CIA 2010 covert communication websites / Non .com .net TLDs Updated 2025-07-16
View more
.com and .net are very dominant. Here we list other choices made:
  • .info: has a few hits:
    • archived comms:
      • beyondthefringe.info
    • unarchived comms:
      • crickettoday.info
    • unarchived:
      • talkingpointnews.info
      • theventurenews.info
      • worldconcerns.info
    Did a full Wayback Machine CDX scanning on .info after:
    grep -e news -e noticias -e nouvelles -e world -e global
    That makes about 10k domains, so it's about the right size.
  • .org: has a least one hit, see: Are there .org hits?
  • .biz:
    • unarchived comms:
      • atthemovies.biz
Read the full article
CIA 2010 covert communication websites / Google searches for known domains and IPs Updated 2025-07-16
View more
Googling most domains gives only very few results, and most of them are just useless lists of expired domains. Skipping those for now.
Googling "dedrickonline.com" has a git at www.webwiki.de/dedrickonline.com# Furthermore, it also contains the IP address "65.61.127.174" under the "Technik" tab!
Unfortunately that website appears to be split by language? E.g. the English version does not contain it: www.webwiki.com/dedrickonline.com, which would make searching a bit harder, but still doable.
But if we can Google search those IPs there, we might just hit gold.
IP search did work! www.webwiki.de/65.61.127.174
But doesn't often/ever work unfortunately for others.
Searching on github.com: github.com/DrWhax/cia-website-comms by Jurre van Bergen from September 2022 contains some of the links to some of the ones reported by Reuters including some of their JARs, presumably for reversing purposees. Pinged him at: github.com/DrWhax/cia-website-comms/issues/1
Read the full article
CIA 2010 covert communication websites / Hits with nearby IP hits Updated 2025-08-08
View more
62.22.60.49: telecom-headlines.com. UUNET in Spain. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just before worldnewsnetworking.com. Tested viewdns.info range: 62.22.60.34 - 62.22.60.66
  • 62.22.60.33: newsperk.com. Almost certainly a hit. Stylistically perfect, rss-item. But no comms not found. Ennerving! 2011. English. Egypt. news. Later legitimately reused.
  • 62.22.60.34: freeslideshow.net. Legit? Attempting to open any HTML archives leads to an infinite page load loop, e.g. 2010. A subpage however exists: web.archive.org/web/20101230001640/http://freeslideshow.net/index_files/a.htm and appears legit.
  • 62.22.60.40: travel-passage.com. Hit.
  • 62.22.60.42: newsupdatesite.com. Hit.
  • 62.22.60.46: flyingtimeline.com. Hit.
  • 62.22.60.47: globalemergenceadvisorsbkserver.com. Legit.
  • 62.22.60.48: currentcommunique.com. Hit.
  • 62.22.60.49: telecom-headlines.com. Hit.
  • 62.22.60.52: collectedmedias.com. Hit.
  • 62.22.60.54: romulusactualites.com. Hit.
  • 62.22.60.55: thefilmcentre.com. Hit.
  • 62.22.60.56: traveltimenews.com. Hit.
62.22.61.206 worldnewsnetworking.com. UUNET in Spain. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 62.22.61.188 - 62.22.61.224
65.218.91.17 alljohnny.com. UUNET in United States. One of the Reuters websites.
63.131.229.12 cyberreportagenews.com. ADHOST in Coeur d'Alene - United States. Tested viewdns.info range: 63.131.228.248 - 63.131.229.30
  • 63.131.229.2: fightskillsresource.com. Hit
  • 63.131.229.4: unitedterritorynews.com. Hit
  • 63.131.229.9: show-dustry.com. Hit
  • 63.131.229.10: afghanpoetry.net. Hit. Also at 74.254.12.166 in another range.
  • 63.131.229.11: mythriftytrip.com. Hit
  • 63.131.229.12: cyberreportagenews.com. Hit.
  • 63.131.229.13: sunrise-news.com. Hit.
  • 63.131.229.15: cricketnewsforindia.com. Hit.
  • 63.131.229.16:
  • 63.131.229.18: itnl-xchange.com. Hit.
  • 63.131.229.20:
    • fixashion.net. Hit.
    • a few others
63.130.160.50 theglobalheadlines.com. CW Vodafone Group PLC in United States. Found with: 2013 DNS census secureserver.net MX records intersection 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 63.130.160.35 - 63.130.160.75
64.16.204.55 holein1news.com. Saudi Telecom Company JSC in Saudi Arabia. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 64.16.204.50 - 64.16.204.63. With did Wayback Machine have so few archives here? TODO stopping viewdns.info exploration a bit short due to that.
65.61.127.163 capture-nature.com. ADHOST in Greenacres - United States. whois.arin.net/rest/net/NET-65-61-96-0-1/pft?s=65.61.127.163: Net Range: 65.61.96.0 - 65.61.127.255. Organization. Name: TierPoint, LLC. Tested viewdns.info range: 65.61.127.149 -
  • 65.61.127.46: anahuacchamber.com 2012-12-22T14:59:01
  • 65.61.127.117: medicaresupplementalinsurance.com, 2013-08-21T09:49:41. Legit.
  • 65.61.127.121: counter-images.com 2013-08-22T11:14:44: web.archive.org/web/20110208173132/http://www.counter-images.com/ Empty.
  • 65.61.127.125 zaphound.com 2013-08-21T02:25:40. Legit.
  • 65.61.127.130: ambitions.org 2013-08-22T01:43:40. Legit.
  • 65.61.127.161: european-footballer.com. Hit.
  • 65.61.127.163: capture-nature.com. Hit.
  • 65.61.127.164: futbolistico.net. 2012-02-20T03:25:33. Legit. web.archive.org/web/20130509004058/http://futbolistico.net/
  • 65.61.127.165: travelconnectionsonline.com. Ciro initially though this might be a hit. But upon Googling it, there's now a mirror at: travelconn.tripod.com/. Combined with the lack of a standard communications mechanism and the 2001 copyright, maybe it isn't a hit after all
  • 65.61.127.166: globalnewsbulletin.com: Hit.
  • 65.61.127.167: internationalwhiskylounge.com. Hit.
  • 65.61.127.168: the-golden-rule.info 2013-09-20T02:13:52. Hit.
  • 65.61.127.169: crossovernews.net. Hit.
