URL Shortening Gone Wrong with GCHQ | WhoisXML API


In 2016, cybersecurity researchers discovered that British spies were using a free URL shortener to try to gather intelligence and influence online activists during the protests in Iran since 2009. [1]

That URL shortener could still be alive and kicking, as WhoisXML API threat researcher Dancho Danchev found out. His deep dive into the URL shortening service, using six domains as a jump-off point, revealed:

  • Five active IP address resolutions
  • Eight possibly connected domains, given that they shared the IP addresses of the domains tagged as indicators of compromise (IoCs)
  • An email address that could belong to the domainer who sold two of the domains identified as IoCs

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.vice.com/en/article/78kw7z/gchq-url-shortener-twitter-honeypot-arab-spring