Whois and registrar records connect the dots between domain names used in a prostitution ring.
The United States government has filed an in rem action for the forfeiture of 500 domain names that it says were used in a prostitution and sex trafficking ring.
Over a period of six years, the conspirators paid over $25,000 to register the domains through Domain.com, the suit states. I reviewed the list of domains and found that they were almost all registered at either Domain.com or HiChina.
It’s interesting to read how the FBI connected the dots between the domain names. It started from publicly available Whois information, used DomainTools to pivot on hosting data, and then confirmed the links with registrar and payment records. Here’s the description from the FBI of how it uncovered the domain names used in the ring:
On or about November 2018, the FBI accessed publicly available information regarding twenty-five domains associated with the email address firstname.lastname@example.org.
Using Domaintools—an open source tool that queries WHOIS records, passive Domain Name Service (DNS) data, IP addresses, hosting data, and other DNS information—investigators learned that the twenty-five domains were hosted on IP address 184.108.40.206, along with hundreds of other domains.
Records from Domain.com revealed that for all twenty-five domain names, the subscriber was Weixuan Zhou, with an email address of email@example.com and a telephone number of 213-431-0920. The billing information for this account showed the card holder name as Weixuan Zhou and a billing address: ti yu lu no. 613 Guang Zhou, China.
Most of the other hundreds of domains hosted on the same IP address shared the same or similar registration information: registered to Weixuan Zhou through Domain.com, LLC, with historical registrant email information identified as firstname.lastname@example.org or email@example.com.
Credit card activity shows Weixuan Zhou paying Domain.com for these domains from August 2012 to June 2018. Financial records for Zhou, from August 16, 2012 through June 1, 2018, show payments made via credit card to Domain.com totaling $11,202.04. One specific example shows that Zhou’s Wells Fargo credit card made multiple payments to Domain.com in September 2014. This credit card’s September 2014 balance was paid down from Weixuan Zhou’s Wells Fargo checking account. The source of these funds originated from cash deposits at banks in Texas, Colorado, Oregon, Washington, and California.
Records from PayPal showed that beginning on or around February 15, 2018, and continuing through October 10, 2018, the PayPal account linked to firstname.lastname@example.org sent 147 transactions totaling $6,150.14 to Domain.com. The subpoena return also showed on or around January 31, 2016, and continuing through September 2017, the PayPal account linked to email@example.com sent 169 transactions totaling $10,241.74 to Domain.com. The total payments sent to Domain.com from Zhou’s two PayPal accounts were approximately $16,391.88.
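The pivot the FBI describes above (seed email to domains, domains to hosting IP, IP to co-hosted domains, then registrant details to tie the cluster together) is a standard infrastructure-attribution workflow. The script below is an added example written for this page; it is not the FBI's method, not DomainTools code, and the records in it are constructed placeholders (example domains, RFC 5737 IPs, fake phone numbers), not data from the complaint. It treats registrant identity fields (email, phone) as strong links and a shared hosting IP as a lead only, because shared hosting puts unrelated tenants on one address and co-hosting alone does not establish ownership.

```python
"""Infrastructure pivoting over WHOIS / passive-DNS style records.

Added example for this page, not code from the complaint or from DomainTools.
All records below are constructed placeholders. Assumed schema: one flat
record per domain with registrant email, phone, registrar and hosting IP.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    domain: str
    registrant_email: str
    registrar: str
    hosting_ip: str
    phone: str = ""


# Constructed sample data: example TLD, documentation IPs, 555 phone numbers.
RECORDS = [
    Record("site-a.example", "seed@example.invalid", "RegistrarOne", "203.0.113.10", "555-0100"),
    Record("site-b.example", "seed@example.invalid", "RegistrarOne", "203.0.113.10", "555-0100"),
    # Different registrant email, but same phone and same IP: strong link via phone.
    Record("site-c.example", "alt@example.invalid", "RegistrarOne", "203.0.113.10", "555-0100"),
    # Co-hosted on the same IP only: a lead to verify with registrar records, not a match.
    Record("site-d.example", "other@example.invalid", "RegistrarOne", "203.0.113.10", ""),
    # Unrelated tenant elsewhere: should never appear.
    Record("unrelated.example", "nobody@example.invalid", "RegistrarTwo", "198.51.100.7", "555-0199"),
]

PIVOT_ATTRS = ("registrant_email", "phone", "hosting_ip")


def build_indices(records):
    """Index domains by each pivotable attribute: {attr: {value: {domain, ...}}}."""
    idx = defaultdict(lambda: defaultdict(set))
    for r in records:
        for attr in PIVOT_ATTRS:
            value = getattr(r, attr)
            if value:  # skip blanks so empty fields do not link everything together
                idx[attr][value].add(r.domain)
    return idx


def pivot(records, seed_email, strong=("registrant_email", "phone")):
    """Expand from a seed email across strong (identity) attributes.

    Returns (confirmed, leads): confirmed maps each linked domain to the
    (attribute, value) that pulled it in; leads are domains that share a
    hosting IP with the confirmed set but have no identity link yet.
    """
    by_domain = {r.domain: r for r in records}
    idx = build_indices(records)
    confirmed = {}
    queue = deque()
    for d in idx["registrant_email"].get(seed_email, ()):
        confirmed[d] = ("registrant_email", seed_email)
        queue.append(d)
    # Breadth-first walk: every newly confirmed domain contributes its own
    # identity values as further pivots (email -> phone -> other emails ...).
    while queue:
        r = by_domain[queue.popleft()]
        for attr in strong:
            value = getattr(r, attr)
            if not value:
                continue
            for other in idx[attr][value]:
                if other not in confirmed:
                    confirmed[other] = (attr, value)
                    queue.append(other)
    # Shared hosting IP is a weak signal: report co-hosted domains as leads only.
    leads = set()
    for d in confirmed:
        leads |= idx["hosting_ip"][by_domain[d].hosting_ip]
    leads -= confirmed.keys()
    return confirmed, leads


if __name__ == "__main__":
    confirmed, leads = pivot(RECORDS, "seed@example.invalid")
    for domain, (attr, value) in sorted(confirmed.items()):
        print(f"confirmed {domain:20} via {attr}={value}")
    for domain in sorted(leads):
        print(f"lead      {domain:20} (co-hosted only; check registrar records)")
```

Run on the constructed data, the seed email reaches site-a and site-b directly, site-c through the shared phone number, and site-d only as a co-hosting lead; the unrelated tenant on a different IP never appears. In practice the `RECORDS` list would be populated from registrar subpoena returns or a passive-DNS/WHOIS provider, and the `leads` set is the queue of domains to pull registrar records for before adding them to an attribution.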