THE SOVIET UNION AND THE DOMINANCE OF .SU

This article is an excerpt from the Twitter thread posted on my profile (@jbadrenas):

Did you know that the Soviet Union had its own Top-Level Domain (TLD), the .su?

It was created in 1990 and, to this day, there are still more than 100,000 sites that use it.

What’s this all about now? It turns out that talking to @gemmafontane, passed on to me a Wikipedia entry linking to a project of theirs (denadal.cat). The page in question is http://et.wikipedia.su/wiki/Caganer.

At first glance, it may seem like a regular Wikipedia page. However, what stands out is the “et.” Upon inspection, we see that it’s simply the language setting. This link is the Estonian version of the entry. So far, so good.

However, the next thing to note is the “.su.” Since when does Wikipedia use different domains? Upon checking, we see that they still use “.org,” so something doesn’t add up.

Opening the link with the .su domain, we see that the page is an identical clone of the original Wikipedia. The only thing that catches the eye is some strange icons in the bottom left corner. Checking the page’s code, it appears to be a music player (or so they claim).

Yes, there is music playing, and it’s quite lively. Let’s continue…

We begin to analyze where all of this comes from. First, we use SemrushSemrush to gauge its relevance. We see that the page has existed since September 2021, approximately. We also notice that it experienced rapid growth, only to fall to almost 0.

Another crucial point to highlight is that the page has nearly 11 million backlinks. However, most of them are spam, which was quite predictable. Interestingly, some “legitimate” pages have fallen into the trap and link to this domain instead of the .org.

We begin our real investigation First, we look for who is behind the wikipedia.sudomain. We don’t find the name, but we do find the server and the owner’s email.

* Small note: Normally, domain owner information is public (name, address, email, etc.), although it can be made private upon request. In the case of private information, you can only obtain it with a court order.

For example, if we try to find out who is behind wikipedia.org, we see that much of the information is not public.

We continue our investigation… Who is behind the email belhak.ru@gmail.com? Searching on Google, we see that this person has developed an Android application, Hak1. Not very interesting…

However, we have a surprise. This person is listed as the owner of the “Officialnii Sait” porn website. Just by reading the Google results, we can already tell what the page is about, so there’s no need to visit it. We have another lead to follow… we’ll do that later. For now, let’s continue with the main investigation. If we search for one of the domains we found earlier on Who.is, we can see the IP address, which is 217.107.34.200.

And with the IP, we can determine the location, which, surprisingly, is in Russia. Specifically, in Moscow.

If we look up the second domain we found, we see that it is in a different location. We find this a bit suspicious, so we use another tool to perform the same process, and sure enough, the surprise is revealed: the domain is hosted in Moscow.

For the more curious folks, we can find out which other pages are hosted on the same server at the end of this page: https://www.gositestat.com/site/oficialnii-sait.com.

But… who is behind all of this? Remember that at the beginning, we tried to find out who created the fake Wikipedia without success. If we do the same search for the porn page we found, BINGO! We have a name and a surname. Furthermore, we have the email that verifies it.

We’ve now found the mastermind behind all of this. Finding an “obsolete” domain that doesn’t belong to anyone and creating an exact duplicate of Wikipedia is not an easy task. And finding information about the creator… that’s even more difficult. Only one result in Google, the one we saw earlier.

While investigating the web with Screaming Frog, we see there are around 300 subdomains and millions of pages. In just 5 minutes, it has already found about 200,000 pages… Obviously, the content has been copied automatically with some scraper or similar program, as it’s impossible to do manually. An impressive feat of engineering, without a doubt.

And to wrap things up, the icing on the cake. It seems our protagonist wants to showcase their culinary tastes through the server’s name…

As a curiosity, the page uses cookies from:

Yandex: a search engine (and more)
Mail.ru: an email provider
Rossgram: a national production social network
Yadro: an engineering culture portal
Avito: advertising platform

Of course, all Russian.

And finally, I’d like to remind everyone that nothing happens until it does. There are more and more phishing attacks, so be cautious with everything you receive.

And that’s the end of the thread. If you’ve made it this far and liked it, follow me for more similar posts. In my TL, I talk about digital marketing, e-commerce, and technology. And if you don’t follow me, follow @gemmafontane as well. Without her, this story wouldn’t exist.