Ciro Santilli @cirosantilli 37

 Incoming links: CIA 2010 covert communication websites / DNS Census 2013

CIA 2010 covert communication websites / Backlinks  Updated 2025-05-26  +Created 1970-01-01

 View more

Announcements and updates by self:

2023-06-10: initial announcements
- twitter.com/cirosantilli/status/1667532991315230720. Follow up when more domains were found: twitter.com/cirosantilli/status/1717445686214504830
- www.reddit.com/r/OSINT/comments/146185r/i_found_16_new_cia_covert_communication_websites/. Marked as SPAM 5 by mods days later. After reaching 92 votes, a very positive reply for that niche sub, and being obviously on topic. Weird. Anyways, did its job and likely kicked off hackernews.
- www.facebook.com/cirosantilli/posts/pfbid04KvRbEXghJakcD4AQz4379L5oVjPZ6vrBF1Eak3p81VnqRSXuXdvvYonCWPhGfQXl
2023-10-26 twitter.com/cirosantilli/status/1717445686214504830: announcement by self after finding 75 more sites
- Shared by others soo after:
- news.ycombinator.com/item?id=36279375#36280220 (212 points). Shame that this was published when we only had about 20 websites. As of writing we had 240. Might have been a greater hit then.
  Figure 1. Source.
- www.reddit.com/r/conspiracy/comments/14705gp/cia_2010_covert_communication_websites/ failed attempt with bad link unfortunately
2024-01-15: twitter.com/cirosantilli/status/1747742453778559165 Oleg Shakirov's findings
2024-01-23: mastodon.social/@cirosantilli/111807480628392615 ipinf.ru gives 4 hits and 4 new suspects, announced at:
2024-09 Aratu Week 2024 Talk by Ciro Santilli: My Best Random Projects
2025-03-13: 44 new domains found: Section "44 new CIA websites"
2025-04-14: cqcounter screenshots used to confirm many new hits: Section "60 new CIA website screenshots discovered on CQ Counter"
2025-05-23: Section "Backing up CIA website archives for research and posterity"

Pings by self:

2025-03-13:
- x.com/cirosantilli/status/1900278353065894324 pings x.com/JackRhysider Jack Rhysider, host of the Darkent Diaries podcast
- x.com/cirosantilli/status/1900828210578727276 pings x.com/JennaMC_Laugh Jenna McLaughlin and x.com/zachsdorfman Zach Dorfman, authors of the 2018 Yahoo articles
2025-03-31 going to find random interested people on Twitter:
2025-05-05:
- inteltoday.org/2021/07/31/us-national-whistleblower-day-july-30-2021-i-john-reidy-declare-cia-debacle-in-iran-china/#comment-46375 pings the author Dr. Ludwig De Braeckeleer. Besides his interest in intelligence, the dude actually also won a Breakthrough Prize in Physics, holy fuck it's mind boggling.
- x.com/cirosantilli/status/1919391488422662245 pings x.com/marisaataylor Marisa Taylor, author of the 2014, McClathy DC article
- x.com/cirosantilli/status/1919859345593880812 and x.com/cirosantilli/status/1919846838850499002 pings x.com/cirosantilli/status/1919859345593880812 Bill Marczak and x.com/thezedwards Zach Edwards, technical analysts for the Reuters article
- x.com/cirosantilli/status/1919860643408007644 pings x.com/joel_schectman Joel Schectman and x.com/bozorgmehr Bozorgmehr Sharafedin authors of the Reuters article
- x.com/cirosantilli/status/1919870831758365113 pings x.com/zachsdorfman Zach Dorfman (protected account) author of the Foreign Policy article
- x.com/cirosantilli/status/1920073080363241727 pings x.com/markmazzettinyt Mark Mazzetti, x.com/nytmike Michael S. Schmidt and x.com/mattapuzzo Matt Apuzzo authors of the 2017 New York Times article. Could not find a Twitter for the fourth author Adam Goldman.

Reactions by others:

2023-06-19: www.reddit.com/r/numberstations/comments/14dexiu/after_numbers_stations_vanished/ (30 points) off topic on that sub, but thankfully was not deleted, interesting sub topic
2023-10-26: Google Analytics backlink from lms.fh-wedel.de/ path unknown. Some shitty German university: en.wikipedia.org/wiki/Fachhochschule_Wedel_University_of_Applied_Sciences LMS stands for Learning management system, apparently a Moodle instance. Maybe they have some Open educational resources, but all in German so pointless
Second wave:
- 2023-12-01: news.ycombinator.com/item?id=38492304 (65 points). Second submission but pointing to OurBigBook.com rather than cirosantilli.com: ourbigbook.com/cirosantilli/cia-2010-covert-communication-websites We take those. Reached only 65 points as of January 2024.
- 2023-12-02: buttondown.email/grugq/archive/december-2-2023/. "grugq" is the handle of a zero day dealer whose received some scrutiny in 2012 after a Forbes protile was written about him: archive.ph/7mUG5. He comments:
  I don’t think anyone anticipated that databases leaked by hackers would enable OSINT researchers to conduct counterintelligence investigations that rival the state security services.
  presumably referring to DNS Census 2013.
2024-01-12: twitter.com/jeremy_wokka/status/1745657801584656564 (40k followers, mid of thread)
2025-04-02: www.reddit.com/r/wikipedia/comments/1kd7rzo/comment/mqoocu7/?context=3 user Gilda1234_ mentions this project in a comment to "Between 2010 and 2012, China identified and killed at least 30 CIA informants in the country" by idlikebab

Notable reactions to the websites themselves

www.reddit.com/r/soccer/comments/xrgua4/the_cia_used_a_message_board_on_a_fake_soccer/ "The CIA used a message board on a fake soccer website called "Iraniangoals.com" to communicate with Iranian spies, dozens of whom were arrested after the website was discovered." by user Carlos-Dangerzone (2022-09-29)
The fact that there were

 Read the full article

CIA 2010 covert communication websites / Hits with nearby IP hits  Updated 2025-05-26  +Created 1970-01-01

 View more

62.22.60.49: telecom-headlines.com. UUNET in Spain. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just before worldnewsnetworking.com. Tested viewdns.info range: 62.22.60.34 - 62.22.60.66

62.22.60.33: newsperk.com. Almost certainly a hit. Stylistically perfect, rss-item. But no comms not found. Ennerving! 2011. English. Egypt. news. Later legitimately reused.
62.22.60.34: freeslideshow.net. Legit? Attempting to open any HTML archives leads to an infinite page load loop, e.g. 2010. A subpage however exists: web.archive.org/web/20101230001640/http://freeslideshow.net/index_files/a.htm and appears legit.
62.22.60.40: travel-passage.com. Hit.
62.22.60.42: newsupdatesite.com. Hit.
62.22.60.46: flyingtimeline.com. Hit.
62.22.60.47: globalemergenceadvisorsbkserver.com. Legit.
62.22.60.48: currentcommunique.com. Hit.
62.22.60.49: telecom-headlines.com. Hit.
62.22.60.52: collectedmedias.com. Hit.
62.22.60.54: romulusactualites.com. Hit.
62.22.60.55: thefilmcentre.com. Hit.
62.22.60.56: traveltimenews.com. Hit.

62.22.61.206 worldnewsnetworking.com. UUNET in Spain. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 62.22.61.188 - 62.22.61.224

62.22.61.193: awfaoi.org. Hit.
62.22.61.197: rc5sports.com. Hit.
62.22.61.198: inside-vc.com. Hit.
62.22.61.200: zerosandonesnews.com. Hit.
62.22.61.202: bailsnboots.com. Hit.
62.22.61.203: the-cricketer-online.com. Hit.
62.22.61.204: hollywoodscreen.net. Hit.
62.22.61.206: worldnewsnetworking.com. Hit.
62.22.61.212: nuestrasfinanzas.com. Hit.
62.22.61.213: sandstormnews.com. Hit.
62.22.61.215: the-tech-mind.com. Hit.
62.22.61.217: court-masters.com. Hit.
62.22.61.219: allworldstatistics.com. Hit.
62.22.61.220: newsjaka.com. Hit.
62.22.61.221: biochemresource.com. Archive broken/empty. One archive: contains an epically long URL that might shed light into something: web.archive.org/web/20120529121245/http://www.biochemresource.com/?fp=iboHtuxnjLG66y52DkK1xCFuZDBnVC8wovQepLt2Tk%2Bo1JIgIdVb6WL8kv6sSOEtxwcq4EbiJ0GxFY9N6HSWlg%3D%3D&prvtof=97vgfKVqt1Sd68qgNDPXB0o7Rwo%2FO3GKiiMG7fane6A%3D&poru=Zd9DHFaHFZ6ZrRLm8SW3egagqvdpzHhWb%2FoulRGeEYIUSVATB5gwTIDhluetONjG7xovtb%2FrvDStoqiAF1O8wA%3D%3D&. Asked at: stackoverflow.com/questions/47310661/any-idea-what-are-fp-prvtof-poru-in-a-url but no reply so far. One day my friend, one day. cqcounter.com/whois/www/biochemresource.com.html not found.
62.22.61.222: www.news-blitz-ar.com (ipinf.ru). No archives. Perfect domain name theme match. cqcounter.com/whois/www/news-blitz-ar.com.html not found.

65.218.91.17 alljohnny.com. UUNET in United States. One of the Reuters websites.

208.91.197.132: rdns source: viewdns.info. Big virtual.
65.218.91.17: rdns source? : viewdns.info. Tested viewdns.info range: 65.218.91.13 - 65.218.91. 17
- 65.218.91.9: welcometonyc.net. Hit. rdns source: ipinf.ru. Later also at 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-21 by viewdns.info
  - rolling-in-rapids.com. Hit.
- 65.218.91.17
  - international-smallbusiness.com. Stylitsic match, but some uncommon features like the country seelctor dropdown.
    Archives:
    web.archive.org/web/20110202031627/http://international-smallbusiness.com/
    web.archive.org/web/20120114080103/http://www.international-smallbusiness.com:80/sa.html
    web.archive.org/web/20110202031657/http://international-smallbusiness.com/style.css
    Also a potential unarchived CGI comms: web.archive.org/web/20110202031627/https://ssl.international-smallbusiness.com/cgi-bin/starting.cgi Perhaps with some better HTML reversing we could confirm a hit. Same registrar as alljohnny "L. Glaze" fuck me.
    208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-19. Big virtual.
    65.218.91.17 United States UUNET 2013-09-06
216.168.229.50: whoisxmlapi 2008-09-01 (15 years) 2010-04-17. Checked viewdns.info range: 216.168.229.45 - 216.168.229.55. viewdns.info/reverseip/?t=1&host=216.168.229.50 3k domains.

63.131.229.12 cyberreportagenews.com. ADHOST in Coeur d'Alene - United States. Tested viewdns.info range: 63.131.228.248 - 63.131.229.30

63.131.229.2: fightskillsresource.com. Hit
63.131.229.4: unitedterritorynews.com. Hit
63.131.229.9: show-dustry.com. Hit
63.131.229.10: afghanpoetry.net. Hit. Also at 74.254.12.166 in another range.
63.131.229.11: mythriftytrip.com. Hit
63.131.229.12: cyberreportagenews.com. Hit.
63.131.229.13: sunrise-news.com. Hit.
63.131.229.15: cricketnewsforindia.com. Hit.
63.131.229.16:
- nutricion-saludable.info. No archives. cqcounter.com/whois/www/nutricion-saludable.info.html has the exact same screenshot at the .net one, so also hit.
- nutricion-saludable.net. Hit.
63.131.229.18: itnl-xchange.com. Hit.
63.131.229.20:
- fixashion.net. Hit.
- a few others

63.130.160.50 theglobalheadlines.com. CW Vodafone Group PLC in United States. Found with: 2013 DNS census secureserver.net MX records intersection 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 63.130.160.35 - 63.130.160.75

63.130.160.50: theglobalheadlines.com. Hit.
63.130.160.51:
- hai-pow.com. Hit.
- secudenetworksecurity.com. No archives. cqcounter.com/whois/www/secudenetworksecurity.com.html blank image.
63.130.160.53: echessnews.com. Hit.
63.130.160.59: technologiewissen.com. No archives from the time. Would be Technology knowledge in German, so another likely German hit. Shame. cqcounter.com/whois/www/technologiewissen.com.html empty
63.130.160.60: boxingstop.net. Hit.
63.130.160.61: bookmarksthis.com. Hit.
63.130.160.62: azerinews.org. Hit.

64.16.204.55 holein1news.com. Saudi Telecom Company JSC in Saudi Arabia. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 64.16.204.50 - 64.16.204.63. With did Wayback Machine have so few archives here? TODO stopping viewdns.info exploration a bit short due to that.

