CIA 2010 covert communication websites Updated 2025-03-28 +Created 1970-01-01
View more
This article is about covert agent communication channel websites used by the CIA in many countries from the late 2000s until the early 2010s, when they were uncovered by counter intelligence of the targeted countries circa 2011-2013. This discovery led to the imprisonment and execution of several assets in Iran and China, and subsequent shutdown of the channel.
https://raw.githubusercontent.com/cirosantilli/media/master/CIA_Star_Wars_website_promo.jpg
Video 1.
How I found a Star Wars website made by the CIA by Ciro Santilli
. Source. Slightly edited VOD of the talk Aratu Week 2024 Talk by Ciro Santilli: My Best Random Projects.
The existence of such websites was first reported in November 2018 by Yahoo News: www.yahoo.com/video/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html.
Previous whispers had been heard in 2017 but without clear mention of websites: www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html:
Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
[...]
From the final weeks of 2010 through the end of 2012, [...] the Chinese killed at least a dozen of the C.I.A.’s sources. [...] One was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
Most notably, starting in 2008, CIA contractor John Reidy started raising concerns about the security of the communication systems used, but he was silenced and ignored, leading to catastrophe.[ref][ref]
https://raw.githubusercontent.com/cirosantilli/media/master/Yahoo_CIA_website_article.png
Then in September 2022 a few specific websites were finally reported by Reuters: www.reuters.com/investigates/special-report/usa-spies-iran/, henceforth known only as "the Reuters article" in this article.
Figure 1.
Banner of the Reuters article
. Source.
Figure 2.
Reuters reconstruction of what the applet would have looked like
. Source.
Figure 3.
Inspecting the Reuters article HTML source code
. Source. The Reuters article only gave one URL explicitly: iraniangoals.com. But most others could be found by inspecting the HTML of the screenshots provided, except for the Carson website.
Ciro Santilli heard about the 2018 article at around 2020 while studying for his China campaign because the websites had been used to take down the Chinese CIA network in China. He even asked on Quora: www.quora.com/What-were-some-examples-of-the-websites-that-the-CIA-used-around-2010-as-a-communication-mechanism-for-its-spies-in-China-and-Iran-but-were-later-found-and-used-to-take-down-their-spy-networks but there were no publicly known domains at the time to serve as a starting point. Chris, Electrical Engineer and former Avionics Tech in the US Navy, even replied suggesting that obviously the CIA is so competent that it would never ever have its sites leaked like that:
Seriously a dumb question.
So when Ciro Santilli heard about the 2022 article almost a year after publication, and being a half-arsed web developer himself, he knew he had to try and find some of the domains himself using the newly available information! It was an irresistible real-life capture the flag. The thing is, everyone who has ever developed a website knows that its attack surface is about the size of Texas, and the potential for fingerprinting is off the charts with so many bits and pieces sticking out. Chris, get fucked.
Figure 4.
"Seriously a dumb question" Quora answer by Chris from the US Navy
. Source.
In particular, it is fun to have such a clear and visible to anyone examples of the USA spying on its own allies in the form of Wayback Machine archives.
Given that it was reported that there were "more than 350" such websites, it would be really cool if we could uncover more of those websites ourselves beyond the 9 domains reported by Reuters!
This article documents the list of extremely likely candidates Ciro has found so far, mostly using:
more details on methods also follow. It is still far from the 885 websites reported by citizenlabs, so there must be key techniques missing. But the fact that there are no Google Search hits for the domains or IPs (except in bulk e.g. in expired domain trackers) indicates that these might not have been previously clearly publicly disclosed.
If anyone can find others, or has better techniques: Section "How to contact Ciro Santilli". The techniques used so far have been very heuristic, and that added to the limited amount of data makes it almost certain that several IP ranges have been missed. There are two types of contributions that would be possible:
Perhaps the current heuristically obtained data can serve as a good starting for a more data-oriented search that will eventually find a valuable fingerprint which brings the entire network out.
Disclaimer: the network fell in 2013, followed by fully public disclosures in 2018 and 2022, so we believe it is now more than safe for the public to know what can still be uncovered about the events that took place. The main author's political bias is strongly pro-democracy and anti-dictatorship.
May this list serve as a tribute to those who spent their days making, using, and uncovering these websites under the shadows.
If you want to go into one of the best OSINT CTFs of your life, stop reading now and see how many Web Archives you can find starting only from the Reuters article as Ciro did. Some guidelines:
  • there was no ultra-clean fingerprint found yet. Some intuitive and somewhat guessy data analysis was needed. But when you clean the data correctly and make good guesses, many hits follow, it feels so good
  • nothing was paid for data. But using cybercafe Wifi's for a few extra IPs may help.
Figure 5.
viewdns.info activegameinfo.com domain to IP
. Source.
Figure 6.
viewdns.info aroundthemiddleeast.com IP to domain
. Source.
Figure 7.
DNS Census 2013 website
. Source. This source provided valuable historical domain to IP data. It was likely extracted with an illegal botnet. Data excerpt from the CSVs:
amazon.com,2012-02-01T21:33:36,72.21.194.1
amazon.com,2012-02-01T21:33:36,72.21.211.176
amazon.com,2013-10-02T19:03:39,72.21.194.212
amazon.com,2013-10-02T19:03:39,72.21.215.232
amazon.com.au,2012-02-10T08:03:38,207.171.166.22
amazon.com.au,2012-02-10T08:03:38,72.21.206.80
google.com,2012-01-28T05:33:40,74.125.159.103
google.com,2012-01-28T05:33:40,74.125.159.104
google.com,2013-10-02T19:02:35,74.125.239.41
google.com,2013-10-02T19:02:35,74.125.239.46
Figure 8.
The four communication mechanisms used by the CIA websites
. Java Applets, Adobe Flash, JavaScript and HTTPS
Figure 9.
Expired domain names by day 2011
. Source. The scraping of expired domain trackers to Github was one of the positive outcomes of this project.
Video 2.
Compromised Comms by Darknet Diaries (2023)
Source.
It was the YouTube suggestion for this video that made Ciro Santilli aware of the Reuters article almost one year after its publication, which kickstarted his research on the topic.
Full podcast transcript: darknetdiaries.com/transcript/75/
Read the full article
Fingerprints Updated 2025-03-28 +Created 1970-01-01
View more
From The Reuters websites and others we've found, we can establish see some clear stylistic trends across the websites which would allow us to find other likely candidates upon inspection:
The most notable dissonance from the rest of the web is that there are no commercial looking website of companies, presumably because it was felt that it would be possible to verify the existence of such companies.
