How Can WHOIS History Help with Cybercrime Investigations?

domain name extensions

By this time, half the world’s population is already familiar with cybercrime. Whether it’s social engineering, phishing, hacking, or other types of cyber attacks, chances are that regular Internet users and companies with Internet-facing or connected systems have encountered them at one point.

What comes after a cyber attack is an investigation. And while it is difficult to determine who is behind an attack immediately, cybercrime investigators can start with information that would lead them closer to finding out who the attackers are. Some of those puzzle pieces can be obtained from historical WHOIS records. You may visit to learn more about WHOIS History. But, in a nutshell, here are the specific data points it provides each time a web property’s domain ownership history changes:

  • Registration date
  • Nameservers
  • WHOIS server
  • Registrar name
  • Registrant contact details
  • Administrative contact details
  • Technical contact details

The registrant, administrative, and technical details include the contact person’s name, organization, street address, phone number, and email address. These historical WHOIS records can help cybercrime investigators and security teams in several ways.

See Domain Ownership Details before Data Redaction

WHOIS record redaction has been widely implemented since the Internet Corporation for Assigned Names and Numbers (ICANN) encouraged domain registrars to do so. While this complies with privacy regulations, such as the General Data Protection Regulation (GDPR), redaction has become a challenge for cybercrime investigators.

Consider the domain ozaydininsaat[.]com, for example. This domain is a verified phishing domain on PhishTank. The details of its owner or registrant, however, are protected by Privacy Protect, LLC. Without knowing who the domain could be attributed to, investigators could face a roadblock.

Consulting a WHOIS history database, though, could provide additional information about ozaydininsaat[.]com. Even though a WHOIS lookup search detects that the domain was recently registered, historical WHOIS records reveal it has a past. Below are some of its domain ownership history details:

  • The domain history database dug up WHOIS records as far back as 31 August 2012. It was registered under a person from Turkey during that period, but the registrant’s name was not disclosed.
  • In December 2013, the domain’s ownership changed to a person named “K. S*****,” who is also from Turkey. The registrant’s email address was ***877@*****[.]com. This domain ownership history record remained the same until October 2014, when then owner dropped the domain.
  • The domain became active again between June 2016 to July 2019. At that time, the registrant was someone named “S. T*****,” also from Turkey, with the email address *****sinem_@*****[.]com.

The domain name has apparently changed hands several times over the course of eight years, and the domain history records uncovered by the database could help investigators.

Unveil Domain Connections Based on Historical WHOIS Records

The domain ownership history details we uncovered could be used to map out the domain’s past associations and get more clues. The email address ***877@*****[.]com, for instance, matched the historical WHOIS records of 756 domain names. The name “K. S*****,” meanwhile, appears in the domain name history records of 266 other domains.

On the other hand, *****sinem_@*****[.]com did not match any other domain’s WHOIS history record, but the name “S. T*****” appeared in the WHOIS records of two other domains.

At best, these domain connections could lead investigators closer to finding out who the attackers are. At the very least, they could unveil more suspicious domains that are worth looking into. A visual representation of the additional data points that investigators could unveil with the help of a WHOIS history database is provided below.

Cybercrime investigators can use domain name history records to deepen their investigations and unearth more clues. These data points could help them achieve the ultimate goal of solving cybercrime cases, but equally important is the fact that they could also discover more suspicious domains. By doing so, organizations and users can be protected from potentially dangerous but undisclosed domain names.

Log In

Forgot password?

Forgot password?

Enter your account data and we will send you a link to reset your password.

Your password reset link appears to be invalid or expired.

Log in

Privacy Policy

Add to Collection

No Collections

Here you'll find all collections you've created before.