[DIGITAL IDENTITY] - Collection Map

OSINT-059 Dark Web Investigation & Attribution Report - collection workspace. Central topic = the subject’s dark-web identity (handle / entity / incident). Branches are the data-point categories for the dark-web attribution mission. Drop each collected value as a child node; expand it with where it was found. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-059.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + the essential elements of information (EEI) for each. Tick checkboxes as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Verified Findings, §17 Gaps.

PIR-1 - Handles / accounts: What dark-web identifiers does the subject operate?

  • EEI: primary dark-web handle(s) identified and documented
  • EEI: secondary / alias handles and cross-platform reuse confirmed
  • EEI: same-handle candidates identified and excluded (namesake check)
  • EEI: PGP key ID(s) and fingerprint(s) linked to handle(s)
  • EEI: wallet address(es) linked to handle(s) (route to OSINT-022 if full tracing needed)

PIR-2 - Venues: What dark-web forums, markets, and hidden services does the subject frequent?

  • EEI: primary marketplace / forum / hidden service with .onion URL documented
  • EEI: secondary venues and lurking presence noted
  • EEI: time window of observed presence for each venue
  • EEI: subject’s activity level per venue (active / occasional / historical)

PIR-3 - Activity: What illicit activity is the subject engaged in?

  • EEI: primary illicit activity type (credential trafficking / data sale / narcotics / fraud / malware / C2 / other)
  • EEI: listing or post evidence captured and preserved with hash
  • EEI: scale and recency of activity established
  • EEI: specific threat to client from subject’s activity assessed

PIR-4 - Attribution: Can the subject’s dark-web activity be tied to a real-world identity?

  • EEI: at least one strong attribution link (PGP key reuse / cross-platform handle / wallet clustering / registration data / self-disclosure / writing style / operational mistake)
  • EEI: contradictory / exculpatory evidence reviewed and documented
  • EEI: namesake / false-flag risk assessed
  • EEI: attribution confidence level determined (Confirmed / Probable / Possible / Unresolved)

PIR-5 - Network: What dark-web associations and threat-actor affiliations exist?

  • EEI: co-posting accounts and transactional counterparties identified
  • EEI: shared infrastructure or group affiliation indicators documented
  • EEI: known threat-actor group / criminal collective link assessed

Collection gaps / RFIs (running)

  • [open item] → route to [product / analyst / venue]
  • [open item]

01 · Identity Anchor

The bridge between the real-world subject and the dark-web identity being attributed. Both sides of the link must be established before attribution can be graded. → feeds §5 Subject Identification & Dark-Web Handles, §8 Attribution Analysis.

Real-world anchor (subject / entity / incident)

  • Subject legal name / entity name:
  • Triggering identifier (what brought them to attention):
  • Client-supplied selectors (emails / phones / usernames / wallet addresses):
  • Prior OSINT-055 or OSINT-058 findings in scope:

Dark-web anchor (primary identifier)

  • Primary handle:
    • Venue first seen:
    • Registration date (if visible):
    • Basis for anchoring to subject:
    • Confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output:
  • Attribution confidence (initial): [Confirmed / Probable / Possible / Unresolved]

02 · Selectors & Accounts

The full set of dark-web and cross-platform identifiers. Each selector block is clonable. → feeds §5 Subject Identification & Dark-Web Handles, §8 Attribution Analysis, Appendix A.

Dark-web handles / usernames

Cross-reference against clearnet usernames (idcrawl / sherlock / whatsmyname) to surface reuse.

  • [handle - e.g. d4rkpr0xy]
    • Venue(s) where found:
    • Clearnet reuse (platform + URL):
    • Linked email(s):
    • PGP key linked:
    • Wallet address(es) linked:
    • Other accounts reusing it:
    • Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output: ← sherlock, whatsmyname, idcrawl
  • [handle 2]

Email addresses (dark-web registrations / contact)

→ check breach/paste appearances and account discovery alongside handle attribution.