  • 65.61.127.170: newsidori.com. Hit.
  • 65.61.127.171: nrgconsultingandnews.com. Hit. 2013-08-13T18:45:05
  • 65.61.127.172: premierstriker.com. Hit. 2012-01-11
  • 65.61.127.174: dedrickonline.com. Hit.
  • 65.61.127.175: altworldnews.com. Hit.
  • 65.61.127.176: american-historyonline.com. Hit. 2011-09-08
  • 65.61.127.177: material-science.org. Hit.
  • 65.61.127.178: tee-shot.net. Hit.
  • 65.61.127.180: screencentral.info. Hit.
  • 65.61.127.181: worldnewsandtravel.com. Hit. 2011-11-13
  • 65.61.127.182: pangawana.com. Hit.
  • 65.61.127.183: cutabovenews.com. Hit.
  • 65.61.127.184: worldwildlifeadventure.com. Hit.
  • 65.61.127.186: explorealtmeds.com. Hit.
  • 65.61.127.194: 16 domains, so unclear.
  • 65.61.127.200: cdl-link.com (ipinf.ru). Legit.
  • 65.61.127.222: asianwhitecoffee.com 2012-07-16T09:21:05 web.archive.org/web/20110903080036/http://asianwhitecoffee.com/. Could be legit.
66.45.179.205 noticiasporjanua.com. ADHOST in Edmonds - United States. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 66.45.179.187 - 66.45.179.223
  • 66.45.179.187: mail03.gatesfoundation.org. Legit.
  • 66.45.179.192: thegraceofislam.com. Hit.
  • 66.45.179.193: arabicnewsunfiltered.com. Hit.
  • 66.45.179.194: raulsonsglobalnews.com. Hit.
  • 66.45.179.195: aryannews.net. Hit.
  • 66.45.179.199: attivitaestremi.com. Hit.
  • 66.45.179.200: foodwineandsuch.com. Hit.
  • 66.45.179.201: hitthepavementnow.com. Hit.
  • 66.45.179.203: noticiascontinental.com. Hit.
  • 66.45.179.205: noticiasporjanua.com. Hit.
  • 66.45.179.206: podisticamondiale.com. Hit.
  • 66.45.179.207: reflectordenoticias.com. Hit.
  • 66.45.179.208: havenofgamerz.com. Hit.
  • 66.45.179.209: vejaaeuropa.com. Hit.
  • 66.45.179.210: sa-michigan.com. Hit.
  • 66.45.179.211: absolutebearing.net. Hit.
  • 66.45.179.212: grandretirement.net. No archives. cqcounter.com/whois/www/grandretirement.net.html blank image.
  • 66.45.179.213: myportaltonews.com. Hit.
  • 66.45.179.214: investmentintellect.com. Hit.
  • 66.45.179.215: nigeriastar.net 2012-03-12. Hit.
66.104.169.184 bcenews.com. XO-AS15 in United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.169.158 - 66.104.169.189
66.104.173.186 myworldlymusic.com. XO-AS15 in United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.173.158 - 66.104.173.194
66.104.175.40 beyondnetworknews.com. XO-AS15 in United States. whois.arin.net/rest/net/NET-66-104-0-0-1/pft?s=66.104.175.40. Net Range:66.104.0.0 - 66.107.255.255. 2012 Internet Census puts most/all hits in this range under ip66-104-175-34.z175-104-66.customer.algx.net, algx.net redirects to verizon.com as of 2023. Related: superuser.com/questions/956568/why-are-my-pings-going-to-customer-algx-net. Tested viewdns.info range: 66.104.175.24 - unknown
66.175.106.148 activegaminginfo.com. UUNET in United States. whois.arin.net/rest/net/NET-66-175-106-128-1/pft?s=66.175.106.148: Net Range: 66.175.106.128 - 66.175.106.159. Customer Name: DIAMOND-COLESON. Tested viewdns.info range: 66.175.106.131 - 66.175.106.178
66.237.236.247 comunidaddenoticias.com. XO-AS15 in United States. Tested viewdns.info range: 66.237.236.222 - 66.237.236.254
69.84.156.90 stickshiftnews.com. COLOSPACE in Methuen - United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 69.84.156.64 - 69.84.156.95
  • 69.84.156.69: al-ashak-news-me.com. Hit.
  • 69.84.156.70: theventurenews.info. Hit.
  • 69.84.156.71: worldfinancetoday.net. Hit.
  • 69.84.156.72: autonewsarabia.com. Hit.
  • 69.84.156.74: blue-moon-news.com. Hit.
  • 69.84.156.75: theoutergreen.com. No archives. Might have been another golf hit. cqcounter.com/whois/www/theoutergreen.com.html not found.
  • 69.84.156.76: tnc-urdu.com. Hit.
  • 69.84.156.79: jassimnews.com. No archives/broken. cqcounter.com/whois/www/jassimnews.com.html blank.
  • 69.84.156.80: noticiasdenuestromundo.com. Hit.
  • 69.84.156.82: arabicnewsonline.com. Hit.
  • 69.84.156.83: unganadormundial.com. Hit.
  • 69.84.156.84: focusonbokeh.com. Hit. Network Solutions, LLC.
  • 69.84.156.85: classic-rocktopia.com. Hit. domainsbyproxy.com.
  • 69.84.156.87: i7diver.com. Hit.
  • 69.84.156.88: diariodeelmundo.com. Hit.
  • 69.84.156.89: todaysarabnews.com. Hit.
  • 69.84.156.90: stickshiftnews.com. Hit.
  • 69.84.156.91: theinternationalgoal.com. Hit.
72.34.53.174 technologytodayandtomorrow.com. IHNET in United States. This IP is special. This IP is somehow closely linked to the "Mass Deface III" pastebin as it seems to have been hosted by Condor hosting. They also have many old sites, and links to Russia which is apparently where this was hosted.
74.116.72.236 techtopnews.com. OPTIMUM-WIFI2 in Brooklyn - United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.116.72.215 - 74.116.72.254
74.254.12.168 non-stop-news.net. BELLSOUTH-NET-BLK in Atlantic Beach - United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.254.12.158 - 74.254.12.195. This domain exceptionally also has a second IP also with multihits: 207.239.196.230. The fact that the range has rdns sources with hits from both 2013 DNS Census and viewdns.info suggests this range is correct.
