Exposing the IP Address of a Dark Web Link Collection

Apr 09, 2025 | By Covert Security

Our team has conducted threat intelligence in the dark web space and identified a technique for exposing the real IP addresses behind Cloudflare-protected sites that use authenticated origin pulls.

⛓️ One of the first targets is "darknetlinks[.]info" - a link collection for dark web forums, marketplaces, exchanges and others.

Our investigation showed that the site uses Cloudflare for protection at the DNS level and, at the server level, authenticated origin pulls (AOP) to restrict server traffic to Cloudflare servers only.

🗝️ Conducting certificate intelligence using Censys, our team identified their origin certificate with the fingerprint "02a43b2d77464a269fc32fccf79699dea82569215c37134331f7aaba54d63052" and one host, "146[.]19[.]143[.]203", which serves their dark web link collection.

Figure 1 - Censys Results for 146[.]19[.]143[.]203.
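For operators running their own origin behind Cloudflare: AOP verifies the client certificate, but the origin still presents its server certificate to any client that starts a TLS handshake, which is what lets certificate scanners index it. The following nginx fragment is an added example, not taken from this post or from the site discussed; the hostname, file paths and the availability of `ssl_reject_handshake` (nginx 1.19.4 or later) are assumptions about the deployment.

```nginx
# Added example. example.com and all /etc/nginx/tls/* paths are placeholders.

# --- Before: AOP only -------------------------------------------------
# This is the only server on :443, so it is also the default server.
# A scanner connecting to the bare IP (no SNI) still receives origin.pem
# and the hostnames in it; the client-certificate check comes afterwards.
#
# server {
#     listen 443 ssl;
#     server_name example.com;
#     ssl_certificate        /etc/nginx/tls/origin.pem;
#     ssl_certificate_key    /etc/nginx/tls/origin.key;
#     ssl_client_certificate /etc/nginx/tls/cloudflare-aop-ca.pem;
#     ssl_verify_client      on;
# }

# --- After: AOP plus a catch-all that presents no certificate ---------
# Default server: any handshake without SNI, or with an SNI that matches
# no server_name below, is rejected before a certificate is sent.
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Real site: selected only when the ClientHello SNI is example.com.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate        /etc/nginx/tls/origin.pem;
    ssl_certificate_key    /etc/nginx/tls/origin.key;

    # Authenticated origin pulls: require a client certificate issued by
    # the CA that Cloudflare uses for origin pulls.
    ssl_client_certificate /etc/nginx/tls/cloudflare-aop-ca.pem;
    ssl_verify_client      on;
}

# A client that sends the correct SNI still receives origin.pem, so also
# restrict inbound TCP 443 at the host or network firewall to Cloudflare's
# published IP ranges. That control, not AOP, keeps scanners from
# completing a handshake with the origin at all.
```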

🛡️ The technique and exposed target are part of Covert Security's upcoming CS-ADWI (Advanced Dark Web Intelligence) course, featuring topics such as...

  • Monero transaction deanonymization through honeypot nodes.
  • Hidden service deanonymization on the dark web.
  • Deanonymization of Cloudflare protected services on the clear web.

🎉 Stay tuned for more updates and exposes, as our dark web research expands.