{ "namespace": "dark-web", "expanded": "Dark Web", "description": "Criminal motivation and content detection on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.", "version": 6, "predicates": [ { "value": "topic", "description": "Topic associated with the materials tagged", "expanded": "Topic" }, { "value": "motivation", "description": "Motivation associated with the materials tagged", "expanded": "Motivation" }, { "value": "structure", "description": "Structure of the materials tagged", "expanded": "Structure" }, { "value": "service", "description": "Information related to a Dark-Web service", "expanded": "Service" }, { "value": "content", "description": "Identifiable entities and information contained in a Dark-Web service", "expanded": "Content" } ], "values": [ { "predicate": "topic", "entry": [ { "value": "drugs-narcotics", "expanded": "drugsNarcotics", "description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)." }, { "value": "electronics", "expanded": "electronics", "description": "Electronics and high-tech materials, for example described or offered for sale." }, { "value": "finance", "expanded": "finance", "description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc." }, { "value": "finance-crypto", "expanded": "cryptoFinance", "description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc." }, { "value": "credit-card", "expanded": "creditCard", "description": "Credit cards and payment materials" }, { "value": "cash-in", "expanded": "cashIn", "description": "Buying parts of assets, conversion from liquid assets, currency, etc."
}, { "value": "cash-out", "expanded": "cashOut", "description": "Selling parts of assets, conversion to liquid assets, currency, etc." }, { "value": "escrow", "expanded": "escrow", "description": "Third party keeping assets on behalf of two other parties making a transaction." }, { "value": "hacking", "expanded": "hacking", "description": "Materials relating to the illegal access to or alteration of data and/or electronic services." }, { "value": "identification-credentials", "expanded": "identificationCredentials", "description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials." }, { "value": "intellectual-property-copyright-materials", "expanded": "intellectualPropertyCopyrightMaterials", "description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders." }, { "value": "pornography-adult", "expanded": "pornographyAdult", "description": "Lawful, ethical pornography (i.e. involving only consenting adults)." }, { "value": "pornography-child-exploitation", "expanded": "pornographyChild(ChildExploitation)", "description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities" }, { "value": "pornography-illicit-or-illegal", "expanded": "pornographyIllicitOrIllegal", "description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc." }, { "value": "search-engine-index", "expanded": "searchEngineIndex", "description": "Site providing links/references to other sites/services. Referred to as a ‘nexus’ by Moore and Rid (2016)." }, { "value": "unclear", "expanded": "unclear", "description": "Unable to completely establish topic of material."
}, { "value": "extremism", "expanded": "extremism", "description": "Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes." }, { "value": "violence", "expanded": "violence", "description": "Materials relating to violence against persons or property." }, { "value": "weapons", "expanded": "weapons", "description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients." }, { "value": "softwares", "expanded": "softwares", "description": "Illegal or harmful software distribution" }, { "value": "counteir-feit-materials", "expanded": "counterFeitMaterials", "description": "Fake identification papers." }, { "value": "gambling", "expanded": "gambling", "description": "Games involving money" }, { "value": "library", "expanded": "library", "description": "Library or list of books" }, { "value": "other-not-illegal", "expanded": "otherNotIllegal", "description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors."
}, { "value": "legitimate", "expanded": "legitimate", "description": "Legitimate websites" }, { "value": "chat", "expanded": "chatsPlatforms", "description": "Chat spaces or equivalent, which are not forums" }, { "value": "mixer", "expanded": "mixer", "description": "Anonymization tools for cryptocurrency transactions" }, { "value": "mystery-box", "expanded": "mysteryBox", "description": "Mystery Box seller" }, { "value": "anonymizer", "expanded": "anonymizer", "description": "Anonymization tools" }, { "value": "vpn-provider", "expanded": "vpnProvider", "description": "Provides VPN services and related" }, { "value": "email-provider", "expanded": "emailProvider", "description": "Provides e-mail services and related" }, { "value": "ponies", "expanded": "ponies", "description": "self-explanatory. It's ponies" }, { "value": "games", "expanded": "games", "description": "Flash or online games" }, { "value": "parody", "expanded": "parodyOrJoke", "description": "Meme, Parody, Jokes, Trolling, ..." }, { "value": "whistleblower", "expanded": "whistleblower", "description": "Exposure and sharing of confidential information with protection of the witness in mind" }, { "value": "ransomware-group", "expanded": "ransomwareGroup", "description": "Ransomware group PR or leak website" } ] }, { "predicate": "motivation", "entry": [ { "value": "education-training", "expanded": "educationTraining", "description": "Materials providing instruction - e.g. ‘how to’ guides" }, { "value": "wiki", "expanded": "wiki", "description": "Wiki pages, documentation and information display" }, { "value": "forum", "expanded": "forum", "description": "Sites specifically designed for multiple users to communicate as peers" }, { "value": "file-sharing", "expanded": "fileSharing", "description": "General file sharing, typically (but not limited to) movie/image sharing" }, { "value": "hosting", "expanded": "hosting", "description": "Hosting providers, e-mails, websites, file-storage etc."