173.208.81.2 LEASEWEB-USA-CHI in Lombard - United States:
199.85.212.118 just-kidding-news.com. ATT-INTERNET4 in United States.
204.176.38.143 noticiassofisticadas.com. UUNET in United States. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 204.176.38.125 - 204.176.38.154
  • 204.176.38.130: i-pressnews.com. Hit.
  • 204.176.38.132: turkishnewslinks.com. Hit.
  • 204.176.38.134: photographyarecord.com. Hit.
  • 204.176.38.135: breakingthewicket.com. Hit.
  • 204.176.38.136: politicalworldtoday.com. Hit.
  • 204.176.38.137: hi-tech-today.com. Hit.
  • 204.176.38.138: continental-business-news.com. TODO. rss-item, split images. 2011. Cannot find comms. Also header and footer are not limited width which is unusual. Further HTML similarity reversing would be needed.
  • 204.176.38.139: bigscreenbattles.com. Hit.
  • 204.176.38.141: rakotafootball.com. Hit.
  • 204.176.38.142: senderosdemontana.com. Hit.
  • 204.176.38.143: noticiassofisticadas.com. Hit.
  • 204.176.38.144: techno-today.com. Hit.
  • 204.176.38.145: tickettonews.com. Hit.
  • 204.176.38.146: dps-digitalphotosharing.com. Hit.
  • 204.176.38.147: theputtingreen.com. Hit.
  • 204.176.38.149: sportsnewstodayar.com. Hit.
  • 204.176.38.150: kairuafricanews.com. Hit.
204.176.39.115 globalprovincesnews.com. UUNET in United States. Tested viewdns.info range: 204.176.39.93 - 204.176.39.124
207.150.191.68 technologypresstoday.com. Saudi Telecom Company JSC in Saudi Arabia.
207.210.250.132 aeronet-news.com. AS17378 in United States. This is the Autonomous System Number for TierPoint, LLC. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 207.210.250.126 - 207.210.250.157
  • 207.210.250.131: starrynightnews.com. Hit.
  • 207.210.250.132: aeronet-news.com. Hit.
  • 207.210.250.133: bakaribulletin.com. Hit.
  • 207.210.250.134: deprensaenlarevisiondehoy.com. Hit.
  • 207.210.250.135: icwb-news.com. Hit.
  • 207.210.250.136: sportsreelhighlights.com. Hit.
  • 207.210.250.137: fashionforward.info. No archives. cqcounter.com/whois/www/fashionforward.info.html innovative but has a "Member" section. Stock lady visible somwhere at westlahairgrowth.com/?page_id=12158 according to Google images but I couldn't find it easily in the page.
  • 207.210.250.138: inquiry-human-past.com. Hit.
  • 207.210.250.139: thefairwaysaregreen.com. Hit.
  • 207.210.250.142: russiaupdate.com. Hit.
  • 207.210.250.143: archaeologyreview.net. Hit.
  • 207.210.250.144: highspeed-news.com. No archives. cqcounter.com/whois/www/highspeed-news.com.html not found.
  • 207.210.250.146: noticias-caracas.com. Hit.
  • 207.210.250.147: bailandstump.com. Hit.
  • 207.210.250.148: classicalmusic4arab.com. Hit.
  • 207.210.250.149: globalventurestat.com. Hit.
  • 207.210.250.152: al-rashidrealestate.com. Hit.
  • 207.210.250.153: newsintheworld-ru.com. Hit.
  • 207.210.250.154: news-unlimited.info. Hit.
208.93.112.105 fastnews-online.com. TULIP-SYSTEMS in United States. Checked viewdns.info range: 208.93.112.90 - 208.93.112.155
208.254.38.39 todaysengineering.com. COLO-PREM-VZB in United States.
  • Tested viewdns.info range: 208.254.38.9 - 208.254.38.86. Weirdly empty, doesn't even show the domain iteslf!
  • 68.178.232.100: source: securitytrails.com. 2009-11-24 - 2009-12-11, GoDaddy.com, LLC
208.254.40.117 worldnewsandent.com. COLO-PREM-VZB in United States. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117: Net Range 208.192.0.0 - 208.255.255.255. Tested viewdns.info range: 208.254.40.92 - 208.254.40.135
  • 208.254.40.96: sixty2media.com. Hit.
  • 208.254.40.99: newspoliticssource.com. Hit.
  • 208.254.40.110 musical-fortune.net. Hit.
  • 208.254.40.113: ashoka-gemstones.com. Hit.
  • 208.254.40.117: worldnewsandent.com. Hit.
  • 208.254.40.124: riskandrewardnews.com. Hit.
  • 208.254.40.129: mailb.casella.com. Legit.
208.254.42.205 driversinternationalgolf.com. COLO-PREM-VZB in United States. Tested viewdns.info range: 208.254.42.178 - 208.254.42.233.
209.162.192.49 rastadirect.net. DF-PTL2-3 in Gresham - United States. Source: securitytrails.com and cqcounter.com/site/rastadirect.net.html. Tested viewdns.info: 209.162.192.30 209.162.192.70
* 209.162.192.44: thejewelofsouthamerica.com. Hit.
* 209.162.192.49: rastadirect.net. Hit.
* 209.162.192.51: yellow-chair-report.com. Hit.
* 209.162.192.54: tutkulu-turu.com. Possible hit. domainsbyproxy.com 2008-03-04. Weird style made up exclusively of cut up images, including the text itself where links would normally be. Turkish. Archive a bit weird with images on top of text. 2011 Copyright 2006. Unarchived link to web.archive.org/web/20110129065840/http://tutkulu-turu.com/login.html with title "Kullanıcı adı" (Username). Headline "Online seyahat etmek acenta" translates to "Online travel agency".
* 209.162.192.57: globalnewsreports.net. Hit.
* 209.162.192.59: easytravelsite.net. Hit.
* 209.162.192.70: phrio.com. Off date. viewdns.info/reverseip/?t=1&host=209.162.192.70
210.80.75.55 philippinenewsonline.net. UUNET in Australia. Tested viewdns.info range: 210.80.75.30 - 210.80.75.67
  • 210.80.75.35: aroundtheworldnews.net. No archives. ipinf.ru/domains/210.80.75.33/ disagrees and places it at .33.
