Вы находитесь на странице: 1из 134

AFFIDAVIT IN SUPPORT OF APPLICATION FOR SEIZURE WARRANT

I, Aaron Stewart, Special Agent of the Federal Bureau of Investigation (“FBI”), being

first duly sworn, hereby declare as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I am an “investigative or law enforcement officer of the United States” within the

meaning of Section 2510(7) of Title 18, United States Code, that is, an officer of the United

States who is empowered by law to conduct investigations of, and to make arrests for, offenses

enumerated against the United States.

2. I have been employed as a Special Agent of the FBI since October 2014 and am

currently assigned to the San Francisco Division. While employed by the FBI, I have

investigated federal criminal violations related to malicious cyber activity by state-sponsored

actors and agents of foreign governments. I have gained experience through training at the FBI

and everyday work relating to conducting these types of investigations. As a federal agent, I am

authorized to investigate violations of United States laws and to execute warrants issued under

the authority of the United States.

3. The facts in this affidavit are based on my personal participation in this

investigation, my training and experience, the work of other agents and investigators, and

documents, records, emails, and other types of information obtained during the investigation

from other sources and witnesses. The FBI has, thus far, conducted open source research,

received information from other government agencies, conducted interviews, and served legal

process. This Affidavit is intended to show merely that there is sufficient probable cause for the

1
requested warrant and does not set forth all of my knowledge about this matter.

4. Each of the following domain names (“the Target Domains”) to be seized is

registered with a U.S.-based registrar as follows:

Target Domain Registrar Paragraph Numbers


1 3adalah.com OnlineNIC 46, 66, 70, 102, 180, 181, 182, 433
2 4svideo.com Namecheap 46, 102, 121, 122, 432
3 acilnews.com OnlineNIC 46, 66, 70, 102, 146, 147, 148, 433
4 aden-alyoum.com OnlineNIC 46, 68, 70, 102, 315, 316, 317, 318, 433
5 adentimes.net OnlineNIC 46, 68, 70, 102, 311, 312, 313, 314, 433
6 afghanpulse.com Namecheap 46, 70, 102, 117, 118, 119, 120, 403, 432
7 afghanwolas.com OnlineNIC 46, 66, 70, 102, 110, 111, 125, 126, 149,
155, 168, 198, 199, 205, 208, 209, 245, 329,
343, 362, 363, 364, 368, 433
8 aftruth.com OnlineNIC 46, 68, 70, 102, 187, 188, 189, 190, 433
9 ageofpakistan.com OnlineNIC 46, 68, 70, 102, 181, 275, 278, 279, 433
10 al-sufia.com OnlineNIC 46, 66, 70, 102, 135, 136, 433
11 alhadathps.com OnlineNIC 68, 199, 205, 426, 427, 428, 429, 433
12 alkhalijalyoum.com OnlineNIC 46, 68, 70, 102, 291, 292, 293, 294, 342, 433
13 alkuwaitonline.com Namecheap 46, 70, 370, 372, 374, 375, 376, 381, 393,
432
14 almasirahpress.com OnlineNIC 46, 66, 70, 102, 319, 320, 321, 322, 323,
324, 433
15 almasirahtv.com OnlineNIC 46, 66, 70, 102, 321, 324, 325, 406, 433
16 alnujaba.com OnlineNIC 46, 69, 70, 76, 102, 286, 288, 289, 290, 433
17 alraialqatari.com OnlineNIC 46, 68, 70, 102, 156, 185, 196, 217, 221,
226, 234, 264, 339, 303, 340, 341, 342, 433
18 alsudanalyoum.com OnlineNIC 46, 66, 70, 102, 110, 114, 140, 176, 183,
191, 192, 193, 194, 202, 237, 245, 329, 412,
433
19 alsudanalyoum.org OnlineNIC 66, 412, 433
20 altanzil.net OnlineNIC 46, 68, 70, 102, 270, 271, 272, 274, 433
21 alwarka.net OnlineNIC 46, 69, 70, 76, 102, 156, 185, 196, 212, 215,
217, 219, 221, 223, 226, 228, 230, 231, 234,
264, 303, 341, 433
22 ansar-allah.com OnlineNIC 46, 66, 70, 102, 110, 125, 149, 155, 168,
198, 208, 334, 335, 336, 337, 338, 403, 433
23 arbaeenpress.com OnlineNIC 69, 76, 386, 387, 388, 389, 433
24 aynanewsagency.org OnlineNIC 46, 66, 102, 346, 347, 348, 433

2
25 bashiqa.com OnlineNIC 46, 69, 70, 76, 102, 156, 185, 196, 212, 214,
215, 217, 218, 219, 221, 223, 226, 228, 232,
234, 264, 303, 341, 433
26 beritadunia.net OnlineNIC 46, 66, 70, 102, 110, 114, 156, 176, 185,
191, 194, 195, 196, 197, 202, 217, 221, 226,
234, 237, 245, 264, 303, 329, 341, 433
27 bhpress24.com Namecheap 46, 370, 371, 372, 373, 376, 380, 393, 432
28 dailymulk.com Namecheap 70, 381, 392, 395, 397, 398, 400, 432
29 faktru.com OnlineNIC 46, 66, 70, 102, 110, 125, 149, 155, 168,
198, 199, 200, 201, 205, 208, 433
30 fatemyoun.com OnlineNIC 46, 66, 70, 102, 132, 133, 134, 433
31 foresight-media.com OnlineNIC 46, 66, 70, 102, 240, 242, 243, 244, 413, 433
32 foresight-media.net OnlineNIC 66, 413, 433
33 frpress24.com Namecheap 46, 70, 85, 102, 103, 104, 105, 432
34 haghighah.com OnlineNIC 46, 66, 70, 102, 110, 114, 176, 191, 194,
202, 237, 245, 326, 328, 329, 343, 362, 364,
368, 433
35 hindkhabar.com OnlineNIC 46, 66, 70, 102, 156, 185, 196, 217, 221,
226, 234, 261, 263, 264, 265, 303, 341, 433
36 imamiatarbiat.com OnlineNIC 46, 66, 70, 102, 110, 125, 149, 152, 155,
168, 169, 170, 198, 208, 363, 382, 384, 410,
433
37 iraqnewsservice.com OnlineNIC 46, 69, 70, 76, 102, 156, 185, 196, 215, 217,
221, 226, 232, 233, 234, 236, 264, 303, 341,
433
38 islahjo.com OnlineNIC 46, 66, 102, 352, 353, 356, 433
39 islamipolitics.com OnlineNIC 68, 70, 414, 415, 417, 433
40 iuvm.info OnlineNIC 46, 66, 70, 125, 150, 155, 358, 370, 377, 390,
433
41 iuvm.net OnlineNIC 66, 70, 358, 390, 433
42 iuvm.org OnlineNIC 46, 66, 70, 329, 102, 343, 358, 359, 362,
364, 368, 369, 390, 433
43 iuvmpress.com OnlineNIC 46, 66, 70, 102, 168, 199, 205, 329, 343,
358, 359, 361, 362, 363, 364, 368, 382, 384,
390, 403, 433
44 iuvmpress.net OnlineNIC 66, 168, 363, 382, 383, 384, 433,
45 iuvmpress.org OnlineNIC 66, 168, 363, 382, 384, 385, 433
46 iuvmtech.com OnlineNIC 46, 66, 70, 102, 329, 343, 358, 359, 362,
364, 365, 368, 390, 433
47 iuvmtv.com OnlineNIC 46, 66, 70, 102, 358, 359, 364, 366, 367,
377, 390, 433
48 j-babel.com OnlineNIC 46, 69, 70, 76, 102, 156, 185, 196, 212, 215,
3
217, 219, 220, 221, 222, 223, 226, 228, 234,
264, 303, 341, 433
49 jamekurdi.com OnlineNIC 46, 66, 102, 70, 110, 125, 149, 155, 168,
198, 208, 295, 296, 298, 299, 433
50 jihadalbina.org OnlineNIC 76, 349, 350, 433
51 kashmir-news.com OnlineNIC 68, 110, 125, 149, 155, 168, 198, 208, 418,
420, 421, 433
52 kashmirline.com OnlineNIC 46, 68, 102, 259, 260, 433
53 khabroona.com Namecheap 46, 370, 378, 432
54 ksastudies.net OnlineNIC 46, 66, 70, 102, 137, 138, 139, 433
55 ksatalks.com Namecheap 46, 70, 370, 373, 379, 380, 432
56 kurdestantimes.com OnlineNIC 46, 69, 70, 76, 102, 210, 211, 212, 215, 219,
223, 228, 433
57 libyaalmokhtar.com OnlineNIC 46, 66, 70, 102, 140, 149, 156, 176, 183,
184, 185, 186, 191, 196, 217, 221, 226, 234,
264, 303, 341, 433
58 maghrebiyon.com OnlineNIC 46, 68, 70, 102, 171, 173, 174, 433
59 marsadz.com OnlineNIC 46, 66, 70, 102, 140, 141, 142, 176, 191, 433
60 masralkenana.com OnlineNIC 46, 68, 70, 102, 256, 257, 258, 433
61 mepanorama.net Namecheap 46, 70, 77, 79, 102, 110, 113, 114, 115, 116,
176, 191, 194, 202, 237, 245, 329, 432
62 moqawemat.com OnlineNIC 46, 102, 280, 282, 284, 433
63 naijafox.com OnlineNIC 46, 69, 70, 76, 102, 253, 254, 255, 433
64 nationvoices.com OnlineNIC 68, 110, 125, 149, 155, 168, 198, 208, 422,
423, 424, 425, 433
65 newsstand7.com Namecheap 35, 46, 70, 80, 81, 83, 84, 85, 86, 105, 406,
430, 432
66 nilenetonline.com OnlineNIC 46, 66, 70, 79, 102, 110, 111, 114, 125, 126,
149, 155, 168, 176, 191, 194, 198, 202, 205,
208, 237, 245, 246, 247, 329, 248, 433
67 nthnews.net OnlineNIC 46, 66, 70, 102, 110, 114, 176, 191, 194,
202, 237, 241, 245, 329, 403, 433
68 pakonlinenews.com OnlineNIC 46, 66, 70, 102, 110, 114, 176, 191, 194,
202, 203, 204, 237, 245, 329, 433
69 pashtokhabar.com OnlineNIC 46, 68, 102, 266, 267, 268, 269, 433
70 pergiustizia.com OnlineNIC 46, 66, 70, 102, 129, 130, 131, 433
71 puketnews.com OnlineNIC 46, 68, 70, 102, 249, 250, 251, 252, 433
72 qarura.com OnlineNIC 46, 69, 70, 76, 102, 212, 215, 219, 223, 225,
227, 228, 433
73 qudspal.com OnlineNIC 66, 70, 125, 149, 152, 155, 170, 183, 377,
409, 410, 433

4
74 qudspal.net OnlineNIC 46, 66, 70, 102, 110, 125, 149, 150, 151,
152, 153, 155, 170, 168, 198, 208, 409, 410,
411, 433
75 raitunisia.com OnlineNIC 46, 66, 70, 102, 110, 114, 140, 175, 176,
177, 178, 179, 183, 191, 194, 202, 237, 245,
329, 433
76 reflejo24.com Namecheap 401, 402, 403, 404, 432
77 risolattj.com OnlineNIC 46, 66, 70, 90, 102, 329, 343, 344, 345, 362,
364, 368, 433
78 sachtimes.com OnlineNIC 46, 66, 70, 102, 110, 125, 149, 150, 154,
155, 156, 157, 158, 159, 160, 161, 165, 168,
185, 196, 198, 208, 217, 221, 226, 234, 264,
303, 341, 377, 433
79 saghalein-ins.com OnlineNIC 46, 66, 70, 102, 143, 144, 145, 433
80 saudiuncovered.com Namecheap 46, 70, 370, 376, 381, 432
81 sayyidali.com OnlineNIC 46, 66, 70, 79, 102, 110, 111, 123, 125, 126,
127, 128, 149, 150, 155, 168, 198, 205, 208,
245, 377, 433
82 sizinyol.com OnlineNIC 46, 66, 70, 102, 330, 331, 332, 333, 433
83 soleimanquran.com Namecheap 405, 406, 432
84 svetpress.com Namecheap 70, 381, 392, 394, 395, 396, 398, 400, 408,
432
85 syria-scope.com OnlineNIC 46, 102, 122, 354, 355, 433,
86 tanincenter.com OnlineNIC 46, 102, 357, 358, 390, 433,
87 theleadersnews.com GoDaddy 46, 70, 102, 162, 163, 164, 165, 167, 431,
88 twtoday.net OnlineNIC 35, 68, 80, 81, 97, 98, 100, 101, 141, 430,
433,
89 uaealyoum.com Namecheap 70, 372, 376, 392, 391, 393, 432
90 usjournal.net OnlineNIC 35, 46, 58, 59, 60, 66, 70, 80, 81, 87, 88, 89,
90, 91, 92, 93, 94, 102, 343, 427, 430, 433
91 usjournal.us OnlineNIC 35, 66, 80, 81, 94, 95, 96, 430, 433
92 whatsupic.com OnlineNIC 46, 66, 70, 102, 106, 107, 109, 110, 111,
112, 114, 125, 126, 149, 155, 168, 176, 191,
194, 198, 202, 205, 208, 237, 245, 329, 433
93 yaqeenagency.net OnlineNIC 46, 68, 70, 102, 156, 185, 196, 217, 221,
226, 234, 264, 300, 301, 302, 303, 304, 309,
341, 433
94 yemeniat.net OnlineNIC 309
95 yenihaber7.com Namecheap 381, 392, 395, 398, 399, 400, 401, 404, 408,
432
96 zonablanca.org Namecheap 70, 381, 392, 395, 398, 400, 407, 408, 432

5
5.

As outlined below, the Target Domains are believed to be part of the Liberty Front Press

network.

6. As set forth below, there is probable cause to believe that the Target Domains

constitute property used, or intended to be used, to commit or facilitate violations of 50 U.S.C.

§ 1705 and 22 U.S.C. § 611 et seq. (the “Subject Offenses”), and subject to seizure and forfeiture

pursuant to 18 U.S.C. § 981(a)(1)(C) and 28 U.S.C. § 2461(c). I make this Affidavit for a

warrant to seize the property described in Attachments A through C, the Target Domains.

7. The procedure by which the government will seize the Target Domains is

described in Attachments A through C hereto and below.

BACKGROUND ON DOMAIN NAMES

8. Based on my training and experience and information learned from others, I am

aware of the following:

9. Internet Protocol Address: An Internet Protocol address (“IP address”) is a

unique numeric address used by computers on the Internet. An IP address is a series of four

6
numbers, each in the range 0-255, separated by periods (e.g., 121.56.97.178). Every computer

attached to the Internet must be assigned an IP address so that Internet traffic sent from and

directed to that computer may be directed properly from its source to its destination. An IP

address acts much like a home or business street address -- it enables computers connected to the

Internet to properly route traffic to each other. The assignment of IP addresses to computers

connected to the Internet is controlled by internet service providers (“ISPs”).

10. Domain Name: A domain name is a simple, easy-to-remember way for humans

to identify computers on the Internet, using a series of characters (e.g., letters, numbers, or other

characters) that correspond with a particular IP address. For example, “usdoj.gov” and

“cnn.com” are domain names.

11. Domain Name System: The domain name system (“DNS”) is, among other

things, a hierarchical convention for domain names. Domain names are composed of one or

more parts, or “labels,” that are delimited by periods, such as “www.example.com.” The

hierarchy of domains descends from right to left; each label to the left specifies a subdivision, or

subdomain, of the domain on the right. The right-most label conveys the “top-level” domain.

For example, the domain name “www.example.com” means that the computer assigned that

name is in the “.com” top-level domain, the “example” second-level domain, and is the web

server.

12. Domain Name Servers: DNS servers are computers connected to the Internet that

convert, or resolve, domain names into IP addresses.

13. Registry: For each top-level domain (such as “.com”), there is a single company,

7
called a “registry,” that determines which second-level domain resolves to which IP address. For

example, the registry for the “.com” and “.net” top-level domains are VeriSign, Inc.

(“VeriSign”), which has its headquarters at 12061 Bluemont Way, Reston, Virginia; the registry

for “.org” top-level domain is Public Internet Registry, which has its headquarters at 1775

Wiehle Avenue, Suite 200 Reston, Virginia 20190; and the registry for “.info” top-level domain

is Afilias, Inc., which has its headquarters at 300 Welsh Road, Building 3, Suite 105, Horsham,

Pennsylvania 19044.

14. Registrar & Registrant: Domain names may be purchased through a registrar,

which acts as the intermediary between the registry and the purchasers of the domain name. The

individual or business that purchases, or registers, a domain name is called a “registrant.”

Registrants control the IP address, and thus the computer, to which their domain name resolves.

Thus, a registrant may easily move a domain name to another computer anywhere in the world.

Registrars typically maintain customer and billing information about the registrants who used

their domain name registration services.

15. WHOIS: A “WHOIS” search provides publicly available information as to which

entity is responsible for a particular IP address or domain name. A WHOIS record for a

particular IP address or domain name will list a range of IP addresses that that IP address falls

within and the entity responsible for that IP address range and domain name. For example, a

WHOIS record for the domain name XYZ.COM might list an IP address range of 12.145.67.0 -

12.145.67.99 and list Company ABC as the responsible entity. In this example, Company ABC

would be responsible for the domain name XYZ.COM and IP addresses 12.145.67.0 -

8
12.145.67.99.

