Identifying Anonymous Website Owners

Summary: From one supposedly anonymous website, we were able to identify a network of UK adult services, based in the Midlands, controlled by a middle aged woman from Eastern Europe, now also living in the Midlands. Alongside managing this network of websites, she is also the sole director of a legitimately registered business that has the potential to launder the income received from the adult service website.

The Process:

1. The original website given to us to investigate, in order to determine the beneficial owner, offered various adult services within the Midlands (let’s call this ‘website A’). The domain name used had no historical registration details available i.e. it was showing as anonymous, and was hidden behind the Cloudflare system - effectively protecting the website behind a wall, meaning it can’t easily be located (sometimes this wall can be bypassed - but not in this instance).

2. We analysed all of the domain names that redirected to the investigated website e.g. the name of Website B and Website C, once entered in a browser, actually point to Website A. We found 17 of these domains pointing to Website A.

3. 16 of these redirection domains showed ownership belonging to a person with a fake historical name of a well known person.

4. However, one of these 17 domains had an email address in the public registration data that clearly referenced the investigated website (this was confirmed on Internet Archive as the email address was listed as a contact email on an original version of the target website).

5. Searching again for domains registered using this new found email address revealed a further 12 domains.

6. Some of these 12 domains listed the assumed ‘real name’ of the registrant in the time period of 2014-18 (the domain registration data had both the ‘real name’ as well as the email address listed on an earlier version of the target website).

7. Taking this further, and searching again for domains registered using this assumed real name found 22 more domains - all related to escorts. Fortunately, it was a fairly unique name.
   
   So, to recap. We had a website offering potentially illegal services. This had anonymous registration information, but through looking at the registration details of associated domains, we were able to locate the potential registrant of Website A. We now had to verify this person existed.

8. The name of this person had been used in a Companies House registration of a presently trading limited company in the Midlands (but she had registered an accountants address to mask her own real address).

9. Using the company name, it was possible to find a company website selling web design and SEO services, with a legitimate front end. This was verified, as the website actually listed the company number in it’s footer. The web design services site was not hidden behind the Cloudflare wall - so we could see other domains listed as utilising this same server - all of the other domains were relating to escort services throughout the Midlands, and some of them actually redirected to Website A.

10. The services offered on the web design business were of very low quality, and at a very high cost. Attempting to access the site checkout was not possible - so it was clear any earnings the business made were not from online sales on this website. The business did, however, list substantial earnings in their company filings.

11. The web design business was based on WordPress, so it was possible to view the names of the people that updated the site (e.g. blog posts etc - although these blog posts were actually copied from a legitimate business hundreds of miles away). One name matched the woman we expected to see.

12. The company address, listed at Companies House, is a small accountants office (accountants often do offer their address as a service to clients wishing to retain some anonymity). However, the single director listed at Companies House also had a previous company, now dissolved. That listing has a home address.

13. The home address was verified using public records and our own data systems as being the residence of the person we were expecting.
    
    So, another recap. We have a name from the domain registration particulars, and are able to match that to a web design business and home address in the Midlands. We now need to verify that this person is related to both this business and the original Website A.

14. Using the X(Twitter) link from Website A, we were able to see the ‘X’ username of the business. Using our own systems, we were able to correlate that to a new email address. A personal Gmail one. Again, after investigations, we found this email was also registered to a personal Facebook account.

15. Looking at the Facebook account revealed the woman we expected to see, at the home address we also expected. So, we can now link the woman to Website A, the home address, and the ‘legitimately’ listed business at Companies House.

16. The social media accounts gave us profile images.

The collection and processing of all this data, and then the analysis to provide the identified links and individuals were all that was required for a client at this stage. However, with further review (and if required), it would be worth delving in to the many websites linked to this person, that also offer adult services in the Midlands, London and Manchester - many of which share the same Google analytics code, suggesting shared ownership, as well as a level of technical organisation. It would also be worth looking at the checkout processes on the adult websites to determine how and where this is processed, if it is linked, and if those funds are then listed as earnings of the ‘legitimate’ web design business.

Conclusion: The owner of ‘Website A’ had multiple websites and domains hidden behind the Cloudflare service. However, one mistake by the ultimate beneficiary many years ago meant that the ownership of the business could be identified and associated with an Eastern European woman from the Midlands.