Ciro Santilli @cirosantilli 35

 Incoming links: Wayback Machine

CIA 2010 covert communication websites  Updated 2025-02-22  +Created 1970-01-01

This article is about covert agent communication channel websites used by the CIA in many countries from the late 2000s until the early 2010s, when they were uncovered by counter intelligence of the targeted countries circa 2011-2013. This discovery led to the imprisonment and execution of several assets in Iran and China, and subsequent shutdown of the channel.

https://raw.githubusercontent.com/cirosantilli/media/master/CIA_Star_Wars_website_promo.jpg

Video 1.

How I found a Star Wars website made by the CIA by Ciro Santilli

. Source. Slightly edited VOD of the talk Aratu Week 2024 Talk by Ciro Santilli: My Best Random Projects.

The existence of such websites was first reported in November 2018 by Yahoo News: www.yahoo.com/video/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html.

Previous whispers had been heard in 2017 but without clear mention of websites: www.nytimes.com/2017/05/20/world/asia/china-cia-spies-espionage.html:

Some were convinced that a mole within the C.I.A. had betrayed the United States. Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources. Years later, that debate remains unresolved.
[...]
From the final weeks of 2010 through the end of 2012, [...] the Chinese killed at least a dozen of the C.I.A.’s sources. [...] One was shot in front of his colleagues in the courtyard of a government building — a message to others who might have been working for the C.I.A.

https://raw.githubusercontent.com/cirosantilli/media/master/Yahoo_CIA_website_article.png

Then in September 2022 a few specific websites were finally reported by Reuters: www.reuters.com/investigates/special-report/usa-spies-iran/, henceforth known only as "the Reuters article" in this article.

Figure 1.
Banner of the Reuters article
. Source.

Figure 2.
Reuters reconstruction of what the applet would have looked like
. Source.

Ciro Santilli heard about the 2018 article at around 2020 while studying for his China campaign because the websites had been used to take down the Chinese CIA network in China. He even asked on Quora: www.quora.com/What-were-some-examples-of-the-websites-that-the-CIA-used-around-2010-as-a-communication-mechanism-for-its-spies-in-China-and-Iran-but-were-later-found-and-used-to-take-down-their-spy-networks but there were no publicly known domains at the time to serve as a starting point. Chris, Electrical Engineer and former Avionics Tech in the US Navy, even replied suggesting that obviously the CIA is so competent that it would never ever have its sites leaked like that:

Seriously a dumb question.

So when Ciro Santilli heard about the 2022 article almost a year after publication, and being a half-arsed web developer himself, he knew he had to try and find some of the domains himself using the newly available information! It was an irresistible real-life capture the flag. The thing is, everyone who has ever developed a website knows that its attack surface is about the size of Texas, and the potential for fingerprinting is off the charts with so many bits and pieces sticking out. Chris, get fucked.

Figure 4.
"Seriously a dumb question" Quora answer by Chris from the US Navy
. Source.

In particular, it is fun to have such a clear and visible to anyone examples of the USA spying on its own allies in the form of Wayback Machine archives.

Given that it was reported that there were "more than 350" such websites, it would be really cool if we could uncover more of those websites ourselves beyond the 9 domains reported by Reuters!

This article documents the list of extremely likely candidates Ciro has found so far, mostly using:

rudimentary IP range search on viewdns.info starting from the websites reported by Reuters
heuristic search for keywords in domains of the 2013 DNS Census plus Wayback Machine CDX scanning

more details on methods also follow. It is still far from the 885 websites reported by citizenlabs, so there must be key techniques missing. But the fact that there are no Google Search hits for the domains or IPs (except in bulk e.g. in expired domain trackers) indicates that these might not have been previously clearly publicly disclosed.

If anyone can find others, or has better techniques: Section "How to contact Ciro Santilli". The techniques used so far have been very heuristic, and that added to the limited amount of data makes it almost certain that several IP ranges have been missed. There are two types of contributions that would be possible:

finding new IP ranges: harder more exiting, and potentially requires more intelligence
better IP to domain name databases to fill in known gaps in existing IP ranges

Perhaps the current heuristically obtained data can serve as a good starting for a more data-oriented search that will eventually find a valuable fingerprint which brings the entire network out.

Disclaimer: the network fell in 2013, followed by fully public disclosures in 2018 and 2022, so we believe it is now more than safe for the public to know what can still be uncovered about the events that took place. The main author's political bias is strongly pro-democracy and anti-dictatorship.

May this list serve as a tribute to those who spent their days making, using, and uncovering these websites under the shadows.

If you want to go into one of the best OSINT CTFs of your life, stop reading now and see how many Web Archives you can find starting only from the Reuters article as Ciro did. Some guidelines:

there was no ultra-clean fingerprint found yet. Some intuitive and somewhat guessy data analysis was needed. But when you clean the data correctly and make good guesses, many hits follow, it feels so good
nothing was paid for data. But using cybercafe Wifi's for a few extra IPs may help.

Figure 7.
DNS Census 2013 website
. Source. This source provided valuable historical domain to IP data. It was likely extracted with an illegal botnet. Data excerpt from the CSVs:
`amazon.com,2012-02-01T21:33:36,72.21.194.1 amazon.com,2012-02-01T21:33:36,72.21.211.176 amazon.com,2013-10-02T19:03:39,72.21.194.212 amazon.com,2013-10-02T19:03:39,72.21.215.232 amazon.com.au,2012-02-10T08:03:38,207.171.166.22 amazon.com.au,2012-02-10T08:03:38,72.21.206.80 google.com,2012-01-28T05:33:40,74.125.159.103 google.com,2012-01-28T05:33:40,74.125.159.104 google.com,2013-10-02T19:02:35,74.125.239.41 google.com,2013-10-02T19:02:35,74.125.239.46`

Figure 8.
The four communication mechanisms used by the CIA websites
. Java Applets, Adobe Flash, JavaScript and HTTPS

Figure 9.
Expired domain names by day 2011
. Source. The scraping of expired domain trackers to Github was one of the positive outcomes of this project.

Video 2.

Compromised Comms by Darknet Diaries (2023)

Source.

It was the YouTube suggestion for this video that made Ciro Santilli aware of the Reuters article almost one year after its publication, which kickstarted his research on the topic.

Full podcast transcript: darknetdiaries.com/transcript/75/

 Read the full article

feedsdemexicoyelmundo.com JavaScript reverse engineering  Updated 2025-02-22  +Created 1970-01-01

 View more

The JavaScript of each website appears to be quite small and similarly sized. They are all minimized, but have reordered things around a bit.

For example consider: web.archive.org/web/20110202190932/http://feedsdemexicoyelmundo.com/mundo.js

First we have to know that the Wayback Machine adds some stuff before and after the original code. The actual code there starts at:

ap={fg:['MSXML2.XMLHTTP

and ends in:

ck++;};return fu;};

We can use a JavaScript beautifier such as beautifier.io/ to be abe to better read the code.

It is worth noting that there's a lot of <script> tags inline as well, which seem to matter.

Further analysis would be needed.

 Read the full article

Gathering key points from the articles  Updated 2025-02-22  +Created 1970-01-01

 View more

citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/ did an investigation and found 885 such websites, but decided not to disclose the list or methods:

Using only a single website, as well as publicly available material such as historical internet scanning results and the Internet Archive's Wayback Machine, we identified a network of 885 websites and have high confidence that the United States (US) Central Intelligence Agency (CIA) used these sites for covert communication.
The websites included similar Java, JavaScript, Adobe Flash, and CGI artifacts that implemented or apparently loaded covert communications apps. In addition, blocks of sequential IP addresses registered to apparently fictitious US companies were used to host some of the websites. All of these flaws would have facilitated discovery by hostile parties.
The websites, which purported to be news, weather, sports, healthcare, and other legitimate websites, appeared to be localized to at least 29 languages and geared towards at least 36 countries.

The question is which website. E.g. at citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ they used data from Censys.

We searched historical data from Censys

citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ mentions scans.io/. citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/ mentions: www.shodan.io/, Censys really seems to be their thing.

Another critical excerpt is:

The bulk of the websites that we discovered were active at various periods between 2004 and 2013. We do not believe that the CIA has recently used this communications infrastructure. Nevertheless, a subset of the websites are linked to individuals who may be former and possibly still active intelligence community employees or assets:
Several are currently abroad
Another left mainland China in the time frame of the Chinese crackdown
Another was subsequently employed by the US State Department
Another now works at a foreign intelligence contractor
Given that we cannot rule out ongoing risks to CIA employees or assets, we are not publishing full technical details regarding our process of mapping out the network at this time. As a first step, we intend to conduct a limited disclosure to US Government oversight bodies.

This basically implies that they must have found some communication layer level identifier, e.g. IP registration, domain name registration, or certificate because it is impossible to believe that real agent names would have been present on the website content itself!

The websites were used from at least as early as August 2008, as per Gholamreza Hosseini's account, and the system was only shutdown in 2013 apparently. citizenlab.ca/2022/09/statement-on-the-fatal-flaws-found-in-a-defunct-cia-covert-communications-system/ however claims that they were used since as early as 2004.

Notably, so as to be less suspicious the websites are often in the language of the country for which they were intended, so we can often guess which country they were intended for!

 Read the full article

Hits with nearby IP hits  Updated 2025-02-22  +Created 1970-01-01

 View more

alljohnny.com: one of the Reuters websites.

208.91.197.132: rdns source: viewdns.info. Big virtual.
65.218.91.17: rdns source? : viewdns.info. Tested viewdns.info range: 65.218.91.13 - 65.218.91. 17
- 65.218.91.9: welcometonyc.net. Hit. rdns source: ipinf.ru. Later also at 208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-21 by viewdns.info
- also on: 65.218.91.17,
  - international-smallbusiness.com. Stylitsic match, but some uncommon features like the country seelctor dropdown.
    Archives:
    web.archive.org/web/20110202031627/http://international-smallbusiness.com/
    web.archive.org/web/20120114080103/http://www.international-smallbusiness.com:80/sa.html
    web.archive.org/web/20110202031657/http://international-smallbusiness.com/style.css
    Also a potential unarchived CGI comms: web.archive.org/web/20110202031627/https://ssl.international-smallbusiness.com/cgi-bin/starting.cgi Perhaps with some better HTML reversing we could confirm a hit.
    208.91.197.132 British Virgin Islands CONFLUENCE-NETWORK-INC 2013-10-19. Big virtual.
    65.218.91.17 United States UUNET 2013-09-06
216.168.229.50: whoisxmlapi 2008-09-01 (15 years) 2010-04-17. Checked viewdns.info range: 216.168.229.45 - 216.168.229.55

62.22.60.49: telecom-headlines.com. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just before worldnewsnetworking.com. Tested viewdns.info range: 62.22.60.34 - 62.22.60.66

62.22.60.33: newsperk.com. Unclear. Stylistically perfect, but no comms not found. 2011. English. Egypt. news.
62.22.60.34: freeslideshow.net. Legit? Attempting to open any HTML archives leads to an infinite page load loop, e.g. 2010. A subpage however exists: web.archive.org/web/20101230001640/http://freeslideshow.net/index_files/a.htm and appears legit.
62.22.60.40: travel-passage.com. Unclear. No archives of toplevel, only subpage: 2009. No clear comms. Chinese.
62.22.60.42: newsupdatesite.com. Hit.
62.22.60.46: flyingtimeline.com. Hit.
62.22.60.47: globalemergenceadvisorsbkserver.com. Legit.
62.22.60.48: currentcommunique.com. Hit.
62.22.60.49: telecom-headlines.com. Hit.
62.22.60.52: collectedmedias.com. Hit.
62.22.60.54: romulusactualites.com. No archives.
62.22.60.55: thefilmcentre.com. Hit.
62.22.60.56: traveltimenews.com. Hit.

62.22.61.206 worldnewsnetworking.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 62.22.61.188 - 62.22.61.224

62.22.61.193: awfaoi.org. Hit.
62.22.61.197: rc5sports.com. Hit.
62.22.61.198: inside-vc.com. Hit.
62.22.61.202: bailsnboots.com. Hit.
62.22.61.203: the-cricketer-online.com. Hit.
62.22.61.204: hollywoodscreen.net. Hit.
62.22.61.206: worldnewsnetworking.com. Hit.
62.22.61.212: nuestrasfinanzas.com. Hit.
62.22.61.215: the-tech-mind.com. Welcome to the US Petabox
62.22.61.217: court-masters.com. Hit.
62.22.61.219: allworldstatistics.com. Hit.
62.22.61.220: newsjaka.com. Hit.
62.22.61.221: biochemresource.com. Archive broken/empty. One archive: contains an epically long URL that might shed light into something: web.archive.org/web/20120529121245/http://www.biochemresource.com/?fp=iboHtuxnjLG66y52DkK1xCFuZDBnVC8wovQepLt2Tk%2Bo1JIgIdVb6WL8kv6sSOEtxwcq4EbiJ0GxFY9N6HSWlg%3D%3D&prvtof=97vgfKVqt1Sd68qgNDPXB0o7Rwo%2FO3GKiiMG7fane6A%3D&poru=Zd9DHFaHFZ6ZrRLm8SW3egagqvdpzHhWb%2FoulRGeEYIUSVATB5gwTIDhluetONjG7xovtb%2FrvDStoqiAF1O8wA%3D%3D&. Asked at: stackoverflow.com/questions/47310661/any-idea-what-are-fp-prvtof-poru-in-a-url but no reply so far. One day my friend, one day.
62.22.61.222: www.news-blitz-ar.com (ipinf.ru). No archives. Perfect theme match.

