AI-Based Cybercrime Intelligence Platform. Collects and refines threat data from anonymous channels including Dark web and Telegram. Track cybercrimes with knowledge graph analyzer and user profiling tools.

Product Overview
  • XARVIS AI Brief
  • XARVIS Overview
  • Key Features
  • DarkCHAT
  • Use Cases
United States: U.S. Army Aviation and Missile Command Data Breach

In August 2023, the U.S. Army Aviation and Missile Command experienced a significant data breach. This breach, executed by the threat actor IntelBroker, involved the unauthorized release of documents related to the Boeing CH-47F Chinook and Sikorsky H-60 Black Hawk helicopters. These documents, including images and PDFs, were first leaked on BreachForums in May 2024 and then re-disclosed on June 16, 2024. This incident highlights vulnerabilities within critical military sectors.

This report is an AI-generated document by XARVIS, which actively monitors the dark web in real-time and automatically extracts key threat information from the data detected each day. If you wish to delve into detailed data, please request a product demo.


XARVIS is a comprehensive deep/dark web monitoring and data collection solution that covers anonymous channels such as the dark web and Telegram. Through integrated web monitoring, it collects data that can be used to track specific cyber incidents and gather information about associated criminals. Additionally, it employs advanced Natural Language Processing (NLP) systems and in-depth analysis to extract meaningful intelligence from the collected data. XARVIS is a powerful tool for monitoring and analyzing online activities in the hidden corners of the internet to enhance cybersecurity and threat intelligence efforts.

Importance of Dark Web Monitoring
How to use XARVIS
Dark Web Search [Search Engine]

XARVIS's primary function is to search the scattered data within the Dark Web, creating a search environment similar to Google.

Real-Time Threat Data Collection
It monitors and collects threat intelligence in real-time by tracking over thousands of Telegram hacking channels and hacking forums. The vast amount of unstructured data is categorized by identifying valid identifiers, which are then stored on servers. Users can leverage this collected intelligence in various ways to track specific threats.

Global Issue Monitoring [Search Engine]
XARVIS monitors globally trending topics. Dark Web users often express their views on global issues within the Dark Web and may engage in activities such as selling and sharing data stolen from major government agencies and corporations in adversarial nations. XARVIS can track posts related to global issues in real-time from over thousands of Telegram hacking channels and hacking forums.

Monitoring the Sale of Server Access Rights [Search Engine / Darkweb Trend]
Dark Web hacking forums not only deal with institutional and corporate data but also sell access rights to internal servers (VPN, RDP, Citrix, etc.). Threat actors can register these server access rights with XARVIS, allowing them to receive real-time notifications regarding the sale or sharing of relevant data. When exploited, these access rights can lead to disabling internal servers or even spreading ransomware attacks. XARVIS users can register specific server access rights-related keywords to receive real-time notifications.

Telegram Search [Telegram BETA]

Users can explore various Telegram channels and the messages, images, and documents collected from those channels. Telegram channels integrated into the XARVIS platform are typically categorized under hacking, drugs, Malware, and Hacktivists’ activities.

Tracking Threat Actors [Graph Analyzer]

Some threat actors active on the Dark Web or Telegram tend to focus their attacks on specific countries or industries. Users can use XARVIS's 'Dark Spider' feature to examine the Dark Web/Telegram posts made by these actors and go further by tracing and combining the traces left by threat actors (Bitcoin addresses, Telegram IDs, email addresses, etc.) to identify specific individuals.

Threat Domain Monitoring [New Threats]

XARVIS collects Dark Web domains in real-time and automatically classifies the nature of the collected domains (Hacking, Drug, Arms, etc.) using its proprietary language model, 'DarkBERT.' Collected data is stored in XARVIS, allowing users to filter domains based on their nature and monitor the domains that require real-time monitoring.


DarkCHAT is a generative AI model specialized in dark web content, integrated into XARVIS, a dark web monitoring solution. It is built upon DarkBERT, the world's first AI language model tailored specifically for dark web content. By leveraging DarkCHAT, you can achieve the following effects.

Crime Detection and Prevention

While the dark web is a frequent hub for illegal activities, its content is predominantly unstructured. The dark web-specific AI language model aids in analyzing and detecting these activities more effectively.

Threat Intelligence Acquisition on Relevant Topics of Interest

The collected data serves as a basis for deriving new intelligence.

Easy Access to Desired Data with a Single Command
Effortlessly access threat analysis reports published by S2W related to the desired data.

Automatic User Profiling
Automatically perform user profiling, identifying the countries and industries predominantly targeted by threat actors.

Obtain Threat Information Associated with Specific Countries or Industries
Access threat information related to specific countries or industries.

Retrieve Bitcoin Addresses Used by Threat Elements and the Sources (Exchanges) to Which They Belong
Gain insights into the Bitcoin addresses utilized by threat elements and the corresponding sources (exchanges).

