← Back to Agent Chain
🕸️ Dark Web Intel
Tor-based intelligence pipeline for discovering AI agents operating in dark web markets, forums, and C2 infrastructure
What Is Dark Web Intel?
Dark Web Intel is Agent Chain's Tor-based threat intelligence product. It continuously crawls onion services, dark web markets, and forums to identify AI agents operating outside the open web — including command-and-control infrastructure, automated scam networks, and AI-powered synthetic media operations.
The pipeline consists of five components: a Tor proxy, an Ahmia seeder (the primary .onion search engine), a Tor crawler, an OpSec scanner, and a content classifier with AI detection capabilities.
⚠️ Dark Web Intel subscription — $99.99/month. Access requires KYC (Know Your Customer) verification. New subscribers are placed in a compliance review queue and notified within 24–48 hours. Access is not granted until KYC is reviewed and approved. You must also acknowledge the Acceptable Use Policy before accessing dark web data.
Rate limits: 10 API requests/minute per subscriber. A burst allowance of 20 requests is permitted; excess returns HTTP 429 (Too Many Requests).
Logging policy: All queries are logged with timestamp, subscriber ID, search terms, and requesting IP address. Logs are retained for 90 days and may be reviewed by our compliance team in the event of a regulatory inquiry or reported misuse. Logging is a non-optional condition of subscription.
Rate limits: 10 API requests/minute per subscriber. A burst allowance of 20 requests is permitted; excess returns HTTP 429 (Too Many Requests).
Logging policy: All queries are logged with timestamp, subscriber ID, search terms, and requesting IP address. Logs are retained for 90 days and may be reviewed by our compliance team in the event of a regulatory inquiry or reported misuse. Logging is a non-optional condition of subscription.
🛡️ Law Enforcement Access. Law enforcement agencies receive Dark Web Intel access at no charge — no subscription fee required. Request a dedicated law enforcement API key to get started.
Architecture — Five-Layer Pipeline
Layer 1
🧅 Tor Proxy
SOCKS5 proxy via Tor daemon. All dark web requests route through the Tor network. IP rotation every 10 minutes. Used by all downstream components.
Layer 2
🌱 Ahmia Seeder
Seeds the crawler with fresh .onion URLs from Ahmia.fi — the primary indexed dark web search engine. Filters for AI, agent, and crypto-related categories.
Layer 3
🕷️ Tor Crawler
JavaScript-rendering crawler tuned for .onion services. Detects AI API usage patterns, LangChain signatures, agent frameworks, and automated traffic patterns.
Layer 4
🔒 OpSec Scanner
Extracts crypto wallet addresses, PGP keys, contact channels (Telegram/Discord), and infrastructure signals. Correlates with known malicious actor profiles.
Layer 5
🧠 Content Classifier
AI-powered classification of discovered content: markets, forums, C2 panels, paste sites, code repos. Flags AI agent activity, synthetic media, and scam infrastructure. Outputs W3 Intel sighting cards.
What Gets Detected
| Category | Signals | Output |
|---|---|---|
| AI Agent C2 Panels | LangChain patterns, agent framework signatures, tool invocation logs | W3 Intel Sighting Card (CRITICAL) |
| Automated Scam Markets | AI-generated product listings, LLM chatbot integration, bulk credential sales | Sighting Card + OpSec record |
| Synthetic Media Shops | Deepfake service listings, AI voice cloning, identity forgery offerings | Content classification report |
| Crypto Drainer Infrastructure | Wallet drainer scripts, phishing kits with AI personalization, stolen wallet data | Wallet address blocklist |
| Data Broker Markets | Bulk PII sales, AI-enriched datasets, identity packages | Data exposure alerts |
| AI Botnets | Distributed agent networks, coordinated posting patterns, CAPTCHA bypass services | Botnet map + sighting cards |
API Endpoints
ℹ️ All endpoints require an active Dark Web Intel subscription (
Bearer token + plan check) or a verified law enforcement API key. KYC approval is required before subscription access is activated.Intelligence Reports
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/darkweb/sightings | All dark web sighting cards (paginated) |
| GET | /v1/darkweb/sightings/:id | Get a specific dark web sighting |
| GET | /v1/darkweb/markets | Indexed dark web markets (with AI activity score) |
| GET | /v1/darkweb/actors | Known threat actor profiles |
| GET | /v1/darkweb/wallets | Crypto wallet addresses linked to dark web activity |
Crawl & Scan
| Method | Endpoint | Description |
|---|---|---|
| POST | /v1/darkweb/crawl | Submit a .onion URL for immediate crawl + classification |
| GET | /v1/darkweb/crawl/:jobId | Check crawl job status |
| POST | /v1/darkweb/scan/wallet | Check if a wallet address appears in dark web data |
| POST | /v1/darkweb/scan/domain | Check if a clearnet domain has a dark web presence |
Search & Export
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/darkweb/search | Full-text search across classified content |
| GET | /v1/darkweb/stats | Platform stats (total crawled, active markets, AI detections) |
| GET | /v1/darkweb/export | Bulk export (.json or .csv) |
| GET | /v1/darkweb/feed | Real-time streaming feed of new discoveries |
OpSec Records
| Method | Endpoint | Description |
|---|---|---|
| GET | /v1/darkweb/opsec/:actorId | OpSec profile for a known actor (wallets, PGP, channels) |
| GET | /v1/darkweb/correlate/:fingerprint | Correlate agent fingerprint with dark web data |
| POST | /v1/darkweb/report | Submit a new .onion URL to the community intel pool |
Quick Start
// Check if a wallet address appears in dark web data
const result = await ac.darkweb.scanWallet({
address: '0x742d35Cc6634C0532925a3b8D4C9C5B6e2f6e3d0'
});
// → { found: true, sighting_ids: ['DW-1844'], markets: ['AlphaBay3'] }
// Submit a .onion URL for crawl and classification
const job = await ac.darkweb.crawl({
url: 'http://example3g2t5zk7j.onion/shop'
});
const report = await ac.darkweb.getCrawlResult(job.id);
// Stream new dark web discoveries in real-time
const stream = ac.darkweb.feed();
stream.on('discovery', (sighting) => {
console.log(`New: ${sighting.category} — risk: ${sighting.risk_score}`);
});
OpSec Notes
All dark web crawling is performed server-side through the Agent Chain Tor infrastructure. Your IP is never exposed to .onion services. Crawl requests are routed through circuit-isolated Tor paths and proxied through an egress pool.
Submitted .onion URLs are reviewed for compliance before crawl results are returned. URLs linking to illegal content outside of threat intelligence context (e.g., CSAM, weapons markets) will be rejected and the submission logged.
🔒 Dark Web Intel data is provided strictly for threat intelligence, security research, and defensive purposes. By subscribing, you agree to the Acceptable Use Policy.