63.131.229.12 cyberreportagenews.com. Tested viewdns.info range: 63.131.228.248 - 63.131.229.30

63.131.229.2: fightskillsresource.com. Hit
63.131.229.4: unitedterritorynews.com. Hit
63.131.229.9: show-dustry.com. Hit
63.131.229.10: afghanpoetry.net. Hit. Also at 74.254.12.166 in another range.
63.131.229.11: mythriftytrip.com. Hit
63.131.229.12: cyberreportagenews.com. Hit.
63.131.229.13: sunrise-news.com. Hit.
63.131.229.15: cricketnewsforindia.com. Archive quite broken, likely hit.
63.131.229.16:
- nutricion-saludable.info. No archives.
- nutricion-saludable.net. Hit.
63.131.229.18: itnl-xchange.com. Hit.
63.131.229.20:
- fixashion.net. Hit.
- a few others

63.130.160.50 theglobalheadlines.com. Found with: 2013 DNS census secureserver.net MX records intersection 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 63.130.160.35 - 63.130.160.75

63.130.160.50: theglobalheadlines.com. Hit.
63.130.160.51:
- hai-pow.com. Hit.
- secudenetworksecurity.com. No archives.
63.130.160.53: echessnews.com. Hit.
63.130.160.59: technologiewissen.com. No archives from the time. Would be Technology knowledge in German, so another likely German hit. Shame.
63.130.160.60: boxingstop.net. Hit.
63.130.160.61: bookmarksthis.com. No archives.
63.130.160.62: azerinews.org. Hit.

64.16.204.55 holein1news.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 64.16.204.50 - 64.16.204.63. With did Wayback Machine have so few archives here? TODO stopping viewdns.info exploration a bit short due to that.

64.16.204.35: ironcityfootball.com. Legit/broke.
64.16.204.51: africannewsandsports.com. No archives. rdns source: viewdns.info
64.16.204.53: bosniakbusinessnews.com. No archives. A Bosniak is someone from an ethnicity from Bosnia.
64.16.204.54: affairesdumonde.com. No archives. rdns source: viewdns.info
64.16.204.55: holein1news.com. Hit.
64.16.204.56: fightorgohome.com. No archives. rdns source: viewdns.info
64.16.204.58: tech-topix.com. Hit.
64.16.204.60: pakpoldaily.com. No archives. rdns source: viewdns.info. TODO meaning? Might be Indonesian, maybe linked to police: www.facebook.com/watch/?v=880204266271955

65.61.127.163 capture-nature.com. whois.arin.net/rest/net/NET-65-61-96-0-1/pft?s=65.61.127.163: Net Range: 65.61.96.0 - 65.61.127.255. Organization. Name: TierPoint, LLC. Tested viewdns.info range: 65.61.127.149 -

65.61.127.46: anahuacchamber.com 2012-12-22T14:59:01
65.61.127.117: medicaresupplementalinsurance.com, 2013-08-21T09:49:41. Legit.
65.61.127.121: counter-images.com 2013-08-22T11:14:44: web.archive.org/web/20110208173132/http://www.counter-images.com/
65.61.127.125 zaphound.com 2013-08-21T02:25:40. Legit.
65.61.127.130: ambitions.org 2013-08-22T01:43:40. Legit.
65.61.127.161: european-footballer.com. 2011 archive. web.archive.org/web/20110319111233/http://european-footballer.com/. The website is quite broken so it is hard to say, but possible hit.
65.61.127.163: capture-nature.com. Hit.
65.61.127.164: futbolistico.net. 2012-02-20T03:25:33. Legit. web.archive.org/web/20130509004058/http://futbolistico.net/
65.61.127.165: travelconnectionsonline.com. Ciro initially though this might be a hit. But upon Googling it, there's now a mirror at: travelconn.tripod.com/. Combined with the lack of a standard communications mechanism and the 2001 copyright, maybe it isn't a hit after all
65.61.127.166: globalnewsbulletin.com: Hit.
65.61.127.167: internationalwhiskylounge.com. No Wayback Machine archives.
65.61.127.168: the-golden-rule.info 2013-09-20T02:13:52. Website error archived: web.archive.org/web/20131011012026/http://the-golden-rule.info/
65.61.127.169: crossovernews.net. Hit.
65.61.127.170: newsidori.com. Very broken 2013 archive: 2013. "Idori" sounds Japanese, but the meaning is unclear.
65.61.127.171: nrgconsultingandnews.com. 2013-08-13T18:45:05. No archives.
65.61.127.172: premierstriker.com. No Wayback Machine archives from the time, and has been since parked by something apparently as of 2022 onwards. Last resolved: 2012-01-11.
65.61.127.174: dedrickonline.com. Hit.
65.61.127.175: altworldnews.com. Hit.
65.61.127.176: american-historyonline.com. No Wayback Machine archives. Last resolved: 2011-09-08.
65.61.127.177: material-science.org 2009. Shallow, narrow. No comms found. .org hit?
65.61.127.178: tee-shot.net. Hit.
65.61.127.180: screencentral.info. Buggy Wayback Machine archive from 2013: web.archive.org/web/20130713224951/http://screencentral.info/. Last resolved: 2013-05-08.
65.61.127.181: worldnewsandtravel.com. No Wayback Machine archives. Last resolved: 2011-11-13.
65.61.127.182: pangawana.com. Hit.
65.61.127.183: cutabovenews.com. Hit.
65.61.127.184: worldwildlifeadventure.com. Hit.
65.61.127.186: explorealtmeds.com. Hit.
65.61.127.194: 16 domains, so unclear.
- about-video-games.com: web.archive.org/web/20121013013710/http://about-video-games.com/
- aboutfaceonline.com: web.archive.org/web/20120701000000*/aboutfaceonline.com
65.61.127.200: cdl-link.com (ipinf.ru). Legit.
65.61.127.222: asianwhitecoffee.com 2012-07-16T09:21:05 web.archive.org/web/20110903080036/http://asianwhitecoffee.com/. Could be legit.

66.45.179.205 noticiasporjanua.com. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 66.45.179.187 - 66.45.179.223

66.45.179.187: mail03.gatesfoundation.org. Legit.
66.45.179.192: thegraceofislam.com. Hit.
66.45.179.193: arabicnewsunfiltered.com. Hit.
66.45.179.194: raulsonsglobalnews.com. Hit.
66.45.179.195: aryannews.net. Hit.
66.45.179.199: attivitaestremi.com. Hit.
66.45.179.200: foodwineandsuch.com. No archives.
66.45.179.201: hitthepavementnow.com. Hit.
66.45.179.203: noticiascontinental.com. Hit.
66.45.179.205: noticiasporjanua.com. Hit.
66.45.179.206: podisticamondiale.com. Hit.
66.45.179.207: reflectordenoticias.com. Hit.
66.45.179.208: havenofgamerz.com. Hit.
66.45.179.209: vejaaeuropa.com. web.archive.org/web/20130810131440/http://www.vejaaeuropa.com/: Welcome to the US Petabox. Shame, could be another Brazil hit since "veja" (look in Brazilian Portuguese) would be "mira" in Spanish, not "veja".
66.45.179.210: sa-michigan.com. Hit.
66.45.179.211: absolutebearing.net. Hit.
66.45.179.212: grandretirement.net. No archives.
66.45.179.213: myportaltonews.com. Hit.
66.45.179.214: investmentintellect.com. Hit.
66.45.179.215: nigeriastar.net 2012-03-12. Hit.

66.104.169.184 bcenews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.169.158 - 66.104.169.189

66.104.169.162: bestsportsnews.net. Archive broken.
66.104.169.163: doctorsoncallsite.com. Hit.
66.104.169.164: lightandshadowonline.com. Hit.
66.104.169.168: plugged-into-news.net. Hit.
66.104.169.169: worldsportsite.com. Likely hit, but comms not found. 2011. Arabic. . sports. has some apparently unrelated archives from 2008.
66.104.169.171: golf-on-holiday.com. Hit.
66.104.169.172: perspectiva-noticias.com. Hit.
66.104.169.175: aquaswimming.com. Hit.
66.104.169.177: dojo-temple.com. Hit.
66.104.169.179: neighbour-news.com. Hit.
66.104.169.180: medicatechinfo.com. Hit.
- 205.178.189.131: securitytrails.com 2009-06-25 - 2009-07-02 Network Solutions, LLC., "ip_count": 726755. Moved to new one 2009-07-02 - 2010-11-03
66.104.169.181: brickmanfinancialnews.com. Hit.
66.104.169.182: casanewsnow.com. Hit.
66.104.169.183: aworldofnews.com. No archives.
66.104.169.184: bcenews.com. Hit.
66.104.169.197: teamshula.com. Legit.

66.104.173.186 myworldlymusic.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 66.104.173.158 - 66.104.173.194

66.104.173.161: fanatic-pc-gamers.com. 2013: Welcome to the US Petabox
66.104.173.163: runakonews.com. Hit.
66.104.173.164: shoppingadventure.net. Hit.
66.104.173.165: entertaining-ly.com. Hit.
66.104.173.166: zubeenews.com. Hit.
66.104.173.169: smart-financeology.com. Hit.
66.104.173.173: remarkably has two potential hits, both shown in viewdns.info, and one of them was also in the 2013 DNS Census.
- worldfeedstoday.com. No main page archives. Subpage archive: 2011. English. news.
- world-newsfeeds.com. No archives.
66.104.173.175: media-coverage-now.com. Hit.
66.104.173.176: jbc-online-news.com. Hit.
66.104.173.177: webscooper.com. Hit.
66.104.173.178: dk-dcinvestment.com. Hit.
66.104.173.179: newsforthetech.com. Welcome to the US Petabox.
66.104.173.180: stara-turistick.com. Hit.
66.104.173.181: playbackpolitics.com. Hit.
66.104.173.182: snapnewsfront.net. Hit.
66.104.173.183: ingenuitytrendz.com. Hit.
66.104.173.184: armashoy.com. Hit.
66.104.173.185: baocontact.com. Hit.
66.104.173.186: myworldlymusic.com. Hit.
66.104.173.189: hitpoint-gaming.com. Hit.

66.104.175.40 beyondnetworknews.com. whois.arin.net/rest/net/NET-66-104-0-0-1/pft?s=66.104.175.40. Net Range:66.104.0.0 - 66.107.255.255. 2012 Internet Census puts most/all hits in this range under ip66-104-175-34.z175-104-66.customer.algx.net, algx.net redirects to verizon.com as of 2023. Related: superuser.com/questions/956568/why-are-my-pings-going-to-customer-algx-net. Tested viewdns.info range: 66.104.175.24 - unknown

66.104.175.34: itwebtoday.com. Hit.
66.104.175.35: drglobalnews.com. Hit.
66.104.175.36: adilnews.net. Hit.
66.104.175.37: technewstogo.com. web.archive.org/web/20110201205946/http://technewstogo.com/ "UNDER CONSTRUCTION"
66.104.175.40: beyondnetworknews.com. Hit.
66.104.175.41: grubbersworldrugbynews.com. Hit.
66.104.175.44: yourtripfinder.net. Hit.
66.104.175.45: rollinsnetwork.com. Hit.
66.104.175.46: infosharenews.com. Hit.
66.104.175.47: southasiaheadlines.com. Hit.
66.104.175.48: worlddispatch.net. Hit.
66.104.175.49: webworldsports.com. Hit.
66.104.175.50: fly-bybirdies.com. Hit.
66.104.175.51: businessexchangetoday.com. Hit.
66.104.175.52: mensajeradenoticias.com. Hit.
66.104.175.53: info-ology.net. Hit.
66.104.175.54: marketflows.net. Hit.
66.104.175.57: metanewsdaily.com. Hit.
66.104.175.218: remote.taxconsultantsgroup.com. No archives.

66.175.106.148 activegaminginfo.com. whois.arin.net/rest/net/NET-66-175-106-128-1/pft?s=66.175.106.148: Net Range: 66.175.106.128 - 66.175.106.159. Customer Name: DIAMOND-COLESON. Tested viewdns.info range: 66.175.106.131 - 66.175.106.178

66.175.106.10: nationalchecktrust.com. Legit?
66.175.106.134: paddlescoop.com. Hit.
66.175.106.137: kessingerssportsnews.com. Hit.
66.175.106.138: factorforcenews.com. Hit.
66.175.106.140: aroundthemiddleeast.com. No Wayback Machine hits. Last resolved: 2012-06-29.
66.175.106.142: kanata-news.com. Hit.
66.175.106.143: thecricketfan.com. Hit.
66.175.106.146: inews-today.com. Initially found with 2013 DNS Census virtual host cleanup heuristic keyword searches which gave IP address 193.203.49.212. But that has no nearby hits. 66.175.106.146 was later found on viewdns.info, and slotted into this other existing IP range.
- 193.203.49.211 datingso.com: legit? Russian dating website
- 193.203.49.212 inews-today.com. Hit.
- 193.203.49.223 zatysi.net: legit
- 193.203.49.226 kinotopik.com: legit? Russian
- 193.203.49.229 rotor-volgograd.com. Legit.
- 193.203.49.233 ordercytotec.com. Broken.
66.175.106.147: starwarsweb.net. Hit.
66.175.106.149: feedsdemexicoyelmundo.com. Hit.
66.175.106.150: noticiasmusica.net. Hit.
66.175.106.155: atomworldnews.com. Hit.
66.175.106.158: nouvellesetdesrapports.com. Hit.
66.175.106.166: exchange.katzbarron.com. Legit. Reverse IP source: 2012 Internet Census
66.175.106.183: mail.lfdatacenter.com. No archives.

