventory, §8 Dark-Web Marketplace & Venue Exposure, §9 Forum & Chatter. Tools: idcrawl, sherlock, whatsmyname, maigret.
- [handle - e.g. p_smith_99]
- Platforms / where found (URL):
- Linked email(s):
- Linked phone(s):
- Dark-web platform appearances:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [handle 2]
Phone numbers
→ §6 Identity & Selector Inventory; cross-check against breach/PII exposure. Tools: truecaller, caller-ID lookups, breach-corpus phone checks.
- [number - e.g. +1 555-0199]
- Type: [mobile / landline / VoIP]
- Linked accounts / apps:
- Breach / paste appearances:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [number 2]
Domain names
→ §6 Identity & Selector Inventory, §7 Breach & Credential-Exposure Findings. Tools: whois, crt.sh, passive DNS.
- [domain - e.g. principaldomain.com]
- Registrant / WHOIS:
- Associated IP(s):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [domain 2]
Physical identifiers (PII selectors)
Search breach corpora for name+DOB, name+address, SSN partial, etc. via lawful consented checking only.
- [identifier type - e.g. name + DOB partial]
- Breach appearances:
- Data classes co-exposed:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes:
03 · Credential & Breach Exposure
Lawful exposure-checking of principal selectors against known public breach corpora and dark-web credential dumps. No data acquisition, no decryption, no use of breached secrets, no account access. Clone per breach item. → feeds §7 Breach & Credential-Exposure Findings, §14 Exposure Severity Register, §Appendix E. Tools: breach-corpus exposure-checking services (consented, selector-based); paste-site indexers.
Breach exposure item
Clone this block per breach / dump. Distinguish credential-exposure (password hash/plaintext) from PII-exposure (name/address/DOB/SSN/financial).
- [breach name / dump label - e.g. “CompanyX 2022 dump”]
- Exposed selector:
- Data classes implicated: [e.g., email + password-hash, name, DOB, address, SSN-partial, financial]
- Exposure type: [credential-exposure / PII-exposure / both]
- Disclosure period / presumed recency:
- Credential-reuse / ATO risk to principal: [High / Medium / Low]
- Source grade (Admiralty A–F / 1–6):
- Confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [breach item 2]
Paste-site & leak-repository exposure
- [paste ref / repo - e.g. pastebin, ghostbin, breach.xxx indexer]
- Selector exposed:
- Data content observed (do not acquire / store):
- Date of paste:
- Significance to principal:
- Source grade:
- Notes:
Credential reuse assessment (cross-selector)
- Password reuse signals across accounts:
- Accounts most at ATO risk (ranked):
- Recommended priority rotation:
04 · Dark-Web Presence
Presence of the principal’s data on dark-web marketplaces, carding shops, identity-broker venues, forums, and leak sites - accessed via clear-net gateways or public onion services only. No unauthorized account creation or forum access. → feeds §8 Dark-Web Marketplace & Venue Exposure, §9 Dark-Web Forum & Chatter, §11 Criminal-Data-Trade, §12 Dark-Web Reputation.
Marketplace & venue listings
Clone per venue/listing. → §8 Dark-Web Marketplace & Venue Exposure, §14 Exposure Severity Register.
- [venue / marketplace class - e.g. credential-trading shop, carding forum market section]
- Data offered: [e.g., credential set, PII bundle, fullz, financial data]
- Principal selector linked:
- Price / volume signal (if observable):
- Listing recency:
- Active vs. archived: [Active / Archived / Unknown]
- Venue reliability:
- Source grade (Admiralty A–F / 1–6):
- Notes / capture ref:
- [venue 2]
Dark-web forum & board mentions
Clone per forum/thread. → §9 Dark-Web Forum & Chatter Exposure.
- [forum / environment - e.g. dark-web discussion board, closed channel archive]
- Mention type: [General / Targeted / Doxxing-related / Threat-planning signal]
- Mention context (summary, no PII reproduction):
- Threat-actor attribution (if assessable):
- Substantiation: [Raw claim / Corroborated / Contradicted]
- Source grade (Admiralty A–F / 1–6):
- Capture ref:
- [forum mention 2]
Leak-site & document-dump exposure
Clone per leak-site hit. → §7 Breach & Credential-Exposure Findings, §11 Criminal-Data-Trade.