Read the full article
List of websites Updated 2025-03-28 +Created 1970-01-01
View more
As a JSON: github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/hits.json. OurBigBook Markup to JSON conversion helper cia-2010-covert-communication-websites/bigb-to-json:
cia-2010-covert-communication-websites/bigb-to-json cia-2010-covert-communication-websites.bigb
and new results that have been added to the list below can automatically be merged with cia-2010-covert-communication-websites/bigb-to-json-merge:
cia-2010-covert-communication-websites/bigb-to-json-merge > tmp.json
mv tmp.json ../media/cia-2010-covert-communication-websites/hits.json
Hit criteria: has Wayback Machine archive, and clear indication of a known communication mechanism. The mechanism itself doesn't need to be archived however, a link to it is enough given other supporting elements: IP range, site style, date, web archive date pattern. JS commons are always quickly visually inspected, other mechanisms we look only at filename patterns. Commented edge cases that didn't make the cut can be found mostly under Section "IP range search" and Section "2013 DNS Census virtual host cleanup heuristic keyword searches".
ipdomainWayback Machinelanguagecountry mentionscommsthemenotes
?24hoursprimenews.com2009EnglishJARnewssplit images[ref][ref]
?all-sport-headlines.com2011ArabicJARnewssplit images[ref][ref]Arabic-looking alphabet, image only so can't Google translate easily.
?cyhiraeth-intlnews.com2011EnglishJARnewsen.wikipedia.org/wiki/Cyhyraeth "The cyhyraeth is a ghostly spirit in Welsh mythology, a disembodied moaning voice that sounds before a person's death." WTF! So the serious looking black actress lady is meant to represent the voice of death?. Split images[ref][ref]. rss-items. Here she is on Getty Images: www.istockphoto.com/photo/natural-style-for-the-individual-gm171403107-26684547 by Urilux
?dailynewsandsports.com2013EnglishJARsports
?differentviewtoday.com2011EnglishJARnewssplit images, JAR unarchived
?euronewsonline.net2010EnglishJARnewsa.newslink. The image of the woman reading newspapers reverse searches to www.istockphoto.com/photo/news-gm101581053-7410445, iStock from Getty images
?europeannewsflash.com2011EnglishJARnewsSplit images[ref][ref]
?farsi-newsandweather.com2011FarsiIranJARnewssplit images[ref][ref]
?financecentraltoday.com2011EnglishJARnews, financeunusual td > p > strong article list. Copyright 2008.
?firstnewssource.com2011FarsiIranJARnewsCopyright 2009. Split images. rss-items.
?global-view-news.com2011EnglishJARnewssplit images[ref][ref]
?globaltourist.net2010EnglishJARtravelsplit images[ref][ref], rss-items. speed.jar "speed test" JAR pattern. Seems to have been legit both before.
?hassannews.net2010ArabicSWFnewsCSS or archive quite broken. Split images[ref][ref]. rss-items.
?health-men-today.com2011ArabicJARnewsrss-items. Encoding broken.
?inkfreenews.com2011EnglishJARnewssplit images, JAR unarchived
?internationalnewsworthiness.com2011EnglishJARnewsRSS, split images, JAR unarchived
?intlnewsdaily.com2011EnglishJARnewsrss-items
?intoworldnews.com2011EnglishJARnewssplit images. Links to news websites from frontpage, not news themselves.
?iranfootballsource.com2011FarsiJSsports, football
?iraniangoalkicks.com2008FarsiIranJARsports, football
?iraniangoals.com2009FarsiIranJSsports, football
?latinamericanewsbeat.com2010EnglishJARnewssplit images
?magneticfieldnews.com2010EnglishJARnewsrss, split images
?middle-east-newstoday.com2010FarsiJSnewsrss, split images
?mideasttoday.net2010FarsiJARnewsa.rss-item, split images, copyright 2008
?mydailynewsreport.com2011PashtoAfghanistanJARnewsrss, split images
?mynepalnews.com2011EnglishJARnewssplit images, JAR unarchived. Nice swimsuit ad.
?newdaynewsonline.com2011EnglishJARnews
?mywebofnews.com2011ArabicJARnewsSplit images[ref][ref]. rss-items.
?networkconnectionsite.com2011EnglishJSnewsrss, split images
?news-latina.com2011EnglishJARnewscopyright 2007
?newsdelivered.net2010EnglishJARnewsrss, split images, JAR unarchived
?newsincirculation.com2011ArabicJARnews
?newsworldsite.com2011PashtoAfghanistanJARnews
?opensourcenewstoday.com2010ArabicJARnewscopyright 2010
?outlooknewscast.com2011FarsiIranJARnews
?pars-technews.com2011FarsiIranJARnews"pars" presumably means "Parsi" or something of the same root
?pondernews.net2011ArabicJARnewsrss
?profile-news.com2011EnglishJARnewsa.newslink
?purlicue-news.com2011EnglishJARnewssplit images, rss
?rastadirect.net2010EnglishJARfansite
?segomonews.com2011EnglishJARnewsrss, split images. TODO meaning of "segomo"? The main Wikipedia hit is a Gallo-Roman God, but the website is focused on Asia?
?shadesofnews.com2011ArabicJARnewsa.rss-item, split images. Also has a second JAR at: web.archive.org/web/20131229092754/http://shadesofnews.com/sptgms213.jar
?sportsnewsfinder.com2011ChineseChinaJARnews体育新闻发现者 (sports news finder)
?technologypresstoday.com/2011FarsiJARnewssplit images, RSS
?techwatchtoday.com2011EnglishJARtech, newsMarked copyright 2008. Split images[ref][ref]. Later legit.
?terrain-news.com2011PashtoAfghanistanJARnews
?theworldnewsfeeds.com2011EnglishJARnewsrss-items. Split images[ref][ref]
?todayoutdoors.com2011EnglishJARsports, travelsplit images[ref][ref]
?todaysnewsreports.net2010ArabicJARnews
?weblognewsinfo.com2011EnglishJARnewsSplit images, rss-items.
?wiredworldnews.com2011EnglishJARtechsplit images, copyright 2008
?worldofonlinenews.com2011EnglishJARnewssplit images[ref][ref]. Later legit.
62.22.60.46flyingtimeline.com2011EnglishJARairplanes
62.22.60.48currentcommunique.com2011EnglishEgyptSWFnews
62.22.60.49telecom-headlines.com2011EnglishJStech
62.22.60.52collectedmedias.com2011FrenchJSnewsMarked copyright 2008
62.22.60.55thefilmcentre.com2011EnglishJSfilms
62.22.60.56traveltimenews.com2011EnglishJSnews
62.22.61.193awfaoi.org2010ArabicIraqJARnot-for-profitThis was the first clear .org hit with comms we've been able to find. Title translation: "Arab women to help Iraq", so perhaps "awfaoi" stands for "Arab Women For A O? Iraq". This fits well into the .org theme. Marked copyright 2008.