  • [email - e.g. user@protonmail.com]
    • Venue / registration context:
    • Breach / paste appearances:
    • Account discovery (linked platforms):
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output: ← holehe, h8mail, hunter.io, haveibeenpwned
  • [email 2]

PGP keys

  • [key ID / fingerprint - e.g. 0xABCD1234]
    • Keyserver found on:
    • UID(s) on key:
    • Cross-venue reuse:
    • Creation / expiry date:
    • Signed / web-of-trust links:
    • Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output: ← keys.openpgp.org, Mailvelope lookup
  • [key 2]

Cryptocurrency wallet addresses

Full on-chain tracing routes to OSINT-022; record identifiers here for attribution linkage only.

  • [wallet address - e.g. 1A1zP1…]
    • Chain / coin:
    • Venue / listing context found:
    • Clustering / co-spend links noted:
    • Exchange deposit detected:
    • Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output: ← blockchain.com, etherscan, breadcrumbs.app, arkham
  • [wallet 2]

Phone numbers (dark-web contact)

  • [number - e.g. +1 555-0199 / Telegram ID]
    • Context found:
    • Type (Telegram / Signal / VoIP / other):
    • Linked accounts:
    • Attribution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output:
  • [number 2]

03 · Credential & Breach Exposure

Background breach exposure context - distinguishes the subject as actor from subject as victim. Credential exposure feeds attribution (do leaked passwords reappear on dark-web registrations?). → feeds §10 Illicit Activity & Threat Indicators (if subject is trafficking their own or others’ data), §8 Attribution (if leaked passwords or usernames confirm cross-platform link).

Breach appearances (subject as potential victim or actor)

  • [breach / paste - e.g. Collection #1, 2019-01]
    • Selector exposed:
    • Data fields (email / password hash / plaintext / phone / address):
    • Source grade:
    • Significance (victim profile vs. actor reuse):
    • Notes / tool output: ← haveibeenpwned, dehashed, intelx.io, leakcheck
  • [breach 2]

Credential reuse across dark-web accounts (attribution pivot)

  • [credential pattern - e.g. password variant observed in two venues]
    • Venues matched:
    • Confidence this links accounts to same operator: [H/M/L]
    • Notes:

Data-broker / stealer-log exposure

  • [stealer-log / data-broker entry]
    • Source:
    • Data content:
    • Relevance:
    • Notes / tool output: ← intelx.io, flare.io, Hudson Rock Cavalier

04 · Dark-Web Presence

The heart of the collection. One block per venue / platform where the subject appears. Capture: handle used, activity type, content themes, time window, .onion URL (if safe to record). → feeds §6 Venue & Platform Mapping, §7 Activity & Communications Analysis, Appendix B.

Forum / community presence

Clone per forum. Passive observation only - no account creation, no engagement.

  • [forum - e.g. RaidForums mirror / BreachForums / XSS / Exploit.in]
    • .onion / clearnet URL:
    • Handle used:
    • Join / first-post date:
    • Last active date:
    • Activity level: [Active / Occasional / Historical / Single post]
    • Post count / reputation score:
    • Topics / sub-forums active in:
    • Notable posts / threads (by date):
    • Source grade:
    • Notes / captured content (hashed):
  • [forum 2]

Marketplace listings / vendor presence

Clone per marketplace.

  • [marketplace - e.g. AlphaBay successor / dark0de / vendor shop]
    • .onion URL:
    • Vendor handle:
    • Listings observed (category / price / quantity):
    • Feedback / reputation metrics:
    • PGP key posted:
    • Wallet address(es) in listings:
    • Time window of observed activity:
    • Source grade:
    • Notes / captured content (hashed):
  • [marketplace 2]

Paste sites / leak sites / hidden service mentions

Clone per paste / mention.

