[PRINCIPAL / PROTECTEE NAME] - Collection Map

OSINT-058 Dark Web Exposure Assessment - collection workspace. Central topic = the principal (person or org) whose dark-web exposure is being assessed. This is a consent-based, defensive assessment - all collection is lawful, authorized-access only. Branches are the data-point categories for this dark-web exposure assessment. Seed each selector as a clonable block; expand with where it was found. Paste raw tool output into node Notes. → feeds deliverable OSINT-058. Scope boundary: surface/clearnet exposure → OSINT-055; doxxing attack pathways → OSINT-056; threat-actor attribution → OSINT-059; ongoing monitoring → OSINT-060.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer. Tick each EEI as satisfied. → drives §3 Key Judgments, §4 PIRs, §15 Verified Findings Summary, §16 Red Flags, §19 Gaps.

PIR-1 - Credential & Breach Exposure: what of the principal’s credentials / PII is present in known breach corpora, and is that data circulating on dark-web markets or forums?

  • EEI: all principal email selectors checked against breach-corpus exposure-checking services (lawful, selector-based, no data acquisition)
  • EEI: data classes implicated per breach identified (credential hash/plaintext, name, DOB, SSN, address, financial, device)
  • EEI: recency and disclosure period established per breach item
  • EEI: credential-reuse / account-takeover risk assessed per exposure
  • EEI: evidence of breached data actively listed or traded on dark-web markets

PIR-2 - Dark-Web Marketplace & Venue Exposure: is the principal’s data being sold or traded on dark-web marketplaces, carding shops, or identity-broker platforms?

  • EEI: search of accessible marketplace venues (clear-net gateways, public onion services) for principal selectors
  • EEI: listing type, price/volume signals, and recency recorded per hit
  • EEI: venue reliability and reputation assessed
  • EEI: active listings vs. historical/archived references distinguished

PIR-3 - Dark-Web Forum & Chatter Exposure: are threat actors mentioning, targeting, or coordinating against the principal on dark-web forums or discussion environments?

  • EEI: forum/board searches for principal name, handles, org, selectors via lawful public-source methods
  • EEI: threat-actor context assessed (opportunistic vs. directed targeting intent)
  • EEI: operational planning signals identified (reconnaissance, doxxing coordination, attack planning)
  • EEI: credibility and reliability of source environment assessed
  • EEI: raw chatter vs. substantiated claims distinguished

PIR-4 - Encrypted-Messaging & Closed-Platform Exposure: what dark-web exposure exists on encrypted-messaging platforms and closed communication surfaces?

  • EEI: principal account/mention presence on Telegram public channels/groups, Discord, Matrix, IRC enumerated via lawful means
  • EEI: leaked or archived message content involving principal identified
  • EEI: impersonation and social-engineering vectors assessed
  • EEI: authorized access basis documented per platform

PIR-5 - Criminal-Data-Trade & Identity-Fraud Risk: is the principal’s bundled identity data being traded or used in identity-fraud operations?

  • EEI: evidence of fullz / identity-kit packages containing principal data
  • EEI: synthetic-identity construction or account-opening signals identified
  • EEI: data package contents and broker/trader context recorded
  • EEI: indicators of actual fraudulent use assessed (loan applications, account openings, tax/benefit fraud)

PIR-6 - Threat-Actor Targeting: is there specific, credible threat-actor targeting (campaigns, doxxing ops, physical-threat signals) aimed at the principal?

  • EEI: any specific targeting campaigns, doxxing operations, or harassment coordination identified
  • EEI: physical-threat signals or reputation-scoring by threat actors assessed
  • EEI: specificity and credibility of threat signals graded
  • EEI: urgency and directness to principal established

Collection gaps / RFIs (running)

  • [dark-web venues not lawfully accessible - note and route to OSINT-059 for authorized-access investigation]
  • [suspected breach data not yet confirmed - route to breach-corpus recheck]
  • [unresolved marketplace/forum postings - note data-persistence uncertainty]
  • [open item] → route to [product]

01 · Identity Anchor

Establish the principal uniquely before any dark-web searching - every downstream finding is only as good as the selector → principal link. → feeds §6 Identity & Selector Inventory, §5 Assessment Scope, §15 Verified Findings Summary.

