Users inside mainland China report that the nameservers for the .icu top-level domain are resolving to the wrong IP addresses — a disruption that, if confirmed at the registry level, could affect millions of registered names

Users in mainland China are reporting that .icu domains are failing to resolve correctly, with network checks suggesting the problem may reach deeper than a typical registrable domain-based censorship block — pointing to interference at the level of the .icu registry’s own authoritative nameservers.

Unlike blocking individual websites, DNS poisoning that reaches the top-level domain (TLD) authoritative nameserver layer can propagate through the TLD’s entire DNS infrastructure, affecting not just targeted users but the caching servers that serve them.

What the records show

According to IANA — the Internet Assigned Numbers Authority, which maintains the global DNS root — the .icu top-level domain is delegated through four nameservers: a.nic.icu, b.nic.icu, c.nic.icu, and d.nic.icu, which should resolve to specific IP addresses operated by CentralNic on behalf of the registry.

Users testing from Chinese network nodes, using tools like itdog.cn, are instead receiving different IP addresses entirely — including addresses that bear no relation to the registry’s published infrastructure.

At 6:22 a.m. UTC on Tuesday, April 28, 2026, when this publication was written, testing using itdog.cn against one of the authoritative servers, b.nic.icu, by resolving the A record through local ISP DNS servers produced the following result: only 58.13% of attempts resolved to the designated IP address, 185.24.64.108, while the others were polluted.

Among the reported responses, 31.13.94.37 is a known Facebook IP range, consistent with a well-documented pattern in which China’s Great Firewall redirects queries for censored domains to random real IP addresses, a technique that makes anti-poisoning countermeasures significantly harder to deploy than when a fixed set of fake IPs is used.

Shortdot SA, the Luxembourg-based registry operator for .icu, and CentralNic, which handles its technical infrastructure, had not responded to requests for comment.

Why TLD-level nameserver pollution is different

Most DNS censorship in China operates at the level of individual domains — a query for a particular website returns a wrong or blocked IP, while the rest of the internet continues normally. When the Great Firewall observes DNS queries to certain domains, it responds by injecting a poisoned DNS response to the requesting resolver. Due to its position in the network, this typically reaches the requesting resolver before the response from the actual DNS server.

Poisoning the registry’s own nameservers — the a.nic.icu, b.nic.icu, c.nic.icu addresses — is a different order of disruption. Those servers are not individual websites; they are the infrastructure that tells the global DNS system where to find any .icu domain. If those records are being intercepted or misdirected inside China, no .icu query resolved through a Chinese resolver can complete correctly, regardless of whether the individual domain was ever on a blocklist.

Research into the GFW has documented that even when poisoned responses are set aside, the DNS caches of servers inside China can themselves become poisoned — suggesting the attack is not always targeted at individual users, but at the underlying DNS infrastructure.

This is not without precedent. In 2010, a root name server operated inside China began returning poisoned DNS results to global users, preventing users in Chile and the United States from accessing sites including Facebook. The server was shut down to stop the poisoning. In 2014, two-thirds of China’s DNS infrastructure began resolving unrelated domains to a single US-based IP address, causing a widespread internet outage inside China.

The .icu domain and China’s censorship history

The .icu extension is not simply a generic low-cost domain with an outsized presence in China. It carries specific political history.

The 996.ICU project was initiated by an anonymous user on GitHub on 26 March 2019. The person complained that the “996” work schedule — 9am to 9pm, six days a week — recently advocated by some prominent entrepreneurs in the Chinese tech industry risked sending employees straight to the intensive care unit. The name of the domain was the protest itself.

The project spread fast. By 30 April, it had received 240,000 stars on GitHub. Chinese domestic browsers — including Tencent’s QQ browser, Alibaba’s UC browser, and Qihoo’s 360 browser — restricted access to the 996.ICU repository, saying the website contained illegal or malicious information.

In response, workers at Microsoft and GitHub launched a public petition calling on the company to keep the 996.ICU repository uncensored and available to everyone, citing solidarity with Chinese tech workers.

The .icu extension became a template. 611Study.ICU — standing for “study from 6 AM to 11 PM, and end up in ICU” — was launched as a crowdsourced documentation project targeting the enforced schedules of Chinese high school students, with countless students suffering both physically and mentally from the schedule. The project’s revelations that over 2,000 schools had illegally forced students back early for extended study hours triggered public outrage, prompting authorities in at least one Chinese city to issue directives banning early returns.

The .icu extension is also deeply embedded in the Chinese internet commercially. According to domainnamestat.com, the .icu zone has 1,107,698 registered domains to date.

What remains unconfirmed

The reports are circulating on Chinese-language technical forums, with testing tool results as the primary evidence. The claims have not been verified by independent measurement platforms such as OONI or Censored Planet, and no statement has come from Shortdot, CentralNic, or ICANN. It is also possible that what some users are observing reflects localized resolver-level pollution rather than interference at the registry nameserver tier itself — a distinction that matters for the scope of any disruption.

Researchers and domain operators with access to Chinese network nodes can test the behavior directly by querying a.nic.icu from within mainland China and comparing results against the IANA-published delegation record.

Shortdot SA and CentralNic were contacted for comment. This story will be updated as additional information becomes available.

The Hollow “Official” Status

“.edu.eu” is not an official educational domain recognized by the European Union or any member state government. Simply put, it’s claimed to be a commercial project launched in 2018 by a private company called Euro Education Domains Registry Limited (EEDRL).

The company’s claimed business model is straightforward: they registered the “edu.eu” domain and now sell subdomains to educational institutions, such as “school.edu.eu.” This means all “.edu.eu” websites are actually third-level domains, completely controlled by this private enterprise and having no connection to EURid, the official EU domain registry.