  • 210.80.75.36: e-commodities.net. Hit.
  • 210.80.75.37: trekkingtoday.com. Hit.
  • 210.80.75.41: multinews-33.com. Hit.
  • 210.80.75.42: movimientodenticias.com. No archives. cqcounter.com/whois/www/movimientodenticias.com.html blank.
  • 210.80.75.43: gulfandmiddleeastnews.com. Hit.
  • 210.80.75.44: whirlybirdinflight.com. Hit.
  • 210.80.75.45: kings-game.net. Hit.
  • 210.80.75.46: topglobalnewsdaily.com. Hit.
  • 210.80.75.49: recipe-dujour.com. Hit.
  • 210.80.75.53: sportsman-elite.com. Hit.
  • 210.80.75.55: philippinenewsonline.net. Hit.
  • 210.80.75.56: technewsforme.com. Hit.
  • 210.80.75.59: goldeportesnoticias.com. Hit.
  • 210.80.75.68: gigabyte-usa.com. Legit.
212.4.16.232 mynewscheck.com. UUNET in Cassano d'Adda - Italy. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.16.214 - 212.4.17.198. ipinf.ru/domains/?search=212.4.17.125&cust=1 says they are /19, so .16 and .17 are both the same range from a registration perspective::
212.4.17.38 fightwithoutrules.com. UUNET in Cassano d'Adda - Italy. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117. Net Range: 208.192.0.0 - 208.255.255.255. Organization: Name: Verizon Business. Tested viewdns.info range: see 212.4.16.* above
  • 212.4.17.38: fightwithoutrules.com. Hit.
  • 212.4.17.41: newtechfrontier.com. Hit.
  • 212.4.17.43: smart-travel-consultant.com. Hit.
  • 212.4.17.46: atentlaloc.com. Hit.
  • 212.4.17.53: newsresolution.net. Hit.
  • 212.4.17.56: lesummumdelafinance.com. Hit.
  • 212.4.17.56: thepinnacleoffinance.com. No Wayback machine archives. cqcounter.com/whois/www/thepinnacleoffinance.com.html blank.
  • 212.4.17.61: tech-stop.org. Archive: 2011. Feels likely. No commons found. .org hit? Has subdomain "gear.tech-stop.org" according to 2013 DNS Census, which suggests CGI comms, but no links to it
  • 212.4.17.98: topbillingsite.com. Hit.
  • 212.4.17.122: b2bworldglobal.com. Hit.
  • 212.4.17.125: worldaroundyunnan.com. Hit.
  • 212.4.17.160: localtoglobalnews.com. Hit.
There were also some other reverse IP hits for fightwithoutrules.com, but no CIA websites there:
  • 204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26. Many domains.
  • 208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20. Many domains.
Other hits:
  • 208.91.197.132. rdns source: viewdns.info: "location" : "British Virgin Islands", "owner" : "Confluence Networks Inc", "lastseen" : "2013-09-26". So this is after the previous one, unlikely to be correct.
  • 205.178.189.131. source: securitytrails.com
212.4.18.129 sightseeingnews.com. UUNET in Cassano d'Adda - Italy. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.18.115 - 212.4.18.148. TODO expand. Interesting wide/sparse range? Or perhaps it's two separate ranges?
212.209.74.105 globalbaseballnews.com. UUNET in Sweden. Tested viewdns.info range: 212.209.74.100 - 212.209.74.132. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches
212.209.79.40 hydradraco.com. UUNET in Sweden. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just after globalbaseballnews.com. Tested viewdns.info range: 212.209.79.35 - 212.209.79.63
  • 212.209.79.34: fgnl.net. Hit. securitytrails.com provides IP history:
    • 212.209.79.34: 2008-09-01 - 2010-04-19.
    • 212.4.18.133: 2010-04-19 - 2019-06-19. Tested viewdns.info range: 212.4.18.122 - 212.4.18.148
    both under MCI Communications Services, Inc. d/b/a Verizon Business.
  • 212.209.79.37: fitness-sources.com. Hit.
  • 212.209.79.40: hydradraco.com. Hit.
  • 212.209.79.41: noticiasdelmundolatino.com. Hit.
  • 212.209.79.42: suparakuvi.com. Hit.
  • 212.209.79.44: myigadgets.net. Unclear. 2010. tech. Contains some helpers to: iGoogle. This page is very interesting. and quite different from the others, as it contains highly specialized functionality. No known comms found. The choice of homepage languages is also very suspicious: Arabic, Farsi, French, Chinese and Spanish.
  • 212.209.79.46: cetusdelph.com. Hit.
  • 212.209.79.47: willtoworship.com. Hit. domainsbyproxy.com
  • 212.209.79.48: themvconnection.com. Hit.
  • 212.209.79.51: pi-resources.net. Hit.
  • 212.209.79.52: newel-adserver.com. Redirects to newel.com which is legit. cqcounter.com/whois/www/newel-adserver.com.html blank.
  • 212.209.79.53: ourscubaworld.com. Hit.
  • 212.209.79.58: tech-love-home.com. Hit.
  • 212.209.79.60: first-solo-aviation.com. Hit.
  • 212.209.79.61: china-destinations.org. Hit.
212.209.90.84 thenewseditor.com. UUNET in Sweden. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.209.90.64 - 212.209.90.99
  • 212.209.90.69: worldedgenews.com. Hit.
  • 212.209.90.72: talkingpointnews.info. Hit.
  • 212.209.90.74: globalinvestmentnews.net. Hit.
  • 212.209.90.75: prebitinvestment.com. Hit.
  • 212.209.90.77: energy-bulb.com 2011. English. energy. Comms not found, but has unarchived link to: web.archive.org/web/20110128182345/https://webmail.energy-bulb.com/login.html. CGI comms variant?
  • 212.209.90.79: freeblink.com. No archives for timerange, then legit. cqcounter.com/whois/www/freeblink.com.html off-style
  • 212.209.90.80: nsmovies.net. Hit.
  • 212.209.90.82: middleeastjournal.net. Hit.
  • 212.209.90.84: thenewseditor.com. Hit.
  • 212.209.90.87: newsandweathersource.com. Hit.
  • 212.209.90.89: pakisports.com. Hit.
  • 212.209.90.90: vriha-aesthetics.com. Hit.
  • 212.209.90.92: amishkanews.com. Hit.