Principal identity

  • Full legal name:
  • AKA / aliases / former names:
  • DOB / YOB (where applicable):
  • Role / profile (public-facing, executive, private individual):
  • Threat context / risk profile narrative:
  • Consent / authorization basis (ref):

Same-name / misattribution caveat

  • Same-name candidates identified and excluded:
  • Disambiguation approach:
  • Identity-resolution confidence (overall): [Confirmed / Probable / Possible / Unresolved]

Assessment window

  • Collection start date:
  • Collection end date (as-of):
  • Volatility note (dark-web data ephemeral):

02 · Selectors & Accounts

The pivot core for all dark-web searches. Enumerate all principal selectors - each value is its own clonable block. Confirm selector → principal attribution before searching. Clone blocks per value. → feeds §6 Identity & Selector Inventory, §7 Breach & Credential-Exposure Findings.

Email addresses

→ §6 Identity & Selector Inventory, §7 Breach & Credential-Exposure Findings. Tools: holehe, h8mail, hunter.io, haveibeenpwned (consented selector-checking only - no data acquisition).

  • [email - e.g. principal@domain.com]
    • Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Type: [primary / alias / work / legacy]
    • Linked accounts (account-discovery):
    • Breach / paste appearances (count):
    • Where found / source (URL):
    • Notes / tool output:
  • [email 2]

Usernames / handles

→ §6 Identity & Selector Inventory, §8 Dark-Web Marketplace & Venue Exposure, §9 Forum & Chatter. Tools: idcrawl, sherlock, whatsmyname, maigret.

  • [handle - e.g. p_smith_99]
    • Platforms / where found (URL):
    • Linked email(s):
    • Linked phone(s):
    • Dark-web platform appearances:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [handle 2]

Phone numbers

→ §6 Identity & Selector Inventory; cross-check against breach/PII exposure. Tools: truecaller, caller-ID lookups, breach-corpus phone checks.

  • [number - e.g. +1 555-0199]
    • Type: [mobile / landline / VoIP]
    • Linked accounts / apps:
    • Breach / paste appearances:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [number 2]

Domain names

→ §6 Identity & Selector Inventory, §7 Breach & Credential-Exposure Findings. Tools: whois, crt.sh, passive DNS.

  • [domain - e.g. principaldomain.com]
    • Registrant / WHOIS:
    • Associated IP(s):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [domain 2]

Physical identifiers (PII selectors)

Search breach corpora for name+DOB, name+address, SSN partial, etc. via lawful consented checking only.

  • [identifier type - e.g. name + DOB partial]
    • Breach appearances:
    • Data classes co-exposed:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes:

03 · Credential & Breach Exposure

Lawful exposure-checking of principal selectors against known public breach corpora and dark-web credential dumps. No data acquisition, no decryption, no use of breached secrets, no account access. Clone per breach item. → feeds §7 Breach & Credential-Exposure Findings, §14 Exposure Severity Register, §Appendix E. Tools: breach-corpus exposure-checking services (consented, selector-based); paste-site indexers.

Breach exposure item

Clone this block per breach / dump. Distinguish credential-exposure (password hash/plaintext) from PII-exposure (name/address/DOB/SSN/financial).

  • [breach name / dump label - e.g. “CompanyX 2022 dump”]
    • Exposed selector:
    • Data classes implicated: [e.g., email + password-hash, name, DOB, address, SSN-partial, financial]
    • Exposure type: [credential-exposure / PII-exposure / both]
    • Disclosure period / presumed recency:
    • Credential-reuse / ATO risk to principal: [High / Medium / Low]
    • Source grade (Admiralty A–F / 1–6):
    • Confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [breach item 2]

Paste-site & leak-repository exposure

  • [paste ref / repo - e.g. pastebin, ghostbin, breach.xxx indexer]
    • Selector exposed:
    • Data content observed (do not acquire / store):
    • Date of paste:
    • Significance to principal:
    • Source grade:
    • Notes:

Credential reuse assessment (cross-selector)

  • Password reuse signals across accounts:
  • Accounts most at ATO risk (ranked):
  • Recommended priority rotation:

04 · Dark-Web Presence

Presence of the principal’s data on dark-web marketplaces, carding shops, identity-broker venues, forums, and leak sites - accessed via clear-net gateways or public onion services only. No unauthorized account creation or forum access. → feeds §8 Dark-Web Marketplace & Venue Exposure, §9 Dark-Web Forum & Chatter, §11 Criminal-Data-Trade, §12 Dark-Web Reputation.

Marketplace & venue listings

Clone per venue/listing. → §8 Dark-Web Marketplace & Venue Exposure, §14 Exposure Severity Register.

  • [venue / marketplace class - e.g. credential-trading shop, carding forum market section]
    • Data offered: [e.g., credential set, PII bundle, fullz, financial data]
    • Principal selector linked:
    • Price / volume signal (if observable):
    • Listing recency:
    • Active vs. archived: [Active / Archived / Unknown]
    • Venue reliability:
    • Source grade (Admiralty A–F / 1–6):
    • Notes / capture ref:
  • [venue 2]

Dark-web forum & board mentions

Clone per forum/thread. → §9 Dark-Web Forum & Chatter Exposure.

