
Dark Web Monitor — CTI Passive Surveillance Tool

Passive CTI surveillance tool monitoring .onion sources for threat intelligence, extracting IOCs, and auto-scoring threat criticality — deployed via Docker with strict OPSEC.

2026
Completed (June 2026)
1 member

Technologies Used

Python, Tor (SOCKS5), BeautifulSoup4, Have I Been Pwned API, Docker, CTI, IOC Extraction

A Cyber Threat Intelligence (CTI) tool for passive monitoring of Tor .onion sources. Detects mentions of a target organization in public dark web sources, extracts Indicators of Compromise (IOCs), and automatically qualifies threat criticality.

🎯 Project Overview

Built as an OPSEC-strict passive reconnaissance tool for SOC/CERT environments. All traffic is routed through a local Tor daemon (SOCKS5 proxy), and the tool verifies that its traffic is actually exiting through Tor before any collection starts.

Usage scope: Passive monitoring of public sources only — no authentication, no marketplace interaction, no download of illegal content.

🔍 Threat Detection Categories

  • fuite_information — Source code leaks, API keys, database dumps, exposed secrets
  • compromission — Credentials, stealer logs, VPN/RDP access sales
  • atteinte_image — Phishing pages, typosquatting, fake login portals

🧩 IOC Extraction

Automatically extracts and classifies IOCs from .onion page content:

  • Credentials (email:password pairs)
  • AWS access keys (AKIA… pattern)
  • IP addresses
  • Cryptographic hashes (MD5, SHA-1, SHA-256)

🔐 k-Anonymity Breach Verification (HIBP)

Detected passwords are verified against the Have I Been Pwned API using the k-anonymity model:

  • Only the first 5 characters of the SHA-1 hash are sent to the API
  • The full password or hash is never transmitted
  • The server returns all hashes matching that prefix; the check is done locally

📊 Threat Scoring

| Score | Meaning |
|-------|---------|
| INFO | Mention found, no IOC |
| LOW | Generic IOC, target not confirmed |
| MEDIUM | IOC linked to target |
| HIGH | Active credential or access leak for target |
| CRITICAL | Confirmed breach with mass credential/access dump |

Passwords are redacted (:***redacted***) in all alert outputs.
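The k-anonymity check and the alert-side redaction described above, as an added example that is not the project's own code. It assumes a local Tor daemon on `127.0.0.1:9050`, a hypothetical `fetch_range_via_tor` fetcher built on `requests[socks]`, and a constructed range response used in place of live HIBP data so the check runs offline.

```python
import hashlib
from typing import Callable

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"
TOR_SOCKS_PROXY = "socks5h://127.0.0.1:9050"  # assumed local Tor daemon address


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    # k-anonymity: the 5-char prefix is sent, the 35-char suffix never leaves the host
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> dict[str, int]:
    # Response lines look like 'SUFFIX:COUNT'; padding entries carry a count of 0
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_via_tor(prefix: str, proxy: str = TOR_SOCKS_PROXY) -> str:
    # Live fetcher through the SOCKS5 proxy (socks5h: DNS is resolved by Tor, not locally)
    import requests  # requests[socks]; imported lazily so the offline demo needs no network
    resp = requests.get(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"},
                        proxies={"https": proxy, "http": proxy}, timeout=60)
    resp.raise_for_status()
    return resp.text


def redact_credential(cred: str) -> str:
    # Keep the account part for forensic value, drop the secret from alert output
    email, sep, _ = cred.partition(":")
    return f"{email}:***redacted***" if sep else cred


# Constructed offline stand-in for a range response (not real HIBP data)
_PWNED_SUFFIX = split_hash(sha1_hex_upper("password"))[1]
SAMPLE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PWNED_SUFFIX}:3730471",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",
])
```

Calling `pwned_count("password", lambda p: SAMPLE_RANGE)` returns the constructed count 3730471, while a password whose suffix is absent from the response returns 0; swap in `fetch_range_via_tor` for a live check.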

🏗️ Architecture & Deployment

  • Alerting — Alerts written to alerts.jsonl (JSON Lines), ready for Elasticsearch/OpenSearch ingestion
  • Docker Compose — Containerized deployment for reproducibility and isolation
  • OPSEC — Tor exit verification before any collection; designed for isolated VM deployment

🛠️ Stack

| Component | Technology |
|-----------|-----------|
| Language | Python 3.10+ |
| Anonymous network | Tor (SOCKS5 via requests[socks]) |
| HTML parsing | BeautifulSoup4 |
| Breach API | Have I Been Pwned (k-anonymity) |
| Containerization | Docker / Docker Compose |

Challenges

  • Routing all traffic through Tor while verifying OPSEC before any collection
  • Implementing k-anonymity for HIBP password checking without leaking the full hash
  • Designing a multi-category threat classifier that minimizes false positives
  • Masking sensitive data in alert output while preserving forensic value
  • Building an extensible alert format compatible with SIEM ingestion pipelines

Solutions

  • SOCKS5 proxy via requests[socks] + mandatory Tor exit check before collection loop
  • SHA-1 prefix (5 chars) sent to HIBP; local suffix match against returned hash list
  • Three-category threat taxonomy with keyword-based classification per category
  • Regex-based IOC extractor with automatic password redaction in JSON alert output
  • JSON Lines format (alerts.jsonl) enabling direct ingestion into Elasticsearch/OpenSearch

Outcomes

  • Functional CTI passive monitoring tool covering credential leaks, access sales, and brand threats
  • k-anonymity HIBP integration ensuring zero sensitive data transmission
  • Automated IOC extraction: credentials, AWS keys, IPs, cryptographic hashes
  • Criticality scoring from INFO to CRITICAL with target-presence weighting
  • Containerized deployment via Docker Compose for reproducible SOC/CERT environments