64.16.204.35: ironcityfootball.com. web.archive.org/web/20080510230549/ironcityfootball.com Legit/broke. cqcounter.com/whois/www/ironcityfootball.com.html from 2011 could be in style though... "Iron City" is a historical nickname for Pittsburgh, Pennsylvania.
64.16.204.51: africannewsandsports.com. No archives. rdns source: viewdns.info. cqcounter.com/whois/www/africannewsandsports.com.html not found.
64.16.204.53: bosniakbusinessnews.com. Hit.
64.16.204.54: affairesdumonde.com. Hit.
64.16.204.55: holein1news.com. Hit.
64.16.204.56: fightorgohome.com. Uncertain. domainsbyproxy.com. Created: 2011-03-28. No archives. rdns source: viewdns.info cqcounter.com/whois/www/fightorgohome.com.html from 2011 not very typical but possible. Has a "Login" link visible for possible comms. The domain name is typical...
64.16.204.58: tech-topix.com. Hit.
64.16.204.60: pakpoldaily.com. No archives. rdns source: viewdns.info. TODO meaning? Might be Indonesian, maybe linked to police: www.facebook.com/watch/?v=880204266271955 cqcounter.com/whois/www/pakpoldaily.com.html not found.

65.61.127.163 capture-nature.com. ADHOST in Greenacres - United States. whois.arin.net/rest/net/NET-65-61-96-0-1/pft?s=65.61.127.163: Net Range: 65.61.96.0 - 65.61.127.255. Organization. Name: TierPoint, LLC. Tested viewdns.info range: 65.61.127.149 -

65.61.127.46: anahuacchamber.com 2012-12-22T14:59:01
65.61.127.117: medicaresupplementalinsurance.com, 2013-08-21T09:49:41. Legit.
65.61.127.121: counter-images.com 2013-08-22T11:14:44: web.archive.org/web/20110208173132/http://www.counter-images.com/ Empty.
65.61.127.125 zaphound.com 2013-08-21T02:25:40. Legit.
65.61.127.130: ambitions.org 2013-08-22T01:43:40. Legit.
65.61.127.161: european-footballer.com. Hit.
65.61.127.163: capture-nature.com. Hit.
65.61.127.164: futbolistico.net. 2012-02-20T03:25:33. Legit. web.archive.org/web/20130509004058/http://futbolistico.net/
65.61.127.165: travelconnectionsonline.com. Ciro initially though this might be a hit. But upon Googling it, there's now a mirror at: travelconn.tripod.com/. Combined with the lack of a standard communications mechanism and the 2001 copyright, maybe it isn't a hit after all
65.61.127.166: globalnewsbulletin.com: Hit.
65.61.127.167: internationalwhiskylounge.com. Hit.
65.61.127.168: the-golden-rule.info 2013-09-20T02:13:52. Hit.
65.61.127.169: crossovernews.net. Hit.
65.61.127.170: newsidori.com. Hit.
65.61.127.171: nrgconsultingandnews.com. Hit. 2013-08-13T18:45:05
65.61.127.172: premierstriker.com. Hit. 2012-01-11
65.61.127.174: dedrickonline.com. Hit.
65.61.127.175: altworldnews.com. Hit.
65.61.127.176: american-historyonline.com. Hit. 2011-09-08
65.61.127.177: material-science.org. Hit.
65.61.127.178: tee-shot.net. Hit.
65.61.127.180: screencentral.info. Hit.
65.61.127.181: worldnewsandtravel.com. Hit. 2011-11-13
65.61.127.182: pangawana.com. Hit.
65.61.127.183: cutabovenews.com. Hit.
65.61.127.184: worldwildlifeadventure.com. Hit.
65.61.127.186: explorealtmeds.com. Hit.
65.61.127.194: 16 domains, so unclear.
- about-video-games.com: web.archive.org/web/20121013013710/http://about-video-games.com/ off
- aboutfaceonline.com: web.archive.org/web/20120701000000*/aboutfaceonline.com off
65.61.127.200: cdl-link.com (ipinf.ru). Legit.
65.61.127.222: asianwhitecoffee.com 2012-07-16T09:21:05 web.archive.org/web/20110903080036/http://asianwhitecoffee.com/. Could be legit.

66.45.179.205 noticiasporjanua.com. ADHOST in Edmonds - United States. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 66.45.179.187 - 66.45.179.223

66.45.179.187: mail03.gatesfoundation.org. Legit.
66.45.179.192: thegraceofislam.com. Hit.
66.45.179.193: arabicnewsunfiltered.com. Hit.
66.45.179.194: raulsonsglobalnews.com. Hit.
66.45.179.195: aryannews.net. Hit.
66.45.179.199: attivitaestremi.com. Hit.
66.45.179.200: foodwineandsuch.com. Hit.
66.45.179.201: hitthepavementnow.com. Hit.
66.45.179.203: noticiascontinental.com. Hit.
66.45.179.205: noticiasporjanua.com. Hit.
66.45.179.206: podisticamondiale.com. Hit.
66.45.179.207: reflectordenoticias.com. Hit.
66.45.179.208: havenofgamerz.com. Hit.
66.45.179.209: vejaaeuropa.com. Hit.
66.45.179.210: sa-michigan.com. Hit.
66.45.179.211: absolutebearing.net. Hit.
66.45.179.212: grandretirement.net. No archives. cqcounter.com/whois/www/grandretirement.net.html blank image.
66.45.179.213: myportaltonews.com. Hit.
66.45.179.214: investmentintellect.com. Hit.
66.45.179.215: nigeriastar.net 2012-03-12. Hit.

66.104.169.184 bcenews.com. XO-AS15 in United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.169.158 - 66.104.169.189

66.104.169.162: bestsportsnews.net. Archive broken. cqcounter.com/whois/www/bestsportsnews.net.html error not found.
66.104.169.163: doctorsoncallsite.com. Hit. domainsbyproxy.com
66.104.169.164: lightandshadowonline.com. Hit. domainsbyproxy.com. Created: 2007-11-27. Updated: 2012-06-06.
66.104.169.168: plugged-into-news.net. Hit. Network Solutions, LLC. Registrant: Godfrey Hubbard.
66.104.169.169: worldsportsite.com. Hit. domainsbyproxy.com. Created: 2009-05-20.
66.104.169.171: golf-on-holiday.com. Hit. Network Solutions, LLC. Registrant: Tammy Pulley.
66.104.169.172: perspectiva-noticias.com. Hit. domainsbyproxy.com. Created: 2009-04-28.
66.104.169.175: aquaswimming.com. Hit. domainsbyproxy.com
66.104.169.177: dojo-temple.com. Hit. domainsbyproxy.com
66.104.169.179: neighbour-news.com. Hit. domainsbyproxy.com
66.104.169.180: medicatechinfo.com. Hit. Network Solutions, LLC. Registrant: Jason Noll.
- 205.178.189.131: securitytrails.com 2009-06-25 - 2009-07-02 Network Solutions, LLC., "ip_count": 726755. Moved to new one 2009-07-02 - 2010-11-03
66.104.169.181: brickmanfinancialnews.com. Hit. domainsbyproxy.com
66.104.169.182: casanewsnow.com. Hit. domainsbyproxy.com
66.104.169.183: aworldofnews.com. No archives. cqcounter.com/whois/www/aworldofnews.com.html blank image
66.104.169.184: bcenews.com. Hit.
66.104.169.197: teamshula.com. Legit.

66.104.173.186 myworldlymusic.com. XO-AS15 in United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.173.158 - 66.104.173.194

66.104.173.161: fanatic-pc-gamers.com. domainsbyproxy.com. 2013: Welcome to the US Petabox. cqcounter.com/whois/www/fanatic-pc-gamers.com.html somewhat in-style with large "Login to our Members Forum" message and copyright 2005.
66.104.173.163: runakonews.com. Hit.
66.104.173.164: shoppingadventure.net. Hit.
66.104.173.165: entertaining-ly.com. Hit. Network Solutions, LLC for Matthew Sorrell. tools.whoisxmlapi.com/reverse-whois-search hits:
- premier-fishing-tips.com. Legit with photos and mention of Matthew Sorrell: web.archive.org/web/20110129024453/http://www.premier-fishing-tips.com/ Still live as of 2025.
  Sincerely,
  Matthew Sorrell
  Webmaster, Premier-Fishing-Tips.com
- entertaining-ly.com
66.104.173.166: zubeenews.com. Hit. domainsbyproxy.com
66.104.173.169: smart-financeology.com. Hit. domainsbyproxy.com
66.104.173.173: remarkably has two potential hits, both shown in viewdns.info, and one of them was also in the 2013 DNS Census.
- worldfeedstoday.com. Hit. Network Solutions, LLC + Perfect Privacy LLC.
- world-newsfeeds.com. No archives. cqcounter.com/whois/www/world-newsfeeds.com.html blank image.
66.104.173.175: media-coverage-now.com. Hit. domainsbyproxy.com
66.104.173.176: jbc-online-news.com. Hit. domainsbyproxy.com
66.104.173.177: webscooper.com. Hit.
66.104.173.178: dk-dcinvestment.com. Hit. domainsbyproxy.com
66.104.173.179: newsforthetech.com. Hit. domainsbyproxy.com
66.104.173.180: stara-turistick.com. Hit. domainsbyproxy.com
66.104.173.181: playbackpolitics.com. Hit. domainsbyproxy.com
66.104.173.182: snapnewsfront.net. Hit. domainsbyproxy.com
66.104.173.183: ingenuitytrendz.com. Hit. domainsbyproxy.com
66.104.173.184: armashoy.com. Hit. domainsbyproxy.com
66.104.173.185: baocontact.com. Hit. Godaddy for a "Denise Welch":
```
"name": "Denise Welch",
"organization": null,
"street": "Box 288",
"city": "Macdona",
"state": "Texas",
"postalCode": "78054",
"country": "UNITED STATES",
```
tools.whoisxmlapi.com/reverse-whois-search has 151 results, some inspections:
- web.archive.org/web/20160610031345/http://socialmediamagazine.biz/ legit Denise Welch, President
- web.archive.org/web/20211126033925/http://allofmywishes.com/ no relevant archives
- web.archive.org/web/20110208070523/pet-a-bration.com no archives
Reducing a bit searching for Macdona as city gives only 19 hits:
- web.archive.org/web/20111126163259/http://tamilupgraded.com/ 19 Archives broken. cqcounter.com/whois/www/tamilupgraded.com.html off style.
- web.archive.org/web/20080115063123/http://www.zirnitrasports.com/ suspicious but quite broken. Arabic. Split images. Comms not found. cqcounter.com/whois/www/zirnitrasports.com.html in-style. viewdns.info/iphistory/?domain=zirnitrasports.com. Members/register at top linking to web.archive.org/web/20080115220218/http://www.zirnitrasports.com/reg.html
  - 216.180.224.58 British Virgin Islands NTHL 2012-01-11. viewdns.info/reverseip/?t=1&host=216.180.224.58 small virtual. Also searched 216.180.224.50 - 216.180.224.65
    dare2wearts.com 2012-06-29 No archives.
    keralaaicuf.com 2012-09-21. No archives.
    kids-ireland.com 2011-11-13 web.archive.org/web/20110128075525/http://kids-ireland.com/ off
    makeupbyjadab.com 2012-11-12. Off
    socalfitnessbootcamp.com 2012-06-29. Off
    unitedwelfareservices.com 2012-11-12. No archives.
    zirnitrasports.com 2012-01-11
- bontonphoto.com web.archive.org/web/20100605033030/http://www.bontonphoto.com/ suspicious with members linking to web.archive.org/web/20130826142257/https://bonto001.secure.omnis.com/cgi-bin/main.cgi www.omnis.com/ is a hosting service.
  - web.archive.org/web/20130528074647/http://bontonphoto.com/ better screenshot has a news link.. cqcounter.com/whois/www/bontonphoto.com.html empty
- olqhchurch.com web.archive.org/web/20110201182208/http://olqhchurch.com/ dead, cqcounter.com/whois/www/olqhchurch.com.html not found
66.104.173.186: myworldlymusic.com. Hit.
66.104.173.189: hitpoint-gaming.com. Hit. Network Solutions, LLC + perfect privacy.