62.22.61.197rc5sports.com2011EnglishJARsports
62.22.61.198inside-vc.com2011EnglishCGIfinance"vc" is a standard abbreviation for venture capital
62.22.61.200zerosandonesnews.com2011EnglishSWFnewsrss, split images
62.22.61.202bailsnboots.com2011EnglishSWFsports, cricket"Bail" is one part of the thing your're supposed to hit with th eball in cricket.[ref]
62.22.61.203the-cricketer-online.com2011EnglishJARsports, cricketmarked copyright 2009.
62.22.61.204hollywoodscreen.net2011EnglishJSfilms
62.22.61.206worldnewsnetworking.com2011ArabicJARnews
62.22.61.212nuestrasfinanzas.com2011SpanishJARfinance
62.22.61.213sandstormnews.com2011ArabicSWFnewsrss, split images
62.22.61.217court-masters.com2011EnglishJARsports, tennis
62.22.61.219allworldstatistics.com2011EnglishJSstatistics
62.22.61.220newsjaka.com2011EnglishIndonesiaJSnews"jaka" presumably means Jakarta, the capital of Indonesia. There is a Indonesia section on the left sidebar. But the news are quite global however. Photo source: www.shutterstock.com/image-photo/little-boat-on-bratan-lake-front-5860873 depicts "Bratan lake in front of the Pura Ulu Danau temple" by Ine Beerten. Pinged her at: portfolio.inebeerten.be/#Contact
63.131.229.2fightskillsresource.com2011EnglishJSsports, martial artsGetty Images for the karate dude: www.istockphoto.com/photo/take-off-gm98702037-1196239
63.131.229.4unitedterritorynews.com2011EnglishJSnews
63.131.229.9show-dustry.com2011EnglishCGIentertainmentThe website name is a neologism with "show" and "industry".
63.131.229.11mythriftytrip.com2011EnglishCGItravelthrifty means: "using money and other resources carefully and not wastefully"
63.131.229.12cyberreportagenews.com2011EnglishJARnewsrdns source
63.131.229.13sunrise-news.com2011EnglishJARnewsrdns source
63.131.229.15cricketnewsforindia.com2013EnglishIndiaJSsports, cricketarchive quite broken, lots of missing files, including the JS
63.131.229.16nutricion-saludable.net2010SpanishCGIhealth
63.131.229.20fixashion.net2011EnglishJSfashion
63.130.160.50theglobalheadlines.com2010EnglishJARnewsthis has several archives from 2013, marked as Live Web Proxy Crawls and explained "mostly by the Save Page Now", so presumably by counter intelligence or amateurs
63.130.160.51hai-pow.com2011EnglishJARsports, martial arts
63.130.160.53echessnews.com2011ChineseChinaJARsports, boxingChinese title: 我的象棋世界 (My Chinese Chess world). rdns source. Split images[ref][ref]
63.130.160.60boxingstop.net2010PolishPolandJARsports, boxing
63.130.160.62azerinews.org2009AzerbaijaniAzerbaijanJARnewsrdns source. Split images, rss-items.
64.16.204.55holein1news.com2010EnglishJARsports, golf
64.16.204.58tech-topix.com2013EnglishCGItechArchive quite broken, but link to CGI comms.
65.61.127.163capture-nature.com2011EnglishJARphotographyReuters example. Since became legitimate, Ciro contacted the owner, and he was unaware of the domain's history.
65.61.127.166globalnewsbulletin.com2013EnglishTunisia, Afghanistan, Iran, EgyptCGInewsPHP pages, images /images/index_01.jpg
65.61.127.169crossovernews.net2011EnglishJARsports, basketball
65.61.127.174dedrickonline.com2010GermanJSsports
65.61.127.175altworldnews.com2013EnglishCGInewsEpoch times link, PHP pages
65.61.127.178tee-shot.net2011EnglishSWFsports, golfnice domain name
65.61.127.182pangawana.com2011ArabicAfghanistanJSnews
65.61.127.183cutabovenews.com2011EnglishAlgeria, various othersJSsports, basketballThe globe on Shutterstock: www.shutterstock.com/image-illustration/creative-drawing-charts-graphs-business-success-211092952 by rzoze19. Pinged him at: x.com/cirosantilli/status/1899748328549609700
65.61.127.184worldwildlifeadventure.com2011EnglishJARtravel
65.61.127.186explorealtmeds.com2013EnglishJARhealththe JAR was not archived, but there's a link to it
65.218.91.9welcometonyc.net2010EnglishCGItravel
65.218.91.17alljohnny.com2004EnglishCGIfansitemega early hit from 2004 to 2005. Then a gap, then they redid the domain: 2011. Same authors given content similarities e.g. "Submit Your Favorite Carson Moment". Reusing the domain after all these years, the lack of OPSEC is just mind blowing! New website marked Copyright 2003. Part of Oleg Shakirov's findings. One of the Reuters websites. Search documented at: Searching for Carson. Carson is also featured, although less proeminently, at webofcheer.com. There must have been some massive Johnny Carson fan among the contractors a that time!
66.45.179.192thegraceofislam.com2011EnglishCGIreligion, Islam
66.45.179.193arabicnewsunfiltered.com2011ArabicJARnewsrdns source
66.45.179.194raulsonsglobalnews.com2011EnglishJARnews
66.45.179.195aryannews.net2010PashtoAfghanistanJARnewsrdns source. Heil.
66.45.179.199attivitaestremi.com2011ItalianCGIsports
66.45.179.201hitthepavementnow.com2011EnglishCGIsports, running
66.45.179.202newimages.org2011TurkishTurkeyJARphotographyJAR unarchived
66.45.179.203noticiascontinental.com2011SpanishSouth AmericaCGInews
66.45.179.205noticiasporjanua.com2011SpanishJARnews
66.45.179.206podisticamondiale.com2010ItalianItalyJARsports, runningmarked copyright 2010
66.45.179.207reflectordenoticias.com2011SpanishJARnews
66.45.179.208havenofgamerz.com2011EnglishCGIgamingmarked copyright 2009
66.45.179.210sa-michigan.com2011EnglishJARsports"sa" is an abbreviation for the site title "Sports Alive"
66.45.179.211absolutebearing.net2010EnglishCGItravel, sports, boats
66.45.179.213myportaltonews.com2011EnglishJSnews
66.45.179.214investmentintellect.com2011EnglishJARfinance
66.45.179.215nigeriastar.net2011EnglishNigeriaJARnewsContains link to unarchived JAR
66.104.169.163doctorsoncallsite.com2011EnglishJARhealth
66.104.169.164lightandshadowonline.com2010EnglishJARphotography
66.104.169.168plugged-into-news.net2010EnglishJARnewsJAR uses .zip extension! First instance, wow
66.104.169.171golf-on-holiday.com2011EnglishJARsports, golf
66.104.169.172perspectiva-noticias.com2011SpanishJSnews
66.104.169.175aquaswimming.com2009EnglishJARsports, swimming
66.104.169.177dojo-temple.com2011EnglishCGIsports, martial artsTODO meaning of "kama"? Kama lol?