RELEVANT STATUTES

International Emergency Economic Powers Act

16. The International Emergency Economic Powers Act (“IEEPA”), 50 U.S.C.

§§ 1701–1706, authorizes the President to impose economic sanctions on a foreign country,

individual, or organization in response to an unusual or extraordinary threat to the national

security, foreign policy, or economy of the United States when the President declares a national

emergency with respect to that threat.

17. Pursuant to the authority under IEEPA, the President of the United States and the

executive branch have issued orders and regulations governing and prohibiting certain

transactions by U.S. persons or involving U.S. goods. Title 50, United States Code, Section

1705 provides:

A person who willfully commits, willfully attempts to commit, or willfully


conspires to commit, or aids or abets in the commission of a violation of any
license, order, or regulation issued under this chapter shall, upon conviction, be
fined or may be imprisoned for not more than twenty years, or both; and any
officer, director, or agent of any corporation who knowingly participates in such
violation may be punished by a like fine, imprisonment, or both.

The Iranian Transactions and Sanctions Regulations

18. On March 15 and May 6, 1995, the President issued Executive Orders Nos.

12957 and 12959, prohibiting, among other things, the exportation, reexportation, sale, or

supply, directly or indirectly, to Iran of any goods, technology, or services from the United

States or by a United States person, and on August 19, 1997, issued Executive Order No.

13059 clarifying the previous orders (collectively, the “Executive Orders”). The Executive
9
Orders authorized the United States Secretary of the Treasury to promulgate rules and

regulations necessary to carry out the Executive Orders. Pursuant to this authority, the

Secretary of the Treasury promulgated the Iranian Transactions Regulations (renamed in 2013,

the Iranian Transactions and Sanctions Regulations, the “ITSR”) implementing the sanctions

imposed by the Executive Orders.

19. The ITSR, Title 31, Code of Federal Regulations, Section 560.204, prohibits,

among other things, the exportation, reexportation, sale, or supply, directly or indirectly, from

the United States, or by a United States Person, of goods, technology, or services to Iran or the

Government of Iran (with certain limited exceptions), including the exportation, reexportation,

sale or supply of goods, technology or services to a third country knowing that such goods,

technology or services are intended for Iran or the Government of Iran, without a license from

the United States Department of the Treasury, Office of Foreign Assets Control (“OFAC”).

20. The ITSR further prohibit transactions that evade or avoid, have the purpose

of evading or avoiding, cause a violation of, or attempt to violate the ITSR. 31 C.F.R. §

560.203.

Sanctions Concerning the IRGC

21. Executive Order 13224. On September 23, 2001, under the authority of IEEPA

and other authorities, the President of the United States issued Executive Order 13224 “Blocking

Property and Prohibiting Transactions With Persons Who Commit, Threaten to Commit, or

Support Terrorism.” While Executive Order 13224—issued two weeks after the September 11,

2001 attacks on the United States—targeted Al Qaeda, the United States has subsequently used it

10
to target Iran. 1

22. Section 1 of Executive Order 13224 states, in part, that: “…all property and

interests in property of the following persons that are in the United States or that hereafter come

within the United States, or that hereafter come within the possession or control of United States

persons are blocked:

(b) foreign persons determined by the Secretary of State, in consultation with the

Secretary of the Treasury and the Attorney General, to have committed, or to pose

a significant risk of committing, acts of terrorism that threaten the security of U.S.

nationals or the national security, foreign policy, or economy of the United

States.”

23. Section 105 of the Countering America’s Adversaries Through Sanctions Act

(“CAATSA”) mandated the imposition of Executive Order 13224 penalties on the Islamic

Revolutionary Guard Corps (“IRGC”) and its officials, agents, and affiliates by October 30,

2017.

24. On October 13, 2017, OFAC designated the IRGC as a Specially Designated

National pursuant to Executive Order 13224 and consistent with CAATSA. OFAC designated

the IRGC for its activities in support of the IRGC-Qods Force (“IRGC-QF”), which was

designated pursuant to Executive Order 13224 on October 25, 2007, for providing support to a

number of terrorist groups, including Hizballah, Hamas, and the Taliban.

25. The State Department has authority under Section 219 of the Immigration and

1
See “Iran Sanctions,” Congressional Research Service, RS20871, updated July 23, 2020.

11
Nationality Act (Title 8, United States Code, Section 1189) to designate an entity as a Foreign

Terrorist Organization (“FTO”). On April 15, 2019, the IRGC was designated as an FTO by the

United States Government.

Foreign Agents Registration Act

26. The U.S. Department of Justice administers the Foreign Agent Registration Act

(“FARA”). FARA establishes a registration, reporting, and disclosure regime for agents of

foreign principals (which includes foreign non-government individuals and entities) so that the

U.S. government and the people of the United States are informed of the source of information

and the identity of persons attempting to influence U.S. public opinion, policy, and law. FARA

requires, among other things, that persons subject to its requirements submit periodic registration

statements containing truthful information about their activities and the income earned from

them. Disclosure of the required information allows the federal government and the American

people to evaluate the statements and activities of such persons in light of their function as

foreign agents. Specifically,

a. FARA states that “[n]o person shall act as an agent of a foreign principal unless he
has filed with the Attorney General a true and complete registration statement.” 22
U.S.C. § 612(a).

b. FARA defines “foreign principal” to include “a government of a foreign country,”


a “foreign political party,” and “a person outside of the United States” who is not a
United States citizen. Id. § 611(b). The term “government of a foreign country” is
defined to include any person “exercising sovereign de facto or de jure political
jurisdiction over any country,” including “any group or agency to which such
sovereign de facto or de jury authority or functions are directly or indirectly
delegated.” Id. § 611(e).

c. FARA defines the term “agent of a foreign principal” to have two requirements.
12
First, the person must either “act[] as an agent, representative, employee, or
servant” of a foreign principal, or act “at the order, request, or under the direction
or control, of a foreign principal,” or be a person “any of whose activities are
directly or indirectly supervised, directed, controlled, financed, or subsidized in
whole or in major part by a foreign principal.” Id. § 611(c)(1). Second, the person
must either “engage[] within the United States in political activities for or in the
interests of such foreign principal,” or “act[] within the United States as a public
relations counsel, publicity agent, information-service employee or political
consultant for or in the interests of such foreign principal,” or “within the United
States represent[] the interests of such foreign principal before any agency or
official of the Government of the United States.” Id.

d. The term “political activities” means any activity that the person engaging in
believes will, or that the person intends to, in any way influence any agency or
official of the Government of the United States or any section of the public within
the United States with reference to formulating, adopting, or changing the
domestic or foreign policies of the United States or with reference to the political
or public interests, policies, or relations of a government of a foreign country or a
foreign political party. Id. § 611(o).

e. An agent must also register if it acts within the United States as a publicity agent
or information-service employee of a foreign principal. A “publicity agent” refers
to “any person who engages directly or indirectly in the publication or
dissemination of oral, visual, graphic, written, or pictorial information or matter
of any kind, including publication by means of . . . broadcasts, motion pictures, or
otherwise.” Id. § 611(h). An “information-service employee” includes any
person “who is engaged in furnishing, disseminating, or publishing accounts,
descriptions, information, or data with respect to the political, industrial,
employment, economic, social, cultural, or other benefits, advantages, facts, or
conditions or any country other than the United States or of any government of a
foreign country . . . .” Id. § 611(i).

f. The term “agent of a foreign principal” does not include any news or press service
or association organized under the laws of the United States or any State or other
place subject to the laws of the United States, or any newspaper, magazine,
periodical, or other publication for which there is on file with the United States
Postal Service information in compliance with Section 3611 of title 39, published
in the United States, solely by virtue of any bona fide news or journalistic
activities, including the solicitation or acceptance of advertisements,
subscriptions, or other compensation therefor, so long it is at least 80 per centum
beneficially owned by, and its officers and directors, if any, are citizens of the
United States, and such news or press service or association, newspaper,

13
magazine, periodical, or other publication, is not owned, directed, supervised,
controlled, subsidized, or financed, and none of its policies are determined by any
foreign principal. Id. § 611(d).

g. FARA imposes criminal penalties on any person who “willfully violates any
provision” of the statute. 22 U.S.C. § 618(a)(1).

Statutory Basis for Seizure

27. Title 18, United States Code, Section 981(a)(1)(C) provides that any property, real

or personal, which constitutes or is derived from proceeds traceable to a violation of a specified

unlawful activity, to wit: the International Emergency Economic Powers Act, Title 50, United

States Code, Section 1705; and the Foreign Agents Registration Act, Title 22, United States

Code, Section 611 et seq., or a conspiracy to commit such an offense, is subject to forfeiture.

28. Title 18, United States Code, Section 981(b)(2) authorizes seizure of property

subject to civil forfeiture based upon a warrant supported by probable cause. Title 18, United

States Code, Section 981(b)(3) permits the issuance of a civil seizure warrant by a judicial officer

in any district in which a forfeiture action against the property may be filed pursuant to Title 28,

United States Code, Section 1355(b). A forfeiture proceeding may be brought in this district

because acts or omissions giving rise to forfeiture occurred in this district.

29. Title 21, United States Code, Section 853(f) (as incorporated by Title 18, United

States Code, Section 982(b)(1)) provides that a criminal seizure warrant for property subject to

forfeiture may be sought in the same manner in which a search warrant may be issued under

Federal Rule of Criminal Procedure 41. A court shall issue a criminal seizure warrant if it

determines that the property to be seized would, in the event of a conviction, be subject to

14
forfeiture and that a restraining order would be inadequate to assure the availability of the

property for forfeiture.

30. Neither a restraining order nor an injunction is sufficient to guarantee the

availability of the Target Domains for forfeiture. By seizing the Target Domains and redirecting

each Target Domain to another website, the Government will prevent third parties from

acquiring the name and using it to commit additional crimes. Furthermore, seizure of the Target

Domains will prevent third parties from continuing to access the Target Domain websites in their

present form. A restraining order or injunction will still render the Target Domains subject to

entry and vulnerability to cyber-attacks, whereas seizure will ensure that the Target Domains

cannot be used for any nefarious purpose

31. Title 18, United States Code, Section 981(h) provides that venue for civil

forfeitures brought under this section lies in the district either where the defendant owning the

property is located or in the judicial district where the criminal prosecution is brought.

32. Title 21, United States Code, Section 853(j), incorporating Title 21, United States

Code, Section 881(j), provides that venue for criminal forfeitures brought under this section lies

in the district where the defendant owning the criminal forfeiture is located or in the judicial

district where the criminal prosecution is brought.

33. As set forth below, there is probable cause to believe that the Target Domains are

subject to civil and criminal forfeiture because they constitute or are derived from proceeds

traceable to a violation of the Subject Offenses. They are accordingly subject to seizure pursuant

to Title 18, United States Code, Section 981(b); and Title 21, United States Code, Section 853(f).

15
FACTS SUPPORTING PROBABLE CAUSE

Overview

34. As described throughout this application, the FBI believes that the Government of

Iran, through the IRGC as well as individuals acting on behalf of the IRGC, is engaging in a

covert influence campaign both inside the United States and elsewhere through the use of

domains registered in the United States, in violation of IEEPA. This belief, as explained

throughout

content from the domains which is

consistent with Iranian foreign policy and IRGC disinformation tradecraft, open source

reporting, and returns from legal process which indicate that the Target Domains were registered

under false names and originate in Iran. As a result, the FBI asserts that there is probable cause

to seize each of the Target Domains as property which constitutes or is derived from proceeds

traceable to a violation of 50 U.S.C. § 1705, as described above.

35. Finally, Target Domains newsstand7.com, usjournal.net, usjournal.us, and

twtoday.net, described in detail below, have been used by the IRGC and those acting on behalf

of the IRGC and the Government of Iran to engage in political activities and disseminate

information, as defined by FARA, without proper registration pursuant to FARA and without

notifying the American public with a conspicuous label that the content of the domains was

being published on behalf of the IRGC and the Government of Iran. As a result, there is

probable cause to seize these domains as property which constitutes or is derived from proceeds

traceable to a violation of FARA.

16
Background on Iranian Foreign Policy

36. The February 11, 1979, fall of the Shah of Iran, who was a key U.S. ally,

shattered U.S.-Iran relations. According to a February 2020 Congressional Service Report, Iran

has since pursued policies that every successive U.S. Administration has considered inimical to

U.S. interests in the Near East region and beyond. Iran’s authoritarian political system and

human rights abuses have further contributed to the U.S.-Iran rift.

37. On April 29, 2020, the Congressional Research Service published that the

ideology of Iran’s 1979 Islamic revolution still infuses Iran’s foreign policy today. Iran’s leaders

assert that the political structure of the Middle East is heavily weighted in favor of the United

States and its regional allies and against those who Iranian leaders describe as “oppressed

peoples,” such as the Palestinians and Shia Muslims. Shias are politically and economically

disadvantaged minorities in many countries of the region. Iranian leaders claim that Western

intervention and the creation of Israel have distorted the region’s politics and economics. Iran’s

leadership has a history of taking advantage of regional conflicts to advance a broader goal of

overturning a power structure in the Middle East that it asserts favors the United States, Israel,

Saudi Arabia, and other Sunni Muslim Arab regimes.

Iranian Cyber Influence Operations

38. The nation of Iran has been identified by several reputable sources as one of

numerous countries that implement state-sponsored, malign foreign influence campaigns

utilizing cyberspace. According to the Homeland Security Advisory Council Interim Report of

the Countering Foreign Influence Subcommittee on May 21, 2019, Iran was alleged to be

17
involved in malign foreign influence activities, whose aim is “designed to sow discord,

manipulate public discourse, discredit the electoral system, bias the development of policy, or

disrupt markets for the purpose of undermining the interests of the United States and its allies.”

39. Further, the Iranian Action Group of the U.S. Department of State described the

Republic of Iran as a “leading threat actor in cyberspace, which uses cyberespionage,

propaganda, and attacks to influence events, shape foreign perceptions, and counter perceived

threats.” Although the IRGC is oftentimes behind Iranian cyber-based attacks, it often uses

individuals outside of the government to assist with these operations. Similarly, the

Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security

reported that the U.S. intelligence community and various private sector threat intelligence

organizations have identified the IRGC as a driving force behind Iranian state-sponsored

cyberattacks—either through contractors in the Iranian private sector or by the IRGC itself.

40. A June 25, 2019, assessment of Iran’s cyber power by the Center for Strategic and

International Studies Senior Vice President James Andrew stated that Iran’s cyber operations are

conducted primarily by the IRGC, the Basij, and Iran’s Passive Defense Organization.

According to the assessment, the IRGC is behind a series of incidents against American targets,

Israeli critical infrastructure, Saudi Arabia, and other Gulf states.

41. A January 2018 report of the Carnegie Endowment for International Peace

indicated that “Iran’s offensive cyber activities are almost exclusively overseen by the IRGC”

(with little prospect of oversight of elected officials) and “composed of a scattered set of

independent contractors who mix security work, criminal fraud, and more banal software

18
development.”

42. Known Iranian cyber operations have typically focused on “soft” targets. More

specifically, expert witness Philip Howard from Oxford Internet Institute at the Open Hearing on

Foreign Influence Operations’ Use of Social Media Platforms Before the Select Committee on

Intelligence of the U.S. Senate on August 1, 2018, described Iran as one of several studied

countries that has organized dedicated disinformation campaigns, and, in particular, had a

recently exposed social media manipulation operation. Iran’s use of inauthentic social media

accounts, which garnered more than one million followers, “focused on promoting particular

policy interests that are aligned with the Iranian government,” according to Park Advisors in a

report produced with the support of the U.S. Department of State’s Global Engagement Center.

43. Iranian state-sponsored foreign influence and information operations have been

far-reaching and targeted. For example, in the written testimony of Joseph M. Humire regarding

Iran’s Strategic Penetration of Latin America before the U.S. House of Representatives

Committee on Foreign Affairs, Subcommittee on the Western Hemisphere, Subcommittee on the

Middle East & North Africa, Mr. Humire wrote:

While subtle and often under the radar, Iran’s ‘cultural’ outreach has been
significant over the last decade and is only growing in both size and scope. One
of the most visible outcomes of this outreach is their Spanish language 24-hour
news broadcast, HispanTV, that is operated by the larger, state-owned Islamic
Republic of Iran Broadcaster (‘IRIB’). Launched in 2012, this Iranian network
has grown to broadcast in at least 16 countries throughout Latin America, often in
conjunction with what is known as counter-hegemonic news media in the region,
namely the Venezuela-based TeleSUR. This media network provides Iran with a
large megaphone to enhance its influence and information operations in the
region.

44. Targeted influence topics have included messaging against the current U.S.

19
President, U.S. withdrawal from the Joint Comprehensive Plan of Action (“JCPOA”), anti-Israeli

narratives, and condemnation of Saudi Arabia, an Iranian adversary. Similarly, pro-Iranian,

inauthentic news media imitating authentic news sources have been produced by Iranian actors

and posted on websites that are prominent in search results for authentic news media.

45. The above demonstrates a history of intent, capability, and tactics by the Iranian

Government and the IRGC in creating inauthentic electronic content for use in mass, coordinated

disinformation campaigns, for the purpose of influencing public opinion regarding U.S. politics

and foreign policy.