66.104.175.40 beyondnetworknews.com. XO-AS15 in United States. whois.arin.net/rest/net/NET-66-104-0-0-1/pft?s=66.104.175.40. Net Range:66.104.0.0 - 66.107.255.255. 2012 Internet Census puts most/all hits in this range under ip66-104-175-34.z175-104-66.customer.algx.net, algx.net redirects to verizon.com as of 2023. Related: superuser.com/questions/956568/why-are-my-pings-going-to-customer-algx-net. Tested viewdns.info range: 66.104.175.24 - unknown

66.104.175.34: itwebtoday.com. Hit. domainsbyproxy.com
66.104.175.35: drglobalnews.com. Hit.
66.104.175.36: adilnews.net. Hit.
66.104.175.37: technewstogo.com. web.archive.org/web/20110201205946/http://technewstogo.com/ "UNDER CONSTRUCTION" cqcounter.com/whois/www/technewstogo.com.html same.
66.104.175.40: beyondnetworknews.com. Hit.
66.104.175.41: grubbersworldrugbynews.com. Hit. domainsbyproxy.com
66.104.175.42: news-and-sports.com. Hit.
66.104.175.44: yourtripfinder.net. Hit. domainsbyproxy.com
66.104.175.45: rollinsnetwork.com. Hit. domainsbyproxy.com
66.104.175.46: infosharenews.com. Hit.
66.104.175.47: southasiaheadlines.com. Hit.
66.104.175.48: worlddispatch.net. Hit.
66.104.175.49: webworldsports.com. Hit.
66.104.175.50: fly-bybirdies.com. Hit.
66.104.175.51: businessexchangetoday.com. Hit.
66.104.175.52: mensajeradenoticias.com. Hit. domainsbyproxy.com
66.104.175.53: info-ology.net. Hit.
66.104.175.54: marketflows.net. Hit. domainsbyproxy.com
66.104.175.57: metanewsdaily.com. Hit.
66.104.175.218: remote.taxconsultantsgroup.com. No archives. cqcounter.com/whois/www/taxconsultantsgroup.com.html commercial so unlikely

66.175.106.148 activegaminginfo.com. UUNET in United States. whois.arin.net/rest/net/NET-66-175-106-128-1/pft?s=66.175.106.148: Net Range: 66.175.106.128 - 66.175.106.159. Customer Name: DIAMOND-COLESON. Tested viewdns.info range: 66.175.106.131 - 66.175.106.178

66.175.106.10: nationalchecktrust.com. Legit?
66.175.106.134: paddlescoop.com. Hit.
66.175.106.137: kessingerssportsnews.com. Hit. Network Solutions: Latimer, Daniel
```
"name": "Latimer, Daniel|ATTN KESSINGERSSPORTSNEWS.COM|care of Network Solutions",
"organization": null,
"street": "PO Box 459",
"city": "PA",
"state": "US",
"postalCode": "18222",
"country": "UNITED STATES",
```
12 hits for name but nothing else looks promissing:
- element42.au
- refugeministryoils.com
- element42.com.au
- refugeloveministry.net
- refugeloveministry.com
- boysofrockingham.com
- daniellatimer.net
- thejourneytoyourheart.com. web.archive.org/web/20130925191623/http://thejourneytoyourheart.com/ empty cqcounter.com/whois/www/thejourneytoyourheart.com.html not found
- latimerstudio.com
- latimerstudios.com
- danlatimer.com
- kessingerssportsnews.com
66.175.106.138: factorforcenews.com. Hit. domainsbyproxy.com
66.175.106.140: aroundthemiddleeast.com. No Wayback Machine hits. Last resolved: 2012-06-29. cqcounter.com/whois/www/aroundthemiddleeast.com.html not found.
66.175.106.142: kanata-news.com. Hit. domainsbyproxy.com
66.175.106.143: thecricketfan.com. Hit.
66.175.106.146: inews-today.com. Initially found with 2013 DNS Census virtual host cleanup heuristic keyword searches which gave IP address 193.203.49.212. But that has no nearby hits. 66.175.106.146 was later found on viewdns.info, and slotted into this other existing IP range.
- 193.203.49.211 datingso.com: legit? Russian dating website
- 193.203.49.212 inews-today.com. Hit.
- 193.203.49.223 zatysi.net: legit
- 193.203.49.226 kinotopik.com: legit? Russian
- 193.203.49.229 rotor-volgograd.com. Legit.
- 193.203.49.233 ordercytotec.com. Broken. cqcounter.com/whois/www/ordercytotec.com.html not found.
66.175.106.147: starwarsweb.net. Hit.
66.175.106.148: activegaminginfo.com. Hit. Network Solutions, LLC for Elizabeth Corral. tools.whoisxmlapi.com/reverse-whois-search reverse search "Corral, Elizabeth" only has that hit
66.175.106.149: feedsdemexicoyelmundo.com. Hit.
66.175.106.150: noticiasmusica.net. Hit. Network Solutions, LLC for Megan See. tools.whoisxmlapi.com/reverse-whois-search only this hit.
66.175.106.155: atomworldnews.com. Hit. domainsbyproxy.com
66.175.106.158: nouvellesetdesrapports.com. Hit.
66.175.106.166: exchange.katzbarron.com. Legit. Reverse IP source: 2012 Internet Census
66.175.106.183: mail.lfdatacenter.com. No archives.

66.237.236.247 comunidaddenoticias.com. XO-AS15 in United States. Tested viewdns.info range: 66.237.236.222 - 66.237.236.254

66.237.236.227: newsandmusicminute.com. Hit. Network Solutions, LLC for:
```
"name": "Alger, Jennifer",
"organization": null,
"street": "PO Box 459",
"city": "Drums",
"state": "PA",
"postalCode": "18222",
"country": "UNITED STATES",
```
tools.whoisxmlapi.com/reverse-whois-search search for "Alger, Jennifer" has four domain:
- preparedtoact.com: parked domain girl web.archive.org/web/20130831091701/http://www.preparedtoact.com/
- prepared2act.com
- newsandmusicminute.com
- jennisdish.com web.archive.org/web/20110207105346/http://jennisdish.com/ godaddy
but more interestingly this address is the same as other hits: activegameinfo.com and noticiasmusica.net! "PO Box 459" anywhere search has 10k+ domains and so does Drums so not helping.
66.237.236.229: pearls-playlist.com 2011-11-13. Hit. domainsbyproxy.com

66.237.236.230: beyondthefringe.info 2013-01-02. Hit. GoDaddy.com for

"registrantContact": {
  "name": "Nathan Stock",
  "organization": null,
  "street": "PO Box 61654",
  "city": "Savannah",
  "state": "Georgia",
  "postalCode": "31420",
  "country": "UNITED STATES",
  "email": "nathanstock@earthlink.net",
  "telephone": "19129206355",

no hits for that name of reversed.

66.237.236.231: primetimemovies.net 2011-06-22. Hit. No whois records.
66.237.236.235: persephneintl.com. Hit. domainsbyproxy.com
66.237.236.236: directoalgrano.net 2012-01-23. Hit.
66.237.236.240: actualizaciondebeisbol.com. Hit. domainsbyproxy.com
66.237.236.243: mygadgettech.com. Hit.
66.237.236.247: comunidaddenoticias.com. Hit. domainsbyproxy.com
66.237.236.249: sumerjaseahora.com. Hit. domainsbyproxy.com

69.84.156.90 stickshiftnews.com. COLOSPACE in Methuen - United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 69.84.156.64 - 69.84.156.95

69.84.156.69: al-ashak-news-me.com. Hit.
69.84.156.70: theventurenews.info. Hit.
69.84.156.71: worldfinancetoday.net. Hit.
69.84.156.72: autonewsarabia.com. Hit.
69.84.156.74: blue-moon-news.com. Hit.
69.84.156.75: theoutergreen.com. No archives. Might have been another golf hit. cqcounter.com/whois/www/theoutergreen.com.html not found.
69.84.156.76: tnc-urdu.com. Hit.
69.84.156.79: jassimnews.com. No archives/broken. cqcounter.com/whois/www/jassimnews.com.html blank.
69.84.156.80: noticiasdenuestromundo.com. Hit.
69.84.156.82: arabicnewsonline.com. Hit.
69.84.156.83: unganadormundial.com. Hit.
69.84.156.84: focusonbokeh.com. Hit. Network Solutions, LLC.
69.84.156.85: classic-rocktopia.com. Hit. domainsbyproxy.com.
69.84.156.87: i7diver.com. Hit.
69.84.156.88: diariodeelmundo.com. Hit.
69.84.156.89: todaysarabnews.com. Hit.
69.84.156.90: stickshiftnews.com. Hit.
69.84.156.91: theinternationalgoal.com. Hit.

72.34.53.174 technologytodayandtomorrow.com. IHNET in United States. This IP is special. This IP is somehow closely linked to the "Mass Deface III" pastebin as it seems to have been hosted by Condor hosting. They also have many old sites, and links to Russia which is apparently where this was hosted.

viewdns.info/iphistory/?domain=technologytodayandtomorrow.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13 virtual
- 72.34.53.174 United States IHNET 2011-09-08. Tested viewdns.info range: 72.34.53.164 72.34.53.184 viewdns.info/reverseip/?t=1&host=72.34.53.174 went through all of them;
  - hits
    electronictechreviews.com 2011-09-08 domainsbyproxy.com
    recursosdenoticias.com 2012-06-29 domainsbyproxy.com
    todaysnewsandweather-ru.com 2012-01-11 domainsbyproxy.com
    myonlinegamesource.com 2012-01-11 Godaddy:
    "name": "Brandon Stiltner", "organization": null, "street": "1200 Brookstone Centre Pkwy", "city": "Columbus", "state": "Georgia", "postalCode": "31904", "country": "UNITED STATES",
    has two domains:
    sandshomerepairs.com. web.archive.org/web/20110207105346/sandshomerepairs.com no archives, cqcounter.com/whois/www/sandshomerepairs.com.html not found
    myonlinegamesource.com
    mytravelopian.com 2011-04-04 domainsbyproxy.com
  - possible hits
    * intloil.org 2012-04-27. 2011, Possible hit, a bit off style, but possibly because too broken. rss-item. Copyright 2005. Present at pastebin.com/CTXnhjeSp (now lost without archives I'm an idiot). cqcounter.com/whois/www/intloil.org.html from 2011 somewhat in style but interestingly also similarly broken. The "Login" button leads to another domain: "condorsecure.com": web.archive.org/web/20110721052801/https://condorsecure.com/~intloilo/alternativefuels.html which is megaweird and is what is mentioned in the "Mass Deface III" pastebin. domainsbyproxy.com. A similar thing happens in europeantravelcafe.com but to another domain.
    * islamicnewsonline.com 2013-03-23. No archives in date range. cqcounter.com/whois/www/islamicnewsonline.com.html not found, sad
  - not hits
    businesscardprinternyc.info 2012-04-18. Legit web.archive.org/web/20110925172844/http://businesscardprinternyc.info/
    dermozamsoe106.com 2011-07-02
    glialcells2009paris.com 2012-11-12
    hysfreedom.net 2013-07-08. Legit. web.archive.org/web/20111014185727/http://hysfreedom.net/
    integrativetherapiesec.com 2013-06-30. Parked domain girl. cqcounter.com/whois/www/integrativetherapiesec.com.html not found
    larumbaknox.com 2012-01-11. Parked domain girl
    theebizguy.com 2022-12-26 web.archive.org/web/20250000000000*/theebizguy.com many archives
    nofatchics.com 2012-01-11
    bjellaagency.com 2023-03-07
securitytrails.com/domain/technologytodayandtomorrow.com/history/a same

74.116.72.236 techtopnews.com. OPTIMUM-WIFI2 in Brooklyn - United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.116.72.215 - 74.116.72.254

74.116.72.199: newsungraphics.com. Legit.
74.116.72.209: newsung.com. Legit/broken. cqcounter.com/whois/www/newsung.com.html not found
74.116.72.214: ofinancialinc.com. Legit.
74.116.72.219: stockpromoters.com. Legit.
74.116.72.227: dayenews.com. Hit.
74.116.72.229: guide-daventure.com. Hit.
74.116.72.230: spaceage-exchange.com. No archives. cqcounter.com/whois/www/spaceage-exchange.com.html blank image.
74.116.72.231: bleachersfootballnews.com. Hit.
74.116.72.232: indirectfreekick.com. Hit.
74.116.72.233: wwiichronicles.net. Hit.
74.116.72.234: petroleumagenews.com. Hit.
74.116.72.235: the-open-book-online.com. Hit.
74.116.72.236: techtopnews.com. Hit.
74.116.72.237: noticiasdiariasdedeportes.com. No archives. Sad, another potential Brazil hit. cqcounter.com/whois/www/noticiasdiariasdedeportes.com.html not found.
74.116.72.238: pohandakhbar.com. Hit. domainsbyproxy.com.
74.116.72.239: crickettoday.info. Hit.
74.116.72.240: zafernews.com. Hit.
74.116.72.241: itechnewstoday.com. Hit. domainsbyproxy.com.
74.116.72.242: gdgtsource.com. Hit.
74.116.72.243: waronfilmonline.com. Hit.
74.116.72.244: arborstribune.org. Hit. arborstribune.org. Godaddy without domainsbyproxy.com. Registrant: Ryan Binder, email rkbinder@copper.net Reverse hits for name:
- arborstribune.org
- phaseintl.us
- rblab.us
- bindersynthetics.com
- ryanbinder.com
- finalmarch.com. No archives. cqcounter.com/whois/www/finalmarch.com.html not found.
- finalmarch.info.
- mydrunknews.com. Godaddy parked: web.archive.org/web/20110207181833/http://mydrunknews.com/. cqcounter.com/whois/www/mydrunknews.com.html not found.
74.116.72.245: wineenthusiastonline.com. Welcome to the US Petabox. cqcounter.com/whois/www/wineenthusiastonline.com.html not found.
74.116.72.246: vuvuzelanews.com. Hit.
74.116.72.247: ballbatstumpsandbails.com. Hit.
74.116.72.248: kioni-sailing.com. Hit.
74.116.72.249: round-trip-travel.com. Hit.
74.116.72.250: arabicnewsource.com. Hit.

