T88 · v1.0.0 · NIGHTFALL Offensive Framework

SPECTER ARGUS

Dark Web AI Attribution Engine — Technical Documentation

Introduction

SPECTER ARGUS is Red Specter's dark web AI threat actor attribution engine. It is designed for law enforcement and intelligence use: enumerating dark web AI services, tracing cryptocurrency payments, correlating pseudonymous identities across platforms, and generating court-ready evidence packages signed with Ed25519.

Unlike other NIGHTFALL tools, SPECTER ARGUS has no UNLEASHED, DESTROY, or ANNIHILATE gate. It operates purely for collection and attribution — not disruption. Gate levels: PASSIVE, OPEN, INJECT.

Installation

$ git clone git@github.com:RichardBarron27/red-specter-specter-argus.git
$ cd red-specter-specter-argus
$ pip install -e . --break-system-packages
$ pip install requests pysocks networkx langdetect cryptography click --break-system-packages
$ specter-argus --help
Usage: specter-argus [OPTIONS] COMMAND [ARGS]...
  SPECTER ARGUS — Dark Web AI Attribution Engine
Commands: hunt  chain  link  sweep  archive-list  verify  pubkey

Tor must be running on 127.0.0.1:9050 for OPEN/INJECT gate operations. Start with sudo systemctl start tor or sudo tor &.

Gate System

The gate system enforces capability boundaries. Pass --gate PASSIVE|OPEN|INJECT to any command. Default is PASSIVE.

Gate    | What unlocks                                                                         | Network activity
PASSIVE | FINGERPRINT, ARCHIVE read, MAP, REPORT generation                                    | None
OPEN    | SWEEP (Tor probe), CHAIN (BlockCypher), LINK (forum scrape), INTERCEPT (XMPP/Matrix) | Tor + HTTPS
INJECT  | CHAIN wallet clustering, LINK alias extraction, INTERCEPT Telegram search            | Tor + external APIs

SWEEP

Probes a dark web AI service via Tor (PySocks socks5h proxy on 127.0.0.1:9050). Detects AI signatures, models, payment methods, and authentication requirements.

Detection signatures

$ specter-argus sweep abcdef1234567890abcdef1234567890abcdef1234567890abcdef12.onion --gate OPEN
[SWEEP] title: DarkGPT — No Limits AI Service
[SWEEP] server: nginx/1.18.0
[SWEEP] models: ['GPT-4-uncensored', 'DALL-E-unrestricted']
[SWEEP] signatures: ['uncensored_llm', 'payment_btc', 'wormgpt_variant']
[SWEEP] payments: ['BTC', 'XMR']
[SWEEP] auth_required: True

CHAIN

Traces Bitcoin wallets using the BlockCypher API (no authentication required for basic queries). Identifies exchange destinations, detects coin mixing, and at the INJECT gate clusters wallets via the common-input-ownership heuristic.

Exchange identification

KNOWN_ENTITIES maps known exchange deposit addresses to exchange names: Binance, Coinbase, Bitfinex, Huobi, Kraken. Any wallet in the transaction graph matching a KNOWN_ENTITIES entry is labelled as an exchange destination.

Mixing detection

Equal-value outputs heuristic: if a transaction has 5 or more outputs of equal value, it is flagged as a potential coin mixing transaction (CoinJoin pattern).

$ specter-argus chain 1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf --gate OPEN
[CHAIN] balance: 72.23 BTC (confirmed)
[CHAIN] tx_count: 3847
[CHAIN] exchange_hits: Binance (3 hops)
[CHAIN] mixing_detected: False
[CHAIN] confidence: 0.65
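The two CHAIN heuristics described above (equal-value-outputs mixing detection and INJECT-gate common-input-ownership clustering) as an added, self-contained example; this is not the project's code. The transaction dicts are constructed and their field names follow BlockCypher's transaction JSON as an assumption; skipping flagged mixing transactions during clustering is an editorial choice, since CoinJoin inputs are not co-owned.

```python
from collections import Counter, defaultdict

MIXING_MIN_EQUAL_OUTPUTS = 5  # threshold stated in the Mixing detection section

# Constructed transactions in the shape of BlockCypher's transaction JSON
# (inputs/outputs carry an "addresses" list, output "value" is in satoshis).
# The field names are an assumption about the API; the data is made up.
TXS = [
    {"hash": "tx-a", "inputs": [{"addresses": ["addr1"]}, {"addresses": ["addr2"]}],
     "outputs": [{"value": 50000, "addresses": ["addr9"]}]},
    {"hash": "tx-b", "inputs": [{"addresses": ["addr2"]}, {"addresses": ["addr3"]}],
     "outputs": [{"value": 10000, "addresses": ["addr8"]}]},
    # five equal-value outputs plus a change output: the CoinJoin pattern
    {"hash": "tx-c", "inputs": [{"addresses": [f"mix{i}"]} for i in range(5)],
     "outputs": [{"value": 100000, "addresses": [f"out{i}"]} for i in range(5)]
                + [{"value": 1234, "addresses": ["change"]}]},
]


def is_mixing_tx(tx):
    """Equal-value-outputs heuristic: 5+ outputs of identical value flag a potential CoinJoin."""
    counts = Counter(o["value"] for o in tx.get("outputs", []))
    return bool(counts) and max(counts.values()) >= MIXING_MIN_EQUAL_OUTPUTS


def cluster_wallets(txs):
    """Common-input-ownership heuristic (INJECT gate): all inputs spent together in one
    transaction are assumed to share an owner; union-find merges them into clusters.
    Transactions flagged as mixing are skipped, because CoinJoin inputs belong to
    different parties and the heuristic would merge unrelated wallets."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        if is_mixing_tx(tx):
            continue
        addrs = [a for inp in tx.get("inputs", []) for a in inp.get("addresses", [])]
        for a in addrs[1:]:
            parent[find(addrs[0])] = find(a)  # union the two roots
    clusters = defaultdict(set)
    for a in parent:
        clusters[find(a)].add(a)
    return sorted(sorted(c) for c in clusters.values())
```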

LINK

Correlates pseudonymous identities across dark web platforms using PGP key fingerprint reuse and v3 onion address cross-references. At the INJECT gate, extracts @handle aliases from forum content.

PGP fingerprint reuse

The strongest single correlation signal: an operator who uses the same PGP key on two forums has provably linked those accounts. LINK extracts PGP public key blocks, computes a 16-character truncation of the block's SHA-256 digest as the fingerprint identifier (an identifier derived from the key block, not the key's OpenPGP fingerprint), and flags any block appearing in multiple sources.

$ specter-argus link darkoperator99 --gate INJECT
[LINK] persona_matches: 2 forums (dread, exploit.in)
[LINK] pgp_reuse_hits: 1 (fingerprint: A3F2B891CC7D4E0A)
[LINK] onion_refs: [<56-char-onion>.onion]
[LINK] cross_platform_aliases: ['@d4rkop', '@dark_operator']
[LINK] attribution_confidence: 0.72

FINGERPRINT

Linguistic and behavioural profiling of dark web personas from text corpora. No network activity — operates on existing text. Available at PASSIVE gate.

Signal                   | Method            | Output
Language                 | langdetect        | ISO 639-1 code + confidence
Timezone                 | UTC hour → TZ_MAP | Likely timezone list
OPSEC score              | Regex red flags   | 0–10 scale (lower = more mistakes)
Technical sophistication | Tech term ratio   | 0.0–1.0 float
Posting entropy          | Shannon entropy   | Regularity indicator

OPSEC red flags detected

INTERCEPT

Discovers communication channels used by dark web operators. Probes XMPP and Matrix at OPEN gate; searches Telegram public channels at INJECT gate.

XMPP probing

TCP socket connect to port 5222. Sends standard <stream:stream> opener and reads the server banner response. Classifies as CONFIRMED, TIMEOUT, or REFUSED.

Matrix discovery

GET /.well-known/matrix/server — standard Matrix federation discovery endpoint. Returns the delegated server address if Matrix is running.

Contact extraction

Extracts JIDs (user@domain.onion), Matrix addresses (@user:server), and @handles from any text corpus via regex. No network activity required for extraction.

ARCHIVE

SQLite-backed temporal snapshot engine for dark web AI services. Proves service continuity and evolution for court proceedings.

Schema

snapshots (
  id INTEGER PRIMARY KEY,
  onion_url TEXT,
  snapshot_ts TEXT,       -- ISO 8601
  title TEXT,
  server TEXT,
  models TEXT,            -- JSON array
  signatures TEXT,        -- JSON array
  payments TEXT,          -- JSON array
  auth_req INTEGER,
  state_hash TEXT,        -- SHA-256 of canonical state
  raw_json TEXT
)

State hash

SHA-256 of: title + sorted(models) + sorted(signatures) + auth_required. A change in state_hash between two snapshots proves the service changed. ARCHIVE reports added/removed models and signatures between snapshots.
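The state hash and snapshot diff described above, as an added example that is not the project's code. The snapshots are constructed from the SWEEP sample output; the page does not fix the byte encoding of the canonical state, so this example JSON-encodes the four fields as one list (an assumption) rather than concatenating strings, which would let field boundaries shift without changing the hash.

```python
import hashlib
import json

# Constructed snapshots in the shape of the ARCHIVE schema. server and payments are
# omitted: they are stored in the table but are not part of the canonical state.
SNAPSHOT_1 = {
    "title": "DarkGPT — No Limits AI Service",
    "models": ["GPT-4-uncensored", "DALL-E-unrestricted"],
    "signatures": ["uncensored_llm", "payment_btc", "wormgpt_variant"],
    "auth_required": True,
}
# Later snapshot: one model added, one signature gone, models listed in another order.
SNAPSHOT_2 = dict(
    SNAPSHOT_1,
    models=["DALL-E-unrestricted", "GPT-4-uncensored", "Llama-3-unfiltered"],
    signatures=["uncensored_llm", "payment_btc"],
)


def state_hash(snapshot):
    """SHA-256 over title + sorted(models) + sorted(signatures) + auth_required.
    Encoding the four fields as a JSON list (assumed encoding) keeps field boundaries
    explicit, so "ab"+"c" and "a"+"bc" cannot produce the same digest."""
    canonical = json.dumps(
        [snapshot["title"], sorted(snapshot["models"]), sorted(snapshot["signatures"]),
         bool(snapshot["auth_required"])],
        separators=(",", ":"), ensure_ascii=False,
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_snapshots(old, new):
    """What ARCHIVE reports between two snapshots: unchanged when the hashes match,
    otherwise the models and signatures added or removed."""
    if state_hash(old) == state_hash(new):
        return {"changed": False}
    return {
        "changed": True,
        "models_added": sorted(set(new["models"]) - set(old["models"])),
        "models_removed": sorted(set(old["models"]) - set(new["models"])),
        "signatures_added": sorted(set(new["signatures"]) - set(old["signatures"])),
        "signatures_removed": sorted(set(old["signatures"]) - set(new["signatures"])),
        "auth_changed": bool(old["auth_required"]) != bool(new["auth_required"]),
    }
```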

MAP

Builds a NetworkX DiGraph from all subsystem results. Computes degree centrality to identify the most-connected (most-likely primary) actor. Exports court-ready JSON-LD.

Edge weights

Edge type        | Weight | Meaning
owns             | 1.0    | Entity owns a service
alias_of         | 0.9    | Cross-platform alias confirmed
linked_via_pgp   | 0.85   | PGP key reuse detected
pays_to          | 0.8    | Bitcoin payment relationship
communicates_via | 0.7    | Shared comms channel

REPORT

Generates Ed25519-signed ARG-{hex12} attribution reports. Each report ID is unique (ARG- + secrets.token_hex(6).upper()). Keys are generated once at ~/.specter_argus/keys/ and reused for consistency.

CLI Reference

$ specter-argus hunt <onion> [--gate PASSIVE|OPEN|INJECT] [--tor-host HOST] [--tor-port PORT]
  Full attribution pipeline. Runs SWEEP → CHAIN → LINK → FINGERPRINT → INTERCEPT → ARCHIVE → MAP → REPORT.

$ specter-argus sweep <onion> --gate OPEN
  Probe a single dark web AI service via Tor.

$ specter-argus chain <wallet> --gate OPEN|INJECT
  Trace a Bitcoin wallet. INJECT gate enables clustering.

$ specter-argus link <handle> --gate OPEN|INJECT
  Cross-platform persona correlation.

$ specter-argus archive-list <onion>
  List all temporal snapshots for an onion address.

$ specter-argus verify <report.json>
  Verify Ed25519 signature on an ARG-{hex12} report.

$ specter-argus pubkey
  Print the Ed25519 public key (for distribution to verifiers).

Report Format

{
  "report_id": "ARG-4F2A1B",
  "query": "<target-onion>",
  "timestamp": "2026-05-16T14:23:00Z",
  "gate": "INJECT",
  "sweep_results": { ... },
  "chain_results": { ... },
  "link_results": { ... },
  "fingerprint_results": { ... },
  "intercept_results": { ... },
  "map_json": { ... },           // NetworkX graph as JSON-LD
  "attribution_confidence": 0.78,
  "public_key": "<base64-ed25519-pubkey>",
  "signature": "<base64-ed25519-sig>"
}

Verification

Any party holding the public key (distributed via specter-argus pubkey) can verify that an ARG report is untampered:

$ specter-argus verify report.json
[VERIFY] Report: ARG-4F2A1B
[VERIFY] Timestamp: 2026-05-16T14:23:00Z
[VERIFY] Gate: INJECT
[VERIFY] Signature: VALID ✓

Verification uses cryptography.hazmat.primitives.asymmetric.ed25519.Ed25519PublicKey.verify() from the standard Python cryptography library. The canonical payload is the report JSON with the signature and public_key fields removed, serialised with sorted keys and no whitespace.
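The canonicalisation and Ed25519 sign/verify round trip described under Report Format and Verification, as an added example using the cryptography library the page names; it is not the project's code. The sample report is constructed, and the trusted_pubkey_b64 parameter is an assumption: it models the check a verifier should do against the key obtained out of band from specter-argus pubkey, because a report that only verifies under its own embedded key proves no more than internal consistency.

```python
import base64
import json

# Constructed report following the Report Format section (subsystem results omitted).
SAMPLE_REPORT = {
    "report_id": "ARG-4F2A1B",
    "query": "<target-onion>",
    "timestamp": "2026-05-16T14:23:00Z",
    "gate": "INJECT",
    "attribution_confidence": 0.78,
}


def canonical_payload(report):
    """Canonical bytes as described under Verification: signature and public_key
    removed, keys sorted, no whitespace."""
    body = {k: v for k, v in report.items() if k not in ("signature", "public_key")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_report(private_key, report):
    """Return a copy of the report carrying base64 public_key and signature fields."""
    from cryptography.hazmat.primitives import serialization
    raw_pub = private_key.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    signed = dict(report)
    signed["public_key"] = base64.b64encode(raw_pub).decode("ascii")
    sig = private_key.sign(canonical_payload(report))
    signed["signature"] = base64.b64encode(sig).decode("ascii")
    return signed


def verify_report(report, trusted_pubkey_b64=None):
    """Verify the embedded Ed25519 signature over the canonical payload.
    trusted_pubkey_b64 (assumed parameter) is the key distributed via specter-argus
    pubkey; when given, a report carrying any other key is rejected before the
    signature is even checked, so re-signing under a different key does not pass."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    try:
        if trusted_pubkey_b64 is not None and report["public_key"] != trusted_pubkey_b64:
            return False
        pub = Ed25519PublicKey.from_public_bytes(base64.b64decode(report["public_key"]))
        pub.verify(base64.b64decode(report["signature"]), canonical_payload(report))
        return True
    except (InvalidSignature, KeyError, ValueError):
        return False
```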