The European Commission has never authorized any organization to use “.edu.eu” as an official educational identifier. While EEDRL claims in its policy documentation to review applicants’ educational credentials, this review process is purely commercial and carries no legal authority.

The Telling Absence of Legitimate Institutions

A revealing phenomenon is that Europe’s most prestigious public universities—Oxford, Cambridge, Sorbonne, Heidelberg, and others—do not use “.edu.eu” domains. These institutions continue to use their respective national domain suffixes like “.ac.uk,” “.fr,” “.de,” and others.

The majority of organizations that use “.edu.eu” are obscure private schools or self-proclaimed “international institutes” and training providers. The European Institute of Leadership and Management in Dublin (eilm.edu.eu) and the International Business Academy of Switzerland (ibas.edu.eu) are two examples. These institutions frequently advertise impressive-sounding accreditations; however, upon closer examination, it becomes apparent that these credentials are typically obtained from private organizations or industry associations rather than national education departments.

This phenomenon speaks volumes: if “.edu.eu” were truly an authoritative educational identifier, why wouldn’t Europe’s finest universities use it? The answer is simple—it lacks such authority entirely.

A Breeding Ground for Educational Fraud

The fact that “.edu.eu” domains have become a haven for educational scams is even more concerning. In multiple instances, fraudsters have used or exploited this domain suffix that appears to be “official” in order to deceive students.

The Italian “University” Scam

A Reddit user report (archive) exposed a typical fraud: a student paid full tuition to a supposed Italian private university hosted on “iep.edu.eu,” only to have the program suddenly canceled with the “university” disappearing entirely and refusing refunds. Users analyzing the site discovered it was filled with generic templates and stock photos, with no actual campus facilities.

The Scandinavian Degree Mill Network

More serious is a long-running degree-selling operation. According to scholar Dr. Ben Limooie’s LinkedIn disclosure, an individual named “Martin Nielsen” controls multiple “.edu.eu” websites, including “ibss.edu.eu” and “ibas.edu.eu,” specifically to sell fraudulent MBA and DBA degrees. These entities even established fake accreditation bodies to boost credibility, with victims paying thousands of dollars for worthless “degrees.”

Misleading Accreditation Claims

Another troubling pattern involves institutions using impressive-sounding but ultimately meaningless accreditation lists. The European Institute of Management and Technology (eimt.edu.eu) exemplifies this practice. Forum discussions (archive) reveal how these institutions exploit public confusion about accreditation.

EIMT lists numerous credentials including EURASHE, ACBSP candidate status, OTHM, QAHE, DRPF, and others. They claim membership in EAI Malta, which itself holds certain recognitions. However, as education experts point out, these are largely memberships in private organizations rather than official government accreditation. As one forum user succinctly explained: “It’s like, I’ve got a Costco membership, now I’m accredited by Costco, membership doesn’t equal accreditation, ever...”

The fundamental issue is that these institutions “aren’t recognized in the country they are in” and are “going through loopholes of other country recognition” while padding their credentials with “false accreditation fluff.” This strategy deliberately confuses prospective students who may not understand the difference between meaningful government recognition and private organizational memberships.

These cases demonstrate that EEDRL’s claimed “rigorous vetting” is essentially meaningless. Fraudsters can easily create “.edu.eu” subdomains and use their “educational” veneer to implement scams.

Suspicious Infrastructure Patterns

Technical analysis of “.edu.eu” domains reveals concerning patterns that further undermine their credibility. A small dataset examination shows multiple institutions using Chinese DNS infrastructure (DNSPod/Tencent Cloud), which raises questions about their claimed locations and operations.

For example, institutions with names suggesting diverse geographic presence—Southern Technical University Colorado (stu.edu.eu), The Asia Pacific School of Business (apsb.edu.eu), and Eurasian Higher Education and Social Studies (ehess.edu.eu)—all use identical Chinese DNS servers and share the same IP address (203.86.233[.]139). This suggests these “separate” institutions may actually be operated by the same entity.

Even more telling is institutions like The Asia Pacific School of Business, which boasts about having “globally recognized domain name systems” across multiple extensions (apsb.edu.eu, apsb.edu.vn, apsb.edu.ky, apsb.ac.nz, apsb.ac.cn), seemingly focusing more on domain collection than actual educational activities. However, this claim is misleading—none of these domains require educational accreditation to register. Unlike registry-restricted domains like the U.S. “.edu” or U.K. “.ac.uk,” these subdomains can be purchased by anyone willing to pay the registration fee.

WHOIS data reveals further deception: the apsb.ac.cn domain listed on APSB’s website is registered to “海归教育资讯（深圳）有限公司” (Returnee Education Information Shenzhen Co., Ltd.), a Chinese company, not an international educational institution. The registrant contact email “ceo@microbolg.com” contains a typo. This evidence suggests APSB may be a Chinese company targeting overseas education markets rather than the international academic institution it presents itself to be.

Additional patterns emerge across the .edu.eu space: EURACA (euraca.edu.eu), European University (european.edu.eu), and Arab University (alarabia.edu.eu) all use the same webhostbox.net hosting service, with some sharing identical IP addresses (162.241.85[.]111). Multiple “universities” including Avicenna University (avicenna.edu.eu), College.edu.eu, and European University College (euc.edu.eu) share the exact same IP address (52.28.46[.]27) and nameserver configuration.

Subdomain Analysis

The investigation on subdomains reveals a pattern of fraudulent educational institutions using the edu.eu domain. Common red flags include: use of non-existing, virtual or residential addresses as official locations, misleading claims about accreditation and partnerships, hosting infrastructure shared across supposedly separate institutions, misalignment between registered business information and website claims, news media exposure and reports, user reports of scams and degree mills, and attempts to mimic legitimate universities.

All of these institutions appear to target international students with promises of European credentials while lacking proper accreditation or facilities.