Iran’s Current Covert Influence Campaign

46.

the following Target Domains were operated by or on

behalf of the IRGC: 4svideo.com, moqawemat.com, 3adalah.com, acilnews.com, aden-

alyoum.com, adentimes.net, afghanpulse.com, afghanwolas.com, aftruth.com,

ageofpakistan.com, al-sufia.com, alkhalijalyoum.com, almasirahpress.com,

almasirahtv.com, alnujaba.com, alraialqatari.com, alsudanalyoum.com, altanzil.net,

alwarka.net, ansar-allah.com, aynanewsagency.org, bashiqa.com, beritadunia.net,

faktru.com, fatemyoun.com, foresight-media.com, frpress24.com, haghighah.com,

hindkhabar.com, imamiatarbiat.com, iraqnewsservice.com, islahjo.com, iuvm.org,

iuvmpress.com, iuvmtech.com, iuvmtv.com, j-babel.com, jamekurdi.com, kashmirline.com,

20
ksastudies.net, kurdestantimes.com, libyaalmokhtar.com, maghrebiyon.com, marsadz.com,

masralkenana.com, mepanorama.net, naijafox.com, nilenetonline.com, nthnews.net,

pakonlinenews.com, pashtokhabar.com, pergiustizia.com, puketnews.com, qarura.com,

qudspal.net, raitunisia.com, risolattj.com, sachtimes.com, saghalein-ins.com, sayyidali.com,

sizinyol.com, syria-scope.com, tanincenter.com, theleadersnews.com, usjournal.net,

whatsupic.com, yaqeenagency.net and yemaniat.net.

following Target Domains were operated by or on behalf of the

IRGC: alkuwaitonline.com, bhpress24.com, iuvm.info, khabroona.com, ksatalks.com,

newsstand7.com, and saudiuncovered.com. This information, as described below, is consistent

with information that the FBI has obtained from open sources, U.S. internet service providers,

and through the use of criminal process which also indicates that the Government of Iran, and the

IRGC in particular, is behind this covert influence and disinformation campaign, and has

violated the Subject Offenses to advance this campaign.

21
48.

Liberty Front Press

49.

FireEye first publicly reported on Liberty Front Press activity in a report dated August 21, 2018,

entitled “Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites &

Social Media Targeting Audiences in U.S., UK, Latin America, Middle East.” FireEye provided

supplemental reporting regarding Liberty Front Press on September 7, October 19, November

15, and December 6, 2018; and February 1, March 18, and April 23, 2019.

As outlined in this Affidavit, the FBI believes the Target Domains

to be part of the Liberty Front Press network.

50. According to FireEye reporting, Liberty Front Press activity originated from Iran

and was aimed at audiences in the U.S., U.K., Latin America, and the Middle East. The Liberty

Front Press operation leverages a network of inauthentic news sites and clusters of associated

22
accounts across multiple social media platforms to promote political narratives in line with

Iranian interests. These narratives included anti-Saudi, anti-Israeli, and pro-Palestinian themes,

as well as support for specific U.S. policies favorable to Iran, such as the JCPOA.

51. FireEye assessed that Liberty Front Press originated from Iran-based actors based

on a combination of indicators, including website registration data, social media accounts linked

to Iranian phone numbers, and the promotion of content consistent with Iranian political

interests.

52. For example, registrant emails for two inauthentic news sites included in the

Liberty Front Press network, libertyfrontpress.com and institutomanquehue.org, were associated

with advertisements for website designers in Tehran and with the Iran-based site gahvare.com,

respectively. Furthermore, FireEye identified multiple Twitter accounts directly affiliated with

the sites, as well as other associated Twitter accounts, that were linked to phone numbers with

the +98 Iranian country code. Finally, FireEye observed inauthentic social media personas,

masquerading as American liberals supportive of a current U.S. Senator and former candidate for

U.S. President, heavily promoting Quds Day, a holiday established by Iran in 1979 to express

support for Palestinians and opposition to Israel, and which takes place on the last Friday of

Ramadan.

53. According to FireEye, the namesake of the Liberty Front Press network,

libertyfrontpress.com, publishes primarily political news stories related to the U.S., and language

used by social media accounts affiliated with the site portray it as operated by individuals based

in the United States. Much of the content on the site has been appropriated from legitimate news

23
sources, including Politico, RawStory, and CNN. Content that appears to be original to

libertyfrontpress.com contains poorly written English.

54. FireEye reported that the registration email for domain libertyfrontpress.com was

associated with several advertisements for website designers in Tehran from 2014. The

registration email for libertyfrontpress.com links the website to at least one other site identified

as part of the Liberty Front Press network. Furthermore, fake personas and social media

accounts linked to other websites identified as part of the Liberty Front Press network have

promoted libertyfrontpress.com

55. FireEye reported that libertyfrontpress.com has maintained social media accounts

on multiple platforms, including Twitter, Facebook, Instagram, Google Plus, and YouTube.

Most of these Twitter accounts are linked to phone numbers with the Iranian +98 country code,

despite listing their locations as being within the U.S. Many were created on the same day as at

least one other account, evidencing an organized and coordinated effort to promote the fake news

site. Most of libertyfrontpress.com’s affiliated social media accounts appear orientated toward

particular countries or regions. For example, of the accounts focused on the Middle East, three

of the Twitter accounts identified by FireEye focused on Palestinian themes, and others focused

on Yemen, Syria, Bahrain and potentially Qatar. These accounts have pushed content in line

with Iranian interests.

56. FireEye reported that the site’s original Twitter accounts, @libertyfrontpr and

@libertyfrontp, began tweeting content in April 2017 that included American-themed material,

such as photographs of the Statue of Liberty. The two accounts, which linked to

24
libertyfrontpress.com in their bios, also used language to suggest U.S. origins, such as the use of

“our country” in reference to the United States. In mid-July 2018, FireEye observed these two

accounts drop their direct affiliation with libertyfrontpress.com and rebrand under the pretense of

being operated by American liberals.

57. FireEye reported that the rebranded accounts heavily promoted Quds Day and

also tweeted general opposition to the current U.S. Presidential Administration. In July 2018,

two other Palestine-focused libertyfrontpress.com-affiliated accounts, @LFPressPalestin and

@QudsPalestine, changed their account names to @PalestinianRes (display name: “Palestinian

Resistance”) and @VoiceofQuds (display name: “Voice of Quds”), respectively. Collectively,

pro-Palestine, anti-Israel, anti-Saudi and anti-U.S. President themes appear to be common across

most of the libertyfrontpress.com-affiliated social media accounts, irrespective of their purported

regions and areas of focus.

58. Another domain reported on by FireEye as part of the Liberty Front Press

network, Target Domain usjournal.net, describes itself as “a genuinely independent online

media outlet dedicated to strengthening and supporting independent journalism, and to

improving the public’s access to independent information sources.” The website prominently

features material pertinent to Iranian interests; for example, the site’s “Around The World”

section, situated prominently at the top of the homepage, displays subsections titled “Yemen

Crisis,” “Syrian Civil War,” “Bahrain Revolution,” and “Palestinian Cause.”

59. FireEye reported that usjournal.net has maintained social media accounts on

Twitter, Facebook, and Instagram. The site’s official Twitter account, @USJOURNAL0, was

25
created on Aug. 19, 2017, and lists California, USA, as its location, but it is linked to a phone

number with the +98 Iranian country code.

60. FireEye reported that, prior to July 2018, usjournal.net listed an individual as a

writer for the site that FireEye assessed to be a fabricated persona created to promote US Journal

material. The “Elizabeth Tacher” persona’s Twitter (@BethTacher) and usjournal.net profile

pictures are taken from a French actress. The persona also has a Facebook page

(https://www.facebook. com/elizabeth.tacher.988) that listed usjournal.net pages among its

favorites, along with several pages that advocated for the impeachment of the current U.S.

President. According to FireEye, Twitter account @BethTacher has also promoted messaging

from the Iranian media organization Quest 4 Truth, which has been linked to the Iranian state-

owned media organization Press TV.

61. Based on a tip from FireEye, Facebook started its own investigation into Liberty

Front Press and identified additional accounts and pages from the network. Facebook reported

that some of the accounts attempted to conceal their location and primarily posted political

content focused on the Middle East, as well as the UK, U.S., and Latin America. Beginning in

2017, the accounts increased their focus on the UK and U.S. Facebook reported that accounts

and pages linked to Liberty Front Press typically posed as news and civil society organizations

sharing information in multiple countries, without revealing their true identity, and promoted a

pro-Iranian agenda. Based on the tip from FireEye, Facebook reported on August 21, 2018 that

it removed 652 pages, groups and accounts for coordinated inauthentic behavior that originated

in Iran and targeted people across multiple internet services in the Middle East, Latin America,

26
UK and U.S.

62. Facebook was able to link the Liberty Front Press network to Iranian state media

through publicly available website registration information, as well as the use of related IP

addresses and Facebook pages sharing the same admins. For example, according to Facebook,

one part of the network, “Quest 4 Truth,” claimed to be an independent Iranian media

organization, but is in fact linked to Press TV, an English-language news network affiliated with

Iranian state media.

63. Consistent with Facebook’s finding, Liberty Front Press’s activities are indicative

of a state-sponsored influence campaign. The anti-U.S., anti-Saudi and anti-Israeli material

being promoted is in line with Iranian foreign policy and similar to previously identified Iranian

covert influence campaigns. Also consistent with known Iranian covert influence campaigns, the

network accomplishes Iranian propaganda objectives by manipulating U.S. public discourse and

sowing discord in the American people through use of U.S. social media platforms and

inauthentic news media outlets.

the FBI believes

there is probable cause to believe the IRGC is directing this campaign and that the domains

associated with the Liberty Front Press activities are registered on behalf of the IRGC.

64. Furthermore, based on my training and experience, the breadth and sophistication

of the network is consistent with Iranian state-sponsored influence campaigns carried out by the

IRGC. Liberty Front Press represents a widespread, orchestrated and coordinated effort utilizing

potentially thousands of inauthentic domains and social media accounts to promote pro-Iranian

27
political interests. For example, in its investigation of Liberty Front Press to date, the FBI has

identified well over 1,000 domains, email accounts and social media accounts from Twitter,

Facebook, Instagram and YouTube, and the FBI believes that likely many more exist. In

addition, many of the personas used by the network appear well-crafted and detailed. For

example, persona “Liam Jay Campbell” claims to be “a journalist and English MA graduate from

Sacramento,” claims to have attended California State University, and maintains social media

accounts on Twitter and Reddit. It is unlikely that any Iran-based group or entity other than the

Government of Iran– or an organization supported by the Government of Iran, like the IRGC–

would have the resources to pursue an influence campaign as broad and sophisticated as Liberty

Front Press.

Additional Investigative Activity

65. As part of its investigation, the FBI conducted searches of publicly available

WHOIS domain name registration records. The FBI also obtained subscriber and transaction

records from the U.S.-based registrars for the Target Domains, as well as additional relevant

subscriber and transaction records from other U.S.-based service providers.

66. Subscriber and transaction records from OnlineNIC revealed that 43 Target

Domains—sizinyol.com, sayyidali.com, sachtimes.com, qudspal.net, qudspal.com,

nthnews.net, nilenetonline.com, libyaalmokhtar.com, jamekurdi.com, iuvmpress.org,

iuvmpress.net, iuvmpress.com, iuvm.org, islahjo.com, imamiatarbiat.com,

hindkhabar.com, haghighah.com, foresight-media.net, foresight-media.com, faktru.com,

beritadunia.net, aynanewsagency.org, ansar-allah.com, alsudanalyoum.org,

28
alsudanalyoum.com, almasirahtv.com, almasirahpress.com, afghanwolas.com,

acilnews.com, 3adalah.com, usjournal.us, usjournal.net, saghalein-ins.com, risolattj.com,

raitunisia.com, pergiustizia.com, pakonlinenews.com, marsadz.com, ksastudies.net,

iuvmtv.com, iuvmtech.com, fatemyoun.com, al-sufia.com, iuvm.info, iuvm.net, and

whatsupic.com—all belong to a single OnlineNIC account, associated with ID number 319223

and the name Amir Hossein Sadri, indicating they were registered by the same user(s). The

registrant Amir Hossein Sadri claims to be from Dubai and utilizes domain@atenahost.com as

his email address. According to open source research by the FBI, Atena Host is an Iran-based

web hosting company. Of the 43 Target Domains listed above, usjournal.us, usjournal.net,

saghalein-ins.com, risolattj.com, raitunisia.com, pergiustizia.com, pakonlinenews.com,

marsadz.com, ksastudies.net, iuvmtv.com, iuvmtech.com, fatemyoun.com, and al-sufia.com

were registered through a Tehran, Iran-based IP address, to wit: 80.75.14.116.

67. There is probable cause to believe that the registration information associated

with these domains is materially false and was fraudulently submitted to hide from OnlineNIC

that the true user of the domains is the IRGC, which would have prevented OnlineNIC from

providing registration services to these domains. As explained throughout, there is probable

cause to believe that these domains are part of an Iranian disinformation campaign. However,

the purported registrant claims to be located in Dubai, located in the United Arab Emirates—

which the FBI assesses is because the IRGC believed that OnlineNIC would be less likely to

scrutinize a registration made by an Emirati as opposed to an Iranian. However, both through the

content posted on these domains (which is consistent with Iranian foreign policy and consistent

29
with IRGC disinformation tactics) and registration data such as the Iran-based email address and

IP address, there is probable cause to believe that the registrant was actually acting on behalf of

the IRGC.

68. Subscriber and transaction records from OnlineNIC revealed that 19 Target

Domains—yemaniat.net, yaqeenagency.net, twtoday.net, pashtokhabar.com,

maghrebiyon.com, kashmirline.com, altanzil.net, alraialqatari.com, alkhalijalyoum.com,

alhadathps.com, ageofpakistan.com, aftruth.com, adentimes.net, aden-alyoum.com,

nationvoices.com, puketnews.com, kashmir-news.com, masralkenana.com,

islamipolitics.com, and masralkenana.com— all belong to a single OnlineNIC account,

associated with ID number 595619 and the name Ibrahim Hosein and email address

ibrahimhosein87@gmail.com. Based on the content of these domains being consistent with

Iranian foreign policy and IRGC disinformation tactics, as well as Iran-based logins to accounts

linked to several of the domains, there is probable cause to believe that these domains were

actually registered and operated on behalf of the IRGC.

69. Subscriber and transaction records from OnlineNIC revealed that 9 Target

Domains—qarura.com, naijafox.com, kurdestantimes.com, j-babel.com, bashiqa.com,

alwarka.net, iraqnewsservice.com, alnujaba.com and arbaeenpress.com—are associated with

account ID 590434 and the name “hussein ali,” along with an email address, to wit:

hosein.tamimi2011@gmail.com. Based on the content of these domains being consistent with

Iranian foreign policy and IRGC disinformation tactics, as well as Iran-based logins to accounts

linked to several of the domains, there is probable cause to believe that these domains were

30
actually registered and operated on behalf of the IRGC.

70. Legal process returns from Cloudflare, a U.S.-based company providing internet

infrastructure and security services, identified the following Iran-based IP addresses that utilized

its services: 5.160.10.154, 5.160.10.11, 5.160.10.149, 5.160.10.72, 5.160.10.131, 5.160.10.145,

5.160.10.146, 5.160.10.241, 5.160.10.140, 5.160.10.152, 5.160.10.148, 5.160.10.162,

5.160.10.236. Each of these Iran-based IP addresses begins with the same three octets 2–

5.160.10”–and a WHOIS query by the FBI revealed that IP addresses that begin with “5.160.10”

belong to the same Iran-based internet service provider Respina. These IP addresses were used

to access Cloudflare accounts which managed DNS settings for the following 72 Target

Domains: alkuwaitonline.com, ksastudies.net, jamekurdi.com, saghalein-ins.com,

yemaniat.net, pergiustizia.com, al-sufia.com, sayyidali.com, raitunisia.com, iuvm.org,

dailymulk.com, frpress24.com, afghanpulse.com, zonablanca.org, puketnews.com,

hindkhabar.com, iuvmpress.com, yaqeenagency.net, qudspal.net, uaealyoum.com,

usjournal.net, sizinyol.com, marsadz.com, iuvmtech.com, sachtimes.com, iuvm.info, aden-

alyoum.com, iraqnewsservice.com, qarura.com, aftruth.com, adentimes.net,

alsudanalyoum.com, faktru.com, naijafox.com, acilnews.com, almasirahpress.com,

whatsupic.com, masralkenana.com, theleadersnews.com, foresight-media.com,

afghanwolas.com, 3adalah.com, alwarka.net, alnujaba.com, ageofpakistan.com,

kurdestantimes.com, almasirahtv.com, pakonlinenews.com, iuvmtv.com, nthnews.net,

2
An “octet” is one of the four sections of an IP address. Each octet is distinguishable from another by the presence
of a decimal.

31
alraialqatari.com, islamipolitics.com, altanzil.net, imamiatarbiat.com, libyaalmokhtar.com,

haghighah.com, mepanorama.net, svetpress.com, risolattj.com, fatemyoun.com, ansar-

allah.com, saudiuncovered.com, ksatalks.com, nilenetonline.com, newsstand7.com,

beritadunia.net, maghrebiyon.com, bashiqa.com, j-babel.com, alkhalijalyoum.com,

qudspal.com, and iuvm.net.

Seyed Sajjad Shahidian and Payment24

71. On June 16, 2020, Seyed Sajjad Shahidian (“Shahidian”) pled guilty to one count

of conspiracy to commit offenses against and to defraud the United States in the United States

District Court for the District of Minnesota for his role in conducting financial transactions in

violation of U.S. sanctions against Iran. Shahidian was extradited from London, United

Kingdom following his arrest on November 11, 2018, and was subsequently indicted on

December 18, 2018.