}, { "value": "ddos-services", "expanded": "ddosServices", "description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc." }, { "value": "general", "expanded": "general", "description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites." }, { "value": "information-sharing-reportage", "expanded": "InformationSharingReportage", "description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy." }, { "value": "scam", "expanded": "scam", "description": "Intentional confidence trick to defraud a person or group of people" }, { "value": "political-speech", "expanded": "politicalSpeech", "description": "Political, activism, without extremism." }, { "value": "conspirationist", "expanded": "conspirationist", "description": "Conspiracy-theory content, fake news, etc." }, { "value": "hate-speech", "expanded": "hateSpeech", "description": "Racist, violent or hateful speech." }, { "value": "religious", "expanded": "religious", "description": "Religious, faith, doctrinal related content." }, { "value": "marketplace-for-sale", "expanded": "marketplaceForSale", "description": "Services/goods for sale, regardless of means of payment." }, { "value": "smuggling", "expanded": "smuggling", "description": "Information on, or trading of, wild animals, prohibited goods, ..." }, { "value": "recruitment-advocacy", "expanded": "recruitmentAdvocacy", "description": "Propaganda" }, { "value": "system-placeholder", "expanded": "systemPlaceholder", "description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2" }, { "value": "unclear", "expanded": "unclear", "description": "Unable to completely establish motivation of material."
} ] }, { "predicate": "structure", "entry": [ { "value": "incomplete", "expanded": "incomplete", "description": "Websites and pages that are unable to load completely or properly" }, { "value": "captcha", "expanded": "captcha", "description": "Captcha and captcha-solver elements" }, { "value": "login-forms", "expanded": "loginForms", "description": "Authentication pages, login page, login forms that block access to an internal part of a website." }, { "value": "contact-forms", "expanded": "contactForms", "description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..." }, { "value": "encryption-keys", "expanded": "encryptionKeys", "description": "e.g. PGP Keys, passwords, ..." }, { "value": "police-notice", "expanded": "policeNotice", "description": "Closed websites, with police-equivalent banners" }, { "value": "legal-statement", "expanded": "legalStatement", "description": "GDPR (RGPD) statement, privacy policy, guidelines of a website or forum..." }, { "value": "test", "expanded": "test", "description": "Test websites without any real consequences or effects" }, { "value": "videos", "expanded": "videos", "description": "Videos and streaming" }, { "value": "ransomware-post", "expanded": "ransomwarePost", "description": "Ransomware post published by a ransomware group" }, { "value": "unclear", "expanded": "unclear", "description": "Unable to completely establish structure of material." } ] }, { "predicate": "service", "entry": [ { "value": "url", "expanded": "url", "description": "Uniform Resource Locator (URL) of a dark-web service. The url should indicate a protocol (http), a hostname (www.example.com), and a file name (index.html). Example: http://www.example.com/index.html" }, { "value": "content-type", "expanded": "contentType", "description": "Content-Type representation header, used to indicate the original media type of the resource (prior to any content encoding applied for sending). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type" },
{ "value": "path", "expanded": "path", "description": "The URL path is the string of information that comes after the top-level domain name" }, { "value": "detection-date", "expanded": "detectionDate", "description": "Date on which the dark-web service was detected. The date should be in ISO 8601 format. Example: 2019-01-01T00:00:00Z" }, { "value": "network-protocol", "expanded": "networkProtocol", "description": "Network protocol used to access the dark-web site (e.g., HTTP, HTTPS)" }, { "value": "port", "expanded": "port", "description": "Port number where the dark-web service is being offered" }, { "value": "network", "expanded": "network", "description": "Overlay network (darknet) that hosts the service or content" }, { "value": "found-at", "expanded": "foundAt", "description": "Domain or service where the dark-web service was found" } ] }, { "predicate": "content", "entry": [ { "value": "sha1sum", "expanded": "sha1sum", "description": "SHA-1 (Secure Hash Algorithm 1) hash of the HTML or objectName content. SHA-1 is not collision-resistant; use it for correlation only and prefer sha256sum to establish content identity." }, { "value": "sha256sum", "expanded": "sha256sum", "description": "SHA-256 hash of the HTML or objectName content" }, { "value": "ssdeep", "expanded": "ssdeep", "description": "ssdeep fuzzy hash of the HTML or objectName content" }, { "value": "language", "expanded": "language", "description": "Detected language of the service as an ISO 639‑1 code. Example: en" },
{ "value": "html", "expanded": "html", "description": "HyperText Markup Language (HTML) used in a website" }, { "value": "css", "expanded": "css", "description": "CSS (Cascading Style Sheets) used in a dark-web site" }, { "value": "text", "expanded": "text", "description": "Content of the dark-web service without HTML tags" }, { "value": "page-title", "expanded": "pageTitle", "description": "Content of the HTML title tag of a dark-web site" }, { "value": "phone-number", "expanded": "phoneNumber", "description": "Phone number identified in the dark-web site" }, { "value": "creditCard", "expanded": "creditCard", "description": "Credit card identified in the dark-web site" }, { "value": "email", "expanded": "email", "description": "Email address identified in the dark-web site" }, { "value": "pgp-public-key-block", "expanded": "pgpPublicKeyBlock", "description": "PGP public key block identified in the dark-web site" }, { "value": "country", "expanded": "country", "description": "Associated country detected in the code of the dark-web site, following ISO 3166-1 alpha-2" }, { "value": "company-name", "expanded": "companyName", "description": "Company name identified in a dark-web site" }, { "value": "company-link", "expanded": "companyLink", "description": "Company link identified in a dark-web site" }, { "value": "victim-address", "expanded": "victimAddress", "description": "Business address identified in a dark-web site" }, { "value": "victim-TLD", "expanded": "victimTLD", "description": "Business Top Level Domain (TLD) of a company identified in a dark-web site" } ] } ] }