CIA 2010 covert communication websites Updated 2025-02-22 +Created 1970-01-01
View more
This article is about covert agent communication channel websites used by the CIA in many countries from the late 2000s until the early 2010s, when they were uncovered by counter intelligence of the targeted countries circa 2011-2013. This discovery led to the imprisonment and execution of several assets in Iran and China, and subsequent shutdown of the channel.
https://raw.githubusercontent.com/cirosantilli/media/master/CIA_Star_Wars_website_promo.jpg
Video 1.
How I found a Star Wars website made by the CIA by Ciro Santilli
. Source. Slightly edited VOD of the talk Aratu Week 2024 Talk by Ciro Santilli: My Best Random Projects.
The existence of such websites was first reported in November 2018 by Yahoo News: www.yahoo.com/video/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html.
Previous whispers had been heard in 2017 but without clear mention of websites: www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html:
Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
[...]
From the final weeks of 2010 through the end of 2012, [...] the Chinese killed at least a dozen of the C.I.A.’s sources. [...] One was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.
https://raw.githubusercontent.com/cirosantilli/media/master/Yahoo_CIA_website_article.png
Then in September 2022 a few specific websites were finally reported by Reuters: www.reuters.com/investigates/special-report/usa-spies-iran/, henceforth known only as "the Reuters article" in this article.
Figure 1.
Banner of the Reuters article
. Source.
Figure 2.
Reuters reconstruction of what the applet would have looked like
. Source.
Figure 3.
Inspecting the Reuters article HTML source code
. Source. The Reuters article only gave one URL explicitly: iraniangoals.com. But most others could be found by inspecting the HTML of the screenshots provided, except for the Carson website.
Ciro Santilli heard about the 2018 article at around 2020 while studying for his China campaign because the websites had been used to take down the Chinese CIA network in China. He even asked on Quora: www.quora.com/What-were-some-examples-of-the-websites-that-the-CIA-used-around-2010-as-a-communication-mechanism-for-its-spies-in-China-and-Iran-but-were-later-found-and-used-to-take-down-their-spy-networks but there were no publicly known domains at the time to serve as a starting point. Chris, Electrical Engineer and former Avionics Tech in the US Navy, even replied suggesting that obviously the CIA is so competent that it would never ever have its sites leaked like that:
Seriously a dumb question.
So when Ciro Santilli heard about the 2022 article almost a year after publication, and being a half-arsed web developer himself, he knew he had to try and find some of the domains himself using the newly available information! It was an irresistible real-life capture the flag. The thing is, everyone who has ever developed a website knows that its attack surface is about the size of Texas, and the potential for fingerprinting is off the charts with so many bits and pieces sticking out. Chris, get fucked.
Figure 4.
"Seriously a dumb question" Quora answer by Chris from the US Navy
. Source.
In particular, it is fun to have such a clear and visible to anyone examples of the USA spying on its own allies in the form of Wayback Machine archives.
Given that it was reported that there were "more than 350" such websites, it would be really cool if we could uncover more of those websites ourselves beyond the 9 domains reported by Reuters!
This article documents the list of extremely likely candidates Ciro has found so far, mostly using:
more details on methods also follow. It is still far from the 885 websites reported by citizenlabs, so there must be key techniques missing. But the fact that there are no Google Search hits for the domains or IPs (except in bulk e.g. in expired domain trackers) indicates that these might not have been previously clearly publicly disclosed.
If anyone can find others, or has better techniques: Section "How to contact Ciro Santilli". The techniques used so far have been very heuristic, and that added to the limited amount of data makes it almost certain that several IP ranges have been missed. There are two types of contributions that would be possible:
Perhaps the current heuristically obtained data can serve as a good starting for a more data-oriented search that will eventually find a valuable fingerprint which brings the entire network out.
Disclaimer: the network fell in 2013, followed by fully public disclosures in 2018 and 2022, so we believe it is now more than safe for the public to know what can still be uncovered about the events that took place. The main author's political bias is strongly pro-democracy and anti-dictatorship.
May this list serve as a tribute to those who spent their days making, using, and uncovering these websites under the shadows.
If you want to go into one of the best OSINT CTFs of your life, stop reading now and see how many Web Archives you can find starting only from the Reuters article as Ciro did. Some guidelines:
  • there was no ultra-clean fingerprint found yet. Some intuitive and somewhat guessy data analysis was needed. But when you clean the data correctly and make good guesses, many hits follow, it feels so good
  • nothing was paid for data. But using cybercafe Wifi's for a few extra IPs may help.
Figure 5.
viewdns.info activegameinfo.com domain to IP
. Source.
Figure 6.
viewdns.info aroundthemiddleeast.com IP to domain
. Source.
Figure 7.