66.104.169.179neighbour-news.com2010EnglishGermanyJARnewsMentions of Goethe-Institut and Germany all over. JAR unarchived
66.104.169.180medicatechinfo.com2010EnglishJShealth
66.104.169.181brickmanfinancialnews.com2011EnglishJSfinance
66.104.169.182casanewsnow.com2011EnglishJARJAR unarchived. TODO why "casa"? Doesn't seem to have any link to Spanish or Portuguese.
66.104.169.184bcenews.com2011AlbanianAlbaniaJARnews
66.104.173.163runakonews.com2011EnglishAfricaCGInews"Runako" is an African given name.
66.104.173.164shoppingadventure.net2010EnglishJARtravel, shoppingJAR unarchived
66.104.173.165entertaining-ly.com2011EnglishJARentertainment
66.104.173.166zubeenews.com2011EnglishJSnews"Zubee" is a Muslim name: muslimnames.com/zubee.
66.104.173.169smart-financeology.com2011EnglishJARfinance
66.104.173.175media-coverage-now.com2010EnglishSWFnews
66.104.173.176jbc-online-news.com2011EnglishJSnewsTODO meaning of "JCB". JS unarchived.
66.104.173.177webscooper.com2011EnglishJARnews
66.104.173.178dk-dcinvestment.com2010EnglishJARfinanceTODO meaning of "dk;dc".
66.104.173.180stara-turistick.com2011CroatianJARtourism
66.104.173.181playbackpolitics.com2011EnglishJSnews
66.104.173.182snapnewsfront.net2011EnglishJapanJSnews
66.104.173.183ingenuitytrendz.com2011EnglishJARtech
66.104.173.184armashoy.com2011SpanishSpainSWFgunsmeaning: "Weapons Today". In First World countries the CIA felt it would be safe to touch edgier subjects like guns
66.104.173.185baocontact.comEnglishJARHTML archive almost empty, but JAR was archived. One wonders what "bao" refers to, could be Chinese, but the small snippet of visible website is in English.
66.104.173.186myworldlymusic.com2011EnglishPakistanJARmusicJAR unarchived
66.104.173.189hitpoint-gaming.com2011EnglishJSgamingMarked copyright 2010
66.104.175.34itwebtoday.com2011EnglishJStech
66.104.175.35drglobalnews.com2011EnglishJARnewsTODO meaning of "dr"? rdns source.
66.104.175.36adilnews.net2010ArabicSWFnewsAdil is an Arabic masculine name
66.104.175.40beyondnetworknews.com2011EnglishEgyptCGInews
66.104.175.41grubbersworldrugbynews.com2011EnglishJSsports, rugby
66.104.175.42news-and-sports.com2011EnglishJARnewsrss, split images
66.104.175.44yourtripfinder.net2010Englishtravelcomms not found, CGI from unarchived subpage assumed
66.104.175.45rollinsnetwork.com2011EnglishCGItechCGI linked to but not archived
66.104.175.46infosharenews.com2011EnglishJARnews
66.104.175.47southasiaheadlines.com2011EnglishBangladesh, Bhutan, India, Maldives, Nepal, Pakistan, Sri Lanka TibetJARtravelJAR linked to but missing from archive
66.104.175.48worlddispatch.net2010ArabicSWFnews
66.104.175.49webworldsports.com2011ArabicJARsports
66.104.175.50fly-bybirdies.com2011EnglishJARtravel
66.104.175.51businessexchangetoday.com2011EnglishCGInews, financePHP pages
66.104.175.52mensajeradenoticias.com2011SpanishCGInewsCGI unarchived
66.104.175.53info-ology.net2010EnglishJARnews
66.104.175.54marketflows.net2011EnglishJARfinance
66.104.175.57metanewsdaily.com2010EnglishCGInews
66.175.106.134paddlescoop.com2011EnglishBangladesh, Pakistan, India, EnglandJARsports, cricket
66.175.106.137kessingerssportsnews.com2010EnglishJSsports
66.175.106.138factorforcenews.com2009EnglishJARnews
66.175.106.142kanata-news.com2010EnglishCanadaJSnews"Kanata" is a place in Ottawa, Canada. The name is likely of Indigenous origin.
66.175.106.143thecricketfan.com2011EnglishJARnews
66.175.106.146inews-today.com2011EnglishEgyptJARnewsMarked copyright 2008
66.175.106.147starwarsweb.net2010EnglishSWFfansitewell, not even the CIA can escape Star Wars. TODO identify boy.
66.175.106.148activegaminginfo.com2011ChineseJARgamingthe website is entitled "活跃游戏" which means "Lively games", or "active games" as in the domain name itself. The center character seems to be from one of the infinitely many Romance of the Three Kingdoms games that must exist: www.gamersky.com/news/200711/82611.shtml
66.175.106.149feedsdemexicoyelmundo.com2011SpanishMexicoJSnews
66.175.106.150noticiasmusica.net2010Brazilian PortugueseBrazilJARmusic
66.175.106.155atomworldnews.com2011EnglishEgyptJARnews
66.175.106.158nouvellesetdesrapports.com2011FrenchEgypt, TunisiaJARnews
66.237.236.227newsandmusicminute.com2011PashtoJSmusic
66.237.236.229pearls-playlist.com2011EnglishSWFmusic
66.237.236.230beyondthefringe.info2012EnglishJARrugsJAR unarchived
66.237.236.231primetimemovies.net2009EnglishJSfilmsJS unarchived
66.237.236.235persephneintl.com2013JARarchive very broken, JAR unarchived. Full title: "Persephne International", reference to Greek Goddess of "spring, the dead, the underworld, grain, and nature"
66.237.236.236directoalgrano.net2010SpanishJARnews
66.237.236.240actualizaciondebeisbol.com2011SpanishJSsports, baseball
66.237.236.243mygadgettech.com2009ChineseCGItechArchive very broken
66.237.236.247comunidaddenoticias.com2011SpanishEcuadorJARnews
66.237.236.249sumerjaseahora.com2011SpanishCGIsports, SCUBA divingsubmerge yourself now
69.84.156.69al-ashak-news-me.com2011ArabicJSnews
69.84.156.71worldfinancetoday.net2011EnglishJARfinance
69.84.156.72autonewsarabia.com2011ArabicJARcars
69.84.156.74blue-moon-news.com2011ArabicJSnews
69.84.156.76tnc-urdu.com2011UrduJARtechTODO meaning of "tnc"?
