In 2015, a subreddit called /r/The_Donald was created. This has made a lot of people very angry and widely been regarded as a bad move.

Roughly 5 years after its inception, the Reddit staff banned /r/The_Donald because it was a cesspool of hateful content and harmful conspiracy theories.

Why are we talking about this in 2021?

Well, a lot has happened in the first week of the new year. A lot of words have been written about the fascist insurrection that attempted a coup on the U.S. legislature, so I won’t belabor the point more than I have to.

But as it turns out: The shitty people who ran /r/The_Donald didn’t leave well enough alone when they got shit-canned.

Instead, they spun up a Reddit clone under the domain thedonald.win and hid it behind CloudFlare.

Even worse: Without Reddit rules to keep them in check, they’ve gone all in on Political Violence and terrorism.

(Content Warning: Fascism, political violence, and a myriad of other nastiness in the Twitter thread below.)

If you remember last year, I published a blog post about identifying the real server IP Address from email headers. This is far from a sophisticated technique, but if simple solutions work, why not use them?

(Related, I wrote a post in 2020 about more effectively deplatforming hate and harassment. This knowledge will come in handy if you find yourself needing to stop the spread of political violence, but is strictly speaking not relevant to the techniques discussed on this page.)

Unmasking TheDonald.win

The technique I outlined in my previous post doesn’t work on their Reddit clone software: Although it asks you for an (optional) email address at the time of account registration, it never actually emails you, and there is no account recovery feature (a.k.a. “I forgot my password”).

However, their software is still a Reddit clone!

Reddit has this feature where you can submit links and it will helpfully fetch the page title for you. It looks like this:

How this feature works is simple: They initiate an HTTP request server-side to fetch the web page, parse out the title tag, and return it.

So what happens if you control the server that their request is being routed to, and provide a unique URL?

Well, that was easy! To eliminate false positives, I performed all of this sampling with Tor Browser and manually rebuilt the Tor Circuit multiple times, and always got the same IP address: 167.114.145.140.

An Even Lazier Technique

Just use Shodan, lol

Apparently chuds are really bad at OpSec, and their IP was exposed on Shodan this whole time.

The Road to Accountability

Okay, so we have their real IP address. What can we do with it?

The easiest thing to do is find out who’s hosting their servers, with a simple WHOIS lookup on their IP address.

Hosted by OVH Canada, eh? After all, nothing screams “Proud American” like hosting your website with a French company in a Canadian datacenter.

I immediately wondered if their ISP was aware they were hosting right-wing terrorists, so I filed an innocent abuse report with details about how I obtained their IP address and the kind of behavior they’re engaging in. I’ll update this post later if OVH decides to take action.

Lessons to Learn

First, don’t tolerate violent political extremists, or you’ll end up with political violence on your hands. Deplatforming works.

Second, and most important: Online privacy is hard. Hard enough that bigots, terrorists, and seditious insurrectionists can’t do it right.

This bears emphasizing: None of the techniques I’ve shared on the history of my blog are particularly clever or novel. But they work extremely well, and they’re useful for exposing shitty people.

Remember: Sunlight is the best disinfectant.

Conversely: Basic OSINT isn’t hard; merely tedious.

Other Techniques (from Twitter)

Subdomain leaks (via @z3dster):

Exploiting CloudFlare workers (via @4dwins):

DNS enumeration (via @JoshFarwell):