  • 212.209.90.93: theentertainbiz.com. Hit.
  • 212.209.90.94: eurosportssummary.com. Hit.
  • 212.209.91.14: teracom.net. Legit
216.93.248.194 esmundonoticias.com. TWDX in Chelmsford - United States.
216.104.38.114 all-sport-headlines.com. SINGLEHOP-LLC in United States.
216.105.98.152: modernarabicnews.com. SAVVY-NET in United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 216.105.98.125 - 216.105.98.167
  • 216.105.98.118:
  • 216.105.98.132: europeantravelcafe.com. Hit.
  • 216.105.98.134: fuenteneta.com. Hit.
  • 216.105.98.135: ilat-news.com. Hit.
  • 216.105.98.136: etherealinspirations.net. Hit.
  • 216.105.98.137: the-news-zone.com. Hit.
  • 216.105.98.138: photozoomnews.com. No archives. cqcounter.com/whois/www/photozoomnews.com.html empty
  • 216.105.98.139: cultura-digital.net. Hit.
  • 216.105.98.140: uaeshoppingspree.com. Hit.
  • 216.105.98.141: jabarifootball.com. No archives. "Jabari" is a Swahili/Arabic name[ref]. cqcounter.com/whois/www/jabarifootball.com.html not found.
  • 216.105.98.142: globalreview-ar.com. No archives. Shame, could have been our first Argentinian site. cqcounter.com/whois/www/globalreview-ar.com.html empty.
  • 216.105.98.144: garanziadellasicurezza.com. Hit.
  • 216.105.98.145: montanismoaventura.com. Hit.
  • 216.105.98.146: large-format-news.com. Hit.
  • 216.105.98.147: nepalnewsbrief.com. Hit. dnshistory.org marks it as having IP 2010-03-10 -> 2010-08-15 216.169.148.94 [ref]. This range does feel a bit different from the others, too many broken archives, and relatively early ones too. Explored viewdns.info range: 216.169.148.84 - 216.169.148.104, empty for period. domainsbyproxy.com.
  • 216.105.98.148: teclafinance.com. Hit.
  • 216.105.98.149: entreman.com. Hit.
  • 216.105.98.152: modernarabicnews.com. Hit.
  • 216.105.98.153: global-headlines.com. Hit.
  • 216.105.98.154: everythingcricket.org. Hit.
  • 216.105.98.156: familyhealthonline.net. Hit.
  • 216.105.98.157: delacorne.com. Hit.
  • 216.105.98.158: econfutures.com. Hit.
  • 216.105.98.161: kstcloud.com. No archives. cqcounter.com/whois/www/kstcloud.com.html not found
219.90.61.123 journeystravelled.com. UUNET in Taiwan. Tested viewdns.info range: 219.90.61.100 - 219.90.61.133
219.90.62.243 fitness-dawg.com. UUNET in Taiwan. whois.arin.net/rest/net/NET-219-0-0-0-1/pft?s=219.90.62.243. Net Type: Allocated to APNIC. Tested viewdns.info range: unknown - 219.90.62.255
Read the full article
CIA 2010 covert communication websites / Hits without nearby IP hits Updated 2025-07-16
View more
Here we list of suspected domains for which the correct IP was apparently not found since there are no neighbouring hits.
These are suspicious, and suggest either that we didn't obtain the correct reverse IP, or a change in CIA methodology from an older time at which they were not yet using the obscene IP ranges.
For example, in the case of inews-today.com, 2013 DNS Census gave one IP 193.203.49.212, but then viewdns.info gave another one 66.175.106.146 which fit into an existing IP range, and which assumed to be the correct IP of interest.
A similar case happened when we found IP 212.209.74.126 for headlines2day.com with dnshistory.org: dnshistory.org/historical-dns-records/a/headlines2day.com.
It is also possible that some of them are simply false positives so they should be taken with a grain of salt. Further reverse engineering e.g. of comms or HTML analysis might be able to exclude some of them.
It is interesting to note that Reuters seems to have featured disproportionately many hits from that range, one wonders why that happened. It is possible that they chose these because they actually didn't have any nearby hits to give away less obvious information, though they did pick some from the ranges as wel.
In what follows we list the domains with possible reverse IPs and what was explored so far for each. We consider IPs not in a range to be uncertain, and that instead their domains might have been previously in a range which we
dailynewsandsports.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches
  • 216.119.129.94. rdns source: viewdns.info "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2012-04-13". Tested viewdns.info range: 216.119.129.85 - 216.119.129.86, 216.119.129.89 - 216.119.129.99, ran out of queries for 87 and 88
    • 216.119.129.90: eastdairies.com 2011-04-04. Promising name and date, but no archives alas.
    • 216.119.129.97: miideaco.com 2016-02-01
  • 216.119.129.114 Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches, also present on viewdns.info but at a later date from previous "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2013-11-29". Tested viewdns.info range: 216.119.129.109 - 216.119.129.119
    • 216.119.129.110: dommoejmechty.com.ua. Legit.
    • 216.119.129.111: dailybeatz.com: Legit
    • 216.119.129.113:
      • audreygeneve.com
      • reyzheng.com
      • jacintorey.com
    • 216.119.129.114: dailynewsandsports.com. hit.
    • 216.119.129.115: afxchange.com legit/broken
    • 216.119.129.116: danafunkfinancial.com: legit
  • 208.73.33.194 on securitytrails.com
iranfootballsource.com:
iraniangoalkicks.com:
iraniangoals.com:
football-enthusiast.com:
  • 212.4.18.14: Tested viewdns.info range: 212.4.18.1 - 212.4.18.29. This is a curious case, rather close to 212.4.18.129 sightseeingnews.com, but not quite in the same range apparently. Viewdns.info also agrees on its history with only "212.4.18.14", "location" : "Milan - Italy", "owner" : "MCI Worldcom Italy Spa", "lastseen" : "2013-06-30" of interest.
cyhiraeth-intlnews.com:
europeannewsflash.com:
outlooknewscast.com:
farsi-newsandweather.com:
global-view-news.com:
health-men-today.com:
firstnewssource.com:
pars-technews.com:
newdaynewsonline.com:
sportsnewsfinder.com:
newsworldsite.com:
todaysnewsreports.net:
hassannews.net:
todayoutdoors.com:
globaltourist.net:
terrain-news.com:
intlnewsdaily.com
opensourcenewstoday.com:
Read the full article
CIA 2010 covert communication websites / How did Alexa find the domains? Updated 2025-07-16
View more
It can't be HTML crawl because presumably there wouldn't have been links to those websites? Presumably this is why Common Crawl doesn't seem to have any hits.