  • [paste site / leak site - e.g. Pastebin, ghostbin, ransomware leak blog]
    • URL (captured):
    • Handle / attributed to subject:
    • Content summary:
    • Date posted:
    • Source grade:
    • Notes:
  • [paste 2]

Chat platforms (dark-web adjacent)

  • [platform - e.g. Telegram channel / IRC / Matrix / XMPP]
    • Channel / server:
    • Handle used:
    • Content observed:
    • Time window:
    • Notes / tool output:

05 · Digital Footprint & PII Exposure

Clearnet footprint that provides attribution anchors linking dark-web identity to real-world subject. → feeds §8 Attribution Analysis (cross-platform handle reuse, self-disclosure, metadata); §10 Illicit Activity (if subject is selling client PII or targeting client infrastructure).

Clearnet social media (attribution-pivot accounts)

Clone per platform. Focus on handles / metadata that bridge dark-web to real-world identity.

  • [platform - e.g. GitHub / Twitter-X / Reddit / Telegram public / HackerNews]
    • Handle / URL:
    • Attribution confidence (links to dark-web identity): [Confirmed / Probable / Possible]
    • Key content (writing style, references to dark-web activity):
    • Account status: [Active / Dormant / Deleted]
    • Notes / tool output: ← sherlock, whatsmyname, idcrawl
  • [platform 2]

Technical / developer footprint

  • [GitHub / GitLab / SourceForge repo or commit]
    • Username:
    • Email in commits:
    • Code / tools of relevance:
    • Attribution link to dark-web handle:
    • Notes:

Data-broker / public-record PII

  • [data-broker / people-search entry]
    • Fields available:
    • Accuracy / currency:
    • Attribution link:
    • Notes / tool output: ← Spokeo, BeenVerified, PeopleFinders, Intelius

Image / media (avatar / profile picture reverse)

  • [image ref]
    • Reverse-image match (platform + URL):
    • Metadata (EXIF / geotag):
    • Attribution link:
    • Notes:

06 · Infrastructure

The technical infrastructure operated by or associated with the subject. → feeds §6 Venue & Platform Mapping (subject-operated hidden services), §8 Attribution Analysis (shared infrastructure pivot), §11 OPSEC Assessment.

Domains and hidden services operated by subject

Clone per domain / .onion.

  • [domain / .onion - e.g. subjectshop.onion]
    • Registrant / WHOIS (clearnet):
    • Hosting / IP / ASN:
    • SSL cert / SAN (crt.sh):
    • Associated email(s) in registration:
    • Linked identifiers:
    • Status: [Active / Offline / Seized]
    • Notes / tool output: ← whois, crt.sh, Shodan, SecurityTrails, RiskIQ
  • [domain 2]

IP addresses (inferred or observed)

  • [IP - e.g. exit-node IP seen in registration, forum login leak]
    • ASN / hosting provider:
    • Geolocation (coarse):
    • Context of exposure (OPSEC mistake vs. Tor exit):
    • Attribution confidence: [H/M/L]
    • Notes / tool output: ← Shodan, Censys, AbuseIPDB
  • [IP 2]

Malware / C2 infrastructure (if applicable)

  • [C2 domain / IP / malware hash]
    • Malware family:
    • Observed in:
    • Link to subject:
    • TI source:
    • Notes / tool output: ← VirusTotal, Any.run, MalwareBazaar, ThreatFox

Shared infrastructure pivot (clusters with associates)

  • [infrastructure element - e.g. shared hosting account, certificate reuse]
    • Shared with (associated handle / entity):
    • Basis for clustering:
    • Notes:

07 · Attack Surface & Vulnerabilities

The subject’s OPSEC weaknesses and attribution-enabling mistakes - the inverse of §11 OPSEC Assessment. → feeds §11 Operational Security (OPSEC) Assessment, §15 ACH, §17 Gaps.

