copyleftdev/robin-smesh

Robin×SMESH

🕸️ Decentralized Dark Web OSINT via Signal Diffusion 🕸️

A Rust reimagining of Robin that replaces central LLM orchestration with SMESH's plant-inspired signal diffusion protocol.

The Difference

| Aspect | Python Robin | Robin×SMESH |
|---|---|---|
| Orchestration | Sequential pipeline | Emergent via signals |
| Search | ThreadPool, 16 engines | N crawler agents, infinite scale |
| Filtering | Single LLM call | Multiple filter agents + consensus |
| Fault tolerance | Breaks on timeout | Signals decay, others pick up |
| Performance | ~seconds per stage | ~μs signal ops + async I/O |

Architecture

┌─────────────────────────────────────────────────────────────────────────────────┐
│                           SHARED SIGNAL FIELD                                   │
│  Signals decay over time · Reinforcement = consensus · No central controller    │
└─────────────────────────────────────────────────────────────────────────────────┘
       ▲                    ▲                    ▲                    ▲
  ┌────┴────┐          ┌────┴────┐          ┌────┴────┐          ┌────┴────┐
  │ REFINER │          │ CRAWLER │          │ FILTER  │          │ ANALYST │
  │  Agent  │          │  Swarm  │          │  Agent  │          │  Agent  │
  └─────────┘          └─────────┘          └─────────┘          └─────────┘

Signal Flow

  1. UserQuery → Refiner senses, emits RefinedQuery
  2. RefinedQuery → Crawlers sense, emit RawResult (per .onion link)
  3. RawResult → Filter senses batch, emits FilteredResult (top 20)
  4. FilteredResult → Scrapers sense, emit ScrapedContent
  5. ScrapedContent → Extractor senses, emits ExtractedArtifacts (IOCs)
  6. ExtractedArtifacts → Enricher senses, queries surface web, emits EnrichedArtifacts
  7. ScrapedContent + Artifacts → Analyst senses, emits Summary

Quick Start

# Build
cargo build --release

# Check Tor connection
./target/release/robin-smesh status

# Run investigation (Anthropic is default)
ANTHROPIC_API_KEY=sk-ant-... ./target/release/robin-smesh query \
  -q "ransomware payments" \
  --timeout 300

# Multi-specialist mode (6 expert analysts + lead synthesis)
ANTHROPIC_API_KEY=sk-ant-... ./target/release/robin-smesh query \
  -q "threat actor infrastructure" \
  --specialists

# External OSINT enrichment (GitHub + Brave search)
ANTHROPIC_API_KEY=sk-ant-... ./target/release/robin-smesh query \
  -q "data breach credentials" \
  --enrich \
  --specialists

# Blockchain temporal analysis (BTC/ETH wallet patterns)
ANTHROPIC_API_KEY=sk-ant-... ./target/release/robin-smesh query \
  -q "ransomware bitcoin wallets" \
  --blockchain \
  --specialists

# Use OpenAI instead
OPENAI_API_KEY=sk-... ./target/release/robin-smesh query \
  -q "ransomware payments" \
  --openai

# Use OpenRouter (Claude Sonnet 4.5)
OPENROUTER_API_KEY=... ./target/release/robin-smesh query \
  -q "data breach credentials" \
  --openrouter

# Use OpenRouter with permissive mode for security research
# (uses Mistral Large - less restrictive for threat intel queries)
OPENROUTER_API_KEY=... ./target/release/robin-smesh query \
  -q "stealer logs redline raccoon vidar" \
  --openrouter --permissive \
  --specialists

LLM Model Selection

Robin×SMESH auto-selects optimal models based on provider. You can override with -m:

| Provider | Flag | Default Model | Notes |
|---|---|---|---|
| Anthropic | (default) | claude-sonnet-4-20250514 | Best quality, recommended |
| OpenAI | --openai | gpt-4o | Strong reasoning |
| OpenRouter | --openrouter | anthropic/claude-sonnet-4.5 | Claude via OpenRouter |
| OpenRouter | --openrouter --permissive | mistralai/mistral-large-2512 | Less restrictive for security research |

Permissive Mode

For security research queries that may trigger content filters (malware names, exploit terminology), use --permissive with OpenRouter:

# These queries work with --permissive
robin-smesh query -q "stealer logs redline raccoon" --openrouter --permissive
robin-smesh query -q "infostealer malware analysis" --openrouter --permissive
robin-smesh query -q "ransomware bitcoin wallets" --openrouter --permissive

Custom Models

Override the default model with -m:

# Use a specific OpenRouter model
robin-smesh query -q "threat actor" --openrouter -m meta-llama/llama-3.1-70b-instruct

# Use GPT-4o-mini for cost savings
robin-smesh query -q "dark web market" --openai -m gpt-4o-mini

Requirements

  • Rust 1.75+
  • Tor running on port 9050:
    # Linux
    sudo apt install tor && sudo systemctl start tor
    
    # Mac
    brew install tor && brew services start tor
  • LLM API Key:
    • ANTHROPIC_API_KEY (default, recommended)
    • OPENAI_API_KEY (with --openai flag)
    • OPENROUTER_API_KEY (with --openrouter flag)
  • Optional for enrichment:
    • GITHUB_TOKEN – Increases GitHub API rate limits
    • BRAVE_API_KEY – Enables Brave Search integration

Crate Structure

robin-smesh/
├── robin-core/      # Signals, artifacts, field, search engines
├── robin-tor/       # Tor proxy, crawler, scraper
├── robin-agents/    # Specialized OSINT agents (refiner, crawler, filter, etc.)
├── robin-runtime/   # SMESH swarm coordinator
└── robin-cli/       # CLI binary

Key Concepts from SMESH

  • Signals: Messages with intensity that decays over time
  • Field: Shared space where signals propagate
  • Reinforcement: Agreement from multiple agents boosts confidence
  • Emergence: No central controller; coordination emerges from simple rules
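
The decay and reinforcement rules above, as an added sketch that is not code from this repository. The type and method names, the exponential half-life decay, and the rule that an agent cannot reinforce its own signal are all assumptions made for illustration.

```rust
use std::collections::HashMap;
// Added sketch, not robin-core's types: every name here is hypothetical.
struct Signal {
    intensity: f64,       // strength as of `updated_at`
    updated_at: f64,      // seconds since the run started
    sources: Vec<String>, // distinct agents that emitted or reinforced it
}
struct Field {
    half_life: f64, // assumption: exponential decay, half-life in seconds
    signals: HashMap<String, Signal>,
}

impl Field {
    fn new(half_life: f64) -> Self { Field { half_life, signals: HashMap::new() } }

    /// Intensity of `key` at `now` after decay; unknown keys read as 0.
    fn intensity(&self, key: &str, now: f64) -> f64 {
        self.signals.get(key).map_or(0.0, |s| {
            s.intensity * 0.5f64.powf((now - s.updated_at) / self.half_life)
        })
    }

    /// Emit or reinforce `key`. A repeat from the same agent is ignored (an
    /// assumption of this sketch), so one agent cannot fake consensus alone.
    fn emit(&mut self, key: &str, agent: &str, amount: f64, now: f64) {
        let decayed = self.intensity(key, now);
        let s = self.signals.entry(key.to_string())
            .or_insert(Signal { intensity: 0.0, updated_at: now, sources: Vec::new() });
        if s.sources.iter().any(|a| a == agent) { return; }
        s.intensity = decayed + amount;
        s.updated_at = now;
        s.sources.push(agent.to_string());
    }

    /// Keys whose decayed intensity is still at or above `threshold`.
    fn sense(&self, threshold: f64, now: f64) -> Vec<String> {
        let mut keys: Vec<String> = self.signals.keys()
            .filter(|k| self.intensity(k.as_str(), now) >= threshold)
            .cloned().collect();
        keys.sort();
        keys
    }
}

fn main() {
    let mut field = Field::new(60.0);
    field.emit("result:A", "filter-1", 1.0, 0.0);
    field.emit("result:B", "filter-1", 1.0, 0.0);
    field.emit("result:A", "filter-2", 1.0, 60.0); // a second agent agrees on A
    println!("{:?}", field.sense(0.7, 120.0)); // B has decayed below threshold
}
```

Because unreinforced signals fall below the sensing threshold on their own, a stalled agent leaves nothing to clean up.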

Artifact Extraction

Automatically extracts:

  • 🔗 Onion addresses
  • 💰 Bitcoin/Ethereum/Monero addresses
  • 📧 Email addresses
  • File hashes (MD5, SHA1, SHA256)
  • CVE identifiers
  • ⚔️ MITRE ATT&CK TTPs
  • Domains and IPs
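
How a few of these artifact types can be recognised by shape alone, as an added standard-library-only example that is not the project's extractor. The `Kind`, `classify` and `extract` names are hypothetical, and the sample text (onion label, CVE id) is constructed.

```rust
// Added example, std-only; names are hypothetical, not robin-core's API.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Kind { OnionV3, Cve, AttackTechnique, Md5, Sha1, Sha256 }
fn digits(s: &str) -> bool { !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit()) }

fn classify(tok: &str) -> Option<Kind> {
    let t = tok.to_ascii_lowercase();
    if let Some(host) = t.strip_suffix(".onion") {
        // v3 onion label: 56 base32 chars (a-z, 2-7); the checksum is not verified.
        let label = host.rsplit('.').next()?;
        let b32 = label.bytes().all(|b| matches!(b, b'a'..=b'z' | b'2'..=b'7'));
        return (label.len() == 56 && b32).then_some(Kind::OnionV3);
    }
    if let Some(rest) = t.strip_prefix("cve-") {
        // CVE-YYYY-NNNN: the sequence part has four or more digits.
        let (year, seq) = rest.split_once('-')?;
        return (year.len() == 4 && digits(year) && seq.len() >= 4 && digits(seq)).then_some(Kind::Cve);
    }
    if let Some(rest) = t.strip_prefix('t') {
        // ATT&CK technique: T#### with an optional .### sub-technique.
        let (tech, sub) = rest.split_once('.').unwrap_or((rest, "000"));
        if tech.len() == 4 && digits(tech) && sub.len() == 3 && digits(sub) { return Some(Kind::AttackTechnique); }
    }
    if !t.bytes().all(|b| b.is_ascii_hexdigit()) { return None; }
    // Length gives the digest size only, not proof of which algorithm produced it.
    match t.len() { 32 => Some(Kind::Md5), 40 => Some(Kind::Sha1), 64 => Some(Kind::Sha256), _ => None }
}

/// Tokenise on characters that cannot occur inside these artifacts, classify, de-duplicate.
fn extract(text: &str) -> Vec<(Kind, String)> {
    let mut out: Vec<(Kind, String)> = Vec::new();
    for raw in text.split(|c: char| !(c.is_ascii_alphanumeric() || c == '.' || c == '-')) {
        let tok = raw.trim_matches(|c: char| c == '.' || c == '-');
        let Some(kind) = classify(tok) else { continue };
        let value = match kind {
            Kind::Cve | Kind::AttackTechnique => tok.to_ascii_uppercase(),
            _ => tok.to_ascii_lowercase(),
        };
        if !out.contains(&(kind, value.clone())) { out.push((kind, value)); }
    }
    out
}

fn main() {
    // Constructed sample: the onion label and the CVE id are made up.
    let onion = "abcdefgh234567ab".repeat(3) + "abcdefgh";
    let text = format!("http://{onion}.onion/x drops d41d8cd98f00b204e9800998ecf8427e, T1059.001, CVE-2099-12345.");
    for (kind, value) in extract(&text) { println!("{kind:?}: {value}"); }
}
```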

Multi-Specialist Analysis

With --specialists, analysis is performed by 6 expert personas before synthesis:

| Specialist | Focus |
|---|---|
| 🎯 Threat Intel | Actor TTPs, campaign patterns, IOC correlation |
| 💰 Financial Crime | Cryptocurrency flows, money laundering, fraud |
| Technical | Malware, exploits, infrastructure analysis |
| Geopolitical | Nation-state activity, regional threats |
| ⚖️ Legal/Regulatory | Compliance, jurisdiction, evidence handling |
| 🔮 Strategic | Trend forecasting, risk assessment |

External OSINT Enrichment

With --enrich, extracted artifacts are queried against surface web sources:

  • GitHub Code Search – Emails, usernames, code snippets, hashes
  • Brave Search – IPs, domains, malware hashes, threat intel

This bridges dark web findings with public attribution data.

Blockchain Temporal Analysis

With --blockchain, extracted cryptocurrency addresses are analyzed for temporal patterns:

  • Bitcoin – Blockstream API (no key required)
  • Ethereum – Etherscan API (optional ETHERSCAN_API_KEY for higher rate limits)

Analysis includes:

  • Wallet age (first/last transaction)
  • Transaction frequency and volume
  • Temporal patterns – Regular intervals, burst activity, dormancy periods
  • Timezone inference – Activity concentration by hour
  • Risk indicators (high volume, recent activity, contract interactions)
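
Two of the measurements listed above, activity concentration by hour and dormancy periods, computed from transaction timestamps. This is an added example, not the project's analyzer: the function names are hypothetical and the wallet history is constructed.

```rust
// Added example with hypothetical names; timestamps are Unix seconds (UTC).
const HOUR: u64 = 3_600;
const DAY: u64 = 86_400;

/// Transactions per UTC hour of day.
fn hour_histogram(ts: &[u64]) -> [u32; 24] {
    let mut hist = [0u32; 24];
    for t in ts { hist[((t % DAY) / HOUR) as usize] += 1; }
    hist
}

/// Start hour (UTC) of the busiest `width`-hour window, wrapping past midnight,
/// and the share of all transactions that fall inside it.
fn busiest_window(hist: &[u32; 24], width: usize) -> (usize, f64) {
    let total: u32 = hist.iter().sum();
    let (mut best, mut best_count) = (0usize, 0u32);
    for start in 0..24 {
        let count: u32 = (0..width).map(|i| hist[(start + i) % 24]).sum();
        if count > best_count { best = start; best_count = count; }
    }
    (best, if total == 0 { 0.0 } else { best_count as f64 / total as f64 })
}

/// Dormancy periods: gaps between consecutive transactions longer than `min_gap`.
fn dormancy(ts: &[u64], min_gap: u64) -> Vec<(u64, u64)> {
    let mut sorted = ts.to_vec();
    sorted.sort_unstable();
    sorted.windows(2).filter(|w| w[1] - w[0] > min_gap).map(|w| (w[0], w[1])).collect()
}

/// Constructed wallet history: three transactions a day at 13:00-15:00 UTC for
/// five days, then one transaction at 02:00 UTC forty days later.
fn sample_timestamps() -> Vec<u64> {
    let base = 19_675 * DAY;
    let mut ts: Vec<u64> = (0..5u64)
        .flat_map(|d| (13..16u64).map(move |h| base + d * DAY + h * HOUR + 120))
        .collect();
    ts.push(base + 44 * DAY + 2 * HOUR);
    ts
}

fn main() {
    let ts = sample_timestamps();
    let (start, share) = busiest_window(&hour_histogram(&ts), 3);
    println!("busiest 3h window starts {start:02}:00 UTC, {:.0}% of activity", share * 100.0);
    println!("dormant gaps > 30 days: {:?}", dormancy(&ts, 30 * DAY));
}
```

A concentrated window is only a hint about operating hours; automated or scheduled transactions produce the same shape.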

Paste Site Monitoring

With --pastes, public paste sites are searched for leaked data matching query terms:

  • Pastebin – Via psbdmp.ws API (paste dump search)
  • Rentry.co – Slug-based discovery
  • dpaste.org – Recent pastes API
  • ControlC – Search interface
  • JustPaste.it – Search interface

This catches leaked credentials, wallet addresses, and IOCs that often appear on paste sites before propagating to dark web markets.

Example Reports

Sample investigation reports are available in reports/:

reports/
├── summary_2026-01-20_15-24-29.md  # Ransomware payment investigation
├── summary_2026-01-20_15-26-30.md  # Threat actor infrastructure
├── summary_2026-01-20_15-51-10.md  # Multi-specialist analysis
└── summary_2026-01-20_16-09-02.md  # With external enrichment

License

MIT OR Apache-2.0