69.84.156.82arabicnewsonline.com2011ArabicJARnewsrdns source. Some very similar domains: modernarabicnews.com, arabicnewsource.com. Needed more creativity here! Later legit.
69.84.156.83unganadormundial.com2010SpanishCGIsports, fitness
69.84.156.88diariodeelmundo.com2011SpanishJARnews
69.84.156.89todaysarabnews.com2011ArabicJARnewsJAR unarchived.
69.84.156.90stickshiftnews.com2011EnglishJARcars
69.84.156.91theinternationalgoal.com2011SpanishCGInews
72.34.53.174electronictechreviews.com2011EnglishJARtechJAR unarchived. Split images, rss-items. Present at "Mass Deface III" pastebin.
72.34.53.174just-the-news.com2011ArabicJARnewscopyright 2009. Present at "Mass Deface III" pastebin. JAR unarchived.
72.34.53.174kickitnews.com2010ArabicJARsports, footballcopyright 2009. Present at "Mass Deface III" pastebin.
72.34.53.174moyistochnikonlaynovykhigr.com2011RussianRussiafansitecopy of myonlinegamesource.com, but on a Russian transliterated domain rather than the English one, very interesting
72.34.53.174myhealthlibrary.net2011EnglishJARhealthpresent at: "Mass Deface III" pastebin.
72.34.53.174myonlinegamesource.com2011RussianRussiagamingCan't find comms, but stylistically perfect. rss-items. Present at "Mass Deface III" pastebin.
72.34.53.174mytravelopian.com2011EnglishJARtravel
72.34.53.174recursosdenoticias.com2011SpanishJARnewsSplit images, rss-items. Present at "Mass Deface III" pastebin.
72.34.53.174sayaara-auto.com2010ArabicJARcars
72.34.53.174technologytodayandtomorrow.com2011EnglishJARtechrss-items. Present at "Mass Deface III" pastebin.
72.34.53.174todaysnewsandweather-ru.com2011RussianRussiaJSnewsJavaScript with SHAs
74.116.72.227dayenews.com2011EnglishJARnewsrdns source. Previously 69.74.45.67.
74.116.72.229guide-daventure.com2011FrenchFranceJARtravel
74.116.72.231bleachersfootballnews.com2011EnglishJARsports, footballTODO meaning of "Bleacher"? Possible reference to Bleacher Report.
74.116.72.232indirectfreekick.com2011EnglishJARsports, football
74.116.72.233wwiichronicles.net2011EnglishCGIhistory
74.116.72.234petroleumagenews.com2011EnglishJARoil
74.116.72.235the-open-book-online.com2011EnglishJSliterature
74.116.72.236techtopnews.com2011EnglishJARtech
74.116.72.239crickettoday.info2013PashtoJSsports, cricketJS unarchived. The requested URL /cricket.js was not found on this server
74.116.72.240zafernews.com2011ArabicJARnews
74.116.72.242gdgtsource.com2011EnglishCGItechPresumably "gdgt" stands for "GaDGeT", which is mentioned on subtitle
74.116.72.246vuvuzelanews.com2011EnglishJARsports, footballVuvuzela is this plastic horn, popular in football stadiums. The term is of African origin. Later legit. rdns source. Previously at 69.74.45.86.
74.116.72.247ballbatstumpsandbails.com2011EnglishJARsports, cricket
74.116.72.249round-trip-travel.com2010EnglishCGItravelthis got archived a lot of times, though all seem to be Alexa crawls.
74.116.72.250arabicnewsource.com2011ArabicCGInews
74.254.12.163half-court.net2010EnglishPhilippinesJARsports, basketball
74.254.12.164dailywellnessnews.com2011EnglishJARhealthrdns source. split images[ref][ref].
74.254.12.165dylandon.net2011ChineseSWFmusic"Dylan" presumably a reference to Bob Dylan? "Don" unclear. Maybe Don McLean?
74.254.12.166afghanpoetry.net2010EnglishAfghanistanSWFpoetryAlso at 63.131.229.10[ref] in a range.
74.254.12.168non-stop-news.net2010FarsiJARnews
74.254.12.169soldiersofsouthasia.com2011EnglishJARhistory
74.254.12.171autism-news.org2011EnglishSWFhealthcopyright 2007. Split images. rss-items. Previously at 69.74.45.67.
74.254.12.173thefreshnews.com2009EnglishSWFnewsrss, split images
74.254.12.176pakcricketgrd.com2011UrduJARsports, cricketTODO meaning of "grd"
74.254.12.177networkofnews.com2011EnglishJARnewsrdns source. Later legit.
74.254.12.179wineconnaisseur.net2010EnglishJSwine
74.254.12.180helpinghandssite.com2011EnglishJARnews
74.254.12.188first-tee-golf.com2011EnglishJARsports, golf
74.254.12.189fabu-foto.com2011EnglishCGIphotography
74.254.12.190viptravelabroad.com2011EnglishJStravel
174.133.70.18dryterrainnews.com2011EnglishAfricaJARnewsrss
174.133.70.18thefootball-life.com2011EnglishJSsports, footballrss, split images
174.133.70.18thenewsofpakistan.com2009EnglishPakistanJARnewsa.rss-item, split images
174.133.70.18totallynewsnow.com2011EnglishJSnewsrss
199.85.212.105mide-news.com2010EnglishCGInews"MIDE" stands for "Middle East". Comms not archived, presumably CGI comms variant.
199.85.212.111newsandsportscentral.com2009EnglishJARnewsrdns source
199.85.212.118just-kidding-news.com2011EnglishJARnewsepic name
199.187.208.12webofcheer.com2011EnglishJARfansite, comedyhas a an unarchived "members only!" section pointing to webofcheer.com/member.html, CGI comms variant. Copyright 2005! Features Johnny Carson, Charles Chaplin, Rowan Atkins, The Three Stooges and some other Americans no one knows about anymore. There must have been a massive Johnny Carson amongst the CIA contractors at that time given alljohnny.com! The HTML page is weirdly titled pg1c. Interesting, feels like a leak of the site generation system.
