CIA 2010 covert communication websites / Hits without nearby IP hits Updated 2025-06-12 +Created 1970-01-01
View more
Here we list of suspected domains for which the correct IP was apparently not found since there are no neighbouring hits.
These are suspicious, and suggest either that we didn't obtain the correct reverse IP, or a change in CIA methodology from an older time at which they were not yet using the obscene IP ranges.
For example, in the case of inews-today.com, 2013 DNS Census gave one IP 193.203.49.212, but then viewdns.info gave another one 66.175.106.146 which fit into an existing IP range, and which assumed to be the correct IP of interest.
A similar case happened when we found IP 212.209.74.126 for headlines2day.com with dnshistory.org: dnshistory.org/historical-dns-records/a/headlines2day.com.
It is also possible that some of them are simply false positives so they should be taken with a grain of salt. Further reverse engineering e.g. of comms or HTML analysis might be able to exclude some of them.
It is interesting to note that Reuters seems to have featured disproportionately many hits from that range, one wonders why that happened. It is possible that they chose these because they actually didn't have any nearby hits to give away less obvious information, though they did pick some from the ranges as wel.
In what follows we list the domains with possible reverse IPs and what was explored so far for each. We consider IPs not in a range to be uncertain, and that instead their domains might have been previously in a range which we
dailynewsandsports.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches
  • 216.119.129.94. rdns source: viewdns.info "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2012-04-13". Tested viewdns.info range: 216.119.129.85 - 216.119.129.86, 216.119.129.89 - 216.119.129.99, ran out of queries for 87 and 88
    • 216.119.129.90: eastdairies.com 2011-04-04. Promising name and date, but no archives alas.
    • 216.119.129.97: miideaco.com 2016-02-01
  • 216.119.129.114 Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches, also present on viewdns.info but at a later date from previous "location": "United States", "owner": "A2 Hosting, Inc.", "lastseen": "2013-11-29". Tested viewdns.info range: 216.119.129.109 - 216.119.129.119
    • 216.119.129.110: dommoejmechty.com.ua. Legit.
    • 216.119.129.111: dailybeatz.com: Legit
    • 216.119.129.113:
      • audreygeneve.com
      • reyzheng.com
      • jacintorey.com
    • 216.119.129.114: dailynewsandsports.com. hit.
    • 216.119.129.115: afxchange.com legit/broken
    • 216.119.129.116: danafunkfinancial.com: legit
  • 208.73.33.194 on securitytrails.com
iranfootballsource.com:
iraniangoalkicks.com:
iraniangoals.com:
football-enthusiast.com:
  • 212.4.18.14: Tested viewdns.info range: 212.4.18.1 - 212.4.18.29. This is a curious case, rather close to 212.4.18.129 sightseeingnews.com, but not quite in the same range apparently. Viewdns.info also agrees on its history with only "212.4.18.14", "location" : "Milan - Italy", "owner" : "MCI Worldcom Italy Spa", "lastseen" : "2013-06-30" of interest.
cyhiraeth-intlnews.com:
europeannewsflash.com:
outlooknewscast.com:
farsi-newsandweather.com:
global-view-news.com:
health-men-today.com:
firstnewssource.com:
pars-technews.com:
newdaynewsonline.com:
sportsnewsfinder.com:
newsworldsite.com:
todaysnewsreports.net:
hassannews.net:
todayoutdoors.com:
globaltourist.net:
terrain-news.com:
intlnewsdaily.com
opensourcenewstoday.com:
Read the full article
CIA 2010 covert communication websites / ipinf.ru Updated 2025-06-12 +Created 1970-01-01
View more
alljohnny.com had a hit: ipinf.ru/domains/alljohnny.com/, and so Ciro started looking around... and a good number of other things have hits.
Not all of them, definitely less data than viewdns.info.
But they do reverse IP, and they show which nearby reverse IPs have hits on the same page, for free, which is great!
Shame their ordering is purely alphabetical, doesn't properly order the IPs so it is a bit of a pain, but we can handle it.
OMG, Russians!!!
The data here had a little bit of non-overlap from other sources. 4 new confirmed hits were found, plus 4 possible others that were left as candidates.
Read the full article
CIA 2010 covert communication websites / Overview of Ciro Santilli's investigation Updated 2025-06-12 +Created 2025-05-07
View more
Ciro Santilli hard heard about the 2018 Yahoo article around 2020 while studying for his China campaign because the websites had been used to take down the Chinese CIA network in China. He even asked on Quora about it, but there were no publicly known domains at the time to serve as a starting point. Chris, Electrical Engineer and former Avionics Tech in the US Navy, even replied suggesting that obviously the CIA is so competent that it would never ever have its sites leaked like that:
Seriously a dumb question.
Figure 1.
"Seriously a dumb question" Quora answer by Chris from the US Navy
. Source.
In 2023, one year after the Reuters article had been published, Ciro Santilli was killing some time on YouTube when he saw a curious video: Video 1. "Compromised Comms by Darknet Diaries (2023)". As soon as he understood what it was about and that it was likely related to the previously undisclosed websites that he was interested in, he went on to read the Reuters article that the podcast pointed him to.
Being a half-arsed web developer himself, Ciro knows that the attack surface of a website is about the size of Texas, and the potential for fingerprinting is off the charts with so many bits and pieces sticking out. And given that there were at least 885 of them, surely we should be able to find a few more than nine, right?