Registry:

• register.edu[.]eu - The domain registry itself (EURO EDUCATION DOMAINS REGISTRY LIMITED) shows highly suspicious characteristics. Registry operated by EURO EDUCATION DOMAINS REGISTRY LIMITED. Virtual Dublin address. Email from mail.ru servers, fails authentication. Irish company using Russian email hosting.

Active Fraudulent Institutions and Degree Mills:

• stu.edu[.]eu - Southern Technical University Colorado. Residential address in Franktown CO. Same IP (203.86.233.139) as apsb and ehess domains. Misappropriates legitimate Iraqi university name.

• eibm.edu[.]eu - European Institute of Leadership and Management. Flagged on Reddit as “scam institution run by Indians.”

• eam.edu[.]eu - European Academy of Medical Sciences. UK registration mismatch. Residential/HVAC contractor addresses. Invalid US nonprofit number format.

• american.edu[.]eu - University of America in Paris. Residential building address. Member of suspicious global-edu.eu network. Name confusion with legitimate American University of Paris.

• ieu.edu[.]eu - International European University Kiev. Major news coverage. Multiple Reddit warnings. Conditional accreditation only. Poland campus investigated.

• knu.edu[.]eu - Fake “Open University of Taras Shevchenko.” Flagged on degreeforum as scam. Misappropriates legitimate KNU address. No affiliation with real university.

• eilm.edu[.]eu - European Institute of Leadership & Management. Residential Dublin address. No Irish company registration. Negative Trustpilot reviews citing AI-generated content.

• alzette.edu[.]eu - Alzette University. Misappropriates Crescent College and Mbway Lyon addresses. Multiple fake social profiles.

• euu.edu[.]eu - European Union University. Listed in degree mill databases. Wikipedia unaccredited institutions list.

• eimt.edu[.]eu - European Institute of Management And Technology. Questioned on degreeforum. Invalid accreditation claims. Swiss registration but suspicious practices.

• egs.edu[.]eu - European Global School. UK media coverage linking to scams. Misappropriates Istanbul USM address. False accreditation claims.

• euraca.edu[.]eu - European Academy for Sustainable Development. Same IP (162.241.85.111) as european and alarabia domains. Misappropriated VAT number.

• european.edu[.]eu - European University. Misappropriates London Strength and Conditioning address. Same hosting as euraca/alarabia.

• aiu.edu[.]eu - Amsterdam International College. Reddit users visited address - building manager denied existence. False campus claims.

• eim.edu[.]eu - European Institute of Management. Same Reddit reports as eimt. “Scam institution run by Indians.”

• douglas.edu[.]eu - Douglas Business School. Warehouse address. Facebook user reports “scamming everywhere.” Targets Chinese students.

• aic.edu[.]eu - Amsterdam International College (alternative domain). WordPress errors. Same reports as aiu domain. Fake LinkedIn credentials.

• hgu.edu[.]eu - Harold Gillies University. Florida registration document found. Login-only access. Minimal verification possible.

• aue.edu[.]eu - American University of Europe. Misappropriates AUE-FON University New York address.

• wpunu.edu[.]eu - World Peace of United Nations University. Account suspended. Indian court document confirms not UGC recognized.

• iis.edu[.]eu - Institute For International Studies. Convenience store address in Brooklyn. Registry’s press release highlights this domain.

• wsu.edu[.]eu - Western State University. Claims Curacao licensing but not in NL registers. WhatsApp-only contact.

• wilmingtonmu.edu[.]eu - Wilmington Metropolitan University. Mall/Regus address. Not found in UK QUALIFI database despite claims.

• aaguc.edu[.]eu - AAGUC-APSB and GAFM United College. New Zealand address but no company registration found. AI/stock images only.

• apsb.edu[.]eu - Asia Pacific School of Business. Same IP (203.86.233.139) as stu/ehess. Chinese company owns related domains. Multiple TLD collection focus.

• ehess.edu[.]eu - Eurasian Higher Education And Social Studies. Same infrastructure cluster as stu/apsb. No physical address.

• huparis.edu[.]eu - Horizons University. Multiple Reddit flags. Misappropriates Academy Geopolitics De Paris address.

• psychologicalsafetyacademy.edu[.]eu - Psychological Safety Academy. No contact info. Stock images only. Limited content.

• ibas.edu[.]eu - International Business Academy of Switzerland. LinkedIn professional identifies as controlled by “Martin Nielsen” for fake degree sales.

• cmu.edu[.]eu - California Metropolitan University. Misappropriates legitimate CMU name. Non-existent San Francisco address.

• ibss.edu[.]eu - International Business School of Scandinavia. Same LinkedIn disclosure as ibas - controlled by “Martin Nielsen.” Media coverage of scam network.

• rcu.edu[.]eu - Reading Century University. Technical analysis on forums shows Chinese infrastructure. Fake California location claims.

• eae.edu[.]eu - European Academy of Engineering. Antique store address in Gothenburg. Multiple Chinese academic connections found.

• ceu.edu[.]eu - Colorado Economics University. Building directory doesn’t list university. Chinese media coverage with misleading content.

• avicenna.edu[.]eu - Avicenna University. Same IP (52.28.46.27) as college/euc domains. Redirects to .hu domain.

• euroamerican.edu[.]eu - EuroAmerican Education. No Swiss company registration found. Stock content only. Associated with eimt findings.

• winncollege.edu[.]eu - Winn College. California address not in building directory.

• iep.edu[.]eu - IEP Italy International Education Partners. Reddit user paid tuition, program canceled, no refunds. SSL expired. Rome address not in directory.

• amu.edu[.]eu - American Management University. USA Today “zombie colleges” investigation. Multiple scam network coverage.

An Elegantly Packaged Deception

Weighing all evidence, the true nature of “.edu.eu” domains is clear: this is a commercial project operated by a private company with neither official authority nor effective oversight.

