Exposing Rogue Free VPN Users – An OSINT Analysis – CircleID


According to recent research conducted by DNS Threat Researcher Dancho Danchev, the National Security Agency (NSA) seemingly runs a free VPN domain portfolio to lure malicious users and learn more about their Internet activities.

Here is an overview of the key findings and additional enrichment conducted with WhoisXML API’s intelligence tools and Maltego:

  • 24 domains were identified as part of the free VPN services campaign.
  • 22 possible registrant email addresses are known for involvement in the campaign.
  • Research on Maltego using the WhoisXML API Reverse WHOIS Search transform uncovered 174 domains related to the registrant email addresses.

Data Set: Free VPN Services Courtesy of the NSA

Danchev obtained a list of domains related to the NSA-operated free VPN services. The list contained 24 domains, which were used to identify related web properties that could hint at ties to potential threat actors or malicious campaigns. Some of these 24 domains are:

  • bluewebx[.]com
  • bluewebx[.]us
  • irs1[.]ga
  • iranianvpn[.]net
  • irsv[.]me
  • dnsspeedy[.]tk

The full list of the domains is available for download here.

In-Depth Research Findings

Over the course of the in-depth investigation, 22 registrant email addresses linked to the NSA-owned free VPN services were identified. Using these registrant email addresses as search terms in Maltego with the WhoisXML API Reverse WHOIS Search transform, we obtained 174 related domains, meaning their WHOIS records shared one of the registrant email addresses. Examples of the connected domains include:

  • 17silu[.]com
  • 0008[.]club
  • 118km[.]cn
  • maturediva[.]com
  • gaysexvideo[.]us
  • 7l0[.]com
  • lemodagarments[.]com
  • 024jk[.]cn
  • alisale[.]xyz
  • 52haoli[.]com

A bulk WHOIS lookup for the 174 domains connected through the registrant email addresses revealed the following:

  • Only 125 of the domains had retrievable current WHOIS records.
  • A total of 40 domains (32%) were created in 2021. The remaining 68% were created between 2002 and 2020.
  • Only 84 of the domains had unredacted or non-privacy-protected registrant email addresses.
  • Of the 92 domains whose WHOIS records revealed their registrant country, a majority (58 or 63%) were registered in China. It’s also interesting to note that none of them are based in Iran.

A bulk malware check using Threat Intelligence Platform API, meanwhile, showed that two of the 174 domains connected to the registrant email addresses were dubbed “dangerous” on various threat sources. These are cnairs[.]com and avxz[.]com.

A bulk DNS lookup performed on the 174 domains revealed that 98 of them currently resolve to IP addresses, which could mean they are in use. It may be best for individuals and organizations alike to avoid connections to and from these 98 IP addresses, given their connection to domains related to an ongoing malicious campaign. Examples of these IP addresses are:

  • 156[.]235[.]127[.]229
  • 216[.]12[.]164[.]161
  • 137[.]175[.]109[.]146
  • 23[.]80[.]133[.]27
  • 107[.]165[.]118[.]140
  • 173[.]82[.]107[.]121
  • 104[.]165[.]41[.]82
  • 47[.]88[.]84[.]51
  • 47[.]91[.]202[.]66
  • 47[.]91[.]205[.]63
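The enrichment steps above (reverse WHOIS pivot on registrant email, bulk WHOIS statistics, bulk DNS resolution and a malware flag) can be reproduced offline once the raw records have been exported. The following is an added example, not code from CircleID, WhoisXML API or Maltego: it models the pipeline over a handful of constructed records. The `WhoisRecord` fields, the privacy-marker heuristic, the `vpn-sample-*[.]test` domains, the `reg-one@example.net`-style registrant addresses and the documentation-range IPs are all assumptions made for the example, not data from the investigation.

```python
"""Offline model of the enrichment workflow described in the post.

Added example; the records below are constructed and the WhoisRecord
shape is an assumption, not the WhoisXML API or Maltego schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple
import ipaddress
import re

_DEFANG = re.compile(r"\[\.\]")


def refang(indicator: str) -> str:
    """Turn 'a[.]b' back into 'a.b' so it can be used as a lookup key."""
    return _DEFANG.sub(".", indicator)


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into a report (no clickable link)."""
    return indicator.replace(".", "[.]")


@dataclass(frozen=True)
class WhoisRecord:
    domain: str                               # refanged, lower-case
    created: Optional[date]                   # None = no current WHOIS record retrievable
    registrant_email: Optional[str]           # None = field absent from the record
    registrant_country: Optional[str]         # ISO country code or None
    resolved_ips: Tuple[str, ...] = ()        # result of a bulk DNS lookup
    flagged: bool = False                     # 'dangerous' on a threat feed


# Substrings that mark a privacy/proxy placeholder rather than a real address (heuristic).
_PRIVACY_MARKERS = ("privacy", "redacted", "whoisguard", "proxy", "protect")


def is_unredacted(email: Optional[str]) -> bool:
    """True only for a real-looking address that is not a privacy placeholder."""
    if not email or "@" not in email:
        return False
    return not any(marker in email.lower() for marker in _PRIVACY_MARKERS)


def reverse_whois_pivot(records, seed_emails):
    """Offline stand-in for the Reverse WHOIS transform: domains whose
    registrant email matches one of the seed addresses."""
    seeds = {e.lower() for e in seed_emails}
    return sorted(r.domain for r in records
                  if r.registrant_email and r.registrant_email.lower() in seeds)


def summarize(records):
    """The bulk-WHOIS / bulk-DNS / malware-check statistics from the post."""
    with_whois = [r for r in records if r.created is not None]
    countries = Counter(r.registrant_country for r in with_whois if r.registrant_country)
    created_2021 = sum(1 for r in with_whois if r.created.year == 2021)
    return {
        "total": len(records),
        "with_whois": len(with_whois),
        "created_2021": created_2021,
        "created_2021_pct": round(100 * created_2021 / len(with_whois)) if with_whois else 0,
        "unredacted_email": sum(1 for r in with_whois if is_unredacted(r.registrant_email)),
        "country_top": countries.most_common(1)[0] if countries else None,
        "resolving": sum(1 for r in records if r.resolved_ips),
        "flagged": sorted(defang(r.domain) for r in records if r.flagged),
    }


def blocklist(records):
    """Deduplicated, syntactically validated IPs of resolving domains, defanged
    for a watchlist. Accepts defanged or plain input; raises on garbage."""
    out = set()
    for r in records:
        for ip in r.resolved_ips:
            addr = ipaddress.ip_address(refang(ip))   # ValueError on malformed input
            out.add(defang(str(addr)))
    return out


# Constructed sample data (documentation-range IPs, reserved .test TLD).
SAMPLE_RECORDS = [
    WhoisRecord(refang("vpn-sample-a[.]test"), date(2021, 3, 4), "reg-one@example.net", "CN", ("192.0.2.10",)),
    WhoisRecord(refang("vpn-sample-b[.]test"), date(2019, 7, 1), "reg-one@example.net", "CN",
                ("192[.]0[.]2[.]11", "198.51.100.7"), flagged=True),
    WhoisRecord(refang("vpn-sample-c[.]test"), date(2021, 11, 20), "redacted-for-privacy@whoisguard.example", "US"),
    WhoisRecord(refang("vpn-sample-d[.]test"), date(2008, 5, 9), "reg-two@example.org", "CN", ("203.0.113.5",)),
    WhoisRecord(refang("vpn-sample-e[.]test"), None, None, None, ("203.0.113.5",)),  # no WHOIS, still resolves
    WhoisRecord(refang("vpn-sample-f[.]test"), date(2021, 1, 2), "proxy@privacy.example", None),
]

if __name__ == "__main__":
    print("pivot:", reverse_whois_pivot(SAMPLE_RECORDS, ["reg-one@example.net"]))
    print("summary:", summarize(SAMPLE_RECORDS))
    print("watchlist:", sorted(blocklist(SAMPLE_RECORDS)))
```

The resolver-derived set is built as a watchlist rather than a hard block because a resolving address is often shared hosting or a CDN edge, so matching on the domain (or on the full WHOIS pivot chain) gives far fewer false positives than matching on the IP alone.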

All of the web properties mentioned in this post could pose varying levels of risk to individuals and organizations that knowingly or unknowingly have dealings with or grant system or network access to them. And avoiding them may be a worthy endeavor, given their potential connection to an ongoing malicious campaign.

If you are a security researcher working on the same or a similar investigation, talk to us by filling out this form. We can share resources like the complete list of web properties possibly related to the ongoing campaign.

Source: https://circleid.com/posts/20211028-exposing-rogue-free-vpn-users-an-osint-analysis
