Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.
Get detailed context on an IP address, including geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.
Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.
Independent, evidence-based DNS and abuse intelligence for applicants, advisors, governments, and counsel participating in the ICANN 2026 New gTLD Program.
Predictive threat intelligence is your best first line of defense. Subscribe to the feeds to strengthen your cybersecurity posture. Contact us today for more information.
Uncover entire attack surfaces with this API to embed asset discovery, vulnerability scanning, and technology metadata into your platform. Now in early access.
I’m your Domain Intelligence Assistant. I make it easy to explore WHOIS, DNS, and threat data from WhoisXML API — I’m cloud-based, fast, and always ready to help.
A custom GPT for WHOIS, DNS, IP, and threat intelligence research. Connects ChatGPT directly to WhoisXML API to enable fast, conversational investigations and domain insights.
Discover what you really pay for when buying commercial Internet intelligence data.
Access our latest research and insights on WHOIS, IP, and DNS data for cybersecurity, data science, and other business purposes through our webinars, podcasts, white papers, threat reports, and videos from the Academy.
Developing an effective cybersecurity product takes more than code — it demands access to trusted, high-coverage Internet intelligence.
Free data feeds can help, but they often lack accuracy, depth, and long-term reliability. Building your own data pipelines can offer more control but comes with substantial technical and maintenance costs.
With thousands of gTLDs and ccTLDs to choose from, individuals and organizations wanting to build their online presence have limitless options. Determining which entities and registrant countries are behind the domain registrations can provide relevant insights into registrant preferences.
The WhoisXML API research team set out to analyze hundreds of millions of domains under selected gTLDs and ccTLDs, allowing us to identify:
The Internet relies on autonomous systems (ASs) and internet service providers (ISPs) to enable global connectivity. Understanding how Internet traffic is routed through these entities is crucial for improving routing performance and avoiding networking bottlenecks.
Moreover, insights into AS and ISP distribution offer valuable information that organizations can leverage for strategic business and market analysis. With this perspective in mind, the WhoisXML API research team analyzed 4.4 million IP ranges, uncovering findings such as:
While businesses gained an advantage by using domains with native-language characters to enter local markets, Punycode-encoded internationalized domain names (IDNs) also gave threat actors more leeway to create look-alike (homograph) domains.
The WhoisXML API research team analyzed the TLD distribution, IP resolution, and WHOIS registration data of 63,105 unique FQDNs containing native-language characters. We also zoomed in on the FQDN dynamics and took a closer look at some homograph clusters, among other checks.
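Punycode A-labels hide the script mix that makes a homograph look-alike, so the first step in the kind of analysis described above is to decode them and compare what a user would see on screen against the brands being protected. The Python below is an added illustration, not code from the WhoisXML API study; the sample names, the brand list and the small confusables map are constructed for it, and a real deployment would load the full Unicode confusables table.

```python
import unicodedata

# Constructed sample names (not drawn from the report). They are written as
# Unicode here and converted to the A-label (xn--) form that appears in DNS
# and zone files, so the block needs no network access.
SAMPLE_UNICODE = [
    "p\u0430ypal.com",          # 'paypal' with Cyrillic а (U+0430) for Latin a
    "\u0430pple.com",           # 'apple' with Cyrillic а as the first letter
    "g\u043e\u043egle.com",     # 'google' with two Cyrillic о (U+043E)
    "m\u00fcnchen.de",          # legitimate German IDN (münchen.de)
    "paypal.com",               # plain ASCII, not an IDN at all
]
A_LABELS = [name.encode("idna").decode("ascii") for name in SAMPLE_UNICODE]

# Hypothetical brand list the analyst wants to protect.
BRANDS = {"paypal", "apple", "google"}

# Minimal confusables map: non-Latin letters that render like Latin ones.
# Assumption: a real deployment loads the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04cf": "l",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p",
}


def to_unicode(fqdn_ascii):
    """Decode xn-- labels to Unicode; None if the name does not round-trip."""
    try:
        return fqdn_ascii.encode("ascii").decode("idna")
    except UnicodeError:
        return None


def skeleton(label):
    """Map a label to the Latin string a user would perceive on screen."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def scripts(label):
    """Set of Unicode scripts used by the letters of a label (LATIN, CYRILLIC, ...)."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def analyze(fqdn_ascii):
    """Decode one FQDN and flag mixed scripts and brand impersonation."""
    uni = to_unicode(fqdn_ascii)
    if uni is None:
        return {"fqdn": fqdn_ascii, "error": "undecodable"}
    label = uni.split(".")[0]          # assumes a simple two-level name
    is_idn = any(ord(ch) > 127 for ch in label)
    sk = skeleton(label)
    return {
        "fqdn": fqdn_ascii,
        "unicode": uni,
        "is_idn": is_idn,
        "mixed_script": len(scripts(label)) > 1,
        "impersonates": sk if (is_idn and sk in BRANDS) else None,
    }


def suspicious(fqdns):
    """Return only the names that look like brand homographs or mix scripts."""
    return [r for r in map(analyze, fqdns)
            if r.get("impersonates") or r.get("mixed_script")]


if __name__ == "__main__":
    for row in map(analyze, A_LABELS):
        print(row)
```

The legitimate münchen.de is single-script and maps to no protected brand, so it passes; the three constructed homographs are caught either by the skeleton match or by the mixed-script test, which is the cheaper check when no brand list is available.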
Our analysis yielded these interesting findings, among others:
Europe is home to many international organizations like Europol, INTERPOL, and NATO, among others. That makes it a prime APT group target.
The WhoisXML API research team analyzed the latest attacks launched by six APT groups known for setting their sights on Europe, using current and historical WHOIS and passive DNS data. We uncovered:
At least 41 advanced persistent threat (APT) groups have reportedly targeted North American countries over the past two decades. And their targets have ranged from individuals (e.g., field experts and think tanks) to entire sectors (e.g., industrial and government).
The WhoisXML API research team analyzed the inner workings of seven of these APT groups (APT33, APT41, FIN7, Kimsuky, Molerats, Turla, and ZIRCONIUM)[1] by expanding 59 indicators of compromise (IoCs) associated with their latest attacks.
Our study of the seven APT groups known for targeting North America led to the discovery of:
WhoisXML API researchers leveraged historical WHOIS intelligence to expand lists of indicators of compromise (IoCs) connected to six APT groups, namely, APT29, APT32, Earth Lusca, Higaisa, Sandworm Team, and Turla.
The report examined the publicly exposed email WHOIS footprints of domain IoCs reported to belong to APT groups. From 44 IoCs studied, we found:
As DNS abuse and cybercrime remain two sides of the same coin, WhoisXML API researchers decided to build on Spamhaus’s list of TLDs with the worst reputation for spamming.[1]
Using our WHOIS and DNS intelligence, we retrieved and analyzed thousands of domains under these TLDs that were added in Q4 2022. Our key findings revealed that:
Counterfeiting is an age-old problem that has reached unprecedented proportions following the global shift to online shopping. Let’s investigate this cybercrime, particularly operations targeting specific luxury brands, using WHOIS, DNS, and IP intelligence gleaned through Maltego and WhoisXML API transforms.
The domain registration landscape can be affected by many things, but WhoisXML API detected and studied six general themes and trends in particular.
As part of mapping the domain registration landscape, we dived into some of the most significant events, trends, and threats that occurred in Q2 2002. Among the registration drivers identified are holidays, seasons, news, global events, technological developments, and industry-specific trends.
Business impersonation cost organizations US$2 billion[1] in the past year alone, making it one of the most lucrative types of cybercrime. The most common vehicles for this threat are domains and subdomains, mainly in the form of cybersquatting.
To map the business impersonation landscape, WhoisXML API researchers searched the DNS for the digital footprints of Fortune 500 companies and the world’s top CEOs. Among our findings are:
Being at the forefront of global Domain Name System (DNS) data, we identified threat hunting tactics that can help uncover clues and track the footprints of malicious actors and resources even if they redact their WHOIS information.
WhoisXML API, as part of its effort to make the Internet a safer place through transparency and the sharing of data relevant to the battle against cybercrime, was invited to attend the 13th Operation In Our Sites (IOS) conference held in Alicante, Spain, on 6–7 April 2022.
By Alexandre François, Head of Marketing & Security Researcher at WhoisXML API.
Note: Check our webcast “Hot on the Trail of Compulsive Brand Squatters” for an overview of the results discussed in this report as well as related discussions by our security researchers.
Domain brand squatters are individuals or entities who register domain names resembling those of legitimate companies. These domains are commonly known as “look-alike domains” or “typosquatting domains.”
Brand squatters may have several tricks up their sleeves, including the sale of counterfeit products and the execution of phishing and malware campaigns. In this research, we are primarily interested in brand squatting activities that could lead, or may have already led, to phishing campaigns.
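A typosquatting detector works in the opposite direction from a homograph check: it enumerates the one-edit look-alikes of a brand (dropped, doubled, swapped and adjacent-key letters, hyphenation, TLD swaps) and matches them against the day's new registrations. The Python below is an added example, not code from this report or from WhoisXML API; the brand, the TLD list and the list of "new registrations" are constructed.

```python
# Hypothetical brand and TLDs an analyst wants to watch.
BRAND = "paypal"
TLDS = ["com", "net", "org", "co"]

# Constructed list of "new registrations" for the day (not from the report).
NEW_REGISTRATIONS = [
    "paypl.com",         # omission
    "payapl.com",        # transposition
    "paypall.com",       # repetition
    "paypak.com",        # adjacent key (l -> k)
    "pay-pal.com",       # hyphenation
    "paypal.net",        # TLD swap
    "paypal-login.com",  # affix: deliberately outside this generator's rules
    "payroll.com",       # unrelated
]

QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def adjacent_keys(ch):
    """Letters physically next to `ch` on a QWERTY keyboard."""
    out = set()
    for r, row in enumerate(QWERTY_ROWS):
        if ch not in row:
            continue
        i = row.index(ch)
        for j in (i - 1, i + 1):                 # same row, left and right
            if 0 <= j < len(row):
                out.add(row[j])
        for rr in (r - 1, r + 1):                # row above and below
            if 0 <= rr < len(QWERTY_ROWS):
                for j in (i - 1, i, i + 1):
                    if 0 <= j < len(QWERTY_ROWS[rr]):
                        out.add(QWERTY_ROWS[rr][j])
    return out


def typo_variants(brand):
    """Yield (technique, second-level label) pairs for one-edit look-alikes."""
    n = len(brand)
    for i in range(n):
        yield "omission", brand[:i] + brand[i + 1:]
        yield "repetition", brand[:i] + brand[i] + brand[i:]
        for k in adjacent_keys(brand[i]):
            yield "adjacent-key", brand[:i] + k + brand[i + 1:]
    for i in range(n - 1):
        yield "transposition", brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:]
    for i in range(1, n):
        yield "hyphenation", brand[:i] + "-" + brand[i:]


def candidate_table(brand, tlds):
    """Map every candidate FQDN to the first technique that produces it."""
    table = {}
    for technique, label in typo_variants(brand):
        if label == brand:              # e.g. transposing two identical letters
            continue
        for tld in tlds:
            table.setdefault(f"{label}.{tld}", technique)
    for tld in tlds[1:]:                # the brand itself under a non-primary TLD
        table.setdefault(f"{brand}.{tld}", "tld-swap")
    return table


def match_registrations(brand, tlds, registrations):
    """Return {registered_domain: technique} for every hit in `registrations`."""
    table = candidate_table(brand, tlds)
    hits = {}
    for domain in registrations:
        key = domain.lower()
        if key in table:
            hits[key] = table[key]
    return hits


if __name__ == "__main__":
    for domain, technique in match_registrations(BRAND, TLDS, NEW_REGISTRATIONS).items():
        print(f"{domain:20s} {technique}")
```

paypal-login.com is intentionally not caught: affix variants (brand plus a keyword) and multi-edit variants need a separate rule or an edit-distance threshold, and both are easy to add to typo_variants without changing the matching step.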
In this post, we offer practical and technical attribution detail on the online infrastructure currently run by Danil Potekhin, who is on the U.S. Secret Service Most Wanted Cybercriminals list, with the aim of assisting U.S. law enforcement in tracking down and prosecuting the cybercriminals behind these campaigns.
CoolWebSearch is spyware that has plagued Microsoft Windows users for more than 10 years. Owing to the malicious program’s age, more than 50 variants have been discovered so far, further widening CoolWebSearch’s coverage.
We used Maltego in combination with WhoisXML API’s integration to provide actionable, real-time intelligence on a currently active domain portfolio known to have been operated by high-profile cybercriminals, seeded from our own high-profile cybercriminal data set. The goal is to give fellow researchers, vendors, and organizations the actionable intelligence they need to attribute, track down, and respond to these campaigns, and to assist U.S. law enforcement and the U.S. Intelligence Community in tracking down and prosecuting the cybercriminals behind them.
As cryptocurrencies gain ubiquity, so do the scams taking advantage of them. DNS intelligence analyses can help individuals and organizations alike avoid the costly repercussions of becoming a crypto scam victim.
The U.S. Department of Justice took down several Iran-owned websites believed to be involved in a misinformation campaign in June 2021.
In an effort to uncover possibly connected artifacts to make the Internet safer and more transparent, we at WhoisXML API dove deep into the threat, specifically three of the seized sites—presstv[.]com, lualuatv[.]com, and almasirah[.]net, aided by our comprehensive DNS intelligence sources.
We took a look at the recently discovered Pareto botnet using Maltego in combination with WhoisXML API’s integration to provide additional actionable intelligence on the campaign, which could be useful to researchers and vendors tracking down and responding to it.
In this article, we elaborate on the Pareto botnet and offer practical, actionable intelligence on its command-and-control (C&C) infrastructure, which includes the use of Amazon AWS for C&C purposes.
We took a closer look at the Internet-connected infrastructure of the Liberty Front Press Network in connection with a recent takedown and domain seizure, part of an ongoing law enforcement operation against online propaganda, to offer practical, relevant, and actionable intelligence on that infrastructure and the individuals behind it.
In this analysis, we look inside the Internet-connected infrastructure behind the Liberty Front Press Network and offer practical information, including actionable intelligence, on the infrastructure itself and on the individuals behind it.
We took a closer look at the Internet-connected infrastructure used by individuals on the most recently released U.S. sanctions list, offering additional insights into that infrastructure and actionable intelligence on their whereabouts.
In this analysis, we examine the Internet-connected infrastructure of individuals on the U.S. sanctions list and offer an in-depth discussion of it.
We took a closer look at the interference in the 2016 U.S. election carried out through several spear-phishing and malicious campaigns attributed to Russia, to offer actionable threat intelligence, including possible attribution clues for some of the known participants. We hope this helps fellow researchers and law enforcement professionals track down and prosecute the cybercriminals behind these campaigns.
In this analysis, we look at the Internet-connected infrastructure behind the malicious activity targeting the 2016 U.S. election and offer practical, relevant, and actionable threat intelligence on the actors’ whereabouts.
Note: A special thanks to Ed Gibbs, WhoisXML API's Advanced Threat Researcher & Technical Account Manager, for his help compiling the domain and subdomain files used in this post.
Cryptocurrencies have come a long way since their inception. Perhaps the most significant evidence that they have become embedded in our digital society is that, as of February 2021, more than 4,000 cryptocurrencies were in existence. A decade ago, most people didn’t even know what Bitcoin was.
Cryptocurrency investing has changed the lives of certain people, too, from the Winklevoss twins, who became billionaires through early Bitcoin investments, to the more recent rags-to-riches story of a Dogecoin millionaire who initially invested his life savings.
We took a peek at the prolific “Jabber ZeuS” gang using public and proprietary sources, together with Maltego and WhoisXML API’s integration, to offer additional insights into the cybercriminals’ online infrastructure. The result is a set of interesting findings, including additional domains registered by the original “Jabber ZeuS” gang, which could greatly assist researchers and vendors in tracking down the cybercriminals behind these campaigns.
We recently set out to map and research domain registrations made by well-known, established cybercriminals. We took several hundred email addresses known to belong to such cybercriminals and cross-checked them for related domain registrations using Maltego and WhoisXML API’s real-time and historical WHOIS records database.
In this article, we discuss the findings of this study in detail and provide actionable intelligence on the online infrastructure of the newly discovered domains registered and managed by known cybercriminals.
We recently took an in-depth look inside the modern money mule recruitment ecosystem using WhoisXML API’s real-time and historical WHOIS records database, one of the security industry’s leading sources of real-time and historical OSINT records and a recommended tool for OSINT, cybercrime, and threat intelligence researchers and analysts doing enrichment, research, and analysis.
We recently came across third-party research describing an interesting and important Iran-based foreign influence and disinformation campaign, so we took a deeper look using Maltego and WhoisXML API to offer additional insights into the campaign’s online infrastructure.
In this analysis, we use public campaign sources as sample data and offer an in-depth look inside the campaign’s online infrastructure using Maltego and WhoisXML API’s real-time and historical WHOIS database, specifying additional indicators of compromise (IoCs) to help researchers and vendors stay on top of this campaign.
We took an in-depth look into the infamous hxxp://omerta.cc cybercrime-friendly forum community, which currently shares infrastructure with the original e-shop for stolen credit card information that we profiled in two earlier white papers and case studies. We also continued monitoring and investigating that original e-shop, hxxp://thefreshstuffs.at, and came up with some interesting results, including an additional set of e-shops for stolen credit card information that actively share the infrastructure of the e-shop profiled in our original research.
We recently became aware of a targeted spear-phishing campaign that drops client-side exploits on legitimate security researchers. The attackers approach researchers personally or through social media and entice them into verifying a supposedly newly discovered zero-day flaw; the “proof of concept,” once executed, drops malicious software on the researcher’s host. We researched the campaign further to offer practical, relevant, and actionable intelligence on its infrastructure, for the purpose of assisting fellow researchers and the industry in tracking down and monitoring it.
In this research and analysis, we use a sample seed of known and confirmed Emotet botnet C&C IPs and offer a detailed look inside its network infrastructure, including an additional set of malicious MD5 hashes we came across while profiling it, to help security researchers, clients, and customers stay on top of the Emotet botnet.
The Domain Name System (DNS) is one of the most crucial systems that make the Internet work. It is commonly referred to as the Internet’s phonebook, though it may also be compared to a Global Positioning System (GPS) that points domain names to the correct IP addresses.
The DNS is intricately involved in almost every Internet service: websites, chat services, email services, and social media sites. Consequently, it is a common target of cyber attackers. One of the most famous DNS attacks occurred in October 2016, disrupting the services of several high-profile websites for about 18 hours; the affected websites included PayPal, Twitter, Netflix, Amazon, and Spotify.
The campaign relies on Hostinger’s legitimate infrastructure for botnet C&C communication. We identified the domains and IPs in question, as well as the MD5 hashes currently in circulation, and share the results of our findings in an in-depth, comprehensive report on the topic.
In this article we’ll discuss the use of Maltego in combination with WhoisXML API for the purpose of mapping and exposing a currently active bulletproof hosting provider.
It’s no secret that cybercriminal operations are not very different from how legitimate businesses operate. Much like a CEO heads a global corporation, a mastermind may stand behind the most notorious and widespread cybercriminal gang.
In the early 2000s, the most prominent cybercriminal rings had a mafia-like structure, as they were led by so-called “dons.” Each don had a right-hand man known as a “consigliere,” who made sure the wheels of the operation kept turning.
The very first cybercriminal gangs that gained notoriety for reaping millions of dollars from victims the world over while evading capture for years include CarderPlanet, Shadowcrew, and the RBS WorldPay gang. Times may have changed, and the rings’ structure, tools, tactics, and targets may no longer follow those of the old crews, but cybercriminal attacks linger on. Though we still see reports on the misdeeds of individual threat actors today, cybercriminal rings continue to wreak greater havoc due to the scale of their operations. The case in point: The Business Club.
This downloadable white paper will take a closer look at the Club in action and show how domain intelligence feeds and APIs could help in similar situations.
Hospitals and other healthcare service providers have been among criminals’ favorite breach targets in the past few years. One of what has been dubbed the biggest data breaches of the 21st century involved a healthcare insurance giant: Anthem.
The Anthem breach reported in February 2015 was said to have exposed around 78.8 million customer records, putting the personal data of the insurer’s clients at risk of theft. The question is: could Anthem have prevented the breach? This downloadable white paper looks at the case in greater detail and illustrates how Domain Research Suite can help.
They say that becoming a cybercrime victim is, in this day and age, a matter of “when” and not “if.” But that doesn’t mean you should let fate determine your company’s future. Focus instead on enhancing your business’s security posture by protecting your brand from all sorts of online threats. A great means to safeguard your digital assets is Brand Monitor, a specialized online brand protection component of the WhoisXML API Domain Research Suite.
This white paper will tell you how Brand Monitor can help your company combat specific cyber threats like domain name typosquatting, website spoofing, and phishing.
The Web is a tangle of information. Data is everywhere, and finding reliable sources can be a challenge in the era of fake news. Websites, as a prime example, can be informative, misleading, or even dangerous.
You may get your hands on something useful or be deceived into clicking on the wrong links or downloading unintended files, and learning more about domain owners and assessing whether they are trustworthy or have a hidden or malicious agenda is notoriously hard.
This is where the powers of WHOIS database download services come in, whose applications are multiple — ranging from cybersecurity to marketing research to criminal investigation to ensuring a top position in search engine results. How so? This white paper considers a variety of use cases.
In this white paper, we give an overview of the Domain Name System, or DNS, one of the pillars of the Internet. We start by understanding the goal: to assign names to named resources on the Internet and to maintain their database. For this, it is important to understand the structure of domain names and DNS zones. The roles of the actors in the system are domain maintainers, registries and Network Information Centers. The structure of delegation of authority will also be clarified. We give an overview of the structure of data available in the DNS, notably, the resource records (RRs) occurring in zone files. We also review the technology side: the DNS protocol, its operations supporting queries of name resolution, zone file transfers necessary to maintain the system and for reverse mapping. We briefly mention the most popular implementations, notably, BIND, which may be the most prevalent DNS server software. This necessitates a little insight into netblocks and Classless Inter-Domain Routing (CIDR). We address the internal security issues of the DNS as well as the crucial role it plays in cybersecurity. Finally, we provide some references for further reading.
WHOIS data are indeed very useful in the fight against email phishing and similar malicious activities. WHOIS data and DNS data can be an important part of any anti-phishing security solution. What we have presented here was a hindsight investigation, but as the data in the daily feeds are always fresh and accurate, it is easy to turn this into an actual mail filtering procedure.
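The mail filtering procedure the paragraph alludes to can be as simple as checking the WHOIS creation date of every domain in the From and Reply-To headers against a minimum age, since phishing domains are typically registered days before use. The Python below is an added example rather than code from the white paper; the feed excerpt and the messages are constructed, and the domain-to-creation-date dict stands in for a parsed daily feed.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt of a daily WHOIS feed, already loaded as
# domain -> creation date. Assumption: a real feed is parsed from CSV/JSON
# into this shape before the filter runs.
WHOIS_CREATED = {
    "bank.example": date(2005, 1, 10),
    "bank-secure-login.example": date(2024, 5, 29),
}

# Constructed messages (not real mail). The "phish" message spoofs the
# display name and From address but routes replies to a fresh domain.
MESSAGES = {
    "legit": (
        "From: Bank Alerts <alerts@bank.example>\n"
        "To: user@corp.example\n"
        "Subject: Statement ready\n\n"
        "Your statement is ready.\n"
    ),
    "phish": (
        "From: Bank Alerts <alerts@bank.example>\n"
        "Reply-To: support@bank-secure-login.example\n"
        "To: user@corp.example\n"
        "Subject: Verify your account\n\n"
        "Click here.\n"
    ),
    "unknown": (
        "From: newsletter@nowhere.example\n"
        "To: user@corp.example\n"
        "Subject: Hi\n\n"
        "Hello.\n"
    ),
}


def header_domains(raw):
    """Lower-cased domains from the From and Reply-To headers, in that order."""
    msg = message_from_string(raw)
    domains = []
    for field in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(field, ""))
        if "@" in addr:
            domains.append(addr.rpartition("@")[2].lower())
    return domains


def domain_age_days(domain, today, feed=WHOIS_CREATED):
    """Days since the domain's WHOIS creation date, or None if not in the feed."""
    created = feed.get(domain)
    return None if created is None else (today - created).days


def classify(raw, today, min_age_days=30, feed=WHOIS_CREATED):
    """'suspect-new-domain' beats 'unknown-domain' beats 'ok'.

    A Reply-To on a young domain is enough to flag the message even when the
    From domain is old, which is the pattern in the constructed phish above.
    """
    verdict = "ok"
    for domain in header_domains(raw):
        age = domain_age_days(domain, today, feed)
        if age is not None and age < min_age_days:
            return "suspect-new-domain"
        if age is None:
            verdict = "unknown-domain"
    return verdict


if __name__ == "__main__":
    today = date(2024, 6, 10)
    for name, raw in MESSAGES.items():
        print(f"{name:8s} -> {classify(raw, today)}")
```

Domains absent from the feed get their own verdict rather than a pass, so the filter can route them to a live WHOIS lookup or quarantine instead of silently trusting them; the age threshold is a tuning knob, and 30 days is only the value used for the sample.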
If you’ve ever looked at a WHOIS entry, you probably know how much valuable information is contained within the records of just one domain registration. When this information is accurate, it can make getting in touch with other parties on the web a lot easier. In the real world however, accessing consistently accurate WHOIS data is more of a goal than anything else. For every accurate WHOIS record, there are many more inaccurate and sometimes fraudulent records...
The domain information lookup service WHOIS publishes data about the registrants of domain names around the world. WHOIS also contains personal information of European Union (EU) citizens. Further, the database holds location and infrastructure information on cybercriminals who set up websites with malicious intent.
So far, cybersecurity professionals and law enforcement have been able to access the public information of EU citizens unfettered. They have been using the registry to investigate and blacklist cybercriminal operations. Occasionally, this information helps government authorities with investigations leading to arrests. Investigations that used WHOIS information, among other sources, have resulted in charges against money launderers, hackers, and child pornographers, for instance.
The Internet is not just the hotspot of all things digital and technical. Largely due to its ubiquity and countless (and frequently anonymous) points of entry, the web has given rise to a new breed of outlaw – cybercriminals who prey on the wealth of valuable information available online...
The European Union (EU) may unintentionally be giving cybercriminals a helping hand. The EU’s well-intentioned efforts to promote data privacy through its newly launched General Data Protection Regulation (GDPR) have also put handcuffs on the efforts of cybersecurity professionals to protect individuals and organizations from hackers. Unless global Internet authorities and infosec professionals are able to reach a rapprochement with the EU, black hats may gain unprecedented advantages over white hats. Otherwise, the cybersecurity community will have to develop new approaches to protecting individuals and enterprises against hackers.