74.254.12.168 non-stop-news.net. BELLSOUTH-NET-BLK in Atlantic Beach - United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.254.12.158 - 74.254.12.195. This domain exceptionally also has a second IP also with multihits: 207.239.196.230. The fact that the range has rdns sources with hits from both 2013 DNS Census and viewdns.info suggests this range is correct.

74.254.12.163: half-court.net. Hit.
74.254.12.163: dailywellnessnews.com. Hit.
74.254.12.165: dylandon.net. Hit. rdns source: viewdns.info.
74.254.12.166: afghanpoetry.net. Hit.
74.254.12.168: non-stop-news.net. Hit.
74.254.12.169: soldiersofsouthasia.com. Hit.
74.254.12.170: greek-news.info. Hit.
74.254.12.171: autism-news.org. Hit.
74.254.12.172: thesportsguidebook.com. rdns source: 2013 DNS Census. Only has archive of one subpage: 2009. English. sports. cqcounter.com/whois/www/thesportsguidebook.com.html not found.
74.254.12.173: thefreshnews.com. Hit.
74.254.12.174: reliefline.info. web.archive.org/web/20090416064302/http://www.reliefline.info:80/ Archive too broken. cqcounter.com/whois/www/reliefline.info.html broken.
74.254.12.176: pakcricketgrd.com. Hit.
74.254.12.177: networkofnews.com. Hit.
74.254.12.179: wineconnaisseur.net. Hit.
74.254.12.180: helpinghandssite.com. Hit.
74.254.12.185: newskwest.com. No archives. cqcounter.com/whois/www/newskwest.com.html broken.
74.254.12.187: efiinvestment.com. Hit.
74.254.12.188: first-tee-golf.com. Hit.
74.254.12.189: fabu-foto.com. Hit.
74.254.12.190: viptravelabroad.com. Hit.

173.208.81.2 LEASEWEB-USA-CHI in Lombard - United States:

weblognewsinfo.com:
- dnshistory.org/historical-dns-records/a/weblognewsinfo.com 2010-05-10 -> 2010-10-07 64.120.20.234 viewdns.info/reverseip/?t=1&host=64.120.20.234 small virtual:
  - web.archive.org/web/20101229135149/http://knightsofx.net/ off
  - marvel-mail.com/ no archives, dawhois.com/site/marvel-mail.com.html no results
- viewdns.info/iphistory/?domain=weblognewsinfo.com
  - 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-09-26 virtual
  - 173.208.81.2 Lombard - United States LEASEWEB-USA-CHI 2013-06-30 virtual with newsincirculation.com viewdns.info/reverseip/?t=1&host=173.208.81.2
    web.archive.org/web/20110131042438/http://underground-basement.com/ off
    web.archive.org/web/20110623044033/http://www.mypolitiki.com/ off
newsincirculation.com
- dnshistory.org/historical-dns-records/a/newsincirculation.com
  - 2010-03-10 -> 2010-08-15 64.120.20.234 virtual with weblognewsinfo.com
  - 2013-11-26 -> 2013-11-26 70.32.43.226
- viewdns.info/iphistory/?domain=newsincirculation.com
  - 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2014-01-31
  - 50.63.202.77 United States AS-26496-GO-DADDY-COM-LLC 2013-10-19. virutal?
  - 70.32.43.226 Lombard - United States LEASEWEB-USA-CHI 2013-09-26 virtual?
  - 69.147.228.5 Chicago - United States LEASEWEB-USA-CHI 2012-11-12 unknown. Tested viewdns.info range: 69.147.228.1 69.147.228.15. Nope.
  - 173.208.81.2 Lombard - United States LEASEWEB-USA-CHI 2011-04-04 virtual

199.19.110.7 theworldnewsfeeds.com. Los Angeles - United States FIBER-LOGIC.

dnshistory.org/historical-dns-records/a/theworldnewsfeeds.com no hits
viewdns.info/iphistory/?domain=theworldnewsfeeds.com
- 199.19.110.7 2012-01-11 unknown range viewdns.info/reverseip/?t=1&host=199.19.110.7 small virtual:
  - Hits
    classymotors.net
    russiansportsworld.com
    urbestbod.com
  - Not hits:
    angelesmesapc.org: web.archive.org/web/20110623222054/http://angelesmesapc.org/ seems legit.
    web.archive.org/web/20110701070546/http://www.gralnickandsale.com/ broken
    web.archive.org/web/20110208064143/http://magnoliahousephotography.com/ commercial
    web.archive.org/web/20101229224456/http://rdns13.net/ cgi bin
- 74.200.252.212 United States RACKSPACE 2011-11-13 unknown range. viewdns.info/reverseip/?t=1&host=74.200.252.212 small virtual fully explored:
  - web.archive.org/web/20110202113450/http://vhserver2.com/ Joomla
  - web.archive.org/web/20110207191522/http://haugofamily.com/ redirecting

199.85.212.118 just-kidding-news.com. ATT-INTERNET4 in United States.

199.85.212.118 rdns source: 2013 DNS Census virtual host cleanup heuristic keyword searches, dnshistory.org (2009-09-23 -> 2011-01-25) and viewdns.info: "location": "United States", "owner": "VIMRO, LLC", "lastseen": "2012-01-11". Tested viewdns.info range: 199.85.212.95 - 199.85.212.128. Not sure worth it given the many 2013 DNS Census misses surrounding.
- 199.85.212.98: colorsxpress.com. Legit
- 199.85.212.104:
  - jobindons.com 2013-10-19.
  - piogroup.org 2012-12-29.
- 199.85.212.105: mide-news.com. Hit.
- 199.85.212.109: game2be.com. Infinite load loop: web.archive.org/web/20080102074404/http://www.game2be.com/ cqcounter.com/whois/www/game2be.com.html error not found.
- 199.85.212.111:
  - newsandsportscentral.com. Hit.
  - and many many others, not bothering with it
- 199.85.212.115: veryperi.com. Legit? 2011. Style is similar.
- 199.85.212.116: approselect.com. Legit?
- 199.85.212.117: innovative-software-solutions.com. broken/legit cqcounter.com/whois/www/innovative-software-solutions.com.html broken.
- 199.85.212.118: just-kidding-news.com. Hit.
- 199.85.212.119: invisus.com. Legit
- 199.85.212.120: allurebyjustine.com. Legit?
- 199.85.212.121: stockprouniversity.com cqcounter.com/whois/www/stockprouniversity.com.html legit?
- 199.85.212.122: stjosephswoodshop.com Legit?
- 199.85.212.125: time-spacer.net. Welcome to the US Petabox. cqcounter.com/whois/www/time-spacer.net.html service unavailable
- 199.85.212.132: qualitytrans.net. Legit?
- 199.85.212.134: mywellnessminder.com. Legit?
- 199.85.212.138: crystalglassinc.com
- 199.85.212.140: davistech-llc.com
68.178.232.100: see rastadirect.net. rdns source: viewdns.info: "location": "United States", "owner": "GoDaddy.com, LLC", "lastseen": "2012-06-29"
209.85.45.84. Tested viewdns.info range: 209.85.45.74 - 209.85.45.94.
- 209.85.45.2: dz8.dailyrazor.com
- 209.85.45.2: jr4consulting.com
- 209.85.45.41: guitarzza.com. No archives of time.
- 209.85.45.46: evergraindecking.com. No archives of time.
- 209.85.45.114: mauritiuspropertyconsultant.com. Legit/ broken.
- 209.85.45.160: bieltvedt.net. No archives of time.
- 209.85.45.160: golfstats.dk. No archives.
- 209.85.45.225: infokus.ca
- 209.85.45.225: mail.tomlatham.net
- 209.85.45.225: mail.tomlatham.org
- 209.85.45.239: flavacationcenter.com

204.176.38.143 noticiassofisticadas.com. UUNET in United States. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 204.176.38.125 - 204.176.38.154

204.176.38.130: i-pressnews.com. Hit.
204.176.38.132: turkishnewslinks.com. Hit.
204.176.38.134: photographyarecord.com. Hit.
204.176.38.135: breakingthewicket.com. Hit.
204.176.38.136: politicalworldtoday.com. Hit.
204.176.38.137: hi-tech-today.com. Hit.
204.176.38.138: continental-business-news.com. TODO. rss-item, split images. 2011. Cannot find comms. Also header and footer are not limited width which is unusual. Further HTML similarity reversing would be needed.
204.176.38.139: bigscreenbattles.com. Hit.
204.176.38.141: rakotafootball.com. Hit.
204.176.38.142: senderosdemontana.com. Hit.
204.176.38.143: noticiassofisticadas.com. Hit.
204.176.38.144: techno-today.com. Hit.
204.176.38.145: tickettonews.com. Hit.
204.176.38.146: dps-digitalphotosharing.com. Hit.
204.176.38.147: theputtingreen.com. Hit.
204.176.38.149: sportsnewstodayar.com. Hit.
204.176.38.150: kairuafricanews.com. Hit.

204.176.39.115 globalprovincesnews.com. UUNET in United States. Tested viewdns.info range: 204.176.39.93 - 204.176.39.124

204.176.39.97: beamingnews.com. Hit.
204.176.39.98: cubriendonoticias.com. Hit.
204.176.39.100: rowleyworldpost.com. Hit.
204.176.39.101: noticiastopicas.com. No archives. cqcounter.com/whois/www/noticiastopicas.com.html not found.
204.176.39.103: economicnewsbuzz.com. Hit.
204.176.39.104: spectranewsonline.com. Hit.
204.176.39.105: entertainmentnewscompany.com. Hit.
204.176.39.107: guidetoelectronics.net. Uncertain. 2010. English. tech, electronics. Split images, rss-items. Comms not found, likely CGI comms variant on unarchived login page:. web.archive.org/web/20101230025246/http://guidetoelectronics.net/login.html
204.176.39.110: arabnewsatdawn.com. Hit.
204.176.39.114: messengergalaxy.com. Uncertain. 2011. Would be the first example of something more commercial/service offering we've seen so far. Possible CGI comms variant.
204.176.39.115: globalprovincesnews.com. Hit.
204.176.39.116: mahparah-news.com. Hit.
204.176.39.119: commercialspacedesign.com. Hit.