Even more detrimentally, it has either been designed for educational fraud and degree mills or has become one.

For students, seeing a “.edu.eu” domain should raise red flags rather than provide reassurance. This suffix cannot validate any educational credentials and may actually serve as a warning signal. When choosing educational institutions, focus on:

• Whether the institution has formal accreditation from its country’s education department

• Whether degrees are internationally recognized

• Whether there’s a physical campus and complete educational infrastructure

• Whether there’s verifiable faculty and alumni networks

The existence of “.edu.eu” domains serves as an illustration of a more extensive issue: commercial packaging frequently takes the place of authoritative identifiers when legitimate channels are unable to provide them. However, for students, appealing packaging can never serve as a substitute for genuine educational value.

References

This article is based on the following public sources:

• EEDRL’s official announcement about “.edu.eu” launch

• Register.edu.eu official website policy documentation

• Domain application eligibility requirements

• Reddit scam case discussion

• LinkedIn degree mill exposure post

• EILM institutional review page

• Fake university monitoring organization report

• Degree forum related discussion

Dataset

A list of 224 edu.eu subdomains detected through OSINT methods. Approximately 61 of them host live websites:

• List of 224 edu.eu subdomains

Nearly a decade later, my recent analysis of domain registration data suggests this trust may be eroding in ways that would surprise even the most cynical observers. After examining zone files from ICANN’s Centralized Zone Data Service (CZDS) for both .ngo and .ong domains, I discovered that over 5% of all registered domains in these supposedly protected spaces appear to be associated with online gambling operations.

The numbers: out of 9,193 total .ngo/.ong domains currently registered, my analysis identified 471 domains that likely involve online gambling activities. That’s roughly one in every 19 domains – a proportion that raises serious questions about the effectiveness of current validation processes.

It’s important to note that this analysis represents a preliminary examination rather than a comprehensive, peer-reviewed study. The findings presented here are based on keyword identification and basic website verification to rule out false positives, which while suggestive, may not capture the full complexity of domain usage patterns. This preliminary look is intended to highlight potential concerns and prompt further investigation rather than serve as definitive proof of systematic abuse. More rigorous analysis would require deeper verification methods, manual review of borderline cases, and consultation with domain registry operators.

The Analysis

I analyzed the complete zone files for both .ngo and .ong domains, looking for telltale signs of gambling operations.

The simple lookup started with keyword matching to find domains that looked suspicious. Then, Python scripts were used to check live websites to get rid of false positives. The keywords were numbers and words that are often used in the names of online gambling sites, such as “88,” “68,” “33,” “bet,” “win,” “vip,” “casino,” and “poker.”

While this methodology isn’t definitive (some legitimate organizations might use these terms in non-gambling contexts), the subsequent verification of live websites strongly suggests the majority of flagged domains are indeed operating gambling services.

Examples of suspect domains include:

• 188bet[.]ngo and 188bet[.]ong

• bet365[.]ngo, bet365[.]ong, 888poker[.]ong

• fun88[.]ngo, win88[.]ong, lucky88[.]ngo

• gamebaidoithuong[.]ngo - Vietnamese gambling terminology

• 1xbet[.]ngo, m88[.]ong, w88[.]ngo - popular international betting brands

• vip79[.]ngo, 333win[.]ong, 98win[.]ngo - VIP and winning-themed sites

The full list of suspect domains reveals a concerning pattern of what appears to be systematic abuse of domains meant to serve the public good.

How We Got Here: The Erosion of Validation

Understanding how gambling operations infiltrated spaces reserved for nonprofits requires looking at the evolution of .ngo/.ong registration policies. When these domains first launched, they featured rigorous pre-validation requirements. Organizations had to provide extensive documentation proving their NGO status, and domains were immediately placed on server hold while the Public Interest Registry (PIR) directly verified legitimacy. The process required meeting seven specific criteria, including acting in the public interest, being non-profit-focused, and having limited government influence.

The original system also included OnGood, a comprehensive community platform that served as a global directory of validated NGOs. This platform allowed organizations to showcase their missions, connect with supporters, and even collect donations – all within a verified ecosystem that provided additional legitimacy.

However, the landscape changed dramatically around 2020 when PIR implemented significant policy changes to “simplify” the registration process. The new system replaced pre-validation with self-certification, allowing domains to go live immediately upon registration. Instead of submitting documentation, registrants now only need to check a box stating they understand and agree to the policies and certify their organization meets eligibility requirements.

This shift from proactive verification to reactive auditing created the vulnerability that gambling operations appear to have exploited. While PIR retains the right to conduct audits and cancel domains for policy violations, the current system essentially operates on an honor system – asking bad actors to police themselves.

What This Means for the Future

Gambling sites getting into .ngo and .ong domains is more than just a technical policy failure; it’s a breach of trust that these domains were meant to build. People who donate to organizations with .ngo domains should reasonably expect them to be real nonprofit organizations. Not only do gambling operations in this space trick users, but they could also hurt trust in the whole nonprofit digital ecosystem.

The timing of these changes also raises questions about priorities. The elimination of the OnGood platform and the relaxation of validation requirements in 2020 coincided with PIR’s efforts to streamline operations and reduce costs. While operational efficiency is important, the cost of reduced trust and potential fraud may far exceed any savings from simplified processes.

What This Means for Donors and NGOs

For donors and supporters, this analysis suggests treating .ngo/.ong domains as a positive indicator rather than a definitive guarantee of legitimacy, particularly for domains registered after 2020. The validation that once made these domains trustworthy has been significantly weakened, requiring the same due diligence you’d apply to any other domain.

For legitimate NGOs using these domains, the situation creates an unfortunate association problem. Organizations that chose .ngo/.ong domains specifically for their credibility benefits now find themselves sharing digital space with gambling operations. This may prompt some organizations to reconsider their domain strategy or advocate for stronger validation requirements.

