Finchless Research

Precision Intelligence Engineering

Caged light

Dark Net Recon

Tor-routed discovery, capture, and classification across hidden services — delivering decision-ready artefacts for defence, response, and investigations.

Overview

Dark Net Recon combines stealth collection with forensic capture to map risk, surface exposure, and preserve evidence from hidden services. It pairs automated discovery with analyst validation to keep findings actionable and repeatable.

Core Capabilities

Tor-Routed Discovery

SOCKS5 routing with jittered backoff and retry controls for volatile endpoints.

Forensic Capture

Full-page screenshots, HTML dumps, and HAR logs to support replay and audit.

AI + OCR Triage

Vision models and OCR extract meaning from image-only marketplaces and posts.

Entity Extraction

PGP, emails, usernames, credential hints, crypto wallets, and contact vectors.

Recursive Mapping

Follow-on discovery to enumerate related sellers, mirrors, and forum threads.

Evidence Vault

SHA256-tagged artefacts with timestamps, source refs, and session logs.

Backed by the VEILFRAME pipeline for darknet reconnaissance and artefact retention.

Operating Modes

Discovery

Enumerate fresh `.onion` nodes and mirrors using entropy-aware mutation and curated seeds.

Validation

Verify exposure, capture proofs (screenshots/DOM/HAR), and pull entities for action.

Monitoring

Revisit targets on a schedule, diff changes, and push alerts to owners or SOAR.

Workflow

  1. Scope objectives (targets, watchwords, constraints)
  2. Tor collection with resilience controls
  3. Capture: screenshot → DOM → HAR
  4. Triage: OCR + vision classification
  5. Extract entities and indicators
  6. Report with actions and owners
  7. Optional monitoring and re-test

Deliverables

Evidence Pack

  • Full-page PNG screenshots (with SHA256)
  • HTML source dumps and HAR logs
  • Entity CSV (PGP, emails, wallets, usernames)
  • Indicator JSONL for downstream tooling

Analysis Brief

  • Findings and risk notes
  • Exposure snapshots with references
  • Recommended actions and owners
  • Optional ATT&CK cross-walk where relevant

Sample Artefact Index


/evidence/
  2025-08-31T05-59-58Z/
    capture/
      0001.png         # SHA256: 8b2d…cf
      0001.dom.html
      0001.har.json
    entities/
      entities.csv     # pgp,email,username,wallet
    indicators/
      iocs.jsonl
    session.json       # timings, exit node, status

Exact layout and fields align to your case file structure on request.

FAQs

Do you capture enough for replay?

Yes. Screenshots, DOM, and HAR provide a verifiable snapshot for review and handover.

What if a page is image-only?

OCR and vision models extract text and cues from screenshots to aid classification.

Can you monitor specific sellers or forums?

Yes. We schedule revisits, diff changes, and surface alerts with context.

How are artefacts packaged?

SHA256-tagged assets with timestamps, source references, and session logs.

Engage With Us

Brief us on targets, timelines, and desired outputs. We respond with scope and a plan you can act on.