72. According to the defendant’s guilty plea and documents filed in court, Payment24

was an internet-based financial services company with approximately 40 employees and offices

in Tehran, Shiraz, and Isfahan, Iran. The primary business of Payment24 was helping Iranian

citizens conduct prohibited financial transactions with businesses based in the United States,

including the unlawful purchase and exportation of computer software, software licenses, and

computer servers from United States companies. According to Payment24’s website, the

company charged a fee to circumvent “American sanctions,” and claimed to have brought in

millions of dollars of foreign currency into Iran.

73. On its website, Payment24 sold a package to assist its Iranian clients with making

32
online purchases from United States-based businesses, which included a PayPal account, a

fraudulent “ID card and address receipt,” a remote IP address from the United Arab Emirates,

and a Visa gift card. The Payment24 website also offered its clients advice on how to create

accounts with a foreign identity and how to avoid restrictions on foreign websites, including

advising clients to “never attempt to log into those sites with an Iranian IP address.”

74. According to the defendant’s guilty plea and documents filed in court, Shahidian

admitted to making material misrepresentations and omissions to United States-based businesses

regarding the destination of the United States-origin goods. In order to accomplish the

transactions, Shahidian obtained payment processing accounts from United States-based

companies like PayPal using fraudulent passports and other false residency documentation to

falsely represent that his customers resided outside of Iran. Shahidian admitted to opening

hundreds of PayPal accounts on behalf of his Payment24 customers who resided in Iran and to

unlawfully bringing millions of U.S. dollars into the economy of Iran.

Payment24 was used regularly to pay for the registration

of domains. Customers would go to Payment24’s website and provide the invoices for domains.

Payment24 would then pay the invoices on behalf of its customers using Shahidian’s PayPal

accounts. OnlineNIC was a domain registration company for which Payment24 paid customer

invoices. There was no way for ordinary Iranians to make payments to OnlineNIC because of

the sanctions regimes described above.

33
76. Subscriber and transaction records from OnlineNIC revealed that Paypal accounts

belonging to Shahidian and/or Payment24 were used to pay for OnlineNIC bills for account IDs

590434 and 272129 from 2016 to 2018. OnlineNIC accounts 590434 and 272129 were used to

register Target Domains alnujaba.com, alwarka.net, arbaeenpress.com, bashiqa.com,

iraqnewsservice.com, j-babel.com, jihadalbina.org, kurdestantimes.com, naijafox.com and

qarura.com.

77. Subscriber and transaction records from Namecheap showed that an account

belonging to Shahidian and/or Payment24 was used to pay for a purchase of the domain name

mepanorama.com and the renewal of mepanorama.org and Target Domain mepanorama.net

on July 10, 2016.

Twitter Report

78. On June 13, 2019, Twitter released an article by Yoel Roth, Head of Site Integrity

on Twitter, entitled, “Information operations on Twitter: principles, process, and disclosure.” In

the article, Twitter disclosed that 4,779 accounts were from Iran, and they believed that “all are

associated with—or directly backed by—the Iranian government” and were subsequently

removed by Twitter. Of the 4,779 accounts, 1,666 accounts were tweeting news content in line

with the views of the Iranian state, which Twitter considers “Platform Manipulation” and is in

violation of the Twitter Rules. Of the remaining accounts, 248 accounts were discussing issues

related to Israel, and 2,865 accounts were engaged in using “false personas to target

conversations about political and social issues in Iran and globally.”

79.

34
Notably, references to

Target Domains nilenetonline.com, mepanorama.net and sayyidali.com were tweeted by some

of the 4,779 accounts that were removed by Twitter.

The Target Domains

80. There is probable cause to believe that each of the Target Domains is property

which constitutes or is derived from proceeds traceable to violations of IEEPA, as they are used

by or on behalf of the IRGC, a component of the Government of Iran. Had the registrants of the

domains truthfully registered the domains as being used by or on behalf of the IRGC, the U.S.

service providers would not have provided hosting services as it is prohibited by U.S. sanctions

targeting the IRGC (described above). Additionally, Target Domains newsstand7.com,

usjournal.net, usjournal.us, and twtoday.net are also subject to seizure as they are property

that constitutes or is derived from proceeds traceable to violations of FARA.

The Target Domains are Property Constituting or are Derived from Proceeds Traceable to
Violations of IEEPA and FARA.

81. As described below, there is probable cause to believe that Target Domains

newsstand7.com, usjournal.net, usjournal.us, and twtoday.net are property which constitutes

or is derived from proceeds traceable to violations of IEEPA (because they are used by or on

behalf of the IRGC and the Government of Iran) as well as FARA. Neither the IRGC, nor any

individual or entity on the IRGC’s behalf, has registered with the Department of Justice for the

activities taking place using Target Domains newsstand7.com, usjournal.net, usjournal.us,

and twtoday.net. Furthermore, these Target Domains are not properly labeled pursuant to

FARA.

35
82. First, the both the Government of Iran and the IRGC are “Foreign Principals” as

defined by FARA. The term “government of a foreign country” includes any person or group of

persons exercising sovereign de facto or de jure political jurisdiction over any country, other than

the United States, or over any part of such country, and includes any subdivision of any such

group and any group or agency to which such sovereign de facto or de jury authority of functions

are directly or indirectly delegated. 22 U.S.C. § 611(e). Second, the operators of these domains

are acting as agents of the Government of Iran and the IRGC by engaging in political activities,

by attempting to influence any section of the public within the United States with reference to

formulating, adopting, or changing the domestic or foreign policies of the United States or with

reference to the political or public interests, policies, or relations of Iran, acting as information-

service employees by furnishing, disseminating, or publishing accounts, descriptions,

information, or data with respect to the political, industrial, employment, economic, social,

cultural, or other benefits, advantages, facts, or conditions or any country other than the United

States or of any government of a foreign country, and acting as a publicity agent by engaging,

directly or indirectly, in the publication or dissemination of oral, visual, graphic, written, or

pictoral information or matter of any kind. As these activities are taking place in the United

States, in that they are being published in English and targeting a United States audience, and

without the required registration with the Department of Justice,3 the user(s) of Target Domains

3To be clear, registration pursuant to FARA does not require a foreign agent to alter the content of its
publications in any manner; indeed, if registered as required, a foreign agent would be free to facilitate the
production, publication, and dissemination of any content it chooses. Registration would simply allow the
American public consuming such content to be fully informed regarding the foreign principal behind it.

36
newsstand7.com, usjournal.net, usjournal.us, and twtoday.net are violating FARA.

83. Target Domain newsstand7.com.

newsstand7.com was operated by or on behalf of

the IRGC. Open source research by the FBI showed that the home page of English-language

newsstand7.com stated “Awareness Made America Great.” The website further stated that

News Stand 7 provides fact-based news and views from around the country seven days a week to

boost political awareness among Americans, indicating a U.S. target audience. This domain

hosts media that constitutes political activity as defined by FARA. For example, the domain

included several headlines that are in line with Iranian interests and presented a critical

perspective of U.S. issues, including rhetoric like an article targeting the current U.S. President

entitled, “[U.S. President] denies systemic racism in Kenosha, blames democrats for unrest.”

Another article entitled “[U.S. President] helping Bibi to overtake Israel with the support of Arab

allies” shows a cartoon of the current U.S. President with caption, “Don’t worry about anything

[sic] You will achieve entire Palestine with the help of Saudi Arabia.” Further, the domain

highlighted an article entitled, “Buying Iranian Missiles would be a ‘Good Idea’ says Nicolas

Maduro.” The FBI assesses that these articles are consistent with Iranian foreign policy in

general and IRGC disinformation tradecraft in particular. According to

www.pressreleasepoint.com/news-stand-7, newsstand7.com is “run by a small team of political

science students who work seven days a week to provide fact-based news and views from around

the country.” However, FBI investigation has revealed probable cause to believe that the domain

37
is actually being operated on behalf of the IRGC.

84. Subscriber and transaction records from Namecheap revealed an individual from

Biloxi, Mississippi as the registrant for newsstand7.com. Law enforcement database queries by

the FBI revealed an individual by that name located in Biloxi, Mississippi. On September 9,

2020, the FBI contacted that individual. That individual was not aware of Target Domain

newsstand7.com nor its registrant email, demonstrating the fraudulent use of that individual’s

identity to procure the newsstand7.com domain. In addition, subscriber records from Google

for the registrant email revealed that the account was registered from Iran-based IP address

89.196.111.167. The FBI assesses that the domain was fraudulently registered in the name of a

U.S. person to obscure its actual use by the IRGC.

85. The records further revealed that IP address 5.254.77.139 was used by the owner

of Target Domains newsstand7.com and frpress24.com to log in to their Namecheap accounts

within weeks of each other. The records further revealed that newsstand7.com and

frpress24.com were created and re-registered on the same days—March 11, 2019 and March 11,

2020—further indicating these Target Domains are operated by the same user(s).

86. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for newsstand7.com was a subdomain of cloudflare.com, indicating that

newstand7.com utilizes or has utilized Cloudflare for domain name resolution services.

Cloudflare, Inc. is an American web-infrastructure and website-security company that provides

content-delivery-network services, distributed denial of service mitigation, Internet security, and

distributed domain-name-server services. Subscriber and transaction records from Cloudflare for

38
newsstand7.com revealed user logins from Iran-based IP address 5.160.10.72.

87. Target Domain usjournal.net.

usjournal.net was operated by or on behalf of the

IRGC. According to OFAC, the IRGC is a Specially Designated National whose assets are

blocked and with whom U.S. persons are prohibited from doing business.

88. According to FireEye, usjournal.net described itself as “a genuinely independent

online media outlet dedicated to strengthening and supporting independent journalism, and to

improving the public’s access to independent information sources.” However, the domain

prominently features material pertinent to Iranian interests, which is consistent with IRGC

disinformation tradecraft. For example, the domain’s “Around The World” section, situated

prominently at the top of the homepage, displays subsections titled “Yemen Crisis,” “Syrian

Civil War,” “Bahrain Revolution,” and “Palestinian Cause,” which the FBI assesses is designed

to influence a segment of the United States public with regard to U.S. foreign policy toward the

region in an attempt to favor Iranian policy objectives.

89. Additional information suggests that the domain is not an authentic source of

news and opinion, but a front for IRGC influence operations. For example, FireEye further

reported that usjournal.net has maintained social media accounts on Twitter, Facebook, and

Instagram. The website’s official Twitter account @USJOURNAL0 was created on Aug. 19,

2017, and although it listed California, USA as its location, @USJOURNAL0 was linked to a

phone number with the +98 Iran country code. FireEye further reported that, prior to July 2018,

usjournal.net listed an individual as a writer for the site that FireEye assessed to be a fabricated

39
persona, “Elizabeth Tacher” (described above), created to promote U.S. journalistic material.

90. According to the FireEye report, IP address 195.201.83.157 hosted a subdomain

of usjournal.net and Target Domain risolattj.com, indicating these domains were controlled by

the same user(s).

91. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for usjournal.net was a subdomain of cloudflare.com, indicating that

usjournal.net utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for usjournal.net revealed user logins from

Iran-based IP addresses, including 185.176.58.122, 185.212.192.195, and 2.179.167.46.

92. Subscriber and transaction records for usjournal.net from OnlineNIC revealed an

individual located in Palo Alto, California as the registrant. Subscriber and transaction records

further revealed, however, Iran-based registration IP address 80.75.14.116, indicating an Iran-

based user registered usjournal.net with OnlineNIC using a false identity.

93. Subscriber and transaction records from OnlineNIC further revealed that

usjournal.net is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

94. Target Domain usjournal.us. Target Domain usjournal.us shares a second-

level domain name (“usjournal”) with Target Domain usjournal.net. I know based on my

training and experience that—due to the low cost of registering a domain, the competitive nature

of obtaining a particular domain name, and the desire to protect a company’s brand—it is good

40
business practice for the registrant of a domain to register the desired second-level domain name

(e.g., “usjournal”) multiple times using different top-level domains (e.g., “.net” or “.us”).

Accordingly, usjournal.us having a second-level domain name identical to Target Domain

usjournal.net suggests the two domains were registered by the same user(s).

95. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for usjournal.us was a subdomain of cloudflare.com, indicating that

usjournal.us utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for usjournal.us revealed user logins from Iran-based

IP addresses, including 5.160.10.154, 94.183.179.46, and 5.106.233.14.

96. Subscriber and transaction records from OnlineNIC revealed that usjournal.us is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

97. Target Domain twtoday.net. Open source research by the FBI revealed that

twtoday.net engaged in political activity by publishing content casting U.S. military actions in a

negative light as well as content in support of Iranian leaders and activists in an attempt to

influence a segment of the United States public to change the foreign policies of the United

States to favor Iran.

98. A search of publicly available WHOIS domain name registration records for

twtoday.net revealed a registrant name of “Abdur Raheem” and a registrant email of

“twtoday2019@gmail.com.” The registration records further revealed a registrant location of

Beirut, Lebanon.

41
99. Subscriber and transaction records from Google for registrant email

twtoday2019@gmail.com revealed an Iran-based terms of service IP address of 185.176.58.122

from Qom, Iran.

100. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for twtoday.net was a subdomain of cloudflare.com, indicating that

twtoday.net utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for twtoday.net revealed user logins from multiple Iran-

based IP addresses, including 2.179.129.116, 185.176.58.122, and 94.183.179.46.

101. Subscriber and transaction records from OnlineNIC revealed that twtoday.net is

one of 19 Target Domains that were registered by OnlineNIC account ID 595619 with account

name Ibrahim Hosein, indicating the 19 Target Domains are maintained in the same account.

, a number of domains were being operated on

or behalf of the IRGC. According to OFAC, the IRGC is a Specially Designated National

whose assets are blocked and with whom U.S. persons are prohibited from doing business. 4

The domains

4svideo.com, moqawemat.com, 3adalah.com, acilnews.com, aden-alyoum.com,

4
IEEPA is content-neutral and does not seek to prohibit or influence speech. It does, however, prohibit the
providing of services to sanctioned entities and individuals.

42
adentimes.net, afghanpulse.com, afghanwolas.com, aftruth.com, ageofpakistan.com, al-

sufia.com, alkhalijalyoum.com, almasirahpress.com, almasirahtv.com, alnujaba.com,

alraialqatari.com, alsudanalyoum.com, altanzil.net, alwarka.net, ansar-allah.com,

aynanewsagency.org, bashiqa.com, beritadunia.net, faktru.com, fatemyoun.com, foresight-

media.com, frpress24.com, haghighah.com, hindkhabar.com, imamiatarbiat.com,

iraqnewsservice.com, islahjo.com, iuvm.org, iuvmpress.com, iuvmtech.com, iuvmtv.com, j-

babel.com, jamekurdi.com, kashmirline.com, ksastudies.net, kurdestantimes.com,

libyaalmokhtar.com, maghrebiyon.com, marsadz.com, masralkenana.com,

mepanorama.net, naijafox.com, nilenetonline.com, nthnews.net, pakonlinenews.com,

pashtokhabar.com, pergiustizia.com, puketnews.com, qarura.com, qudspal.net,

raitunisia.com, risolattj.com, sachtimes.com, saghalein-ins.com, sayyidali.com,

sizinyol.com, syria-scope.com, tanincenter.com, theleadersnews.com, usjournal.net

(described above), whatsupic.com, yaqeenagency.net, and yemaniat.net are therefore subject

to seizure as property which constitutes or is derived from proceeds traceable to violations of

IEEPA.

103. Target Domain frpress24.com. Open source research by the FBI revealed that

frpress24.com is a French-language news website aimed at target audiences interested in France,

the Middle East, and/or the United States. The website’s homepage claimed a location of

“CA50932 Pasadena” and included the tagline “A coffee break in the United States and

elsewhere is a short rest period granted to employees in business and industry. An afternoon

coffee break, or afternoon tea, often occurs as well.” Open source research by the FBI revealed

43
that zip code 50932 is not a valid zip code in Pasadena, California or anywhere in the United

States. Furthermore, subscriber and transaction records for frpress24.com from Namecheap

revealed a registrant name and address of

104. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for frpress24.com was a subdomain of cloudflare.com, indicating that

frpress24.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for frpress24.com revealed user logins from

Iran-based IP address 5.160.10.72.

105. Subscriber and transaction records from Namecheap.com further revealed that IP

address 5.254.77.139 was used by frpress24.com and Target Domain newsstand7.com within

weeks of each other. Subscriber and transaction records also revealed that frpress24.com and

newsstand7.com were created and re-registered on the same days—March 11, 2019 and March

11, 2020, respectively—further indicating these Target Domains are operated by the same

user(s).

106. Target Domain whatsupic.com. According to FireEye, whatsupic.com

“describes itself as a news website, ‘primarily dedicated to news happening in western

Europe.’” FireEye identified social media accounts associated with the website on Twitter,

Facebook, Instagram, YouTube, Google+, and Telegram as having material “in line with Iranian

interests, for example, eulogies of Iranian ‘martyrs’ who died fighting in Syria.” FireEye

identified the servers on which whatsupic.com was hosted as Iranian nameservers

44
ns1.iranhost.com and ns2.iranhost.com.

107. A historical WHOIS analysis on whatsupic.com revealed Iran-based registrant

email migratedomain@iranhost.com and Iran-based fax number +98.10115876353, although

other registrant information stated other location information in Germany, which indicates the

registrant was attempting to obfuscate their Iran-based location.

108. Historical WHOIS records identified whatsupic2015@gmail.com as a registrant

email from 2016. Subscriber and transaction records from Google for email address

whatsupic2015@gmail.com revealed Iran-based IP address 5.160.10.140.

109. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for whatsupic.com was a subdomain of cloudflare.com, indicating that

whatsupic.com utilizes or has utilized Cloudflare for domain name resolution services. Legal

process returns from Cloudflare on whatsupic.com revealed user logins from multiple Iran-

based IP addresses, including 5.160.10.149, 185.212.192.209, and 185.212.192.195.

110. FireEye reported that IP address 78.46.102.123 was used by Target Domains

whatsupic.com, alsudanalyoum.com, raitunisia.com, nilenetonline.com, mepanorama.net,

haghighah.com, beritadunia.net, nthnews.net and pakonlinenews.com, as well as other

domains identified as part of the Liberty Front Press network. FireEye further reported that IP

address 5.9.200.236 was used by Target Domains whatsupic.com, beritadunia.net and

whatsupic.net, as well as other domains identified as part of the Liberty Front Press network. In

addition, IP address 67.205.99.12 hosted Target Domains whatsupic.com, nilenetonline.com

and haghighah.com. FireEye further reported that the email used in 2014 to register Target

45
Domain sachtimes.com—KelvinMiddelkoop@hotmail.com—was used to register

whatsupic.com. FBI investigation further identified historical administrative and

subscriber connections among whatsupic.com, afghanwolas.com, ansar-allah.com,

faktru.com, imamiatarbiat.com, jamekurdi.com, kashmir-news.com, nationvoices.com,

nilenetonline.com, qudspal.net, sachtimes.com and sayyidali.com.

111. FireEye reported that email address mahdi.center2020@gmail.com was used to

register Target Domains nilenetonline.com, afghanwolas.com, and whatsupic.com. A search

of historical WHOIS domain name registration records revealed that

mahdi.center2020@gmail.com was used to register Target Domain sayyidali.com in 2014.

112. Subscriber and transaction records from OnlineNIC revealed that whatsupic.com

is one of 43 Target Domains that were registered using OnlineNIC account ID number 319223,

which is associated with account name Amir Hossein Sadri, indicating the 43 Target Domains

were registered by the same user(s).

113. Target Domain mepanorama.net. According to FBI open source research and

a machine-based translation of mepanorama.net, the domain (which associates itself with

Lebanese Panorama Middle East) proclaims itself a news site that has been concerned with Arab

and international affairs for more than ten years and considers itself an important and resistant

voice regarding vulnerable and oppressed people of the region and scandalous plots against the

Islamic nation. The domain also claimed that it was subjected to a large number of cyber-attacks

that led to the blocking of some of its social media pages, including an attack that blocked its

page on Twitter, forcing the domain to create a new page. Open source research by the FBI

46
revealed that Twitter account @mepNewsAgency linked to mepanorama.net was suspended for

violating Twitter’s rules.

114. According to FireEye, IP address 78.46.102.123 was used by Target Domains

mepanorama.net, alsudanalyoum.com, raitunisia.com, whatsupic.com, nilenetonline.com,

haghighah.com, beritadunia.net, nthnews.net and pakonlinenews.com, as well as other

domains identified as part of the Liberty Front Press network. FireEye reported

that mepanorama.net was initially registered to an individual named “AL PANCHO” in Detroit,

Michigan on August 26, 2016. FireEye further reported that the domain’s associated Twitter

handle @mepNewsAgency was linked to a phone number with a +98 Iranian country code.

115. Subscriber and transaction records from Namecheap Inc. for mepanorama.net

confirmed a registrant name of “AL PANCHO” and a registrant address of “1434 DETROIT MI,

16456.” The registrant address does not follow standard conventional formatting for a physical

address in the United States, and open source research by the FBI confirmed that the registrant

address is not an authentic address. Law enforcement database queries by the FBI did not

identify any person by the name of “Al Pancho” or any similar name in the Detroit, Michigan

area. Historical WHOIS records showed that email address al.pancho@live.com was used as the

registrant email address for mepanorama.net from August 2014 through December 2014.

According to subpoena returns from Microsoft, the user of al.pancho@live.com identified their

country as Canada when registering the account, further indicating the use of a fake identity to

register mepanorama.net.

116. Subscriber and transaction records from Namecheap showed that an account

47
belonging to Shahidian and/or Payment24 was used to pay for a purchase of domain

mepanorama.com and the renewal of mepanorama.org and Target Domain mepanorama.net on

July 10, 2016. Additionally, on October 16, 2017, money was transferred to Namecheap via

Paypal to make payments on mepanorama.net from animation.pro.co@gmail.com. Subscriber

records from Google show that animation.pro.co@gmail.com was registered on May 2, 2017

using Iran-based phone number +98 9373562529.

117. Target Domain afghanpulse.com. According to open source research by the

FBI, English-language afghanpulse.com described itself as “an innovative online media base

committed to inform the world about the real Afghanistan regarding issues bordering on human

rights, conflict, politics, economics and other relating issues. However, presented not from a

typical viewpoint portrayed about Afghanistan in the last seventeen years. AfghanPulse works

independently to discover essential causes crucial in gaining a better and more honest

understanding of Afghanistan.” Several articles referenced Iran and portrayed it in a positive

light.

118. Subscriber and transaction records for afghanpulse.com from Namecheap

revealed a registrant name of “andishe salim” and a registrant address of Stockholm, Sweden.

119. Further analysis of the Namecheap returns identified a PayPal account linked to

email address ravadgroup@gmail.com that was used for payment of afghanpulse.com on

January 1, 2019. Open source research by the FBI revealed that email address

ravadgroup@gmail.com was affiliated with organization “Ravad Fooz Group LLC” and Iran

when Twitter account EXO Worldwide Union @WWEXOL tweeted on October 27, 2018

48
regarding a donation received by Ravad Fooz Group LLC, stating, “A huge thank you to Iranian

EXOLs and @ExoSupport_ir for donating $1,040 USD to our non-shipback albums project!” 5

120. Further, subscriber records from Google for ravadgroup@gmail.com revealed

Iran-based recovery SMS phone number +98 9373562529, indicating the registrant was

attempting to obfuscate their Iran-based location to procure the afghanpulse.com domain.

121. Target Domain 4svideo.com. According to a machine-based translation,

Arabic-language 4svideo.com claims to be a Syrian domain that monitors current events both

inside Syria and abroad.

122. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for 4svideo.com was a subdomain of cloudflare.com, indicating that

4svideo.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare revealed that Target Domains 4svideo.com and syria-

scope.com were both hosted on IP address 178.32.126.97, indicating they are hosted on the same

server and therefore under the control of the same user(s).

123. Target Domain sayyidali.com. Open source research by the FBI revealed that

sayyidali.com revealed that it is a website that consists of a “network of interested people in

Ayatollah Sayyid Ali Khamenei’s personality and thoughts” in addition to anti-U.S. and other

messaging in line with Iranian policies. For example, one of its posts stated, “Did you observe

the barbaric behavior of ISIS? The U.S. government is even more barbaric than ISIS. The U.S.

regime is the same system that created ISIS and the like.” A cybersecurity company Clearsky

5
According to https://twitter.com/wwexol/status/1056316749824516096.

49
report stated the content on sayyidali.com was copied from Iranian site khamenei.ir.

124. A search of publicly available WHOIS domain name registration records revealed

historical registration information showing a registrant first from Germany, then from Iran, and

then from the United Arab Emirates, likely evidencing an attempt by the registrant to obfuscate

their true location and identity.

125. Analysis by the FBI of historical administrative and subscriber information for

sayyidali.com revealed connections with Target Domains whatsupic.com, afghanwolas.com,

ansar-allah.com, faktru.com, imamiatarbiat.com, jamekurdi.com, kashmir-news.com,

nationvoices.com, nilenetonline.com, qudspal.net and sachtimes.com. Subscriber information

for sayyidali.com revealed registrant phone number +97 5873678, the same registrant phone

number used by Target Domains qudspal.com, sayyidali.com, iuvm.info, and sachtimes.com,

which indicates that these accounts are not independent domains as they purport to be.

126. Historical WHOIS records showed that on March 2, 2011, sayyidali.com

registrant “Morva” used email address bahger.nasiry@gmail.com, a location of Tehran, and Iran-

based phone +98 55827283, to register the domain. Further, WHOIS records showed that email

address madhi.center2020@gmail.com was used to register sayyidali.com in 2014. FireEye

reported that email address mahdi.center2020@gmail.com was used to register Target Domains

nilenetonline.com, afghanwolas.com and whatsupic.com.

127. Historical WHOIS records revealed seyyidalieditorial@gmail.com was used to

register sayyidali.com on September 30, 2020. Subscriber and transaction records from Google

for seyyidalieditorial@gmail.com revealed its association with Iran-based IP address 2.191.2.86

50
from Tehran.

128. Subscriber and transaction records from OnlineNIC revealed that sayyidali.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

129. Target Domain pergiustizia.com. Open source research by the FBI regarding

Target Domain pergiustizia.com revealed an Italian-language site with messaging in line with

Iranian interests. For example, the domain posted an article titled “Israeli regime complicit in

the Srebrenica genocide” (machine translated). In addition, Twitter account @Pergiustizia,

associated with pergiustizia.com, posted tweets sympathetic to the death of Iranian General

Suleimani.

130. Historical WHOIS records for pergiustizia.com from February 2, 2017 to May 4,

2018 listed the name Luca Brescia, located in Italy, and email address

brescia.luca15@gmail.com, as the registrant for the domain. According to subscriber records

from Google, brescia.luca15@gmail.com was registered on January 30, 2017 from Iran-based IP

address 78.158.161.153 and listed Iran-based phone number +98 9308290425 as the recovery

SMS number for the account.

131. Subscriber and transaction records from OnlineNIC revealed that

pergiustizia.com is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

51
132. Target Domain fatemyoun.com. Open source research by the FBI showed that

fatemyoun.com is a Persian-language site associated with Lashkar-e-Fatemiun, as stated by the

domain as a “force of Mujahideen and defenders of the Afghan sanctuary.”

133. Subscriber and transaction records from OnlineNIC revealed that fatemyoun.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

134. WHOIS domain name registration records for fatemyoun.com from August 30,

2017 to May 31, 2020 listed registrant name Mohammad Fazel and registrant email

mohammadfazel93@yahoo.com. The WHOIS domain name registration records listed a

registrant location of Herat, Afghanistan, but subscriber and transaction records from Yahoo for

mohammadfazel93@yahoo.com showed that the account was registered on November 4, 2012

from Iran-based IP address 188.158.100.1. Login records for this account show dozens of logins

from Iran-based IP addresses belonging to Irancell, an Iranian telecommunications company,

between September 8, 2019 and August 12, 2020. This indicates that the location information

provided to OnlineNIC was false.

135. Target Domain al-sufia.com. Target Domain al-sufia.com is an Arabic-

language site that, according to the domain, consists of a “group of researchers and investigators

in the field of Sufism.” Subscriber and transaction records from OnlineNIC revealed that al-

sufia.com is one of 43 Target Domains that were registered by OnlineNIC account ID 319223

with account name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the

same user(s).

52
136. Historical WHOIS records show that from June 2016 to June 2020, email address

karimzayed2010@hotmail.com was used as the registrant email for al-sufia.com. Subscriber

records from Microsoft showed that although the user stated their country location as Egypt, the

only login information is from Iran-based IP address 46.32.5.5.

137. Target Domain ksastudies.net. The domain ksastudies.net is an Arabic-

language site which included articles regarding Saudi Arabia and US relations. Articles include

messages in line with Iranian rhetoric, for example, an anti-Saudi Arabian report titled

“Circumstances around the Human Rights Watch report on prisoners without trial in the

Kingdom” and “American Policy Toward Saudi Arabia: Establishing Dependency.” In another

article, ksastudies.net states that the U.S. seeks changes in foreign policy which will “punish

Qatar and pressure Iran... and win millions.”

138. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for ksastudies.net was a subdomain of cloudflare.com, indicating that

ksastudies.net utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for ksastudies.com reveals login activity

from Iran-based IP address 2.179.167.46, 5.160.10.154, and 185.212.192.209.

139. Subscriber and transaction records from OnlineNIC revealed that ksastudies.net

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

140. Target Domain marsadz.com. According to FireEye, marsadz.com “is an

Arabic-language news site focusing on Algeria” and contains material in line with Iranian state

53
interests. Additionally, FireEye reported that IP address 78.46.126.234 was used by Target

Domains marsadz.com, raitunisia.com, and alsudanalyoum.com, which suggest these

accounts are not independent of each other. FireEye further reported that Target Domain

libyaalmokhtar.com listed a Facebook page associated with marsadz.com in its related pages

section, further suggesting these Target Domains are not independent of one another.

141. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for twtoday.net was a subdomain of cloudflare.com, indicating that

twtoday.net utilizes or has utilized Cloudflare for domain name resolution services. Legal

process returns from Cloudflare on marsadz.com reveals login activity from Iran-based IP

addresses which include, but are not limited to, 2.179.167.46, 5.160.10.11, and 5.160.10.154

142. Subscriber and transaction records from OnlineNIC revealed that marsadz.com is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

143. Target Domain saghalein-ins.com. Research by the FBI shows that domain

saghalein-ins.com is a Persian-based site heavily focused on the Qur’an and has images of

prominent Iranian leaders.

144. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for saghalein-ins.com was a subdomain of cloudflare.com, indicating that

saghalein-ins.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for saghalein-ins.com revealed user logins

from several Iran-based IP addresses, including 5.160.10.72, 5.113.16.102, and 5.114.176.54.

54
145. Subscriber and transaction records from OnlineNIC revealed that saghalein-

ins.com is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with

account name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the

same user(s).

146. Target Domain acilnews.com. Research by the FBI identifies acilnews.com

as a Turkish-language site that promotes pro-Iranian messaging. While it claims to be Turkish,

most of the posted articles pertain to Arab countries, including articles regarding the

relationships between Hamas and Hezbollah. In one article, a Turkish, Russian, and Iranian flag

are shown together.

147. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for acilnews.com was a subdomain of cloudflare.com, indicating that

acilnews.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare.com for acilnews.com revealed login activity

from Iran-based IP addresses 5.112.70.111, 5.160.10.11, and 5.114.176.54.

148. Subscriber and transaction records from OnlineNIC revealed that acilnews.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

149. Target Domain qudspal.net. According to FireEye, qudspal.net, previously

qudspal.com and qudspal.org, is a news site focused on Palestinian issues. The domain contains

material in line with Iranian interests, including anti-Israel, anti-Saudi, and anti-Current U.S.

President narratives. For example, FireEye noted an article on qudspal.net regarding criminal

55
charges against Saudi crown prince Mohammed bin Salman. FireEye reported that IP address

46.4.69.232 was used by Target Domains qudspal.com and libyaalmokhtar.com. Analysis by

the FBI of historical administrative and subscriber information for qudspal.net revealed

connections with Target Domains whatsupic.com, afghanwolas.com, ansar-allah.com,

faktru.com, imamiatarbiat.com, jamekurdi.com, kashmir-news.com, nationvoices.com,

nilenetonline.com, sachtimes.com and sayyidali.com.

150. A search of publicly available WHOIS domain name registration records revealed

historical registration information showing a registrant first from Germany, then from Iran, and

then from the United Arab Emirates, likely evidencing an attempt by the registrant to obfuscate

their true location and identity. Subscriber information for qudspal.net revealed registrant

phone number +97 5873678, the same registrant phone number used by Target Domains

sayyidali.com, iuvm.info, and sachtimes.com, which indicates that these accounts are not

independent domains as they purport to be.

151. Subscriber and transaction records from OnlineNIC revealed that qudspal.net is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

152. Historical WHOIS records for qudspal.net show that it was registered with

eb.erfani@gmail.com as the registrant email account in 2014. This email address was also used

to register Target Domains qudspal.com and imamiatarbiat.com. According to subscriber

records from Google, eb.erfani@gmail.com uses Iran-based phone number +98 9194046614 for

recovery SMS, sign in, and two-step verification phone numbers. Between December 17, 2019

56
and August 1, 2020, the user of this email account logged in from Iran-based IP addresses dozens

of times.

153. Legal process returns from Cloudflare on qudspal.net revealed user logins from

Iran-based IP addresses which include 185.212.192.209, 5.160.10.72, and 5.106.66.35.

154. Target Domain sachtimes.com. According to FireEye, sachtimes.com is an

Urdu-language news site focused on Pakistan. Open source research by the FBI revealed that the

domain shows anti-Israeli rhetoric in line with Iranian propaganda. For example, there is an

article titled “Poll | Most [sic] Israeli are unhappy with Netanyahu’s incompetence” and “Israel a

training ground for Indian police oppression over Muslims.” A search of the associated Twitter

account @SachTimesen revealed that the account was suspended by Twitter for violating Twitter

rules.

155. FireEye reported that the registrant email in 2014 for sachtimes.com

was KelvinMiddelkoop@hotmail.com, the same email address used to register Target Domain

whatsupic.com. Subscriber information for sachtimes.com revealed registrant phone number

+97 5873678, the same registrant phone number used by Target Domains

sayyidali.com, iuvm.info, and qudspal.com, indicating these accounts are not independent of

each other. Analysis by the FBI of historical administrative and subscriber information for

sachtimes.com revealed connections with Target Domains whatsupic.com, afghanwolas.com,

ansar-allah.com, faktru.com, imamiatarbiat.com, jamekurdi.com, kashmir-news.com,

nationvoices.com, nilenetonline.com, qudspal.net and sayyidali.com.

156. Publicly searchable WHOIS database queries on another Target Account

57
iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

157. Cybersecurity company Clearsky reporting revealed that the content on

sachtimes.com was copied from Iranian website khamenei.ir and Pakistani website samaa.tv,

demonstrating the inauthenticity of sachtimes.com.