DNS Census 2013 website
. Source. This source provided valuable historical domain to IP data. It was likely extracted with an illegal botnet. Data excerpt from the CSVs:
amazon.com,2012-02-01T21:33:36,72.21.194.1
amazon.com,2012-02-01T21:33:36,72.21.211.176
amazon.com,2013-10-02T19:03:39,72.21.194.212
amazon.com,2013-10-02T19:03:39,72.21.215.232
amazon.com.au,2012-02-10T08:03:38,207.171.166.22
amazon.com.au,2012-02-10T08:03:38,72.21.206.80
google.com,2012-01-28T05:33:40,74.125.159.103
google.com,2012-01-28T05:33:40,74.125.159.104
google.com,2013-10-02T19:02:35,74.125.239.41
google.com,2013-10-02T19:02:35,74.125.239.46
Figure 8.
The four communication mechanisms used by the CIA websites
. Java Applets, Adobe Flash, JavaScript and HTTPS
Figure 9.
Expired domain names by day 2011
. Source. The scraping of expired domain trackers to Github was one of the positive outcomes of this project.
Video 2.
Compromised Comms by Darknet Diaries (2023)
Source.
It was the YouTube suggestion for this video that made Ciro Santilli aware of the Reuters article almost one year after its publication, which kickstarted his research on the topic.
Full podcast transcript: darknetdiaries.com/transcript/75/
Read the full article
Backlinks Updated 2025-02-22 +Created 1970-01-01
View more
Initial announcements by self on 2023-06-10:
Shared by others soo after:
2023-10-26 twitter.com/cirosantilli/status/1717445686214504830: announcement by self after finding 75 more sites
Second wave:
Some more:
/ny
Read the full article
Hits without nearby IP hits Updated 2025-02-22 +Created 1970-01-01
View more
Here we list domains for which the correct IP was apparently not found since there are no neighbouring hits.
These are suspicious, and suggest either that we didn't obtain the correct reverse IP, or a change in CIA methodology from an older time at which they were not yet using the obscene IP ranges.
For example, in the case of inews-today.com, 2013 DNS Census gave one IP 193.203.49.212, but then viewdns.info gave another one 66.175.106.146 which fit into an existing IP range, and which assumed to be the correct IP of interest.
A similar case happened when we found IP 212.209.74.126 for headlines2day.com with dnshistory.org: dnshistory.org/historical-dns-records/a/headlines2day.com.
It is interesting to note that Reuters seems to have featured disproportionately many hits from that range, one wonders why that happened. It is possible that they chose these because they actually didn't have any nearby hits to give away less obvious information, though they did pick some from the ranges as wel.
In what follows we list the domains with possible reverse IPs and what was explored so far for each. We consider IPs not in a range to be uncertain, and that instead their domains might have been previously in a range which we
dailynewsandsports.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches
  • 216.119.129.94. rdns source: viewdns.info "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2012-04-13". Tested viewdns.info range: 216.119.129.85 - 216.119.129.86, 216.119.129.89 - 216.119.129.99, ran out of queries for 87 and 88
    • 216.119.129.90: eastdairies.com 2011-04-04. Promising name and date, but no archives alas.
    • 216.119.129.97: miideaco.com 2016-02-01
  • 216.119.129.114 Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches, also present on viewdns.info but at a later date from previous "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2013-11-29". Tested viewdns.info range: 216.119.129.109 - 216.119.129.119
    • 216.119.129.110: dommoejmechty.com.ua. Legit.
    • 216.119.129.111: dailybeatz.com: Legit
    • 216.119.129.113:
      • audreygeneve.com
      • reyzheng.com
      • jacintorey.com
    • 216.119.129.114: dailynewsandsports.com. hit.
    • 216.119.129.115: afxchange.com legit/broken
    • 216.119.129.116: danafunkfinancial.com: legit
  • 208.73.33.194 on securitytrails.com
iranfootballsource.com:
  • 34.98.99.30 Kansas City - United States Google LLC 2021-05-24
  • 184.168.221.94 United States GoDaddy.com 2020-07-21
  • 50.63.202.66 United States GoDaddy.com 2020-07-07
  • 50.63.202.86 United States GoDaddy.com 2020-05-28
  • 184.168.221.94 United States GoDaddy.com 2020-05-13
  • 50.63.202.74 United States GoDaddy.com 2020-04-29
  • 50.18.223.191 San Jose - United States Amazon.com 2015-03-23. Sources: 2013 DNS Census and viewdns.info
    • no viewdns.info hits +- 10
  • 85.13.200.108 United Kingdom Coreix Dedicated Customer Allocation 2013-06-30. Source: viewdns.info
    • 85.13.200.108: 1000 hits, so unlikely to be the one
iraniangoalkicks.com:
iraniangoals.com:
football-enthusiast.com:
  • 212.4.18.14: Tested viewdns.info range: 212.4.18.1 - 212.4.18.29. This is a curious case, rather close to 212.4.18.129 sightseeingnews.com, but not quite in the same range apparently. Viewdns.info also agrees on its history with only "212.4.18.14", "location" : "Milan - Italy", "owner" : "MCI Worldcom Italy Spa", "lastseen" : "2013-06-30" of interest.
rastadirect.net:
todaysengineering.com:
  • 208.254.38.39. rdns source: both viewdns.info and 2013 DNS Census. Tested viewdns.info range: 208.254.38.34 - 208.254.38.44. Weirdly empty, doesn't even show the domain iteslf!
