Home / Industry

QAnon and 8Chan Digital Footprint Analysis and Investigation Expansion

In October, Brian Krebs reported that several websites related to 8Chan and QAnon went offline, albeit only briefly. That happened when the entity protecting them from distributed denial-of-service (DDoS) attacks, CNServers LLC, terminated its service to hundreds of Spartan Host IP addresses, including those associated with VanwaTech or OrcaTech, the Internet service provider (ISP) of most 8Chan and QAnon sites. As a result, the said companies' websites went offline, but only briefly, as Spartan Host obtained DDoS protection from Russia-based ddos-guard[.]net.

From the report, we obtained several IP addresses and domains related to 8Chan and QAnon, specifically:

  • 22 IPv4 addresses
  • 6 IP netblocks
  • 131 domain names
  • 9 subdomains

We used several domain and IP intelligence tools, such as Bulk WHOIS Lookup, Bulk IP Geolocation Lookup, and Reverse IP Lookup, to analyze the affected organizations' digital footprints. We presented our findings in a way that answer these questions:

  • Where are the IP addresses located?
  • Are the IP addresses still with VanwaTech?
  • How old are the domains?
  • Are the domains' WHOIS records publicly available?

Analysis of the Companies' IP and Domain Footprints

Are the IP Addresses Still with VanwaTech?

As of the time of writing, two months have passed since the release of the list of associated IP addresses. It would be interesting to see if VanwaTech still maintains the IP addresses associated with 8Chan and QAnon. Bulk IP Geolocation helped us determine that of the 22 IP addresses, only five remained with VanwaTech as of 16 December 2020.

ISPNumber of IP Addresses
N.T. Technology, Inc.12
VanwaTech5
FranTech Solutions2
OVH SAS2
CHINANET Guangdong Province Network1

The IP addresses still under VanwaTech's control are:

  • 203[.]28[.]246[.]100
  • 203[.]28[.]246[.]1
  • 203[.]28[.]246[.]123
  • 203[.]28[.]246[.]124
  • 203[.]28[.]246[.]138
Where Are the IP Addresses Located?

The five VanwaTech IP addresses are located in the U.S., along with 14 others that are related to 8Chan and QAnon. The other IP addresses can be traced back to China (1 IP address) and Canada (2 IP addresses). The locations are consistent with the fact that QAnon was originally an American movement and 8Chan's owner is an American.

What Are the Domains' Registrant Countries?

Like the geolocation of the IP addresses, most of the domains were registered in the U.S. But unlike the IP geolocation results, which only pointed to three countries, 12 registrant countries were named by Bulk WHOIS Lookup, as shown in the chart below.

How Old Are the Domains?

8Chan was established in October 2013 but was rebranded to 8kun in October 2019. QAnon, on the other hand, was created in October 2017. With both entities' age, it is surprising that about one-fourth (27%) of the domains on the list are more than 20 years old or created before 2000.

Around 14% of the domains were created within 2020 and so were barely a year old, while 37% were created within the last five years.

Are the Domains' WHOIS Records Publicly Available?

Lastly, we looked at the domains' WHOIS records and compared the number with redacted records against those whose details were publicly available. As expected, most of the domains — 87%, to be exact — were privacy-protected.

Obtaining More Digital Footprints

Using the remaining five IP addresses that point to VanwaTech as their ISP, we were able to uncover other possible inclusions to 8Chan's and QAnon's domain footprints. Reverse IP Lookup revealed all the domains that share the given IP addresses.

IP AddressNumber of Connected Domains and Subdomains
203[.]28[.]246[.]10024
203[.]28[.]246[.]1+300
203[.]28[.]246[.]123179
203[.]28[.]246[.]1242
203[.]28[.]246[.]13831


While 8chan or 8kun is tied with controversial discussions about free speech, it has been linked to mass shootings. QAnon, on the other hand, mostly figured in disinformation campaigns and disproven conspiracy theories. Given these questionable clouds surrounding the two organizations, monitoring domains and IP addresses related to them is necessary.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

IP Addressing

Sponsored byIPv4.Global

DNS Security

Sponsored byAfilias

Cybercrime

Sponsored byThreat Intelligence Platform

Brand Protection

Sponsored byAppdetex

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byAfilias

Whois

Sponsored byWhoisXML API