199.187.208.12world-news-online.net2010EnglishJARnewsa.rss-item, split images
204.176.38.130i-pressnews.com2011EnglishJARnews
204.176.38.132turkishnewslinks.com2011EnglishTurkeyJARnews
204.176.38.133globalcitizennews.net2010EnglishJARnewsrss, split images
204.176.38.134photographyarecord.com2011EnglishCGIphotographyCute
204.176.38.135breakingthewicket.com2011EnglishCGIsports, cricket
204.176.38.136politicalworldtoday.com2011EnglishEgyptJARnews
204.176.38.137hi-tech-today.com2011EnglishJARtech
204.176.38.139bigscreenbattles.com2011EnglishJARfilms
204.176.38.141rakotafootball.com2011EnglishJARsports, football"Rakota" is an Indian family name
204.176.38.143noticiassofisticadas.com2011SpanishCGInews
204.176.38.142senderosdemontana.com2011SpanishJSsports, cyclingTalks about mountain biking and Eurobike 2010, so likely Spain focused, but it is not direct enough to be certain. JS unarchived.
204.176.38.144techno-today.com2011EnglishJARtechwas legit previously.
204.176.38.145tickettonews.com2011EnglishJARnewsrdns source. Epoch times link.
204.176.38.146dps-digitalphotosharing.com2011EnglishJARphotography
204.176.38.147theputtingreen.com2011EnglishJARsports, golf
204.176.38.149sportsnewstodayar.com2011ArabicLebanon, othersJARsports"ar" on domain name presumably means "Arabic"
204.176.38.159kairuafricanews.com2011EnglishAfricaJARnewswhat is "Kairu"? en.wikipedia.org/wiki/Kairu a place in India? en.wiktionary.org/wiki/kairu "frog" in Japanese? rdns source
204.176.39.97beamingnews.com2011ArabicJARnewsNice design. rdns source
204.176.39.98cubriendonoticias.com2011SpanishJARnewsarchive quite broken. JAR unarchived.
204.176.39.100rowleyworldpost.com2011EnglishEgypt, othersJARnews
204.176.39.103economicnewsbuzz.com2011KoreanCGIfinanceLove the kawaii style
204.176.39.104spectranewsonline.com2011EnglishCGInewsmarked copyright 2010.
204.176.39.105entertainmentnewscompany.com2011ChineseSWFfilms, musicTitle: "娱乐新闻公司", lit. Entertainment News Company
204.176.39.110arabnewsatdawn.com2011ArabicCGInewscute, the Arab chick's ice cream actually has a cocktail umbrella on it. Marked copyright 2010. Here she is: www.shutterstock.com/image-photo/young-veiled-woman-reading-newspaper-eating-4836766 by Anneka. Pinged her privately on www.facebook.com/Anyka.Fotografie.
204.176.39.115globalprovincesnews.com2010ArabicJSnews
204.176.39.116mahparah-news.com2011FarsiJSnews
204.176.39.119commercialspacedesign.com2013FarsiCGIarchitectureC O N C E P T U A L design. A rare example of a fake company website.
207.210.250.131starrynightnews.com2011ArabicJSnewsinteresting design
207.210.250.132aeronet-news.com2011EnglishJARairplanes
207.210.250.133bakaribulletin.com2011EnglishAfricaJSnewsBakari could either be a given name, or a village in Togo
207.210.250.134deprensaenlarevisiondehoy.com2011SpanishJARnews
207.210.250.135icwb-news.com2011EnglishJARnewsICWB stands for "Inner Circle Worldwide Business (News)", the title of the website
207.210.250.136sportsreelhighlights.com2011EnglishJARsports
207.210.250.138inquiry-human-past.com2011EnglishJARhistory
207.210.250.139thefairwaysaregreen.com2011ThaiJARsports, golf
207.210.250.143archaeologyreview.net2010EnglishJARhistory, archeology
207.210.250.146noticias-caracas.com2011SpanishVenezuelaCGInewsCaracas is the capital of Venezuela. But you knew that, right?
207.210.250.147bailandstump.com2011EnglishJSsports, cricket"Bail" and "Stump" are the two parts of the thing your're supposed to hit with the ball in cricket.[ref]
207.210.250.149globalventurestat.com2008EnglishSWFnews
207.210.250.152al-rashidrealestate.com2010ArabicEgyptCGIfinance, real-estate
207.210.250.153newsintheworld-ru.com2011RussianJARnews
208.93.112.105fastnews-online.com2009EnglishJARnewsa.newslink
208.93.112.106travelxtreme.net2008EnglishJARtravelsplit images
208.93.112.108nbanewsroundup.com2013EnglishCGIsports, basketballquite broken with only HTML archived in 2013, but we're counting it due to coms link and IP range.
208.254.38.39todaysengineering.com2011EnglishCGIengineering
208.254.38.56nejadnews.com2011ArabicJARnewsrss, JAR unarchived
208.254.40.96sixty2media.com2011EnglishVariousJARnewsEpoch times link
208.254.40.99newspoliticssource.com2013ArabicJARnewsOne of the news mentions Snowden
208.254.40.110musical-fortune.net2010EnglishCGImusicimages /images/banner-02.jpg
208.254.40.113ashoka-gemstones.com2010EnglishJARjewelry
208.254.40.117worldnewsandent.com2010ArabicEgyptCGImews
208.254.40.124riskandrewardnews.com2013EnglishCGIfinance
208.254.42.194it-proonline.com2011EnglishCGItechimages /images/header_01.jpg
208.254.42.205driversinternationalgolf.com2011EnglishCGIsports, golf
208.254.42.209mardelsurnoticias.com2011SpanishJARnewsweird mixture of Portuguese and Spanish language external links
208.254.42.215nowfreshfinances.com2011EnglishCGIfinanceCGI unarchived
208.254.42.216circulatingnews.net2010EnglishJARtravel
208.254.42.219westingtonpassnews.com2011EnglishJARnews
209.51.136.178cellar-notes.com2011EnglishJARwinerss, split images, JAR unarchived
209.51.136.178the-news-scene.com2011EnglishJARnewssplit images, RSS
210.80.75.36e-commodities.net2011EnglishJARfinance
210.80.75.37trekkingtoday.com2011EnglishJARsports, runningsplit images[ref][ref]. rdns source.
