Threat Intelligence · Case Study

One signal exposed an entire criminal hosting cluster.

A single certificate — on a domain that looked completely legitimate — unraveled a 150-domain bulletproof hosting operation. Not one of those domains had been caught by any public domain feed.

Flagged 14 July 2026 · Feeds checked 14 July 2026 09:00 UTC

1
signal detected
150
domains uncovered
0
in public domain feeds
01

The domain that looked legitimate

Our pipeline flagged mail.e-socialstatement[.]com— a polished replica of the U.S. Social Security Administration’s member portal.

Look at the page and you’d move on. So would an automated website scanner: clean layout, federal-blue styling, the right words. Nothing on the surface says “phishing.”

But the domain resolved into AS213790, an Iranian network our pipeline scores 1.0 for bulletproof behavior with an abuse score of 95 / 100— parts of which Spamhaus DROP independently lists as criminal-controlled address space. The U.S. Social Security Administration does not host on Iranian bulletproof infrastructure. The surface lied. The infrastructure didn’t.

Network
AS213790 · IR
Bulletproof
1.00
Abuse score
95 / 100
Domains on ASN
44

Has a website ≠  is legitimate.

Phishing pages are built to look real — that’s the entire point. A surface check waves them through. Only the infrastructure gives them away.

02

The pivot: one lead becomes the whole map

A confirmed-bad domain isn’t an endpoint — it’s a thread. Attackers register throwaway domains cheaply but reuse hosting, so the infrastructure is what ties a campaign together. We pulled the thread.

  1. 01Start from the one flagged domain → its hosting networkAS213790
  2. 02Expand to the network's registered address space5 × /24 · 1,270 IPs
  3. 03Sweep every address for a live TLS service171 responding
  4. 04Read the certificate each host presents — the names behind the IPs63 serving certs
  5. 05Harvest the certificate domain names→ 150 domains

The certificate is the tell. Attackers hide domains behind bare IP addresses, but the TLS certificate a server presents names them out loud. Mapped in minutes on 14 July 2026 — no prior knowledge of a single one of these domains.

03

What was hiding on the network

One tenant, offshorehost[.]info, advertises the service by name. The rest is a full-spectrum cybercrime host. Indicators defanged.

Financial & crypto phishing

Credential-harvest lookalikes for banks and exchanges.

*.mabanqueparibas[.]comcoinspot[.]support

Brand-impersonation certificates

Forged certs naming brands they can't legitimately serve.

*.samsung.com (+50 SANs)www.apple.comms-telemtry[.]com

Government & benefit scams

The lead that started it all — a fake U.S. Social Security Administration portal.

e-socialstatement[.]com

Criminal marketplaces

Stolen-card and narcotics storefronts.

carderz[.]todrugmaniac[.]tobreakingbad[.]ws

Malware & stealer panels

Command panels and stealer-log tooling.

apilogtool[.]onlinesoft-setup[.]companel.win-tools[.]net

Spam & anonymity infrastructure

Bulk mailers, proxy services, a Tor hidden service.

smtp-zone[.]suproxiesfood[.]com*.onion
04

The part that matters: we were first

We checked every domain and IP against the public threat feeds the industry runs on — OpenPhish, URLhaus, ThreatFox, Feodo Tracker, Spamhaus, FireHOL.

150 attacking domainslisted in public domain feeds
Datazag
150 found
Public feeds
0 listed
5 malicious netblocksflagged by public IP reputation lists
Datazag
5 mapped
Spamhaus / FireHOL
2 listed
Datazag infrastructure detectionPublic threat feeds

Public domain feeds are reactive. A domain gets listed afterit’s been reported attacking someone. Every one of these 150 was still invisible to them — the operation was mapped while it was still being built.

Public IP lists corroborate, but don’t cover. Spamhaus DROP independently flags 2 of the 5 netblocks — strong third-party validation that the network is criminal. Yet even Spamhaus misses 3 of the 5, including the block serving the fake Apple, the BNP Paribas lookalike, and a Tor service.

The threat announces itself at the infrastructure, long before the domain.

Domain-first · reactive

Wait for a domain to attack, get reported, and propagate to a feed. By then the campaign has run — and the next hundred domains are already registered.

Infrastructure-first · proactive

Find the reused, expensive thing — the hosting — and every domain on it falls out at once. One signal, the whole operation, before the phishing page ever lands in an inbox.

What this means if it’s your feed

These 150 domains and 5 netblocks would have arrived as scored, annotated records in your SIEM or warehouse — before the first phishing email was sent — because the intelligence is delivered as data into the stack you already run.

For MSSPs, one investigation like this, white-labeled across your client base, is a retention artifact no reactive feed can produce.

Not every flagged certificate unravels a 150-domain cluster. Every one is checked the same way.

Datazag · Infrastructure Intelligence

Findings from a single investigation conducted by the Datazag detection pipeline. Indicators are defanged; domains named are assessed as malicious infrastructure. Feed snapshot taken 14 July 2026 09:00 UTC. Public-feed comparison reflects ingested feed snapshots (OpenPhish, URLhaus, ThreatFox, Feodo Tracker, Spamhaus DROP/ASN-DROP, FireHOL) and may differ from live feed state. Published 14 July 2026.