The bigger lesson here is that it’s hard to keep trust in digital spaces, not just with domain names. The .ngo/.ong experiment shows how quickly trust can fade when verification systems are weakened, even with good intentions. As we increasingly rely on digital indicators of legitimacy, the systems that create and maintain these indicators become critical infrastructure for trust in the digital age.

Moving forward, the question isn’t just whether PIR will address this specific abuse, but whether the nonprofit sector will demand the validation standards necessary to preserve the trust these domains were meant to create. The alternative – a digital landscape where legitimate charities and gambling operations are indistinguishable by their domain names – serves no one except those seeking to exploit the goodwill of donors.

Complete list of suspect domains identified in this analysis - 471 domains

Note: This analysis represents a snapshot in time based on publicly available zone file data. Domain usage can change, and some domains may have legitimate explanations for keyword matches. The findings should be considered indicative rather than definitive proof of gambling operations.

What is Typosquatting?

Typosquatting is a form of cybersquatting that targets users who incorrectly type a website address into their browser. This social engineering technique relies on the predictable mistakes people make when manually entering URLs.

Common typosquatting methods include:

• Simple keyboard typos (pressing adjacent keys)

• Character omission (forgetting a letter)

• Character transposition (swapping letters)

• Character replacement (using similar-looking characters)

• Domain hyphenation (adding hyphens between words)

• TLD variation (using .co, .cm instead of .com)

According to a 2015 research, over one-fifth of all .com domain registrations are now typo domains, with the number growing each year. This isn’t just annoying – it’s potentially devastating for both individuals and organizations.

Google’s googleapis.com Domain

Before getting into the findings, let’s understand what makes googleapis.com particularly valuable to attackers.

The googleapis.com domain serves as one of the primary endpoints that developers integrate into their applications. This includes high-volume services like:

• Google Fonts API

• Cloud Storage (e.g. Google’s version of S3)

When developers make API calls to these services, they typically use endpoints like

https://domains.googleapis.com

or other service-specific subdomains. The domain handles billions of API requests daily from applications worldwide.

A simple example for Google Fonts usage:

<link rel=”stylesheet” href=”https://fonts.googleapis.com/css?family=Tangerine”>

A simple example for Google-hosted Bootstrap and JQuery usage:

<script src=”https://ajax.googleapis.com/ajax/libs/bootstrap/5.3.3/js/bootstrap.min.js”></script>
<script src=”https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js”></script>

Keyboard Proximity Search & WHOIS Data

I began looking into potential typosquatting vectors for googleapis.com using keyboard proximity analysis to identify likely typos. Using a combination of algorithm-generated typo permutations and manual analysis of common developer mistakes, I identified a list of high-risk domain variations.

The next step was querying WHOIS servers to determine registration status, ownership patterns, and potential malicious indicators for these domains.

Here’s what I found when analyzing key typosquatting domains:

• gogleapis[.]com - created on 2014-09-09

• googleapis[.]net - created on 2024-12-18

• googleapk[.]com - created on 2010-11-16

• googleapjs[.]com - created on 2019-08-31

• gooogleapis[.]com - created on 2020-02-1

• googeapis[.]com - created on 2022-07-18

• googleapi[.]com - created on 2004-04-02

• googlepis[.]com - created on 2016-07-13

• googleapp[.]com - created on 2008-05-15

• googleqpis[.]com - created on 2024-03-13

• gogleapi[.]com - created on 2024-03-07

• googieapis[.]com - created on 2017-05-13

• gogleapi[.]com - created on 2024-03-07

• googlrapis[.]com - created on 2016-03-07

• googapis[.]com - created on 2016-03-08

• googpeapi[.]com - created on 2024-07-05

• googleapls[.]com - created on 2019-04-23

• googleapics[.]com - created on 2024-11-0

• googleapls[.]com - created on 2019-04-23

• googleaips[.]com - created on 2024-08-26

• googlaepis[.]com - created on 2017-01-27

Findings

1. Legitimate Google Domains vs. Typosquats:

   The domains registered by Google LLC through MarkMonitor (googleapis[.]com, googleapi[.]com, googlepis[.]com, googleapp[.]com, googleqpis[.]com) all use Google’s nameservers. This is expected as it’s possible that Google proactively registers common typos to protect users.

   However, I identified 17 typosquatted variations present in the dataset that aren’t likely controlled by Google.

2. Recently Registered Domains (Potential Threats):

   Several domains were registered in the past year, suggesting active typosquatting campaigns:

   • googleapis[.]net (Dec 2024) - Alibaba Cloud, using Cloudflare nameservers

   • gogleapi[.]com (Mar 2024) - NAMECHEAP, using Namecheap hosting

   • googpeapi[.]com (Jul 2024) - NameCheap, using Cloudflare nameservers

   • googleapics[.]com (Nov 2024) - NameSilo, using Host-WW nameservers

   • googleaips[.]com (Aug 2024) - REGISTER S.P.A., using Register.it nameservers

3. Long-lived Typosquats:

   Some typosquatting domains have been active for surprisingly long periods:

   • gogleapis[.]com (since 2014)

   • googleapk[.]com (since 2010)

   These long-established domains may have built significant traffic over time.

4. Very Recent Activity:

   The domain googleqpis[.]com was updated on March 14, 2025 (today!)

My Experiment

To quantify the real-world impact of typosquatting against googleapis.com, I conducted a controlled experiment:

Methodology:

The particular typo I targeted (.cm instead of .com) has been documented as a frequent typosquatting vector. According to research by Brian Krebs, ..cm typosquatting sites received over 12 million visits in just the first quarter of 2018.