So they must have had some kind of DNS A record database?
Or would IPv4 sweep have worked, without the Host header with the CIA's setup?
The same question also applies to the 2013 DNS Census. It has less hits, but still has many.
Whatever they did, we are so so glad that they did!
Read the full article
CIA 2010 covert communication websites / Internet Census 2012 Updated 2025-07-16
View more
Does not appear to have any reverse IP hits unfortunately: opendata.stackexchange.com/questions/1951/dataset-of-domain-names/21077#21077. Likely only has domains that were explicitly advertised.
We could not find anything useful in it so far, but there is great potential to use this tool to find new IP ranges based on properties of existing IP ranges. Part of the problem is that the dataset is huge, and is split by top 256 bytes. But it would be reasonable to at least explore ranges with pre-existing known hits...
We have started looking for patterns on 66.* and 208.*, both selected as two relatively far away ranges that have a number of pre-existing hits. 208 should likely have been 212 considering later finds that put several ranges in 212.
tcpip_fp:
  • 66.104.
    • 66.104.175.41: grubbersworldrugbynews.com: 1346397300 SCAN(V=6.01%E=4%D=1/12%OT=22%CT=443%CU=%PV=N%G=N%TM=387CAB9E%P=mipsel-openwrt-linux-gnu),ECN(R=N),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=N),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
    • 66.104.175.48: worlddispatch.net: 1346816700 SCAN(V=6.01%E=4%D=1/2%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=1D5EA%P=mipsel-openwrt-linux-gnu),SEQ(SP=F8%GCD=3%ISR=109%TI=Z%TS=A),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
    • 66.104.175.49: webworldsports.com: 1346692500 SCAN(V=6.01%E=4%D=9/3%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=5044E96E%P=mipsel-openwrt-linux-gnu),SEQ(SP=105%GCD=1%ISR=108%TI=Z%TS=A),OPS(O1=M550ST11NW6%O2=M550ST11NW6%O3=M550NNT11NW6%O4=M550ST11NW6%O5=M550ST11NW6%O6=M550ST11),WIN(W1=1510%W2=1510%W3=1510%W4=1510%W5=1510%W6=1510),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
    • 66.104.175.50: fly-bybirdies.com: 1346822100 SCAN(V=6.01%E=4%D=1/1%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=14655%P=mipsel-openwrt-linux-gnu),SEQ(TI=Z%TS=A),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
    • 66.104.175.53: info-ology.net: 1346712300 SCAN(V=6.01%E=4%D=9/4%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=50453230%P=mipsel-openwrt-linux-gnu),SEQ(SP=FB%GCD=1%ISR=FF%TI=Z%TS=A),ECN(R=N),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
  • 66.175.106
    • 66.175.106.150: noticiasmusica.net: 1340077500 SCAN(V=5.51%D=1/3%OT=22%CT=443%CU=%PV=N%G=N%TM=38707542%P=mipsel-openwrt-linux-gnu),ECN(R=N),T1(R=N),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
    • 66.175.106.155: atomworldnews.com: 1345562100 SCAN(V=5.51%D=8/21%OT=22%CT=443%CU=%PV=N%DC=I%G=N%TM=5033A5F2%P=mips-openwrt-linux-gnu),SEQ(SP=FB%GCD=1%ISR=FC%TI=Z%TS=A),ECN(R=Y%DF=Y%TG=40%W=1540%O=M550NNSNW6%CC=N%Q=),T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=),T2(R=N),T3(R=N),T4(R=N),T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=),T6(R=N),T7(R=N),U1(R=N),IE(R=N)
Read the full article
CIA 2010 covert communication websites / ipinf.ru Updated 2025-07-16
View more
alljohnny.com had a hit: ipinf.ru/domains/alljohnny.com/, and so Ciro started looking around... and a good number of other things have hits.
Not all of them, definitely less data than viewdns.info.
But they do reverse IP, and they show which nearby reverse IPs have hits on the same page, for free, which is great!
Shame their ordering is purely alphabetical, doesn't properly order the IPs so it is a bit of a pain, but we can handle it.
OMG, Russians!!!
The data here had a little bit of non-overlap from other sources. 4 new confirmed hits were found, plus 4 possible others that were left as candidates.
Read the full article
CIA 2010 covert communication websites / Wayback Machine CDX scanning with Tor parallelization Updated 2025-07-16
View more
First we must start the tor servers with the tor-army command from: stackoverflow.com/questions/14321214/how-to-run-multiple-tor-processes-at-once-with-different-exit-ips/76749983#76749983
tor-army 100
and then use it on a newline separated domain name list to check;
./cdx-tor.sh infile.txt
This creates a directory infile.txt.cdx/ containing:
  • infile.txt.cdx/out00, out01, etc.: the suspected CDX lines from domains from each tor instance based on the simple criteria that the CDX can handle directly. We split the input domains into 100 piles, and give one selected pile per tor instance.
  • infile.txt.cdx/out: the final combined CDX output of out00, out01, ...
  • infile.txt.cdx/out.post: the final output containing only domain names that match further CLI criteria that cannot be easily encoded on the CDX query. This is the cleanest domain name list you should look into at the end basically.
Since archive is so abysmal in its data access, e.g. a Google BigQuery would solve our issues in seconds, we have to come up with creative ways of getting around their IP throttling.
The CIA doesn't play fair. They're actually the exact opposite of fair. So neither shall we.
This should allow a full sweep of the 4.5M records in 2013 DNS Census virtual host cleanup in a reasonable amount of time. After JAR/SWF/CGI filtering we obtained 5.8k domains, so a reduction factor of about 1 million with likely very few losses. Not bad.
5.8k is still a bit annoying to fully go over however, so we can also try to count CDX hits to the domains and remove anything with too many hits, since the CIA websites basically have very few archives:
cd 2013-dns-census-a-novirt-domains.txt.cdx
./cdx-tor.sh -d out.post domain-list.txt
cd out.post.cdx
cut -d' ' -f1 out | uniq -c | sort -k1 -n | awk 'match($2, /([^,]+),([^)]+)/, a) {printf("%s.%s %d\n", a[2], a[1], $1)}' > out.count
This gives us something like:
12654montana.com 1
aeronet-news.com 1
atohms.com 1
av3net.com 1
beechstreetas400.com 1
sorted by increasing hit counts, so we can go down as far as patience allows for!
