SPECTER ARGUS

Dark Web AI Attribution Engine

T88 · v1.0.0 · NIGHTFALL Offensive Framework · Law Enforcement
226 Tests · 8 Subsystems · 3 Gate Levels · Ed25519 Signed Reports · JSON-LD Court Evidence

Overview

Attribute. Trace. Prove.

The Dark Web AI Problem
WormGPT, FraudGPT, DarkGPT and their successors operate as uncensored AI services on Tor hidden services — used for phishing generation, CSAM, fraud, and malware authorship. Law enforcement can enumerate these services and collect attribution evidence without needing a subpoena or provider cooperation. SPECTER ARGUS does exactly that.
Multi-Layer Attribution
Attribution doesn't come from a single signal. ARGUS correlates Bitcoin wallet graphs, PGP key reuse across forums, cross-platform handles, linguistic fingerprints, timezone inference from posting patterns, OPSEC mistakes, and XMPP/Matrix/Telegram contact channels — then builds a NetworkX relationship graph with weighted edges and centrality scoring.
Court-Ready Evidence
Every ARG-{hex12} report is signed with Ed25519 — tamper-evident and verifiable with the published public key. The MAP subsystem exports JSON-LD graphs using schema.org vocabulary for admissibility. ARCHIVE tracks service state over time with SHA-256 state hashes, proving changes and continuity of operation.
No UNLEASHED Gate
SPECTER ARGUS operates under PASSIVE / OPEN / INJECT only — no destructive capability. PASSIVE: local data analysis only. OPEN: active dark web enumeration and wallet queries. INJECT: deep tracing, alias extraction, communications discovery. Designed for intelligence collection, not disruption.
⚖ LAW ENFORCEMENT POSITIONING
SPECTER ARGUS is Red Specter's primary tool for law enforcement partnerships. It provides NCA, NCSC, Europol EC3, and Interpol with capabilities that no commercial threat intelligence vendor currently offers: dark web AI service enumeration combined with on-chain Bitcoin attribution and cross-platform persona correlation — all signed with cryptographic evidence chains suitable for court proceedings.

Gate levels available: PASSIVE / OPEN / INJECT

Architecture

8 Subsystems

SUBSYSTEM 01
SWEEP
Tor-proxied dark web AI service enumeration. Probes target onion addresses using PySocks socks5h proxy. Detects 7 AI service signature patterns, identifies models, payment methods (BTC/XMR/USDT), and auth requirements. Seeds from known WormGPT/FraudGPT addresses.
GATE: OPEN
SUBSYSTEM 02
CHAIN
Bitcoin wallet tracing via BlockCypher API (no auth required). KNOWN_ENTITIES maps addresses to exchanges (Binance, Coinbase, Bitfinex, Huobi, Kraken). Detects coin mixing via equal-value output heuristic. At INJECT gate: common-input-ownership wallet clustering. Monero noted as untraceable.
GATE: OPEN / INJECT (clustering)
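Added example for the two CHAIN heuristics named above (not ARGUS's own CHAIN code): the equal-value-output test for coin mixing and common-input-ownership clustering, with a known-entity lookup on the resulting clusters. The transaction dict layout, the KNOWN_ENTITIES table and every address are constructed placeholders, not real wallets or real exchange addresses. One practitioner caveat is built in: transactions that look like CoinJoin mixes are excluded from clustering, because the common-input heuristic assumes exactly what a CoinJoin is designed to break.

```python
# Added example (not ARGUS's own code). Addresses and KNOWN_ENTITIES entries
# below are constructed placeholders; the transaction layout is an assumption.
from collections import Counter

# Placeholder stand-in for a KNOWN_ENTITIES map of address -> exchange label.
KNOWN_ENTITIES = {"addr_EXCH_HOT_1": "ExampleExchange"}


def looks_like_mixing(tx: dict, min_equal_outputs: int = 3) -> bool:
    """Equal-value output heuristic: CoinJoin-style mixes pay several
    participants the exact same amount. Flag when at least
    `min_equal_outputs` outputs share one value."""
    counts = Counter(o["value"] for o in tx["outputs"])
    return any(n >= min_equal_outputs for n in counts.values())


class UnionFind:
    """Disjoint-set structure used to merge addresses into wallet clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_wallets(txs: list) -> list:
    """Common-input-ownership: every input of one transaction is assumed to be
    spent by the same key holder. Mixing transactions are skipped, since their
    inputs come from unrelated participants and would merge strangers."""
    uf = UnionFind()
    for tx in txs:
        if looks_like_mixing(tx):
            continue
        addrs = [i["address"] for i in tx["inputs"]]
        for other in addrs[1:]:
            uf.union(addrs[0], other)
    groups = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return [sorted(g) for g in groups.values()]


def label_clusters(clusters: list) -> dict:
    """Label a cluster with any known entity one of its members maps to."""
    labelled = {}
    for members in clusters:
        labels = {KNOWN_ENTITIES[a] for a in members if a in KNOWN_ENTITIES}
        labelled[tuple(members)] = ",".join(sorted(labels)) or "unknown"
    return labelled


# Constructed sample: tx0 and tx1 share addr_A, so A/B/C cluster; tx2 has three
# equal outputs and is treated as a mix; tx3 spends from two exchange-labelled
# addresses, so its cluster picks up the ExampleExchange label.
SAMPLE_TXS = [
    {"inputs": [{"address": "addr_A"}, {"address": "addr_B"}],
     "outputs": [{"address": "addr_EXCH_HOT_1", "value": 50000},
                 {"address": "addr_A", "value": 1200}]},
    {"inputs": [{"address": "addr_A"}, {"address": "addr_C"}],
     "outputs": [{"address": "addr_D", "value": 7000}]},
    {"inputs": [{"address": "addr_X"}, {"address": "addr_Y"}, {"address": "addr_Z"}],
     "outputs": [{"address": "addr_P", "value": 100000}, {"address": "addr_Q", "value": 100000},
                 {"address": "addr_R", "value": 100000}, {"address": "addr_X", "value": 3000}]},
    {"inputs": [{"address": "addr_EXCH_HOT_1"}, {"address": "addr_EXCH_HOT_2"}],
     "outputs": [{"address": "addr_M", "value": 250000}]},
]


def demo():
    clusters = cluster_wallets(SAMPLE_TXS)
    return clusters, label_clusters(clusters), [looks_like_mixing(t) for t in SAMPLE_TXS]


if __name__ == "__main__":
    print(demo())
```

The threshold of three equal outputs is a tunable assumption; two equal outputs occur in ordinary payments often enough that a lower setting produces many false positives.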
SUBSYSTEM 03
LINK
Cross-platform persona correlation. PGP fingerprint reuse detection across dark web forums. ONION_RE v3 address extraction. Scrapes known dark web forums (Dread) via Tor proxy. At INJECT gate: @handle alias extraction from forum content.
GATE: OPEN / INJECT (aliases)
SUBSYSTEM 04
FINGERPRINT
Linguistic and behavioural profiling. langdetect language identification. Timezone inference from UTC posting hour patterns (TZ_MAP). OPSEC mistake detection via regex (IP exposure, clearnet email, OS fingerprint leaks, real name disclosure). Technical sophistication scoring.
GATE: PASSIVE
SUBSYSTEM 05
INTERCEPT
Communications channel discovery. XMPP: TCP port 5222 banner grab with stream:stream opener. Matrix: .well-known server discovery. Telegram: t.me/s/ public channel scraping (INJECT gate). JID / Matrix address / @handle extraction via regex from any text.
GATE: OPEN / INJECT (Telegram)
SUBSYSTEM 06
ARCHIVE
SQLite temporal snapshot engine. Stores service state with SHA-256 hash for diff detection. Tracks title changes, model additions/removals, new signatures, auth changes. Proves continuity of operation and service evolution over time. Court-admissible temporal evidence.
GATE: PASSIVE (local DB)
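Added example of the ARCHIVE idea (not ARGUS's own ARCHIVE code): a service state is reduced to a canonical form, hashed with SHA-256, stored in an append-only SQLite table, and diffed against the previous snapshot so title changes, model additions/removals, new signatures and auth changes are reported. The snapshot fields (title, models, signatures, auth_required), the in-memory database and the sample states are all assumptions constructed for this page.

```python
# Added example (not ARGUS's own ARCHIVE code): canonical SHA-256 state hashing
# and field-level diffing of service snapshots in an append-only SQLite store.
# Assumptions: snapshot fields title / models / signatures / auth_required and
# an in-memory database; the sample states and timestamps are constructed.
import hashlib
import json
import sqlite3


def state_hash(state: dict) -> str:
    """Hash a canonical form (sorted keys, sorted lists, fixed separators) so the
    same observed state hashes identically however the scrape ordered it."""
    canon = {
        "title": state.get("title", ""),
        "models": sorted(state.get("models", [])),
        "signatures": sorted(state.get("signatures", [])),
        "auth_required": bool(state.get("auth_required", False)),
    }
    blob = json.dumps(canon, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def diff_states(old: dict, new: dict) -> dict:
    """Report what changed between two snapshots of the same service."""
    changes = {}
    if old.get("title") != new.get("title"):
        changes["title"] = (old.get("title"), new.get("title"))
    old_m, new_m = set(old.get("models", [])), set(new.get("models", []))
    if old_m != new_m:
        changes["models_added"] = sorted(new_m - old_m)
        changes["models_removed"] = sorted(old_m - new_m)
    new_sigs = set(new.get("signatures", [])) - set(old.get("signatures", []))
    if new_sigs:
        changes["new_signatures"] = sorted(new_sigs)
    if old.get("auth_required") != new.get("auth_required"):
        changes["auth_required"] = (old.get("auth_required"), new.get("auth_required"))
    return changes


class SnapshotArchive:
    """Append-only snapshot store. Each row keeps the state hash, so a later
    reader can re-hash the stored JSON and detect tampering or corruption."""

    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS snapshots (id INTEGER PRIMARY KEY, "
            "service TEXT, observed_at TEXT, state_json TEXT, state_hash TEXT)"
        )

    def latest(self, service: str):
        row = self.db.execute(
            "SELECT observed_at, state_json, state_hash FROM snapshots "
            "WHERE service = ? ORDER BY id DESC LIMIT 1", (service,)
        ).fetchone()
        return None if row is None else dict(zip(("observed_at", "state_json", "state_hash"), row))

    def record(self, service: str, state: dict, observed_at: str):
        """Store a snapshot. Returns None on first sighting, {} when the hash is
        unchanged, otherwise the field-level diff against the previous snapshot."""
        prev = self.latest(service)
        digest = state_hash(state)
        self.db.execute(
            "INSERT INTO snapshots (service, observed_at, state_json, state_hash) "
            "VALUES (?, ?, ?, ?)",
            (service, observed_at, json.dumps(state, sort_keys=True), digest),
        )
        self.db.commit()
        if prev is None:
            return None
        if prev["state_hash"] == digest:
            return {}
        return diff_states(json.loads(prev["state_json"]), state)

    def verify(self, service: str) -> bool:
        """Re-hash every stored snapshot and confirm it matches the recorded hash."""
        rows = self.db.execute(
            "SELECT state_json, state_hash FROM snapshots WHERE service = ?", (service,)
        ).fetchall()
        return all(state_hash(json.loads(j)) == h for j, h in rows)


# Constructed sample states for a placeholder service; timestamps are made up.
FIRST = {"title": "Example AI", "models": ["model-a"], "signatures": ["sig-1"], "auth_required": False}
SECOND = {"title": "Example AI v2", "models": ["model-a", "model-b"],
          "signatures": ["sig-1", "sig-2"], "auth_required": True}


def demo():
    archive = SnapshotArchive()
    archive.record("placeholder.onion", FIRST, "2024-01-01T00:00:00Z")
    unchanged = archive.record("placeholder.onion", dict(FIRST), "2024-01-02T00:00:00Z")
    changed = archive.record("placeholder.onion", SECOND, "2024-01-03T00:00:00Z")
    return unchanged, changed, archive.verify("placeholder.onion")


if __name__ == "__main__":
    print(demo())
```

The canonicalisation step is the part that matters for evidence: without sorted keys and sorted lists, two scrapes of an unchanged service can produce different hashes and look like a state change.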
SUBSYSTEM 07
MAP
NetworkX DiGraph relationship graph builder. Ingests results from all subsystems. Weighted edges: owns=1.0, alias_of=0.9, linked_via_pgp=0.85, pays_to=0.8. Computes degree centrality for central actor identification. Exports JSON-LD using schema.org vocabulary for court evidence.
GATE: PASSIVE
SUBSYSTEM 08
REPORT
Ed25519-signed ARG-{hex12} attribution reports. SHA-256 hash-chained evidence. Attribution confidence score 0.0–1.0 aggregated across all subsystem results. Three output formats: text (human-readable), JSON (machine-readable + verifiable). Keypair stored at ~/.specter_argus/keys/.
GATE: PASSIVE
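Added example of the REPORT design (not ARGUS's own REPORT code): evidence items are SHA-256 hash-chained, the report body is serialised canonically and signed with Ed25519, and a verifier holding only the published public key checks both the signature and the chain. It assumes the `cryptography` package; the report schema, field names and the ARG-{hex12} id format follow the description above but the exact layout is an assumption, and the evidence items are constructed placeholders.

```python
# Added example (not ARGUS's own REPORT code): SHA-256 hash-chained evidence
# inside an Ed25519-signed report, plus the verification a reviewer runs.
# Assumes the `cryptography` package. Report layout is an assumption; the
# evidence items and target name are constructed placeholders.
import hashlib
import json
import secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey, Ed25519PublicKey

GENESIS = "0" * 64


def canonical(obj) -> bytes:
    """Deterministic JSON bytes: what gets hashed and what gets signed."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def chain_evidence(items: list) -> list:
    """Link each item to its predecessor: hash = SHA-256(prev_hash || item).
    Removing, reordering or editing any item invalidates every later link."""
    chained, prev = [], GENESIS
    for item in items:
        digest = hashlib.sha256(prev.encode() + canonical(item)).hexdigest()
        chained.append({"evidence": dict(item), "prev": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained: list) -> bool:
    prev = GENESIS
    for link in chained:
        expected = hashlib.sha256(prev.encode() + canonical(link["evidence"])).hexdigest()
        if link["prev"] != prev or link["hash"] != expected:
            return False
        prev = link["hash"]
    return True


def build_report(key: Ed25519PrivateKey, target: str, evidence: list, confidence: float) -> dict:
    body = {
        "report_id": "ARG-" + secrets.token_hex(6),   # 6 random bytes -> 12 hex chars
        "target": target,
        "confidence": round(confidence, 2),
        "evidence_chain": chain_evidence(evidence),
    }
    return {"body": body, "signature": key.sign(canonical(body)).hex()}


def verify_report(pub: Ed25519PublicKey, report: dict) -> bool:
    """Check the signature over the canonical body, then the chain inside it."""
    try:
        pub.verify(bytes.fromhex(report["signature"]), canonical(report["body"]))
    except (InvalidSignature, ValueError, KeyError, TypeError):
        return False
    return verify_chain(report["body"]["evidence_chain"])


def public_key_hex(key: Ed25519PrivateKey) -> str:
    """Raw 32-byte public key, the value a pubkey-style command would publish."""
    raw = key.public_key().public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    return raw.hex()


def load_public_key(hex_key: str) -> Ed25519PublicKey:
    return Ed25519PublicKey.from_public_bytes(bytes.fromhex(hex_key))


# Constructed evidence items; the findings are placeholders, not real results.
SAMPLE_EVIDENCE = [
    {"subsystem": "SWEEP", "finding": "service enumerated"},
    {"subsystem": "CHAIN", "finding": "payment address linked to exchange cluster"},
]


def demo():
    key = Ed25519PrivateKey.generate()
    report = build_report(key, "placeholder.onion", SAMPLE_EVIDENCE, 0.78)
    # The verifier needs only the published public key, never the signing key.
    pub = load_public_key(public_key_hex(key))
    genuine = verify_report(pub, report)
    tampered = {"body": dict(report["body"], confidence=0.99), "signature": report["signature"]}
    return genuine, verify_report(pub, tampered), len(public_key_hex(key))


if __name__ == "__main__":
    print(demo())
```

Signing the canonical serialisation rather than the pretty-printed file is what makes the signature survive reformatting; the verifier must rebuild exactly the same bytes, so the serialisation rules are part of the evidence format.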

Gate System

PASSIVE / OPEN / INJECT

SPECTER ARGUS operates under three gate levels only. There is no UNLEASHED, DESTROY, or ANNIHILATE gate — this tool is built for intelligence collection, not disruption.

Gate    | Capability                                                          | Network Activity      | Use Case
--------|---------------------------------------------------------------------|-----------------------|-------------------------------------------------------------
PASSIVE | Local analysis only (FINGERPRINT, ARCHIVE, MAP, REPORT)             | None                  | Analyse existing data, build graphs, generate signed reports
OPEN    | Active dark web queries (SWEEP, CHAIN, LINK, INTERCEPT)             | Tor + BlockCypher API | Enumerate services, trace wallets, correlate personas
INJECT  | Deep tracing (wallet clustering, alias extraction, Telegram search) | Tor + external APIs   | Full attribution pipeline, cross-platform identity linkage

CLI Reference

specter-argus

$ specter-argus hunt <onion> --gate OPEN
# Full attribution pipeline: SWEEP+CHAIN+LINK+FINGERPRINT+INTERCEPT+ARCHIVE+MAP+REPORT

$ specter-argus sweep <onion> --gate OPEN
# Probe dark web AI service via Tor — detect models, signatures, payment, auth

$ specter-argus chain <btc-wallet> --gate OPEN
# Trace Bitcoin wallet — exchange identification, mixing detection

$ specter-argus chain <btc-wallet> --gate INJECT
# INJECT gate: common-input-ownership wallet clustering

$ specter-argus link <handle> --gate INJECT
# Cross-platform persona correlation + alias extraction

$ specter-argus archive-list <onion>
# List temporal snapshots and service diffs

$ specter-argus verify report.json
# Verify Ed25519 signature on ARG-{hex12} report

$ specter-argus pubkey
# Print Ed25519 public key for court-ready report verification

[ARG-4F2A1B] SWEEP complete. 3 services enumerated.
[ARG-4F2A1B] CHAIN: wallet traced → Binance exchange cluster (3 hops)
[ARG-4F2A1B] LINK: PGP key reuse detected across 2 forums (handle: darkoperator99)
[ARG-4F2A1B] FINGERPRINT: TZ=UTC+3, lang=ru, OPSEC score=2/10 (email exposed)
[ARG-4F2A1B] Attribution confidence: 0.78 | Report signed OK

Coverage

What ARGUS Covers

Dark Web AI Services
Uncensored LLMs, AI tooling marketplaces, CSAM generation services, fraud/phishing-as-a-service portals. Detects model APIs, rate limits, authentication patterns, and payment integration across Tor hidden services.
Bitcoin Tracing
Wallet profiling, exchange identification (5 major exchanges), coin mixing detection via equal-value output heuristic, common-input-ownership clustering at INJECT gate. Complements Chainalysis/Elliptic for LE use.
Persona Correlation
PGP fingerprint reuse across dark web forums is the strongest single correlation signal. Cross-referencing handles, communication addresses, onion references, and payment addresses builds a high-confidence identity cluster even without clearnet exposure.
Linguistic Profiling
Language detection, timezone inference from UTC posting patterns, OPSEC mistake cataloguing. Even technically sophisticated operators leak identity through consistent posting times and language choices across multiple pseudonymous accounts.