1. I registered the domain googleapis[.]cm (Cameroon TLD)

2. Implemented a Matomo instance to track visitors

3. Created a minimal PHP endpoint, using Matomo PHP SDK, at *.googleapis[.]cm

Results:

Within just 24 hours, my typosquatted domain received connections from several surprising sources:

• A United States-based medical service organization that provides services to more than 20,000 healthcare organizations

• An Indonesian government organization

• A water purification facility

• A media publication tool

• A small social media website

• An online education platform

The affected organizations have been notified about the vulnerability in their code.

Exploitation Methods

Had a malicious actor controlled any typosquatted variant of googleapis.com—whether through TLD confusion (.cm, .co, .net), character omission (googleapi.com), character insertion (gooogleapis.com), or character transposition (googelapis.com)—they could exploit any website that accidentally referenced these misspelled domains in their code. These attack vectors aren’t limited to the .cm TLD example from my experiment; they apply to any typosquatted variant that appears in a website’s HTML, CSS, or JavaScript. Here’s how attackers could exploit different types of mistyped Google API endpoints:

1. For fonts.googleapis[.]cm (CSS resources): Attackers controlling this domain could return weaponized CSS using attribute selectors to exfiltrate sensitive data from form fields and page content, effectively creating data-stealing stylesheets. They might deploy specially crafted font files with malicious ligatures that capture and leak information when specific character combinations are displayed, or implement CSS-based keyloggers that track user input through clever selector combinations and background image requests that encode captured keystrokes in the requested URL parameters.

2. For ajax.googleapis[.]cm (JavaScript libraries): By controlling this domain, attackers could serve compromised versions of popular JavaScript libraries like jQuery or Angular with embedded backdoors or tracking code that executes in the context of the victim site. These malicious scripts could harvest form data, cookies, and authentication tokens; manipulate the DOM to alter page content, insert convincing phishing forms, or redirect users to fraudulent sites; and even inject cryptojacking scripts that silently mine cryptocurrency using visitors’ CPU resources, all while appearing to come from a trusted Google domain.

3. For storage.googleapis[.]cm: Controlling this domain would allow attackers to serve malicious executables, libraries, or container images in place of legitimate software that developers and applications expect to download from Google’s storage. This creates a particularly dangerous vector for software supply chain attacks where deployment pipelines, CI/CD systems, or automated update mechanisms unknowingly pull and integrate compromised packages, potentially affecting thousands of downstream systems and providing persistent access that survives beyond the initial compromise.

The impact of such an attack could be especially severe as the malicious code would execute with the privileges of the trusted website domain, bypassing same-origin policy protections. For websites handling sensitive information—like the healthcare organization in my findings—this could lead to HIPAA violations and exposure of protected health information.

Conclusion

A single mistyped character in a domain name can lead to data breaches, credential theft, and malware distribution. The financial and reputational damage from such attacks can be enormous, especially when they impact critical infrastructure or healthcare organizations.

As a Chinese-speaking immigrant living in Canada, like many others, I often use Chinese keywords to search for news on Google. This is how I stumbled upon a series of Chinese-language websites that appear to be local Chinese news platforms. These sites are frequently updated and have strong ties to local Chinese communities and organizations, particularly those connected to Beijing. The news content on these websites generally supports Beijing’s perspective, presenting themselves as official news sources to the Chinese community in Canada, portraying an image of authoritative news providers in Chinese.

An initial investigation of backlinks and keyword analysis has discovered that around 200 websites, featuring similar content in Chinese and targeting a global audience, potentially share a common agenda. It’s important to note that this analysis report has not verified all ~200 websites, as our focus was only on a small subset of them.

Note: In February 2024, the Citizen Lab at the University of Toronto revealed that at least 123 websites, originating from the People’s Republic of China and masquerading as local news outlets in 30 countries across Europe, Asia, and Latin America, were spreading pro-Beijing disinformation and ad hominem attacks amidst a plethora of commercial press releases. This operation was named “Paperwall.” However, the Chinese websites discussed in our specific analysis are not part of the “Paperwall” campaign identified by the Citizen Lab. They are all Chinese-language publications and do not share any characteristics with the “Paperwall” websites. There is no clear evidence to suggest any connection between them.

An analysis of the infrastructure and content of a small subset of these websites has been performed below, focusing primarily on those targeting Canada, especially the Greater Toronto Area. We will explore how these websites have been used to influence the ideologies within the Chinese Canadian communities and affect the political landscape.

Key Findings

1. Widespread Network: The analysis identified over 200 potentially related websites actively publishing content that aligns with Beijing’s geopolitical interests. This analysis examined a small subset of these outlets. These outlets not only target local communities but also connect with global audiences, suggesting a coordinated effort to shape perceptions on a larger scale.

2. Centralized Control and Common Infrastructure: Evidence from technology stack analysis, such as shared WordPress themes and user accounts across multiple sites, suggests a centralized operational structure. This commonality points to a concerted effort to maintain and control the narrative dispersed through these channels.

3. Direct Ties to Pro-Beijing Organizations: Links have been established between these media outlets and organizations like CTCCO and Easyca.ca, which are known for their pro-Beijing stances. Such associations are indicative of an organized attempt to utilize community media as a tool for political influence and community manipulation.

4. Potential Impact on Local Elections and Community Relations: The content distributed by these outlets often focuses on promoting specific political figures and policies favorable to Beijing, which could influence voter perceptions and decisions in local Canadian elections.

A Network of Pro-Beijing News Websites Originating from Canada

An initial search uncovered the following websites, which represent just a subset of hundreds of similar sites. These were identified through connections such as backlinks, identical DNS infrastructure, site builders, user accounts, or WHOIS records.

