Use Case Guide

Scenario-led workflow

Investigate a Domain or Website

Editorial

A repeatable workflow for turning a domain, URL, or suspicious website into corroborated ownership and infrastructure context.

Problem

You have a domain or website in front of you and need to turn it into a defensible picture of ownership, infrastructure, and risk without jumping to attribution too quickly.

Suggested workflow

Capture page state -> check DNS and certificate history -> map infrastructure pivots -> corroborate ownership claims -> report with caveats.

Best for

Journalists, investigators, and analysts starting from a site, landing page, or suspicious domain.

Verification posture

Use archived captures, DNS history, and infrastructure pivots together. Any single one of those signals can mislead on its own.

Workflow notes by depth

Beginner: Do not start with attribution. Save the page first, record the domain, and compare two simple sources before making the workflow more technical.

Intermediate: Treat DNS history, certificate reuse, and exposed hosts as clues that need corroboration, not as standalone proof of control.

Advanced: Cluster related infrastructure only after you have enough historical overlap to rule out commodity hosting noise and generic shared services.

Practical cautions

Stay on the passive side of the line. Do not authenticate, bypass controls, or test live infrastructure beyond publicly exposed information that the tools already surface.

Editorial position: Use this page to sequence the work, then move into the linked tools and comparisons for product-level tradeoffs.

Useful tool lanes: Archives & Historical Web, Domain & DNS Intelligence, Network & Attack Surface

Suggested Tool Stack

Start with tools that fit this job.


Tool profile

Global Forest Watch

Forest monitoring, satellite alerts, and environmental geospatial data

Best for: Environmental OSINT, deforestation monitoring, forest-change alerts, land-use context, and public-interest geospatial research.


Tool profile

ACLED

Political violence and protest event data for public-interest research

Best for: Structured conflict, protest, political-violence, crisis, actor, and event-context research for journalism, civil society, and regional analysis.


Tool profile

Pulsedive

Community threat-intelligence search and indicator enrichment

Best for: Enriching domains, IPs, URLs, and indicators with reputation, community threat-intelligence context, and linked observables during triage.


Tool profile

FullHunt

Attack-surface discovery and domain intelligence platform

Best for: Expanding a scoped domain or organization into public assets, technologies, services, and exposure clues before validation.


Tool profile

Chainabuse

Public crypto scam and suspicious-address reporting database

Best for: Checking whether wallets, domains, scam narratives, or crypto abuse indicators have public reports or related community warnings.


Start by capturing the exact URL, the visible claim, and the time you accessed it before you pivot anywhere else. Domain investigations become harder to defend when the first snapshot is missing.

Recommended sequence

  1. Preserve the visible page with urlscan.io, Wayback Machine, or Archive.today if the content may change.
  2. Check domain history, DNS records, and certificate clues with SecurityTrails, crt.sh, and WHOIS-style lookups.
  3. Expand the infrastructure view with Shodan or Censys when the case depends on hosts, ports, certificates, or related services.
  4. Only move into reporting after you have at least two independent signals that support the same ownership or attribution story.

Where this breaks down

Registrar data can be stale, privacy protection can hide ownership, and reused infrastructure can create false links. A shared host or reused certificate is not proof of a shared operator.

Before you publish

Keep screenshots, timestamps, and the exact pivot trail. If the conclusion depends on inference rather than direct evidence, label it as such.
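One way to apply the two-independent-signals rule and the inference label to a recorded pivot trail. This is an added example, not part of the original guide. It assumes "independent" means two different signal families from two different sources; the `Pivot` fields, the kind labels, and the sample trail are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Signal families named in the guide (assumed labels, added for this example).
FAMILIES = {"archive", "dns_history", "certificate", "infrastructure", "registration"}
# Observation kinds the guide says can create false links when taken alone.
WEAK_ALONE = {"shared_host", "reused_certificate", "privacy_protected_whois"}

@dataclass(frozen=True)
class Pivot:
    observed_at: str      # ISO 8601 timestamp with UTC offset
    source: str           # tool or archive that surfaced the observation
    family: str           # one of FAMILIES
    kind: str             # what was observed
    supports: str         # the claim this observation is offered for
    direct: bool = False  # True only when the evidence states the claim itself

def assess(claim, trail):
    """Return (status, label, families) for one claim over a recorded pivot trail."""
    relevant = [p for p in trail if p.supports == claim]
    for p in relevant:
        if p.family not in FAMILIES:
            raise ValueError(f"unknown signal family: {p.family}")
        if datetime.fromisoformat(p.observed_at).tzinfo is None:
            raise ValueError(f"timestamp needs a UTC offset: {p.observed_at}")
    # Weak-alone observations stay in the trail as leads but never count as support.
    strong = [p for p in relevant if p.kind not in WEAK_ALONE]
    families = sorted({p.family for p in strong})
    independent = len(families) >= 2 and len({p.source for p in strong}) >= 2
    status = "corroborated" if independent else ("lead_only" if relevant else "unsupported")
    label = "direct evidence" if any(p.direct for p in strong) else "inference"
    return status, label, families

# Constructed sample trail; the domains, claims and timestamps are invented.
TRAIL = [
    Pivot("2024-05-01T09:12:00+00:00", "Wayback Machine", "archive",
          "footer_names_operator", "shop.example is run by Example Ltd", direct=True),
    Pivot("2024-05-01T09:40:00+00:00", "SecurityTrails", "dns_history",
          "historical_ns_overlap", "shop.example is run by Example Ltd"),
    Pivot("2024-05-01T10:05:00+00:00", "Censys", "infrastructure",
          "shared_host", "shop.example and other.example share an operator"),
    Pivot("2024-05-01T10:20:00+00:00", "crt.sh", "certificate",
          "reused_certificate", "shop.example and other.example share an operator"),
]

if __name__ == "__main__":
    for claim in sorted({p.supports for p in TRAIL}):
        print(claim, "->", assess(claim, TRAIL))
```

The second claim stays `lead_only` even though two tools agree, because a shared host and a reused certificate are exactly the overlaps that commodity hosting produces.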

Methodology note

This guide is built for corroboration first. It favors preservation, passive discovery, and evidence you can explain later.