66.237.236.247 comunidaddenoticias.com. Tested viewdns.info range: 66.237.236.222 - 66.237.236.254

66.237.236.227: newsandmusicminute.com. Hit.
66.237.236.229: pearls-playlist.com 2011-11-13. Hit.
66.237.236.230: beyondthefringe.info 2013-01-02. Hit.
66.237.236.231: primetimemovies.net 2011-06-22. Hit.
66.237.236.235: persephneintl.com. Hit.
66.237.236.236: directoalgrano.net 2012-01-23. Hit.
66.237.236.240: actualizaciondebeisbol.com. Hit.
66.237.236.243: mygadgettech.com. Hit.
66.237.236.247: comunidaddenoticias.com. Hit.
66.237.236.249: sumerjaseahora.com. Hit.

69.84.156.90 stickshiftnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 69.84.156.64 - 69.84.156.95

69.84.156.69: al-ashak-news-me.com. Hit.
69.84.156.70: theventurenews.info. No archives. business.
69.84.156.71: worldfinancetoday.net. Hit.
69.84.156.72: autonewsarabia.com. Hit.
69.84.156.74: blue-moon-news.com. Hit.
69.84.156.75: theoutergreen.com. No archives. Might have been another golf hit.
69.84.156.76: tnc-urdu.com. Hit.
69.84.156.79: jassimnews.com. No archives/broken.
69.84.156.80: noticiasdenuestromundo.com. No archives. Spanish. news.
69.84.156.82: arabicnewsonline.com. Hit.
69.84.156.83: unganadormundial.com. Hit.
69.84.156.84: focusonbokeh.com. No archives/broken. Only a "Sony" logo remains: web.archive.org/web/20110207222330/http://focusonbokeh.com/images/logo_014.jpg
69.84.156.85: classic-rocktopia.com. No archives. Presumably rock climbing.
69.84.156.87: i7diver.com. No archives.
69.84.156.88: diariodeelmundo.com. Hit.
69.84.156.89: todaysarabnews.com. Hit.
69.84.156.90: stickshiftnews.com. Hit.
69.84.156.91: theinternationalgoal.com. Hit.

74.116.72.236 techtopnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.116.72.215 - 74.116.72.254

74.116.72.199: newsungraphics.com. Legit.
74.116.72.209: newsung.com. Legit/broken.
74.116.72.214: ofinancialinc.com. Legit.
74.116.72.219: stockpromoters.com. Legit.
74.116.72.227: dayenews.com. hit.
74.116.72.229: guide-daventure.com. Hit.
74.116.72.230: spaceage-exchange.com. No archives.
74.116.72.231: bleachersfootballnews.com. Hit.
74.116.72.232: indirectfreekick.com. Hit.
74.116.72.233: wwiichronicles.net. Hit.
74.116.72.234: petroleumagenews.com. Hit.
74.116.72.235: the-open-book-online.com. Hit.
74.116.72.236: techtopnews.com. Hit.
74.116.72.237: noticiasdiariasdedeportes.com. No archives. Sad, another potential Brazil hit.
74.116.72.238: pohandakhbar.com. No archives. TODO meaning. "akhbar" is news in Arabic. But what is "Poh"? Sounds like a South Asian name.
74.116.72.239: crickettoday.info. Hit.
74.116.72.240: zafernews.com. Hit.
74.116.72.241: itechnewstoday.com. Broken/GoDaddy takeover
74.116.72.242: gdgtsource.com. Hit.
74.116.72.243: waronfilmonline.com. No archives.
74.116.72.244: arborstribune.org. No archives.
74.116.72.245: wineenthusiastonline.com. Welcome to the US Petabox.
74.116.72.246: vuvuzelanews.com. Hit.
74.116.72.247: ballbatstumpsandbails.com. Hit.
74.116.72.248: kioni-sailing.com. No archives.
74.116.72.249: round-trip-travel.com. Hit.
74.116.72.250: arabicnewsource.com. Hit.

74.254.12.168 non-stop-news.net. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 74.254.12.158 - 74.254.12.195. This domain exceptionally also has a second IP also with multihits: 207.239.196.230. The fact that the range has rdns sources with hits from both 2013 DNS Census and viewdns.info suggests this range is correct.

74.254.12.163: half-court.net. Hit.
74.254.12.163: dailywellnessnews.com. Hit.
74.254.12.165: dylandon.net. Hit. rdns source: viewdns.info.
74.254.12.166: afghanpoetry.net. Hit.
74.254.12.168: non-stop-news.net. Hit.
74.254.12.169: soldiersofsouthasia.com. Hit.
74.254.12.170: greek-news.info. 2013. Welcome to the US Petabox. rdns source: viewdns.info
74.254.12.171: autism-news.org. Hit.
74.254.12.172: thesportsguidebook.com. rdns source: 2013 DNS Census. Only has archive of one subpage: 2009. English. sports.
74.254.12.174: reliefline.info. web.archive.org/web/20090416064302/http://www.reliefline.info:80/ Archive too broken.
74.254.12.176: pakcricketgrd.com. Hit.
74.254.12.177: networkofnews.com. Hit.
74.254.12.179: wineconnaisseur.net. Hit.
74.254.12.180: helpinghandssite.com. Hit.
74.254.12.185: newskwest.com. No archives.
74.254.12.187: efiinvestment.com. No archives.
74.254.12.188: first-tee-golf.com. Hit.
74.254.12.189: fabu-foto.com. Hit.
74.254.12.190: viptravelabroad.com. Hit.

199.85.212.118 just-kidding-news.com

199.85.212.118 rdns source: 2013 DNS Census virtual host cleanup heuristic keyword searches, dnshistory.org (2009-09-23 -> 2011-01-25) and viewdns.info: "location": "United States", "owner": "VIMRO, LLC", "lastseen": "2012-01-11". Tested viewdns.info range: 199.85.212.95 - 199.85.212.128. Not sure worth it given the many 2013 DNS Census misses surrounding.
- 199.85.212.98: colorsxpress.com. Legit
- 199.85.212.104:
  - jobindons.com 2013-10-19.
  - piogroup.org 2012-12-29.
- 199.85.212.105: mide-news.com. Hit.
- 199.85.212.109: game2be.com. Infinite load loop: web.archive.org/web/20080102074404/http://www.game2be.com/
- 199.85.212.111:
  - newsandsportscentral.com. Hit.
  - and many many others, not bothering with it
- 199.85.212.115: veryperi.com. Legit? 2011. Style is similar.
- 199.85.212.116: approselect.com. Legit?
- 199.85.212.117: innovative-software-solutions.com. broken/legit
- 199.85.212.118: just-kidding-news.com. Hit.
- 199.85.212.119: invisus.com. Legit
- 199.85.212.120: allurebyjustine.com. Legit?
- 199.85.212.121: stockprouniversity.com
- 199.85.212.122: stjosephswoodshop.com Legit?
- 199.85.212.125: time-spacer.net. Welcome to the US Petabox.
- 199.85.212.132: qualitytrans.net. Legit?
- 199.85.212.134: mywellnessminder.com. Legit?
- 199.85.212.138: crystalglassinc.com
- 199.85.212.140: davistech-llc.com
68.178.232.100: see rastadirect.net. rdns source: viewdns.info: "location": "United States", "owner": "GoDaddy.com, LLC", "lastseen": "2012-06-29"
209.85.45.84. Tested viewdns.info range: 209.85.45.74 - 209.85.45.94.
- 209.85.45.2: dz8.dailyrazor.com
- 209.85.45.2: jr4consulting.com
- 209.85.45.41: guitarzza.com. No archives of time.
- 209.85.45.46: evergraindecking.com. No archives of time.
- 209.85.45.114: mauritiuspropertyconsultant.com. Legit/ broken.
- 209.85.45.160: bieltvedt.net. No archives of time.
- 209.85.45.160: golfstats.dk. No archives.
- 209.85.45.225: infokus.ca
- 209.85.45.225: mail.tomlatham.net
- 209.85.45.225: mail.tomlatham.org
- 209.85.45.239: flavacationcenter.com

204.176.38.143 noticiassofisticadas.com. Found with: 2013 DNS Census virtual host cleanup. Tested viewdns.info range: 204.176.38.125 - 204.176.38.154

204.176.38.130: i-pressnews.com. Hit.
204.176.38.132: turkishnewslinks.com. Hit.
204.176.38.134: photographyarecord.com. Hit.
204.176.38.135: breakingthewicket.com. Hit.
204.176.38.136: politicalworldtoday.com. Hit.
204.176.38.137: hi-tech-today.com. Hit.
204.176.38.138: continental-business-news.com. TODO. 2011. Cannot find comms. Also header and footer are not limited width which is unusual. Further HTML similarity reversing would be needed.
204.176.38.139: bigscreenbattles.com. Hit.
204.176.38.141: rakotafootball.com. Hit.
204.176.38.142: senderosdemontana.com. Hit.
204.176.38.143: noticiassofisticadas.com. Hit.
204.176.38.144: techno-today.com. Hit.
204.176.38.145: tickettonews.com. Hit.
204.176.38.146: dps-digitalphotosharing.com. Hit.
204.176.38.147: theputtingreen.com. Hit.
204.176.38.149: sportsnewstodayar.com. Hit.
204.176.38.150: kairuafricanews.com. Hit.

204.176.39.115 globalprovincesnews.com. Tested viewdns.info range: 204.176.39.93 - 204.176.39.124

204.176.39.97: beamingnews.com. Hit.
204.176.39.98: cubriendonoticias.com. Hit.
204.176.39.100: rowleyworldpost.com. Hit.
204.176.39.101: noticiastopicas.com. No archives.
204.176.39.103: economicnewsbuzz.com. Hit.
204.176.39.104: spectranewsonline.com. Hit.
204.176.39.105: entertainmentnewscompany.com. Hit.
204.176.39.107: guidetoelectronics.net. Uncertain. 2010. English. tech, electronics. Possible CGI comms variant.
204.176.39.110: arabnewsatdawn.com. Hit.
204.176.39.114: messengergalaxy.com. Uncertain. 2011. Would be the first example of something more commercial/service offering we've seen so far. Possible CGI comms variant.
204.176.39.115: globalprovincesnews.com. Hit.
204.176.39.116: mahparah-news.com. Hit.
204.176.39.119: commercialspacedesign.com. Hit.

207.210.250.132 aeronet-news.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 207.210.250.126 - 207.210.250.157

207.210.250.131: starrynightnews.com. Hit.
207.210.250.132: aeronet-news.com. Hit.
207.210.250.133: bakaribulletin.com. Hit.
207.210.250.134: deprensaenlarevisiondehoy.com. Hit.
207.210.250.135: icwb-news.com. Hit.
207.210.250.136: sportsreelhighlights.com. Hit.
207.210.250.137: fashionforward.info. No archives.
207.210.250.138: inquiry-human-past.com. Hit.
207.210.250.139: thefairwaysaregreen.com. Hit.
207.210.250.142: russiaupdate.com 2011-11-13. No archives of the time, only older unrelated archives: web.archive.org/web/20010429003443/http://russiaupdate.com/.
207.210.250.143: archaeologyreview.net. Hit.
207.210.250.144: highspeed-news.com. No archives.
207.210.250.146: noticias-caracas.com. Hit.
207.210.250.147: bailandstump.com. Hit.
207.210.250.148: classicalmusic4arab.com. No archives.
207.210.250.149: globalventurestat.com. Hit.
207.210.250.152: al-rashidrealestate.com. Hit.
207.210.250.153: newsintheworld-ru.com. Hit.
207.210.250.154: news-unlimited.info. No archives. Shame, as perfect theme, and has per ipinf.ru/domains/207.210.250.154/

208.254.40.117 worldnewsandent.com. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117: Net Range 208.192.0.0 - 208.255.255.255. Tested viewdns.info range: 208.254.40.92 - 208.254.40.135

208.254.40.96: sixty2media.com. Hit.
208.254.40.99: newspoliticssource.com. Hit.
208.254.40.110 musical-fortune.net. Hit.
208.254.40.113: ashoka-gemstones.com. Hit.
208.254.40.117: worldnewsandent.com. Hit.
208.254.40.124: riskandrewardnews.com. Hit.
208.254.40.129: mailb.casella.com. Legit.

208.254.42.205 driversinternationalgolf.com. Not too far from 208.254.40.117 right? Tested viewdns.info range: 208.254.42.178 - 208.254.42.233.