New results from a full CDX scan of 2013-dns-census-a-novirt.csv:
  • 219.90.61.123 journeystravelled.com
Read the full article
CIA 2010 covert communication websites / iraniangoals.com Updated 2025-07-16
View more
whoisxmlapi WHOIS history April 11, 2011:
  • Created Date: March 6, 2008 00:00:00 UTC
  • Updated Date: March 7, 2011 00:00:00 UTC
  • Expires Date: March 6, 2014 00:00:00 UTC
  • Registrant Name: domainsbyproxy.com.
  • Registrant Organization: Domains by Proxy, Inc.
  • Registrant Street: 15111 N. Hayden Rd., Ste 160,
  • Registrant City: Scottsdale
  • Registrant State/Province: Arizona
  • Registrant Postal Code: 85260
  • Registrant Country: UNITED STATES
  • Name servers: NS29.WORLDNIC.COM|NS30.WORLDNIC.COM
Folowed by reuters registration in 2022.
whoisrequest.com/history/ mentions:
  • 1 Apr, 2008: Domain created*, nameservers added. Nameservers:
  • ns1.webhostingpad.com
  • ns2.webhostingpad.com
Read the full article
CIA 2010 covert communication websites / iraniangoals.com JavaScript reverse engineering Updated 2025-07-16
View more
Notably, the password is hardcoded and its hash is stored in the JavaScript itself. The result is then submitted back via a POST request to /cgi-bin/goal.cgi.
TODO: how is the SHA calculated? Appears to be manual.
Read the full article
CIA 2010 covert communication websites / JavaScript reverse engineering Updated 2025-07-16
Read the full article
CIA 2010 covert communication websites / JavaScript with SHAs Updated 2025-07-16
View more
There are two types of JavaScript found so far. The ones with SHA and the ones without. There are only 2 examples of JS with SHA:
Both files start with precisely the same string:
var ms="\u062F\u0631\u064A\u0627\u0641\u062A\u06CC",lc="\u062A\u0647\u064A\u0647 \u0645\u062A\u0646",mn="\u0628\u0631\u062F\u0627\u0632\u0634 \u062F\u0631 \u062C\u0631\u064A\u0627\u0646 \u0627\u0633\u062A...\u0644\u0637\u0641\u0627 \u0635\u0628\u0631 \u0643\u0646\u064A\u062F",lt="\u062A\u0647\u064A\u0647 \u0645\u062A\u0646",ne="\u067E\u0627\u0633\u062E",kf="\u062E\u0631\u0648\u062C",mb="\u062D\u0630\u0641",mv="\u062F\u0631\u064A\u0627\u0641\u062A\u06CC",nt="\u0627\u0631\u0633\u0627\u0644",ig="\u062B\u0628\u062A \u063A\u0644\u0637. \u062C\u0647\u062A \u062A\u062C\u062F\u064A\u062F \u062B\u0628\u062A \u0635\u0641\u062D\u0647 \u0631\u0627 \u0628\u0627\u0632\u0622\u0648\u0631\u06CC \u06A9\u0646\u064A\u062F",hs="\u063A\u064A\u0631 \u0642\u0627\u0628\u0644 \u0627\u062C\u0631\u0627. \u062E\u0637\u0627 \u062F\u0631 \u0627\u062A\u0651\u0635\u0627\u0644",ji="\u063A\u064A\u0631 \u0642\u0627\u0628\u0644 \u0627\u062C\u0631\u0627. \u062E\u0637\u0627 \u062F\u0631 \u0627\u062A\u0651\u0635\u0627\u0644",ie="\u063A\u064A\u0631 \u0642\u0627\u0628\u0644 \u0627\u062C\u0631\u0627. \u062E\u0637\u0627 \u062F\u0631 \u0627\u062A\u0651\u0635\u0627\u0644",gc="\u0633\u0648\u0627\u0631 \u06A9\u0631\u062F\u0646 \u062A\u06A9\u0645\u064A\u0644 \u0634\u062F",gz="\u0645\u0637\u0645\u0626\u0646\u064A\u062F \u06A9\u0647 \u0645\u064A\u062E\u0648\u0627\u0647\u064A\u062F \u067E\u064A\u0627\u0645 \u0631\u0627 \u062D\u0630\u0641 \u06A9\u0646\u064A\u062F\u061F"
Good fingerprint present in all of them:
throw new Error("B64 D.1");};if(at[1]==-1){throw new Error("B64 D.2");};if(at[2]==-1){if(f<ay.length){throw new Error("B64 D.3");};dg=2;}else if(at[3]==-1){if(f<ay.length){throw new Error("B64 D.4")
Read the full article
CIA 2010 covert communication websites / JS CDX scanning Updated 2025-07-16
View more
JAR, SWF and CGI-bin scanning by path only is fine, since there are relatively few of those. But .js scanning by path only is too broad.
One option would be to filter out by size, an information that is contained on the CDX. Let's check typical ones:
grep -f <(jq -r '.[]|select(select(.comms)|.comms|test("\\.js"))|.host' ../media/cia-2010-covert-communication-websites/hits.json) out | out.jshits.cdx
sort -n -k7 out.jshits.cdx
Ignoring some obvious unrelated non-comms files visually we get a range of about 2732 to 3632:
net,hollywoodscreen)/current.js 20110106082232 http://hollywoodscreen.net/current.js text/javascript 200 XY5NHVW7UMFS3WSKPXLOQ5DJA34POXMV 2732
com,amishkanews)/amishkanewss.js 20110208032713 http://amishkanews.com/amishkanewss.js text/javascript 200 S5ZWJ53JFSLUSJVXBBA3NBJXNYLNCI4E 3632
This ignores the obviously atypical JavaScript with SHAs from iranfootballsource, and the particularly small old menu.js from cutabovenews.com, which we embed into ../cia-2010-covert-communication-websites/cdx-post-js.sh.
The size helps a bit, but it's not insanely good unfortunately, only about 3x, these are some common JS sizes right there!