158. Subscriber and transaction records from OnlineNIC revealed that sachtimes.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

159. WHOIS domain name registration records for sachtimes.com from August 13,

2012 to August 14, 2014 listed “Erfani” as the registrant using email account

erfan.20063@yahoo.com. Subscriber and transaction records for erfan.20063@yahoo.com from

Verizon show that the account was registered on August 14, 2008 using erfan.hamed@chmail.ir

as an alternate email address and listed the country of the subscriber as Iran.

160. According to historical WHOIS records, on May 7, 2015 sachtimes.com was

registered using email address mohammad.salim2015@hotmail.com. Subscriber records from

Microsoft showed that mohammad.salim2015@hotmail.com logged into the Microsoft Store

58
from Iran-based IP address 5.160.16.107 on March 31, 2015.

161. Historical WHOIS information for sachtimes.com showed that from August 2015

until February 2020, sachtimes.com used mrs.neelam@hotmail.com as the registration email

address. Subscriber records from Microsoft revealed that the user of this account logged into

Skype from Iran-based IP address 5.160.22.110 on June 20, 2015.

162. Target Domain theleadersnews.com. According to FireEye,

theleadersnews.com “focuses on India-related news” and presents messaging “in line with

Iranian interests, including anti-U.S., anti-Saudi, and anti-Israel material.” FireEye further

reported that theleadersnews.com also posted articles from International Union of Virtual Media

(“IUVM”) Press and the Iranian news outlet Mehr News and articles from the official state

media of Iran’s ally Syria.” According to FireEye, IUVM “is a network of websites and social

media accounts that appears to promote Iranian state messaging and other material directly in

line with Iranian interests.” FireEye further reported that the domain’s associated Twitter

account under name “The Leaders News” is linked to a phone number with an Iranian country

code.

163. Open source research by the FBI revealed that theleadersnews.com displayed

several articles in line with Iranian interests, including an article entitled “[Current U.S.

President] Doesn’t Scare Iran” and “Iran car tire production vol. Hits 27% growth in 5 months.”

The domain asserts on its “About Us” page that “‘The Leaders’ is an independent media project

not affiliated with any organization, government, or country.”

164. FBI analysis of historical WHOIS domain registration records revealed that email

59
address ashrafzaidi86@gmail.com, used to register theleadersnews.com in March 2017, was

also used to register domain iuvmindia.com, an IUVM network domain. This demonstrates that

theleadersnews.com and IUVM network sites are not independent from each other.

165. FireEye reported that registrant email address ashrafzaidi86@gmail.com was

associated with Twitter account @ashrafzaidi86, which “lists theleadersnews.com” in its bio and

material in line with Iranian interests. FireEye further reported that, among @ashrafzaidi86’s

early tweets, the user featured a photograph of people captioned “International Union of Virtual

Media” or IUVM. In addition, Twitter account @ashrafzaidi86 included links to Target Domain

sachtimes.com, demonstrating connections among theleadersnews.com, sachtimes.com and

the IUVM network domains.

166. According to subscriber records from Google, ashrafzaidi86@gmail.com uses

theleadersnews2017@gmail.com as a recovery email address. Although

ashrafzaidi86@gmail.com was registered with India-based phone number +91 9891942372, and

frequently logged in from India-based IP addresses between December 8, 2019 and August 17,

2020, on December 24, 2019, ashrafzaidi86@gmail.com logged in from Iran-based IP address

37.98.119.69.

167. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for theleadersnews.com was a subdomain of cloudflare.com, indicating that

theleadersnews.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for theleadersnews.com revealed user logins

from Iran-based IP addresses, including 5.160.10.11, 5.160.10.154, and 185.212.192.209.

60
168. Target Domain imamiatarbiat.com. Open source research by the FBI revealed

that imamiatarbiat.com is aimed at a Pakistani audience. Its associated Twitter account

@idaratarbiat has been suspended by Twitter for violating Twitter Rules. Subscriber and

transaction records from OnlineNIC revealed registrant email address

kavehkhaleghi@hotmail.com. Email address kavehkhaleghi@hotmail.com was also used to

register Target Domains iuvmpress.org, iuvmpress.net, and iuvmpress.com, which indicates

these domains are not independent of each other. Analysis by the FBI of historical WHOIS

information for imamiatarbiat.com revealed connections with Target Domains whatsupic.com,

afghanwolas.com, ansar-allah.com, faktru.com, jamekurdi.com, kashmir-news.com,

nationvoices.com, nilenetonline.com, qudspal.net, sachtimes.com and

sayyidali.com. Furthermore, cybersecurity company Clearsky reporting revealed that

imamiatarbiat.com content was copied from bbc.com/urdu, further indicating the inauthentic

nature of the domain.

169. Subscriber and transaction records from OnlineNIC revealed that

imamiatarbiat.com is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

170. Historical WHOIS records revealed that imamiatarbiat.com was registered with

email account eb.erfani@gmail.com in 2014. This email address was also used to register Target

Domains qudspal.net and qudspal.com. According to subscriber records from Google,

eb.erfani@gmail.com uses Iran-based phone number +98 9194046614 for recovery SMS, sign

61
in, and two-step verification phone numbers. Between December 17, 2019 and August 1, 2020,

the user of this email account logged in from Iran-based IP addresses dozens of times.

171. Target Domain maghrebiyon.com. Target Domain maghrebiyon.com is an

Arabic language site, which focuses on Moroccan, Arabic, and international issues. According

to FireEye, maghrebiyon.com describes itself as “an independent Moroccan news site.”

FireEye reported that maghrebiyon.com promotes material in line with Iranian political

interests. For example, the domain included a YouTube video entitled, “The storm against

[Current U.S. President] due to Iran” and a cartoon of “starving Yemeni child next to a spoon

with a bomb in it tagged ‘USA’ and ‘KSA’ (Kingdom of Saudi Arabia).” FireEye further

reported that a Twitter account associated with maghrebiyon.com—@maghreb24press—

was linked to a phone number with a “+98” Iranian country code.

172. A search of historical WHOIS domain registration records revealed registrant

email maghreb.press24@gmail.com. Legal process returns on the registrant email of

maghreb.press24@gmail.com revealed Iran-based recovery SMS phone number +98

9014226700, which indicates the registrant was attempting to obfuscate their Iran-based location

to procure this domain.

173. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for maghrebiyon.com was a subdomain of cloudflare.com, indicating that

maghrebiyon.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for maghrebiyon.com revealed user logins

from Iran-based IP addresses which include 185.212.192.209, 185.176.58.122, and

62
2.187.162.235.

174. Subscriber and transaction records from OnlineNIC revealed that

maghrebiyon.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 associated with account name Ibrahim Hosein, indicating the 19 Target Domains are

maintained in the same account.

175. Target Domain raitunisia.com. The domain raitunisia.com is an Arabic-

language site addressing issues surrounding Tunisia. According to FireEye, the material is

plagiarized from tunisiaonline.info and tunisianow.net.tn. FireEye also noted that the site

contained messaging in line with Iranian interests, for example, an article on Israel’s Mossad and

its alleged assassination of a Tunisian engineer.

176. According to FireEye, IP address 78.46.126.234 was used by Target Domains

marsadz.com, raitunisia.com, and alsudanalyoum.com, suggesting these accounts are

accessed by the same user(s). FireEye further reported that IP address 5.9.137.45 was used by

Target Domains libyaalmokhtar.com, raitunisia.com, and alsudanalyoum.com, suggesting

these accounts are accessed by the same user(s). FireEye further reported that IP address

78.46.102.123 was used by Target Domains alsudanalyoum.com, raitunisia.com,

whatsupic.com, nilenetonline.com, mepanorama.net, haghighah.com, beritadunia.net,

nthnews.net and pakonlinenews.com, as well as other domains identified by FireEye as part of

the Liberty Front Press network.

177. FireEye also noted Twitter account @raitunisia2016 was maintained by

raitunisia.com and was linked to an Iran-based phone number with a +98 country code.

63
Additionally, FireEye noted that Twitter account @dreamforg—which promoted content on

raitunisia.com—as having an Iran-based phone that began with a +98 country code.

178. Subscriber and transaction records from OnlineNIC revealed that raitunisia.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

179. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for raitunisia.com was a subdomain of cloudflare.com, indicating that

raitunisia.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for raitunisia.com revealed user logins from

multiple Iran-based IP addresses, including 2.179.167.46, 5.160.10.72, and 185.212.192.209.

180. Target Domain 3adalah.com. Target Domain 3adalah.com claims to be a

newspaper which lists its contact information as “123 California St.,” and phone number with a

“650” area code, which purports to be from the San Francisco area. However, subscriber

information for 3adalah.com revealed that registrant “basem al-khamri" registered their location

as Beirut, Lebanon with Lebanon-based phone number +96 1153612312.

181. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for 3adalah.com was a subdomain of cloudflare.com, indicating that

3adalah.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for 3adalah.com revealed user logins from multiple

Iran-based IP addresses, including185.212.192.209, 2.179.128.138, and 5.160.10.11. The returns

64
also identified links from 3adalah.com to Target Domains yemaniat.net, alhiwaraldini.com,

and ageofpakistan.com.

182. Subscriber and transaction records from OnlineNIC revealed that 3adalah.com is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

183. Target Domain libyaalmokhtar.com. According to FireEye, IP address

46.4.69.232 was used by Target Domains libyaalmokhtar.com and qudspal.com, suggesting

these accounts are controlled by the same user(s). FireEye further reported that IP address

5.9.137.45 was used by Target Domains libyaalmokhtar.com, raitunisia.com, and

alsudanalyoum.com, suggesting these accounts are controlled by the same user(s). FireEye

further reported that IP address 46.4.69.232 was used by Target Domains qudspal.com and

libyaalmokhtar.com.

184. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for libyaalmokhtar.com was a subdomain of cloudflare.com, indicating that

libyaalmokhtar.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare on libyaalmokhtar.com revealed user logins

from multiple Iran-based IP addresses, including 5.160.10.72, 2.179.167.46, and

185.212.192.209.

185. Publicly searchable WHOIS database queries on Target Domain

iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

65
Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

186. Subscriber and transaction records from OnlineNIC revealed that

libyaalmokhtar.com is one of 43 Target Domains that were registered by OnlineNIC account

ID 319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

187. Target Domain aftruth.com. The domain aftruth.com is an English-language

domain that, according to FireEye, is a “news site focusing on Africa-related issues” that has

material “in line with Iranian state interests.” FireEye reported on social media

accounts associated with aftruth.com, one of which included a cartoon showing “Israeli Prime

Minister Benjamin Netanyahu drinking from a mug labeled ‘Gaza Blood.’” Another social

media account associated with aftruth.com, Twitter account @marsaddz, was linked to a phone

number with a “+98 Iranian country code” and has been viewed

“promoting AFTruth [aftruth.com] articles.”

188. Subscriber and transaction records from OnlineNIC revealed that aftruth.com is

one of 19 Target Domains that were registered by OnlineNIC account ID 595619, associated

with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in the same

account. According to these records, the email address used for WHOIS purposes is

aftruth.com@gmail.com.

66
189. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for aftruth.com was a subdomain of cloudflare.com, indicating that

aftruth.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for aftruth.com revealed user logins from Iran-based IP

addresses which include 185.212.192.209 and 185.176.58.122.

190. Subscriber records from Google showed that the sign-in phone number and

recovery SMS number for aftruth.com@gmail.com are Iran-based phone number +98

9362219619.

191. Target Domain alsudanalyoum.com. According to

FireEye, alsudanalyoum.com “focuses on news pertaining to Sudan” and “includes material in

line with Iranian interests, such as a piece stating that Saudi Arabia has failed to

pursue financiers of terrorism and an article reporting on ‘Saudi and Emirati anger at UN reports

on violations in Yemen.’” FireEye reported that IP address 78.46.126.234 was used by Target

Domains alsudanalyoum.com, marsadz.com and raitunisia.com, suggesting these accounts are

controlled by the same user(s). FireEye further reported that IP address 5.9.137.45 was used by

Target Domains alsudanalyoum.com, libyaalmokhtar.com and raitunisia.com, suggesting

these accounts are controlled by the same user(s). FireEye further reported that IP address

78.46.102.123 was used by Target Domains alsudanalyoum.com, raitunisia.com,

whatsupic.com, nilenetonline.com, mepanorama.net, haghighah.com, beritadunia.net,

nthnews.net and pakonlinenews.com, as well as other domains identified by FireEye as part of

the Liberty Front Press network.

67
192. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for alsudanalyoum.com was a subdomain of cloudflare.com, indicating that

alsudanalyoum.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for alsudanalyoum.com revealed user logins

from multiple Iran-based IP addresses, including 5.160.10.72, 185.212.192.209, and

5.114.176.54.

193. Subscriber and transaction records from OnlineNIC revealed that

alsudanalyoum.com is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

194. Target Domain beritadunia.net. According to FireEye, beritadunia.net is an

“Indonesian-language website that describes itself as providing ‘current news about world events

especially the Islamic world and the Middle East’” and contains Iranian propaganda content, to

include “anti-Saudi, anti-US, and anti-Israel narratives.” For example, FireEye reported that the

domain contained a portrayal the killing of a Shiite child by a Saudi Arabian

representative. FireEye further reported that IP address 46.4.132.228 was used by Target

Domains beritadunia.net and pakonlinenews.com. FireEye further reported that IP address

5.9.200.236 was used by Target Domains beritadunia.net, whatsupic.com and whatsupic.net,

as well as other domains identified by FireEye as part of the Liberty Front Press network.

FireEye further reported that IP address 78.46.102.123 was used by Target Domains

alsudanalyoum.com, raitunisia.com, whatsupic.com, nilenetonline.com, mepanorama.net,

68
haghighah.com, beritadunia.net, nthnews.net, pakonlinenews.com, as well as other domains

identified by FireEye as part of the Liberty Front Press network.

195. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for beritadunia.net was a subdomain of cloudflare.com, indicating that

beritadunia.net utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for beritadunia.net revealed user logins

from multiple Iran-based IP addresses, including 5.160.10.72, 185.212.192.209, and

2.179.134.109.

196. Publicly searchable WHOIS database queries for Target Domain

iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

197. Subscriber and transaction records from OnlineNIC revealed that beritadunia.net

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

198. Target Domain faktru.com. According to FireEye, faktru.com is a “Russian-

language news site” that has “material in line with Iranian interests.” For example, FireEye

report that the domain contained an article on Iranian President Hassan Rouhani who made a

69
statement about how the “killing of Jamal Khashoggi would have been ‘impossible’ without U.S.

backing.” FireEye further reported that a social media account associated with faktru.com—

Twitter account @RuFakt—was “linked to a phone number with the +98 Iranian country code.”

Analysis by the FBI of historical administrative and subscriber information for faktru.com

revealed connections with Target Domains whatsupic.com, afghanwolas.com, ansar-

allah.com, imamiatarbiat.com, jamekurdi.com, kashmir-news.com, nationvoices.com,

nilenetonline.com, qudspal.net, sachtimes.com and sayyidali.com.

199. FireEye further reported that Iranian name servers damavand.atenahost.ir and

alvand.atenahost.ir were used by Target Domains faktru.com and afghanwolas.com, later

confirmed by the FBI. FireEye noted that these domains were predecessor domains for

alhadathps.com and iuvmpress.com, respectively.

200. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for faktru.com was a subdomain of cloudflare.com, indicating that

faktru.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for faktru.com revealed user logins from Iran-based IP

addresses which include 5.160.10.11, 5.160.10.72, and 5.114.176.54.

201. Subscriber and transaction records from OnlineNIC revealed that faktru.com is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

202. Target Domain pakonlinenews.com. According to FireEye,

pakonlinenews.com is an “Urdu-language website focused on news pertaining to

70
Pakistan.” FireEye reported that a social media account associated with pakonlinenews.com—

Twitter account @PakOnlineNews—was linked to a phone number with the “+98 Iranian

country code.” FireEye reported that IP address 46.4.132.228 was used by Target Domains

pakonlinenews.com and beritadunia.net. FireEye further reported that IP address

78.46.102.123 was used by Target Domains alsudanalyoum.com, raitunisia.com,

whatsupic.com, nilenetonline.com, mepanorama.net, haghighah.com, beritadunia.net,

nthnews.net and pakonlinenews.com, as well as other domains identified by FireEye as part of

the Liberty Front Press network.

203. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for pakonlinenews.com was a subdomain of cloudflare.com, indicating that

pakonlinenews.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for pakonlinenews.com revealed user logins

from multiple Iran-based IP addresses, including 2.179.167.46, 5.160.10.11, and 5.114.176.54.

204. Subscriber and transaction records from OnlineNIC revealed that

pakonlinenews.com is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

205. Target Domain afghanwolas.com. According to FireEye, afghanwolas.com

“is a Pashto-language news site focusing on Afghanistan” whose content is “in line with Iranian

interests.” FireEye reported that the domain contained an article by an author who alleged that

the “war on terror” in Yemen was waged by Saudi Arabia and the U.S., which is rhetoric in line

71
with Iranian state interests. FireEye further reported that Iranian name servers

damavand.atenahost.ir and alvand.atenahost.ir were used by Target Domains afghanwolas.com

and faktru.com, later confirmed by the FBI. FireEye noted that predecessor domains for

alhadathps.com and iuvmpress.com, respectively. FireEye further reported that email

address mahdi.center2020@gmail.com was used to register Target Domains afghanwolas.com,

whatsupic.com, and nilenetonline.com. Further, WHOIS records show that

madhi.center2020@gmail.com was used to register sayyidali.com in 2014.