210.80.75.41multinews-33.comJARnewsNo archives of the HTML, but the JAR was archived
210.80.75.43gulfandmiddleeastnews.com2011ArabicJSnews
210.80.75.44whirlybirdinflight.com2011EnglishJARhelicopters
210.80.75.45kings-game.net2011EnglishJARgaming, chessJAR unarchived
210.80.75.46topglobalnewsdaily.com2011EnglishJSnews
210.80.75.49recipe-dujour.com2011EnglishJARcookingnice design
210.80.75.55philippinenewsonline.net2010PhilippinesJARnews
210.80.75.56technewsforme.com2011FarsiJARtech
212.4.16.224lanoticiasdehoyelinforme.com2010SpanishJARnews
212.4.16.232mynewscheck.com2011EnglishCanadaJARnewsrdns source
212.4.16.245financial-crisis-news.com2011RussianRussiaJARnewsrdns source
212.4.16.252minutosdenoticias.com2010SpanishCGInewsCSS
212.4.17.38fightwithoutrules.com2011RussianJARsports, combat sportsThe photo on top middle can be seen e.g. at spfightingtalk.wordpress.com/2013/01/18/breaking-down-mixed-martial-arts-what-is-mma/. The fither on top is Mac Danzig, TODO find bottom one lazy now.
212.4.17.41newtechfrontier.com2010EnglishCGItechsince became legit: newtechfrontier.com/
212.4.17.43smart-travel-consultant.com2011ChineseCGItravelajaxtax.js may be of interest for fingerprinting. Title: "智能旅行顾问", lit. Smart Travel Consultant
212.4.17.46atentlaloc.com2009EnglishQuatar, Lebanon, Israel, IranJSjewelryTlaloc is an Aztec deity, and Aten is an Egyptian deity. Both appear to be somewhat linked to gold, thus their usage in a jewelry website. Creative domain name.
212.4.17.53newsresolution.net2010EnglishCôte d'Ivoire, Lebanon, SudanJARnews, UN Peacekeeping
212.4.17.56lesummumdelafinance.com2010FrenchFranceJARfinance
212.4.17.98topbillingsite.com2011EnglishCGIfilms
212.4.17.122b2bworldglobal.com2011EnglishCGInews
212.4.17.125worldaroundyunnan.com2011ChineseJARnewsrss, split images, JAR
212.4.17.160localtoglobalnews.com2010EnglishJARnewsrss, split images
212.4.18.14football-enthusiast.com2011EnglishEuropeJSsports, football
212.4.18.129sightseeingnews.com2010EnglishJARtravel
212.209.74.105globalbaseballnews.com2011EnglishJSsports, baseball
212.209.74.106football-de-luxe.com2010FrenchFranceJARsports, football
212.209.74.112developmental-league.com2010EnglishCGIsports, American footballCGI comms variant?
212.209.74.115mediocampodefutbol.com2010SpanishJARsports, football
212.209.74.117myengineeringaffinity.com2011EnglishJARtech
212.209.74.123worldfinancialexchangenews.com2010EnglishSWFfinanceSWF unarchived.
212.209.74.125avoilurefixe.com2011FrenchTunisiaJARairplanes"à voilure fixe" is French for "with fixed wing", i.e. fixed wing aircraft
212.209.74.126headlines2day.com2011FarsiJARnewsmarked copyright 2009
212.209.79.34fgnl.net2011EnglishIranCGInewsfour letter domain! FGNL stands for "Farsi Global News Links" Marked copyright 2009.
212.209.79.37fitness-sources.com2010EnglishJSsports, fitness
212.209.79.40hydradraco.com2011EnglishJARsports, American footballTODO meaning of the name?
212.209.79.41noticiasdelmundolatino.com2011SpanishJARnews
212.209.79.42suparakuvi.com2011FrenchFranceJARnewsa Tour Eiffel image, and young people stuff, i.e. first world stuff. It's for France alright. But TODO meaning of domain name? Ciro's second language French didn't cut it this time.
212.209.79.46cetusdelph.com2011EnglishJSsports, scuba
212.209.79.47willtoworship.com2011EnglishJARreligion, Christianitymarked copyright 2007 (!)
212.209.79.48themvconnection.com2011EnglishJARmusic
212.209.79.51pi-resources.net2010EnglishJSprivate investigators"pi" stands for Private Investigators. The CIA must have had some fun making this one.
212.209.79.53ourscubaworld.com2011EnglishJSsports, scuba
212.209.79.58tech-love-home.com2011ChineseJStechTitle: "消费类电子产品", lit. Consummer Electronics
212.209.79.60first-solo-aviation.com2010EnglishJARairplanes
212.209.79.61china-destinations.org2011ChineseJStraveltitle: "中国目的地指南", lit. "China Destination Guide"
212.209.90.69worldedgenews.com2011EnglishJARnews
212.209.90.74globalinvestmentnews.net2010EnglishJARnewsrss, split images
212.209.90.80nsmovies.net2010EnglishJARfilms"ns" stands for "Nirguna Saguna", two separate Hindu names/deities. But there are no other Indian references beyond those.
212.209.90.82middleeastjournal.net2010ArabicJSnews
212.209.90.84thenewseditor.com2011EnglishJARnews
212.209.90.87newsandweathersource.com2009EnglishJARnewsmarked copyright 2009.
212.209.90.89pakisports.com2010EnglishPakistanSWFsports
212.209.90.90vriha-aesthetics.com2011ArabicJSnews
212.209.90.92amishkanews.com2011EnglishIndiaJSnewsAmishka is an Indian name, plus some prominent mentions of Bollywood both point to India specifically
212.209.90.93theentertainbiz.com2011EnglishJARentertainment
212.209.90.94eurosportssummary.com2011EnglishJARsports
216.93.248.194esmundonoticias.com2011SpanishJARnewsrss-items. Shares IP with kukrinews.com.
216.93.248.194kukrinews.com2010EnglishJSNewsJavaScript with SHAs. Talks to /cgi-bin/news.cgi. A Kukri is the national weapon of Nepal. Slogan: "Nepal's Sharp Edge", thus matching the website name. Split image header. Copyright 2009. Shares IP with esmundonoticias.com.
216.93.248.194lasthournews.com2010UrdujARnewssplit images
216.105.98.139cultura-digital.net2008SpanishCGInewsMarked copyright 2008. Previously legit.
216.105.98.140uaeshoppingspree.com2013EnglishUAEJARshoppingArchive quite broken, but has link to unarchived JAR. Has an unusually personal touch "As you can probably tell from the title of my website, shopping is my very favorite pastime."
216.105.98.145montanismoaventura.com2012SpanishSpainJSsports, mountaineeringJS unarchived. Marked copyright 2010.
216.105.98.147nepalnewsbrief.com2008EnglishNepalJARnewsMarked copyright 2006 (!) If true this would be the earliest known reference to a date in the websites.
216.105.98.152modernarabicnews.com2013ArabicJARnewsHTML archive quite broken, but JAR was archived thankfully.