OPSEC mistakes observed

  • [mistake - e.g. reused username on clearnet, real email in PGP UID, IP leak in forum post]
    • Venue / context:
    • Date observed:
    • Attribution value (pivots to what):
    • Notes:

Counter-OPSEC / anti-forensic measures observed

  • [measure - e.g. Tor-only access, PGP-signed comms, separate per-venue handles]
    • Consistency of measure across venues:
    • Assessment of effectiveness:

VPN / Tor / proxy usage indicators

  • [indicator - e.g. Tor exit IP in forum login, VPN ASN in registration record]
    • Source:
    • OPSEC implication:

OPSEC posture assessment (working)

  • Overall posture: [Low / Moderate / High]
  • Strongest OPSEC element:
  • Most significant weakness:
  • Implication for further collection:

08 · Attribution & Threat Actors

The full attribution evidence chain mapped here; the Key Judgment KJ-1 (subject operates handle) and KJ-2 (subject engaged in activity) are supported by nodes in this branch. → feeds §8 Attribution Analysis, §9 Network & Affiliation Mapping, §15 ACH, §16 Key Assumptions.

Attribution evidence chain

Each evidence item is an independent link. Collect at least two independent streams before upgrading to Probable.

  • [evidence item - e.g. PGP key reuse across venues]
    • Evidence type: [PGP key reuse / cross-platform handle / wallet clustering / registration data / self-disclosure / writing style / metadata / OPSEC mistake / other]
    • Detail:
    • Strength: [Strong / Moderate / Weak]
    • Source grade:
    • Notes:
  • [evidence item 2]

ACH hypotheses (working)

  • H1 Subject genuinely operates the handles - evidence for / against: /
  • H2 Misattribution (namesake / false flag) - evidence for / against: /
  • H3 Shared account (multiple users) - evidence for / against: /
  • H4 Compromised identity / planted evidence - evidence for / against: /
  • Most consistent hypothesis (working):

Network associates / co-actors

Clone per associate. → feeds §9 Network & Affiliation Mapping.

  • [associate handle - e.g. c0mprom1sed]
    • Venue(s) of connection:
    • Nature of connection: [Co-poster / transaction partner / forum interaction / shared infrastructure / group affiliation]
    • Known real-world link (if any):
    • Confidence: [H/M/L]
    • Source grade:
    • Notes:
  • [associate 2]

Threat-actor group / criminal network affiliation

  • [group / collective - e.g. Lapsus$ / Killnet / specific marketplace org]
    • Indicators of affiliation:
    • Confidence: [H/M/L]
    • TI references:
    • Notes:

Writing style & linguistic markers

  • Primary language:
  • Distinctive patterns (idioms, typos, punctuation habits, vocabulary):
  • Cross-venue consistency:
  • Tool/approach: [JGAAP / manual stylometric notes]
  • Attribution value:

99 · Collection Admin

Working register - audit trail behind the deliverable. Not itself a deliverable section.

Source register

Every material datum traceable to a graded source (Admiralty A–F / 1–6).

  • [S-1 - source]
    • Type: [Forum post / marketplace listing / hidden service / PGP key / wallet transaction / chat log / paste / data-broker / TI feed / other]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • Capture method (screenshot / hash / archive):
  • [S-2]

Evidence archive

  • [EV-1 - capture ref]
    • File hash (SHA-256):
    • Original URL / .onion:
    • Timestamp of capture:
    • Preservation method: [Screenshot / HTTrack / archive.org / IPFS / local]
    • Chain-of-custody note:
  • [EV-2]

Open gaps / RFIs / verification pending

  • [item - e.g. PGP key fingerprint not confirmed against keyserver]
  • [item - e.g. wallet clustering not completed - route to OSINT-022]
  • [item - e.g. associate handle unresolved]

Assumptions log (feeds §16 Key Assumptions Check)

  • A-1 Handles not shared / single operator assumed: [basis / confidence]
  • A-2 Dark-web content not tampered / planted: [basis / confidence]
  • A-3 OPSEC posture consistent across venues: [basis / confidence]
  • A-4 No law-enforcement / intelligence operation running the account: [basis / confidence]