207.150.191.68 technologypresstoday.com. Saudi Telecom Company JSC in Saudi Arabia.

technologypresstoday.com. Hit. 2011. JAR. Farsi. RSS, split images.
- viewdns.info/iphistory/?domain=technologypresstoday.com says 72.13.93.206 Santa Clara - United States EGIHOSTING 2012-01-11. viewdns.info/reverseip/?host=72.13.93.206&t=1 says large virtual.
- dnshistory.org/dns-records/technologypresstoday.com says empty
- securitytrails.com/domain/technologypresstoday.com/history/a
  - 72.13.93.203 EGIHosting 2009-07-20 (16 years) 2009-07-27 (16 years) 7 days
  - 64.13.159.156 Wave Broadband 2009-05-30 (16 years) 2009-07-16 (16 years) 2 months. viewdns.info/reverseip/?t=1&host=64.13.159.156 empty.
  - 207.150.191.68 Saudi Telecom Company JSC 2009-01-21 (16 years) 2009-05-22 (16 years) 4 months
  - 68.178.232.100 GoDaddy.com, LLC 2009-01-14 (16 years) 2009-01-20 (16 years) 6 days
worldofonlinenews.com. Hit.
- dnshistory.org/historical-dns-records/a/worldofonlinenews.com 2015-12-15 -> 2016-04-21 108.167.161.90 presumably from the legit era
- viewdns.info/iphistory/?domain=worldofonlinenews.com
  - 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-02 virtual
  - 207.150.191.68 Saudi Arabia Saudi Telecom Company JSC 2011-04-04 virtual
mywebofnews.com. Hit.
- dnshistory.org/historical-dns-records/a/mywebofnews.com 2010-03-09 -> 2010-08-14 207.150.191.68 But this has several hits for the same IP on DNS Census 2013 which is unusual:
```
3xhunter.com|2012-04-12T07:53:24|207.150.191.68
dreamersoul.net|2012-04-11T22:06:18|207.150.191.68
exdump.com|2012-02-03T11:42:44|207.150.191.68
```
viewdns.info/reverseip/?host=207.150.191.68&t=1 is medium virtual:
- world-high.info: cqcounter.com/whois/www/world-high.info.html legit wordpress
- viewdns.info/iphistory/?domain=mywebofnews.com no hits
  68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-27 virtual
  207.150.191.68 Saudi kkkArabia Saudi Telecom Company JSC 2011-06-22 virtual
viewdns.info/reverseip/?host=207.150.191.68&t=1
- kickofffootballnews.com. Hit. viewdns.info/iphistory/?domain=kickofffootballnews.com to that IP alone
- ithaiproperty.com. Legit. web.archive.org/web/20111001231548/http://www.ithaiproperty.com/
- themaconnightlife.com: no archives: web.archive.org/web/20250000000000*/themaconnightlife.com. cqcounter.com/whois/www/themaconnightlife.com.html sems legit.
- web.archive.org/web/20110202093639/http://theadvancompany.com/ cgi-bin directory
- web.archive.org/web/20091212001404/http://www.toddlerbedrailshop.com/ off
- cqcounter.com/whois/www/texasdavisfive.com.html off
- web.archive.org/web/20250000000000*/geldherrin-lady-estefania.com no archives.

207.210.250.132 aeronet-news.com. AS17378 in United States. This is the Autonomous System Number for TierPoint, LLC. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 207.210.250.126 - 207.210.250.157

207.210.250.131: starrynightnews.com. Hit.
207.210.250.132: aeronet-news.com. Hit.
207.210.250.133: bakaribulletin.com. Hit.
207.210.250.134: deprensaenlarevisiondehoy.com. Hit.
207.210.250.135: icwb-news.com. Hit.
207.210.250.136: sportsreelhighlights.com. Hit.
207.210.250.137: fashionforward.info. No archives. cqcounter.com/whois/www/fashionforward.info.html innovative but has a "Member" section. Stock lady visible somwhere at westlahairgrowth.com/?page_id=12158 according to Google images but I couldn't find it easily in the page.
207.210.250.138: inquiry-human-past.com. Hit.
207.210.250.139: thefairwaysaregreen.com. Hit.
207.210.250.142: russiaupdate.com. Hit.
207.210.250.143: archaeologyreview.net. Hit.
207.210.250.144: highspeed-news.com. No archives. cqcounter.com/whois/www/highspeed-news.com.html not found.
207.210.250.146: noticias-caracas.com. Hit.
207.210.250.147: bailandstump.com. Hit.
207.210.250.148: classicalmusic4arab.com. Hit.
207.210.250.149: globalventurestat.com. Hit.
207.210.250.152: al-rashidrealestate.com. Hit.
207.210.250.153: newsintheworld-ru.com. Hit.
207.210.250.154: news-unlimited.info. Hit.

208.93.112.105 fastnews-online.com. TULIP-SYSTEMS in United States. Checked viewdns.info range: 208.93.112.90 - 208.93.112.155

208.93.112.101: cketnews.com: web.archive.org/web/20070612034201/http://cketnews.com/. Archives from 2007 and off style. cqcounter.com/whois/www/cketnews.com.html not found.
208.93.112.105: fastnews-online.com. Hit.
208.93.112.106: travelxtreme.net. Hit.
208.93.112.108: nbanewsroundup.com. Hit.
208.93.112.110: luxuryfive.net. Hit.
208.93.112.111: topfootballnewsonline.com. Hit.
208.93.112.112: todaysportscores.com. Hit.
208.93.112.113: mostefficientself.com. Uncertain. cqcounter.com/whois/www/mostefficientself.com.html hard to tell. One is reminded of fightorgohome.com.
208.93.112.114: dynamicworldnews.com. Hit.
208.93.112.116: gazingvoyage.com. Hit.
208.93.112.123: garundipost.com. Hit.
208.93.112.125: theradioamateurs.com: no archives. cqcounter.com/whois/www/theradioamateurs.com.html not found.

208.254.38.39 todaysengineering.com. COLO-PREM-VZB in United States.

Tested viewdns.info range: 208.254.38.9 - 208.254.38.86. Weirdly empty, doesn't even show the domain iteslf!
- 208.254.38.39: todaysengineering.com. Hit. rdns source: both viewdns.info and 2013 DNS Census
- 208.254.38.56: nejadnews.com. Hit.
68.178.232.100: source: securitytrails.com. 2009-11-24 - 2009-12-11, GoDaddy.com, LLC

208.254.40.117 worldnewsandent.com. COLO-PREM-VZB in United States. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117: Net Range 208.192.0.0 - 208.255.255.255. Tested viewdns.info range: 208.254.40.92 - 208.254.40.135

208.254.40.96: sixty2media.com. Hit.
208.254.40.99: newspoliticssource.com. Hit.
208.254.40.110 musical-fortune.net. Hit.
208.254.40.113: ashoka-gemstones.com. Hit.
208.254.40.117: worldnewsandent.com. Hit.
208.254.40.124: riskandrewardnews.com. Hit.
208.254.40.129: mailb.casella.com. Legit.

208.254.42.205 driversinternationalgolf.com. COLO-PREM-VZB in United States. Tested viewdns.info range: 208.254.42.178 - 208.254.42.233.

208.254.42.35: mystorytimefriends.com. Broken/legit.
208.254.42.194: it-proonline.com. Hit.
208.254.42.200: riccs.mwcog.org. Legit. Reverse IP source: 2012 Internet Census, 2012-05-14.
208.254.42.205: driversinternationalgolf.com. Hit.
208.254.42.209: mardelsurnoticias.com. Hit. Reverse IP source: viewdns.info
208.254.42.215: nowfreshfinances.com. Hit.
208.254.42.216: circulatingnews.net. Hit.
208.254.42.219: westingtonpassnews.com. Hit. Reverse IP source: 2013 DNS Census
208.254.44.155: brandimpact.com. Legit/broken: web.archive.org/web/20070801000000*/brandimpact.com
208.254.45.105: operatorenum.com. Legit/broken: web.archive.org/web/20100301000000*/operatorenum.com

209.162.192.49 rastadirect.net. DF-PTL2-3 in Gresham - United States. Source: securitytrails.com and cqcounter.com/site/rastadirect.net.html. Tested viewdns.info: 209.162.192.30 209.162.192.70
* 209.162.192.44: thejewelofsouthamerica.com. Hit.
* 209.162.192.49: rastadirect.net. Hit.
* 209.162.192.51: yellow-chair-report.com. Hit.
* 209.162.192.54: tutkulu-turu.com. Possible hit. domainsbyproxy.com 2008-03-04. Weird style made up exclusively of cut up images, including the text itself where links would normally be. Turkish. Archive a bit weird with images on top of text. 2011 Copyright 2006. Unarchived link to web.archive.org/web/20110129065840/http://tutkulu-turu.com/login.html with title "Kullanıcı adı" (Username). Headline "Online seyahat etmek acenta" translates to "Online travel agency".
* 209.162.192.57: globalnewsreports.net. Hit.
* 209.162.192.59: easytravelsite.net. Hit.
* 209.162.192.70: phrio.com. Off date. viewdns.info/reverseip/?t=1&host=209.162.192.70

68.178.232.100 - United States - GoDaddy.com - 2011-05-02. Reverse IP source: viewdns.info
- +-20 range: several domains on each IP, but can't find any hits easily
There are actualy talk pages about this IP
- community.spiceworks.com/
- talk.plesk.com/threads/warning-the-domain-resolves-to-another-ip-address.77764/
- support.google.com/cloudidentity/answer/2579934?hl=en actually used as an example here?

210.80.75.55 philippinenewsonline.net. UUNET in Australia. Tested viewdns.info range: 210.80.75.30 - 210.80.75.67

210.80.75.35: aroundtheworldnews.net. No archives. ipinf.ru/domains/210.80.75.33/ disagrees and places it at .33.
210.80.75.36: e-commodities.net. Hit.
210.80.75.37: trekkingtoday.com. Hit.
210.80.75.41: multinews-33.com. Hit.
210.80.75.42: movimientodenticias.com. No archives. cqcounter.com/whois/www/movimientodenticias.com.html blank.
210.80.75.43: gulfandmiddleeastnews.com. Hit.
210.80.75.44: whirlybirdinflight.com. Hit.
210.80.75.45: kings-game.net. Hit.
210.80.75.46: topglobalnewsdaily.com. Hit.
210.80.75.49: recipe-dujour.com. Hit.
210.80.75.53: sportsman-elite.com. Hit.
210.80.75.55: philippinenewsonline.net. Hit.
210.80.75.56: technewsforme.com. Hit.
210.80.75.59: goldeportesnoticias.com. Hit.
210.80.75.68: gigabyte-usa.com. Legit.

212.4.16.232 mynewscheck.com. UUNET in Cassano d'Adda - Italy. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.16.214 - 212.4.17.198. ipinf.ru/domains/?search=212.4.17.125&cust=1 says they are /19, so .16 and .17 are both the same range from a registration perspective::

212.4.16.224: lanoticiasdehoyelinforme.com. Hit.
212.4.16.232: mynewscheck.com. Hit.
212.4.16.239: saktimarsgolf.com 2012-06-29. Broken/legit/no archives of relevant date: web.archive.org/web/20081031060207/http://saktimarsgolf.com/. cqcounter.com/whois/www/saktimarsgolf.com.html blank.
212.4.16.245: financial-crisis-news.com. Hit.
212.4.16.252: minutosdenoticias.com. Hit. web.archive.org/web/20100517151612/http://minutosdenoticias.com/

212.4.17.38 fightwithoutrules.com. UUNET in Cassano d'Adda - Italy. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117. Net Range: 208.192.0.0 - 208.255.255.255. Organization: Name: Verizon Business. Tested viewdns.info range: see 212.4.16.* above

212.4.17.38: fightwithoutrules.com. Hit.
212.4.17.41: newtechfrontier.com. Hit.
212.4.17.43: smart-travel-consultant.com. Hit.
212.4.17.46: atentlaloc.com. Hit.
212.4.17.53: newsresolution.net. Hit.
212.4.17.56: lesummumdelafinance.com. Hit.
212.4.17.56: thepinnacleoffinance.com. No Wayback machine archives. cqcounter.com/whois/www/thepinnacleoffinance.com.html blank.
212.4.17.61: tech-stop.org. Archive: 2011. Feels likely. No commons found. .org hit? Has subdomain "gear.tech-stop.org" according to 2013 DNS Census, which suggests CGI comms, but no links to it
212.4.17.98: topbillingsite.com. Hit.
212.4.17.122: b2bworldglobal.com. Hit.
212.4.17.125: worldaroundyunnan.com. Hit.
212.4.17.160: localtoglobalnews.com. Hit.

There were also some other reverse IP hits for fightwithoutrules.com, but no CIA websites there:

204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26. Many domains.
208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20. Many domains.

Other hits:

208.91.197.132. rdns source: viewdns.info: "location" : "British Virgin Islands", "owner" : "Confluence Networks Inc", "lastseen" : "2013-09-26". So this is after the previous one, unlikely to be correct.
205.178.189.131. source: securitytrails.com

212.4.18.129 sightseeingnews.com. UUNET in Cassano d'Adda - Italy. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.18.115 - 212.4.18.148. TODO expand. Interesting wide/sparse range? Or perhaps it's two separate ranges?