  • 68.178.232.100: source: securitytrails.com. 2009-11-24 - 2009-12-11, GoDaddy.com, LLC
worldofonlinenews.com:
mywebofnews.com:
cyhiraeth-intlnews.com:
news-latina.com:
europeannewsflash.com:
outlooknewscast.com:
  • dnshistory.org/historical-dns-records/a/outlooknewscast.com
    • 2009-08-08 -> 2011-02-11 74.53.159.130. Tested viewdns.info range: 74.53.159.120 - 74.53.159.140
      • 74.53.159.130: aeromedhistory.org 2014-11-29
      • 74.53.159.130: mariposahorticultural.com 2022-11-28
      • 74.53.159.130: thewritestuffresume.com 2011-04-04. Legit.
  • viewdns.info/iphistory/?domain=outlooknewscast.com
    • 204.93.178.121 Chicago - United States SERVERCENTRAL 2011-09-08. Tested viewdns.info range: 204.93.178.111 - 204.93.178.131. Skimmed through, nothing of great interest.
    • 74.53.159.130 United States SOFTLAYER 2011-04-04. Tested.
24hoursprimenews.com:
farsi-newsandweather.com:
global-view-news.com:
health-men-today.com:
  • dnshistory.org/historical-dns-records/a/health-men-today.com
    • 2009-11-30 -> 2010-05-27 67.220.228.224. New range with global-view-news.com? Tested viewdns.info range: 67.220.228.214 67.220.228.234
      • 67.220.228.223: stagedwithdistinction.com 2011-10-09. One archive of godaddy only.
    • 2009-08-01 -> 2009-09-19 69.42.58.50. Tested viewdns.info range: 69.42.58.40 - 69.42.58.60. Virtuals, canada.
    • 2011-01-07 -> 2011-01-07 69.90.162.165. Tested viewdns.info range: 69.90.162.155 - 69.90.162.175. Virtuals.
  • viewdns.info/iphistory/?domain=health-men-today.com
    • 204.11.56.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-04-19. Virtuals.
    • 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Unknown range.
    • 69.90.162.165 Canada COGECO-PEER1 2012-06-29. Tested.
firstnewssource.com:
theworldnewsfeeds.com:
pars-technews.com:
newdaynewsonline.com:
sportsnewsfinder.com:
newsworldsite.com:
  • viewdns.info/iphistory/?domain=newsworldsite.com
    • 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2013-05-20 big virtual
    • 204.93.159.80 Chicago - United States SERVERCENTRAL 2013-04-21. Tested viewdns.info range: 204.93.159.70 204.93.159.90
      • 204.93.159.84: team-merk.com 2011-08-11. No archives.
todaysnewsreports.net:
  • viewdns.info/iphistory/?domain=todaysnewsreports.net
    • 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-07-01
    • 205.178.189.129 United States NETWORK-SOLUTIONS-HOSTING 2013-05-20 likely virtual
    • 173.255.131.72 Reno - United States UK-2 Limited 2012-08-27. Tested viewdns.info range: 173.255.131.62 173.255.131.82. Virtual and modern hits only.
    • 67.213.211.232 United States UK-2 Limited 2011-09-07 unknown. Tested viewdns.info range: 67.213.211.222 67.213.211.242
      • 67.213.211.236: icf-finan.com 2015-01-20
      • 67.213.211.237: playinside.me 2016-02-04. Nice domain hack, but no.
      • 67.213.211.239: reality-sexxx.com 2011-09-08
hassannews.net:
weblognewsinfo.com:
newsincirculation.com
  • dnshistory.org/historical-dns-records/a/newsincirculation.com
    • 2010-03-10 -> 2010-08-15 64.120.20.234 virtual with weblognewsinfo.com
    • 2013-11-26 -> 2013-11-26 70.32.43.226
  • viewdns.info/iphistory/?domain=newsincirculation.com
    • 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2014-01-31
    • 50.63.202.77 United States AS-26496-GO-DADDY-COM-LLC 2013-10-19. virutal?
    • 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2013-09-26 virtual?