208.254.42.35: mystorytimefriends.com. Broken/legit.
208.254.42.194: it-proonline.com. Hit.
208.254.42.200: riccs.mwcog.org. Legit. Reverse IP source: 2012 Internet Census, 2012-05-14.
208.254.42.205: driversinternationalgolf.com. Hit.
208.254.42.209: mardelsurnoticias.com. Hit. Reverse IP source: viewdns.info
208.254.42.215: nowfreshfinances.com. Hit.
208.254.42.216: circulatingnews.net. Hit.
208.254.42.219: westingtonpassnews.com. Hit. Reverse IP source: 2013 DNS Census
208.254.44.155: brandimpact.com. Legit/broken: web.archive.org/web/20070801000000*/brandimpact.com
208.254.45.105: operatorenum.com. Legit/broken: web.archive.org/web/20100301000000*/operatorenum.com

210.80.75.55 philippinenewsonline.net. Tested viewdns.info range: 210.80.75.30 - 210.80.75.67

210.80.75.35: aroundtheworldnews.net. No archives. ipinf.ru/domains/210.80.75.33/ disagrees and places it at .33.
210.80.75.36: e-commodities.net. Hit.
210.80.75.37: trekkingtoday.com. Hit.
210.80.75.41: multinews-33.com. Hit.
210.80.75.42: movimientodenticias.com. No archives.
210.80.75.43: gulfandmiddleeastnews.com. Hit.
210.80.75.44: whirlybirdinflight.com. Hit.
210.80.75.45: kings-game.net. Hit.
210.80.75.46: topglobalnewsdaily.com. Hit.
210.80.75.49: recipe-dujour.com. Hit.
210.80.75.53: sportsman-elite.com. No archives.
210.80.75.55: philippinenewsonline.net. Hit.
210.80.75.56: technewsforme.com. Hit.
210.80.75.59: goldeportesnoticias.com. No archives.
210.80.75.68: gigabyte-usa.com. Legit.

212.4.16.232 mynewscheck.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.16.214 - 212.4.17.10.

212.4.16.224: lanoticiasdehoyelinforme.com. Hit.
212.4.16.232: mynewscheck.com. Hit.
212.4.16.239: saktimarsgolf.com 2012-06-29. Broken/legit/no archives of relevant date: web.archive.org/web/20081031060207/http://saktimarsgolf.com/
212.4.16.245: financial-crisis-news.com. Hit.
212.4.16.252: minutosdenoticias.com. Hit. web.archive.org/web/20100517151612/http://minutosdenoticias.com/

Other hits:

208.91.197.132. rdns source: viewdns.info: "location" : "British Virgin Islands", "owner" : "Confluence Networks Inc", "lastseen" : "2013-09-26". So this is after the previous one, unlikely to be correct.
205.178.189.131. source: securitytrails.com

212.4.17.38 fightwithoutrules.com. whois.arin.net/rest/net/NET-208-192-0-0-1/pft?s=208.254.40.117. Net Range: 208.192.0.0 - 208.255.255.255. Organization: Name: Verizon Business. Tested viewdns.info range: 212.4.17.8 - 212.4.17.79

212.4.17.41: newtechfrontier.com. Hit.
212.4.17.43: smart-travel-consultant.com. Hit.
212.4.17.46: atentlaloc.com. Hit.
212.4.17.53: newsresolution.net. Hit.
212.4.17.56: lesummumdelafinance.com. Hit.
212.4.17.56: thepinnacleoffinance.com. No Wayback machine archives.
212.4.17.61: tech-stop.org. Archive: 2011. Feels likely. No commons found. .org hit? Has subdomain "gear.tech-stop.org" according to 2013 DNS Census, which suggests CGI comms, but no links to it
212.4.17.98: topbillingsite.com. Hit.
212.4.17.122: b2bworldglobal.com. Hit.

There were also some other reverse IP hits for fightwithoutrules.com, but no CIA websites there:

204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26. Many domains.
208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20. Many domains.

212.4.18.129 sightseeingnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.4.18.115 - 212.4.18.148. TODO expand. Interesting wide/sparse range? Or perhaps it's two separate ranges?

212.4.18.129: sightseeingnews.com. Hit. Presumably also present under fgnl.net on its second IP range, since this is near 212.4.18.133? viewdns.info gives this as the only IP for the domain.
212.4.30.210: iprintitaly.com. Legit: web.archive.org/web/20230000000000*/http://www.iprintitaly.com/

212.209.74.105 globalbaseballnews.com. Tested viewdns.info range: 212.209.74.100 - 212.209.74.132. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches

212.209.74.105: globalbaseballnews.com. Hit.
212.209.74.106: football-de-luxe.com. Hit.
212.209.74.111: worldconcerns.info. No archives.
212.209.74.112: developmental-league.com. Unclear. CGI comms variant? 2010. English. CGI. American football.
212.209.74.115: mediocampodefutbol.com. Hit.
212.209.74.117: myengineeringaffinity.com. Hit.
212.209.74.122: atthemovies.biz. Archive very broken. Has link to unarchived JAR: web.archive.org/web/20110809232811oe_/http://www.atthemovies.biz/movieslides.jar. Would have been the fist .biz hit found: Non .com .net TLDs
212.209.74.123: worldfinancialexchangenews.com. Hit.
212.209.74.124: urouttahere.com. No archives. Meaning presumably "you're out of here"? One wonders what the theme would have been!
212.209.74.125: avoilurefixe.com. Hit.
212.209.74.126: headlines2day.com. Hit.
- 118.139.174.11. Reverse IP source: viewdns.info
  - 118.139.174.11: 712 domain hits on it
  - 118.139.174.21: theargentineanwineco.com 2013-09-26. No Wayback machine archive.
  - nothing else on the +-20 range
- 184.168.221.91. Reverse IP source: 2013 DNS Census
  - 184.168.221.91: 40k hits on 2013 DNS Census
212.209.74.127: construction-zones.com. Unclear. CGI comms variant? 2009. No known comms found. English. construction. Has a login page: web.archive.org/web/20091130144158/http://construction-zones.com/login.html so maybe CGI comms variant

212.209.79.40 hydradraco.com. Found with: visual inspection of full 2013 DNS Census virtual host cleanup list just after globalbaseballnews.com. Tested viewdns.info range: 212.209.79.35 - 212.209.79.63

212.209.79.34: fgnl.net. Hit. securitytrails.com provides IP history:
- 212.209.79.34: 2008-09-01 - 2010-04-19.
- 212.4.18.133: 2010-04-19 - 2019-06-19. Tested viewdns.info range: 212.4.18.122 - 212.4.18.148
both under MCI Communications Services, Inc. d/b/a Verizon Business.
212.209.79.37: fitness-sources.com. Hit.
212.209.79.40: hydradraco.com. Hit.
212.209.79.41: noticiasdelmundolatino.com. Hit.
212.209.79.42: suparakuvi.com. Hit.
212.209.79.44: myigadgets.net. Unclear. 2010. tech. Contains some helpers to: iGoogle. This page is very interesting. and quite different from the others, as it contains highly specialized functionality. No known comms found. The choice of homepage languages is also very suspicious: Arabic, Farsi, French, Chinese and Spanish.
212.209.79.46: cetusdelph.com. Hit.
212.209.79.47: willtoworship.com. Hit.
212.209.79.48: themvconnection.com. Hit.
212.209.79.51: pi-resources.net. Hit.
212.209.79.52: newel-adserver.com. Redirects to newel.com which is legit.
212.209.79.53: ourscubaworld.com. Hit.
212.209.79.58: tech-love-home.com. Hit.
212.209.79.60: first-solo-aviation.com. Hit.
212.209.79.61: china-destinations.org. Hit.

212.209.90.84 thenewseditor.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 212.209.90.64 - 212.209.90.99

212.209.90.69: worldedgenews.com. Hit.
212.209.90.72: talkingpointnews.info. No archives.
212.209.90.75: prebitinvestment.com. No archives.
212.209.90.77: energy-bulb.com 2011. English. energy. Comms not found, but has unarchived link to: web.archive.org/web/20110128182345/https://webmail.energy-bulb.com/login.html. CGI comms variant?
212.209.90.79: freeblink.com. No archives for timerange, then legit.
212.209.90.80: nsmovies.net. Hit.
212.209.90.82: middleeastjournal.net. Hit.
212.209.90.84: thenewseditor.com. Hit.
212.209.90.87: newsandweathersource.com. Hit.
212.209.90.89: pakisports.com. Hit.
212.209.90.90: vriha-aesthetics.com. Hit.
212.209.90.92: amishkanews.com. Hit.
212.209.90.93: theentertainbiz.com. Hit.
212.209.90.94: eurosportssummary.com. Hit.
212.209.91.14: teracom.net. Legit

216.105.98.152: modernarabicnews.com. Found with: 2013 DNS Census virtual host cleanup heuristic keyword searches. Tested viewdns.info range: 216.105.98.125 - 216.105.98.167

216.105.98.118:
- estudashboard.com: broken
- fintrade.us: legit
216.105.98.132: europeantravelcafe.com. Likely a hit, but comms not found. 2010. English. Europe. travel. Marked copyright 2009. There's a currency converter at: web.archive.org/web/20100724024644/http://www.europeantravelcafe.com/tools.html which could be suspicious.
216.105.98.134: fuenteneta.com. No archives.
216.105.98.135: ilat-news.com. No archives.
216.105.98.136: etherealinspirations.net. No archives.
216.105.98.137: the-news-zone.com. Archive very broken: web.archive.org/web/20130814194744/http://the-news-zone.com/
216.105.98.138: photozoomnews.com. No archives.
216.105.98.139: cultura-digital.net. Hit.
216.105.98.140: uaeshoppingspree.com. Hit.
216.105.98.141: jabarifootball.com. No archives. "Jabari" is a Swahili/Arabic name^[ref]
216.105.98.142: globalreview-ar.com. No archives. Shame, could have been our first Argentinian site.
216.105.98.144: garanziadellasicurezza.com. Archives quite broken: web.archive.org/web/20110424044637/http://www.garanziadellasicurezza.com:80/ Unarchived JAR: /web/20110424044637oe_/http://www.garanziadellasicurezza.com/garanzia.jar Would be another precious Italy hit...
216.105.98.145: montanismoaventura.com. Hit.
216.105.98.146: large-format-news.com. No archives.
216.105.98.147: nepalnewsbrief.com. Hit. dnshistory.org marks it as having IP 2010-03-10 -> 2010-08-15 216.169.148.94 ^[ref]. This range does feel a bit different from the others, too many broken archives, and relatively early ones too. Explored viewdns.info range: 216.169.148.84 - 216.169.148.104, empty for period.
216.105.98.148: teclafinance.com. No archives. One wonders what "tecla" would have stood for. It is Portuguese for "keyboard key", but finance is English so.
216.105.98.149: entreman.com: legit? web.archive.org/web/20110128212738/http://entreman.com/
216.105.98.152: modernarabicnews.com. Hit.
216.105.98.153: global-headlines.com. No archives of the period, then was a legitimate WordPress website for a while.
216.105.98.154: everythingcricket.org. Hit.
216.105.98.156: familyhealthonline.net. Hit.
216.105.98.157: delacorne.com. No archives.
216.105.98.158: econfutures.com. No archives.
216.105.98.161: kstcloud.com. No archives.

219.90.61.123 journeystravelled.com Tested viewdns.info range: 219.90.61.100 - 219.90.61.133

219.90.61.100: pressstory.com: "Under construction". web.archive.org/web/20110128124548/http://pressstory.com/
219.90.61.103: bet2plays.com. "Under construction". Unlikely thematic, too spicy.
219.90.61.110: surya-brahma.com. Hit
219.90.61.111: classicalmusicboxonline.com. Hit.
219.90.61.116: athletepro.net. Hit.
219.90.61.117: lajornadanow.com. Hit.
219.90.61.119: aviation-navigation.com. No archives.
219.90.61.120: theinternationalworld.com. Hit.
219.90.61.121: thepyramidnews.com. Hit.
219.90.61.122: iran-newslink-today.com. Hit.
219.90.61.123: journeystravelled.com. Hit.

219.90.62.243 fitness-dawg.com. whois.arin.net/rest/net/NET-219-0-0-0-1/pft?s=219.90.62.243. Net Type: Allocated to APNIC. Tested viewdns.info range: unknown - 219.90.62.255

219.90.62.173:
- dominatingduos.com: 2013-08-12T17:53:09. No archive
- has other domains
219.90.62.193: centralnewsreleasers.com. Only a 2018 of the robots.txt: web.archive.org/web/*/http://centralnewsreleasers.com/* so likely not a hit
219.90.62.209: penniesbythemillions.com. No archives.
219.90.62.229: information-junky.com. Hit.
219.90.62.231: todosperuahora.com. Hit.
219.90.62.232: race26point2.com. Hit. No archives, but has subdomain: secure.race26point2.com, so likely CGI comms.
219.90.62.233: theworld-news.net. Hit.
219.90.62.234: recuerdosdeviajeonline.com. Hit
219.90.62.235: ordenpolicial.com. No Wayback Machine archives. Last resolved: 2012-01-11.
219.90.62.237: elcorreodenoticias.com. Hit.
219.90.62.238: freshtechonline.com. Hit.
219.90.62.240: cityworldnewsnow.com. Hit. No archives but has subdomain: secure.cityworldnewsnow.com so likely CGI comms.
219.90.62.241: newscentertoday.com. Hit.
219.90.62.242: ride-captain.com. Hit.
219.90.62.244: easytraveleurope.com. Hit.
219.90.62.245: world-news-now.net. Hit.
219.90.62.246: negativeaperture.com. Hit.
219.90.62.247: conquermstoday.com. Hit
219.90.62.249: forensic-exchange.com. 2013 archive: web.archive.org/web/20130714094026/http://forensic-exchange.com/. Appears to be a buggy Wayback Machine archive somehow, so inconclusive.

 Read the full article

IP range search  Updated 2025-02-22  +Created 1970-01-01

 View more

One promising way to find more of those would be with IP searches, since it was stated in the Reuters article that the CIA made the terrible mistake of using several contiguous IP blocks for those website. What a phenomenal OPSEC failure!!!