206. FBI analysis of historical WHOIS information revealed that when

afhanwolas.com was initially registered on June 24, 2015, the registrant “vahid gohariayan”

provided a registrant address of “tehran” although they listed the country location as

“Afghanistan.”

207. Subscriber and transaction records from Google for

mahdi.center2020@gmail.com revealed that it was accessed by Iran-based IP address

5.113.195.164 through Iran Cell Service and Communication Company, and it was registered

through Iran-based IP address 2.177.80.232.

208. Analysis by the FBI of historical administrative and subscriber information for

afghanwolas.com revealed connections with Target Domains whatsupic.com, faktru.com,

ansar-allah.com, imamiatarbiat.com, jamekurdi.com, kashmir-news.com,

nationvoices.com, nilenetonline.com, qudspal.net, sachtimes.com and sayyidali.com.

209. Subscriber and transaction records from OnlineNIC revealed that

afghanwolas.com is one of 43 Target Domains that were registered by OnlineNIC account ID

72
319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

210. Target Domain kurdestantimes.com. The domain kurdestantimes.com is a

Pashto and Persian-language site regarding issues related to Kurdistan. Articles include anti-

Western capitalism ideals.

211. Historical WHOIS records reveal that kurdestantimes.com utilized Iran-based

Internet Service Provider Noyan Abr Arvan Co. through name servers x.ns.arvancdn.com and

k.ns.arvancdn.com, although registrant information states that the domain is in Iraq.

212. Subscriber and transaction records from OnlineNIC revealed registrant email

address htmbayan@gmail.com, which was used to register Target Domains

kurdestantimes.com, bashiqa.com, alwarka.net, j-babel.com and qarura.com.

213. Subscriber and transaction records from Google for htmbayan@gmail.com

revealed Iran-based terms of service IP address 5.115.98.211.

214. Target Domain bashiqa.com. Research by the FBI showed that Target Domain

bashiqa.com is an Arabic-language site with pro-Jihadist messaging.

215. According to FireEye, an individual named Mohammed Hosein Al-Hakkak --

who was linked to Iranian phone number +98 9363796436 and was the registrant for Target

Domain iraqnewsservice.com, which promoted on Facebook “primarily posts from […]

bashiqa.com articles.” Subscriber and transaction records revealed registrant email address

htmbayan@gmail.com, which was used to register Target Domains bashiqa.com, alwarka.net,

j-babel.com, kurdestantimes.com, and qarura.com.

73
216. Subscriber and transaction records from Google on htmbayan@gmail.com

revealed use of an Iran-based IP address 5.115.98.211.

217. Publicly searchable WHOIS database queries on another Target Domain

iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

218. Subscriber and transaction records from OnlineNIC revealed that bashiqa.com is

one of 8 Target Domains that were registered by OnlineNIC account ID 590434 with account

name “hussein ali,” indicating the 8 Target Domains were created by the same user.

219. Target Domain j-babel.com. Subscriber and transaction records from

OnlineNIC revealed registrant email address htmbayan@gmail.com, which was used to register

Target Domains j-babel.com, kurdestantimes.com, bashiqa.com, alwarka.net, and

qarura.com. Subscriber and transaction records from Google for htmbayan@gmail.com

revealed an association with an Iran-based IP address 5.115.98.211.

220. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for j-babel.com was a subdomain of cloudflare.com, indicating that j-

babel.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for j-babel.com revealed user logins from multiple Iran-

74
based IP addresses, including 2.187.174.100, 5.160.10.72, and 185.212.192.209.

221. Publicly searchable WHOIS database queries on another Target Domain

iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

222. Subscriber and transaction records from OnlineNIC further revealed that j-

babel.com is one of 8 Target Domains that were registered by OnlineNIC account ID 590434

with account name “hussein ali,” indicating the 8 Target Domains were created by the same user.

223. Target Domain qarura.com. Subscriber and transaction records from

OnlineNIC revealed registrant email address htmbayan@gmail.com, which was used to register

Target Domains qarura.com, j-babel.com, kurdestantimes.com, bashiqa.com, and

alwarka.net.

224. Subscriber and transaction records from Google for htmbayan@gmail.com

revealed an association with Iran-based IP address 5.115.98.211.

225. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for qarura.com was a subdomain of cloudflare.com, indicating that

qarura.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for qarura.com revealed user logins from multiple Iran-

75
based IP addresses, including 2.187.174.100, 2.179.167.46, and 5.160.10.72.

226. Publicly searchable WHOIS database queries on another Target Account

iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

227. Subscriber and transaction records from OnlineNIC revealed that qarura.com is

one of 8 Target Domains that were registered by OnlineNIC account ID 590434 with account

name “hussein ali,” indicating the 8 Target Domains were created by the same user.

228. Target Domain alwarka.net. Subscriber and transaction records from

OnlineNIC revealed registrant email address htmbayan@gmail.com, which was used to register

Target Domains alwarka.net, qarura.com, j-babel.com, kurdestantimes.com and

bashiqa.com.

229. Subscriber and transaction records from Google for htmbayan@gmail.com

revealed an association with Iran-based IP address 5.115.98.211.

230. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for alwarka.net was a subdomain of cloudflare.com, indicating that

alwarka.net utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for alwarka.net revealed user logins from Iran-based IP

76
addresses which include 2.187.174.100, 2.179.167.46, and 5.160.10.72.

231. Subscriber and transaction records from OnlineNIC revealed that alwarka.net is

one of 8 Target Domains that were registered by OnlineNIC account ID 590434 with account

name “hussein ali,” indicating the 8 Target Domains were created by the same user.

232. Target Domain iraqnewsservice.com. According to FireEye,

iraqnewsservice.com is an “English-language news site focusing on Iraq.” FireEye reported

that “[m]uch of the site's material appears to have been plagiarized, including from the Iranian

media outlet Press TV, a network affiliated with the Iranian state-owned Islamic Republic of Iran

Broadcasting (IRIB).” FireEye further reported that iraqnewsservice.com was registered by an

individual named Mohammed Hosein Al-Hakkak with Iranian phone number +98 9363796436

and whose Facebook posts “appear to promote primarily posts from […] bashiqa.com articles.”

FireEye further reported Al-Hakkak's registrant location to be Qom, Iran. FireEye further

reported that a social media account associated with iraqnewsservice.com—Twitter handle

@iraqnewsservice—was linked to a phone number with the +98 Iranian country code.

233. Historical WHOIS information revealed that the original registrant for

iraqnewsservice.com on May 30, 2017 used registrant name “Mohammed Hosein Al-Hakkak,”

email address mjavadsf72@gmail.com, Iran-based address “shahid mofatteh sq Qom, Iran,” and

Iran-based phone number +98 9363796436. Further, historical WHOIS revealed that former

iraqnewsservice.com registrant email majedfadi83@gmail.com was used to register several

IUVM network sites, including iuvmonline.com, iuvmonline.net, iuvmbook.net, iuvmbook.com,

iuvmtimes.org and others, linking iraqnewsservice.com to the IUVM network.

77
234. Publicly searchable WHOIS database queries for iraqnewsservice.com revealed

other registrant email address majedfadi83@gmail.com. Legal process from Cloudflare revealed

email address majedfadi83@gmail.com as the registrant email for Cloudflare services for Target

Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-babel.com, sachtimes.com,

yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com, beritadunia.net,

alraialqatari.com, and alhabda.net, indicating these domains are controlled by the same

user(s).

235. Subscriber and transaction records from Google for former registrant email

mjavadsf72@gmail.com revealed Iran-based sign-in and recovery SMS phone numbers +98

9356558631 and +98 9212091086. Further, mjavadsf72@gmail.com was logged into by Iran-

based IP 185.70.63.170 from Tehran.

236. Subscriber and transaction records from OnlineNIC revealed that

iraqnewsservice.com is one of 8 Target Domains that were registered by OnlineNIC account ID

590434 with account name “hussein ali,” indicating the 8 Target Domains were created by the

same user(s).

237. Target Domain nthnews.net. According to FireEye, nthnews.com is a news

site focused on Yemen. FireEye reported that a social media account associated with

nthnews.net—Twitter handle @NTHNEWS—has been suspended and was linked to a phone

number “with +98 Iranian country code.” FireEye further reported that IP address 78.46.102.123

was used by Target Domains nthnews.net, alsudanalyoum.com, raitunisia.com,

whatsupic.com, nilenetonline.com, mepanorama.net, haghighah.com, beritadunia.net, and

78
pakonlinenews.com, as well as other domains identified by FireEye as part of the Liberty Front

Press network.

238. Subscriber and transaction records from OnlineNIC revealed that nthnews.com is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

239. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for nthnews.com was a subdomain of cloudflare.com, indicating that

nthnews.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for nthnews.com revealed user logins from multiple

Iran-based IP addresses, including 5.160.10.72, 2.179.144.99, and 185.176.58.122.

240. Target Domain foresight-media.com. Target Domain foresight-media.com is

an Arabic-language site that focuses on Yemen issues in addition to anti-Current U.S. President

and anti-US messaging. Additionally, the site often displays articles that have pro-IRGC rhetoric

with specific quotes from Qods Force.

241. Subscriber and transaction records from OnlineNIC revealed registrant email

address y.tahan@dr.com, which was also used by nthnews.net.

242. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for foresight-media.com was a subdomain of cloudflare.com, indicating that

foresight-media.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for foresight-media.com revealed user

logins from Iran-based IP address 5.160.10.149.

79
243. Further, legal process returns from Google on foresitemedia2017@gmail.com—

identified as associated with foresight-media.com though legal process returns from

Cloudflare—revealed Iran-based recovery SMS phone number +98 9357226277.

244. Subscriber and transaction records from OnlineNIC further revealed that

foresight-media.com is one of 43 Target Domains that were registered by OnlineNIC account

ID 319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

245. Target Domain nilenetonline.com. According to FireEye, IP address

78.46.102.123 was used by Target Domains nilenetonline.com, alsudanalyoum.com,

raitunisia.com, whatsupic.com, mepanorama.net, haghighah.com, beritadunia.net,

nthnews.net and pakonlinenews.com, and other domains identified by FireEye as part of the

Liberty Front Press network. FireEye reported that email

address mahdi.center2020@gmail.com was used to register Target Domains nilenetonline.com,

afghanwolas.com, and whatsupic.com. Further, WHOIS records show that

madhi.center2020@gmail.com was used to register sayyidali.com in 2014. FireEye further

reported that IP address 67.205.99.12 was used by Target Domains nilenetonline.com,

whatsupic.com, and haghighah.com.

246. Subscriber and transaction records from OnlineNIC revealed that

nilenetonline.com is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

80
247. WHOIS domain name registration records for nilenetonline.com from May 15,

2012 to May 21, 2015 listed Richard Snaith as the registrant using email account

richard.snaith44@yahoo.com. Subscriber and transaction records for

richard.snaith44@yahoo.com showed that the account was registered on October 22, 2011 from

Iran-based IP address 84.241.38.118.

248. WHOIS domain name registration records for nilenetonline.com from March 6,

2016 to May 16, 2018 listed abdullatifmansour@hotmail.com as the registrant email address.

Subscriber records from Microsoft for abdullatifmansour@hotmail.com showed that the account

logged in to Skype from Iran-based IP address 46.38.139.67 on February 2, 2016.

249. Target Domain puketnews.com. The Puket News purports to be a Thai-

language news site that is aimed at distributing news to audiences throughout the world.

Although the domain targets generally the Thailand audience, registrant information is largely

Taiwanese using +886 phone number and location as in Chiayi County in Taiwan, which

indicates an inauthentic registrant identity to procure the domain. Further, FBI analysis

determined that puketnews.com appears to be an inauthentic domain mimicking a legitimate

domain thephuketnews.com.

250. Publicly available WHOIS records for puketnews.com revealed registrant email

saamealmana@gmail.com. Subscriber and transaction records from Google for

saamealmana@gmail.com revealed Iran-based terms of service IP address 185.176.58.122 from

Qom, Iran.

251. A search of historical WHOIS domain name registration records revealed that the

81
nameserver listed for puketnews.com was a subdomain of cloudflare.com, indicating that

puketnews.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for puketnews.com revealed user logins

from multiple Iran-based IP addresses, including 5.160.10.72, 185.176.58.122, and 2.179.144.99.

252. Subscriber and transaction records from OnlineNIC revealed that puketnews.com

is one of 19 Target Domains that were registered by OnlineNIC account ID 595619 with account

name Ibrahim Hosein, indicating the 19 Target Domains are maintained in the same account.

253. Target Domain naijafox.com. Research by the FBI revealed that naijafox.com

is an English-language site focused on African issues that displays pro-Iranian messaging.

254. Subscriber and transaction records from OnlineNIC revealed that naijafox.com is

one of 8 Target Domains that were registered by OnlineNIC account ID 590434 with account

name “hussein ali,” indicating the 8 Target Domains were created by the same user.

255. Historical WHOIS records for naijafox.com from April 18, 2019 to June 1, 2020

identified the registrant as Ammar AlMalki, located in Nigeria, and listed registrant email

address alwattabi@gmail.com. Subscriber records for alwattabi@gmail.com revealed Iran-based

phone number +98 9354914095 and log-ins from Iran-based IP addresses twenty times between

December 30, 2019 and August 10, 2020.

256. Target Domain masralkenana.com. The domain masralkenana.com is an

Arabic-language site dedicated to Middle Eastern politics. It demonstrates pro-Hezbollah

messaging, including an article that alludes to the current U.S. President seeking to open

communication with Hezbollah.

82
257. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for masralkenana.com was a subdomain of cloudflare.com, indicating that

masralkenana.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for masralkenana.com revealed user logins

from multiple Iran-based IP addresses, including 5.160.10.11, 2.179.141.247, and

185.212.192.209.

258. Subscriber and transaction records from OnlineNIC revealed that

masralkenana.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in

the same account.

259. Target Domain kashmirline.com. A search of historical WHOIS domain name

registration records revealed that the nameserver listed for kashmirline.com was a subdomain of

cloudflare.com, indicating that kashmirline.com utilizes or has utilized Cloudflare for domain

name resolution services. Subscriber and transaction records from Cloudflare for

kasmirline.com revealed user logins from multiple Iran-based IP addresses, including

5.160.10.72, 2.179.167.46, and 94.183.179.46.

260. Subscriber and transaction records from OnlineNIC revealed that

kashmirline.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in

the same account.

261. Target Domain hindkhabar.com. Target Domain hindkhabar.com is a

83
Hindi-languages site. It maintains a “foreign” section that casts Iran in a positive light, while

casting the UAE and Saudi Arabia in a negative light, which is in line with Iranian interests.

262. A search of publicly available WHOIS domain name registration records revealed

registration date November 05, 2015, registrant name “Yuva Soch,” registrant email address

“YuvaSoch2015@outlook.com,” and registrant location New Delhi, India.

263. However, historical WHOIS records queries showed that on November 7 and 8,

2015, hindkhabar.com was hosted by Iranian name servers damavand.atenahost.ir and

alvand.atenahost.ir before being hosted by a non-Iranian server, indicating that the registrant was

attempting to obfuscate their location in Iran. Furthermore, although the user of

YuvaSoch2015@outlook.com listed their country as India when creating the account, subscriber

information from Microsoft for YuvaSoch2015@outlook.com showed that on November 5, 2015

the user of this account logged into Skype from Iran-based IP address 46.32.5.5.

264. Publicly searchable WHOIS database queries on another Target Domain

iraqnewsservice.com revealed that its registrant email address was majedfadi83@gmail.com.

Legal process from Cloudflare revealed email address majedfadi83@gmail.com as the registrant

email for Cloudflare services for Target Domains bashiqa.com, alwarka.net,

iraqnewsservice.com, j-babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com,

libyaalmokhtar.com, beritadunia.net, alraialqatari.com, and alhabda.net, indicating these

domains are controlled by the same user(s).

265. Subscriber and transaction records from OnlineNIC revealed that

hindkhabar.com is one of 43 Target Domains that were registered by OnlineNIC account ID

84
319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

266. Target Domain pashtokhabar.com. A search of publicly available WHOIS

domain name registration records revealed registrant name “Muhammad Khan,” registrant email

pashtokhabar123@gmail.com, registrant location city “Peshawar” and registered country code

“PK” for Pakistan.

267. Subscriber records from Google for pashtokhabar123@gmail.com revealed Iran-

based recovery SMS phone number +98 9196158589, indicating the registrant was attempting to

obfuscate their Iran-based location to procure the pashtokhabar.com domain.

268. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for pashtokhabar.com was a subdomain of cloudflare.com, indicating that

pashtokhabar.com utilizes or has utilized Cloudflare for domain name resolution services.

Legal process returns from Cloudflare on pashtokhabar.com revealed user login from Iran-

based IP address 85.212.192.209.

269. Subscriber and transaction records from OnlineNIC revealed that

pashtokhabar.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in

the same account.

270. Target Domain altanzil.net. Target Domain altanzil.net is a Persian and Urdu-

language site that aimed at education of Qur’an-related studies.

271. A search of publicly available WHOIS domain name registration records revealed

85
the following information regarding Target Domain “altanzil.net.” The registration date was on

October 15, 2009. The registrar was listed as Onlinenic Inc. The WHOIS database revealed

registrant name “Altanzil Media” with registrant email “tanzeelmedia1@gmail.com.” The

WHOIS database revealed the registrant location city as “Lahore” and the registered country

code as “PK.”

272. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for altanzil.net was a subdomain of cloudflare.com, indicating that

altanzil.net utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for altanzil.net revealed user logins from multiple Iran-

based IP addresses, including 185.176.58.122, 185.212.192.195, and 2.179.144.99.

