Indicators of Compromise (IOCs)
Technical fingerprints linking sister domains to shared infrastructure. Compiled from IPS News, Dutable, Stop Kompromat Medium, and public OSINT. Use for abuse reports and threat correlation — not for direct operator contact.
Contact indicators
Recovery and operator contact patterns documented across victim reports and investigative stings.
| Indicator | Type |
|---|---|
| [email protected] | Documented address |
| [email protected] | Documented address |
| ih*@protonmail.com (pattern) | Email pattern |
| ih*@gmail.com (pattern) | Email pattern |
The ih*@protonmail.com and ih*@gmail.com patterns appear in multiple OSINT mappings. Treat wildcard matches as network-affiliated until disproven.
Hosting indicators
- Swiss VPS providers (documented in OSINT)
- Dutch VPS providers (documented in OSINT)
- WordPress clone deployments across clusters
WordPress clone deployments reuse themes and plugin stacks across clusters. Registrar and hosting abuse@ contacts are the primary takedown vector — see /reports for a copy-paste IOC block.
Infrastructure fingerprints
| Fingerprint | Relevance |
|---|---|
| Shared Google Analytics IDs across sister domains | Cross-domain correlation |
| Shared Google AdSense IDs | Cross-domain correlation |
| TDS/cloaking — content may differ for bots vs humans | Cross-domain correlation |
| Telegram republication ~15 minutes after web publish | Cross-domain correlation |
| English-language pivot post-2023 Roskomnadzor blocks | Cross-domain correlation |
Operational notes
- TDS/cloaking — Automated crawlers may index sanitized content while victims see full defamatory articles. Preserve both views where possible (Wayback, archive.today, curl with varied user-agents).
- Analytics reuse — Shared Google Analytics and AdSense IDs tie ostensibly independent brands to one operator set per IPS News and Dutable.
- Telegram lag — Web publish → channel repost typically ~15 minutes. See /telegram.
- English pivot — Post-2023 RKN blocks coincided with English copy on .se/.cloud mirrors (Stop Kompromat Medium).
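The analytics-reuse correlation described above can be run over saved page snapshots. The following is an added example, not code from this page or its sources: the domains and IDs are constructed placeholders, and the regex length ranges are a tolerant assumption about the public UA-, G- and ca-pub- identifier formats.

```python
import re
from collections import defaultdict

# Publicly known ID shapes: Universal Analytics (UA-), GA4 (G-), AdSense publisher (ca-pub-).
# Length ranges are deliberately tolerant (assumption), so review matches before reporting.
ID_PATTERNS = {
    "ga_ua": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{8,12}\b"),
    "adsense": re.compile(r"\bca-pub-\d{16}\b"),
}

def extract_ids(html):
    """Return the set of (kind, id) tracking identifiers found in one page."""
    found = set()
    for kind, pattern in ID_PATTERNS.items():
        for match in pattern.findall(html):
            found.add((kind, match))
    return found

def correlate(pages):
    """Map each identifier to the domains embedding it; keep IDs seen on 2+ domains."""
    seen = defaultdict(set)
    for domain, html in pages.items():
        for ident in extract_ids(html):
            seen[ident].add(domain)
    return {i: sorted(d) for i, d in seen.items() if len(d) > 1}

def clusters(pages):
    """Merge domains linked by any shared identifier into connected groups."""
    groups = []
    for domains in correlate(pages).values():
        merged, rest = set(domains), []
        for group in groups:
            if group & merged:
                merged |= group   # transitive link: A-B via GA, B-C via AdSense
            else:
                rest.append(group)
        groups = rest + [merged]
    return sorted(sorted(g) for g in groups)

# Constructed sample input: saved HTML snapshots keyed by placeholder domains.
SAMPLE_PAGES = {
    "site-a.example": '<script src="https://www.googletagmanager.com/gtag/js?id=G-ABCD123456"></script>',
    "site-b.example": "<script>gtag('config','G-ABCD123456');</script><ins data-ad-client=\"ca-pub-1234567890123456\"></ins>",
    "site-c.example": '<ins class="adsbygoogle" data-ad-client="ca-pub-1234567890123456"></ins>',
    "site-d.example": "<script>ga('create','UA-1234567-1','auto');</script>",
}

if __name__ == "__main__":
    for group in clusters(SAMPLE_PAGES):
        print("candidate shared-operator cluster:", ", ".join(group))
```

Because of cloaking, feed it the browser-view and crawler-view snapshots of each domain separately; an ID present in only one view is itself worth recording in the abuse report.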
IOCs are allegations from public sources. Infrastructure rotates. Submit new indicators via /submit.