Canary Links — Detecting Adversary Intelligence Crossover

A canary link is a URL that exists only in mirror maze content — it is never linked from the real site, never appears in the real sitemap, and has no legitimate reason to be accessed by any real user or authorized crawler. When a canary link is accessed, it can only mean one thing: content from a mirror maze session has crossed over into a real research operation.

Why Canary Links Matter

The mirror maze serves adversary operators plausible-looking content. But the maze's effectiveness depends on adversaries staying in the maze — using maze-derived intelligence as their understanding of the real site. If maze content crosses over into a real research context (a human analyst reviewing bot-collected data and clicking a link from it), the canary detects the crossover.

A canary hit is evidence that the adversary operation involves a human intelligence layer above the automated crawling. Automated bots do not follow curiosity-driven paths. A human analyst reviewing harvested content and clicking an unfamiliar link does. The canary turns this behavioral difference into a detection event.

Canary Link Design

Canary links in IEO Engine deployments are embedded as attribution node references in maze content — URLs formatted to look like internal methodology documentation paths. A Tencent-class adversary receiving content fingerprinted to look like Zayo infrastructure encounters links to "Zayo attribution nodes" — URLs that would make sense if the content were real but exist nowhere on the actual site.

An automated crawler follows these URLs because it follows all links, while a human analyst notices them because they are specific enough to look unusual. The combination maximizes both detection probability and analyst attention when a hit occurs.

The Documented Crossover Event

The MM deployment logged one confirmed canary hit at 43.165.67.57 — classified as a Tencent-class IP — hitting the path /resources/zayo-attribution-node/. The IP had been classified as a Tencent watcher and was receiving maze content with Zayo fingerprints. The canary hit confirmed that a Tencent-class actor was following maze content links and accessing the real server.

This crossover event provided intelligence about the adversary operation: it involved a human or semi-automated intelligence layer that was reviewing maze-derived content and following links from it. The purely automated interpretation of Tencent's activity as a simple polling bot was incorrect; there was analytical review of the collected data.
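
The check behind an event like this, as an added example that is not IEO Engine code: it scans real-server access logs for requests to canary paths and tags each hit with the watcher class of the source IP. The combined log format, the `WATCHERS` table and the second canary path are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Canary path -> maze fingerprint it was embedded in. The first path is the
# one named on this page; the second is a constructed placeholder.
CANARIES = {
    "/resources/zayo-attribution-node/": "zayo",
    "/resources/example-attribution-node/": "example",
}
# Hypothetical classifier output: client IP -> watcher class.
WATCHERS = {"43.165.67.57": "tencent-class"}

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize(target):
    """Drop the query string, lowercase, and force a trailing slash so that
    small variations of a canary URL still match the registry."""
    path = urlsplit(target).path.lower()
    return path if path.endswith("/") else path + "/"

def canary_hits(log_lines):
    """Return one record per real-server request that touched a canary path."""
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        path = normalize(m["target"])
        if path in CANARIES:
            hits.append({
                "ip": m["ip"], "time": m["ts"], "path": path,
                "fingerprint": CANARIES[path],
                # "unclassified" = source the classifier had not seen before
                "watcher_class": WATCHERS.get(m["ip"], "unclassified"),
                "status": int(m["status"]),
            })
    return hits

# Constructed sample lines; timestamps and the non-canary clients are invented.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '43.165.67.57 - - [12/Mar/2025:10:04:41 +0000] "GET /resources/zayo-attribution-node/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2025:11:15:00 +0000] "GET /resources/Zayo-Attribution-Node?ref=report HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    'truncated or corrupt line',
]
```

A hit from an address with no watcher class is worth separate triage, since the canary was reached from a source other than the one that was served the maze content.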