212.4.18.129: sightseeingnews.com. Hit. Presumably also present under fgnl.net on its second IP range, since this is near 212.4.18.133? viewdns.info gives this as the only IP for the domain.
212.4.30.210: iprintitaly.com. Legit: web.archive.org/web/20230000000000*/http://www.iprintitaly.com/

212.209.74.105 globalbaseballnews.com. UUNET in Sweden. Tested viewdns.info range: 212.209.74.100 - 212.209.74.132. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches

212.209.74.105: globalbaseballnews.com. Hit.
212.209.74.106: football-de-luxe.com. Hit.
212.209.74.111: worldconcerns.info. No archives. cqcounter.com/whois/www/worldconcerns.info.html empty.
212.209.74.112: developmental-league.com. Unclear. CGI comms variant? 2010. English. CGI. American football.
212.209.74.115: mediocampodefutbol.com. Hit.
212.209.74.117: myengineeringaffinity.com. Hit.
212.209.74.122: atthemovies.biz. Hit.
212.209.74.123: worldfinancialexchangenews.com. Hit.
212.209.74.124: urouttahere.com. Hit.
212.209.74.125: avoilurefixe.com. Hit.
212.209.74.126: headlines2day.com. Hit.
- 118.139.174.11. Reverse IP source: viewdns.info
  - 118.139.174.11: 712 domain hits on it
  - 118.139.174.21: theargentineanwineco.com 2013-09-26. No Wayback machine archive. cqcounter.com/whois/www/theargentineanwineco.com.html not found.
  - nothing else on the +-20 range
- 184.168.221.91. Reverse IP source: 2013 DNS Census
  - 184.168.221.91: 40k hits on 2013 DNS Census
212.209.74.127: construction-zones.com. Unclear. CGI comms variant? 2009. No known comms found. English. construction. Has a login page: web.archive.org/web/20091130144158/http://construction-zones.com/login.html so maybe CGI comms variant

212.209.79.40 hydradraco.com. UUNET in Sweden. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just after globalbaseballnews.com. Tested viewdns.info range: 212.209.79.35 - 212.209.79.63

212.209.79.34: fgnl.net. Hit. securitytrails.com provides IP history:
- 212.209.79.34: 2008-09-01 - 2010-04-19.
- 212.4.18.133: 2010-04-19 - 2019-06-19. Tested viewdns.info range: 212.4.18.122 - 212.4.18.148
both under MCI Communications Services, Inc. d/b/a Verizon Business.
212.209.79.37: fitness-sources.com. Hit.
212.209.79.40: hydradraco.com. Hit.
212.209.79.41: noticiasdelmundolatino.com. Hit.
212.209.79.42: suparakuvi.com. Hit.
212.209.79.44: myigadgets.net. Unclear. 2010. tech. Contains some helpers to: iGoogle. This page is very interesting. and quite different from the others, as it contains highly specialized functionality. No known comms found. The choice of homepage languages is also very suspicious: Arabic, Farsi, French, Chinese and Spanish.
212.209.79.46: cetusdelph.com. Hit.
212.209.79.47: willtoworship.com. Hit. domainsbyproxy.com
212.209.79.48: themvconnection.com. Hit.
212.209.79.51: pi-resources.net. Hit.
212.209.79.52: newel-adserver.com. Redirects to newel.com which is legit. cqcounter.com/whois/www/newel-adserver.com.html blank.
212.209.79.53: ourscubaworld.com. Hit.
212.209.79.58: tech-love-home.com. Hit.
212.209.79.60: first-solo-aviation.com. Hit.
212.209.79.61: china-destinations.org. Hit.

212.209.90.84 thenewseditor.com. UUNET in Sweden. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.209.90.64 - 212.209.90.99

212.209.90.69: worldedgenews.com. Hit.
212.209.90.72: talkingpointnews.info. Hit.
212.209.90.74: globalinvestmentnews.net. Hit.
212.209.90.75: prebitinvestment.com. Hit.
212.209.90.77: energy-bulb.com 2011. English. energy. Comms not found, but has unarchived link to: web.archive.org/web/20110128182345/https://webmail.energy-bulb.com/login.html. CGI comms variant?
212.209.90.79: freeblink.com. No archives for timerange, then legit. cqcounter.com/whois/www/freeblink.com.html off-style
212.209.90.80: nsmovies.net. Hit.
212.209.90.82: middleeastjournal.net. Hit.
212.209.90.84: thenewseditor.com. Hit.
212.209.90.87: newsandweathersource.com. Hit.
212.209.90.89: pakisports.com. Hit.
212.209.90.90: vriha-aesthetics.com. Hit.
212.209.90.92: amishkanews.com. Hit.
212.209.90.93: theentertainbiz.com. Hit.
212.209.90.94: eurosportssummary.com. Hit.
212.209.91.14: teracom.net. Legit

216.93.248.194 esmundonoticias.com. TWDX in Chelmsford - United States.

dnshistory.org/historical-dns-records/a/esmundonoticias.com 2010-02-05 -> 2010-08-02 216.93.248.194. Tested viewdns.info range: 216.93.248.184 216.93.248.204. viewdns.info/reverseip/?host=216.93.248.194&t=1 gives:
- hits:
  - esmundonoticias.com 2012-01-11
  - kukrinews.com 2011-06-22
    dnshistory.org/historical-dns-records/a/kukrinews.com 2010-02-26 -> 2010-08-07 216.93.248.194
    viewdns.info/iphistory/?domain=kukrinews.com 216.93.248.194 Malden - United States TWDX 2011-06-22
  - lasthournews.com 2010-02-27 -> 2010-08-07
  - tech-geek-news.com 2012-01-11
- not hits;
  - 216.93.248.194: coxsackielive.com 2012-06-29. No archives. dawhois.com/www/coxsackielive.com.html off.
  - 216.93.248.194: datapakassociates.org 2012-04-27. No rachives. dawhois.com/www/datapakassociates.org.html off.
  - 216.93.248.194: easywebworld.net 2012-02-27. Broken: web.archive.org/web/20101229051406/http://easywebworld.net/ "This Site Is Under Construction. Come Back Soon!" so seems legit. dawhois.com/www/easywebworld.net.html same.
  - 216.93.248.194: librarianhelper.com 2013-06-30. Parked domain girl. dawhois.com/www/librarianhelper.com.html not found.
  - 216.93.248.194: ualbanycornerstone.org 2012-04-13. Legit.
viewdns.info/iphistory/?domain=esmundonoticias.com 216.93.248.194 Malden - United States TWDX 2012-01-11. Tested. viewdns.info/reverseip/?t=1&host=216.93.248.194 small virtual.

216.104.38.114 all-sport-headlines.com. SINGLEHOP-LLC in United States.

viewdns.info/iphistory/?domain=all-sport-headlines.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-11-12 virtual
- 216.104.38.114 United States SINGLEHOP-LLC 2012-09-21. Tested viewdns.info range: 216.104.38.104 216.104.38.124
  - viewdns.info/reverseip/?t=1&host=216.104.38.114
    hits:
    * wahidfutbol.com
    * wildbirds-seasia.com
    not hits:
    web.archive.org/web/0/oaksathighlandlakes.com no archives
    web.archive.org/web/20110208080756/http://www.weathersbyhoa.com/cgi-bin/index.pl?action=main
    web.archive.org/web/20110202205540/http://www.themeadowssubdivisionhoa.com/cgi-bin/index.pl?action=main
    web.archive.org/web/20110208074306/http://bsheroics.com/ humm off there is a chance. They have actual twitter: x.com/bsheroics nevermind. And: www.facebook.com/profile.php?id=100078200499209
    afterawhilecrocodile.info 2011-07-26. Legit.
securitytrails.com/domain/all-sport-headlines.com/history/a adds
- 66.246.218.219 Cologix, Inc 2008-09-01 (17 years) 2008-11-25 (16 years) 3 months. viewdns.info/reverseip/?t=1&host=66.246.218.219 empty.

216.105.98.152: modernarabicnews.com. SAVVY-NET in United States. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 216.105.98.125 - 216.105.98.167

216.105.98.118:
- estudashboard.com: broken cqcounter.com/whois/www/estudashboard.com.html not found
- fintrade.us: legit
216.105.98.132: europeantravelcafe.com. Hit.
216.105.98.134: fuenteneta.com. Hit.
216.105.98.135: ilat-news.com. Hit.
216.105.98.136: etherealinspirations.net. Hit.
216.105.98.137: the-news-zone.com. Hit.
216.105.98.138: photozoomnews.com. No archives. cqcounter.com/whois/www/photozoomnews.com.html empty
216.105.98.139: cultura-digital.net. Hit.
216.105.98.140: uaeshoppingspree.com. Hit.
216.105.98.141: jabarifootball.com. No archives. "Jabari" is a Swahili/Arabic name ^[ref]. cqcounter.com/whois/www/jabarifootball.com.html not found.
216.105.98.142: globalreview-ar.com. No archives. Shame, could have been our first Argentinian site. cqcounter.com/whois/www/globalreview-ar.com.html empty.
216.105.98.144: garanziadellasicurezza.com. Hit.
216.105.98.145: montanismoaventura.com. Hit.
216.105.98.146: large-format-news.com. Hit.
216.105.98.147: nepalnewsbrief.com. Hit. dnshistory.org marks it as having IP 2010-03-10 -> 2010-08-15 216.169.148.94 ^[ref]. This range does feel a bit different from the others, too many broken archives, and relatively early ones too. Explored viewdns.info range: 216.169.148.84 - 216.169.148.104, empty for period. domainsbyproxy.com.
216.105.98.148: teclafinance.com. Hit.
216.105.98.149: entreman.com. Hit.
216.105.98.152: modernarabicnews.com. Hit.
216.105.98.153: global-headlines.com. Hit.
216.105.98.154: everythingcricket.org. Hit.
216.105.98.156: familyhealthonline.net. Hit.
216.105.98.157: delacorne.com. Hit.
216.105.98.158: econfutures.com. Hit.
216.105.98.161: kstcloud.com. No archives. cqcounter.com/whois/www/kstcloud.com.html not found

219.90.61.123 journeystravelled.com. UUNET in Taiwan. Tested viewdns.info range: 219.90.61.100 - 219.90.61.133

219.90.61.100: pressstory.com: "Under construction". web.archive.org/web/20110128124548/http://pressstory.com/. cqcounter.com/whois/www/pressstory.com.html same
219.90.61.103: bet2plays.com. "Under construction". Unlikely thematic, too spicy. cqcounter.com/whois/www/bet2plays.com.html same
219.90.61.110: surya-brahma.com. Hit
219.90.61.111: classicalmusicboxonline.com. Hit.
219.90.61.116: athletepro.net. Hit.
219.90.61.117: lajornadanow.com. Hit.
219.90.61.119: aviation-navigation.com. Hit.
219.90.61.120: theinternationalworld.com. Hit.
219.90.61.121: thepyramidnews.com. Hit.
219.90.61.122: iran-newslink-today.com. Hit.
219.90.61.123: journeystravelled.com. Hit.

219.90.62.243 fitness-dawg.com. UUNET in Taiwan. whois.arin.net/rest/net/NET-219-0-0-0-1/pft?s=219.90.62.243. Net Type: Allocated to APNIC. Tested viewdns.info range: unknown - 219.90.62.255

219.90.62.173:
- dominatingduos.com: 2013-08-12T17:53:09. No archive. cqcounter.com/whois/www/dominatingduos.com.html empty
- has other domains
219.90.62.193: centralnewsreleasers.com. Only a 2018 of the robots.txt: web.archive.org/web/*/http://centralnewsreleasers.com/* so likely not a hit. cqcounter.com/whois/www/centralnewsreleasers.com.html not found.
219.90.62.209: penniesbythemillions.com. No archives. cqcounter.com/whois/www/penniesbythemillions.com.html not found.
219.90.62.229: information-junky.com. Hit.
219.90.62.231: todosperuahora.com. Hit.
219.90.62.232: race26point2.com. Hit. No archives, but has subdomain: secure.race26point2.com, so likely CGI comms. cqcounter.com/whois/www/race26point2.com.html somewaht in-style and also a "members" link, presumably linking to secure.race26point2.com. The "26" and "2" are not very clear, but tagline clarifies "leading the race on the latest running news and events" so it's a running news website
219.90.62.233: theworld-news.net. Hit.
219.90.62.234: recuerdosdeviajeonline.com. Hit
219.90.62.235: ordenpolicial.com. Hit.
219.90.62.240: cityworldnewsnow.com. Hit. No archives but has subdomain: secure.cityworldnewsnow.com so likely CGI comms. cqcounter.com/whois/www/cityworldnewsnow.com.html in-style, arab world mentions.
219.90.62.237: elcorreodenoticias.com. Hit.
219.90.62.238: freshtechonline.com. Hit.
219.90.62.240: cityworldnewsnow.com. Hit.
219.90.62.241: newscentertoday.com. Hit.
219.90.62.242: ride-captain.com. Hit.
219.90.62.244: easytraveleurope.com. Hit.
219.90.62.245: world-news-now.net. Hit.
219.90.62.246: negativeaperture.com. Hit.
219.90.62.247: conquermstoday.com. Hit
219.90.62.249: forensic-exchange.com. 2013 archive: web.archive.org/web/20130714094026/http://forensic-exchange.com/. Appears to be a buggy Wayback Machine archive somehow, so inconclusive. cqcounter.com/whois/www/forensic-exchange.com.html in-style, clarifies focus on computer.

