CIA 2010 covert communication websites Wakatime redirects Updated 2025-04-24 +Created 1970-01-01
Summary: this is just a red herring. Wakatime owner likely registered the domains just after this article was published as a publicity stunt. Fair play though.
As raised at: news.ycombinator.com/item?id=36280666, many, but not all, of the domains currently redirect to wakatime.com/ as of 2023, and apparently they were taken up in 2013 (TODO how to confirm that). TODO what is the explanation for that? Some examples that do:But some failed resolution examples:Even more suspiciously, according to his LinkedIn: www.linkedin.com/in/alanhamlett/, the owner of Wakatime, Alan Hamlett, worked at WhiteHat Security, Inc from Aug 2011 - Sep 2013. The company was then acquired by Synopsys in 2022. Holy crap!!! As shown at: web.archive.org/web/20131013193406/https://www.whitehatsec.com/ that company made website security tools. Did that dude use the tools to find the vulnerabilty and then just gobble up all the domains??? What a fucking legend if he did!!!
Let's try:
Running e.g.gives:so we see that he must have setup redirection with Namecheap as mentioned at: www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-redirect-a-url-for-a-domain/
curl -vvv dedrickonline.com
* Trying 162.255.119.197:80...
* Connected to dedrickonline.com (162.255.119.197) port 80 (#0)
> GET / HTTP/1.1
> Host: dedrickonline.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 12 Jun 2023 20:30:19 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 55
< Connection: keep-alive
< Location: https://wakatime.com
< X-Served-By: Namecheap URL Forward
< Server: namecheap-nginx
<
<a href='https://wakatime.com'>Moved Permanently</a>.
* Connection #0 to host dedrickonline.com left intact
Let's also try DNS history
- whoisrequest.com/history/:
- tools.whoisxmlapi.com/whois-history-search
- dedrickonline.com:
- CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
- Created Date: October 27, 2010 00:00:00 UTC
- Updated Date: October 28, 2013 00:00:00 UTC
- Expires Date: October 27, 2014 00:00:00 UTC
- Alan (namecheap):
- Created Date: June 11, 2023 09:59:25 UTC
- Expires Date: June 11, 2024 09:59:25 UTC
- CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
- activegaminginfo.com:
- CIA (Network Solutions, registrant name: LLC. Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions)
- Created Date: January 26, 2010 00:00:00 UTC
- Updated Date: November 27, 2010 00:00:00 UTC
- Expires Date: January 26, 2012 00:00:00 UTC
- Alan:
- Created Date: June 11, 2023 09:59:40 UTC
- Expires Date: June 11, 2024 09:59:40 UTC
- CIA (Network Solutions, registrant name: LLC. Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions)
- iraniangoalkicks.com:
- iraniangoals.com:
- CIA (registrar: Godaddy, registrant name: domainsbyproxy.com):
- Reuters:
- Created Date: September 29, 2022 11:16:09 UTC
- Updated Date: September 29, 2022 11:16:09 UTC
- Expires Date: September 29, 2023 11:16:09 UTC
- dedrickonline.com:
So these suggest Alan might have just come along in 2023 way after the 2022 Reuters article and did the same basic IP range search that Ciro is doing now, so possibly no new tech. Let's ask... twitter.com/cirosantilli/status/1668369786865164289
Searching tools.whoisxmlapi.com/reverse-whois-search with term "Corral, Elizabeth" gave no results unfortunately.
Basic search under tools.whoisxmlapi.com/reverse-whois-search for "Corral" also empty. They can't see their own data? Ah, need advanced. Marked "Historic" and selected "Corral, Elizabeth", ony one hit, activegaminginfo.com.
In this section we document events that led to a large number of thematically related messages being added to the chain e.g. referencing some current event that happened, as opposed to the media encoding/type like images and text sections.
The "Hitler did nothing wrong" meme[ref] is repeated several times, e.g.: tx 41967a7d75e9e1ca8c142a45ce29ea08b451a3b55c3e33538f5cc8a389ec66ab (2015-07-20):This one is also an Eternity Wall message. The message had also been previously Base58 encoded at address 1HitLerDidNothingWrongggggghJewfv in two different instances:
EW Hitler did nothing wrong.
- tx 55654178fe601c1fbe8b52b544286962523f11ec60ef12c94bc55198bb8c405c block 216909 (2013-01-17). That one is also followed by some other niceties:
1NiggersNiggersNiggersNiggerwxhs77
: 4x "Niggers"1JewsDidTheEconomyXXXXXXXXXXbd7ZkE
: "Jews Did the Economy"
- tx daa7fa928b8079174a646a9456ce9dad14eac44beb2fe5a2cb1c35ce70e92916 block 310007 (2014-07-10)
Brazil:
- tx 1c05bb7c0a8c9498d33a1e6d4a91bbb4c651daa5ea5a21aa5c8c600d3300b8bb Viva Brazil's Impeachment!
