The whois history looked strange so I contacted the owner Gregory Soo. He did not list the domain for sale. The domain was stolen from his Network Solutions account.
How did you contact him, and did he offer any additional information?
Great question. I'm wondering the same thing as well. Especially after @bhartzer said he also talked with the owner, and was told/reported conflicting information.
We just spoke with the owner Gregory Soo and he has told us that the domain name (SOO.com) is not a stolen domain name.
@bhartzer -- Same question, what form of communication did you contact Gregory Soo with?
And how did you/DNProtect confirm you were communicating with the real Gregory Soo and not an imposter attempting to manipulate you/DNProtect into vouching for/removing the alleged stolen status of (Soo.com) from DNProtect's "stolen domain database"?
However, if you look at the WHOIS record for the email address of the SOO domain, there is an email address using makaera.com, as the domain owner. And that domain expired. Did the current owner of SOO purchase makaera.com, set up the email address, and then take control of the SOO domain? Something doesn't add up here.
Did you mention any of the above to the owner Gregory Soo when he told you the domain (SOO.com) was not a stolen domain?
vir/.com and montreal/.com - it seems that admin email doesn't have 2FA. The tech email is using 2FA but it is not a smart idea to use user@gmail > another@gmail.
Yes, all very strange. At first I wondered if the gmails were added after losing access to Makaera.com and their historically used [email protected] email address when Makaera.com expired on August 22nd, 2021 and was re-registered on November 10th, 2021.
Shortly after wondering why the gmails were added, I noticed Whoxy.com historical WHOIS entries cached the change in WHOIS emails for Montreal.com from [email protected] to [email protected] sometime between August 21st, 2020 and October 22nd, 2020, e.g. over a year before Makaera.com expired, and 3+ years after the registrant company was listed with a dissolved status in Canadian business registries.
This August 2020 to October 2020 timeframe also matches up (Vir.com, Soo.com, Montreal.com) with nameserver changes away from long time used sophia.soo.com/rosedelima.vir.com nameservers to the first appearances of ns1/ns2.hostpapa.com nameservers.
All four domains below consistently held nameservers of sophia.soo.com / rosedelima.vir.com since at least 2008, with little to no nameserver changes until ns1.hostpapa.com/ns2.hostpapa.com was added to the following domains on the following dates:
Vir.com:
August 23rd, 2020 domain nameservers changed to ns1.hostpapa.com/ns2.hostpapa.com.
Montreal.com:
September 15th, 2020 domain nameservers changed to ns1.hostpapa.com/ns2.hostpapa.com.
Soo.com:
September 15th, 2020 domain nameservers changed to ns1.hostpapa.com/ns2.hostpapa.com.
Makaera.com:
June 18th, 2021 domain nameserver changed to ns1.hostpapa.com/ns2.hostpapa.com. ***Reminder, Makaera.com expired two months later, on August 21st, 2021***
In addition to the nameservers for Montreal.com and Soo.com appearing to have changed to ns1/ns2.hostpapa.com on September 15th, 2020, MX records were also changed on September 15th, 2020 for not only Soo.com and Montreal.com, but also for Makaera.com.
Vir.com had changed mx records in the aforementioned August 23rd, 2020 nameserver change date.
Historical MX Records:
- Vir.com
- Montreal.com
- Soo.com
- Makaera.com
If anybody can get in touch with the real Gregory Soo / Makaera Vir 2000, these questions might help add some clarity:
- Who owns the (at least) three valuable domains (Vir.com, Soo.com, Montreal.com) connected to or previously connected to [email protected]?
WHOIS shows Makaera Vir 2000 Inc as the registrant, however Canadian business filings seem to show the corporation (which was formed in 1997) had dissolved nearly 20 years later in January 2017. Benjamin Soo, Gregory Soo, Karl Soo, and May Soo were all listed as directors.
- Were the 2020/2021 nameserver changes away from sophia.soo.com / rosedelima.vir.com to ns1/ns2.hostpapa.com authorized or unauthorized?
- If the HostPapa nameserver changes were authorized, is it possible/has Gregory Soo checked to see if their HostPapa account was compromised after the authorized change?
- If the HostPapa nameserver changes were not authorized, what was the assumed hacker doing changing the nameservers for Vir.com, Montreal.com, and Soo.com 10 months prior to changing the nameserver of Makaera.com and 14 months before Makaera.com was dropped and re-registered? Is it possible a hacker gained access to the Network Solutions account in at least 2020, prior to Makaera.com dropping, thus making the new registrant of Makaera.com unrelated to this alleged theft?
Note: The new November 2021 registrant <[email protected]> of Makaera.com has over 38k domains according to Whoxy.com, which, unless a fake email was used, doesn't seem to be the type of burner email address typically used in these types of thefts. Hence why I question whether the obvious first registrant of interest (e.g. the registrant who as of November 2021 had potential access to [email protected] email addresses) is even a registrant of interest at all, or if it's just some domainer who registered Makaera.com due to its early 1994 WHOIS creation date, or some other metric.