⚠️ This article was written in another language and translated using GPT. There may be some errors of expression or usage; please point them out.


Recently someone attempted to steal a valuable batch of domains under ccTLDs (country-code top-level domains), and we discovered the activity. We have gathered evidence and documented the entire sequence of events as far as we know it. We would also like to remind everyone to keep an eye on their ccTLD domains and, where necessary, take appropriate measures to secure them: keep the registrar transfer lock (the EPP status clientTransferProhibited) enabled where the registry offers it, protect the registrant contact mailbox with strong authentication, and watch the domain's WHOIS status and contact details for unexpected changes.


START:

  • 2023.9.14
  • One user, David (@dvcrn), tweeted:

    The tweet shows that someone attempted to take over his domain "d.pn"; he shared screenshots clearly showing the complete details of the person attempting the takeover, with the key name "JianFei Wang".

    The tweet can still be viewed at: https://twitter.com/dvcrn/status/1702217365575078152

  • 2023.9.19
  • "JianFei Wang" publicly announced in a WeChat group that he had acquired the domain x.st.

    From the page's historical snapshots (https://web.archive.org), it is not hard to see that the domain had always been owned by Harold (https://twitter.com/hrldcpr), yet its NS and owner information had been changed to "JianFei Wang". This raised doubts from the start. First, the owner had never changed over the years, which suggests he was attached to the domain. Second, even if he had sold it, the price would clearly have been beyond what "JianFei Wang" could afford. As expected, the original owner successfully reclaimed the domain on November 21, 2023.

  • 2023.9.23
  • "JianFei Wang" once again publicly announced in a WeChat group that he had purchased a new domain: interesti.ng.

    At this point we were alerted once more. We subsequently discovered not just one domain but several, including eveni.ng, exciti.ng, interesti.ng, lovi.ng and morni.ng. These domains were originally owned by Mark Kychma, but later "JianFei Wang"'s WHOIS information appeared on them. The original owner has since successfully reclaimed them; these domains appear to have been merely part of his "testing" phase.

    Our conversation with Mark Kychma.

  • 2023.11.4
  • The WHOIS information for "f.cd" was changed. Shortly afterwards, on November 24, 2023, the registry relocked the domain, which clearly indicates that the registry had become aware of the change. Even so, the WHOIS record continued to display "JianFei Wang"'s details. Since single-character ".cd" domains are generally not open for registration, his acquiring this one stands out. Unfortunately, we cannot determine how he obtained the domain, but the relock itself shows that the registration conflicted with the registry's rules. For now we will not discuss this particular domain further.

  • 2023.12.10
  • "JianFei Wang" once again announced in a WeChat group that he had acquired "x.ke".

    The domain had once been featured in a .ke domain auction, but it was later purchased by someone else, so we had deep suspicions about its origin until we learned from a conversation with Max (Nam.es) that x.ke is listed for sale on https://1-single-letter-domains.com.

    However, given the asking price, it does not look like a domain "JianFei Wang" would be willing, or able, to pay for. Nevertheless, there is currently no substantial evidence that this domain was stolen. As of today it is still in his possession.


    Rampant Plunder:

  • 2024.1.11
  • We inadvertently discovered that the owner of the domain wm.mw had changed. Here is the WHOIS information from August 2023:

    On November 15, 2023, the WHOIS information for the domain was updated to:

    And on January 11, 2024, the WHOIS information was updated to:

    And we suddenly recalled that we had also come across the email "frank@xrun.uk" when reviewing the WHOIS information for the domain ho.st recently.

    ho.st belongs to Host.io, a domain data provider created by the IPinfo.io team. Ho.st is used as a redirect domain, so it is unlikely to be sold off on its own. That the contact addresses on several unrelated domains have all changed to "frank@xrun.uk" is evidently abnormal, and the connection between "frank@xrun.uk" and "meetfeifei@gmail.com" is easy to see.

  • 2024.1.15
  • During our search we noticed that the status of the domain "gov.cx" was listed as "pendingTransfer". This domain belongs to the government of Christmas Island, and such a situation is clearly unusual:

    Then, as we searched for other valuable domain names, we were astonished to find that a large number of single-character and other short domains had entered a "pendingTransfer" status at almost the same time.

    All share one characteristic: they are under the management of CoCCA. They include e.hn, h.hn, o.hn, p.hn, whois.hn, i.sb, technolo.gy, ener.gy, x.cx, t.cx and others.
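    The pattern described above, a "pendingTransfer" status appearing on many unrelated domains at once and one new contact address showing up across domains that used to belong to different owners, is something a registry, registrar or domain owner can detect mechanically from periodic WHOIS snapshots. The following is an added example, not code from this page or from CoCCA: it parses the common "Key: Value" WHOIS layout, diffs a baseline snapshot against a current one, and reports new pendingTransfer statuses, registrant email changes, registrar and nameserver changes, and any contact address that newly appears on several domains. Every domain name, registrar and address in it is a constructed placeholder, and it reads embedded strings rather than querying a whois server.

```python
import re
from collections import defaultdict


def sample_record(domain, registrar, email, status, nameservers):
    """Build a constructed whois response in the common "Key: Value" layout.

    A real monitor would fetch these records from the registry's whois
    service on port 43 or from its RDAP endpoint instead.
    """
    lines = ["Domain Name: %s" % domain, "Registrar: %s" % registrar,
             "Registrant Email: %s" % email,
             "Domain Status: %s https://icann.org/epp#%s" % (status, status)]
    lines += ["Name Server: %s" % ns for ns in nameservers]
    return "\n".join(lines) + "\n"


# Constructed snapshots; placeholders only, not data from the incident.
BASELINE = {
    "a.example": sample_record("a.example", "Registrar One", "alice@example.org", "ok", ["ns1.alice.example", "ns2.alice.example"]),
    "b.example": sample_record("b.example", "Registrar Two", "bob@example.net", "ok", ["ns1.bob.example"]),
    "c.example": sample_record("c.example", "Registrar One", "carol@example.com", "clientTransferProhibited", ["ns1.carol.example"]),
    "d.example": sample_record("d.example", "Registrar Two", "dave@example.edu", "ok", ["ns1.dave.example"]),
}
# Later snapshot: a.example has gone into pendingTransfer, b.example and
# d.example now show the same new registrant address, c.example is unchanged.
CURRENT = {
    "a.example": sample_record("a.example", "Registrar One", "alice@example.org", "pendingTransfer", ["ns1.alice.example", "ns2.alice.example"]),
    "b.example": sample_record("b.example", "Registrar Two", "newcontact@example.test", "ok", ["ns1.newhost.example"]),
    "c.example": BASELINE["c.example"],
    "d.example": sample_record("d.example", "Registrar Two", "newcontact@example.test", "ok", ["ns1.dave.example"]),
}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Reduce a whois response to the fields worth diffing."""
    rec = {"status": set(), "nameservers": set()}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain status":
            # Registries append the EPP status URL; keep only the status code.
            rec["status"].add(value.split()[0].lower())
        elif key == "name server":
            rec["nameservers"].add(value.lower())
        elif key == "registrant email":
            rec["registrant_email"] = value.lower()
        elif key == "registrar":
            rec["registrar"] = value
    return rec


def diff_domain(before, after):
    """Return alerts for the changes that matter in a domain hijack."""
    alerts = []
    if "pendingtransfer" in after["status"] and "pendingtransfer" not in before["status"]:
        alerts.append("pendingTransfer status appeared")
    if before.get("registrant_email") != after.get("registrant_email"):
        alerts.append("registrant email changed: %s -> %s"
                      % (before.get("registrant_email"), after.get("registrant_email")))
    if before.get("registrar") != after.get("registrar"):
        alerts.append("registrar changed: %s -> %s" % (before.get("registrar"), after.get("registrar")))
    if before["nameservers"] != after["nameservers"]:
        alerts.append("nameservers changed: %s -> %s"
                      % (sorted(before["nameservers"]), sorted(after["nameservers"])))
    return alerts


def scan(baseline, current):
    """Diff every domain and correlate new contact addresses across domains."""
    before_all = {d: parse_whois(t) for d, t in baseline.items()}
    after_all = {d: parse_whois(t) for d, t in current.items()}
    findings = {}
    newly_on = defaultdict(set)  # new registrant address -> domains it appeared on
    for domain, after in after_all.items():
        before = before_all.get(domain)
        if before is None:
            findings[domain] = ["no baseline record"]
            continue
        alerts = diff_domain(before, after)
        if alerts:
            findings[domain] = alerts
        email = after.get("registrant_email")
        if email and email != before.get("registrant_email"):
            newly_on[email].add(domain)
    # One address taking over several domains that used to have different
    # owners is the pivot that exposed the cluster in this incident.
    for email, domains in newly_on.items():
        if len(domains) > 1:
            for domain in domains:
                findings.setdefault(domain, []).append(
                    "contact %s newly appears on %d domains: %s"
                    % (email, len(domains), ", ".join(sorted(domains))))
    return findings


if __name__ == "__main__":
    for domain, alerts in sorted(scan(BASELINE, CURRENT).items()):
        for alert in alerts:
            print("%s: %s" % (domain, alert))
```

    Run daily against a stored previous snapshot, this flags the unchanged c.example nothing, a.example for the new pendingTransfer status, and b.example and d.example both for the contact change and for sharing a contact that previously belonged to two different registrants. The status check is deliberately keyed on pendingTransfer rather than on "ok", because a domain that is locked with clientTransferProhibited cannot enter pendingTransfer without the lock being removed first, which is the earlier signal a registrant should be watching for.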

    So many short domains from different owners entering a "pendingTransfer" status at the same time is abnormal. Even so, on learning of the situation we did not rush to report it to CoCCA. Instead we waited to see who would end up owning this batch of domains and to which registrar they would be transferred. In the meantime we continued to discover more domains with a "pendingTransfer" status, including 4.gs, f.sb, k.hn and others. In the end, we got the result we anticipated.

    In particular, "4.gs" was successfully transferred to a registrar named "InterCat Ltd," and then it was promptly transferred again to "West263 International Limited." Upon the transfer to "West263 International Limited," the WHOIS information for "4.gs" was also updated to reflect the new owner's details:

    After that, "f.sb" and "k.hn" were also transferred to the registrar "InterCat Ltd":


    On inquiry, the registrar "InterCat Ltd" (https://intercat.org) turned out to have been applied for by "JianFei Wang" himself. The information is as follows:

    At the bottom of its website his contact information is also listed, and it even displays the ICANN logo, although it clearly does not hold ICANN accreditation:

    With things having reached this point,the evidence is sufficient to indicate that the series of domain thefts were all orchestrated by "JianFei Wang."

    At the same time, having acquired "4.gs", "f.sb" and "k.hn", he promptly posted "domain for sale" threads on the dalao.net forum. He also listed "4.gs" at a fixed price on "West263 International Limited" and on Dan.com at a price well below market value, attempting to liquidate the stolen assets quickly.

    ⬆️ The trading threads within the dalao.net forum.⬆️


    Given the circumstances, to prevent someone from losing money by purchasing the "ill-gotten" assets and to keep the domains from being transferred yet again, we felt there was no point in waiting any longer. We promptly contacted the responsible party at CoCCA and Ben Dowling, the owner of ho.st (https://twitter.com/coderholic), and reported what we knew. CoCCA engaged with us immediately on learning of the situation and was able to prevent the transfer of the majority of the domains. CoCCA also provided us with information on the domains that had undergone abnormal transfers, which closely matched our findings.

    ⬆️ The email records with Ben.⬆️

    ⬆️ The chat conversations with the CoCCA representative. ⬆️

    For the domains that had already been transferred, since we are not the original owners, CoCCA asked us to help contact them. The owners need to file complaints with the original registrar or with CoCCA, on the basis of which CoCCA will "lock" the domains.

    With some effort we successfully contacted the original owner of "k.hn", who happened to be a Chinese individual. We explained the situation; on checking the registrar's website they confirmed that the domain was no longer in their account, and in their mailbox they found a reply from the registrar that also included the address "frank@xrun.uk".

    The emails show that "JianFei Wang" forged messages purporting to come from the original domain owner and sent a transfer request to the domain's original registrar/registry, with "frank@xrun.uk" copied in Cc. The aim was first to have the domain moved into his own account at the same registrar, and then to obtain the transfer (authorization) code from that account and transfer the domain out, which amounts to theft.

    Unfortunately, the domain owner, busy with work, did not check the registrar's reply promptly, and the registrar, believing the email had come from the original owner, approved the move. The original owner of "k.hn" stresses how important the domain is to him; if he cannot recover it, he intends to report the incident to the police.
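    A registrar handling such a request should not trust a matching From: address on its own. The following is an added example, not code from this page or from any registrar, showing the minimum checks a support ticket system could apply to an inbound transfer or account-move request before a person acts on it: the From: address must be a contact of record for the account; the message must carry a passing, aligned DKIM/DMARC verdict in an Authentication-Results header written by the registrar's own inbound mail server (headers claiming to be from that server but arriving from outside must already have been stripped at the edge); and any Cc: or Reply-To: address that is not a contact of record is flagged, because the requests in this incident copied an outside address. The two messages, the contact list and the mail server hostname are constructed placeholders.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Contacts of record for the account that owns the domain (constructed).
ACCOUNT_CONTACTS = {"owner@example.org"}

# Hostname of the registrar's own inbound mail server (constructed). Only an
# Authentication-Results header written by this host is trusted.
TRUSTED_AUTHSERV_ID = "mx.registrar.example"

# Constructed sample messages. The first is a genuine request after the
# registrar's MTA has authenticated it; the second reuses the registrant's
# From: address but fails authentication and copies an outside address.
GENUINE = """\
From: Owner <owner@example.org>
To: support@registrar.example
Subject: Move d.example to account 4711
Authentication-Results: mx.registrar.example; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass header.from=example.org

Hello, please move d.example into my other account, 4711. Thanks.
"""

SPOOFED = """\
From: Owner <owner@example.org>
Reply-To: contact@attacker.example
Cc: contact@attacker.example
To: support@registrar.example
Subject: Move d.example to account 9902
Authentication-Results: mx.registrar.example; spf=fail smtp.mailfrom=example.org; dkim=none; dmarc=fail header.from=example.org

Hello, please move d.example into account 9902 as soon as possible.
"""


def parse_auth_results(msg):
    """Pull spf/dkim/dmarc verdicts and the DKIM signing domain from trusted headers."""
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none", "dkim_domain": None}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id = header.split(";", 1)[0].strip()
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # not written by our own MTA, so ignore it
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header):
            verdicts[m.group(1)] = m.group(2).lower()
        m = re.search(r"header\.d=([\w.-]+)", header)
        if m:
            verdicts["dkim_domain"] = m.group(1).lower()
    return verdicts


def assess_transfer_request(raw_message):
    """Return ("ok", []) or ("manual verification required", reasons)."""
    msg = email.message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    auth = parse_auth_results(msg)
    reasons = []
    if from_addr not in ACCOUNT_CONTACTS:
        reasons.append("From address %s is not a contact of record" % from_addr)
    if auth["dmarc"] != "pass":
        reasons.append("DMARC did not pass for %s (%s)" % (from_domain, auth["dmarc"]))
    if auth["dkim"] != "pass" or auth["dkim_domain"] != from_domain:
        reasons.append("no aligned DKIM signature for %s" % from_domain)
    # Addresses a reply or a copy would reach that are not on the account.
    other = msg.get_all("Cc", []) + msg.get_all("Reply-To", [])
    unknown = sorted({addr.lower() for _, addr in getaddresses(other) if addr} - ACCOUNT_CONTACTS)
    if unknown:
        reasons.append("Cc/Reply-To includes addresses not on the account: %s" % ", ".join(unknown))
    return ("ok", []) if not reasons else ("manual verification required", reasons)


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        verdict, reasons = assess_transfer_request(raw)
        print("%s: %s" % (label, verdict))
        for reason in reasons:
            print("  - " + reason)
```

    Even a request that passes all three checks only proves the mail was sent through the registrant domain's authorized mail infrastructure, not that the mailbox was in the owner's hands; a move between accounts or the release of an authorization code should still be confirmed through the logged-in control panel or another channel on record, not by replying to the email.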

    ⬆️ Screenshots of the conversation with the original domain owner. ⬆️

    We advised him to file complaints with the original registrar and CoCCA. The same evening, after the emails had been sent, the domains "4.gs", "f.sb" and "k.hn" were locked and displayed as "Registrar: Registry Hold - Suspicious Activity". The domains were temporarily taken over by CoCCA until the investigation is complete.

    Next, as we continued digging, we found that "InterCat Ltd" (@InterCatLtd) and "JianFei Wang" (@meetfeifei) had even boldly showcased on Twitter the domains they had "acquired" through questionable means. Both accounts have since been cleared of the relevant content, but we have retained the evidence. One particularly amusing instance was a tweet by "InterCat Ltd" that read:

    Little did they know, they were the very "mouse" stealing things.

    ⬆️ Archived tweets from "InterCat Ltd" (@InterCatLtd) ⬆️

    ⬆️ Archived tweets from "JianFei Wang" (@meetfeifei) ⬆️

    With the situation at hand, though not yet concluded, we had originally planned to expose the entire incident next month. However, upon seeing that Max's domain had also been tampered with by JianFei Wang,and some details had been prematurely disclosed, we speculated that "JianFei Wang" would likely delete his tweets and vehemently deny the matter.

    Therefore, we have decided to fully disclose the situation now to maintain a safe and clean domain environment.

    We will also be communicating with the victims of this incident. The estimated value of the domains affected is considerable. The online world is not beyond the law, and this conduct has already crossed legal boundaries; even if the perpetrator is overseas, the incident can still be reported to the police in China.

    Meanwhile, "JianFei Wang" remains active on Twitter, attempting to deflect blame by claiming "It has nothing to do with me; it was done by a hacker friend I know." However, all the evidence points to him, and nothing indicates that he is unrelated to this incident.