    • 69.147.228.5 Chicago - United States LEASEWEB-USA-CHI 2012-11-12 unknown. Tested viewdns.info range: 69.147.228.1 69.147.228.15. Nope.
    • 173.208.81.2 Lombard - United States LEASEWEB-USA-CHI 2011-04-04 virtual
todayoutdoors.com:
esmundonoticias.com:
globaltourist.net:
  • dnshistory.org/historical-dns-records/a/ 2009-07-30 -> 2011-01-01 69.59.20.215 unknown. Tested viewdns.info range: 69.59.20.205 69.59.20.225. Virtuals.
  • viewdns.info/iphistory/?domain=globaltourist.net
    • 216.172.170.14 United States NETWORK-SOLUTIONS-HOSTING 2013-07-08
    • 216.21.239.197 United States NETWORK-SOLUTIONS-HOSTING 2012-06-25
    • 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-04-09 big virtual
    • 174.136.34.154 United States IHNET 2012-03-12 unknown. Tested viewdns.info range: 174.136.34.144 174.136.34.164
    • 74.119.145.101 Frankfurt am Main - Germany PERFORMIVE 2011-09-07. Tested viewdns.info range: 74.119.145.91 74.119.145.111. One virtual.
    • 69.59.20.215 United States ATLRETAIL 2011-06-22. Tested
all-sport-headlines.com:
  • viewdns.info/iphistory/?domain=all-sport-headlines.com
    • 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-11-12 virtual
    • 216.104.38.114 United States SINGLEHOP-LLC 2012-09-21. Tested viewdns.info range: 216.104.38.104 216.104.38.124
      • 216.104.38.110: afterawhilecrocodile.info 2011-07-26. Legit.
technologytodayandtomorrow.com:
  • viewdns.info/iphistory/?domain=technologytodayandtomorrow.com
    • 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13 virtual
    • 72.34.53.174 United States IHNET 2011-09-08. Tested viewdns.info range: 72.34.53.164 72.34.53.184
      • 72.34.53.166: bjellaagency.com 2023-03-07
      • 72.34.53.174: businesscardprinternyc.info 2012-04-18
      • 72.34.53.174: dermozamsoe106.com 2011-07-02
      • 72.34.53.174: electronictechreviews.com 2011-09-08. Hit.
      • 72.34.53.174: glialcells2009paris.com 2012-11-12
      • 72.34.53.174: hysfreedom.net 2013-07-08. Legit.
      • 72.34.53.174: integrativetherapiesec.com 2013-06-30
      • 72.34.53.174: intloil.org 2012-04-27. Possible hit, a bit off style, but possibly because too broken. Copyright 2005. Present at pastebin.com/CTXnhjeSp.
      • 72.34.53.174: islamicnewsonline.com 2013-03-23. No archives in date range.
      • 72.34.53.174: larumbaknox.com 2012-01-11. Parked domain girl
      • 72.34.53.174: myonlinegamesource.com 2012-01-11
      • 72.34.53.174: mytravelopian.com 2011-04-04. Feels legit, but there's some chance.
      • 72.34.53.174: recursosdenoticias.com 2012-06-29. Hit.
      • 72.34.53.174: todaysnewsandweather-ru.com 2012-01-11. Hit.
      • 72.34.53.181: theebizguy.com 2022-12-26
      • 72.34.53.183: nofatchics.com 2012-01-11
terrain-news.com:
intlnewsdaily.com
  • dnshistory.org/historical-dns-records/a/intlnewsdaily.com 2010-02-21 -> 2010-08-06 75.126.136.179. unknown range.
  • viewdns.info/iphistory/?domain=intlnewsdaily.com
    • 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Virtual. Tested.
    • 63.247.95.50 Austell - United States NTHL 2012-06-29 unknown. Tested viewdns.info range: 63.247.95.40 63.247.95.60
      • 63.247.95.50: 2b-sports.com 2013-04-21
      • 63.247.95.50: caldentalinsurance.com 2014-07-05
      • 63.247.95.50: cameronbal-photography.com 2012-06-29
      • 63.247.95.50: congbetham.com 2014-07-05
      • 63.247.95.50: essentialintelligenceagency.com 2023-03-07
      • 63.247.95.50: isabellavalentina.com 2014-07-05
      • 63.247.95.50: jhraccounting.com.au 2021-05-03
      • 63.247.95.50: missouribreaks294.com 2012-06-29
      • 63.247.95.50: startorganize.com 2011-08-11
      • 63.247.95.50: tifocus.net 2011-08-11
      • 63.247.95.50: tifocus.org 2011-08-10
      • 63.247.95.50: whitepartyorlando.com 2012-01-11
    • 204.11.56.25 (ipinf.ru)
opensourcenewstoday.com:
techwatchtoday.com:
Read the full article