In October, Brian Krebs reported that several websites related to 8Chan and QAnon went offline, albeit only briefly. That happened when the entity protecting them from distributed denial-of-service (DDoS) attacks, CNServers LLC, terminated its service to hundreds of Spartan Host IP addresses, including those associated with VanwaTech or OrcaTech, the Internet service provider (ISP) of most 8Chan and QAnon sites. As a result, the said companies’ websites went offline, but only briefly, as Spartan Host obtained DDoS protection from Russia-based ddos-guard[.]net.

From the report, we obtained several IP addresses and domains related to 8Chan and QAnon, specifically:

• 22 IPv4 addresses
• 6 IP netblocks
• 131 domain names
• 9 subdomains

We used several domain and IP intelligence tools, such as Bulk WHOIS Lookup, Bulk IP Geolocation Lookup, and Reverse IP Lookup, to analyze the affected organizations’ digital footprints. We presented our findings in a way that answer these questions:

• Where are the IP addresses located?
• Are the IP addresses still with VanwaTech?
• How old are the domains?
• Are the domains’ WHOIS records publicly available?

Analysis of the Companies’ IP and Domain Footprints

Are the IP Addresses Still with VanwaTech?

As of the time of writing, two months have passed since the release of the list of associated IP addresses. It would be interesting to see if VanwaTech still maintains the IP addresses associated with 8Chan and QAnon. Bulk IP Geolocation helped us determine that of the 22 IP addresses, only five remained with VanwaTech as of 16 December 2020.

The IP addresses still under VanwaTech’s control are:

• 203[.]28[.]246[.]100
• 203[.]28[.]246[.]1
• 203[.]28[.]246[.]123
• 203[.]28[.]246[.]124
• 203[.]28[.]246[.]138

Where Are the IP Addresses Located?

The five VanwaTech IP addresses are located in the U.S., along with 14 others that are related to 8Chan and QAnon. The other IP addresses can be traced back to China (1 IP address) and Canada (2 IP addresses). The locations are consistent with the fact that QAnon was originally an American movement and 8Chan’s owner is an American.

What Are the Domains’ Registrant Countries?

Like the geolocation of the IP addresses, most of the domains were registered in the U.S. But unlike the IP geolocation results, which only pointed to three countries, 12 registrant countries were named by Bulk WHOIS Lookup, as shown in the chart below.

How Old Are the Domains?

8Chan was established in October 2013 but was rebranded to 8kun in October 2019. QAnon, on the other hand, was created in October 2017. With both entities’ age, it is surprising that about one-fourth (27%) of the domains on the list are more than 20 years old or created before 2000.

Around 14% of the domains were created within 2020 and so were barely a year old, while 37% were created within the last five years.

Are the Domains’ WHOIS Records Publicly Available?

Lastly, we looked at the domains’ WHOIS records and compared the number with redacted records against those whose details were publicly available. As expected, most of the domains—87%, to be exact—were privacy-protected.

Obtaining More Digital Footprints

Using the remaining five IP addresses that point to VanwaTech as their ISP, we were able to uncover other possible inclusions to 8Chan’s and QAnon’s domain footprints. Reverse IP Lookup revealed all the domains that share the given IP addresses.

While 8chan or 8kun is tied with controversial discussions about free speech, it has been linked to mass shootings. QAnon, on the other hand, mostly figured in disinformation campaigns and disproven conspiracy theories. Given these questionable clouds surrounding the two organizations, monitoring domains and IP addresses related to them is necessary.