216.105.98.154everythingcricket.org2011EnglishJARsports, cricketAlso has archives from 2009, but they were a bit broken. The 2011 one is marked copyright 2011, so they actually bothered to updated that.
216.105.98.156familyhealthonline.net2011EnglishCGIhealth
219.90.61.110surya-brahma.com2011SpanishJARnewsSurya and Brahman are Hindu concepts, but the website appears to have nothing to do with India or Hinduism. Interesting.
219.90.61.111classicalmusicboxonline.com2010EnglishCGImusic
219.90.61.116athletepro.net2010EnglishJARsports
219.90.61.117lajornadanow.com2010SpanishJARnews
219.90.61.120theinternationalworld.com2011EnglishJARnewsrdns source. rss-items.
219.90.61.121thepyramidnews.com2011FarsiIranJARnews
219.90.61.122iran-newslink-today.com2011FarsiIranJARnews
219.90.61.123journeystravelled.com2011EnglishJARtravel
219.90.62.229information-junky.com2011EnglishGhanaJARnews
219.90.62.231todosperuahora.com2011SpanishPeruCGInews
219.90.62.233theworld-news.net2010UrduCGInews
219.90.62.234recuerdosdeviajeonline.com2011SpanishSWFtravelmarked "Copyright 2009"
219.90.62.237elcorreodenoticias.com2011SpanishVenezuelaJARnews
219.90.62.237ride-captain.com2011EnglishJARsports, motorcyles
219.90.62.238freshtechonline.com2011EnglishCGItech
219.90.62.241newscentertoday.com2011EnglishJARnewsCopyright 2008. rdns source. rss-items. Later legit, with a pause The domain name you have entered is not available. It has been taken down because the email address of the domain holder (Registrant) has not been verified..
219.90.62.243fitness-dawg.com2021EnglishJARsports, fitnessOriginal Reuters article sample. Pushup dude stock: www.istockphoto.com/photo/sweating-young-man-doing-push-ups-gm115455429-645125 by Mike R. Manzano, pinged at: x.com/cirosantilli/status/1899750172260806711. Dude was an ex-Sr. Software engineer at Coinbase from 2019-2022, he likely retired with the Bitcoin boom already legend. Still making apps as of 2024 though: www.facebook.com/leftspin. Dog at: www.istockphoto.com/photo/english-bulldog-gm92095947-2629950 by GlobalP.
219.90.62.244easytraveleurope.com2012EnglishJARtravelnice design
219.90.62.245world-news-now.net2011EnglishJARnews
219.90.62.246negativeaperture.com2011EnglishCGIphotographynice domain name
219.90.62.247conquermstoday.com2011EnglishCGIhealthMS means multiple sclerosis. Comms not found, CGI from unarchived subpage assumed. Has a subdomain "heal.conquermstoday.com" according to 2013 DNS Census, but no links to it in the archive.
Read the full article
44 new CIA websites Updated 2025-03-28 +Created 2025-03-13 2025-03-28
View more
This is an update to the article: Section "CIA 2010 covert communication websites"
I found 44 new covert websites made by the CIA around 2010 bringing the total to 397!
Most websites were boring as usual, but one was slightly cooler: webofcheer.com is a comedy fansite featuring Johnny Carson, Charles Chaplin, Rowan Atkins (of Mr. Bean fame), The Three Stooges and some other Americans no one knows about anymore. There must have been a massive Johnny Carson amongst the contractors at that time, given that we previously also knew about alljohnny.com, a site dedicated fully to him! Both of these sites also serve as some of the earliest examples we've got so far, dating back to 2004 and 2005.
Figure 1.
2011 Wayback Machine archive of webofcheer.com
. Source.
Figure 2.
2011 Wayback Machine archive of webofcheer.com scrolled to show Johnny Carson
. Source.
Figure 3.
2004 Wayback Machine archive of alljohnny.com
. Source. This one was a previously known website featuring Johnny Carson.
Another cool discovery is that I found the Getty Images source of the Jedi boy on their Star Wars themed site starwarsweb.net: web.archive.org/web/20101230033220/http://starwarsweb.net/ The photo can still be licensed today as of 2025: www.gettyimages.co.uk/detail/photo/little-jedi-royalty-free-image/172984439. I found it by searching for "jedi boy" on gettyimages.co.uk. The photo is credited to username madisonwi, presumably an alias of a photographer from Madison, Wisconsin. Inspired by this I reverse image searched and found the source of many other stock images from other websites, and I pinged their authors whenever I could locate them e.g. x.com/cirosantilli/status/1899750172260806711.
Figure 4.
Stock photo of a Jedi boy from Getty Images used on starwarsweb.net
. Source.
Figure 5.
2010 Wayback Machine archive of starwarsweb.net
.
There were two small advances that led to the discovery of new domains:
  • while looking for a way to procrastinate I decided to scrape justdropped.com/drops/ for fun. That website lists expired domain names and see if it would yield any new results.
    I had already scrapped other expired domain websites before and used that data, and I hoped that this one would provide some new domain hits, even though it had very large overlap with the other websites I had scraped domains from previously.
    Such domain name lists tend to contain all SCAM domains in existence, since those inevitably expire once the scammers are caught.
  • even more importantly, I noticed by chance that I was being too strict on a small part of my fingerprinting which was excluding a few good domains, by removing any hits that had multiple archives of the Communication mechanism
With those two new developments, I then kicked off my pre-existing search pipelines searching for domain names with the word news on them, an amazingly efficient heuristic because many of the websites were disguised as news aggregators, and after a few hours theses new hits emerged. A few of those also led to the discovery of new IPs which then led to new domains.
One entirely new IP range was found around fastnews-online.com from 208.93.112.105 to 208.93.112.125. There were many domain names with very promising names in the range, but unfortunately for some reason most didn't have Wayback Machine Archives so I didn't count them as hits as per my guidelines.
Figure 6.
2009 Wayback Machine archive of fastnews-online.com
.
Also the newly found todaysengineering.com at 208.254.38.39 appears to form an IP range with the previously known nejadnews.com at 208.254.38.56, but I couldn't find any other domains in the region with our current data sources.
Figure 7.
2011 Wayback Machine archive of todaysengineering.com
.
All other domains either slot into previously known IP ranges, or more commonly don't currently have a known IP, though they would likely just slot in existing ranges if we had better data.
Thanks to Jack Rhysider from the Darknet Diaries podcast for pointing me to the existing of the 2022 Reuters article that kickstarted my research on the subject!
One outcome of this update is that I've increased my jq level to better automate the maintenance of the hits.json file were I store all the known websites in JSON format. I love that tool so much, I managed to merge two JSONs with it removing duplicates and then sort the JSON as desired. Beauty.
Read the full article