  • [forum / environment - e.g. dark-web discussion board, closed channel archive]
    • Mention type: [General / Targeted / Doxxing-related / Threat-planning signal]
    • Mention context (summary, no PII reproduction):
    • Threat-actor attribution (if assessable):
    • Substantiation: [Raw claim / Corroborated / Contradicted]
    • Source grade (Admiralty A–F / 1–6):
    • Capture ref:
  • [forum mention 2]

Leak-site & document-dump exposure

Clone per leak-site hit. → §7 Breach & Credential-Exposure Findings, §11 Criminal-Data-Trade.

  • [leak site / dump repo - e.g. ransomware leak site, data-dump indexer]
    • Data type exposed:
    • Principal selector presence:
    • Date listed:
    • Organization/context if applicable:
    • Source grade:
    • Notes / capture ref:
  • [leak site 2]

Dark-web reputation & targeting signals

→ §12 Dark-Web Reputation & Threat-Actor Targeting, §16 Red Flag / Notable Indicators.

  • [threat signal / targeting reference]
    • Source environment:
    • Specificity / credibility:
    • Directness to principal: [Direct / Indirect / Incidental]
    • Urgency: [Immediate / Near-term / Watchlist]
    • Source grade (Admiralty A–F / 1–6):
    • Notes / capture ref:
  • [threat signal 2]

05 · Digital Footprint & PII Exposure

Surface-web and data-broker PII exposure that increases the principal’s dark-web exploitability - provides the “composable” data that adversaries enrich breached credentials with. This branch is scoped to dark-web-relevant composition risk only; full clearnet digital footprint analysis is in OSINT-055. → feeds §13 Exposure-to-Harm Pathways (enabling exposures), §20 Remediation Plan.

Data broker / people-search exposure

Tools: public records searches, people-finders, data broker opt-out status.

  • [broker / aggregator class - e.g. people-search site, data broker, background-check aggregator]
    • PII fields exposed: [name / DOB / address / phone / email / relatives / employment]
    • Composability risk with dark-web breach data: [High / Medium / Low]
    • Opt-out / suppression status:
    • Notes:

Public records exposure

  • [record type - e.g. property record, court filing, voter roll, business registration]
    • PII fields exposed:
    • Composability risk:
    • Suppression / sealing option: [Yes / No / Partial]
    • Source:

Social media PII overshare (dark-web-relevant only)

Clone per platform if PII overshare materially increases dark-web harm pathways.

  • [platform - e.g. LinkedIn, Facebook]
    • PII overshared (relevant to dark-web ATO / targeting):
    • Composability with breach data:
    • Remediation (profile restriction, data removal):

06 · Infrastructure

Domain names, IP addresses, and digital assets associated with the principal - checked against dark-web exposure (leaked configs, credential dumps for services, mentions in threat-actor targeting). → feeds §6 Identity & Selector Inventory, §7 Breach findings for service accounts, §13 Exposure-to-Harm Pathways. Tools: whois, crt.sh, Shodan (passive), passive DNS, SecurityTrails.

Domains associated with principal

Clone per domain. → §6 Identity & Selector Inventory.

  • [domain - e.g. principalsite.com]
    • Registrant / WHOIS data:
    • Registration date / expiry:
    • Associated IP(s):
    • Certificate history (crt.sh):
    • Dark-web mention / breach exposure of this domain:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [domain 2]

IP addresses / hosting

  • [IP / ASN / hosting provider]
    • Services running:
    • Exposure / dark-web mention:
    • Notes:

Cloud / SaaS accounts (service-level breach exposure)

Credential exposure for org-level services (email platform, cloud, CRM, etc.).

  • [service - e.g. Microsoft 365, Google Workspace, Salesforce]
    • Selector / account exposed in breaches:
    • ATO risk level:
    • MFA status (if known):
    • Notes:

07 · Attack Surface & Vulnerabilities

Synthesize the exposure items into realistic harm pathways and surface attack-surface factors that amplify exploitability. This branch feeds the analytical sections, not raw collection. → feeds §13 Exposure-to-Harm Pathways, §14 Exposure Severity Register, §17 ACH, §20 Remediation.

Harm pathway mapping

Map each composed pathway; cross-ref to enabling exposures by section. Clone per pathway.