The easiest way would be if Wayback Machine itself had an IP search function, but we couldn't find one: Search Wayback Machine by IP.

viewdns.info was the first easily accessible website that Ciro Santilli could find that contained such information.

Our current results indicate that the typical IP range is about 30 IPs wide.

E.g. searching: viewdns.info/iphistory and considering only hits from 2011 or earlier we obtain:

capture-nature.com
- 65.61.127.163 - Greenacres - United States - TierPoint - 2013-10-19
activegaminginfo.com
- 66.175.106.148 - United States - Verizon Business - 2012-03-03
iraniangoals.com
- 68.178.232.100 - United States - GoDaddy.com - 2011-11-13
- 69.65.33.21 - Flushing - United States - GigeNET - 2011-09-08
rastadirect.net
- 68.178.232.100 - United States - GoDaddy.com - 2011-05-02
iraniangoalkicks.com
- 68.178.232.100 - United States - GoDaddy.com - 2011-04-04
headlines2day.com
- 118.139.174.1 - Singapore - Web Hosting Service - 2013-06-30. Source: viewdns.info
- 184.168.221.91 2013-08-12T06:17:39. Source: 2013 DNS Census grep
fightwithoutrules.com
- 204.11.56.25 - British Virgin Islands - Confluence Networks Inc - 2013-09-26
- 208.91.197.19 - British Virgin Islands - Confluence Networks Inc - 2013-05-20
- 212.4.17.38 - Milan - Italy - MCI Worldcom Italy Spa - 2012-03-03
fitness-dawg.com
- 219.90.62.243 - Taiwan - Verizon Taiwan Co. Limited - 2012-01-11

Neither of these seem to be in the same ranges, the only common nearby hit amongst these ranges is the exact 68.178.232.100, and doing reverse IP search at viewdns.info/reverseip/?host=68.178.232.100&t=1 states that it has 2.5 million hostnames associated to it, so it must be some kind of Shared web hosting service, see also: superuser.com/questions/577070/is-it-possible-for-many-domain-names-to-share-one-ip-address, which makes search hard.

Ciro then tried some of the other IPs, and soon hit gold.

Initially, Ciro started by doing manual queries to viewdns.info/reversip until his IP was blocked. Then he created an account and used his 250 free queries with the following helper script: cia-2010-covert-communication-websites/viewdns-info.sh. The output of that script can be seen at: github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/viewdns-info.sh.

Ciro then found 2013 DNS Census which contained data highly disjoint form the viewdns-info one!

Summaries of the IP range exploration done so far follows, combined data from all databases above.

 Read the full article

List of websites  Updated 2025-02-22  +Created 1970-01-01

 View more

As a JSON: github.com/cirosantilli/media/blob/master/cia-2010-covert-communication-websites/hits.json. OurBigBook Markup to JSON conversion helper cia-2010-covert-communication-websites/bigb-to-json:

cia-2010-covert-communication-websites/bigb-to-json cia-2010-covert-communication-websites.bigb

Hit criteria: has Wayback Machine archive, and clear indication of a known communication mechanism. The mechanism itself doesn't need to be archived however, a link to it is enough given other supporting elements: IP range, site style, date, web archive date pattern. JS commons are always quickly visually inspected, other mechanisms we look only at filename patterns. Commented edge cases that didn't make the cut can be found mostly under Section "IP range search" and Section "2013 DNS Census virtual host cleanup heuristic keyword searches".