 Read the full article

CIA 2010 covert communication websites / Hits without nearby IP hits  Updated 2025-05-26  +Created 1970-01-01

 View more

Here we list of suspected domains for which the correct IP was apparently not found since there are no neighbouring hits.

These are suspicious, and suggest either that we didn't obtain the correct reverse IP, or a change in CIA methodology from an older time at which they were not yet using the obscene IP ranges.

For example, in the case of inews-today.com, 2013 DNS Census gave one IP 193.203.49.212, but then viewdns.info gave another one 66.175.106.146 which fit into an existing IP range, and which assumed to be the correct IP of interest.

A similar case happened when we found IP 212.209.74.126 for headlines2day.com with dnshistory.org: dnshistory.org/historical-dns-records/a/headlines2day.com.

It is also possible that some of them are simply false positives so they should be taken with a grain of salt. Further reverse engineering e.g. of comms or HTML analysis might be able to exclude some of them.

It is interesting to note that Reuters seems to have featured disproportionately many hits from that range, one wonders why that happened. It is possible that they chose these because they actually didn't have any nearby hits to give away less obvious information, though they did pick some from the ranges as wel.

In what follows we list the domains with possible reverse IPs and what was explored so far for each. We consider IPs not in a range to be uncertain, and that instead their domains might have been previously in a range which we

dailynewsandsports.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches

216.119.129.94. rdns source: viewdns.info "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2012-04-13". Tested viewdns.info range: 216.119.129.85 - 216.119.129.86, 216.119.129.89 - 216.119.129.99, ran out of queries for 87 and 88
- 216.119.129.90: eastdairies.com 2011-04-04. Promising name and date, but no archives alas.
- 216.119.129.97: miideaco.com 2016-02-01
216.119.129.114 Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches, also present on viewdns.info but at a later date from previous "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2013-11-29". Tested viewdns.info range: 216.119.129.109 - 216.119.129.119
- 216.119.129.110: dommoejmechty.com.ua. Legit.
- 216.119.129.111: dailybeatz.com: Legit
- 216.119.129.113:
  - audreygeneve.com
  - reyzheng.com
  - jacintorey.com
- 216.119.129.114: dailynewsandsports.com. hit.
- 216.119.129.115: afxchange.com legit/broken
- 216.119.129.116: danafunkfinancial.com: legit
208.73.33.194 on securitytrails.com
- 69.64.155.77 Amazon.com, Inc. 2008-12-10 (16 years) 2008-12-19 (16 years) 9 days
- 68.178.232.100 GoDaddy.com, LLC 2008-10-04 (16 years) 2008-11-02 (16 years) 29 days
- 208.73.33.194 Jumpline Inc 2008-09-01 (17 years) 2008-10-03 (16 years) 1 month

iranfootballsource.com:

34.98.99.30 Kansas City - United States Google LLC 2021-05-24
184.168.221.94 United States GoDaddy.com 2020-07-21
50.63.202.66 United States GoDaddy.com 2020-07-07
50.63.202.86 United States GoDaddy.com 2020-05-28
184.168.221.94 United States GoDaddy.com 2020-05-13
50.63.202.74 United States GoDaddy.com 2020-04-29
50.18.223.191 San Jose - United States Amazon.com 2015-03-23. Sources: 2013 DNS Census and viewdns.info
- no viewdns.info hits +- 10
85.13.200.108 United Kingdom Coreix Dedicated Customer Allocation 2013-06-30. Source: viewdns.info
- 85.13.200.108: 1000 hits, so unlikely to be the one

iraniangoalkicks.com:

68.178.232.100: treverse IP source: viewdns.info. see rastadirect.net.
208.71.138.130 2010-02-22 -> 2010-08-06, QWK.net Hosting, L.L.C.. source: dnshistory.org/historical-dns-records/a/iraniangoalkicks.com. Large shared hosting domain, no good nearby hits, several legit sites.
securitytrails.com/domain/iraniangoalkicks.com/history/a says:
- 2011-03-31 68.178.232.100
- 2008-09-01 208.71.138.130

iraniangoals.com:

68.178.232.100: see rastadirect.net
69.65.33.21 - Flushing - United States - GigeNET - 2011-09-08. Also at: dnshistory.org/historical-dns-records/a/iraniangoals.com 2009-08-03 -> 2011-01-12 69.65.33.21 viewdns.info/reverseip/?t=1&host=69.65.33.21 80 virtual nothing pops to eye on quick read:
- 69.65.33.2: onemincustomerservice.com. web.archive.org/web/20091015044922/http://www.onemincustomerservice.com/. Doesn't feel like a hit. cqcounter.com/whois/www/onemincustomerservice.com.html error
- 69.65.33.5: 400+ domains
- 69.65.33.6: 4 domains but recent resolutions only
- similar status for everything else withing +-20. A couple of domains, no easy hits
securitytrails.com/domain/iraniangoals.com/history/a same from 2008-09-17

football-enthusiast.com:

212.4.18.14: Tested viewdns.info range: 212.4.18.1 - 212.4.18.29. This is a curious case, rather close to 212.4.18.129 sightseeingnews.com, but not quite in the same range apparently. Viewdns.info also agrees on its history with only "212.4.18.14", "location" : "Milan - Italy", "owner" : "MCI Worldcom Italy Spa", "lastseen" : "2013-06-30" of interest.

cyhiraeth-intlnews.com:

dnshistory.org/historical-dns-records/a/cyhiraeth-intlnews.com 2009-07-31 -> 2011-01-05 0.0.0.0 WTF?
viewdns.info/iphistory/?domain=cyhiraeth-intlnews.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-27 virtual
- 0.0.0.0 Unknown Unknown 2011-07-02. Hmm also the 0.0.0.0. Weird!

news-latina.com: domainsbyproxy.com 2007-12-17

dnshistory.org/historical-dns-records/a/news-latina.com 2010-03-11 -> 2010-08-16 64.92.111.3. this has several hits for the same IP on DNS Census 2013 which is unusual. Tested viewdns.info range: 64.92.111.1 - 64.92.111.13
- 64.92.111.2 virtual
- 64.92.111.3 virtual
viewdns.info/iphistory/?domain=news-latina.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-08-11 virtual
- 64.92.111.3 United States MASSIVE-NETWORKS 2011-07-27 mdeium virtual viewdns.info/reverseip/?t=1&host=64.92.111.3

europeannewsflash.com:

viewdns.info/iphistory/?domain=europeannewsflash.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-10-09 virtual
- 216.131.66.209 San Francisco - United States STRTEC 2011-09-08. Tested viewdns.info range: 216.131.66.201 216.131.66.219
dnshistory.org/historical-dns-records/a/europeannewsflash.com 2010-02-06 -> 2010-08-02 216.131.66.209. Tested.

outlooknewscast.com:

dnshistory.org/historical-dns-records/a/outlooknewscast.com
- 2009-08-08 -> 2011-02-11 74.53.159.130. Tested viewdns.info range: 74.53.159.120 - 74.53.159.140
  - 74.53.159.130: aeromedhistory.org 2014-11-29
  - 74.53.159.130: mariposahorticultural.com 2022-11-28
  - 74.53.159.130: thewritestuffresume.com 2011-04-04. Legit.
viewdns.info/iphistory/?domain=outlooknewscast.com
- 204.93.178.121 Chicago - United States SERVERCENTRAL 2011-09-08. Tested viewdns.info range: 204.93.178.111 - 204.93.178.131. Skimmed through, nothing of great interest.
- 74.53.159.130 United States SOFTLAYER 2011-04-04. Tested.

24hoursprimenews.com:

dnshistory.org/historical-dns-records/a/24hoursprimenews.com 2009-12-14 -> 2011-10-04 216.9.68.24. Mid virtual: viewdns.info/reverseip/?t=1&host=216.9.68.24 had a quick look but no hits:
- web.archive.org/web/20110208211446/http://mynews-togo.com/ invalid page. dawhois.com/www/mynews-togo.com.html same.
- web.archive.org/web/20110207202025/http://nefiexpo.com/
viewdns.info/iphistory/?domain=24hoursprimenews.com 216.9.68.24 United States VONAGE-BUSINESS 2012-01-11. Tested.
securitytrails.com/domain/24hoursprimenews.com/history/a same

farsi-newsandweather.com:

dnshistory.org/historical-dns-records/a/farsi-newsandweather.com 2010-02-07 -> 2010-08-03 69.49.101.19. Tested viewdns.info range: 69.49.101.9 - 69.49.101.19
viewdns.info/iphistory/?domain=farsi-newsandweather.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-01-11 virtual
- 69.49.101.19 Canada INFB-AS 2011-11-13. Tested.

global-view-news.com:

dnshistory.org/historical-dns-records/a/global-view-news.com 2010-02-13 -> 2010-08-04 67.220.228.130. Tested viewdns.info range: 67.220.228.120 - 67.220.228.160:
- 67.220.228.150: investfromhome.co.uk 2011-09-05. No archives.
viewdns.info/iphistory/?domain=global-view-news.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-01-11 virtual
- 69.90.161.195 Canada COGECO-PEER1 2011-09-08. Unknown. Tested viewdns.info range: 69.90.161.185 69.90.161.205. Some virtual misses. viewdns.info/reverseip/?t=1&host=69.90.161.195 medium virtual, canada.

health-men-today.com:

dnshistory.org/historical-dns-records/a/health-men-today.com
- 2011-01-07 -> 2011-01-07 69.90.162.165. Tested viewdns.info range: 69.90.162.155 - 69.90.162.175. Virtuals.
- 2009-11-30 -> 2010-05-27 67.220.228.224. New range with global-view-news.com? Tested viewdns.info range: 67.220.228.214 67.220.228.234
  - 67.220.228.223: stagedwithdistinction.com 2011-10-09. One archive of godaddy only.
- 2009-08-01 -> 2009-09-19 69.42.58.50. Tested viewdns.info range: 69.42.58.40 - 69.42.58.60. Virtuals, canada.
viewdns.info/iphistory/?domain=health-men-today.com
- 204.11.56.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2014-04-19. Virtuals.
- 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Unknown range.
- 69.90.162.165 Canada COGECO-PEER1 2012-06-29. Tested.
securitytrails.com/domain/health-men-today.com/history/a
- 69.42.58.50 Aptum Technologies 2008-09-01 (17 years) 2008-09-04 (17 years) 3 days

firstnewssource.com:

dnshistory.org/historical-dns-records/a/firstnewssource.com
- 2010-02-09 -> 2010-02-09 67.220.228.150 TODO new range with global-view-news.com? Tested.
- 2010-08-03 -> 2010-08-03 69.90.162.70 TODO new range with global-view-news.com?

pars-technews.com:

dnshistory.org/historical-dns-records/a/pars-technews.com 2009-08-08 -> 2011-02-13 74.220.219.104 Tested viewdns.info range: 74.220.219.94 74.220.219.114. viewdns.info/reverseip/?t=1&host=74.220.219.104 medium virtual haven't bothered much.
viewdns.info/iphistory/?domain=pars-technews.com 74.220.219.104 United States UNIFIEDLAYER-AS-1 2012-11-12. Tested.

newdaynewsonline.com:

dnshistory.org/historical-dns-records/a/newdaynewsonline.com 2010-03-10 -> 2010-08-15 76.163.54.16. Tested viewdns.info range: 76.163.54.6 76.163.54.26. viewdns.info/reverseip/?t=1&host=76.163.54.16 empty.
- 76.163.54.23: leewoodwork.com 2014-07-05
viewdns.info/iphistory/?domain=newdaynewsonline.com
- 74.91.154.56 United States INTERNAP-BLOCK-4 2012-11-12 unknown range. Tested viewdns.info range: 74.91.154.46 74.91.154.66
  - 74.91.154.61: benefitsla.com 2013-04-21. Legit.
- 76.163.54.16 United States WINDSTREAM 2011-09-08 unknown range. Tested.

sportsnewsfinder.com:

dnshistory.org/historical-dns-records/a/sportsnewsfinder.com 2009-08-11 -> 2011-02-24 66.113.196.128. Tested viewdns.info range: 66.113.196.118 66.113.196.138. viewdns.info/reverseip/?t=1&host=66.113.196.128 empty.
viewdns.info/iphistory/?domain=sportsnewsfinder.com
- 50.63.202.58 United States AS-26496-GO-DADDY-COM-LLC 2013-03-23 some similar hits on other sites, possibly all flukes
- 207.150.219.159 United States AFFINITY-INTER 2013-03-02
- 66.113.196.128 United States NETNATION 2012-01-11. Tested.

