IEEE Access (Jan 2024)
A Measurement Study on Tor Hidden Services via Keyword-Based Dark Web Collection Framework
Abstract
Due to the anonymous nature of the Dark Web, perpetrators utilize it combined with cryptocurrencies to hide their online activities and identities. Moreover, recent criminals abuse coin-mixing services to obfuscate financial transactions, dramatically hindering traceability and transparency. Recent studies have elaborated on demystifying the Dark Web ecosystem by analyzing real-world data acquired from well-known underground marketplaces and forums. However, previous assessments are less effective in understanding the most up-to-date trends and interrelationships between illegal activities because they do not efficiently deal with the ever-changing status of the Tor hidden services and cryptocurrencies, such as uniform resource locator (URL) policy updates and diverse Bitcoin address types. To this end, we propose a Dark Web data collection framework that automatically gathers .onion addresses operated by suspicious vendors and the corresponding Bitcoin addresses based on criminal-related keywords. Our framework aims to understand the interrelationship between illicit activities by analyzing the dependency between the keywords based on the seed .onions that appear in common. We also explore the trends in the life cycle of .onion domains for each keyword. To demonstrate the versatility of our framework, we provide various case studies to achieve potential clues for dark vendor profiling and alias attribution and how to discriminate mixed Bitcoin addresses from the universal Bitcoin usage patterns.
Keywords