ip	domain	Wayback Machine	language	country mentions	comms	theme	notes
?	all-sport-headlines.com	2011	Arabic		JAR	news	split images^[ref]^[ref]Arabic-looking alphabet, image only so can't Google translate easily.
?	firstnewssource.com	2011	Farsi	Iran	JAR	news	Copyright 2009. Split images. `rss-items`.
?	global-view-news.com	2011	English		JAR	news	split images^[ref]^[ref]
?	globaltourist.net	2010	English		JAR	travel	split images^[ref]^[ref], `rss-items`. speed.jar "speed test" JAR pattern. Seems to have been legit both before.
?	hassannews.net	2010	Arabic		SWF	news	CSS or archive quite broken. Split images^[ref]^[ref]. `rss-items`.
?	health-men-today.com	2011	Arabic		JAR	news	`rss-items`. Encoding broken.
?	intlnewsdaily.com	2011	English		JAR	news	`rss-items`
?	newdaynewsonline.com	2011	English		JAR	news
?	newsincirculation.com	2011	Arabic		JAR	news
?	newsworldsite.com	2011	Pashto	Afghanistan	JAR	news
?	pars-technews.com	2011	Farsi	Iran	JAR	news	"pars" presumably means "Parsi" or something of the same root
?	sportsnewsfinder.com	2011	Chinese	China	JAR	news	体育新闻发现者 (sports news finder)
?	terrain-news.com	2011	Pashto	Afghanistan	JAR	news
?	theworldnewsfeeds.com	2011	English		JAR	news	`rss-items`. Split images^[ref]^[ref]
?	todayoutdoors.com	2011	English		JAR	sports, travel	split images^[ref]^[ref]
?	todaysnewsreports.net	2010	Arabic		JAR	news
?	weblognewsinfo.com	2011	English		JAR	news	Split images, `rss-items`.
?	opensourcenewstoday.com	2010	Arabic		JAR	news	copyright 2010
?	techwatchtoday.com	2011	English		JAR	tech, news	Marked copyright 2008. Split images^[ref]^[ref]. Later legit.
?	cyhiraeth-intlnews.com	2011	English		JAR	news	en.wikipedia.org/wiki/Cyhyraeth "The cyhyraeth is a ghostly spirit in Welsh mythology, a disembodied moaning voice that sounds before a person's death." WTF! So the serious looking black actress lady is meant to represent the voice of death?. Split images^[ref]^[ref]. `rss-items`
?	24hoursprimenews.com	2009	English		JAR	news	split images^[ref]^[ref]
?	dailynewsandsports.com	2013	English		JAR	sports
?	europeannewsflash.com	2011	English		JAR	news	Split images^[ref]^[ref]
?	farsi-newsandweather.com	2011	Farsi	Iran	JAR	news	split images^[ref]^[ref]
?	iranfootballsource.com	2011	Farsi		JS	sports, football
?	iraniangoalkicks.com	2008	Farsi	Iran	JAR	sports, football
?	iraniangoals.com	2009	Farsi	Iran	JS	sports, football
?	mywebofnews.com	2011	Arabic		JAR	news	Split images^[ref]^[ref]. `rss-items`.
?	news-latina.com	2011	English		JAR	news	copyright 2007
?	outlooknewscast.com	2011	Farsi	Iran	JAR	news
?	rastadirect.net	2010	English		JAR	fansite
?	todaysengineering.com	2011	English		CGI	engineering
?	worldofonlinenews.com	2011	English		JAR	news	split images^[ref]^[ref]. Later legit.
62.22.60.42	newsupdatesite.com	2011	English		JAR	news	rdns source
62.22.60.46	flyingtimeline.com	2011	English		JAR	airplanes
62.22.60.48	currentcommunique.com	2011	English	Egypt	SWF	news
62.22.60.49	telecom-headlines.com	2011	English		JS	tech
62.22.60.52	collectedmedias.com	2011	French		JS	news	Marked copyright 2008
62.22.60.55	thefilmcentre.com	2011	English		JS	films
62.22.60.56	traveltimenews.com	2011	English		JS	news
62.22.61.193	awfaoi.org	2010	Arabic	Iraq	JAR	not-for-profit	This was the first clear .org hit with comms we've been able to find. Title translation: "Arab women to help Iraq", so perhaps "awfaoi" stands for "Arab Women For A O? Iraq". This fits well into the .org theme. Marked copyright 2008.
62.22.61.197	rc5sports.com	2011	English		JAR	sports
62.22.61.198	inside-vc.com	2011	English		CGI	finance	"vc" is a standard abbreviation for venture capital
62.22.61.202	bailsnboots.com	2011	English		SWF	sports, cricket	"Bail" is one part of the thing your're supposed to hit with th eball in cricket.^[ref]
62.22.61.203	the-cricketer-online.com	2011	English		JAR	sports, cricket	marked copyright 2009.
62.22.61.204	hollywoodscreen.net	2011	English		JS	films
62.22.61.206	worldnewsnetworking.com	2011	Arabic		JAR	news
62.22.61.212	nuestrasfinanzas.com	2011	Spanish		JAR	finance
62.22.61.217	court-masters.com	2011	English		JAR	sports, tennis
62.22.61.219	allworldstatistics.com	2011	English		JS	statistics
62.22.61.220	newsjaka.com	2011	English	Indonesia	JS	news	"jaka" presumably means Jakarta, the capital of Indonesia. There is a Indonesia section on the left sidebar. But the news are quite global however.
63.131.229.2	fightskillsresource.com	2011	English		JS	sports, martial arts
63.131.229.4	unitedterritorynews.com	2011	English		JS	news
63.131.229.9	show-dustry.com	2011	English		CGI	entertainment	The website name is a neologism with "show" and "industry".
63.131.229.11	mythriftytrip.com	2011	English		CGI	travel	thrifty means: "using money and other resources carefully and not wastefully"
63.131.229.12	cyberreportagenews.com	2011	English		JAR	news	rdns source
63.131.229.13	sunrise-news.com	2011	English		JAR	news	rdns source
63.131.229.15	cricketnewsforindia.com	2013	English	India	JS	sports, cricket	archive quite broken, lots of missing files, including the JS
63.131.229.16	nutricion-saludable.net	2010	Spanish		CGI	health
63.131.229.20	fixashion.net	2011	English		JS	fashion
63.130.160.50	theglobalheadlines.com	2010	English		JAR	news	this has several archives from 2013, marked as Live Web Proxy Crawls and explained "mostly by the Save Page Now", so presumably by counter intelligence or amateurs
63.130.160.51	hai-pow.com	2011	English		JAR	sports, martial arts
63.130.160.53	echessnews.com	2011	Chinese	China	JAR	sports, boxing	Chinese title: 我的象棋世界 (My Chinese Chess world). rdns source. Split images^[ref]^[ref]
63.130.160.60	boxingstop.net	2010	Polish	Poland	JAR	sports, boxing
63.130.160.62	azerinews.org	2009	Azerbaijani	Azerbaijan	JAR	news	rdns source. Split images, `rss-items`.
64.16.204.55	holein1news.com	2010	English		JAR	sports, golf
64.16.204.58	tech-topix.com	2013	English		CGI	tech	Archive quite broken, but link to CGI comms.
65.61.127.163	capture-nature.com	2011	English		JAR	photography	Reuters example. Since became legitimate, Ciro contacted the owner, and he was unaware of the domain's history.
65.61.127.166	globalnewsbulletin.com	2013	English	Tunisia, Afghanistan, Iran, Egypt	CGI	news	PHP pages, images `/images/index_01.jpg`
65.61.127.169	crossovernews.net	2011	English		JAR	sports, basketball
65.61.127.174	dedrickonline.com	2010	German		JS	sports
65.61.127.175	altworldnews.com	2013	English		CGI	news	Epoch times link, PHP pages
65.61.127.178	tee-shot.net	2011	English		SWF	sports, golf	nice domain name
65.61.127.182	pangawana.com	2011	Arabic	Afghanistan	JS	news
65.61.127.183	cutabovenews.com	2011	English	Algeria, various others	JS	sports, basketball
65.61.127.184	worldwildlifeadventure.com	2011	English		JAR	travel
65.61.127.186	explorealtmeds.com	2013	English		JAR	health	the JAR was not archived, but there's a link to it
65.218.91.9	welcometonyc.net	2010	English		CGI	travel
65.218.91.17	alljohnny.com	2004	English		CGI	fansite	mega early hit from 2004 to 2005. Then a gap, then they redid the domain: 2011. Same authors given content similarities e.g. "Submit Your Favorite Carson Moment". Reusing the domain after all these years, the lack of OPSEC is just mind blowing! New website marked Copyright 2003. Part of Oleg Shakirov's findings. One of the Reuters websites. Search documented at: Searching for Carson.
66.45.179.192	thegraceofislam.com	2011	English		CGI	religion, Islam
66.45.179.193	arabicnewsunfiltered.com	2011	Arabic		JAR	news	rdns source
66.45.179.194	raulsonsglobalnews.com	2011	English		JAR	news
66.45.179.195	aryannews.net	2010	Pashto	Afghanistan	JAR	news	rdns source. Heil.
66.45.179.199	attivitaestremi.com	2011	Italian		CGI	sports
66.45.179.201	hitthepavementnow.com	2011	English		CGI	sports, running
66.45.179.202	newimages.org	2011	Turkish	Turkey	JAR	photography	JAR unarchived
66.45.179.203	noticiascontinental.com	2011	Spanish	South America	CGI	news
66.45.179.205	noticiasporjanua.com	2011	Spanish		JAR	news
66.45.179.206	podisticamondiale.com	2010	Italian	Italy	JAR	sports, running	marked copyright 2010
66.45.179.207	reflectordenoticias.com	2011	Spanish		JAR	news
66.45.179.208	havenofgamerz.com	2011	English		CGI	gaming	marked copyright 2009
66.45.179.210	sa-michigan.com	2011	English		JAR	sports	"sa" is an abbreviation for the site title "Sports Alive"
66.45.179.211	absolutebearing.net	2010	English		CGI	travel, sports, boats
66.45.179.213	myportaltonews.com	2011	English		JS	news
66.45.179.214	investmentintellect.com	2011	English		JAR	finance
66.45.179.215	nigeriastar.net	2011	English	Nigeria	JAR	news	Contains link to unarchived JAR
66.104.169.163	doctorsoncallsite.com	2011	English		JAR	health
66.104.169.164	lightandshadowonline.com	2010	English		JAR	photography
66.104.169.168	plugged-into-news.net	2010	English		JAR	news	JAR uses .zip extension! First instance, wow
66.104.169.171	golf-on-holiday.com	2011	English		JAR	sports, golf
66.104.169.172	perspectiva-noticias.com	2011	Spanish		JS	news
66.104.169.175	aquaswimming.com	2009	English		JAR	sports, swimming
66.104.169.177	dojo-temple.com	2011	English		CGI	sports, martial arts	TODO meaning of "kama"? Kama lol?
66.104.169.179	neighbour-news.com	2010	English	Germany	JAR	news	Mentions of Goethe-Institut and Germany all over. JAR unarchived
66.104.169.180	medicatechinfo.com	2010	English		JS	health
66.104.169.181	brickmanfinancialnews.com	2011	English		JS	finance
66.104.169.182	casanewsnow.com	2011	English		JAR	JAR unarchived. TODO why "casa"? Doesn't seem to have any link to Spanish or Portuguese.
66.104.169.184	bcenews.com	2011	Albanian	Albania	JAR	news
66.104.173.163	runakonews.com	2011	English	Africa	CGI	news	"Runako" is an African given name.
66.104.173.164	shoppingadventure.net	2010	English		JAR	travel, shopping	JAR unarchived
66.104.173.165	entertaining-ly.com	2011	English		JAR	entertainment
66.104.173.166	zubeenews.com	2011	English		JS	news	"Zubee" is a Muslim name: muslimnames.com/zubee.
66.104.173.169	smart-financeology.com	2011	English		JAR	finance
66.104.173.175	media-coverage-now.com	2010	English		SWF	news
66.104.173.176	jbc-online-news.com	2011	English		JS	news	TODO meaning of "JCB". JS unarchived.
66.104.173.177	webscooper.com	2011	English		JAR	news
66.104.173.178	dk-dcinvestment.com	2010	English		JAR	finance	TODO meaning of "dk;dc".
66.104.173.180	stara-turistick.com	2011	Croatian		JAR	tourism
66.104.173.181	playbackpolitics.com	2011	English		JS	news
66.104.173.182	snapnewsfront.net	2011	English	Japan	JS	news
66.104.173.183	ingenuitytrendz.com	2011	English		JAR	tech
66.104.173.184	armashoy.com	2011	Spanish	Spain	SWF	guns	meaning: "Weapons Today". In First World countries the CIA felt it would be safe to touch edgier subjects like guns
66.104.173.185	baocontact.com		English		JAR		HTML archive almost empty, but JAR was archived. One wonders what "bao" refers to, could be Chinese, but the small snippet of visible website is in English.
66.104.173.186	myworldlymusic.com	2011	English	Pakistan	JAR	music	JAR unarchived
66.104.173.189	hitpoint-gaming.com	2011	English		JS	gaming	Marked copyright 2010
66.104.175.34	itwebtoday.com	2011	English		JS	tech
66.104.175.35	drglobalnews.com	2011	English		JAR	news	TODO meaning of "dr"? rdns source.
66.104.175.36	adilnews.net	2010	Arabic		SWF	news	Adil is an Arabic masculine name
66.104.175.40	beyondnetworknews.com	2011	English	Egypt	CGI	news
66.104.175.41	grubbersworldrugbynews.com	2011	English		JS	sports, rugby
66.104.175.44	yourtripfinder.net	2010	English		CGI	travel	comms not found, CGI from unarchived subpage assumed
66.104.175.45	rollinsnetwork.com	2011	English		CGI	tech	CGI linked to but not archived
66.104.175.46	infosharenews.com	2011	English		JAR	news
66.104.175.47	southasiaheadlines.com	2011	English	Bangladesh, Bhutan, India, Maldives, Nepal, Pakistan, Sri Lanka Tibet	JAR	travel	JAR linked to but missing from archive
66.104.175.48	worlddispatch.net	2010	Arabic		SWF	news
66.104.175.49	webworldsports.com	2011	Arabic		JAR	sports
66.104.175.50	fly-bybirdies.com	2011	English		JAR	travel
66.104.175.51	businessexchangetoday.com	2011	English		CGI	news, finance	PHP pages
66.104.175.52	mensajeradenoticias.com	2011	Spanish		CGI	news	CGI unarchived
66.104.175.53	info-ology.net	2010	English		JAR	news
66.104.175.54	marketflows.net	2011	English		JAR	finance
66.104.175.57	metanewsdaily.com	2010	English		CGI	news
66.175.106.134	paddlescoop.com	2011	English	Bangladesh, Pakistan, India, England	JAR	sports, cricket
66.175.106.137	kessingerssportsnews.com	2010	English		JS	sports
66.175.106.138	factorforcenews.com	2009	English		JAR	news
66.175.106.142	kanata-news.com	2010	English	Canada	JS	news	"Kanata" is a place in Ottawa, Canada. The name is likely of Indigenous origin.
66.175.106.143	thecricketfan.com	2011	English		JAR	news
66.175.106.146	inews-today.com	2011	English	Egypt	JAR	news	Marked copyright 2008
66.175.106.147	starwarsweb.net	2010	English		SWF	fansite	well, not even the CIA can escape Star Wars. TODO identify boy.
66.175.106.148	activegaminginfo.com	2011	Chinese		JAR	gaming	the website is entitled "活跃游戏" which means "Lively games", or "active games" as in the domain name itself
66.175.106.149	feedsdemexicoyelmundo.com	2011	Spanish	Mexico	JS	news
66.175.106.150	noticiasmusica.net	2010	Brazilian Portuguese	Brazil	JAR	music
66.175.106.155	atomworldnews.com	2011	English	Egypt	JAR	news
66.175.106.158	nouvellesetdesrapports.com	2011	French	Egypt, Tunisia	JAR	news
66.237.236.227	newsandmusicminute.com	2011	Pashto		JS	music
66.237.236.229	pearls-playlist.com	2011	English		SWF	music
66.237.236.230	beyondthefringe.info	2012	English		JAR	rugs	JAR unarchived
66.237.236.231	primetimemovies.net	2009	English		JS	films	JS unarchived
66.237.236.235	persephneintl.com	2013			JAR		archive very broken, JAR unarchived. Full title: "Persephne International", reference to Greek Goddess of "spring, the dead, the underworld, grain, and nature"
66.237.236.236	directoalgrano.net	2010	Spanish		JAR	news
66.237.236.240	actualizaciondebeisbol.com	2011	Spanish		JS	sports, baseball
66.237.236.243	mygadgettech.com	2009	Chinese		CGI	tech	Archive very broken
66.237.236.247	comunidaddenoticias.com	2011	Spanish	Ecuador	JAR	news
66.237.236.249	sumerjaseahora.com	2011	Spanish		CGI	sports, SCUBA diving	submerge yourself now
69.84.156.69	al-ashak-news-me.com	2011	Arabic		JS	news
69.84.156.71	worldfinancetoday.net	2011	English		JAR	finance
69.84.156.72	autonewsarabia.com	2011	Arabic		JAR	cars
69.84.156.74	blue-moon-news.com	2011	Arabic		JS	news
69.84.156.76	tnc-urdu.com	2011	Urdu		JAR	tech	TODO meaning of "tnc"?
69.84.156.82	arabicnewsonline.com	2011	Arabic		JAR	news	rdns source. Some very similar domains: modernarabicnews.com, arabicnewsource.com. Needed more creativity here! Later legit.
69.84.156.83	unganadormundial.com	2010	Spanish		CGI	sports, fitness
69.84.156.88	diariodeelmundo.com	2011	Spanish		JAR	news
69.84.156.89	todaysarabnews.com	2011	Arabic		JAR	news	JAR unarchived.
69.84.156.90	stickshiftnews.com	2011	English		JAR	cars
69.84.156.91	theinternationalgoal.com	2011	Spanish		CGI	news
72.34.53.174	electronictechreviews.com	2011	English		JAR	tech	JAR unarchived. Split images, `rss-items`. Present at "Mass Deface III" pastebin.
72.34.53.174	just-the-news.com	2011	Arabic		JAR	news	copyright 2009. Present at "Mass Deface III" pastebin. JAR unarchived.
72.34.53.174	kickitnews.com	2010	Arabic		JAR	sports, football	copyright 2009. Present at "Mass Deface III" pastebin.
72.34.53.174	moyistochnikonlaynovykhigr.com	2011	Russian	Russia		fansite	copy of myonlinegamesource.com, but on a Russian transliterated domain rather than the English one, very interesting
72.34.53.174	myhealthlibrary.net	2011	English		JAR	health	present at: "Mass Deface III" pastebin.
72.34.53.174	myonlinegamesource.com	2011	Russian	Russia		gaming	Can't find comms, but stylistically perfect. `rss-items`. Present at "Mass Deface III" pastebin.