- [leak site / dump repo - e.g. ransomware leak site, data-dump indexer]
- Data type exposed:
- Principal selector presence:
- Date listed:
- Organization/context if applicable:
- Source grade:
- Notes / capture ref:
- [leak site 2]
Dark-web reputation & targeting signals
→ §12 Dark-Web Reputation & Threat-Actor Targeting, §16 Red Flag / Notable Indicators.
- [threat signal / targeting reference]
- Source environment:
- Specificity / credibility:
- Directness to principal: [Direct / Indirect / Incidental]
- Urgency: [Immediate / Near-term / Watchlist]
- Source grade (Admiralty A–F / 1–6):
- Notes / capture ref:
- [threat signal 2]
05 · Digital Footprint & PII Exposure
Surface-web and data-broker PII exposure that increases the principal’s dark-web exploitability - provides the “composable” data that adversaries enrich breached credentials with. This branch is scoped to dark-web-relevant composition risk only; full clearnet digital footprint analysis is in OSINT-055. → feeds §13 Exposure-to-Harm Pathways (enabling exposures), §20 Remediation Plan.
Data broker / people-search exposure
Tools: public records searches, people-finders, data broker opt-out status.
- [broker / aggregator class - e.g. people-search site, data broker, background-check aggregator]
- PII fields exposed: [name / DOB / address / phone / email / relatives / employment]
- Composability risk with dark-web breach data: [High / Medium / Low]
- Opt-out / suppression status:
- Notes:
Public records exposure
- [record type - e.g. property record, court filing, voter roll, business registration]
- PII fields exposed:
- Composability risk:
- Suppression / sealing option: [Yes / No / Partial]
- Source:
Social media PII overshare (dark-web-relevant only)
Clone per platform if PII overshare materially increases dark-web harm pathways.
- [platform - e.g. LinkedIn, Facebook]
- PII overshared (relevant to dark-web ATO / targeting):
- Composability with breach data:
- Remediation (profile restriction, data removal):
06 · Infrastructure
Domain names, IP addresses, and digital assets associated with the principal - checked against dark-web exposure (leaked configs, credential dumps for services, mentions in threat-actor targeting). → feeds §6 Identity & Selector Inventory, §7 Breach findings for service accounts, §13 Exposure-to-Harm Pathways. Tools: whois, crt.sh, Shodan (passive), passive DNS, SecurityTrails.
Domains associated with principal
Clone per domain. → §6 Identity & Selector Inventory.
- [domain - e.g. principalsite.com]
- Registrant / WHOIS data:
- Registration date / expiry:
- Associated IP(s):
- Certificate history (crt.sh):
- Dark-web mention / breach exposure of this domain:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [domain 2]
IP addresses / hosting
- [IP / ASN / hosting provider]
- Services running:
- Exposure / dark-web mention:
- Notes:
Cloud / SaaS accounts (service-level breach exposure)
Credential exposure for org-level services (email platform, cloud, CRM, etc.).
- [service - e.g. Microsoft 365, Google Workspace, Salesforce]
- Selector / account exposed in breaches:
- ATO risk level:
- MFA status (if known):
- Notes:
07 · Attack Surface & Vulnerabilities
Synthesize the exposure items into realistic harm pathways and surface attack-surface factors that amplify exploitability. This branch feeds the analytical sections, not raw collection. → feeds §13 Exposure-to-Harm Pathways, §14 Exposure Severity Register, §17 ACH, §20 Remediation.
Harm pathway mapping
Map each composed pathway; cross-ref to enabling exposures by section. Clone per pathway.
- [pathway - e.g. credential-stuffing / ATO]
- Enabling dark-web exposures (cross-ref §):
- Adversary capability assumed:
- Composability score (how easily enabling data combines): [High / Medium / Low]
- Disrupting remediation:
- Residual risk after remediation:
- [pathway 2 - e.g. synthetic identity fraud]
- [pathway 3 - e.g. social-engineering / pretext using breached PII]
- [pathway 4 - e.g. extortion / reputation attack using leaked material]
- [pathway 5 - e.g. physical targeting using dark-web location data]
Attack-surface amplifiers
- Credential reuse across personal + professional accounts:
- Weak / missing MFA on high-value accounts:
- PII composability from multiple breach sources:
- Dark-web reputation or targeting signals present:
- Encrypted-platform exposure enabling social engineering:
Exposure severity scoring (pre-register)
Full register → §14. Pre-score here during collection for triage.
