Innumbra is a free, metadata-only dark web meta-search engine that indexes .onion hidden services on the Tor network. It is designed for security researchers, journalists, and threat intelligence analysts who need to discover, monitor, and analyze Tor hidden services without accessing their content directly.
Innumbra extracts and indexes: site titles, HTTP server headers, technology stacks (CMS, frameworks, databases), page language, uptime history, content hashes for mirror detection, OSINT entities (cryptocurrency wallets, PGP keys, email addresses, messaging handles), link relationships between sites, warrant canaries, law enforcement seizure banners, and threat intelligence classifications. No actual page content is stored, cached, or proxied.
Last updated: February 27, 2026 · 5,583 services indexed · 1,174 currently online
Innumbra supports keyword search, advanced filter operators, and direct entity lookups. You can combine any of these in a single query to narrow results precisely.
marketplace bitcoinbc1qxy2k...xyz or user@mail.comstatus:online status:offlinecti:ransomware cti:marketplacetech:nginx tech:wordpresslang:ru lang:de lang:enafter:2025-01 before:2026-01forum status:online lang:enEntity pivot search: Paste any entity value directly into the search bar — a Bitcoin address, email, PGP fingerprint, Jabber ID, or clearnet domain. Innumbra will show every indexed .onion site that references that identifier, enabling cross-site pivot analysis for OSINT investigations.
The automated crawler extracts 17+ categories of identifiers from every indexed page. These entities enable cross-referencing between sites — for example, searching a single Bitcoin wallet address reveals every .onion service that shares it, a technique used in threat intelligence and law enforcement investigations.
Innumbra uses a four-phase discovery pipeline that combines public intelligence feeds, automated crawling, and community submissions:
Every indexed site undergoes periodic status checks with retry logic (3 attempts per check, fresh Tor circuit per attempt). Sites confirmed offline across 5 consecutive check cycles are pruned from the active index. Technology fingerprinting, entity extraction, content hashing, and operator correlation run as scheduled background tasks.
| Link graph visualization | Interactive force-directed graph showing how .onion sites link to each other, revealing clusters and hub sites. |
| Mirror detection | Content hashing identifies sites serving identical content across different .onion addresses. |
| Operator correlation | Identifies sites likely run by the same entity using shared crypto wallets, PGP keys, favicon hashes, and link topology. |
| Warrant canary tracking | Detects and monitors PGP-signed warrant canary statements across indexed sites. |
| Seizure detection | Identifies law enforcement seizure banners in 12 languages from 13+ agencies (FBI, Europol, BKA, etc.). |
| Technology fingerprinting | Identifies web servers, CMS platforms, frameworks, programming languages, and database technologies from HTTP headers and HTML signatures. |
| Change detection | Tracks title changes, status transitions (online↔offline), and content modifications with timestamped history. |
Innumbra's operator correlator uses a proprietary probabilistic model to combine independent signals into a single confidence score. Each signal type has a base weight reflecting its discriminative power:
| PGP key fingerprints | 0.98 | Nearly unique per operator |
| Email addresses | 0.95 | Strong identity signal |
| Bitcoin addresses | 0.90 | Payment infrastructure |
| Content hash | 0.85 | Identical page content |
| Server fingerprint combo | 0.75 | Same server + framework + language |
| Favicon hash | 0.70 | Same visual identity |
| Fuzzy content hash | 0.65 | Near-duplicate content |
Default/common values (e.g., "admin@localhost", standard Apache error pages) are blocklisted to prevent false positives. Independent signal probabilities are combined into a single composite confidence score.
The entity extraction pipeline uses pattern matching optimized for each identifier format. Current coverage includes 17+ entity types across 5 categories:
Each site starts at a base score of 50/100. The scoring engine applies penalties and rewards based on observable indicators:
| Penalties | |
| IP address in headers | -25 |
| Clearnet domain references | -20 |
| Server version exposed | -15 |
| Framework/runtime exposed | -10 |
| Insecure cookies (no Secure/HttpOnly) | -10 |
| Missing each security header | -5 each |
| Rewards | |
| Content-Security-Policy present | +8 |
| X-Content-Type-Options present | +5 |
| Secure + HttpOnly cookies | +5 |
Score ranges: 0–29 (poor), 30–69 (moderate), 70–100 (strong). The OPSEC badge appears on every site dossier page.