- tx 105fb3a0be8ab50bfa36012e0319a752dee39702cb44f3904cf423eb20367d57 contains a misogenous joke:which translates to:It is attributed to Diego Silva de Oliveira, possibly this football player: en.wikipedia.org/wiki/Diego_Silva_(footballer,_born_1990)
- c72dc315a5504362d01f2dcdfe77826d14a9eb3411b83edd7aa782e95e4a7794 via cryptograffiti.info:
NÓS DISSEMOS SIM AGÊNCIA TRANSITIVA 2015 Nota pública de reconhecimento do Acordo Reconformado, assinado pela Agência Transitiva e pela Escola de Artes Visuais do Parque Lage, em 22 de Abril de 2015. #ENCRUZILHADA EAV PARQUE LAGE 22.04.2015
- 1c05bb7c0a8c9498d33a1e6d4a91bbb4c651daa5ea5a21aa5c8c600d3300b8bb via cryptograffiti.info:
Our indexer does not handle UTF-8, here's a collection of some UTF-8 messages we've stumbled upon somewhat randomly:
Arabic:
- 7eb561f2139761064de20033fa4843f1f3e1a9551268704b36f84d94e66fd91a
يا سلم!
شعرك جميل
و عينيك حلوة
انا عطشان
اِروني من عينيك - b7376cae03b88392e5fd0292bcb43105386fbb534fc9be68c1e3d0b8f39e5ba4 via cryptograffiti.info
sjalom, salaam, peace!
الدين - 7a898b7e6b2145f4f887e1ff890d0b613e3008fbe350aa92662735e3acd0c0bc
هذه رسالة من المستقبل
إلى الماضي ...
الحياة صعبة في المستقبل
رعاية العالم
وتحمل المسؤولية
/yThis is a message from the future
To the past...
Life is difficult in the future
Caring for the world
And take responsibility
/y
Russian:
- 1dcd62c922eb1ddbc1f58615b6271d64736bf55e83408cef02a7d0ac6707e423 via cryptograffiti.info
А на Земле Быть Добру!
- 596cc6e905a5fc8248cf59198a19ce5070228b302a9f3a993197e2c87ddcaf14 via cryptograffiti.info
Книга Вечно Живущих открыта
The Book of the Ever-Living is open
- 596cc6e905a5fc8248cf59198a19ce5070228b302a9f3a993197e2c87ddcaf14 via cryptograffiti.info
Это тест, сука блять.
- ed56ef68ccbfb1d47bc159fb62fab6807ee4d7363d0ad4cded2e922a5b47362e via cryptograffiti.info
Путин хуйло лалалалалалалалалал
Putin sucks lalalalalalalalala
Chinese:
- 12b32b6752fbf521243c63dfb5e3fda46523dd7b572143635458f743591d3e35 via cryptograffiti.info:
中文測試
Chinese test
- a3dbd6cbb8637b6bf91d22ea97db2843d995498fd62740b9ed1e9dc068f2ad2d via cryptograffiti.info
- Ordinal ruleset inscription
- tx 8e89ce6bef85aea795f41f97a4dcd550d8cbc6d1f606f37109f6dc8b31f91bc1: Diamond Sutra in Chinese. Again at tx 0bc660cc2c6d0ec4f7dfe61bfb3a592b4a65677b16da7db35729fd43eee5323e.
- tx 7b0a0b9f18a729e905822304f9c4c05f8851d10bdc82efa902fd936ef874efeb: the first few poems from Three Hundred Tang Poems, a collection of famous Chinese poems from the Tang dynasty compiled in 1763. Each poem uses a classical Chinese poetry form with a small number of verses, usually 4, and fits into one line. Most lines contain the poem title, dynasty, author name followed by the poem, e.g. the first line:is amazingly translated by Google Translate as:
《春晓》唐 文嘉 春眠不觉晓,处处闻啼鸟。 夜来风雨声,花落知多少。
Japanese:
- ac2ad7c15162a8e461387b0d0d681bb5f81f2db1138b8f200b81bbc585bd0b8f via cryptograffiti.info:
モキーのフラッシュバン許すな
Hebrew:
- 0b32736592ce7abdd4d971bc4591544e1610ff51f498c9a14a6ba34a3abcad5d via cryptograffiti.info
חתימה טובה לכולם בכלל ולחברי ביטקוין ישראלי בפרט.
- d7b80c8fefc88cc3f06d74f8496e2dc6f44b5f5f0a59f9ba1ba27266848a8666 via cryptograffiti.info contains what appears to be UTF-8 Hebrew text on my terminal, but Google Translate couldn't translate it, so we are unsure.
A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin Updated 2025-04-24 +Created 1970-01-01
CIA 2010 covert communication websites Selected screenshots Updated 2025-04-24 +Created 1970-01-01
This section contains some of the most interesting and a few representative screenshots of the websites found.
We intentionally omit the screenshots already reported by the Reuters article.
