Investigator Use
OnionScan is an open-source investigation tool designed to analyze Tor hidden services (.onion sites) for operational security vulnerabilities and potential de-anonymization indicators. Rather than monitoring content, OnionScan scans the technical configuration of hidden services to surface information that operators may have inadvertently exposed.
For OSINT investigators and security researchers, OnionScan is uniquely valuable because it can identify correlating information between a dark web service and the surface web. Common findings include: server headers that reveal the underlying web server software and version, Bitcoin addresses embedded in pages, SSH host keys that appear on both surface and dark web servers (indicating the same server runs both), email addresses or usernames in page metadata, and directory listing exposures.
When investigating a dark web marketplace, forum, or criminal service, OnionScan can surface technical artifacts that link the hidden service to identifiable infrastructure. A server that shares an SSH host key with a surface web IP address, for example, is likely the same physical or virtual machine — effectively de-anonymizing the hidden service's hosting infrastructure.
The tool scans HTTP headers, SSL/TLS certificates, server banners, and embedded metadata in pages. Each of these channels can leak information that correlates the hidden service to other identifiable resources, even when the operator believes they are completely anonymous.
OnionScan results have been used in academic research and law enforcement investigations to link dark web operators to their real infrastructure. The operational security failures it identifies — misconfigured web servers, shared SSL certificates, exposed Bitcoin addresses — represent the human error factor in dark web anonymity.
Installation requires Go and a working Tor installation. Run only against services you are authorized to investigate. Unauthorized scanning of computer systems, even dark web services, may be illegal in your jurisdiction.
Document all findings with the onion address, scan timestamp, and specific artifacts found. Treat each finding as a lead to be corroborated, not a definitive attribution.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
Ahmia
Dark Web OSINT
Ahmia indexes Tor hidden services, enabling investigators to search .onion sites by keyword without the Tor browser.
BlackWeb
Dark Web OSINT
BlackWeb is a community-maintained blacklist of malicious and spam domains for network filtering and threat infrastructure identification.
Dark Web Tools
Dark Web OSINT
IACA Dark Web Tools is a law enforcement-oriented collection of resources for searching Tor hidden services and dark web content.
Onion Inspector
Dark Web OSINT
Onioff inspects .onion URLs to verify availability, extract page metadata, and map Tor hidden service content for dark web OSINT.
Onion Links
Dark Web OSINT
Find the best onion links list here. Working onion links for 2025 with the best dark web links to explore. All working and updated.
Onion Scan Tool
Dark Web OSINT
OnionScan is a free and open source tool for investigating the Dark Web.