Innumbra is a free dark web meta-search engine that indexes .onion hidden services on the Tor network. It is built for OSINT (Open Source Intelligence) professionals, cybersecurity researchers, journalists investigating dark web activity, and threat intelligence analysts. Unlike content search engines, Innumbra indexes only metadata — titles, technology stacks, uptime status, extracted entities, and structural relationships — without storing any page content.
Most dark web search engines index page content for full-text search. Innumbra takes a different approach: it indexes metadata only, focusing on structural intelligence. This includes technology fingerprinting (identifying web servers, CMS platforms, and frameworks), entity extraction (cryptocurrency wallets, PGP keys, email addresses), operator correlation (linking sites to the same operator via shared identifiers), mirror detection (identifying duplicate sites via content hashing), and uptime monitoring with historical tracking.
Innumbra aggregates from multiple intelligence sources: Ahmia's public hidden service index, deepdarkCTI threat feeds (markets, forums, ransomware groups), ransomwatch and RansomLook ransomware tracking APIs, curated onion directories, curated CTI repositories, clearnet aggregator sites, and automated automated crawl discovery. All imported addresses are screened against the Ahmia CSAM blocklist before indexing.
No. Innumbra is strictly a metadata-only index. It stores site titles, HTTP response headers, technology fingerprints, uptime history, content hashes (for mirror detection), and extracted entity identifiers. It does not store, cache, proxy, or reproduce any actual page content from .onion hidden services.
Operator correlation identifies .onion sites likely operated by the same person or group. Innumbra analyzes multiple signals with weighted confidence scores: shared cryptocurrency wallet addresses (0.90 confidence), shared PGP key fingerprints (0.98), shared email addresses (0.95), matching favicon image hashes (0.70), identical content hashes (0.85), matching server fingerprints (0.75), and link topology patterns. Sites exceeding the confidence threshold are grouped into operator clusters.
Yes. Innumbra is completely free to use with no accounts, rate limits, or paywalls. The search engine, entity explorer, link graph visualization, site comparison tool, and all analysis features are openly accessible. The platform also provides an API, RSS feeds, an llms.txt file for AI systems, and a sitemap for search engine indexing.
Innumbra uses two complementary methods for mirror detection: exact content hashing creates fingerprints — two sites with identical hashes are confirmed mirrors. Fuzzy hashing detects near-duplicates even when sites differ slightly (e.g., different headers but same body content). Sites sharing the same content hash are automatically grouped on the mirror detection page. Near-duplicate detection runs efficiently across the entire index.
Innumbra rates each site's operational security on a 0–100 scale. The score starts at 50 and applies penalties for security failures: exposing server software versions (-15), clearnet domain references (-20), leaking IP addresses in headers (-25), missing security headers (-5 each), insecure cookies (-10), and exposing framework details (-10). Rewards are given for good practices: security headers like Content-Security-Policy (+8), X-Content-Type-Options (+5), and proper cookie flags (+5). Sites with scores below 30 are considered high-risk; above 70 indicates strong operational security.
Yes. Innumbra extracts cryptocurrency wallet addresses (Bitcoin, Ethereum, Monero, Dogecoin, Zcash) from every indexed page. Paste any wallet address directly into the search bar to find every .onion site that references it. This entity pivot search is one of the most powerful features for threat intelligence and financial investigations — if the same Bitcoin address appears on three different dark web markets, those services may share an operator or payment processor. The entity explorer shows all extracted entities with cross-site relationships.
Innumbra applies the Ahmia CSAM blocklist to every address before it enters the index. Known child abuse sites are permanently excluded at the import stage. Innumbra does not store, cache, or proxy any page content — it indexes only metadata (titles, headers, technology fingerprints, entity identifiers). Users can report sites for removal via the content removal page. The platform is designed exclusively for legitimate OSINT research, journalism, and threat intelligence work.