72.34.53.174	mytravelopian.com	2011	English		JAR	travel
72.34.53.174	recursosdenoticias.com	2011	Spanish		JAR	news	Split images, `rss-items`. Present at "Mass Deface III" pastebin.
72.34.53.174	sayaara-auto.com	2010	Arabic		JAR	cars
72.34.53.174	technologytodayandtomorrow.com	2011	English		JAR	tech	`rss-items`. Present at "Mass Deface III" pastebin.
72.34.53.174	todaysnewsandweather-ru.com	2011	Russian	Russia	JS	news	JavaScript with SHAs
74.116.72.227	dayenews.com	2011	English		JAR	news	rdns source. Previously 69.74.45.67.
74.116.72.229	guide-daventure.com	2011	French	France	JAR	travel
74.116.72.231	bleachersfootballnews.com	2011	English		JAR	sports, football	TODO meaning of "Bleacher"? Possible reference to Bleacher Report.
74.116.72.232	indirectfreekick.com	2011	English		JAR	sports, football
74.116.72.233	wwiichronicles.net	2011	English		CGI	history
74.116.72.234	petroleumagenews.com	2011	English		JAR	oil
74.116.72.235	the-open-book-online.com	2011	English		JS	literature
74.116.72.236	techtopnews.com	2011	English		JAR	tech
74.116.72.239	crickettoday.info	2013	Pashto		JS	sports, cricket	JS unarchived. The requested URL /cricket.js was not found on this server
74.116.72.240	zafernews.com	2011	Arabic		JAR	news
74.116.72.242	gdgtsource.com	2011	English		CGI	tech	Presumably "gdgt" stands for "GaDGeT", which is mentioned on subtitle
74.116.72.246	vuvuzelanews.com	2011	English		JAR	sports, football	Vuvuzela is this plastic horn, popular in football stadiums. The term is of African origin. Later legit. rdns source. Previously at 69.74.45.86.
74.116.72.247	ballbatstumpsandbails.com	2011	English		JAR	sports, cricket
74.116.72.249	round-trip-travel.com	2010	English		CGI	travel	this got archived a lot of times, though all seem to be Alexa crawls.
74.116.72.250	arabicnewsource.com	2011	Arabic		CGI	news
74.254.12.163	half-court.net	2010	English	Philippines	JAR	sports, basketball
74.254.12.164	dailywellnessnews.com	2011	English		JAR	health	rdns source. split images^[ref]^[ref].
74.254.12.165	dylandon.net	2011	Chinese		SWF	music	"Dylan" presumably a reference to Bob Dylan? "Don" unclear. Maybe Don McLean?
74.254.12.166	afghanpoetry.net	2010	English	Afghanistan	SWF	poetry	Also at 63.131.229.10^[ref] in a range.
74.254.12.168	non-stop-news.net	2010	Farsi		JAR	news
74.254.12.169	soldiersofsouthasia.com	2011	English		JAR	history
74.254.12.171	autism-news.org	2011	English		SWF	health	copyright 2007. Split images. `rss-items`. Previously at 69.74.45.67.
74.254.12.176	pakcricketgrd.com	2011	Urdu		JAR	sports, cricket	TODO meaning of "grd"
74.254.12.177	networkofnews.com	2011	English		JAR	news	rdns source. Later legit.
74.254.12.179	wineconnaisseur.net	2010	English		JS	wine
74.254.12.180	helpinghandssite.com	2011	English		JAR	news
74.254.12.188	first-tee-golf.com	2011	English		JAR	sports, golf
74.254.12.189	fabu-foto.com	2011	English		CGI	photography
74.254.12.190	viptravelabroad.com	2011	English		JS	travel
199.85.212.105	mide-news.com	2010	English		CGI	news	"MIDE" stands for "Middle East". Comms not archived, presumably CGI comms variant.
199.85.212.111	newsandsportscentral.com	2009	English		JAR	news	rdns source
199.85.212.118	just-kidding-news.com	2011	English		JAR	news	epic name
204.176.38.130	i-pressnews.com	2011	English		JAR	news
204.176.38.132	turkishnewslinks.com	2011	English	Turkey	JAR	news
204.176.38.134	photographyarecord.com	2011	English		CGI	photography	Cute
204.176.38.135	breakingthewicket.com	2011	English		CGI	sports, cricket
204.176.38.136	politicalworldtoday.com	2011	English	Egypt	JAR	news
204.176.38.137	hi-tech-today.com	2011	English		JAR	tech
204.176.38.139	bigscreenbattles.com	2011	English		JAR	films
204.176.38.141	rakotafootball.com	2011	English		JAR	sports, football	"Rakota" is an Indian family name
204.176.38.143	noticiassofisticadas.com	2011	Spanish		CGI	news
204.176.38.142	senderosdemontana.com	2011	Spanish		JS	sports, cycling	Talks about mountain biking and Eurobike 2010, so likely Spain focused, but it is not direct enough to be certain. JS unarchived.
204.176.38.144	techno-today.com	2011	English		JAR	tech	was legit previously.
204.176.38.145	tickettonews.com	2011	English		JAR	news	rdns source. Epoch times link.
204.176.38.146	dps-digitalphotosharing.com	2011	English		JAR	photography
204.176.38.147	theputtingreen.com	2011	English		JAR	sports, golf
204.176.38.149	sportsnewstodayar.com	2011	Arabic	Lebanon, others	JAR	sports	"ar" on domain name presumably means "Arabic"
204.176.38.159	kairuafricanews.com	2011	English	Africa	JAR	news	what is "Kairu"? en.wikipedia.org/wiki/Kairu a place in India? en.wiktionary.org/wiki/kairu "frog" in Japanese? rdns source
204.176.39.97	beamingnews.com	2011	Arabic		JAR	news	Nice design. rdns source
204.176.39.98	cubriendonoticias.com	2011	Spanish		JAR	news	archive quite broken. JAR unarchived.
204.176.39.100	rowleyworldpost.com	2011	English	Egypt, others	JAR	news
204.176.39.103	economicnewsbuzz.com	2011	Korean		CGI	finance	Love the kawaii style
204.176.39.104	spectranewsonline.com	2011	English		CGI	news	marked copyright 2010.
204.176.39.105	entertainmentnewscompany.com	2011	Chinese		SWF	films, music	Title: "娱乐新闻公司", lit. Entertainment News Company
204.176.39.110	arabnewsatdawn.com	2011	Arabic		CGI	news	cute, the Arab chick's drink actually has a cocktail umbrella on it. Marked copyright 2010.
204.176.39.115	globalprovincesnews.com	2010	Arabic		JS	news
204.176.39.116	mahparah-news.com	2011	Farsi		JS	news
204.176.39.119	commercialspacedesign.com	2013	Farsi		CGI	architecture	C O N C E P T U A L design. A rare example of a fake company website.
207.210.250.131	starrynightnews.com	2011	Arabic		JS	news	interesting design
207.210.250.132	aeronet-news.com	2011	English		JAR	airplanes
207.210.250.133	bakaribulletin.com	2011	English	Africa	JS	news	Bakari could either be a given name, or a village in Togo
207.210.250.134	deprensaenlarevisiondehoy.com	2011	Spanish		JAR	news
207.210.250.135	icwb-news.com	2011	English		JAR	news	ICWB stands for "Inner Circle Worldwide Business (News)", the title of the website
207.210.250.136	sportsreelhighlights.com	2011	English		JAR	sports
207.210.250.138	inquiry-human-past.com	2011	English		JAR	history
207.210.250.139	thefairwaysaregreen.com	2011	Thai		JAR	sports, golf
207.210.250.143	archaeologyreview.net	2010	English		JAR	history, archeology
207.210.250.146	noticias-caracas.com	2011	Spanish	Venezuela	CGI	news	Caracas is the capital of Venezuela. But you knew that, right?
207.210.250.147	bailandstump.com	2011	English		JS	sports, cricket	"Bail" and "Stump" are the two parts of the thing your're supposed to hit with the ball in cricket.^[ref]
207.210.250.149	globalventurestat.com	2008	English		SWF	news
207.210.250.152	al-rashidrealestate.com	2010	Arabic	Egypt	CGI	finance, real-estate
207.210.250.153	newsintheworld-ru.com	2011	Russian		JAR	news
208.254.40.96	sixty2media.com	2011	English	Various	JAR	news	Epoch times link
208.254.40.99	newspoliticssource.com	2013	Arabic		JAR	news	One of the news mentions Snowden
208.254.40.110	musical-fortune.net	2010	English		CGI	music	images `/images/banner-02.jpg`
208.254.40.113	ashoka-gemstones.com	2010	English		JAR	jewelry
208.254.40.117	worldnewsandent.com	2010	Arabic	Egypt	CGI	mews
208.254.40.124	riskandrewardnews.com	2013	English		CGI	finance
208.254.42.194	it-proonline.com	2011	English		CGI	tech	images `/images/header_01.jpg`
208.254.42.205	driversinternationalgolf.com	2011	English		CGI	sports, golf
208.254.42.209	mardelsurnoticias.com	2011	Spanish		JAR	news	weird mixture of Portuguese and Spanish language external links
208.254.42.215	nowfreshfinances.com	2011	English		CGI	finance	CGI unarchived
208.254.42.216	circulatingnews.net	2010	English		JAR	travel
208.254.42.219	westingtonpassnews.com	2011	English		JAR	news
210.80.75.36	e-commodities.net	2011	English		JAR	finance
210.80.75.37	trekkingtoday.com	2011	English		JAR	sports, running	split images^[ref]^[ref]. rdns source.
210.80.75.41	multinews-33.com				JAR	news	No archives of the HTML, but the JAR was archived
210.80.75.43	gulfandmiddleeastnews.com	2011	Arabic		JS	news
210.80.75.44	whirlybirdinflight.com	2011	English		JAR	helicopters
210.80.75.45	kings-game.net	2011	English		JAR	gaming, chess	JAR unarchived
210.80.75.46	topglobalnewsdaily.com	2011	English		JS	news
210.80.75.49	recipe-dujour.com	2011	English		JAR	cooking	nice design
210.80.75.55	philippinenewsonline.net	2010	Philippines		JAR	news
210.80.75.56	technewsforme.com	2011	Farsi		JAR	tech
212.4.16.224	lanoticiasdehoyelinforme.com	2010	Spanish		JAR	news
212.4.16.232	mynewscheck.com	2011	English	Canada	JAR	news	rdns source
212.4.16.245	financial-crisis-news.com	2011	Russian	Russia	JAR	news	rdns source
212.4.16.252	minutosdenoticias.com	2010	Spanish		CGI	news	CSS
212.4.17.38	fightwithoutrules.com	2011	Russian		JAR	sports, combat sports
212.4.17.41	newtechfrontier.com	2010	English		CGI	tech	since became legit: newtechfrontier.com/
212.4.17.43	smart-travel-consultant.com	2011	Chinese		CGI	travel	ajaxtax.js may be of interest for fingerprinting. Title: "智能旅行顾问", lit. Smart Travel Consultant
212.4.17.46	atentlaloc.com	2009	English	Quatar, Lebanon, Israel, Iran	JS	jewelry	Tlaloc is an Aztec deity, and Aten is an Egyptian deity. Both appear to be somewhat linked to gold, thus their usage in a jewelry website. Creative domain name.
212.4.17.53	newsresolution.net	2010	English	Côte d'Ivoire, Lebanon, Sudan	JAR	news, UN Peacekeeping
212.4.17.56	lesummumdelafinance.com	2010	French	France	JAR	finance
212.4.17.98	topbillingsite.com	2011	English		CGI	films
212.4.17.122	b2bworldglobal.com	2011	English		CGI	news
212.4.18.14	football-enthusiast.com	2011	English	Europe	JS	sports, football
212.4.18.129	sightseeingnews.com	2010	English		JAR	travel
212.209.74.105	globalbaseballnews.com	2011	English		JS	sports, baseball
212.209.74.106	football-de-luxe.com	2010	French	France	JAR	sports, football
212.209.74.112	developmental-league.com	2010	English		CGI	sports, American football	CGI comms variant?
212.209.74.115	mediocampodefutbol.com	2010	Spanish		JAR	sports, football
212.209.74.117	myengineeringaffinity.com	2011	English		JAR	tech
212.209.74.123	worldfinancialexchangenews.com	2010	English		SWF	finance	SWF unarchived.
212.209.74.125	avoilurefixe.com	2011	French	Tunisia	JAR	airplanes	"à voilure fixe" is French for "with fixed wing", i.e. fixed wing aircraft
212.209.74.126	headlines2day.com	2011	Farsi		JAR	news	marked copyright 2009
212.209.79.34	fgnl.net	2011	English	Iran	CGI	news	four letter domain! FGNL stands for "Farsi Global News Links" Marked copyright 2009.
212.209.79.37	fitness-sources.com	2010	English		JS	sports, fitness
212.209.79.40	hydradraco.com	2011	English		JAR	sports, American football	TODO meaning of the name?
212.209.79.41	noticiasdelmundolatino.com	2011	Spanish		JAR	news
212.209.79.42	suparakuvi.com	2011	French	France	JAR	news	a Tour Eiffel image, and young people stuff, i.e. first world stuff. It's for France alright. But TODO meaning of domain name? Ciro's second language French didn't cut it this time.
212.209.79.46	cetusdelph.com	2011	English		JS	sports, scuba
212.209.79.47	willtoworship.com	2011	English		JAR	religion, Christianity	marked copyright 2007 (!)
212.209.79.48	themvconnection.com	2011	English		JAR	music
212.209.79.51	pi-resources.net	2010	English		JS	private investigators	"pi" stands for Private Investigators. The CIA must have had some fun making this one.
212.209.79.53	ourscubaworld.com	2011	English		JS	sports, scuba
212.209.79.58	tech-love-home.com	2011	Chinese		JS	tech	Title: "消费类电子产品", lit. Consummer Electronics
212.209.79.60	first-solo-aviation.com	2010	English		JAR	airplanes
212.209.79.61	china-destinations.org	2011	Chinese		JS	travel	title: "中国目的地指南", lit. "China Destination Guide"
212.209.90.69	worldedgenews.com	2011	English		JAR	news
212.209.90.80	nsmovies.net	2010	English		JAR	films	"ns" stands for "Nirguna Saguna", two separate Hindu names/deities. But there are no other Indian references beyond those.
212.209.90.82	middleeastjournal.net	2010	Arabic		JS	news
212.209.90.84	thenewseditor.com	2011	English		JAR	news
212.209.90.87	newsandweathersource.com	2009	English		JAR	news	marked copyright 2009.
212.209.90.89	pakisports.com	2010	English	Pakistan	SWF	sports
212.209.90.90	vriha-aesthetics.com	2011	Arabic		JS	news
212.209.90.92	amishkanews.com	2011	English	India	JS	news	Amishka is an Indian name, plus some prominent mentions of Bollywood both point to India specifically
212.209.90.93	theentertainbiz.com	2011	English		JAR	entertainment
212.209.90.94	eurosportssummary.com	2011	English		JAR	sports
216.93.248.194	esmundonoticias.com	2011	Spanish		JAR	news	`rss-items`. Shares IP with kukrinews.com.
216.93.248.194	kukrinews.com	2010	English		JS	News	JavaScript with SHAs. Talks to `/cgi-bin/news.cgi`. A Kukri is the national weapon of Nepal. Slogan: "Nepal's Sharp Edge", thus matching the website name. Split image header. Copyright 2009. Shares IP with esmundonoticias.com.
216.105.98.139	cultura-digital.net	2008	Spanish		CGI	news	Marked copyright 2008. Previously legit.
216.105.98.140	uaeshoppingspree.com	2013	English	UAE	JAR	shopping	Archive quite broken, but has link to unarchived JAR. Has an unusually personal touch "As you can probably tell from the title of my website, shopping is my very favorite pastime."
216.105.98.145	montanismoaventura.com	2012	Spanish	Spain	JS	sports, mountaineering	JS unarchived. Marked copyright 2010.
216.105.98.147	nepalnewsbrief.com	2008	English	Nepal	JAR	news	Marked copyright 2006 (!) If true this would be the earliest known reference to a date in the websites.
216.105.98.152	modernarabicnews.com	2013	Arabic		JAR	news	HTML archive quite broken, but JAR was archived thankfully.
216.105.98.154	everythingcricket.org	2011	English		JAR	sports, cricket	Also has archives from 2009, but they were a bit broken. The 2011 one is marked copyright 2011, so they actually bothered to updated that.
216.105.98.156	familyhealthonline.net	2011	English		CGI	health
219.90.61.110	surya-brahma.com	2011	Spanish		JAR	news	Surya and Brahman are Hindu concepts, but the website appears to have nothing to do with India or Hinduism. Interesting.
219.90.61.111	classicalmusicboxonline.com	2010	English		CGI	music
219.90.61.116	athletepro.net	2010	English		JAR	sports
219.90.61.117	lajornadanow.com	2010	Spanish		JAR	news
219.90.61.120	theinternationalworld.com	2011	English		JAR	news	rdns source. `rss-items`.
219.90.61.121	thepyramidnews.com	2011	Farsi	Iran	JAR	news
219.90.61.122	iran-newslink-today.com	2011	Farsi	Iran	JAR	news
219.90.61.123	journeystravelled.com	2011	English		JAR	travel
219.90.62.229	information-junky.com	2011	English	Ghana	JAR	news
219.90.62.231	todosperuahora.com	2011	Spanish	Peru	CGI	news
219.90.62.233	theworld-news.net	2010	Urdu		CGI	news
219.90.62.234	recuerdosdeviajeonline.com	2011	Spanish		SWF	travel	marked "Copyright 2009"
219.90.62.237	elcorreodenoticias.com	2011	Spanish	Venezuela	JAR	news
219.90.62.237	ride-captain.com	2011	English		JAR	sports, motorcyles
219.90.62.238	freshtechonline.com	2011	English		CGI	tech
219.90.62.241	newscentertoday.com	2011	English		JAR	news	Copyright 2008. rdns source. `rss-items`. Later legit, with a pause The domain name you have entered is not available. It has been taken down because the email address of the domain holder (Registrant) has not been verified..
219.90.62.243	fitness-dawg.com	2021	English		JAR	sports, fitness
219.90.62.244	easytraveleurope.com	2012	English		JAR	travel	nice design
219.90.62.245	world-news-now.net	2011	English		JAR	news
219.90.62.246	negativeaperture.com	2011	English		CGI	photography	nice domain name
219.90.62.247	conquermstoday.com	2011	English		CGI	health	MS means multiple sclerosis. Comms not found, CGI from unarchived subpage assumed. Has a subdomain "heal.conquermstoday.com" according to 2013 DNS Census, but no links to it in the archive.

