Kris Biradar

Posted on Mar 1

Reverse WHO IS the right way!

#osint #dns

🕵️‍♂️ How I Tracked Down a Domain Bought Using My Debit Card

A Real-World OSINT Investigation

Recently, I found myself in a bizarre situation.
Someone I know purchased a domain using my debit card details.
At that point, it wasn't about the money anymore.
It was about reputation.
And I was determined to find that domain.

🧾 What I Knew

I wasn't starting blind. I had:

Exact transaction time
Registrar: Namecheap
Strong suspicion about who bought it
High probability it was a personal domain This quickly turned into a mini cyber-investigation.

🔍 Attempt 1: Reverse WHOIS API

My first step was obvious: search the internet.
I wanted to find domains registered by an email within a date range.
I discovered the WHOISXML Reverse WHOIS API.

Approach

Logged in using a .edu email (Gmail accounts aren't allowed)
Queried using: - Registrar → Namecheap - Date range → the purchase day - Keyword → suspected email #### Problem Reverse WHOIS stores data date-wise, not at minute-level precision. So I fetched all domains registered via Namecheap that day. ➡ Result: ~23,000 domains Too many.
- ### 🔎 Narrowing the Search Space I looked for patterns. What did I know?
Likeliest use → personal website
Premium pricing suggested serious intent
Indian personal domains rarely choose .xyz, .ai, etc.
.com felt most likely ➡ Reduced list: ~5,200 domains Still too many to verify manually.

🤖 AI Filtering Experiment

I asked AI to generate a script that would:

batch 1,000 domains
send them to Gemini API
prompt: identify domains that look like personal websites for Indian males It returned filtered results. But the domain I wanted wasn't there. Reverse WHOIS can miss:
privacy-protected registrations
uncached entries
delayed listeners Result: Attempt 1 Failed

🏦 Attempt 2: Contacting the Registrar

I contacted Namecheap support:

A fraudulent transaction was made using my card.
They:

blocked the account

refunded my money But refused to reveal the domain. Result: Attempt 2 Failed

- ### 🗂 Attempt 3: ICANN CZDS Zone Files I requested zone files via ICANN CZDS. Problems:

approvals take time

.com requests take longer

backdated downloads aren't available

the domain had already been taken down Result: Inconclusive

🔐 Attempt 4: Certificate Transparency Logs (crt.sh)

I learned about certificate transparency logs.
If the domain hosted HTTPS, its SSL certificate must exist in CT logs.
I tried:

querying crt.sh
connecting via Postgres
batch queries in 5-minute windows #### Issues
connection breakages
SSL errors
slow processing
and my impatience 🙂 Progress: Yes Success: Not yet

🚀 Attempt 5: Google BigQuery + crt.sh Dataset

This changed everything.
The crt.sh dataset is available via Google BigQuery.

Steps

Connected the dataset
Queried certificates issued during the purchase hour
Filtered .com domains
Reduced the time window further ➡ 700 → 200 domains Manual scan… Four entries later… 🎯 Found it. Matched the domain to the person. Result: SUCCESS

🤯 Plot Twist

Later, I discovered something surprising.
The domain was present in my Reverse WHOIS results.
I ignored it because:

I doubted dataset completeness
I trusted AI filtering too much If I had manually verified the 5,200 domains… I would have found it earlier.

🧠 Lessons Learned

✔ Always verify your data
AI helps - but never assume completeness.
✔ Internet datasets are imperfect
Each dataset captures only part of reality.
✔ OSINT requires patience
Impatience slows investigations more than complexity.
✔ Automation helps, manual validation wins
✔ Certificate Transparency logs are gold

🧑‍💻 A Step Toward Ethical Hacking

This wasn't hacking.
It was understanding how internet infrastructure works:

WHOIS & Reverse WHOIS
Registrars
Certificate Transparency
DNS zone files
Data aggregation gaps And the caveats between them.

🏁 Final Thoughts

If you take anything from this:
Double-check your data.
Trust, but verify.
And cultivate patience.
Because the internet always leaves traces -
you just need to know where to look.
Adios.

DEV Community