- [exposure ID - e.g. E-1: email+password in active dark-web market listing]
- Likelihood (exploitability, 1–5):
- Impact (harm if used, 1–5):
- Inherent score (1–25):
- Band: [Low / Moderate / Elevated / High / Critical]
- Remediation lane: [credential / suppression / behavioral / escalation]
- Residual score (post-remediation, 1–25):
08 · Attribution & Threat Actors
Attributable threat-actor targeting of the principal on dark-web surfaces. Distinguish opportunistic credential-reuse (low-sophistication, mass) from directed, specific targeting. Full threat-actor profiling and attribution investigation deferred to OSINT-059. → feeds §9 Dark-Web Forum & Chatter, §12 Dark-Web Reputation & Threat-Actor Targeting, §16 Red Flags.
Threat-actor targeting signals
Clone per signal / threat actor group.
- [signal / actor reference - e.g. forum post targeting principal, doxxing thread]
- Source environment (forum, market, encrypted channel):
- Targeting specificity: [Mass/opportunistic / Semi-targeted / Specifically directed]
- Credibility of signal: [High / Medium / Low]
- Operational planning indicators:
- Physical threat component: [Yes / No / Possible]
- Urgency: [Immediate / Near-term / Watchlist / Historical]
- Source grade (Admiralty A–F / 1–6):
- Attribution confidence (to actor/group): [Confirmed / Probable / Possible / Unknown]
- Escalation threshold reached: [Yes / No]
- Notes / capture ref:
- [signal 2]
Encrypted-messaging & closed-platform targeting
→ §10 Encrypted-Messaging & Closed-Platform Exposure.
- [platform / channel - e.g. Telegram public channel, Discord server]
- Attribution confidence (principal’s account / mention): [Confirmed / Probable / Possible]
- Exposed content / context (summary):
- Exploitability vector: [Impersonation / Social-engineering / Account-takeover / Doxxing coordination]
- Authorized access basis: [Public channel / Principal-owned account consent / Other]
- Notes:
- [platform 2]
ACH working notes
Preliminary competing hypotheses for §17 ACH - refine before finalizing report.
- H1 (primary):
- H2 (alternative):
- H3 (alternative):
- Most diagnostic evidence:
- Key assumptions for §18 KAC:
99 · Collection Admin
Working audit trail - not a deliverable section, but the record-keeping layer behind Annex A and Appendices B–H.
Source register
Every material datum traceable to a graded source. → feeds §Annex A Sources & Methodology, §Appendix C Full Source Register.
- [S-1 - source description]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
- URL / access method:
- Lawful basis / authorized-access basis confirmed: [Yes / No]
- Notes:
Evidence archive
→ feeds §Appendix D Evidence Archive & Chain-of-Custody Pointer, §Appendix E Breach-Exposure Register, §Appendix F Marketplace & Forum Reference Register.
- [capture ref + hash + URL + timestamp + storage location]:
Legal & ethical compliance log
- Consent / authorization on file (ref):
- No technical intrusion confirmed:
- No unauthorized account access confirmed:
- No malware / impersonation used confirmed:
- Breach data - no acquisition / decryption / use confirmed:
- GDPR / CCPA handling note for third-party PII surfaced:
- Non-FCRA consumer report status confirmed:
Open gaps / RFIs
→ feeds §19 Collection Gaps & RFIs.
- [gap - dark-web venue not lawfully accessible: impact, recommended lawful collection, priority]
- [gap - suspected breach data unconfirmed: impact, recheck plan, priority]
- [gap - unresolved targeting signal: impact, escalation path, priority]
- [open item → route to product / RFI holder]
Selector & identifier index (pre-Appendix B)
→ feeds §Appendix B Selector & Identifier Index.
- [selector] - [type] - [resolution confidence] - [disambiguation note]