Maltego is one of those tools that’s been around for so long people forget how powerful it still is for graph-based investigation. For ransomware research specifically, where you’re connecting operators, leak sites, infrastructure, victims, and money flow, a graph database is the right shape for the data. This is a starter pack of the entity model, transform recommendations, and the three reusable graphs that get used on almost every case.
The entity model
Start with seven entity types. Operator (the named ransomware brand). Affiliate (the individual or crew running attacks under that brand). Leak site (the onion or clearnet URL where victims are listed). Victim (the named or claimed target). Infrastructure (C2 IPs, payload hosting URLs, registered domains). Wallet (BTC or other crypto addresses tied to ransom payments). Persona (the Telegram handle, forum username, or contact email associated with a player).
The relationships between these are the work. Operator-publishes-LeakSite. LeakSite-lists-Victim. Affiliate-uses-Infrastructure. Persona-controls-Wallet. Victim-paid-Wallet. Once the entity model is consistent, the graph queries become trivial.
Transforms that earn their slot
Shodan and Censys for infrastructure pivoting. Given an IP, return certificates, banner text, and other associated infrastructure on the same hosting block. Catches infrastructure reuse across operators.
VirusTotal for sample-to-network pivoting. Given a hash, return associated network indicators. Especially useful for affiliate-to-operator attribution when samples reuse builder configurations.
Have I Been Pwned and Dehashed for persona-to-email pivoting. A forum username often appears in old breach data alongside the email it registered with; that email then pivots into other forums, social profiles, and platforms.
Chainalysis Reactor or TRM Labs (paid) for wallet-to-wallet pivoting. Given a known operator wallet, surface associated wallets through clustering. The free alternative is OXT.me for BTC.
WhoisXML and DomainTools for registration-history pivoting. The same operator often registers domains in a recognisable pattern over time.
Graph 1: the operator profile
Central node: the operator. Branches for: known leak sites, claimed victims (last 90 days), associated infrastructure, named affiliates, observed wallets. Refresh weekly. The graph becomes a single-page summary you can hand to anyone reading about the operator for the first time.
Graph 2: the rebrand chain
When an operator disappears and a new one appears, the rebrand-chain graph shows the connections: shared infrastructure, similar codebases, overlapping affiliates, persona continuity. This graph is how you defensibly say “RansomHub is largely former ALPHV affiliates” without speculating.
Graph 3: the victim pivot
Central node: a named victim. Branches for: the operator that listed them, similar victims listed in the same window, infrastructure that touched the victim’s IP space, public statements from the victim. This graph is the one to build when reporting on a specific incident.
The discipline behind the tool
Maltego’s value isn’t the auto-discovery; it’s the documented chain of reasoning. Every node has a source. Every edge has a date. Every assertion is reproducible. When you publish, the graph is the audit trail. When something turns out to be wrong, the graph shows where.
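To make the entity model and the discipline concrete, here is an added example (not Maltego's code and not from the original post) that expresses the same seven-entity schema as a small Python graph: every edge is checked against the relationship list from the entity-model section and must carry a source and an observation date, and the operator profile (Graph 1) and the rebrand overlap (Graph 2) then reduce to short set queries. Three relationships the post does not name (Affiliate-works_for-Operator, Persona-represents-Affiliate, Operator-uses-Infrastructure) are assumptions needed to walk from an operator to its affiliates and infrastructure; all operator names, hosts, wallet strings and dates below are constructed placeholders.

```python
"""Typed graph for the seven-entity ransomware model (added example, stand-alone).

Nodes are (type, value) tuples; edges must match the schema and carry provenance.
Every name, host, wallet string and date in the sample data is constructed.
"""
from datetime import date, timedelta

ENTITY_TYPES = {"Operator", "Affiliate", "LeakSite", "Victim",
                "Infrastructure", "Wallet", "Persona"}

# Relationships from the post, plus three assumed ones (marked) that the
# operator profile and rebrand chain need in order to traverse the graph.
RELATIONS = {
    ("Operator", "publishes", "LeakSite"),
    ("LeakSite", "lists", "Victim"),
    ("Affiliate", "uses", "Infrastructure"),
    ("Persona", "controls", "Wallet"),
    ("Victim", "paid", "Wallet"),
    ("Affiliate", "works_for", "Operator"),   # assumed
    ("Persona", "represents", "Affiliate"),   # assumed
    ("Operator", "uses", "Infrastructure"),   # assumed
}

SAMPLE_TODAY = date(2024, 3, 31)  # constructed "now" for the 90-day window


class Graph:
    def __init__(self):
        self.edges = []  # each edge: dict(src, verb, dst, source, observed)

    def add_edge(self, src, verb, dst, *, source, observed):
        """Reject edges outside the schema or without a source and a date."""
        if src[0] not in ENTITY_TYPES or dst[0] not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type in {src} -> {dst}")
        if (src[0], verb, dst[0]) not in RELATIONS:
            raise ValueError(f"{src[0]}-{verb}-{dst[0]} is not in the schema")
        if not source or not isinstance(observed, date):
            raise ValueError("every edge needs a source and an observation date")
        self.edges.append({"src": src, "verb": verb, "dst": dst,
                           "source": source, "observed": observed})

    def out(self, node, verb):
        return {e["dst"] for e in self.edges if e["src"] == node and e["verb"] == verb}

    def inc(self, node, verb):
        return {e["src"] for e in self.edges if e["dst"] == node and e["verb"] == verb}

    def out_edges(self, node, verb):
        return [e for e in self.edges if e["src"] == node and e["verb"] == verb]


def footprint(g, operator):
    """Affiliates, infrastructure and personas reachable from an operator node."""
    affiliates = g.inc(operator, "works_for")
    infra = set(g.out(operator, "uses"))
    personas = set()
    for aff in affiliates:
        infra |= g.out(aff, "uses")
        personas |= g.inc(aff, "represents")
    return affiliates, infra, personas


def operator_profile(g, operator, today=SAMPLE_TODAY, window_days=90):
    """Graph 1: leak sites, victims listed in the window, infrastructure, affiliates, wallets."""
    leak_sites = g.out(operator, "publishes")
    cutoff = today - timedelta(days=window_days)
    victims = {e["dst"] for site in leak_sites for e in g.out_edges(site, "lists")
               if e["observed"] >= cutoff}
    affiliates, infra, _ = footprint(g, operator)
    wallets = set().union(*(g.out(v, "paid") for v in victims)) if victims else set()
    return {"leak_sites": leak_sites, "victims": victims, "infrastructure": infra,
            "affiliates": affiliates, "wallets": wallets}


def rebrand_overlap(g, old_operator, new_operator):
    """Graph 2: what two brands share; empty sets mean no evidence of continuity."""
    a1, i1, p1 = footprint(g, old_operator)
    a2, i2, p2 = footprint(g, new_operator)
    return {"affiliates": a1 & a2, "infrastructure": i1 & i2, "personas": p1 & p2}


def provenance(g, node):
    """Audit trail: every edge touching a node, with its source and date."""
    return sorted((e["src"][1], e["verb"], e["dst"][1], e["source"], e["observed"].isoformat())
                  for e in g.edges if node in (e["src"], e["dst"]))


def build_sample_graph():
    """Constructed data: OperatorB inherits one affiliate and one host from OperatorA."""
    g = Graph()
    op_a, op_b = ("Operator", "OperatorA"), ("Operator", "OperatorB")
    crew1, crew2 = ("Affiliate", "crew-1"), ("Affiliate", "crew-2")
    site = ("LeakSite", "leaksite-a.example")
    host = ("Infrastructure", "203.0.113.10")  # RFC 5737 documentation address
    g.add_edge(op_a, "publishes", site, source="analyst note", observed=date(2024, 1, 5))
    g.add_edge(site, "lists", ("Victim", "victim-1"), source="leak site crawl", observed=date(2024, 3, 1))
    g.add_edge(site, "lists", ("Victim", "victim-2"), source="leak site crawl", observed=date(2023, 6, 1))
    g.add_edge(("Victim", "victim-1"), "paid", ("Wallet", "bc1q-placeholder"),
               source="chain analysis", observed=date(2024, 3, 10))
    g.add_edge(crew1, "works_for", op_a, source="forum post", observed=date(2023, 11, 2))
    g.add_edge(crew1, "works_for", op_b, source="forum post", observed=date(2024, 3, 20))
    g.add_edge(crew2, "works_for", op_b, source="forum post", observed=date(2024, 3, 22))
    g.add_edge(crew1, "uses", host, source="sandbox report", observed=date(2024, 2, 14))
    g.add_edge(op_b, "uses", host, source="passive DNS", observed=date(2024, 4, 1))
    g.add_edge(("Persona", "handle_x"), "represents", crew1, source="forum post", observed=date(2023, 11, 2))
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(operator_profile(g, ("Operator", "OperatorA")))
    print(rebrand_overlap(g, ("Operator", "OperatorA"), ("Operator", "OperatorB")))
    print(provenance(g, ("Infrastructure", "203.0.113.10")))
```

The schema check is the point of the first half: an edge such as Wallet-lists-Victim is rejected at write time, so the graph can never drift away from the entity model, and an edge without a source or date is rejected the same way, which is what makes `provenance()` a complete audit trail rather than a best-effort one. `rebrand_overlap()` returning three empty sets is the honest result when two brands share nothing observable; the claim of continuity rests on the intersections being non-empty and on the dated, sourced edges behind them.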
The Community Edition handles most of this for free. The paid editions add transform packs, larger graphs, and team-collaboration features. Either way, the graph database habit pays back over time. Six months in, the same case takes half as long because the connections from previous cases are already there.
