CC BY-NC-ND 4.0
CIA 2010 covert communication websites / IP and DNS metadata
Some dumps from our search for patterns; we could not find any.
Sources of whois history include:
The vast majority of domains seem to be registered via domainsbyproxy.com, which likely integrates with Godaddy, is widely used, and seems to give zero information at all about the registrar.
A much smaller number however uses other methods, some of which sometimes leak a little bit of data:
Big question: webmasters.stackexchange.com/questions/13237/how-do-you-view-domain-whois-history DomainTools also has it.
How on Earth did Citizen Lab find what seems to be a DNS fingerprint??? Are there simply some very rare badly registered domains? What did they see!
CIA 2010 covert communication websites / IP range search
One promising way to find more of those would be with IP searches, since it was stated in the Reuters article that the CIA made the terrible mistake of using several contiguous IP blocks for those websites. What a phenomenal OPSEC failure!!!
The easiest way would be if Wayback Machine itself had an IP search function, but we couldn't find one: Search Wayback Machine by IP.
viewdns.info was the first easily accessible website that Ciro Santilli could find that contained such information.
Our current results indicate that the typical IP range is about 30 IPs wide.
E.g. searching: viewdns.info/iphistory and considering only hits from 2011 or earlier we obtain:
Neither of these seems to be in the same range. The only common nearby hit amongst these ranges is the exact 68.178.232.100, and a reverse IP search at viewdns.info/reverseip/?host=68.178.232.100&t=1 states that it has 2.5 million hostnames associated with it, so it must be some kind of shared web hosting service, see also: superuser.com/questions/577070/is-it-possible-for-many-domain-names-to-share-one-ip-address. This makes the search hard.
Ciro then tried some of the other IPs, and soon hit gold.
Initially, Ciro started by doing manual queries to viewdns.info/reverseip until his IP was blocked. Then he created an account and used his 250 free queries with the following helper script: cia-2010-covert-communication-websites/viewdns-info.sh. The output of that script can be seen at: github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/viewdns-info.sh.
Ciro then found the 2013 DNS Census, which contained data highly disjoint from the viewdns-info one!
Summaries of the IP range exploration done so far follow, combining data from all databases above.
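The range search described above can be reproduced on any set of passive DNS records, for example to audit whether your own unrelated-looking sites are linkable by address. The following is an added example, not the helper script from the original page. The sample records use constructed domains on documentation addresses (RFC 5737), and `max_gap`, `shared_threshold` and `min_domains` are assumed parameters, with `max_gap` taken from the "about 30 IPs wide" observation.

```python
import ipaddress

# Constructed sample: (domain, IPv4 seen in passive DNS, hostnames sharing that IP).
# Addresses are documentation ranges (RFC 5737); none of them come from the page.
SAMPLE = [
    ("site-a.example", "198.51.100.10", 1),
    ("site-b.example", "198.51.100.12", 1),
    ("site-c.example", "198.51.100.27", 2),
    ("site-d.example", "198.51.100.200", 1),
    ("site-e.example", "203.0.113.5", 1),
    ("site-f.example", "203.0.113.6", 1),
    ("parked.example", "192.0.2.100", 2_500_000),  # shared hosting IP
]

def cluster_by_ip(records, max_gap=30, shared_threshold=1000, min_domains=2):
    """Group domains whose IP is within max_gap of the previous IP in sorted order.

    IPs serving more than shared_threshold hostnames are dropped first: on
    shared hosting, neighbouring addresses say nothing about common ownership.
    """
    dedicated = sorted(
        (int(ipaddress.IPv4Address(ip)), domain)
        for domain, ip, hosts in records
        if hosts <= shared_threshold
    )
    clusters, current = [], []
    for value, domain in dedicated:
        if current and value - current[-1][0] > max_gap:
            clusters.append(current)
            current = []
        current.append((value, domain))
    if current:
        clusters.append(current)
    return [
        {
            "first": str(ipaddress.IPv4Address(c[0][0])),
            "last": str(ipaddress.IPv4Address(c[-1][0])),
            "width": c[-1][0] - c[0][0] + 1,
            "domains": [d for _, d in c],
        }
        for c in clusters
        if len(c) >= min_domains
    ]

if __name__ == "__main__":
    for c in cluster_by_ip(SAMPLE):
        print(f"{c['first']}-{c['last']} ({c['width']} IPs): {', '.join(c['domains'])}")
```

Any cluster this reports for infrastructure that is supposed to be unrelated is the same linkage the Reuters article describes; hosting each site with a different provider and address block removes it.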
CIA 2010 covert communication websites / Wakatime redirects
Summary: this is just a red herring. Wakatime owner likely registered the domains just after this article was published as a publicity stunt. Fair play though.
As raised at: news.ycombinator.com/item?id=36280666, many, but not all, of the domains currently redirect to wakatime.com/ as of 2023, and apparently they were taken up in 2013 (TODO how to confirm that). TODO what is the explanation for that? Some examples that do:
But some failed resolution examples:
Even more suspiciously, according to his LinkedIn: www.linkedin.com/in/alanhamlett/, the owner of Wakatime, Alan Hamlett, worked at WhiteHat Security, Inc from Aug 2011 - Sep 2013. The company was then acquired by Synopsys in 2022. Holy crap!!! As shown at: web.archive.org/web/20131013193406/https://www.whitehatsec.com/ that company made website security tools. Did that dude use the tools to find the vulnerability and then just gobble up all the domains??? What a fucking legend if he did!!!
Running e.g.
curl -vvv dedrickonline.com
gives:
*   Trying 162.255.119.197:80...
* Connected to dedrickonline.com (162.255.119.197) port 80 (#0)
> GET / HTTP/1.1
> Host: dedrickonline.com
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 12 Jun 2023 20:30:19 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 55
< Connection: keep-alive
< Location: https://wakatime.com
< X-Served-By: Namecheap URL Forward
< Server: namecheap-nginx
<
<a href='https://wakatime.com'>Moved Permanently</a>.

* Connection #0 to host dedrickonline.com left intact
so we see that he must have set up redirection with Namecheap as mentioned at: www.namecheap.com/support/knowledgebase/article.aspx/385/2237/how-to-redirect-a-url-for-a-domain/
Let's also try DNS history
  • whoisrequest.com/history/:
    • dedrickonline.com: registered: 1 Nov, 2010, dropped: 24 Nov, 2013
    • activegaminginfo.com : registered: 1 Feb, 2010, dropped: 1 Apr, 2012
  • tools.whoisxmlapi.com/whois-history-search
    • dedrickonline.com:
      • CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
        • Created Date: October 27, 2010 00:00:00 UTC
        • Updated Date: October 28, 2013 00:00:00 UTC
        • Expires Date: October 27, 2014 00:00:00 UTC
      • Alan (namecheap):
        • Created Date: June 11, 2023 09:59:25 UTC
        • Expires Date: June 11, 2024 09:59:25 UTC
    • activegaminginfo.com:
      • CIA (Network Solutions, registrant name: LLC. Corral, Elizabeth|ATTN ACTIVEGAMINGINFO.COM|care of Network Solutions)
        • Created Date: January 26, 2010 00:00:00 UTC
        • Updated Date: November 27, 2010 00:00:00 UTC
        • Expires Date: January 26, 2012 00:00:00 UTC
      • Alan:
        • Created Date: June 11, 2023 09:59:40 UTC
        • Expires Date: June 11, 2024 09:59:40 UTC
    • iraniangoalkicks.com:
      • CIA (registrar: Godaddy, registrant name: domainsbyproxy.com)
        • Created Date: April 9, 2007 00:00:00 UTC
        • Updated Date: March 2, 2011 00:00:00 UTC
        • Expires Date: April 9, 2011 00:00:00 UTC
      • Alan:
        • Created Date: June 11, 2023 09:59:20 UTC
        • Expires Date: June 11, 2024 09:59:20 UTC
    • iraniangoals.com:
      • CIA (registrar: Godaddy, registrant name: domainsbyproxy.com):
        • Created Date: March 6, 2008 00:00:00 UTC
        • Updated Date: March 7, 2011 00:00:00 UTC
        • Expires Date: March 6, 2014 00:00:00 UTC
      • Reuters:
        • Created Date: September 29, 2022 11:16:09 UTC
        • Updated Date: September 29, 2022 11:16:09 UTC
        • Expires Date: September 29, 2023 11:16:09 UTC
So these suggest Alan might have just come along in 2023 way after the 2022 Reuters article and did the same basic IP range search that Ciro is doing now, so possibly no new tech. Let's ask... twitter.com/cirosantilli/status/1668369786865164289
The domain name history presented is however of interest, and could lead to patterns being found.
Searching tools.whoisxmlapi.com/reverse-whois-search with term "Corral, Elizabeth" gave no results unfortunately.
Basic search under tools.whoisxmlapi.com/reverse-whois-search for "Corral" also empty. They can't see their own data? Ah, need advanced. Marked "Historic" and selected "Corral, Elizabeth", only one hit, activegaminginfo.com.
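The whois timeline above can be checked mechanically. The following is an added example, not code from the original page: it takes the creation and expiry dates listed above, measures how long each domain sat between the earlier record's expiry and the later registration, and groups later registrations that were created within one minute of each other. The one-minute `window` and the function names are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%B %d, %Y %H:%M:%S"
# (owner label, created, expires) copied from the whois history above, all UTC.
# The owner labels "CIA", "Alan" and "Reuters" are the page's own attributions.
HISTORY = {
    "dedrickonline.com": [
        ("CIA", "October 27, 2010 00:00:00", "October 27, 2014 00:00:00"),
        ("Alan", "June 11, 2023 09:59:25", "June 11, 2024 09:59:25")],
    "activegaminginfo.com": [
        ("CIA", "January 26, 2010 00:00:00", "January 26, 2012 00:00:00"),
        ("Alan", "June 11, 2023 09:59:40", "June 11, 2024 09:59:40")],
    "iraniangoalkicks.com": [
        ("CIA", "April 9, 2007 00:00:00", "April 9, 2011 00:00:00"),
        ("Alan", "June 11, 2023 09:59:20", "June 11, 2024 09:59:20")],
    "iraniangoals.com": [
        ("CIA", "March 6, 2008 00:00:00", "March 6, 2014 00:00:00"),
        ("Reuters", "September 29, 2022 11:16:09", "September 29, 2023 11:16:09")],
}

def reregistrations(history):
    """Return (created, domain, owner, gap since previous expiry), oldest first."""
    out = []
    for domain, records in history.items():
        parsed = [(o, datetime.strptime(c, FMT), datetime.strptime(e, FMT))
                  for o, c, e in records]
        for (_, _, prev_exp), (owner, created, _) in zip(parsed, parsed[1:]):
            out.append((created, domain, owner, created - prev_exp))
    return sorted(out)

def bulk_batches(history, window=timedelta(minutes=1), min_size=2):
    """Group re-registrations created within `window` of the previous one."""
    batches, current = [], []
    for rec in reregistrations(history):
        if current and rec[0] - current[-1][0] > window:
            batches.append(current)
            current = []
        current.append(rec)
    if current:
        batches.append(current)
    return [b for b in batches if len(b) >= min_size]

if __name__ == "__main__":
    for batch in bulk_batches(HISTORY):
        span = batch[-1][0] - batch[0][0]
        print(f"{len(batch)} domains registered within {span}:")
        for created, domain, owner, gap in batch:
            print(f"  {created} {domain} ({owner}), {gap.days} days after previous expiry")
```

On the dates listed above, the three registrations labelled "Alan" fall into a single batch, while the Reuters registration of iraniangoals.com stands alone months earlier.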
Cool data embedded in the Bitcoin blockchain / Themes
In this section we document events that led to a large number of thematically related messages being added to the chain e.g. referencing some current event that happened, as opposed to the media encoding/type like images and text sections.
The "Hitler did nothing wrong" meme[ref] is repeated several times, e.g.: tx 41967a7d75e9e1ca8c142a45ce29ea08b451a3b55c3e33538f5cc8a389ec66ab (2015-07-20):
EW Hitler did nothing wrong.
This one is also an Eternity Wall message. The message had also been previously Base58 encoded at address 1HitLerDidNothingWrongggggghJewfv in two different instances:
Brazil:
  • tx 1c05bb7c0a8c9498d33a1e6d4a91bbb4c651daa5ea5a21aa5c8c600d3300b8bb Viva Brazil's Impeachment!
  • tx 105fb3a0be8ab50bfa36012e0319a752dee39702cb44f3904cf423eb20367d57 contains a misogynous joke:
    A mulher feia so tem uma coisa a oferecer,uma boa foda(Diego Silva de Oliveira)
    which translates to:
    Ugly women only have one thing to offer, a good fuck
    It is attributed to Diego Silva de Oliveira, possibly this football player: en.wikipedia.org/wiki/Diego_Silva_(footballer,_born_1990)
  • c72dc315a5504362d01f2dcdfe77826d14a9eb3411b83edd7aa782e95e4a7794 via cryptograffiti.info:
    NÓS DISSEMOS SIM
    AGÊNCIA TRANSITIVA 2015
    
    Nota pública de reconhecimento do Acordo Reconformado, assinado pela Agência Transitiva e 
    pela Escola de Artes Visuais do Parque Lage, em 22 de Abril de 2015.
    
    #ENCRUZILHADA
    EAV PARQUE LAGE
    22.04.2015
  • 1c05bb7c0a8c9498d33a1e6d4a91bbb4c651daa5ea5a21aa5c8c600d3300b8bb via cryptograffiti.info:
    Viva Brazil's Impeachment!
Our indexer does not handle UTF-8, here's a collection of some UTF-8 messages we've stumbled upon somewhat randomly:
Arabic:
  • 7eb561f2139761064de20033fa4843f1f3e1a9551268704b36f84d94e66fd91a
    يا سلم!
    شعرك جميل
    و عينيك حلوة
    انا عطشان
    اِروني من عينيك
    O peace!
    Your hair is beautiful
    And your eyes are beautiful
    I'm thirsty
    Show me from your eyes
  • b7376cae03b88392e5fd0292bcb43105386fbb534fc9be68c1e3d0b8f39e5ba4 via cryptograffiti.info
    sjalom, salaam, peace!
    الدين
  • 7a898b7e6b2145f4f887e1ff890d0b613e3008fbe350aa92662735e3acd0c0bc
    هذه رسالة من المستقبل
    إلى الماضي ...
    الحياة صعبة في المستقبل
    رعاية العالم
    وتحمل المسؤولية
    /y
    This is a message from the future
    To the past...
    Life is difficult in the future
    Caring for the world
    And take responsibility
    /y
Russian:
  • 1dcd62c922eb1ddbc1f58615b6271d64736bf55e83408cef02a7d0ac6707e423 via cryptograffiti.info
    А на Земле Быть Добру!
    And on Earth To Be Good!
  • 596cc6e905a5fc8248cf59198a19ce5070228b302a9f3a993197e2c87ddcaf14 via cryptograffiti.info
    Книга Вечно Живущих открыта
    The Book of the Ever-Living is open
  • 596cc6e905a5fc8248cf59198a19ce5070228b302a9f3a993197e2c87ddcaf14 via cryptograffiti.info
    Это тест, сука блять.
    This is a test, motherfucker.
  • ed56ef68ccbfb1d47bc159fb62fab6807ee4d7363d0ad4cded2e922a5b47362e via cryptograffiti.info
    Путин хуйло лалалалалалалалалал
    Putin sucks lalalalalalalalala
Chinese:
Japanese:
  • ac2ad7c15162a8e461387b0d0d681bb5f81f2db1138b8f200b81bbc585bd0b8f via cryptograffiti.info:
    モキーのフラッシュバン許すな
    Don't forgive Moky's flashbang
Hebrew:
  • 0b32736592ce7abdd4d971bc4591544e1610ff51f498c9a14a6ba34a3abcad5d via cryptograffiti.info
    חתימה טובה לכולם בכלל ולחברי ביטקוין ישראלי בפרט.
    A good signature for everyone in general and Israeli Bitcoin members in particular.
  • d7b80c8fefc88cc3f06d74f8496e2dc6f44b5f5f0a59f9ba1ba27266848a8666 via cryptograffiti.info contains what appears to be UTF-8 Hebrew text on my terminal, but Google Translate couldn't translate it, so we are unsure.
Davinci Jeremie
Video 1.
Just buy $1 worth of Bitcoin please! by Davinci Jeremie (2013)
Source.
Digital quantum computer
As of 2022, this tends to be the more "default" when you talk about a quantum computer.
But there are some serious analog quantum computer contestants in the field as well.
CIA 2010 covert communication websites / Selected screenshots
This section contains some of the most interesting and a few representative screenshots of the websites found.
We intentionally omit the screenshots already reported by the Reuters article.
Figure 1.
2010 Wayback Machine archive of starwarsweb.net
.
The Star Wars one. Clearly branded websites like this are rare, which makes finding them all the more fun. The Reuters article had two of them (Carson and rastadirect.net), so these were probably manually selected from the full hit dataset, and did not serve specifically as entry points. Most of the websites are quite boring and forgettable as you'd expect.
The subtitle "Beyond The Unknown" may be a reference to the Unknown Regions, an unexplored area of the galaxy in the Star Wars fictional universe.
Figure 2.
Stock photo of a Jedi boy from Getty Images used on starwarsweb.net
. Source.
Marked as Uploaded 10 October, 2008.
The photo can still be licensed today as of 2025: www.gettyimages.co.uk/detail/photo/little-jedi-royalty-free-image/172984439. We found it by searching for "jedi boy" on gettyimages.co.uk. The photo is credited to a madisonwi, presumably an alias based on the location Madison, Wisconsin. Here's a random website about adoption that uses it: www.adoptionadvocates.net/star-wars-adoption-language/ and where it can be seen without the watermarks.
The droids can be seen e.g. at: www.amazon.co.uk/04-Kampf-Droiden-Superheftig-Jedi/dp/B004TINSW6, a promotional material for a 2008 The Clone Wars television series audio CD and available as transparent PNGs without background in several sources. The Yoda art also seems to come from that show: rpggamer.org/page.php?page=4229. One can picture the contractor's children watching that show when a lightbulb popped over their heads.
It later occurred to Ciro Santilli that perhaps Reuters did not showcase this website because it features a minor. But Ciro is sure that that minor is now a handsome young man in his 20's and would find the entire story very amusing if he ever finds out about it!
Figure 3.
2011 Wayback Machine archive of alljohnny.com
. Source. Although alljohnny.com is one of the original Reuters examples, we are highlighting this screenshot here because the Reuters provided screenshot is from the extremely early 2004 version of the site, and it is interesting to see how this unique example was later updated in this 2011 version, the only known such case so far. The lack of OPSEC awareness is mind blowing, them reusing a domain like that after so many years in a completely new threat environment and possibly for a new asset.
Figure 4.
2011 Wayback Machine archive of webofcheer.com scrolled to show Johnny Carson
. Source. This website is a fansite for various comedians. It is the second known reference to Johnny Carson after alljohnny.com, which was one of the original screenshots given in the Reuters article. There must have been some massive Johnny Carson fan among the CIA contractors at that time!
Figure 5.
2011 Wayback Machine archive of iranfootballsource.com
.
The third Iranian football one, on top of the two others published by Reuters: iraniangoalkicks.com and iraniangoals.com! Admittedly, this one is the most generic and least well designed one. But still. They pushed the theme too far!
The goalkeeper can be seen at: www.pixtastock.com/illustration/7323632.
Figure 6.
2010 Wayback Machine archive of dedrickonline.com
.
The German one.
The CIA has had a few Germany espionage scandals in the 2010s:
Figure 7.
2010 Wayback Machine archive of lesummumdelafinance.com
.
A French one. Because it mentions VTT (Mountain Biking in French), it must focus on France.
The arrow graph is very popular and can be seen at: www.financialexpress.com/money/top-4-global-market-risks-for-2024-that-may-impact-your-finances-3346284/ and many other sites. Source unknown.
Figure 8.
2011 Wayback Machine archive of attivitaestremi.com
. An Italian one about extreme sports.
Figure 10.
2011 Wayback Machine archive of economicnewsbuzz.com
. The Korean one. Love the kawaii style!
Figure 11.
2011 Wayback Machine archive of snapnewsfront.net
.
The Japanese one.
Figure 12.
2010 Wayback Machine archive of philippinenewsonline.net
. The Philippine one.
Figure 13.
2011 Wayback Machine archive of feedsdemexicoyelmundo.com
. The Mexican one.
Figure 14.
2012 Wayback Machine archive of easytraveleurope.com
.
Figure 15.
2011 Wayback Machine archive of tee-shot.net
. One of the many golf-themed sites. Golf appears to be quite popular over in Langley. It's exactly what you'd expect for a mid-level spook to do in their free time!
Figure 16.
2011 Wayback Machine archive of nouvellesetdesrapports.com
.
Figure 17.
2011 Wayback Machine archive of pangawana.com
.
Figure 18.
2011 Wayback Machine archive of recuerdosdeviajeonline.com
.
Figure 19.
2011 Wayback Machine archive of theworld-news.net
.
Figure 20.
2011 Wayback Machine archive of kessingerssportsnews.com
.
Figure 21.
2011 Wayback Machine archive of negativeaperture.com
.
