Reverse WHOIS the right way!

🕵️‍♂️ How I Tracked Down a Domain Bought Using My Debit Card

A Real-World OSINT Investigation

Recently, I found myself in a bizarre situation.
Someone I know purchased a domain using my debit card details.
At that point, it wasn’t about the money anymore.
It was about reputation.
And I was determined to find that domain.

🧾 What I Knew

I wasn’t starting blind. I had:

  • Exact transaction time
  • Registrar: Namecheap
  • Strong suspicion about who bought it
  • High probability it was a personal domain

This quickly turned into a mini cyber-investigation.

🔍 Attempt 1: Reverse WHOIS API

My first step was obvious: search the internet.
I wanted to find domains registered by an email within a date range.
I discovered the WHOISXML Reverse WHOIS API.

Approach

  • Logged in using a .edu email (Gmail accounts aren’t allowed)
  • Queried using:
     - Registrar → Namecheap
     - Date range → the purchase day
     - Keyword → suspected email

Problem

Reverse WHOIS stores data date-wise, not at minute-level precision.
So I fetched all domains registered via Namecheap that day.
➡ Result: ~23,000 domains
Too many.

🔎 Narrowing the Search Space

I looked for patterns.
What did I know?

  • Likeliest use → personal website
  • Premium pricing suggested serious intent
  • Indian personal domains rarely choose .xyz, .ai, etc.
  • .com felt most likely

➡ Reduced list: ~5,200 domains
Still too many to verify manually.

🤖 AI Filtering Experiment

I asked AI to generate a script that would:

  • batch 1,000 domains
  • send them to Gemini API
  • prompt: identify domains that look like personal websites for Indian males

It returned filtered results.
But the domain I wanted wasn’t there.
Reverse WHOIS can miss:

  • privacy-protected registrations
  • uncached entries
  • delayed listeners

Result: Attempt 1 Failed

🏦 Attempt 2: Contacting the Registrar

I contacted Namecheap support:

A fraudulent transaction was made using my card.
They:

  • blocked the account
  • refunded my money

But refused to reveal the domain.
Result: Attempt 2 Failed

🗂 Attempt 3: ICANN CZDS Zone Files

I requested zone files via ICANN CZDS.
Problems:

  • approvals take time
  • .com requests take longer
  • backdated downloads aren’t available
  • the domain had already been taken down

Result: Inconclusive

🔐 Attempt 4: Certificate Transparency Logs (crt.sh)

I learned about certificate transparency logs.
If the domain hosted HTTPS, its SSL certificate must exist in CT logs.
I tried:

  • querying crt.sh
  • connecting via Postgres
  • batch queries in 5-minute windows

Issues

  • connection breakages
  • SSL errors
  • slow processing
  • and my impatience 🙂

Progress: Yes
Success: Not yet

🚀 Attempt 5: Google BigQuery + crt.sh Dataset

This changed everything.
The crt.sh dataset is available via Google BigQuery.

Steps

  1. Connected the dataset
  2. Queried certificates issued during the purchase hour
  3. Filtered .com domains
  4. Reduced the time window further

➡ 700 → 200 domains
Manual scan…
Four entries later…
🎯 Found it.
Matched the domain to the person.
Result: SUCCESS
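The narrowing used in Attempts 4 and 5 (issuance time window, then .com only) as an added example that is not part of the original post: it filters records shaped like crt.sh JSON output (name_value with one SAN per line, not_before as an ISO timestamp) by a time window around the purchase and by TLD. The records, domains and times below are constructed; only the field names follow crt.sh.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of crt.sh JSON output.
# The field names are crt.sh's; the domains and timestamps are made up.
SAMPLE_ENTRIES = [
    {"not_before": "2024-03-10T14:02:11", "name_value": "shop-example.xyz\nwww.shop-example.xyz"},
    {"not_before": "2024-03-10T14:04:40", "name_value": "*.firstname-lastname.com\nfirstname-lastname.com"},
    {"not_before": "2024-03-10T14:07:03", "name_value": "portfolio-demo.com"},
    {"not_before": "2024-03-10T16:30:00", "name_value": "late-issuance.com"},
    {"not_before": "2024-03-10T13:59:59", "name_value": "just-before.com"},
    {"not_before": "2024-03-10T14:20:00", "name_value": "blog.someone.in"},
]


def registrable_name(hostname: str) -> str:
    """Reduce a SAN to its registrable domain.

    Approximation: strip a wildcard prefix and keep the last two labels.
    Multi-part public suffixes (e.g. co.in) are not handled here.
    """
    host = hostname.strip().lower()
    if host.startswith("*."):
        host = host[2:]
    return ".".join(host.split(".")[-2:])


def filter_ct_entries(entries, purchase_time: datetime,
                      window_minutes: int = 5, tlds=("com",)) -> list:
    """Return registrable .com (or other listed TLD) domains whose certificate
    not_before falls within [purchase_time, purchase_time + window)."""
    start = purchase_time
    end = purchase_time + timedelta(minutes=window_minutes)
    found = set()
    for entry in entries:
        issued = datetime.fromisoformat(entry["not_before"])
        if not (start <= issued < end):
            continue                      # outside the issuance window
        for san in entry["name_value"].splitlines():
            domain = registrable_name(san)
            if domain.rsplit(".", 1)[-1] in tlds:
                found.add(domain)
    return sorted(found)


if __name__ == "__main__":
    purchase = datetime(2024, 3, 10, 14, 0, 0)       # constructed purchase time
    for minutes in (5, 10, 180):                      # shrink the window, watch the list shrink
        hits = filter_ct_entries(SAMPLE_ENTRIES, purchase, window_minutes=minutes)
        print(f"{minutes:>3} min window -> {len(hits)} candidate(s): {hits}")
```

Certificate issuance can lag the purchase by minutes to hours, so start with a wide window and tighten it, as the post did going from 700 to 200 candidates.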

🤯 Plot Twist

Later, I discovered something surprising.
The domain was present in my Reverse WHOIS results.
I ignored it because:

  • I doubted dataset completeness
  • I trusted AI filtering too much

If I had manually verified the 5,200 domains…
I would have found it earlier.

🧠 Lessons Learned

✔ Always verify your data 
AI helps - but never assume completeness.
✔ Internet datasets are imperfect 
Each dataset captures only part of reality.
✔ OSINT requires patience 
Impatience slows investigations more than complexity.
✔ Automation helps, manual validation wins
✔ Certificate Transparency logs are gold

🧑‍💻 A Step Toward Ethical Hacking

This wasn’t hacking.
It was understanding how internet infrastructure works:

  • WHOIS & Reverse WHOIS
  • Registrars
  • Certificate Transparency
  • DNS zone files
  • Data aggregation gaps

And the caveats between them.

🏁 Final Thoughts

If you take anything from this:
Double-check your data. 
Trust, but verify. 
And cultivate patience.
Because the internet always leaves traces - 
you just need to know where to look.
Adios.