  • [pathway - e.g. credential-stuffing / ATO]
    • Enabling dark-web exposures (cross-ref §):
    • Adversary capability assumed:
    • Composability score (how easily enabling data combines): [High / Medium / Low]
    • Disrupting remediation:
    • Residual risk after remediation:
  • [pathway 2 - e.g. synthetic identity fraud]
  • [pathway 3 - e.g. social-engineering / pretext using breached PII]
  • [pathway 4 - e.g. extortion / reputation attack using leaked material]
  • [pathway 5 - e.g. physical targeting using dark-web location data]

Attack-surface amplifiers

  • Credential reuse across personal + professional accounts:
  • Weak / missing MFA on high-value accounts:
  • PII composability from multiple breach sources:
  • Dark-web reputation or targeting signals present:
  • Encrypted-platform exposure enabling social engineering:

Exposure severity scoring (pre-register)

Full register → §14. Pre-score here during collection for triage.

  • [exposure ID - e.g. E-1: email+password in active dark-web market listing]
    • Likelihood (exploitability, 1–5):
    • Impact (harm if used, 1–5):
    • Inherent score (1–25):
    • Band: [Low / Moderate / Elevated / High / Critical]
    • Remediation lane: [credential / suppression / behavioral / escalation]
    • Residual score (post-remediation, 1–25):

08 · Attribution & Threat Actors

Attributable threat-actor targeting of the principal on dark-web surfaces. Distinguish opportunistic credential-reuse (low-sophistication, mass) from directed, specific targeting. Full threat-actor profiling and attribution investigation deferred to OSINT-059. → feeds §9 Dark-Web Forum & Chatter, §12 Dark-Web Reputation & Threat-Actor Targeting, §16 Red Flags.

Threat-actor targeting signals

Clone per signal / threat actor group.

  • [signal / actor reference - e.g. forum post targeting principal, doxxing thread]
    • Source environment (forum, market, encrypted channel):
    • Targeting specificity: [Mass/opportunistic / Semi-targeted / Specifically directed]
    • Credibility of signal: [High / Medium / Low]
    • Operational planning indicators:
    • Physical threat component: [Yes / No / Possible]
    • Urgency: [Immediate / Near-term / Watchlist / Historical]
    • Source grade (Admiralty A–F / 1–6):
    • Attribution confidence (to actor/group): [Confirmed / Probable / Possible / Unknown]
    • Escalation threshold reached: [Yes / No]
    • Notes / capture ref:
  • [signal 2]

Encrypted-messaging & closed-platform targeting

→ §10 Encrypted-Messaging & Closed-Platform Exposure.

  • [platform / channel - e.g. Telegram public channel, Discord server]
    • Attribution confidence (principal’s account / mention): [Confirmed / Probable / Possible]
    • Exposed content / context (summary):
    • Exploitability vector: [Impersonation / Social-engineering / Account-takeover / Doxxing coordination]
    • Authorized access basis: [Public channel / Principal-owned account consent / Other]
    • Notes:
  • [platform 2]

ACH working notes

Preliminary competing hypotheses for §17 ACH - refine before finalizing report.

  • H1 (primary):
  • H2 (alternative):
  • H3 (alternative):
  • Most diagnostic evidence:
  • Key assumptions for §18 KAC:

99 · Collection Admin

Working audit trail - not a deliverable section, but the record-keeping layer behind Annex A and Appendices B–H.

Source register

Every material datum traceable to a graded source. → feeds §Annex A Sources & Methodology, §Appendix C Full Source Register.

  • [S-1 - source description]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • URL / access method:
    • Lawful basis / authorized-access basis confirmed: [Yes / No]
    • Notes:

Evidence archive

→ feeds §Appendix D Evidence Archive & Chain-of-Custody Pointer, §Appendix E Breach-Exposure Register, §Appendix F Marketplace & Forum Reference Register.

  • [capture ref + hash + URL + timestamp + storage location]:
  • Consent / authorization on file (ref):
  • No technical intrusion confirmed:
  • No unauthorized account access confirmed:
  • No malware / impersonation used confirmed:
  • Breach data - no acquisition / decryption / use confirmed:
  • GDPR / CCPA handling note for third-party PII surfaced:
  • Non-FCRA consumer report status confirmed:

Open gaps / RFIs

→ feeds §19 Collection Gaps & RFIs.

  • [gap - dark-web venue not lawfully accessible: impact, recommended lawful collection, priority]
  • [gap - suspected breach data unconfirmed: impact, recheck plan, priority]
  • [gap - unresolved targeting signal: impact, escalation path, priority]
  • [open item → route to product / RFI holder]

Selector & identifier index (pre-Appendix B)

→ feeds §Appendix B Selector & Identifier Index.

  • [selector] - [type] - [resolution confidence] - [disambiguation note]