XARVIS Use Cases
Use Case 1
Use Case 2
Use Case 3
Use Case 4
Use Case 5
Use Case 6
Use Case 7
Dark Web Search

XARVIS utilizes 'DarkBERT,' a Dark Web specialized language model developed by S2W's AI team, to classify and provide threat information by category. This technology automatically analyzes the posts uploaded to hacking forums, identifying the targeted countries and industries, making it easier to monitor on a country-by-country and industry-specific basis. S2W's AI calculates threat levels, presenting the most dangerous content in order.

When a specific country is selected, users can assess the damage distribution across different industries within that country. Furthermore, users can explore the top 5 users targeting that country and the frequency of damage in comparison to neighboring countries.

Telegram Search (beta)

Cybercrime is increasingly prevalent not only on the Dark Web but also within Telegram channels. The Telegram search feature is a newly added functionality that allows keyword-based searching of various crime-related Telegram channels collected by S2W.

Telegram channels integrated into the XARVIS platform are typically categorized under hacking, drugs, malware, hactivists’ activities, and more.

By entering drug-related slang terms into the Telegram search bar, users can access actual chat logs containing those keywords. This enables the identification of Telegram channels involved in illegal drug trading and their sellers. This information can be cross-referenced with other data in XARVIS, such as Bitcoin addresses, to track down sellers.

* Please note that this feature is in Beta version, and its public release schedule is currently undefined. Additional features and changes may occur upon public release, expected in the year '24.

* Please note that this feature is in Beta version, and its public release schedule is currently undefined. Additional features and changes may occur upon public release, expected in the year '24.

Tracking Threat Actors #1

XARVIS's cross-analysis tool enables the tracking of threat actors effectively. XARVIS continuously collects real-time identifiers related to threat actors, and users can leverage this collected data for cross-analysis.

In 2022, XARVIS detected the activities of a user named 'Lost_Key' targeting Indonesia on the global hacking forum 'Breached.' XARVIS collected this user's cryptocurrency address and Telegram address. Furthermore, it confirmed that the collected cryptocurrency address was associated with the renowned cryptocurrency exchange 'Binance.'

By utilizing XARVIS's cross-analysis tool, law enforcement agencies and security professionals can identify the identity of threat actors. This powerful tool enhances their ability to uncover and trace the individuals behind cyber threats, ultimately contributing to improved cybersecurity and threat mitigation efforts.

Tracking Threat Actors #2

XARVIS's threat actor analysis tool can effectively track users who operate with multiple identities on the Dark Web and Telegram.

In 2022, XARVIS detected the activity logs of a user named 'okito,' who was continuously targeting Singapore. This user was active on the global hacking forum 'Breached' and left their Telegram address in dozens of posts.

By tracing the Telegram address, XARVIS discovered that the same Telegram address was posted in messages authored by 'ttyper,' who had detected traces of access denial on the hacking forum.

This demonstrates how XARVIS can consistently track users who employ multiple identities on hacking forums, enhancing the ability to monitor and respond to potentially malicious activities effectively.

Identifying New Threat Domains

XARVIS collects approximately 150 new Dark Web domains on a daily basis. It leverages the 'DarkBERT' language model developed by S2W's AI team to automatically classify these collected domains into categories such as drugs, finance, hacking, weapons sales, and more.

This functionality enables organizations in specific sectors to periodically monitor threat websites relevant to their industry. For example, a drugs investigation agency can gather information on newly created drugs trading sites and utilize the data collected from these sites for their investigations.

By using XARVIS's automated classification and monitoring capabilities, organizations can stay vigilant against emerging threats and make informed decisions to bolster their cybersecurity efforts.

Global Issue Monitoring

XARVIS provides the capability to monitor global issues that are gaining attention on the Dark Web.

Following the outbreak of the Russia-Ukraine war, the Dark Web saw a variety of opinions and discussions on this topic. Posts distributing the personal information of major government agencies, businesses, and citizens from both countries were frequently detected.

Similarly, after the outbreak of the Israel-Palestine conflict, XARVIS identified trends similar to those observed during the Russia-Ukraine war.

In this manner, XARVIS can concentrate on monitoring specific topics and detect related illegal transactions and harmful content. This enables organizations to stay informed about emerging issues and potential threats within these discussions on the Dark Web.

Monitoring Server Access Permissions for Sale

XARVIS allows users to monitor the sale and demand for internal network access permissions of specific country-based companies by entering specific keywords.

For example, if a post appears on the Dark Web offering account information that can access the internal servers of a specific institution in South Korea, XARVIS detects this post and sends an alert. Such leaked accounts could be exploited by threat actors to compromise internal servers, leading to potential disruption or ransomware attacks.

In order to respond quickly to such situations and prevent the spread of damage, regular monitoring and detection of account leaks are essential. XARVIS provides the necessary tools to proactively address these security concerns and protect organizations from potential threats.