SecurityTrails Blog · Apr 07 · by Esteban Borges Seizure and What Happens to Seized Domains


What really happens when the FBI seizes a domain?

Earlier today, while browsing Hacker News, we came across this article: Sex marketplace seized by U.S. justice authorities

For those who don't know about it… Until today, Backpage was the second biggest classified advertising service in the US after Craigslist.


According to some media reports, 90% of its revenue came from sex classified ads. The problem seems to be that these online ad services were being used to facilitate sex trafficking and prostitution.

A friend of ours asked an interesting question:

Is there a way that SecurityTrails can alert you when the government does something like this? I'm sure this stuff happens more than you think.

Which got us thinking: what actually happens when the FBI seizes a domain name?

So we started digging using SecurityTrails.

First, we notice by going to that there is a new HTML page:


It’s a single image on the HTML page and all other pages seem to 404. The code is very simple with a single image:


So we keep digging… Where is the FBI keeping these pages?

When first looking it seems like is hosted on Verizon with a redirect coming from DNSMadeEasy (Tiggee, LLC) for the initial redirect from the apex domain of “” to “”. (You can also see all the other subdomains from this view.)


With the “” record is pointing at:

MCI Communications Services, Inc. d/b/a Verizon Business - -

And that hasn’t changed in a long time:


So it looks like they just put this page in place on the existing web server so people can see the FBI splash page while DNS is propagating.

Next, we wanted to see whether the WHOIS record had changed, so we ran a current WHOIS search and found that the admin contact had been changed to “United States Postal Inspection Service”:


You can see the last historical record from December 1:


And how it used to look:


Then we ran a current WHOIS to see whether the site’s nameservers had been changed even though the change hadn’t propagated yet (we don’t currently display this in SecurityTrails, but will start doing so next week for use cases like this).

Right now I am just doing a WHOIS on my computer:

```
% whois
Registry Domain ID: 3112173_DOMAIN_COM-VRSN
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2018-04-06T17:58:13Z
Creation Date: 1999-01-19T05:00:00Z
Registry Expiry Date: 2025-01-19T05:00:00Z
Registrar: Ascio Technologies, Inc. Danmark - Filial af Ascio technologies, Inc. USA
Registrar IANA ID: 106
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +442070159370
Domain Status: ok
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form:
>>> Last update of whois database: 2018-04-06T20:37:03Z <<<
```

You can see that there are two name servers that the FBI appears to be using for seized domains:


They’re all apparently hosted by a company called Consolidated Communications, Inc once the records propagate:


At this point, we started digging into this seized domain list to see what we were able to discover from the confiscated domains.

Some interesting domains already seized by the FBI found on the same list:

A curious fact: 80% of the total seized domain names from these Name Servers are related to generic online pharmacy websites like:

Another interesting finding: the FBI isn’t only focused on online pharmacies. It has also shut down a lot of online “jersey” stores. Some examples:

As well as illegal online DVD stores:

And the list goes on, with around 984 seized domain names.
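
The two changes traced above (the admin contact rewritten to a law-enforcement agency, then the name servers moved to a shared pair) can be checked automatically by diffing two WHOIS snapshots of the same domain. This is an added example, not SecurityTrails code; the domains, the name server watchlist and the snapshots are constructed placeholders, since the real values are not shown here.

```python
# Added example. All domains, name servers and WHOIS snapshots here are constructed.
SEIZURE_NS = {"ns1.seizure-ns.example", "ns2.seizure-ns.example"}  # placeholder watchlist
AGENCY_MARKERS = ("postal inspection service",)  # contact value reported in the post

def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into {lowercased key: [values]}."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key and value:
            record.setdefault(key, []).append(value)
    return record

def seizure_indicators(before_text, after_text):
    """Diff two WHOIS snapshots and return the seizure-style changes found."""
    before, after = parse_whois(before_text), parse_whois(after_text)
    findings = []
    old_ns = {v.lower().rstrip(".") for v in before.get("name server", [])}
    new_ns = {v.lower().rstrip(".") for v in after.get("name server", [])}
    if new_ns != old_ns:
        kind = "seizure_nameservers" if new_ns and new_ns <= SEIZURE_NS else "nameserver_change"
        findings.append((kind, sorted(new_ns)))
    for key, values in after.items():
        contact = key.split()[0] in ("admin", "registrant")
        if contact and values != before.get(key):
            if any(m in v.lower() for v in values for m in AGENCY_MARKERS):
                findings.append(("agency_contact", key))
    return findings

# Constructed snapshots: historical record, contact changed but DNS not yet
# switched (the state observed in the post), and the fully switched state.
BEFORE = """Domain Name: SEIZED-SHOP.EXAMPLE
Updated Date: 2017-12-01T00:00:00Z
Admin Organization: Example Shop Ltd
Name Server: NS0.DNS-HOST.EXAMPLE
Name Server: NS1.DNS-HOST.EXAMPLE
"""
AFTER_PENDING = BEFORE.replace("Example Shop Ltd", "United States Postal Inspection Service") \
                      .replace("2017-12-01T00:00:00Z", "2018-04-06T17:58:13Z")
AFTER_SEIZED = AFTER_PENDING.replace("NS0.DNS-HOST.EXAMPLE", "NS1.SEIZURE-NS.EXAMPLE") \
                            .replace("NS1.DNS-HOST.EXAMPLE", "NS2.SEIZURE-NS.EXAMPLE")

if __name__ == "__main__":
    for label, snap in (("pending", AFTER_PENDING), ("seized", AFTER_SEIZED)):
        print(label, seizure_indicators(BEFORE, snap))
```

The contact check fires before the name server check does, which matches the window described above where the WHOIS contact had already changed while DNS was still propagating.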

As you can see, we can help you make sense of changes on the Internet for security investigations with the large amount of current and historical information in our databases.

We hope you found this useful! Remember to submit to our [Data Bounty program][bounty] if you found any interesting stories using our domain and IP intelligence platform or automating your apps with a free SecurityTrails API account.

Esteban Borges Blog Author

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.
