Investigator Use
Whoisology is a reverse WHOIS research platform that allows investigators to search domain registration records by contact information — finding all domains ever registered using a specific email address, registrant name, or phone number. This capability makes it one of the most powerful tools for mapping the full domain portfolio of a threat actor or fraudulent organization.
What investigators use Whoisology for: discovering all domains registered using the same email address or phone number, building a comprehensive picture of a threat actor's domain activity, identifying shared registration patterns across seemingly unrelated domains, and tracking domain registrations tied to a specific individual or organization.
What Whoisology exposes: reverse WHOIS results linking domains by shared registrant contact fields, registration dates for each domain, current domain status (active, expired, deleted), associated IP addresses and hosting history, and historical WHOIS snapshots predating privacy protection. It indexes over a billion WHOIS records.
The core value of Whoisology lies in connecting domains through shared registration data. A threat actor who registers ten phishing domains using variations of the same email address may not realize that those registrations are linked in a searchable database. Searching Whoisology by any one email reveals all associated domains, building a complete picture of the actor's operations.
For attribution: when investigating a fraudulent website or phishing campaign, the registrant email in the WHOIS record is often the most durable identifier. Even when actors change hosting providers, IP addresses, and domain names, the registrant contact information often stays consistent across campaigns — particularly when using inexperienced cybercriminals who don't practice registration hygiene.
Access tiers: Whoisology offers limited free searches and subscription plans for investigators who need frequent reverse WHOIS access. The database is particularly valuable for law enforcement and fraud investigators who need to document the full scope of an actor's domain activity.
In a workflow: after identifying a registrant email or phone number from a WHOIS record or historical data, search Whoisology to enumerate all associated domains. Feed discovered domains into PhishTank, VirusTotal, and Shodan to assess their activity. Cross-reference registration dates with known incident timelines to build a chronological picture of the actor's campaign history.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6.
Cert Graph Crawler
Domain OSINT
An open source intelligence tool to crawl the graph of certificate Alternate Names
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
DNS twister
Domain OSINT
DNS Twister generates and monitors domain permutations for typosquatting detection, brand protection, and phishing infrastructure discovery.
Domain Tools
Domain OSINT
DomainTools provides WHOIS lookup, IP history, domain ownership records, and reverse WHOIS for domain and infrastructure investigation.