2010 Wayback Machine archive of starwarsweb.net
. The Star Wars one. Clearly branded websites like this are rare, which makes finding them all the much more fun. The Reuters article had two of them (Carson and rastadirect.net), so these were probably manually selected from the full hit dataset, and did not serve specifically as entry points. Most of the websites are quite boring and forgetful as you'd expect.
The subtitle "Beyond The Unknown" may be a reference to the Unknown Regions, an unexplored area of the galaxy in the Star Wars fictional universe.
The photo can still be licensed today as of 2025: www.gettyimages.co.uk/detail/photo/little-jedi-royalty-free-image/172984439. We found it by searching for "jedi boy" on gettyimages.co.uk. The photo is credited to a
madisonwi
, presumably an alias based on the location Madison, Wisconsin. Here's a random website about adoption that uses it: www.adoptionadvocates.net/star-wars-adoption-language/ and where it can be seen without the watermarks.The droids can be seen e.g. at: www.amazon.co.uk/04-Kampf-Droiden-Superheftig-Jedi/dp/B004TINSW6, a promotional material for a 2008 The Clone Wars television series audio CD and available as transparent PNGs without background in several sources. The Yoda art also seems to come from that show: rpggamer.org/page.php?page=4229. One can picture the contractor's children watching that show when a lightbulb popped over their heads.
2011 Wayback Machine archive of alljohnny.com
. Source. Although alljohnny.com is one of the original Reuters examples, we are highlighting this screenshot here because the Reuters provided screenshot is from the extremely early 2004 version of the site, and it is interesting to see how this unique example was later updated in this 2011 version, the only known such case so far. The lack of OPSEC awareness is mind blowing, them reusing a domain like that after so many years in a completely new threat environment and possibly for a new asset.2011 Wayback Machine archive of webofcheer.com scrolled to show Johnny Carson
. Source. This website is a fansite for various comedians. It is the second known reference to Johnny Carson after alljohnny.com, which was one of the original screenshots given in the Reuters article. There must have been some massive Johnny Carson fan among the CIA contractors a that time!2011 Wayback Machine archive of iranfootballsource.com
. The third Iranian football on top of the two other published by Reuters: iraniangoalkicks.com and iraniangoals.com! Admittedly, this one is the most generic and less well designed one. But still. They pushed the theme too far!
The goalkeeper can be seen at: www.pixtastock.com/illustration/7323632.
2010 Wayback Machine archive of dedrickonline.com
. The German one.
The CIA has had a few Germany espionage scandals in the 2010s:
- 2014 www.bbc.co.uk/news/world-europe-28243933: a German Intelligence Agency agent was arrested for spying for the CIA
- 2021 www.reuters.com/world/europe/us-security-agency-spied-merkel-other-top-european-officials-through-danish-2021-05-30/ U.S. spied on Merkel and other Europeans through Danish cables
- 2020 www.dw.com/en/how-the-uss-cia-and-germanys-bnd-spied-on-world-leaders/a-52358527 it was revealed that Germany and the USA had an agreement to spy on world leaders, notably via compromised Swiss company Crypto AG
2010 Wayback Machine archive of lesummumdelafinance.com
. The arrow graph is very popular can be seen at: www.financialexpress.com/money/top-4-global-market-risks-for-2024-that-may-impact-your-finances-3346284/ and many other sites. Source unknown.
2011 Wayback Machine archive of attivitaestremi.com
. An Italian one about extreme sports.2010 Wayback Machine archive of noticiasmusica.net
. The Brazilian one.
2011 Wayback Machine archive of economicnewsbuzz.com
. The Korean one. Love the kawaii style!2011 Wayback Machine archive of snapnewsfront.net
. The Japanese one.
The geisha can be seen at: www.shutterstock.com/image-vector/pretty-geisha-16813348 by Larisa Frelke, assumed accounts: x.com/larra_vit | www.xing.com/profile/Larisa_Frelke
2010 Wayback Machine archive of philippinenewsonline.net
. The Philippine one one.2011 Wayback Machine archive of feedsdemexicoyelmundo.com
. The Mexican one.2012 Wayback Machine archive of easytraveleurope.com
. 2011 Wayback Machine archive of tee-shot.net
. One of the many golf-themed sites. Golf appears to be quite popular over in Langley. It's exactly what you'd expect for a mid-level spook to do in their free time!2011 Wayback Machine archive of nouvellesetdesrapports.com
. 2011 Wayback Machine archive of pangawana.com
. 2011 Wayback Machine archive of recuerdosdeviajeonline.com
. 2011 Wayback Machine archive of theworld-news.net
. 2011 Wayback Machine archive of kessingerssportsnews.com
. 2011 Wayback Machine archive of negativeaperture.com
. David Tong's 2009 Quantum Field Theory lectures at the Perimeter Institute Lecture 1 Updated 2025-04-24 +Created 1970-01-01
Good animation explaining it: Video "Electron transport chain by HarvardX (2017)".
There are unlisted articles, also show them or only show them.