Read the full article
CIA 2010 covert communication websites / "Mass Deface III" pastebin Updated 2025-07-16
View more
pastebin.com/CTXnhjeS dated mega early on Sep 30th, 2012 by CYBERTAZIEX.
This source was found by Oleg Shakirov.
Holy fuck the type of data source that we get in this area of work!
This pastebin contained a few new hits, in addition to some pre-existing ones. Most of the hits them seem to be linked to the IP 72.34.53.174, which presumably is a major part of the fingerprint found by CYBERTAZIEX, though unsurprisingly methodology is unclear. As documented, the domains appear to be linked to a "Condor hosting" provider, but it is hard to find any information about it online.
From the title, it would seem that someone hacked into Condor and defaced all of its sites, including unknowingly some CIA ones which is LOL.
Ciro Santilli checked every single non-subdomain domain in the list.
Other files under the same account: pastebin.com/u/cybertaziex did not seem of interest.
The author's real name appears to be Deni Suwandi: twitter.com/denz_999 from Indonesia, but all accounts appear to be inactive, otherwise we'd ping him to ask for more info about the list.
www.zone-h.com lists some of the domains. They also seem to have intended to have snapshots of the defaces but we can't see them which is sad:
Read the full article
CIA 2010 covert communication websites / Methodology Updated 2025-07-16
View more
This section tries to explain how the discoveries were made in more detail.
Some of the subsections are quite readable, while others are mostly data dumps and work logs, so bear with us.
Read the full article
CIA 2010 covert communication websites / noticiasmusica.net Updated 2025-07-16
View more
whoisxmlapi WHOIS record on September 13, 2011
  • Registrar Name: NETWORK SOLUTIONS, LLC
  • Created Date: February 17, 2010 00:00:00 UTC
  • Updated Date: February 17, 2010 00:00:00 UTC
  • Expires Date: February 17, 2015 00:00:00 UTC
  • Registrant Name: See, Megan|ATTN NOTICIASMUSICA.NET|care of Network Solutions
  • Registrant Street: PO Box 459
  • Registrant City: PA
  • Registrant State/Province: US
  • Registrant Postal Code: 18222
  • Registrant Country: UNITED STATES
  • Administrative Contact
  • Administrative Name: See, Megan|ATTN NOTICIASMUSICA.NET|care of Network Solutions
  • Administrative Street: PO Box 459
  • Administrative City: Drums
  • Administrative State/Province: PA
  • Administrative Postal Code: 18222
  • Administrative Country: UNITED STATES
  • Administrative Email: hf3eg77c4nn@networksolutionsprivateregistration.com
  • Administrative Phone: 5707088780
  • Name Servers: NS45.WORLDNIC.COM|NS46.WORLDNIC.COM
2012:
Read the full article
CIA 2010 covert communication websites / Oleg Shakirov's findings Updated 2025-07-16
View more
Starting at twitter.com/shakirov2036/status/1746729471778988499, Russian expat Oleg Shakirov comments "Let me know if you are still looking for the Carson website".
He then proceeded to give Carson and 5 other domains in private communication. His name is given here with his consent. His advances besides not being blind were Yandexing for some of the known hits which led to pages that contained other hits:
Unfortunately, these methods are not very generalizable, and didn't lead to a large number of other hits. But every domain counts!
Read the full article
CIA 2010 covert communication websites / Reuters article Updated 2025-07-16
View more
This is our primary data source, the first article that pointed out a few specific CIA websites which then served as the basis for all of our research.
We take the truth of this article as an axiom. And then all we claim is that all other websites found were made by the same people due to strong shared design principles of the such websites.
Read the full article
CIA 2010 covert communication websites / Reverse engineering Updated 2025-07-16
View more
In this section we document the outcomes of more detailed inspection of both the communication mechanisms (JavaScript, JAR, swf) and HTML that might help to better fingerprint the websites.
Read the full article
CIA 2010 covert communication websites / Searching for Carson Updated 2025-07-16
View more
Edit: Carson was found Oleg Shakirov's findingsby Oleg Shakirov: alljohnny.com, communicated at: twitter.com/shakirov2036/status/1746729471778988499, earliest archive from 2004 (!): web.archive.org/web/20040113025122/http://alljohnny.com/, The domain was hidden in plain sight, it was present in a not very visible watermark visible in the Reuters article screenshot! The watermark was added to the CIA to the background image, it is actually present on the website. In retrospect, it was actually present at on the expired domain trackers dataset, but the mega discrete all second word made Ciro Santilli miss it: github.com/cirosantilli/expired-domain-names-by-day-2015/blob/9d504f3b85364a64f7db93311e70011344cff788/07/05/02#L1572
Figure 1.
2004 Wayback Machine archive of alljohnny.com
.
What follows is the previous
The fact that the Reuters article has a screenshot of it, and therefore a Wayback Machine link, plus the specificity of the website topic, will likely keep Ciro awake at night for a while until someone finds that domain.
Some text visible on the Reuters screenshot:
It is unclear however if this text is plaintext or part of a an image.
Some failed attempts, either dry guesses or from DNS grepping dataset searches:
Searching the Wayback Machine proved fruitless. There is no full text search: Wayback Machine full text search, and a heuristic web.archive.org/web/20230000000000*/Johnny%20Carson search has relevant hits but not the one we want.
Another attempt was to search for "carson" on webmasterhome.cn which lists expired domains in bulk by expiration day, and it search engine friendly. It contains most of the domains we've found so far. Google either doesn't support partial word search or requires you to be a God to find it
so we settle for DuckDuckGo which supports it: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22&t=h_&ia=web Adding years also helps: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22+2011&ia=web with this we might be getting all possible results. Ciro went through all in 2011, 2012 and 2013 but no luck. Also fuck en.wikipedia.org/wiki/Carson_City,_Nevada and en.wikipedia.org/wiki/Carson,_California :-)
Let's search tools.whoisxmlapi.com/reverse-whois-search for "carson" contained in any historic domain name. 10,001 lines. Grepping those, no good Wayback machine hits for those that also contain "johnny" or "show". Data at: raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/tools.whoisxmlapi.com_reverse-whois-search_carson.csv in case anyone want to try and dig...
Let's also search the fortuitously timed 2013 DNS Census.
Read the full article

There are unlisted articles, also show them or only show them.