 Read the full article

Oleg Shakirov's findings  Updated 2025-02-22  +Created 1970-01-01

 View more

Starting at twitter.com/shakirov2036/status/1746729471778988499, Russian expat Oleg Shakirov comments "Let me know if you are still looking for the Carson website".

He then proceeded to give Carson and 5 other domains in private communication. His name is given here with his consent. His advances besides not being blind were Yandexing for some of the known hits which led to pages that contained other hits:

moyistochnikonlaynovykhigr.com contains a copy of myonlinegamesource.com, and both are present at www.seomastering.com/audit/pefl.ru/, an SEO tracker, because both have backlinks to pefl.ru, which is apparently a niche fantasy football website
4 previously unknown hits from: "Mass Deface III" pastebin. He missed one which Ciro then found after inspecting all URLs on Wayback Machine, so leading to a total of 5 new hits from that source.

Unfortunately, these methods are not very generalizable, and didn't lead to a large number of other hits. But every domain counts!

 Read the full article

Searching for Carson  Updated 2025-02-22  +Created 1970-01-01

 View more

Edit: Carson was found Oleg Shakirov's findingsby Oleg Shakirov: alljohnny.com, communicated at: twitter.com/shakirov2036/status/1746729471778988499, earliest archive from 2004 (!): web.archive.org/web/20040113025122/http://alljohnny.com/, The domain was hidden in plain sight, it was present in a not very visible watermark visible in the Reuters article screenshot! The watermark was added to the CIA to the background image, it is actually present on the website. In retrospect, it was actually present at on the expired domain trackers dataset, but the mega discrete all second word made Ciro Santilli miss it: github.com/cirosantilli/expired-domain-names-by-day-2015/blob/9d504f3b85364a64f7db93311e70011344cff788/07/05/02#L1572

Figure 1.
2004 Wayback Machine archive of alljohnny.com
.

What follows is the previous

The fact that the Reuters article has a screenshot of it, and therefore a Wayback Machine link, plus the specificity of the website topic, will likely keep Ciro awake at night for a while until someone finds that domain.

Some text visible on the Reuters screenshot:

Johnny Carson and The Tonight Show
Your Favorite Host and Comedic Genius
Submit Your Favorite Carson Moment
Heeere's Johnny!
Holy crap, the "Here's Johnny" line from The Shining (1980) is a reference to Johnny Carson: www.youtube.com/watch?v=WDpipB4yehk, www.youtube.com/watch?v=aYnyPAkgyvc, Ciro never knew that... but every American would have understood it at the time.

It is unclear however if this text is plaintext or part of a an image.

Some failed attempts, either dry guesses or from DNS grepping dataset searches:

johnnycarson.com: official
johnnycarson.net: fan site: web.archive.org/web/20010501225614/http://johnnycarson.net/
johnnycarsontonight.com
carson-johnny.com: legit
johnnycarsonshow.com: web.archive.org/web/20110208005558/http://johnnycarsonshow.com/captcha/index.php?d=johnnycarsonshow.com your IP has been blocked
tributetojohnnycarson.com: only one archive web.archive.org/web/20180805132430/http://tributetojohnnycarson.com/
bestofjohnnycarson.com: web.archive.org/web/20130525035938/http://bestofjohnnycarson.com/ Lived past 2013.
bestofjohnny.com/: web.archive.org/web/20130506011824/http://bestofjohnny.com/ empty
johnnycarsonvideo.com: dead early 2000s web.archive.org/web/20130605152818/http://johnnycarsonvideo.com/
johnnycarsontv.com: web.archive.org/web/20230000000000*/johnnycarsontv.com
thejohnnycarsonshow.com: web.archive.org/web/20230000000000*/thejohnnycarsonshow.com
carsonsbest.com: web.archive.org/web/20230000000000*/carsonsbest.com
johnnycarsonfans.com: web.archive.org/web/20230000000000*/johnnycarsonfans.com
web.archive.org/web/20230000000000*/carsonified.com
night:
amazing:
- johnnyamazing.com: broken archives: web.archive.org/web/*/http://johnnyamazing.com/*
carson
- johnneycarson.com: no archives
- johnnycarson.co: no archives
- johnnycarsons.info
- johnnycarsons.com
- johnnycarson.org
- johnnycarsonsdesk.com
- johnny-carson-video.com
- johnnycarsondvd.org
- johnnycarsondvds.org
- johnnycarsondvd.net
- johnnycarsondvd.tv
- johnnycarsondvds.net
- johnnycarsondvds.tv
- johnnycarson.tv
- johnnyguitarcarson.com
- johnnycarsonmovie.com
- hookedonjohnnycarson.com
- johnnycarsonbook.com
- licensingjohnnycarson.com
- johnnnycarson.com
- johnnycarson360.com
- koalajohnnycarson.com
- johnny-carson.com
- johnnycarsonbirthplace.com
- johnnycarsonbirthplace.net
johnny:
- heres:
  - heresjohnnyfilm.com: web.archive.org/web/20131011115733/http://www.heresjohnnyfilm.com/ legit
  - hereisjohnny.net: no archives
  - heresjohnnyradioshow.com: web.archive.org/web/20130509042107/http://heresjohnnyradioshow.com/, Legit most likely: web.archive.org/web/20140517103512/http://heresjohnnyradioshow.com/
  - wherejohnnylives.net: broken archives
  - heresjohnny.com: squat web.archive.org/web/20130607145841/http://heresjohnny.com/ Many other TlD like .net, .co.uk
  - heeeeresjohnny.com: web.archive.org/web/20130612211448/http://heeeeresjohnny.com/: legit
- night:
  - johnnylatenight.com: web.archive.org/web/20150801132622/http://johnnylatenight.com/ Legit broken
  - web.archive.org/web/20110208161513/http://www.johnnysnight.com/
johnnycarson.org: squatted past 2013, nothing before
carsonshow.com: squat: web.archive.org/web/20110224211714/http://carsonshow.com/
tonightshow247.net: web.archive.org/web/20101226190209/http://tonightshow247.net/: squat
tonightshow.tv: web.archive.org/web/20141221222442/http://www.tonightshow.tv/: legit

Searching the Wayback Machine proved fruitless. There is no full text search: Wayback Machine full text search, and a heuristic web.archive.org/web/20230000000000*/Johnny%20Carson search has relevant hits but not the one we want.

Another attempt was to search for "carson" on webmasterhome.cn which lists expired domains in bulk by expiration day, and it search engine friendly. It contains most of the domains we've found so far. Google either doesn't support partial word search or requires you to be a God to find it

so we settle for DuckDuckGo which supports it: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22&t=h_&ia=web Adding years also helps: duckduckgo.com/?q=site%3Awebmasterhome.cn+%22carson%22+2011&ia=web with this we might be getting all possible results. Ciro went through all in 2011, 2012 and 2013 but no luck. Also fuck en.wikipedia.org/wiki/Carson_City,_Nevada and en.wikipedia.org/wiki/Carson,_California :-)

Let's search tools.whoisxmlapi.com/reverse-whois-search for "carson" contained in any historic domain name. 10,001 lines. Grepping those, no good Wayback machine hits for those that also contain "johnny" or "show". Data at: raw.githubusercontent.com/cirosantilli/media/master/cia-2010-covert-communication-websites/tools.whoisxmlapi.com_reverse-whois-search_carson.csv in case anyone want to try and dig...

Let's also search the fortuitously timed 2013 DNS Census.

 Read the full article

secure subdomain search on 2013 DNS Census  Updated 2025-02-22  +Created 1970-01-01

 View more

Grepping the 2013 DNS Census first by overused CGI comms subdomains secure. and ssl. leaves 200k lines. Grepping for the overused "news" led to hits:

secure.worldnewsandent.com,2012-02-13T21:28:15,208.254.40.117
ssl.beyondnetworknews.com,2012-02-13T20:10:13,66.104.175.40

Also tried but failed:

sports:
- secure.motorsportdealers.com,2012-04-10T20:19:09,64.73.117.38 web.archive.org/web/20110501000000*/motorsportdealers.com

OK, after the initial successes in secure., we went a bit more data intensive:

took all secure.* ssl.* URLs in the 2013 DNS Census, 70k entries
cleaned up a bit, e.g. only .com or .net. this left only, 30k entries only
lopped over all of them in archive CDX: Wayback Machine CDX scanning, searching for those that also end in .cgi web.archive.org/cdx/search/cdx?url=$domain&matchType=domain&filter=urlkey:.*.cgi&to=20140101000000. Took an afternoon, but no rate limit block.
this leaves about 1000, so we loop over all of them manually on web archive with a script, and opened any that had the pattern of very vew hits between 2010 and 2013 only, and on those check for visual/thematic style match. Careful not to make more than 15 requests per minute or else 5 min blacklist!

New results: only one...

208.254.42.205 secure.driversinternationalgolf.com,2012-02-13T10:42:20,

After 2013 DNS Census virtual host cleanup heuristic keyword searches we later understood why there were so few hits here: the 2013 DNS Census didn't capture the secure. subdomains of many domains it had for some reason. Shame, because if it had, this method would have yielded many more results.

Figure 1.
You can never have enough Wayback Machine tabs open
.

 Read the full article

Selected screenshots  Updated 2025-02-22  +Created 1970-01-01

 View more

Figure 1.
2010 Wayback Machine archive of starwarsweb.net
.
The Star Wars one. Clearly branded websites like this are rare, which makes finding them all the much more fun. The Reuters article had two of them (Carson and rastadirect.net), so these were probably manually selected from the full hit dataset, and did not serve specifically as entry points. Most of the websites are quite boring and forgetful as you'd expect.
The subtitle "Beyond The Unknown" may be a reference to the Unknown Regions in the Star Wars fictional universe.

Figure 2.
2011 Wayback Machine archive of iranfootballsource.com
. The third Iranian football on top of the two other published by Reuters: iraniangoalkicks.com and iraniangoals.com! Admittedly, this one is the most generic and less well designed one. But still. They pushed the theme too far!

Figure 3.
2010 Wayback Machine archive of dedrickonline.com
.
The German one.
The CIA has had a few Germany espionage scandals in the 2010s:
2014 www.bbc.co.uk/news/world-europe-28243933: a German Intelligence Agency agent was arrested for spying for the CIA
2021 www.reuters.com/world/europe/us-security-agency-spied-merkel-other-top-european-officials-through-danish-2021-05-30/ U.S. spied on Merkel and other Europeans through Danish cables
2020 www.dw.com/en/how-the-uss-cia-and-germanys-bnd-spied-on-world-leaders/a-52358527 it was revealed that Germany and the USA had an agreement to spy on world leaders, notably via compromised Swiss company Crypto AG

Figure 4.
2010 Wayback Machine archive of lesummumdelafinance.com
. A French one. Because it mentions VTT (Mountain Biking in French), it must focus France.

Figure 5.
2011 Wayback Machine archive of attivitaestremi.com
. An Italian one about extreme sports.

Figure 6.
2010 Wayback Machine archive of noticiasmusica.net
.
The Brazilian one.
In 2013 Glen Greenwald claimed that the espionage in Brazil was merely a bridge to other countries of interest such as China and Iran

Figure 7.
2011 Wayback Machine archive of economicnewsbuzz.com
. The Korean one. Love the kawaii style!

Figure 8.
2011 Wayback Machine archive of snapnewsfront.net
. The Japanese one.

Figure 9.
2010 Wayback Machine archive of philippinenewsonline.net
. The Philippine one one.

Figure 10.
2011 Wayback Machine archive of feedsdemexicoyelmundo.com
. The Mexican one.

Figure 11.
2012 Wayback Machine archive of easytraveleurope.com
.

Figure 12.
2011 Wayback Machine archive of tee-shot.net
. One of the many golf-themed sites. Golf appears to be quite popular over in Langley. It's exactly what you'd expect for a mid-level spook to do in their free time!

Figure 13.
2011 Wayback Machine archive of nouvellesetdesrapports.com
.

Figure 14.
2011 Wayback Machine archive of pangawana.com
.

Figure 15.
2011 Wayback Machine archive of recuerdosdeviajeonline.com
.

Figure 16.
2011 Wayback Machine archive of theworld-news.net
.

Figure 17.
2011 Wayback Machine archive of kessingerssportsnews.com
.

Figure 18.
2011 Wayback Machine archive of negativeaperture.com
.

 Read the full article