• CC.NEWS - ccmedia[.]news/

• 国际艺术新闻网 -- International Arts News: Arts without Borders - www[.]artnewsnet[.]com/

• 加拿大和世界报道 -- Canada & World Report - www[.]canadanewsreport[.]com/

• 多伦多新闻网 -- 连接多伦多和世界 - www[.]torontonewsnet[.]com/

• 纽约都市新闻网 -- 来自世界之都的深度报道 - www[.]newyorknewsnet[.]com/

• 世界华文媒体-World Chinese Media -- 全球中文媒体之媒体 - www[.]worldchinesemedia[.]com/

• ChineseCanadianVoice[.]ca - www[.]chinesecanadianvoice[.]ca/

• 国家电视新闻网 - www[.]ntvnewsnet[.]com/

• 健康生活报道-健康、体育、生活新闻 -- Health Life Report - www[.]healthlifereport[.]com/

• 美国西部新闻 -- 西部新闻尽收眼底 - www[.]uswestnews[.]com/

• 环球华语新闻中心 - www[.]cgctv[.]com/

Mimicking Legitimacy: The Strategic Naming and Presentation of Pro-Beijing News Sites

An important aspect of the influence exerted by the network of pro-Beijing news sites in Canada is their strategic naming and presentation, which meticulously mimics the appearance of legitimate and authoritative news sources. This tactic is evidently designed to enhance credibility and trust among the target audiences, particularly within the Chinese Canadian community.

Packaging to Appear Authoritative

Another site, cntvcanada[.]com, styles itself as “加拿大国家电视台 (Canada National Television),” packaging itself in a manner that closely mirrors China’s state broadcaster, CCTV.

The 加拿大国家电视台 (Canada National Television) website

A Canada National TV news truck (Source: China Daily)

This nomenclature and styling are likely intended to confer upon it an unwarranted level of credibility akin to that of a national broadcaster, leveraging the formal tone and visual presentation typical of government-run entities.

The TV Station is operated by the entity “CANADA NATIONAL TV INC.”, according to the Ontario Business Registry.

Imitation of Established Media Names

Many of the websites in this network have adopted names that resonate with well-known media outlets, both in style and substance.

The “国家电视新闻网 (National TV News Network)” website

For example, “国家电视新闻网 (National TV News Network)” at ntvnewsnet[.]com, suggests an affiliation with national television, potentially leading visitors to believe it is a legitimate state or national news service.

Unauthorized Use of Official Symbols

The use of official symbols or logos without authorization is another tactic employed to gain unwarranted legitimacy.

torontonewsnet[.]com uses the City of Toronto’s logo as its “favicon”

For instance, torontonewsnet[.]com uses the City of Toronto’s logo as its “favicon” without authorization, a clear strategy to mislead readers into associating the site with Toronto’s official communications.

Linguistic and Cultural Resonance

The names often include terms like “global,” “international,” “national,” or direct references to major cities or regions (e.g., New York, Toronto, Western U.S.), which are designed to resonate with diaspora communities from those regions.

Technology Stack Analysis

WordPress Themes / Site Builders

The majority of these sites employ the ‘colormag’ theme, albeit with different version updates. This commonality could suggest a shared preference or guidance in their website design choices, potentially indicating a coordinated effort or common source of technical support.

Username Enumeration

We examined each site’s user accounts using a method known as user enumeration. The scan identified that a single account might be managing at least six WordPress sites, as indicated by the consistent use of usernames across these websites.

The presence of common usernames across multiple sites, particularly when these usernames are associated with editorial roles, significantly strengthens the argument for a shared operational structure.

For instance, the username Editor is linked to six different websites, suggesting that either a single individual or a group operating under this generic username has control over the content on these platforms. Similarly, the username jzwgq is associated with six sites, and jzz with three, indicating a pattern of recurring usernames across multiple platforms, which is less likely to be coincidental.

Note: The username admin is often chosen by system administrators for new WordPress installations and does not necessarily signify a connection between sites. However, Editor is not a default administrator username for WordPress.Dataframe: Most frequent usernames and associated websites

The Infrastructure

DNS Analysis

The examination of A records, nameservers, and TXT records for the listed websites offers valuable insights into their infrastructural connections and potential control dynamics.

Ａ Records

The A records reveal that several websites share the same IP address (162.241.240[.]199), suggesting they are hosted on the same server or within the same hosting environment. This commonality in hosting could indicate a centralized operational structure or shared administrative resources. However, the presence of unique IP addresses for other sites (66.96.162[.]139, 50.62.182[.]6, and 52.60.232[.]75) means these sites might be independently managed or hosted with different intentions or levels of control.

Nameservers

The nameservers provide further evidence of potential connections between the sites. Many of the websites use the same pair of nameservers (ns1.server-602265.lifeandwealthhosting[.]com and ns2.server-602265.lifeandwealthhosting[.]com), reinforcing the notion of a shared hosting or management environment.

TXT records

TXT records, particularly those specifying SPF (Sender Policy Framework) settings, highlight how these websites manage email sending and potentially share similar security or email handling policies. The inclusion of the same domain (websitewelcome[.]com) in several SPF records points to a shared approach to email management or a common service provider.

WHOIS Records Analysis

The WHOIS records analysis reveals intriguing details about the registration and administrative contacts of the domains.

1. Registrant Location: A significant number of the domains are registered in Ontario, Canada, with the registrant’s province listed as ON or ONTARIO and the country as CA (Canada). This geographic clustering suggests a centralized operation or a targeted strategy focused on the Canadian context, particularly relevant for those websites aimed at the Chinese Canadian community.

2. Registrar Consistency: Many of the domains are registered through ENOM, INC., a common registrar, which could indicate a preferencewith this particular service provider.

3. Domain Creation and Expiration Dates: The dates when these domains were created and their expiration dates provide a timeline of the network’s development.

The Content

Sustained presence since 2016

We structurely retrieved all posts across all target websites. The analysis illustrates the number of posts per month across the network of websites starting from 2016, according to WHOIS data.

The graph shows an initial period of growth in posting frequency, with a particularly sharp peak around 2020. Despite the fluctuations, there is a sustained presence of activity, which suggests a consistent effort to maintain an active content feed over multiple years.

