Case Study for Cyber Police on Website and Domain Investigation
A case study based on an in-depth investigation of a 'consultancy firm' espionage case in which websites and domains were used for recruitment.
1. Executive Summary
Between 2022 and 2026, a network of at least thirteen fake "consulting firm" websites was used to recruit U.S. persons, including current and former security-clearance holders, to write "source-based" reports on defence, foreign-policy, and national-security topics, in exchange for payment routed from overseas. The operation presented itself as ordinary commercial consultancies based in the UK, Indonesia, the UAE, Australia, and elsewhere. Investigators assessed that the true direction sat with actors working on behalf of the People's Republic of China (PRC).
The case is a near-perfect teaching specimen because the operators made the same mistakes most front-company networks make: they reused infrastructure, reused content, reused identities, and reused money rails. Each reuse created a pivot, a point at which one confirmed indicator could be used to discover the next. This article reconstructs the investigation as a ten-phase methodology, identifies the pivot at each step, and closes with a field checklist and the parallel public warning issued in India.
The single most important lesson: domain investigations are correlation problems, not lookup problems. No individual record proved the case. The case was proven by the consistency of overlap across registration data, hosting, content, imagery, network telemetry, device telemetry, persona graphs, and financial rails.
2. Case Background
The triggering signals were ordinary and came from several directions at once, the realistic state for most units:
- Human reporting. Recruits who grew suspicious self-reported. One analyst at a Washington-area firm noticed Chinese-language characters in the email headers of a purported UAE company, was asked to supply an un-redacted version of a sample report (abnormal in legitimate freelance work), and contacted authorities. A career political reporter, offered an implausibly high per-article fee, independently researched the firm and walked away.
- Tips and referrals. Tips flagged that LinkedIn accounts tied to two of the sites might be engaged in state-sponsored activity.
- Suspicious-activity reporting. Two of the sites were the subject of suspicious-activity reports.
- Victim impersonation. A legitimate non-profit, finding its name cloned by one of the sites, publicly stamped "FAKE" across the fraudulent job posts, itself an open-source lead.
From these scattered entry points, investigators worked outward. The phases below are presented in analytic order; in practice they ran in parallel and fed one another.
3. The Investigative Methodology
Phase 0, Intake, Scoping, and Preservation
Objective: convert a raw lead into a defensible investigative footing before evidence decays.
Step 0.1, Define the seed. Start from a single confirmed artefact: one domain, one job post, one email address, one persona. Here the seeds were individual "consulting" domains surfaced from LinkedIn job postings.
Step 0.2, Snapshot everything immediately. Live websites are volatile. Several of the sites in this matter were already inactive by April 2026; the investigation depended on having captured them earlier (the affidavit repeatedly records the date each site was "last visited"). Capture the rendered page, the HTML source, the job postings, contact emails, and the page as it appears in search-engine caches. Record exact visit timestamps; they become part of the evidentiary record.
Step 0.3, Open legal-process channels early. Domain and platform data sit with third parties and are subject to retention limits. In this matter, investigators obtained multiple rounds of judicial process over two years (search warrants on associated accounts, and legal returns from registrars, hosting companies, and platforms). Preservation requests should precede the substantive warrants.
Pivot created: the seed domain → its WHOIS record and its hosting provider.
Phase 1, Domain Registration Analysis (WHOIS and Registry Data)
Objective: establish who registered the domain, when, through whom, and, critically, whether the same registration fingerprints appear on other domains.
Step 1.1, Pull the full registration record. For each domain capture: registrant name, postal address, email, registration date, and registrar. In this case the table spanned GoDaddy, 1API, NameSilo, NameCheap, Wix, PDR Ltd., and Spaceship, a deliberate spread across registrars that itself signals an actor avoiding single-provider exposure.
Step 1.2, Identify the controlling registry. Above the registrar sits the registry that actually controls the top-level domain: VeriSign for every .com and Public Interest Registry (PIR) for every .org. This matters operationally because seizure and redirection are executed at the registry, not the registrar. Knowing the registry early tells you who must ultimately be served.
Step 1.3, Cross-reference registration fields across the domain set. This is the phase's highest-value move. Here, the same stolen identity (case label Identity Theft Victim 1, a Florida resident) and address appeared on the registrations for two different domains. The same email address used to register one domain reappeared on another. Registrant addresses clustered in revealing ways: Pakistan for one site, Thailand for another, a Delaware "123 Market Street" that matched no real business, and, for one site, the genuine address and phone number of an unrelated New York dental practice, with a mismatched ProtonMail contact.
Step 1.4, Treat "privacy" registrations as a lead, not a wall. One site claimed a London address that resolved to a company-formation agent advertising paid "privacy address" services, a legitimate business being used to manufacture a credible Western façade. The investigator's response was not to stop at the registered address but to research the address itself.
⚑ Investigator takeaway / red flags
- Same registrant identity or email across nominally unrelated companies.
- Registrant address that is a co-working space, formation agent, mail-drop, or an unrelated real business.
- A spread of registrars and recent registration dates clustered within weeks of one another (several domains here were registered days apart).
Pivot created: shared registrant identity/email → a second domain, and → the human victim whose identity was stolen (Phase 9).
Phase 2, Hosting and Infrastructure Correlation
Objective: group domains by the machines and networks that serve them.
Step 2.1, Resolve each domain to its hosting IP and provider. Obtain legal returns from hosting companies (in this matter, providers such as Hosteons, Monster Megs, and others supplied records). Record the serving IP, the account, and the login history.
Step 2.2, Cluster on shared IPs and shared infrastructure. Two further "consulting" sites were found hosted on the same IP address as a known target domain, an IP that resolved to an internet service provider operating a content-delivery network (CDN). The affidavit's own reasoning is instructive: actors reuse server and CDN infrastructure because they already hold accounts there, which makes standing up each new site faster and cheaper. Shared infrastructure is therefore a primary clustering signal, not a coincidence.
Step 2.3, Pull account login telemetry. Hosting accounts carry login IP histories. For one site, the hosting account's logins resolved to Macau, to Hong Kong, and to Chinanet Hunan Province Network in Changsha, China, before later logins shifted to cloud-provider IPs consistent with VPN use. This single account record bridged Phase 2 (infrastructure) and Phase 5 (network attribution).
⚑ Investigator takeaway / red flags
- Multiple "independent" companies on one hosting IP or CDN.
- Account logins that resolve to a different region than the company's claimed location.
- A migration over time from residential/regional IPs to cloud/VPN IPs (operational-security maturation).
Pivot created: shared hosting IP → sibling domains; login IPs → geographic attribution.
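Cross-referencing registration fields and hosting IPs across a suspected domain set (Steps 1.3 and 2.2), as an added example that is not tooling from the case: records are compared pairwise on the strong link fields, registration-date proximity is kept as a weak signal, and strong links are chained into clusters. Every record value below is a constructed placeholder, not a real registrant, address or IP; the same matching generalises unchanged to persona selectors in Phase 7.

```python
"""Cross-reference registration and hosting fields across a suspected domain set
(Phases 1 and 2). Added example, not tooling from the case file; every record
below is a constructed placeholder, not a real registrant, address or IP."""
from datetime import date
from itertools import combinations

# Overlap on any of these fields is a strong link between two domains.
# Registrar is deliberately excluded: unrelated domains share registrars all
# the time, so it links nothing on its own.
LINK_FIELDS = ("registrant_name", "registrant_email",
               "registrant_address", "hosting_ip")
DATE_WINDOW_DAYS = 14  # registrations this close together are a weak signal

# Constructed sample records (hypothetical values).
RECORDS = [
    {"domain": "alpha-consulting.example", "registrant_name": "Victim One",
     "registrant_email": "victim.one@example.net",
     "registrant_address": "1 Example St, Tampa FL", "hosting_ip": "203.0.113.10",
     "registrar": "Registrar-A", "registered": date(2024, 3, 1)},
    {"domain": "beta-advisory.example", "registrant_name": "VICTIM ONE",
     "registrant_email": "other@example.org",
     "registrant_address": "1  Example St,  Tampa FL", "hosting_ip": "198.51.100.7",
     "registrar": "Registrar-B", "registered": date(2024, 3, 4)},
    {"domain": "gamma-research.example", "registrant_name": "J. Doe",
     "registrant_email": "jdoe@example.com",
     "registrant_address": "123 Market St, Wilmington DE", "hosting_ip": "198.51.100.7",
     "registrar": "Registrar-A", "registered": date(2024, 6, 20)},
    {"domain": "delta-insights.example", "registrant_name": "A. Roe",
     "registrant_email": "aroe@example.com",
     "registrant_address": "Flat 2, London", "hosting_ip": "192.0.2.55",
     "registrar": "Registrar-C", "registered": date(2024, 6, 23)},
    {"domain": "epsilon-global.example", "registrant_name": "B. Poe",
     "registrant_email": "bpoe@example.com",
     "registrant_address": "Bangkok", "hosting_ip": "192.0.2.80",
     "registrar": "Registrar-A", "registered": date(2023, 1, 10)},
]


def normalise(value):
    """Lower-case and collapse whitespace so cosmetic differences do not hide a match."""
    return " ".join(str(value).lower().split()) if value else ""


def shared_fields(a, b):
    """Names of the strong link fields on which two records agree."""
    return [f for f in LINK_FIELDS
            if normalise(a.get(f)) and normalise(a.get(f)) == normalise(b.get(f))]


def link_domains(records, window=DATE_WINDOW_DAYS):
    """Pairwise evidence edges: (domain_a, domain_b, strong_fields, date_gap_days).
    A pair is kept if it shares a strong field or was registered within `window` days."""
    edges = []
    for a, b in combinations(records, 2):
        strong = shared_fields(a, b)
        gap = abs((a["registered"] - b["registered"]).days)
        if strong or gap <= window:
            edges.append((a["domain"], b["domain"], strong, gap))
    return edges


def cluster(records, edges):
    """Chain strong links into connected groups (weak date-only edges do not merge)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, strong, _ in edges:
        if strong:
            parent[find(a)] = find(b)
    groups = {}
    for d in parent:
        groups.setdefault(find(d), []).append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    found = link_domains(RECORDS)
    for a, b, strong, gap in found:
        print(f"{a} <-> {b}: {strong or 'date proximity only'} ({gap} days apart)")
    print(cluster(RECORDS, found))
```

Each edge records which fields matched, so the output doubles as the evidence note for the pivot rather than a bare "linked" flag.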
Phase 3, Website Content and Template Fingerprinting
Objective: prove common authorship of multiple sites from the text itself.
Step 3.1, Extract and normalise the content. Collect site copy and, especially, the associated job postings wherever they were syndicated (LinkedIn, Upwork, Hubstaff Talent, Wellfound, Jobsoid, Australian job boards, and others).
Step 3.2, Search distinctive strings. Run open-source searches on verbatim and idiosyncratic phrases. In this case, excerpts from one site's postings returned only that site and a sibling, a strong common-authorship signal. The thumbnail logos of two sites in search results were identical.
Step 3.3, Hunt for shared errors and "tells." The operators' copy carried the same grammatical errors across sites (e.g., a recurring malformed sentence about contracts and monthly salary). Treat repeated, distinctive mistakes as a fingerprint: natural authors do not independently reproduce the same broken phrasing.
Step 3.4, Find un-purged template scaffolding. The clearest tell of hasty mass-production: leftover template placeholders left in published posts, such as bracketed fields like "[Indeed/Upwork]", "[application deadline]", "[Your Company Name]", "[Your Contact Email]", and boilerplate equal-opportunity language never filled in. One site's job post even left in a literal reference to a sibling company's acronym, directly linking the two.
⚑ Investigator takeaway / red flags
- Verbatim or near-verbatim job descriptions across "competing" firms.
- Identical idiosyncratic errors.
- Visible template placeholders or references to another entity.
- Generic, stock consultancy language with no verifiable client work.
Pivot created: shared text/errors → confirmed sibling domains; references in copy → named personas and entities.
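The content checks in Steps 3.2 to 3.4 run over constructed job posts, as an added example (not tooling from the case): leftover bracketed template fields, sentences that recur verbatim across posts (including repeated broken grammar), and a post that names a sibling entity. The firm names and wording are hypothetical.

```python
"""Fingerprint job-post copy across nominally unrelated firms: leftover template
placeholders, verbatim sentences shared between posts, and references to a
sibling entity. Added example, not tooling from the case; the posts and firm
names below are constructed."""
import re

# Bracketed template fields such as "[Your Company Name]" or "[Indeed/Upwork]".
PLACEHOLDER_RE = re.compile(r"\[[^\[\]\n]{2,40}\]")
# Crude sentence splitter: a run of text ending in ., ! or ?
SENTENCE_RE = re.compile(r"[^.!?\n]+[.!?]")
MIN_WORDS = 6  # shorter sentences are too generic to count as a fingerprint

# Constructed posts (hypothetical firms and wording).
POSTS = {
    "alpha": ("Alpha Consulting is seeking freelance analysts. We offers a contract "
              "with monthly salary base on the quality of reports. Please apply before "
              "[application deadline] via [Indeed/Upwork]. [Your Company Name] is an "
              "equal opportunity employer."),
    "beta": ("BRA Advisory hires remote researchers on defence topics. We offers a "
             "contract with monthly salary base on the quality of reports. Send your "
             "CV to [Your Contact Email]."),
    "gamma": ("Gamma Research, formerly part of BRA Advisory, wants writers. "
              "Compensation is negotiated per report and paid monthly after review."),
}
# Display names used on each site (constructed); used to spot cross-references.
NAMES = {"alpha": "Alpha Consulting", "beta": "BRA Advisory", "gamma": "Gamma Research"}


def placeholders(text):
    """Unpurged template fields left in a published post."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


def sentences(text):
    """Normalised sentences of at least MIN_WORDS words."""
    out = set()
    for s in SENTENCE_RE.findall(text):
        norm = " ".join(s.lower().split())
        if len(norm.split()) >= MIN_WORDS:
            out.add(norm)
    return out


def shared_sentences(posts):
    """Sentences that recur verbatim (after normalisation) in two or more posts,
    mapped to the posts carrying them. Recurring broken grammar shows up here."""
    index = {}
    for name, text in posts.items():
        for s in sentences(text):
            index.setdefault(s, set()).add(name)
    return {s: sorted(n) for s, n in index.items() if len(n) > 1}


def cross_references(posts, names):
    """(post, other) pairs where a post mentions another firm's name."""
    hits = []
    for name, text in posts.items():
        for other, label in names.items():
            if other != name and label.lower() in text.lower():
                hits.append((name, other))
    return hits


if __name__ == "__main__":
    for name, text in POSTS.items():
        print(name, "placeholders:", placeholders(text))
    for s, carriers in shared_sentences(POSTS).items():
        print("shared by", carriers, "->", s)
    print("cross-references:", cross_references(POSTS, NAMES))
```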
Phase 4, Image Provenance and Synthetic-Media Detection
Objective: determine whether the people depicted on the site are real, stolen, stock, or AI-generated.
Step 4.1, Reverse-image-search every face and logo. The "leadership team" page of the flagship site ("Our Skilled Leaders," with named executives and titles) was run through reverse image search. The Chief Communications Officer photo returned an exact match to the website of a Nigeria-based human-resources company, same photos, names, and titles, on a similar template. Investigators concluded both sites were built from a common template stocked with the same personnel images.
Step 4.2, Triage the matches. A match can mean (a) stolen from a real person/company, (b) a stock-photo library, or (c) AI generation. On another site, the CEO's photo showed strong similarity to a real executive at a U.S. accounting firm, while the remaining "employees" matched stock images. Across the network, the affidavit records that twelve of the thirteen sites used stock or AI-generated photography.
Step 4.3, Flag AI-generated media explicitly. Several sites used images assessed as AI-generated, and recruiting videos on social platforms used narration that "sounded computer-generated." Synthetic media is now a baseline indicator of a manufactured persona; capture it and note the basis for the assessment.
⚑ Investigator takeaway / red flags
- A "leadership team" whose faces appear on other, unrelated websites.
- Stock or AI-generated executive portraits.
- Computer-generated voice-over in recruitment videos.
Pivot created: image match → the unrelated real entity (to be ruled out) and → confirmation of fabricated personnel.
Phase 5, Network Attribution (IP Geolocation and VPN Awareness)
Objective: establish where the operators actually were, behind the claimed locations.
Step 5.1, Geolocate every IP from platform and hosting records. Pull account-creation IPs, login IPs, and email-send IPs from Google, Meta, LinkedIn, and hosting providers, then resolve each through open-source geolocation. In this matter, the recurring resolutions were Macau, Hong Kong, Shanghai, and Changsha. A stolen-identity Gmail account was created from an IP resolving to a Hong Kong ISP; a related Facebook account was created the same day from a second Hong Kong IP, which then accessed the Gmail account roughly thirteen times in one day, co-location that bound two personas together.
Step 5.2, Distinguish true location from obfuscation. Resolutions to cloud-service providers were explicitly read as possible VPN use rather than as the operator's real location. Do not over-claim attribution from a cloud IP; treat the residential/regional resolutions and the consistency of the cluster as the stronger signal.
Step 5.3, Watch the metadata that travels with accounts. A Google account's Terms-of-Service country changed from Bangladesh to Hong Kong on a specific date, a small administrative artefact that nonetheless tracked the account's centre of gravity. Account "country" fields, currency settings, and ToS jurisdictions are all attributable telemetry.
⚑ Investigator takeaway / red flags
- A "UK/UAE/Australian" company whose every login resolves to China, Hong Kong, or Macau.
- Account currency or ToS country set to a jurisdiction inconsistent with the claimed HQ.
- A later shift to cloud/VPN IPs (security maturation, not exoneration).
Pivot created: IP cluster → geographic attribution; co-located IPs → persona linkage (Phase 7).
Phase 6, Device and Telecom Fingerprinting
Objective: extract device- and carrier-level signals that geolocation alone cannot give.
This phase is the most technically distinctive in the case and is frequently underused by units.
Step 6.1, Pull device records from platform legal returns. Google/Android records expose, for an associated device: the configured time zone, the locale, and the mobile-network identifiers. In this matter, one Android device tied to the operation reported time zone Asia/Shanghai and locale zh_CN_#Hans (simplified Chinese); a second device had its locale set to en-US, yet its time zone still read Asia/Shanghai.
Step 6.2, Decode the MCC+MNC identifiers. The decisive technical move: mobile records carry a Mobile Country Code + Mobile Network Code for both the SIM operator and the cell (serving) operator. Resolving these codes through MCC-MNC reference data identified the SIM operator as China Unicom (Hong Kong) and the cell operator as China Mobile (China). MCC/MNC resolution converts an opaque numeric pair into a named carrier and country and is far harder for a subject to spoof than a self-declared profile field.
Step 6.3, Corroborate across devices and personas. The same technique applied to a stolen-identity account's device returned a SIM operator resolving to Macau and a cell operator resolving to China, reinforcing the cluster.
⚑ Investigator takeaway / red flags
- Device time zone / locale inconsistent with the persona's claimed nationality.
- MCC/MNC pairs resolving to carriers in the suspected origin region.
- A mismatch between a manually set en-US locale and an un-edited Asia/Shanghai time zone (partial, imperfect obfuscation).
Pivot created: device telemetry → high-confidence regional attribution that complements network data.
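Decoding the MCC+MNC pairs and testing them, with the time zone and locale, against a persona's claimed country (Steps 6.1 to 6.3), as an added example that is not tooling from the case. The MCCs used are the ITU country codes; the MNC rows and operator names are constructed placeholders standing in for the full public MCC-MNC list, and the device records are hypothetical.

```python
"""Decode SIM/cell MCC+MNC identifiers from platform device records and test
them, with time zone and locale, against a persona's claimed country.

Added example, not tooling from the case file. MCCs below are the real
ITU country codes; the MNC rows and operator names are constructed
placeholders standing in for the full public MCC-MNC reference list."""

MCC_COUNTRY = {"460": "China", "454": "Hong Kong", "455": "Macau",
               "234": "United Kingdom", "310": "United States"}

# (mcc, mnc) -> operator name. Placeholder operator names, constructed.
OPERATORS = {
    ("460", "00"): "Operator CN-1 (placeholder)",
    ("454", "06"): "Operator HK-1 (placeholder)",
    ("455", "01"): "Operator MO-1 (placeholder)",
    ("310", "260"): "Operator US-1 (placeholder)",   # a 3-digit MNC
}

TZ_COUNTRY = {"Asia/Shanghai": "China", "Asia/Hong_Kong": "Hong Kong",
              "Asia/Macau": "Macau", "Europe/London": "United Kingdom",
              "America/New_York": "United States"}

REGION_COUNTRY = {"CN": "China", "HK": "Hong Kong", "MO": "Macau",
                  "GB": "United Kingdom", "US": "United States"}


def split_plmn(code):
    """Split a concatenated PLMN id such as '46000' or '310260' into (mcc, mnc).
    The MCC is always three digits; the MNC is the remaining two or three."""
    code = str(code).strip()
    if not code.isdigit() or len(code) not in (5, 6):
        raise ValueError(f"malformed PLMN id: {code!r}")
    return code[:3], code[3:]


def decode_plmn(code):
    """Resolve a PLMN id to operator and country. An unknown MNC still
    yields the country, because the MCC alone identifies it."""
    mcc, mnc = split_plmn(code)
    return {
        "mcc": mcc, "mnc": mnc,
        "operator": OPERATORS.get((mcc, mnc), "unknown operator"),
        "country": MCC_COUNTRY.get(mcc, "unknown"),
    }


def locale_region(locale):
    """'zh_CN_#Hans' -> 'CN', 'en_US' -> 'US'; None if there is no region part."""
    parts = locale.replace("-", "_").split("_")
    return parts[1] if len(parts) > 1 and len(parts[1]) == 2 else None


def assess_device(record, claimed_country):
    """Return the list of device signals that contradict the claimed country."""
    mismatches = []
    for field in ("sim_plmn", "cell_plmn"):
        info = decode_plmn(record[field])
        if info["country"] != claimed_country:
            mismatches.append(f"{field}: {info['operator']} / {info['country']}")
    tz_country = TZ_COUNTRY.get(record["timezone"])
    if tz_country and tz_country != claimed_country:
        mismatches.append(f"timezone: {record['timezone']} -> {tz_country}")
    region = locale_region(record["locale"])
    loc_country = REGION_COUNTRY.get(region) if region else None
    if loc_country and loc_country != claimed_country:
        mismatches.append(f"locale: {record['locale']} -> {loc_country}")
    elif loc_country and tz_country and loc_country != tz_country:
        # Locale edited to match the claim, time zone left untouched.
        mismatches.append("locale/timezone disagree: partial obfuscation")
    return mismatches


# Constructed device records (hypothetical values).
DEVICE_A = {"sim_plmn": "45406", "cell_plmn": "46000",
            "timezone": "Asia/Shanghai", "locale": "en_US"}
DEVICE_B = {"sim_plmn": "45501", "cell_plmn": "46000",
            "timezone": "Asia/Shanghai", "locale": "zh_CN_#Hans"}

if __name__ == "__main__":
    for dev, claim in ((DEVICE_A, "United States"), (DEVICE_B, "United Kingdom")):
        print(claim, assess_device(dev, claim))
```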
Phase 7, Cross-Platform Persona Correlation
Objective: collapse a swarm of online personas into a smaller set of real operators.
Step 7.1, Build the persona graph. Each fake company spawned personas across LinkedIn, Meta/Facebook, Twitter/X, Bluesky, Telegram, Gmail, Outlook, and ProtonMail. Inventory every handle, display name, and email, and the dates and IPs of their creation and use.
Step 7.2, Link personas through shared selectors. The strongest links were: a shared email account used across multiple personas; identical profile photographs across platforms; near-identical bios (the recurring line "… the Rightinfo. Keep up with international hotspot issues" appeared on multiple profiles); and creation from the same IP on the same day.
Step 7.3, Pierce a persona with cookie linkage. The most powerful attribution in the case: a LinkedIn account for a fabricated "Deputy Director, Personnel" persona was linked to a real subject's LinkedIn account via cookies, and the same IP address (resolving to South Africa, where that subject lived at the time) was used both to create the fake-persona account and to log into the subject's true-name account, on multiple dates. Cookie and shared-IP linkage is what connects a disposable persona back to a human.
Step 7.4, Note jurisdiction-hopping selectors. Personas were paid through, and registered with, emails on country-specific domains (e.g., .uk addresses) while operating from elsewhere, another reminder to weight behaviour and telemetry over self-declared nationality.
⚑ Investigator takeaway / red flags
- One photograph or one bio line shared across "different" people.
- Multiple personas created from one IP in a short window.
- A fake persona and a real account linked by cookies or a shared device/IP.
Pivot created: persona graph → the human operators (subjects) and → their financial instruments.
Phase 8, Financial and Payment Tracing
Objective: show the money path, which simultaneously proves the laundering element and attributes the operation.
Step 8.1, Map both legs: infrastructure spend and recruit payouts. Two money flows matter. Inbound (paying for domains/hosting) was settled with cards issued by banks in Pakistan, India, the UAE, Thailand, France, and China, and with cryptocurrency, via processors such as Stripe to U.S.-based registrars/hosts. Outbound (paying recruits) ran through PayPal, Wise, and cryptocurrency.
Step 8.2, Unwrap fictitious-name payment accounts to their funding instruments. A PayPal account that paid one recruit was registered to a fictitious name with a Great Britain address, but its linked funding instruments were five China-issued cards (Ping An Bank, Bank of China, Agricultural Bank of China, Shanghai Pudong Development Bank, and Bank of Communications). Another recruit's payment account linked to eight China-issued cards across seven Chinese banks. The cut-out account name is cosmetic; the linked cards are the attribution.
Step 8.3, Recognise laundering-tradecraft signatures. Distinct behavioural markers recurred: small one-cent test payments before real transfers; payments split across several smaller transactions; a batch of payments reversed and blamed on a PayPal "hiccup"; and a billing currency switched to Hong Kong dollars mid-stream. These patterns are themselves indicators.
Step 8.4, Reuse the financial cluster as a pivot. The same set of China-issued cards reappeared behind payment accounts used to pay different recruits, meaning a confirmed card cluster could be used to discover additional victims and personas, closing the loop back to Phases 7 and 9.
⚑ Investigator takeaway / red flags
- A Western-named payment account funded by cards from the suspected origin country.
- Test-transfers, split payments, reversals, and mid-stream currency changes.
- The same funding instruments behind multiple "unrelated" payers.
Pivot created: shared card cluster → additional personas, recruits, and domains.
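The unwrapping, clustering and signature checks of Steps 8.2 to 8.4 over a constructed payment log, as an added example (not tooling from the case): cut-out accounts are grouped on shared funding cards, each cluster is re-queried for the recruits it paid, and the tradecraft markers named above (one-cent test payment, split transfers, reversal, mid-stream currency switch) are flagged per payer-recruit pair. All account, card and transaction values are hypothetical.

```python
"""Unwrap cut-out payment accounts to their funding cards, cluster payers on
shared cards, and flag laundering-tradecraft signatures in the payment log.
Added example (not tooling from the case); all account, card and transaction
values are constructed placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta

# Payment account -> display name and linked funding instruments (constructed).
ACCOUNTS = {
    "pay-acct-1": {"name": "J. Smith (GB)", "cards": {"card-CN-11", "card-CN-12", "card-CN-13"}},
    "pay-acct-2": {"name": "R. Jones (GB)", "cards": {"card-CN-12", "card-CN-14"}},
    "pay-acct-3": {"name": "Anon Ltd", "cards": {"card-TH-21"}},
}

# Constructed payment log: (timestamp, payer account, recruit, amount, currency, status).
LOG = [
    ("2025-02-01T09:00", "pay-acct-1", "Recruit A", 0.01, "USD", "completed"),
    ("2025-02-01T09:40", "pay-acct-1", "Recruit A", 300.00, "USD", "completed"),
    ("2025-02-10T10:00", "pay-acct-1", "Recruit B", 250.00, "USD", "completed"),
    ("2025-02-10T10:05", "pay-acct-1", "Recruit B", 250.00, "USD", "completed"),
    ("2025-02-10T10:09", "pay-acct-1", "Recruit B", 250.00, "USD", "reversed"),
    ("2025-03-01T11:00", "pay-acct-2", "Recruit C", 400.00, "HKD", "completed"),
    ("2025-03-05T11:00", "pay-acct-2", "Recruit C", 420.00, "USD", "completed"),
    ("2025-03-07T12:00", "pay-acct-3", "Recruit D", 500.00, "USD", "completed"),
]

TEST_AMOUNT = 0.05  # anything at or below this is treated as a test transfer


def card_clusters(accounts):
    """Group payment accounts that share at least one funding card."""
    parent = {a: a for a in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_card = defaultdict(set)
    for acct, info in accounts.items():
        for card in info["cards"]:
            by_card[card].add(acct)
    for holders in by_card.values():
        holders = sorted(holders)
        for other in holders[1:]:
            parent[find(other)] = find(holders[0])
    groups = defaultdict(list)
    for acct in accounts:
        groups[find(acct)].append(acct)
    return sorted(sorted(g) for g in groups.values())


def recruits_paid_by_cluster(cluster, log):
    """Re-query the log: every recruit paid from any account in the cluster."""
    return sorted({row[2] for row in log if row[1] in cluster})


def tradecraft_signatures(log, split_window=timedelta(minutes=15)):
    """(payer, recruit, signature) triples for the markers the case describes."""
    sigs = set()
    by_pair = defaultdict(list)
    for ts, payer, recruit, amount, cur, status in log:
        by_pair[(payer, recruit)].append((datetime.fromisoformat(ts), amount, cur, status))
    for (payer, recruit), rows in by_pair.items():
        rows.sort()
        if len(rows) > 1 and any(amt <= TEST_AMOUNT for _, amt, _, _ in rows):
            sigs.add((payer, recruit, "test payment before real transfer"))
        if any(st == "reversed" for *_, st in rows):
            sigs.add((payer, recruit, "reversed payment"))
        if len({cur for _, _, cur, _ in rows}) > 1:
            sigs.add((payer, recruit, "currency switched mid-stream"))
        real = [t for t, amt, _, st in rows if st == "completed" and amt > TEST_AMOUNT]
        if any(t2 - t1 <= split_window for t1, t2 in zip(real, real[1:])):
            sigs.add((payer, recruit, "payment split into several transfers"))
    return sorted(sigs)


if __name__ == "__main__":
    for cluster in card_clusters(ACCOUNTS):
        print(cluster, "paid:", recruits_paid_by_cluster(cluster, LOG))
    for sig in tradecraft_signatures(LOG):
        print(sig)
```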
Phase 9, Victim and Human-Source Verification
Objective: confirm that "registrants" and "personnel" are stolen identities, and corroborate the scheme through the people who were targeted.
Step 9.1, Interview the identity-theft victims. Investigators located and interviewed the two real U.S. persons whose identities anchored the registrations and the "HR Director" persona. One confirmed they had never registered an internet domain and had never heard of the firms; the other learned their identity had been used after their U.S. passport was found listed for sale on a cyber-criminal marketplace. Victim interviews convert an inference ("this looks like a stolen identity") into evidence ("the named person disclaims it").
Step 9.2, Debrief the recruits. Recruits (case labels A through K) supplied the operation's communications, taskings, contracts, and payment records, and their own accounts of the recruitment arc. Their materials showed the handlers' escalation from open-source "analysis" to demands for "exclusive/insider" information, the move to Telegram, and the grading of reports by source sensitivity.
Step 9.3, Preserve the victim/recruit materials to evidentiary standard. Contracts, confidentiality agreements, message logs, and payment confirmations provided by cooperating recruits are core exhibits; handle chain-of-custody accordingly.
Investigator takeaway: the human layer both validates the technical findings and surfaces the operation's intent, which the technical layer alone cannot establish.
Pivot created: victim/recruit evidence → intent, attribution corroboration, and additional selectors (emails, handles, accounts).
Phase 10, Attribution Synthesis and Behavioural Analysis
Objective: assemble the indicators into an attribution assessment and characterise the sponsor's intent.
Step 10.1, Build the indicator matrix. The affidavit's Table 1 is the model deliverable: domains as columns, indicators as rows, an "X" at each intersection. Indicator rows included shared stolen identity, shared hosting IP, identical/idiosyncratic job text, stock/AI imagery, location mismatch, shared persona, suspicious-activity reporting, Chinese-language site build, un-deleted template text, and impersonation of a real entity. The matrix is the case: it shows that no domain stands alone.
Step 10.2, Analyse tasking substance for sponsor intent. The topics the operators demanded mapped onto a single state's priorities: the South China Sea and Sabina Shoal, Xinjiang/Uyghur policy, U.S.–China trade and tariff deliberations, Trump-administration China policy, and NATO's assessment of the Ukraine conflict. The operators also reposted news framed to favour that state's narrative. Tasking analysis turns "who paid" into "who benefits."
Step 10.3, Account for behavioural tradecraft. Cut-outs and co-optees, alias use, encrypted-app migration, denial of state affiliation, and meetings/payments structured to obscure origin all matched documented intelligence tradecraft, reinforcing the assessment without resting the case on any single artefact.
Step 10.4, Calibrate confidence and language. Note where attribution is strong (consistent telemetry, financial linkage, victim disclaimers) and where it is inferential (cloud/VPN IPs, persona inference). The filing's careful framing, actors believed to be working "wittingly and unwittingly" on a state's behalf, is a model of calibrated attribution language.
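Building the Step 10.1 matrix from raw evidence, as an added example that is not the affidavit's Table 1: shared-type indicators (identity, hosting IP, job text, persona) earn an "X" only when the same value recurs on a second domain, per-domain observations are marked directly, and any domain with no shared-indicator X is reported as not yet tied to the set. The indicator names are a subset of the affidavit's rows and every evidence row is constructed.

```python
"""Build the indicator matrix (domains as columns, indicators as rows, an X at
each intersection) from raw evidence and list any domain that no shared
indicator yet ties to the set. Added example, not the affidavit's Table 1;
the indicator names are a subset and every evidence row is constructed."""

# Indicators that only count when the same value is held by 2+ domains.
SHARED = {"shared stolen identity", "shared hosting IP",
          "identical job text", "shared persona"}
# Indicators observed on a domain by itself.
STANDALONE = {"stock/AI imagery", "location mismatch", "template text left in",
              "impersonates real entity"}

# Constructed evidence: (domain, indicator, value). Values are placeholders.
EVIDENCE = [
    ("alpha.example", "shared stolen identity", "identity-victim-1"),
    ("beta.example", "shared stolen identity", "identity-victim-1"),
    ("beta.example", "shared hosting IP", "198.51.100.7"),
    ("gamma.example", "shared hosting IP", "198.51.100.7"),
    ("gamma.example", "identical job text", "we offers a contract with monthly salary"),
    ("delta.example", "identical job text", "we offers a contract with monthly salary"),
    ("alpha.example", "stock/AI imagery", "CCO photo matches unrelated HR site"),
    ("delta.example", "template text left in", "[Your Company Name]"),
    ("epsilon.example", "stock/AI imagery", "CEO portrait is stock"),
    ("epsilon.example", "shared hosting IP", "192.0.2.9"),  # held by one domain only
]


def build_matrix(evidence):
    """Return (domains, indicators, cells) where cells[(indicator, domain)] is True.
    A SHARED indicator is marked only when its value recurs on another domain."""
    unknown = {i for _, i, _ in evidence} - SHARED - STANDALONE
    if unknown:
        raise ValueError(f"unclassified indicators: {sorted(unknown)}")
    holders = {}  # (indicator, value) -> domains holding that value
    for d, ind, val in evidence:
        holders.setdefault((ind, val), set()).add(d)
    cells = {}
    for (ind, val), ds in holders.items():
        if ind in SHARED and len(ds) < 2:
            continue  # a value seen once links nothing
        for d in ds:
            cells[(ind, d)] = True
    domains = sorted({d for d, _, _ in evidence})
    indicators = sorted({i for i, _ in cells})
    return domains, indicators, cells


def render(domains, indicators, cells):
    """Plain-text table in the Table 1 layout."""
    w = max(len(i) for i in indicators)
    lines = [" " * w + " | " + " | ".join(domains)]
    for ind in indicators:
        row = [("X" if cells.get((ind, d)) else "").ljust(len(d)) for d in domains]
        lines.append(ind.ljust(w) + " | " + " | ".join(row))
    return "\n".join(lines)


def unlinked_domains(domains, cells):
    """Domains with no shared-indicator X: in the matrix, but not yet tied to the rest."""
    linked = {d for (ind, d) in cells if ind in SHARED}
    return [d for d in domains if d not in linked]


if __name__ == "__main__":
    doms, inds, cells = build_matrix(EVIDENCE)
    print(render(doms, inds, cells))
    print("not yet linked by any shared indicator:", unlinked_domains(doms, cells))
```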
4. The Pivot Map, How One Indicator Becomes the Next
The investigation's power came from chaining pivots. Read this as the analytic spine of the case:
| From a confirmed… | …you pivot to | via |
|---|---|---|
| Seed domain | WHOIS record + hosting IP | registrar/registry + DNS resolution |
| Registrant identity/email | Sibling domains; the human victim | cross-referencing registration fields; victim interview |
| Hosting IP / CDN | Sibling domains | shared-infrastructure clustering |
| Account login IPs | Geographic attribution | open-source IP geolocation |
| Verbatim job text / shared errors | Common authorship of sibling sites | string search; error fingerprinting |
| Executive photo | Real entity to rule out; fabricated personnel | reverse image search |
| Device records | High-confidence region | time zone, locale, MCC/MNC decoding |
| Persona selectors (email, bio, photo) | The human operator | persona graphing; cookie + shared-IP linkage |
| Fictitious-name payment account | Origin-country bank cards | unwrapping linked funding instruments |
| A confirmed card cluster | Additional personas, recruits, domains | re-querying the financial graph |
| The full indicator set | Attribution + intent | indicator matrix + tasking analysis |
5. Investigator's Field Checklist
A condensed working list for a unit opening a similar matter:
- Snapshot the live site, source, job posts, and search-cache copies with exact timestamps.
- Preserve registrar, registry, hosting, and platform records before they age out.
- WHOIS: capture and cross-reference registrant name, email, address, date, registrar across the whole suspected set.
- Registry: identify the controlling registry (it is who executes any seizure/redirect).
- Hosting: resolve serving IPs; cluster on shared IP/CDN; pull account login histories.
- Content: search distinctive strings; record shared grammatical errors and template placeholders.
- Imagery: reverse-image every face and logo; flag stock and AI-generated media and computer-generated voice-over.
- Network: geolocate every creation/login/send IP; mark cloud/VPN IPs as obfuscation, not location.
- Device/telecom: extract time zone, locale, and MCC/MNC; decode MCC/MNC to named carrier + country.
- Personas: graph handles across platforms; link via shared email/photo/bio, same-IP-same-day creation, and cookies.
- Money: map inbound (infra) and outbound (recruits); unwrap cut-out accounts to funding cards; log test/split/reversed/currency-switch behaviour; reuse card clusters as a pivot.
- Humans: interview identity-theft victims; debrief recruits; preserve contracts, logs, and payment records.
- Synthesise: build the indicator matrix; analyse tasking topics for sponsor intent; calibrate attribution language.
- Action: serve the registry to redirect to law-enforcement name servers, lock against transfer pending forfeiture, and post the seizure notice.
6. Legal Process and Chain of Custody (Procedural Notes)
The operational moves above are only as useful as their admissibility. The case record reflects several disciplines worth replicating:
- Layered, dated process. Multiple search warrants and legal returns were obtained over roughly two years as the picture matured, rather than a single omnibus request. Each return (registrar, hosting, Google, Meta, LinkedIn) was tied to a dated authorisation.
- Provenance for every artefact. "Last visited" dates, the source of each record (which provider produced it), and the basis for each assessment (e.g., why an image is judged AI-generated) are stated. Investigators should likewise document the tool, query, and timestamp behind each open-source finding.
- Seizure mechanics. Because the registry, not the individual operators, controls the domains, the warrant directs the registry to repoint the domains to law-enforcement name servers, to prevent modification or transfer pending forfeiture, and to display a seizure notice. Units pursuing domain seizure should identify the controlling registry and the appropriate forfeiture authority at the outset.
- Calibrated reporting. Distinguish fact, inference, and assessment in writing. Over-claiming attribution from a single cloud IP or an unverified persona will not survive scrutiny.
7. The Defensive Mirror, Sensitising the Target Population
Investigation is reactive; the durable mitigation is awareness on the recruited side. The same modus operandi has prompted parallel public warnings.
On 22 January 2026, India's University Grants Commission, relaying a Ministry of Education alert, circulated guidance to all universities and colleges describing an effectively identical playbook: "vested foreign entities" using job portals (LinkedIn, Naukri.com) to recruit people with journalism and defence backgrounds; commissioning "source-based articles" on troop deployments, weapon systems, defence procurement, and military exercises; paying through domestic bank accounts, at times student accounts and the proceeds of cyber fraud; posing as consulting firms based abroad; and harvesting applicants' PAN and Aadhaar identity documents through intermediaries. The advisory named no country and asked institutions to sensitise students and faculty.
For a Global Cyber Police audience, the operative red flags to push out to clearance holders, journalists, academics, and contractors are:
- Outsized compensation for short "research reports."
- Insistence on non-public, "exclusive," or "insider" detail.
- A quick push to move conversations to Telegram or other encrypted apps.
- Payment from PayPal/Wise accounts in unfamiliar names, or in cryptocurrency.
- "Consultancies" with stock or AI faces, rented addresses, and no verifiable client work.
- Requests for identity documents (PAN/Aadhaar/passport) by an unverified "HR" contact.
The cheapest counter-measure in this entire problem set is teaching a target to recognise the recruitment pitch before they accept the first $500.
8. Conclusion
Front-company website networks are not defeated by a single clever lookup; they are defeated by disciplined correlation across independent data planes (registration, hosting, content, imagery, network, device, persona, and finance), anchored by human verification and assembled into an indicator matrix. The operators in this case were competent enough to spread registrars, rent Western addresses, and migrate to VPNs, yet they were undone by the one thing volume recruitment cannot avoid: reuse. Reused identities, reused servers, reused copy, reused photos, reused devices, reused cards. Every reuse was a pivot, and every pivot tightened the net.
For the investigator, the transferable doctrine is simple to state and demanding to execute: capture early, preserve fast, cross-reference everything, weight telemetry over self-declaration, decode what subjects cannot easily fake (MCC/MNC, cookies, linked funding instruments), and let the consistency of overlap, not any single record, carry the attribution.
All factual assertions derive from the cited public seizure-warrant package (No. 26-sz-42, D.D.C.). The matter consists of allegations; no individuals are named as defendants and the filing notes that "no offender is known to have, or have had, residence within any United States district."
Related reading
- China's Ghost Recruiters — the real case this investigation walkthrough is based on.
- What Is LERS? and the platform-by-platform LERS guide — for the data-request steps in Phases 6–8.
- The 2026 Deepfake Fraud Economy — context for the synthetic-media detection in Phase 4.
- LERS portal hub — where to send formal platform data requests.