The latest articles on DEV Community by Kris Biradar (@biradarkris). https://dev.to/biradarkris https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2170768%2F4cb14e75-bfae-41ba-8fb5-efa1d1c068fa.png https://dev.to/biradarkris en Kris Biradar Sun, 01 Mar 2026 08:54:00 +0000 https://dev.to/biradarkris/reverse-who-is-the-right-way-3p73 https://dev.to/biradarkris/reverse-who-is-the-right-way-3p73 <h2> 🕵️‍♂️ How I Tracked Down a Domain Bought Using My Debit Card </h2> <h3> A Real-World OSINT Investigation </h3> <p>Recently, I found myself in a bizarre situation.<br> Someone I know purchased a domain using <strong>my debit card details</strong>.<br> At that point, it wasn't about the money anymore.<br> It was about <em>reputation</em>.<br> And I was determined to find that domain.</p> <h3> 🧾 What I Knew </h3> <p>I wasn't starting blind. I had:</p> <ul> <li>Exact transaction time </li> <li>Registrar: <strong>Namecheap</strong> </li> <li>Strong suspicion about who bought it </li> <li>High probability it was a personal domain This quickly turned into a mini cyber-investigation.</li> </ul> <h3> 🔍 Attempt 1: Reverse WHOIS API </h3> <p>My first step was obvious: search the internet.<br> I wanted to find domains registered by an email within a date range.<br> I discovered the <strong>WHOISXML Reverse WHOIS API</strong>.</p> <h4> Approach </h4> <ul> <li>Logged in using a <code>.edu</code> email (Gmail accounts aren't allowed)</li> <li>Queried using:  - Registrar → Namecheap   - Date range → the purchase day   - Keyword → suspected email #### Problem Reverse WHOIS stores data <strong>date-wise</strong>, not at minute-level precision. So I fetched <strong>all domains registered via Namecheap that day</strong>. ➡ Result: ~23,000 domains Too many.</li> <li>- ### 🔎 Narrowing the Search Space I looked for patterns. What did I know?</li> <li>Likeliest use → personal website </li> <li>Premium pricing suggested serious intent </li> <li>Indian personal domains rarely choose <code>.xyz</code>, <code>.ai</code>, etc. </li> <li> <code>.com</code> felt most likely ➡ Reduced list: <strong>~5,200 domains</strong> Still too many to verify manually.</li> </ul> <h3> 🤖 AI Filtering Experiment </h3> <p>I asked AI to generate a script that would:</p> <ul> <li>batch 1,000 domains</li> <li>send them to Gemini API</li> <li>prompt: identify domains that look like personal websites for Indian males It returned filtered results. But the domain I wanted wasn't there. Reverse WHOIS can miss:</li> <li>privacy-protected registrations </li> <li>uncached entries </li> <li>delayed listeners <strong>Result: Attempt 1 Failed</strong> </li> </ul> <h3> 🏦 Attempt 2: Contacting the Registrar </h3> <p>I contacted Namecheap support:</p> <blockquote> <p>A fraudulent transaction was made using my card.<br> They:</p> <ul> <li>blocked the account </li> <li>refunded my money But refused to reveal the domain. <strong>Result: Attempt 2 Failed</strong> </li> <li>- ### 🗂 Attempt 3: ICANN CZDS Zone Files I requested zone files via <strong>ICANN CZDS</strong>. Problems:</li> <li>approvals take time </li> <li> <code>.com</code> requests take longer </li> <li>backdated downloads aren't available </li> <li>the domain had already been taken down <strong>Result: Inconclusive</strong> </li> </ul> </blockquote> <h3> 🔐 Attempt 4: Certificate Transparency Logs (crt.sh) </h3> <p>I learned about certificate transparency logs.<br> If the domain hosted HTTPS, its SSL certificate must exist in CT logs.<br> I tried:</p> <ul> <li>querying crt.sh </li> <li>connecting via Postgres </li> <li>batch queries in 5-minute windows #### Issues</li> <li>connection breakages </li> <li>SSL errors </li> <li>slow processing </li> <li>and my impatience 🙂 <strong>Progress: Yes</strong>  <strong>Success: Not yet</strong> </li> </ul> <h3> 🚀 Attempt 5: Google BigQuery + crt.sh Dataset </h3> <p>This changed everything.<br> The crt.sh dataset is available via <strong>Google BigQuery</strong>.</p> <h4> Steps </h4> <ol> <li>Connected the dataset </li> <li>Queried certificates issued during the purchase hour </li> <li>Filtered <code>.com</code> domains </li> <li>Reduced the time window further ➡ 700 → 200 domains Manual scan… Four entries later… 🎯 Found it. Matched the domain to the person. <strong>Result: SUCCESS</strong> </li> </ol> <h3> 🤯 Plot Twist </h3> <p>Later, I discovered something surprising.<br> The domain <strong>was present</strong> in my Reverse WHOIS results.<br> I ignored it because:</p> <ul> <li>I doubted dataset completeness </li> <li>I trusted AI filtering too much If I had manually verified the 5,200 domains… I would have found it earlier.</li> </ul> <h3> 🧠 Lessons Learned </h3> <p>✔ Always verify your data <br> AI helps - but never assume completeness.<br> ✔ Internet datasets are imperfect <br> Each dataset captures only part of reality.<br> ✔ OSINT requires patience <br> Impatience slows investigations more than complexity.<br> ✔ Automation helps, manual validation wins<br> ✔ Certificate Transparency logs are gold</p> <h3> 🧑‍💻 A Step Toward Ethical Hacking </h3> <p>This wasn't hacking.<br> It was understanding how internet infrastructure works:</p> <ul> <li>WHOIS &amp; Reverse WHOIS </li> <li>Registrars </li> <li>Certificate Transparency </li> <li>DNS zone files </li> <li>Data aggregation gaps And the caveats between them.</li> </ul> <h2> 🏁 Final Thoughts </h2> <p>If you take anything from this:<br> Double-check your data. <br> Trust, but verify. <br> And cultivate patience.<br> Because the internet always leaves traces - <br> you just need to know where to look.<br> <strong>Adios.</strong></p> osint dns