Proliferation of Repetitive Content Across the Network

One of the most interesting characteristics of the network of pro-Beijing news websites is their widespread use of identical articles across multiple platforms. This tactic not only amplifies the message but also suggests a coordinated approach to content distribution, designed to create an echo chamber effect. This analysis has identified several articles that have been repeatedly published across different sites, often verbatim. This pattern is indicative of a strategic dissemination aimed at maximizing reach and influence among Chinese-speaking audiences globally.

Framing the Hong Kong Protests

The examination of article titles from the network’s coverage of the Hong Kong protests provides a clear insight into the ideological tilt and narrative framing employed by these pro-Beijing news outlets operating within the Canadian Chinese community.

Relevant collection of articles from the “shadow network”:

• 《多伦多华人团体联合总会支持中国人大有关香港国安立法的声明》

• 《香港维护国家安全法 守护特区 扬帆远航》

• 《人民锐评｜香港记协，别再作妖了》

• 《以疫为喻------香港不应再讳疾忌医》

The articles themselves are revealing, showcasing a strong alignment with Beijing’s rhetoric regarding Hong Kong’s political dynamics.

Political Mobilization in the Chinese Canadian Community

One striking example of how these pro-Beijing websites attempt to influence the voting behaviors of the Chinese Canadian community is evident across multiple sites.

Relevant collection of articles from the “shadow network”:

• 《积极助选投票，支持华裔候选人黄素梅竞选连任安省议员》

• 《就差你一票！全加华裔社区掀起投票宣传高潮》

• 《华联总会呼吁加国华人珍惜民主权利踊跃投票》

• 《2019联邦选举公开论坛，呼吁华人积极参与投票》

• 《请为社会正义和加拿大国家利益投票》

• 《华人应该为自己的利益投票》

One particularly notable article from the network of pro-Beijing news websites targets the Chinese Canadian community’s political engagement in Canada. Published on “Canada News Report,” the article titled “积极助选投票，支持华裔候选人黄素梅竞选连任安省议员“ directly appeals to readers to support Su-Mei Huang, a Chinese Canadian incumbent running for re-election as an Ontario provincial legislator.

Su-Mei Huang is portrayed as a self-made politician who climbed the ranks from a nurse to a university professor and ultimately a provincial legislator, all without any political family background. The article highlights her dedication to vulnerable groups, healthcare, education, and public services, and outlines her achievements and future policy goals.

Media Influence in Toronto’s Mayoral Election: The Case of Xiaohua Gong

The 2023 Toronto mayoral race showcased an intriguing examination of media influence and strategy, particularly through the campaign of Xiaohua Gong, a Chinese-Canadian businessman with a controversial past. His campaign’s extensive use of both Chinese and English media platforms highlighted unique approaches to targeting diverse demographic segments within Toronto’s electorate.

Relevant collection of articles from the “shadow network”:

• 《多伦多市长候选人龚晓华（Xiaohua Gong）举办答谢联欢会》

• 《多伦多市长侯选人龚晓华和市民公开对话》

• 《多伦多市长候选人龚晓华和市民及小朋友共渡”六一”儿童节》

• 《多伦多市长侯选人龚晓华筹款晚宴》

• 《龚晓华今宣布竞选多伦多市长》

• 《美国近100家英文媒体报道多伦多市长候选人龚晓华(Xiao Hua Gong)》

The network of pro-Beijing news outlets operating within Canada has shown a keen interest in the Toronto mayoral election, particularly in supporting the candidacy of Xiaohua Gong. The series of articles published across various platforms demonstrates a concerted effort to positively influence public perception of Gong within the Chinese Canadian community.

The “Shadow Network” and Its Ties to Local Pro-Beijing Organizations

This investigation into the network of pro-Beijing Chinese news outlets in Canada reveals a complex web of media influence and associations. Particularly notable is the strong connection these sites have with Easyca.ca, a prominent Chinese-language media company in Canada. Further scrutiny shows that Easyca.ca is closely tied to significant Chinese business and community organizations like the Canada Toronto Fuqing Business Association (加拿大多伦多福清商会) and the Confederation of Toronto Chinese Canadian Organizations (多伦多华人团体联合总会, CTCCO).

Read more:

• National Post: New group with Beijing links to promote friendly candidates in Canadian elections

Media Influence and Business Ties

Easyca.ca has established itself as a major player in the Chinese media landscape in Canada. However, it’s not just a media powerhouse; it also serves as a nexus connecting various elements of the Chinese community in Toronto, including business associations that have shown allegiance to Beijing.

Role of CTCCO in the Network

CTCCO’s frequent appearances in these outlets are particularly significant. As an organization, CTCCO has been known to foster close ties with Chinese consular offices and promote events and viewpoints that are strategically beneficial to China. The consistent coverage of CTCCO by the shadow network suggests a coordinated effort to bolster CTCCO’s credibility and influence among Chinese Canadians, which in turn supports Beijing’s diplomatic and cultural outreach initiatives.

Conclusion of the Investigation into Pro-Beijing Influence Operations in Canadian Chinese-Language Media

This report has unveiled a sophisticated network of Chinese-language news outlets operating in Canada, which appear to systematically propagate pro-Beijing narratives and potentially influence the Chinese Canadian communities, particularly within the Greater Toronto Area. The findings from this investigation highlight several key issues that pose concerns for both the integrity of local media landscapes and the broader democratic processes in Canada.

Final Word

As Canada navigates the complex landscape of global politics and local demographic changes, the importance of safeguarding the informational integrity and independence of its diverse communities cannot be overstated. This investigation into the shadow network of Chinese-language media serves as a critical call to action, urging all stakeholders---from government regulators to community leaders---to take decisive steps to protect the foundational principles of democracy and the diverse fabric of Canadian society.