newsworldsite.com:

viewdns.info/iphistory/?domain=newsworldsite.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2013-05-20 big virtual
- 204.93.159.80 Chicago - United States SERVERCENTRAL 2013-04-21. Tested viewdns.info range: 204.93.159.70 204.93.159.90. viewdns.info/reverseip/?t=1&host=204.93.159.80 medium virtual.
  - 204.93.159.84: team-merk.com 2011-08-11. No archives.

todaysnewsreports.net:

viewdns.info/iphistory/?domain=todaysnewsreports.net
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-07-01
- 205.178.189.129 United States NETWORK-SOLUTIONS-HOSTING 2013-05-20 likely virtual
- 173.255.131.72 Reno - United States UK-2 Limited 2012-08-27. Tested viewdns.info range: 173.255.131.62 173.255.131.82. Virtual and modern hits only.
- 67.213.211.232 United States UK-2 Limited 2011-09-07 unknown. Tested viewdns.info range: 67.213.211.222 67.213.211.242. viewdns.info/reverseip/?t=1&host=67.213.211.232 empty.
  - 67.213.211.236: icf-finan.com 2015-01-20
  - 67.213.211.237: playinside.me 2016-02-04. Nice domain hack, but no.
  - 67.213.211.239: reality-sexxx.com 2011-09-08

hassannews.net:

viewdns.info/iphistory/?domain=hassannews.net
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-07-08
- 205.178.189.131 United States NETWORK-SOLUTIONS-HOSTING 2013-07-01. Likely virtual.

todayoutdoors.com:

dnshistory.org/historical-dns-records/a/todayoutdoors.com
- 2009-08-11 -> 2010-07-07 174.133.44.90. Tested viewdns.info range: 174.133.44.80 174.133.44.100. Virtual and modern. viewdns.info/reverseip/?t=1&host=174.133.44.90 two modern domains.
- 2011-03-01 -> 2011-03-01 174.123.172.82 unknown. Tested viewdns.info range: 174.123.172.72 174.123.172.92. Virtuals.
viewdns.info/iphistory/?domain=todayoutdoors.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-07-02 virtual
- 174.123.172.82 United States SOFTLAYER 2011-04-04. Tested.

globaltourist.net:

dnshistory.org/historical-dns-records/a/ 2009-07-30 -> 2011-01-01 69.59.20.215 unknown. Tested viewdns.info range: 69.59.20.205 69.59.20.225. Virtuals.
viewdns.info/iphistory/?domain=globaltourist.net
- 216.172.170.14 United States NETWORK-SOLUTIONS-HOSTING 2013-07-08
- 216.21.239.197 United States NETWORK-SOLUTIONS-HOSTING 2012-06-25
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2012-04-09 big virtual
- 174.136.34.154 United States IHNET 2012-03-12 unknown. Tested viewdns.info range: 174.136.34.144 174.136.34.164
- 74.119.145.101 Frankfurt am Main - Germany PERFORMIVE 2011-09-07. Tested viewdns.info range: 74.119.145.91 74.119.145.111. One virtual.
- 69.59.20.215 United States ATLRETAIL 2011-06-22. Tested viewdns.info/reverseip/?t=1&host=69.59.20.215
  - web.archive.org/web/20080521063605/http://piasawine.com/ index of

terrain-news.com:

JAR
viewdns.info/iphistory/?domain=terrain-news.com None in simple ranges.
- 204.11.56.25 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-11-08. Virtuals.
- 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Virtual 167. viewdns.info/reverseip/?host=208.91.197.19&t=1 not very promising.
  - eurotravelnyc.com legit web.archive.org/web/20110201195411/http://eurotravelnyc.com/
- 208.187.167.20 United States DATANOC 2012-01-11. Tested viewdns.info range: 208.187.167.10 208.187.167.30. Newer domains. viewdns.info/reverseip/?t=1&host=208.187.167.20 only has one conck.ooo. WTF.
securitytrails.com/domain/terrain-news.com/history/a same:
- 208.91.197.19 Confluence Networks Inc 2012-05-12 (13 years) 2012-05-31 (13 years) 19 days
- 208.187.167.20 Lanset America Corporation 2008-11-12 (16 years) 2009-12-09 (15 years) 1 year

intlnewsdaily.com

dnshistory.org/historical-dns-records/a/intlnewsdaily.com 2010-02-21 -> 2010-08-06 75.126.136.179. unknown range. viewdns.info/reverseip/?t=1&host=75.126.136.179 empty checked 75.126.136.171 - 75.126.136.179
viewdns.info/iphistory/?domain=intlnewsdaily.com
- 208.91.197.19 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-05-20. Virtual. Tested.
- 63.247.95.50 Austell - United States NTHL 2012-06-29 unknown. Tested viewdns.info range: 63.247.95.40 63.247.95.60
  - 63.247.95.50: 2b-sports.com 2013-04-21
  - 63.247.95.50: caldentalinsurance.com 2014-07-05
  - 63.247.95.50: cameronbal-photography.com 2012-06-29
  - 63.247.95.50: congbetham.com 2014-07-05
  - 63.247.95.50: essentialintelligenceagency.com 2023-03-07
  - 63.247.95.50: isabellavalentina.com 2014-07-05
  - 63.247.95.50: jhraccounting.com.au 2021-05-03
  - 63.247.95.50: missouribreaks294.com 2012-06-29
  - 63.247.95.50: startorganize.com 2011-08-11
  - 63.247.95.50: tifocus.net 2011-08-11
  - 63.247.95.50: tifocus.org 2011-08-10
  - 63.247.95.50: whitepartyorlando.com 2012-01-11
- 204.11.56.25 (ipinf.ru) viewdns.info/reverseip/?t=1&host=204.11.56.25 Virtual 2,999
securitytrails.com/domain/intlnewsdaily.com/history/a empty on dates

opensourcenewstoday.com:

viewdns.info/iphistory/?domain=opensourcenewstoday.com
- 68.178.232.100 United States AS-26496-GO-DADDY-COM-LLC 2011-11-13 virtual
- 64.16.193.48 Riyadh - Saudi Arabia Saudi Telecom Company JSC 2011-09-08. Tested viewdns.info range: 64.16.193.38 64.16.193.55. Ran out. viewdns.info/reverseip/?t=1&host=64.16.193.48 virtual 55, lots of porn
securitytrails.com/domain/opensourcenewstoday.com/history/a
- 64.16.193.48 Saudi Telecom Company JSC 2010-05-04 (15 years) 2010-05-20 (15 years) 16 days

techwatchtoday.com:

viewdns.info/iphistory/?domain=techwatchtoday.com
- 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-11-29 virtual
- 66.11.225.226 United States TNWEB-LEW-001 2012-01-11 unknown. Checked 66.11.225.220 - 66.11.225.233
dnshistory.org/historical-dns-records/a/techwatchtoday.com 2009-08-11 -> 2011-02-26 66.11.225.226 big shared host
securitytrails.com/domain/techwatchtoday.com/history/a same
- 66.11.225.226 TNWEB LLC 2008-11-04 (16 years) 2009-04-10 (16 years) 5 months

 Read the full article

CIA 2010 covert communication websites / Overview of Ciro Santilli's investigation  Updated 2025-05-26  +Created 2025-05-07

 View more

Ciro Santilli hard heard about the 2018 Yahoo article around 2020 while studying for his China campaign because the websites had been used to take down the Chinese CIA network in China. He even asked on Quora about it, but there were no publicly known domains at the time to serve as a starting point. Chris, Electrical Engineer and former Avionics Tech in the US Navy, even replied suggesting that obviously the CIA is so competent that it would never ever have its sites leaked like that:

Seriously a dumb question.

Figure 1.
"Seriously a dumb question" Quora answer by Chris from the US Navy
. Source.

In 2023, one year after the Reuters article had been published, Ciro Santilli was killing some time on YouTube when he saw a curious video: Video 1. "Compromised Comms by Darknet Diaries (2023)". As soon as he understood what it was about and that it was likely related to the previously undisclosed websites that he was interested in, he went on to read the Reuters article that the podcast pointed him to.

Being a half-arsed web developer himself, Ciro knows that the attack surface of a website is about the size of Texas, and the potential for fingerprinting is off the charts with so many bits and pieces sticking out. And given that there were at least 885 of them, surely we should be able to find a few more than nine, right?

In particular, it is fun how these websites provide to anyone "live" examples of the USA spying on its own allies in the form of Wayback Machine archives.

Given all of this, Ciro knew he had to try and find some of the domains himself using the newly available information! It was an irresistible real-life capture the flag.

Chris, get fucked.

Video 1.

Compromised Comms by Darknet Diaries (2023)

Source.

It was the YouTube suggestion for this video that made Ciro Santilli aware of the Reuters article almost one year after its publication, which kickstarted his research on the topic.

Full podcast transcript: darknetdiaries.com/transcript/75/

Ciro Santilli pinged the Podcast's host Jack Rhysider on Twitter and he ACK'ed which is cool, though he was skeptical about the strength of the fingerprints found, and didn't reply when clarification was offered. Perhaps the material is just not impactful enough for him to produce any new content based on it. Or also perhaps it comes too close to sources and methods for his own good as a presumably American citizen.

The first step was to try and obtain the domain names of all nine websites that Reuters had highlighted as they had only given two domains explicitly.

Thankfully however, either by carelessness or intentionally, this was easy to do by inspecting the address of the screenshots provided. For example, one of the URLs was:

https://www.reuters.com/investigates/special-report/assets/usa-spies-iran/screencap-activegaminginfo.com.jpg?v=192516290922

which corresponds to activegaminginfo.com.

Once we had this, we were then able to inspect the websites on the Wayback Machine to better understand possible fingerprints such as their communication mechanism.

The next step was to use our knowledge of the sequential IP flaw to look for more neighbor websites to the nine we knew of.

This was not so easy to do because the websites are down and so it requires historical data. But for our luck we found viewdns.info which allowed for 200 free historical queries (and they seem to have since removed this hard limit and moved to only throttling), leading to the discovery or some or our own new domains!

This gave us a larger website sample size in the order of the tens, which allowed us to better grasp more of the possible different styles of website and have a much better idea of what a good fingerprint would look like.

The next major and difficult step would be to find new IP ranges.

This was and still is a hacky heuristic process for us, but we've had the most success with the following methods:

step 1) get huge lists of historic domain names. The two most valuable sources so far have been:
- 2013 DNS Census
- scraping expired domain trackers
step 2) filter the domain lists down somehow to a more manageable number of domains. The most successful heuristics have been:
- for 2013 DNS Census which has IPs, check that they are the only domain in a given IP, which was the case for the majority of CIA websites, but was already not so common for legitimate websites
- they have the word news on the domain name, given that so many of the websites were fake news aggregators
step 3) search on Wayback machine if any of those filtered domains contain URL's that could be those of a communication mechanism. In particular, we've used a small army of Tor bots to overcome the Wayback Machine's IP throttling and greatly increase our checking capacity

Figure 5.
DNS Census 2013 website
. Source. This source provided valuable historical domain to IP data. It was likely extracted with an illegal botnet. Data excerpt from the CSVs:
`amazon.com,2012-02-01T21:33:36,72.21.194.1 amazon.com,2012-02-01T21:33:36,72.21.211.176 amazon.com,2013-10-02T19:03:39,72.21.194.212 amazon.com,2013-10-02T19:03:39,72.21.215.232 amazon.com.au,2012-02-10T08:03:38,207.171.166.22 amazon.com.au,2012-02-10T08:03:38,72.21.206.80 google.com,2012-01-28T05:33:40,74.125.159.103 google.com,2012-01-28T05:33:40,74.125.159.104 google.com,2013-10-02T19:02:35,74.125.239.41 google.com,2013-10-02T19:02:35,74.125.239.46`

Figure 6.
The four communication mechanisms used by the CIA websites
. Java Applets, Adobe Flash, JavaScript and HTTPS

Figure 7.
Expired domain names by day 2011
. Source. The scraping of expired domain trackers to Github was one of the positive outcomes of this project.

Finally, at the very end of our pipeline, we were left with a a few hundred domains, and we just manually inspected them one by one as far as patience would allow it to confirm or discard the.

Figure 8.
You can never have enough Wayback Machine tabs open
. This is how the end of the fingerprint pipeline looks like: as many tabs as you have the patience to go through one by one!

 Read the full article