🕵️♂️ How I Tracked Down a Domain Bought Using My Debit Card
A Real-World OSINT Investigation
Recently, I found myself in a bizarre situation.
Someone I know purchased a domain using my debit card details.
At that point, it wasn't about the money anymore.
It was about reputation.
And I was determined to find that domain.
🧾 What I Knew
I wasn't starting blind. I had:
- Exact transaction time
- Registrar: Namecheap
- Strong suspicion about who bought it
- High probability it was a personal domain This quickly turned into a mini cyber-investigation.
🔍 Attempt 1: Reverse WHOIS API
My first step was obvious: search the internet.
I wanted to find domains registered by an email within a date range.
I discovered the WHOISXML Reverse WHOIS API.
Approach
- Logged in using a
.eduemail (Gmail accounts aren't allowed) - Queried using: - Registrar → Namecheap - Date range → the purchase day - Keyword → suspected email #### Problem Reverse WHOIS stores data date-wise, not at minute-level precision. So I fetched all domains registered via Namecheap that day. ➡ Result: ~23,000 domains Too many.
- - ### 🔎 Narrowing the Search Space I looked for patterns. What did I know?
- Likeliest use → personal website
- Premium pricing suggested serious intent
- Indian personal domains rarely choose
.xyz,.ai, etc. -
.comfelt most likely ➡ Reduced list: ~5,200 domains Still too many to verify manually.
🤖 AI Filtering Experiment
I asked AI to generate a script that would:
- batch 1,000 domains
- send them to Gemini API
- prompt: identify domains that look like personal websites for Indian males It returned filtered results. But the domain I wanted wasn't there. Reverse WHOIS can miss:
- privacy-protected registrations
- uncached entries
- delayed listeners Result: Attempt 1 Failed
🏦 Attempt 2: Contacting the Registrar
I contacted Namecheap support:
A fraudulent transaction was made using my card.
They:
- blocked the account
- refunded my money But refused to reveal the domain. Result: Attempt 2 Failed
- - ### 🗂 Attempt 3: ICANN CZDS Zone Files I requested zone files via ICANN CZDS. Problems:
- approvals take time
.comrequests take longer- backdated downloads aren't available
- the domain had already been taken down Result: Inconclusive
🔐 Attempt 4: Certificate Transparency Logs (crt.sh)
I learned about certificate transparency logs.
If the domain hosted HTTPS, its SSL certificate must exist in CT logs.
I tried:
- querying crt.sh
- connecting via Postgres
- batch queries in 5-minute windows #### Issues
- connection breakages
- SSL errors
- slow processing
- and my impatience 🙂 Progress: Yes Success: Not yet
🚀 Attempt 5: Google BigQuery + crt.sh Dataset
This changed everything.
The crt.sh dataset is available via Google BigQuery.
Steps
- Connected the dataset
- Queried certificates issued during the purchase hour
- Filtered
.comdomains - Reduced the time window further ➡ 700 → 200 domains Manual scan… Four entries later… 🎯 Found it. Matched the domain to the person. Result: SUCCESS
🤯 Plot Twist
Later, I discovered something surprising.
The domain was present in my Reverse WHOIS results.
I ignored it because:
- I doubted dataset completeness
- I trusted AI filtering too much If I had manually verified the 5,200 domains… I would have found it earlier.
🧠 Lessons Learned
✔ Always verify your data
AI helps - but never assume completeness.
✔ Internet datasets are imperfect
Each dataset captures only part of reality.
✔ OSINT requires patience
Impatience slows investigations more than complexity.
✔ Automation helps, manual validation wins
✔ Certificate Transparency logs are gold
🧑💻 A Step Toward Ethical Hacking
This wasn't hacking.
It was understanding how internet infrastructure works:
- WHOIS & Reverse WHOIS
- Registrars
- Certificate Transparency
- DNS zone files
- Data aggregation gaps And the caveats between them.
🏁 Final Thoughts
If you take anything from this:
Double-check your data.
Trust, but verify.
And cultivate patience.
Because the internet always leaves traces -
you just need to know where to look.
Adios.
Top comments (0)