In particular, it is fun how these websites provide to anyone "live" examples of the USA spying on its own allies in the form of Wayback Machine archives.
Given all of this, Ciro knew he had to try and find some of the domains himself using the newly available information! It was an irresistible real-life capture the flag.
Chris, get fucked.
Video 1.
Compromised Comms by Darknet Diaries (2023)
Source.
It was the YouTube suggestion for this video that made Ciro Santilli aware of the Reuters article almost one year after its publication, which kickstarted his research on the topic.
Full podcast transcript: darknetdiaries.com/transcript/75/
Ciro Santilli pinged the Podcast's host Jack Rhysider on Twitter and he ACK'ed which is cool, though he was skeptical about the strength of the fingerprints found, and didn't reply when clarification was offered. Perhaps the material is just not impactful enough for him to produce any new content based on it. Or also perhaps it comes too close to sources and methods for his own good as a presumably American citizen.
The first step was to try and obtain the domain names of all nine websites that Reuters had highlighted as they had only given two domains explicitly.
Thankfully however, either by carelessness or intentionally, this was easy to do by inspecting the address of the screenshots provided. For example, one of the URLs was:
https://www.reuters.com/investigates/special-report/assets/usa-spies-iran/screencap-activegaminginfo.com.jpg?v=192516290922
which corresponds to activegaminginfo.com.
Figure 2.
Inspecting the Reuters article HTML source code
. Source. The Reuters article only gave one URL explicitly: iraniangoals.com. But most others could be found by inspecting the HTML of the screenshots provided, except for the Carson website.
Once we had this, we were then able to inspect the websites on the Wayback Machine to better understand possible fingerprints such as their communication mechanism.
The next step was to use our knowledge of the sequential IP flaw to look for more neighbor websites to the nine we knew of.
This was not so easy to do because the websites are down and so it requires historical data. But for our luck we found viewdns.info which allowed for 200 free historical queries (and they seem to have since removed this hard limit and moved to only throttling), leading to the discovery or some or our own new domains!
This gave us a larger website sample size in the order of the tens, which allowed us to better grasp more of the possible different styles of website and have a much better idea of what a good fingerprint would look like.
Figure 3.
viewdns.info activegameinfo.com domain to IP
. Source.
Figure 4.
viewdns.info aroundthemiddleeast.com IP to domain
. Source.
The next major and difficult step would be to find new IP ranges.
This was and still is a hacky heuristic process for us, but we've had the most success with the following methods:
Figure 5.
DNS Census 2013 website
. Source. This source provided valuable historical domain to IP data. It was likely extracted with an illegal botnet. Data excerpt from the CSVs:
amazon.com,2012-02-01T21:33:36,72.21.194.1
amazon.com,2012-02-01T21:33:36,72.21.211.176
amazon.com,2013-10-02T19:03:39,72.21.194.212
amazon.com,2013-10-02T19:03:39,72.21.215.232
amazon.com.au,2012-02-10T08:03:38,207.171.166.22
amazon.com.au,2012-02-10T08:03:38,72.21.206.80
google.com,2012-01-28T05:33:40,74.125.159.103
google.com,2012-01-28T05:33:40,74.125.159.104
google.com,2013-10-02T19:02:35,74.125.239.41
google.com,2013-10-02T19:02:35,74.125.239.46
Figure 6.
The four communication mechanisms used by the CIA websites
. Java Applets, Adobe Flash, JavaScript and HTTPS
Figure 7.
Expired domain names by day 2011
. Source. The scraping of expired domain trackers to Github was one of the positive outcomes of this project.
Finally, at the very end of our pipeline, we were left with a a few hundred domains, and we just manually inspected them one by one as far as patience would allow it to confirm or discard them.
Figure 8.
You can never have enough Wayback Machine tabs open
. This is how the end of the fingerprint pipeline looks like: as many tabs as you have the patience to go through one by one!
Read the full article
CIA 2010 covert communication websites / Possible hits Updated 2025-06-12 +Created 2025-04-05
View more
Likely hits possible but whose archives is too broken to be easily certain. If:
were to ever be found, these would be considered hits.
africainnews.com
globalsentinelsite.com. dawhois.com/www/globalsentinelsite.com.html empty. Copyright 2011 on top and 2008 on bottom. Unusually wide, has a few sections, but somewhat shallow. Copyright 2008. JAR JAR. a.rss-item
todaysolar.com. This might just be legit, but keeping it around just in case.
Read the full article
CIA 2010 covert communication websites / securitytrails.com Updated 2025-06-12 +Created 1970-01-01
View more
They appear to piece together data from various sources. This is the most complete historical domain -> IP database we have so far. They don't have hugely more data than viewdns.info, but many times do offer something new. It feels like the key difference is that their data goes further back in the critical time period a bit.
TODO do they have historical reverse IP? The fact that they don't seem to have it suggests that they are just making historical reverse IP requests to a third party via some API?
E.g. searching thefilmcentre.com under historical data at securitytrails.com/domain/thefilmcentre.com/history/al gives the correct IP 62.22.60.55.
But searching the IP 62.22.60.55 is empty and there's no historical data option?
Account creation blacklists common email providers such as gmail to force users to use a "corporate" email address. But using random domains like ciro@cirosantilli.com works fine.
Their data seems to date back to 2008 for our searches.
Read the full article