A Darkwebathon Journey

My Darkwebathon journey started in December 2021. It was the first time that the Anti-Human Trafficking Intelligence Initiative (ATII) had conducted a global CTF, and the event was for a worthwhile cause. More than 400 participants across 56 teams joined the virtual fight against various real-world criminal entities. ATII launched its own dark web intelligence monitoring tool during the competition, which helped us track these criminals. I'd like to share more about my experience in the hope that others might see the value of applying intelligence work to special events that help solve real, global problems.

If you're interested in the different types of events, including the threat-intelligence-focused activities, here is an overview of the ATII event challenges from the past 3 years:

  • Cryptocurrency Challenge & Email Challenge: Find intel and link it to an existing dataset with the help of the available tools.
  • Maltego Challenge: Create unique graphs to illustrate the connections between different information sources, such as IP addresses, social media accounts, and cryptocurrency addresses. Here is my Maltego dark web sun video.
  • Intel Report Challenge: Create individual and team intelligence reports.
  • Image Hash Challenge: Submit image hashes and link them to a website or threat actor.
  • Onion Link Challenge: Find new onion links, or use existing data and find connections.
  • OSINT Challenge: Find suspicious IP addresses and bank data.
  • Darkwebathon Sprint Challenge (2022): A 6-hour challenge in which all participants must complete one of the above challenges individually instead of as a team. In the 2022 challenge, I placed first worldwide in the image hash challenge and got the MVP award! You can watch the closing ceremony here.

One fruitful aspect of the event was the free use of new tooling. ATII provided training on the sponsors' tools, which we could access for a limited time. Their platform had a large dataset with selectors, crypto addresses, graphs, screenshots, image hashes and more. At the 2023 conference I attended, we also leveraged tools like DarkOwl and SOSIntel, dark and clear web data scrapers that allow users to find important intel. We also used DarkBlue to pivot on intelligence data and to store snapshots of crawled pages along with their historic versions. In addition, the cryptocurrency forensic investigation tool Qlue provided intelligence on whether specific crypto addresses were risky, suspicious or good, and when the transactions happened.

My Experiences and Awards

During my 2021 Darkwebathon experience, my team started the investigation with a single email ID and an image hash dataset. Our goal was to complete an intelligence report in 2 days. Using the platform's dataset and the sponsored tools, my team found various information about the threat actor, including a phone number, crypto addresses, a website, and social media accounts. Sponsors provided challenge winners with prizes that included tool licenses and course memberships for up to a year. My team secured 2nd place in this event, and I won the Cryptocurrency Challenge Award.

I learned about even more tools and strategies during the 2023 Darkwebathon. My team used the data scraper tools to find threat actor data. We also used open sources like Google, VirusTotal, and Whois to track pivot intel such as contact information, social media accounts and WhatsApp accounts. I researched the concept of pig butchering scams and created a detailed report on it. Our team successfully submitted 19 different reports totalling hundreds of pages. I secured the first-place prize for the cryptocurrency challenge, and my team earned 2nd place in the OSINT challenge.

Below are some of the Maltego graphs I created during the 2023 Darkwebathon:

[Image: Darkwebathon Journey_img1.png]

Figure 1: Rings of Pig Butchering Scam

[Image: Darkwebathon Journey_img2.png]

Figure 2: Maltego Fireworks

Below are my 2022 Maltego graphs:

[Image: Darkwebathon Journey_img3.jpg]

Figure 3: Dark Web Sun with Golden Rays of Cryptos

[Image: Darkwebathon Journey_img4.jpg]

Figure 4: Dark Web Sun with Golden Rays of Cryptos

[Image: Darkwebathon Journey_img5.jpg]

Figure 5: Dark Web Sun with Golden Rays of Cryptos

Conclusions

The Darkwebathon was a fantastic event! Unlike most CTFs, all participants worked with real human trafficking-related data collected from the dark web. This type of event is extremely useful for understanding dark web activities and gaining insights into threat actors. One main takeaway from these events is that, by using appropriate methods and tools, analysts can avoid the risk of exposure while working with dark web data. This event gives the entire infosec community the opportunity to gain hands-on practice and training with helpful tools.

Learn more about ATII and the Darkwebathon from the following links:

https://followmoneyfightslavery.org
https://followmoneyfightslavery.org/darkwebathon/
https://followmoneyfightslavery.org/darkwebathon-2023/

Bheshaj Taksali
SANS GREM | CEH | CCFI | Optiv

Bheshaj is an experienced malware analyst and reverse engineer with a passion for sharing his knowledge with others. He has over 10 years of experience in the security industry and holds a Master's Degree in Computer Science. Prior to joining Optiv, he was a Senior Malware Analyst at Innovana ThinkLabs, and before that he was a Malware Technical Specialist at McAfee (aka Intel Security). He is responsible for cyber intelligence operations, collection and development of OSINT sources, Cyber-HUMINT, malware analysis, threat hunting and the production of tailored CTI reports. Bheshaj is SANS GREM certified and CCFA certified by the McAfee Institute.