273. Subscriber and transaction records from Google for registrant email

altanziil.2019@gmail.com revealed login activity from Iran-based IP address 185.176.58.122.

274. Subscriber and transaction records from OnlineNIC revealed that altanzil.net is

one of 19 Target Domains that were registered by OnlineNIC account ID 595619 with account

name Ibrahim Hosein, indicating the 19 Target Domains are maintained in the same account.

275. Target Domain ageofpakistan.com. The domain ageofpakistan.com is an

Urdu-language site that displays pro-Iranian and anti-foreign influencing messages, including

anti-U.S. messaging, for example, an anti-Current U.S. President message displaying the current

U.S. President alongside an atomic bomb.

276. A search of publicly available WHOIS domain name registration records

revealed registrant email hanifzaidipk@gmail.com and registrant location Islamabad, Pakistan.

86
277. Subscriber records from Google for hanifzaidipk@gmail.com revealed Iran-based

recovery SMS phone number +98 9366070655.

278. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for ageofpakistan.com was a subdomain of cloudflare.com, indicating that

ageofpakistan.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for ageofpakistan.com revealed user logins

from multiple Iran-based IP addresses, including 5.160.10.131, 2.179.141.247, and

185.212.192.209.

279. Subscriber and transaction records from OnlineNIC revealed that

ageofpakistan.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in

the same account.

280. Target Domain moqawemat.com. Open source research by the FBI revealed

that moqawemat.com is a Persian-language site which refers to itself as the Resistance News

Agency and purports to be an independent and non-governmental media site, but one that often

references IRGC messaging. Open source research by the FBI revealed that this domain is

owned by Hezbollah. This site is also closely related to Iranian website moqawemat.ir, as

discussed below.

281. A search of publicly available WHOIS domain name registration records

revealed registration date November 13, 2017, registrant name “Najibulla Rasa,” registrant email

address Najeebrasa@yahoo.com, registrant location city “Karte 4” and the registered country

87
code “AF,” or Afghanistan.

282. Historical WHOIS records, however, revealed that on February 20, 2016,

registrant “syd yasr tghvy” using email address t.sedyaser@gmail.com registered

moqawemat.com with location “ghm” in Iran with Iran-based phone number +98 9196639396.

Further, email t.sedyaser@gmail.com was used to register similarly-named domain

moqawemat.ir and utilized Iran-based registrant address “pardisan. blv kochaki. mojtama helli.

b7. v 17, qom, qom, IR.”

283. Subscriber records from Google for t.sedyaser@gmail.com revealed recovery

email address sedyaser@chmail.ir. “.ir” is the internet country code top level domain for Iran.

The subscriber records also revealed that the email address is associated with Iran-based IP

address 95.38.45.3.

284. In addition, on August 10, 2016, the registrant information for moqawemat.com

changed to “andishe” with registrant location Tehran, Iran, email address

hamed5402@gmail.com, and Iranian phone number +98 9122579253. This email address was

used in domain registration information through August 12, 2017. Subscriber records for

hamed5402@gmail.com from Google showed that this email address was registered using Iran-

based IP address 89.165.74.92, Iran-based recovery SMS phone number +98 9127509232, and

had logged in from Iran-based IP addresses over a dozen times between December 10, 2019 and

August 10, 2020.

285. In November 2017, the registration location changed to Istanbul, indicating the

registrant was attempting to obfuscate their location in Iran.

88
286. Target Domain alnujaba.com. Open source research by the FBI revealed that

alnujaba.com is an Arabic-language site that messages political news and claims to be the “The

Islamic Resistance” or the “Nujaba Movement.” Open source research by the FBI further

indicated that Al Nujaba TV is owned by Harakat Hezbollah al-Nujaba, which has links to the

IRGC. According to the Office of Foreign Assets Control, Al-Nujaba TV, also known as

Harakat Al-Nujaba, is a Specially Designated National whose assets are blocked and with whom

U.S. persons are prohibited from doing business.

287. A search of publicly available WHOIS domain name registration records revealed

registration date September 17, 2013, registrant name "SANA3A .COM", registrant email

mabood1401@gmail.com and registrant location Baghdad, Iraq. Currently, the registrant utilizes

nameservers x.ns.arvancdn.com and k.ns.arvancdn.com, which belong to AbrArvan, a Content

Delivery Network (“CDN”) and Infrastructure as a Service (“IaaS”) provider in Iran.

288. Historical WHOIS records revealed that the initial registration of alnujaba.com

in 2013 was through an Iranian registration service provider, Hyper Network Co. Ltd, which

utilized Iran-based phone number +98 9133132590. The email address used to register

alnujaba.com from October 13, 2013 through August 20, 2014 was ali.ms2001@gmail.com.

According to subscriber records from Google, this account was registered with Iran-based

recovery SMS number +98 9125513971.

289. Historical WHOIS records further revealed that former registrant email

taie20005@gmail.com was used to register alnujaba.com on March 12, 2015. Subscriber

records from Google for taie20005@gmail.com revealed Iran-based recovery SMS phone

89
number +98 9128171348, indicating that the registrant was attempting to obfuscate their Iran-

based location to register alnujaba.com. Further, the terms of service IP address is

80.191.91.249, an Iran-based IP from Tehran.

290. Subscriber and transaction records from OnlineNIC revealed that alnujaba.com

is one of 8 Target Domains that were registered by OnlineNIC account ID 590434 with account

name “hussein ali,” indicating the 8 Target Domains were registered by the same user. In

addition, OnlineNIC account 590434 was associated with Payment24 wire fraud schemes.

291. Target Domain alkhalijalyoum.com. Target Domain alkhalijalyoum.com is

an Arabic-language site that focuses on Arab Gulf region. The domain displays anti-Current

U.S. President and anti-Saudi messaging in line with Iranian rhetoric; for example, a negatively

depicted cartoon of the current U.S. President with the head of a Saudi figure coming out of his

mouth.

292. A search of publicly available WHOIS domain name registration records for

alkhalijalyoum.com revealed the registrant’s location as Muscat, Oman.

293. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for alkhalijalyoum.com was a subdomain of cloudflare.com, indicating that

alkhalijalyoum.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for alkhalijalyoum.com revealed login

activity from multiple Iran-based IP addresses, including 185.212.192.209, 151.235.35.1, and

185.119.241.113.

294. Subscriber and transaction records from OnlineNIC revealed that

90
alkhalijalyoum.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains were registered by

the same user(s).

295. Target Domain jamekurdi.com. Open source research by the FBI showed that

jamekurdi.com is a Persian-language news page focused on topics impacting the Middle East

and UAE.

296. A search of publicly available WHOIS domain name registration records for

jamekurdi.com revealed registrant name “jamekurdi,” registrant email

jamekurdi2014@gmail.com, and registrant country Iraq. However, a historical WHOIS search

revealed that when the site was originally registered in 2014, registrant “pariya shiri” registered

jamekurdi.com with email address pariya1420@yahoo.com, address “kasra st., mansobian al”

from Kermanshah, Iran, and Iran-based phone number +98 8317241188. The email address

pariya1420@yahoo.com was also associated with several other Iran-based sites. Subscriber and

transaction records for pariya1420@yahoo.com showed that the account was registered on

March 31, 2005 from Iran-based IP address 217.219.213.56 using Iran-based phone number +98

9189174583. Between September 23, 2019 and May 15, 2020, there were five logins to this

account from IP addresses belonging to Iranian internet service provider Pars Online. This

indicates that the registrant of jamekurdi.com attempted to obfuscate their location in Iran in

order to procure jamekurdi.com.

297. Subscriber records from Google for jamekurdi2014@gmail.com revealed Iran-

based recovery SMS phone number +98 9182312901.

91
298. The FBI identified historical administrative and subscriber connections for

jamekurdi.com with 12 other Target Domains.

299. Subscriber and transaction records from OnlineNIC revealed that jamekurdi.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

300. Target Domain yaqeenagency.net. Open source research by the FBI showed

that yaqeenagency.net is an Arabic-language site which highlights narratives against countries

like UAE, Israel and Saudi Arabia.

301. A search of publicly available WHOIS domain name registration records for

yaqeenagency.net revealed registrant name “kreem abdullah” with registrant email

yemencssr@gmail.com and registrant location Sanaa, Yemen. Subscriber records from Google

for yemencssr@gmail.com, however, revealed Iran-based terms of service IP address

5.160.10.140 from Tehran.

302. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for yaqeenagency.net was a subdomain of cloudflare.com, indicating that

yaqeenagency.net utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for yaqeenagency.net revealed user logins

from multiple Iran-based IP addresses, including 2.187.174.100, 5.160.10.72, and 5.114.176.54.

303. Publicly searchable WHOIS database queries on another Target Account

iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

92
from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

304. Subscriber and transaction records from OnlineNIC revealed that

yaqeenagency.net is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in

the same account.

305. Target Domain yemaniat.net. Open source research by the FBI showed

yemaniat.net is an Arabic language site focused on empowering women in countries where,

historically, their rights have not been equal.

306. A YouTube account associated with yemaniat.net was terminated by YouTube

for violating YouTube’s terms of service.

307. A search of publicly available WHOIS domain name registration records for

yemaniat.net revealed registrant name "ahmed", registrant email

yemenwar00967@gmail.com and registrant location Sanaa, Yemen.

308. Subscriber records from Google for yemenwar00967@gmail.com revealed Iran-

based terms of service IP address 185.119.241.113 and Iran-based recovery SMS phone number

+989334287751, indicating the registrant attempted to obfuscate their Iran-based location to

procure yemaniat.net.

93
309. Subscriber and transaction records from OnlineNIC revealed that yemeniat.net

and yaqeenagency.net used similar registrant information – both listing a police academy in

Sanaa – and similar registrant phone numbers.

310. Subscriber and transaction records from OnlineNIC revealed that yemaniat.net is

one of 19 Target Domains that were registered by OnlineNIC account ID 595619 with account

name Ibrahim Hosein, indicating the 19 Target Domains were registered by the same user(s).

311. Target Domain adentimes.net. Research by the FBI showed that domain

adentimes.net is an English and Persian-language site that targets a Yemeni audience. The

domain portrays anti-American messaging, and in particular, inauthentic messaging against a

current U.S. presidential candidate.

312. A search of publicly available WHOIS domain name registration records for

adentimes.net revealed registrant name “Mohammad Al Naamani,” registrant email address

timesaden@gmail.com, and registrant location Aden, Yemen.

313. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for adentimes.net was a subdomain of cloudflare.com, indicating that

adentimes.net utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for adentimes.net revealed user logins from

multiple Iran-based IP addresses, including 185.212.192.209, 5.160.10.72, and 2.179.144.99.

314. Subscriber and transaction records from OnlineNIC revealed that adentimes.net

is one of 19 Target Domains that were registered by OnlineNIC account ID 595619 with account

name Ibrahim Hosein, indicating the 19 Target Domains were registered by the same user(s).

94
315. Target Domain aden-alyoum.com. Research by the FBI showed that aden-

alyoum.com is an Arabic and English-language site that targets a Yemenis audience and

displays anti-U.S. messaging. Its associated Twitter account, @Adenalyoum_com, has been

suspended by Twitter for violating Twitter’s rules.

316. A search of publicly available WHOIS domain name registration records for

aden-alyoum.com revealed registrant name "Ali Mohammad," registrant email address

adenalyoum2017@gmail.com, and registrant location Aden, Yemen. However, according to

subscriber information from Google for adenalyoum2017@gmail.com, the account was

registered on May 16, 2017 from Iran-based IP address 5.160.10.140.

317. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for aden-alyoum.com was a subdomain of cloudflare.com, indicating that

aden-alyoum.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for aden-alyoum.com revealed user logins

from multiple Iran-based IP addresses, including 185.142.156.201 and 5.160.10.72.

318. Subscriber and transaction records from OnlineNIC revealed that aden-

alyoum.com is one of 19 Target Domains that were registered by OnlineNIC account ID 595619

with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in the same

account.

319. Target Domain almasirahpress.com. Open source research by the FBI

revealed that “Almasirah” is associated with the Houthi movement, which is an Iran-backed

95
militant organization in Yemen according to state.gov. 6

320. A search of publicly available WHOIS domain name registration records for

almasirahpress.com revealed registrant name “jamil zafer,” registrant email address

jamilzafer@yahoo.com, a registrant location city as “Yemenis” and registered country Yemen.

Historical WHOIS data showed that on June 8, 2015, almasirahpress.com utilized Iran-based

servers damavand.atenahost.ir and alvand.atenahost.ir while claiming a Yemen-based location.

The next day, registration records showed a non-Iranian server, indicating that the user was

attempting to obfuscate their Iran-based location in efforts to procure this domain.

321. The registrant email jamilzafer@yahoo.com was used for Target Domains

almasirahpress.com and almasirahtv.com. Open source research by the FBI revealed that

Target Domains almasirahpress.com and almasirahtv.com are directly related to

almasirah.net. In addition to having similar domain names, almasirahtv.com has the same

logo as almasirah.net, further evidencing the two sites are related.

322. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for almasirahpress.com was a subdomain of cloudflare.com, indicating that

almasirahpress.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for almasirahpress.com revealed user logins

from multiple Iran-based IP addresses, including 185.142.156.201, 185.142.156.255, and

5.160.10.72.

323. Subscriber and transaction records from OnlineNIC revealed that

6
https://www.state.gov/reports/country-reports-on-terrorism-2018.

96
almasirahpress.com is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

324. Target Domain almasirahtv.com. Open source research by the FBI revealed

that almasirahtv.com acts as a web video player for Target Domain almasirahpress.com,

which is associated with the Houthi movement.

325. Subscriber and transaction records from OnlineNIC revealed that

almasirahtv.com is one of 43 Target Domains that were registered by OnlineNIC account ID

319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

326. Target Domain haghighah.com. A search of publicly available WHOIS

domain name registration records for haghighah.com revealed an original registration date of

August 14, 2013, registrant name “Documentry [sic] Center Reality,” registrant email

haghighah@gmail.com, and registrant country United Arab Emirates. However, a historical

WHOIS record showed that on August 17, 2015, registrant Meghdad Montazeri Rad with email

address meghdad.mr@gmail.com from the Sherkate Tarh Va Naghshe Masiha organization

utilized registrant address P.152 Zange 5, Kh Enghelab Zire Pole Roshan Delan Kh Safi Alishah,

in Tehran, Iran and Iranian phone number +98 77522411 to register haghighah.com.

Furthermore, meghdad.mr@gmail.com was used for the registration of similar, Iranian domain

haghighah.ir and several other Iranian domains.

327. Subscriber records from Google for former registrant email

97
meghdad.mr@gmail.com revealed Iran-based account recovery phone number +98 9126058438

and Iran-based terms of service IP address 82.99.226.133. On several occasions, the email

address was logged into from Iran-based IP addresses 5.239.63.139, 86.55.225.16, and

188.229.35.49.

328. Subscriber and transaction records from OnlineNIC revealed that haghighah.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

329. Further, FireEye reported that IP address 78.46.102.123 was used by Target

Domains alsudanalyoum.com, raitunisia.com, whatsupic.com, nilenetonline.com,

mepanorama.net, haghighah.com, beritadunia.net, nthnews.net, pakonlinenews.com, and

other Iranian sites. FireEye further reported that IP address 5.9.29.230 was used by Target

Domains afghanwolas.com, iuvm.org, iuvmpress.com, risolattj.com, iuvmtech.com,

haghighah.com, and of note, Liberty Front Press domain libertyfrontpress.com. FireEye further

reported that IP address 67.205.99.12 was used by Target Domains

whatsupic.com, nilenetonline.com, and haghighah.com.

330. Target Domain sizinyol.com. Research by the FBI showed sizinyol.com is an

Azerbaijani-language site that contains many negative, sensational U.S. topics.

331. A search of publicly available WHOIS domain name registration records for

sizinyol.com revealed original registration date August 12, 2009, registrant name Seyed Ali Rez

Aleyasin, registrant email address pirooz33@yahoo.com, and registrant location Dubai, United

98
Arab Emirates. However, historical WHOIS domain name registration records for sizinyol.com

revealed that on October 25, 2009, registrant Seyed Ali Reza Aleyasin utilized inauthentic

address Qom, AL 0098, US. Qom is a large city in Iran which is 155 kilometers from Tehran.

332. Subscriber and transaction records from Yahoo for registrant email address

pirooz33@yahoo.com showed that the time zone for this account was set to “+3.5”. According

to timeanddate.com, Iran Standard Time is 3:30 ahead of Coordinated Universal Time, and Iran

is the only country that uses this time zone. Furthermore, login records for this account show

dozens of logins from Iran-based IP addresses between September 6, 2019 and September 4,

2020. This suggests the registrant was attempting to obfuscate their actual location in Iran in

order to procure the sizinyol.com domain.

333. Subscriber and transaction records from OnlineNIC revealed that sizinyol.com is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

334. Target Domain ansar-allah.com. According to a report by cybersecurity

company Clearsky, ansar-allah.com is associated with the Ansarallah (Houthi) movement,

which is an Iran-backed militant organization in Yemen according to state.gov. 7

335. A search of publicly available WHOIS domain name registration records for

ansar-allah.com revealed registrant email address abdullatifmansour@hotmail.com. Subscriber

records from Microsoft for abdullatifmansour@hotmail.com showed that the account logged in

7
https://www.state.gov/reports/country-reports-on-terrorism-2018.

99
to Skype from Iran-based IP address 46.38.139.67 on February 2, 2016.

336. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for ansar-allah.com was a subdomain of cloudflare.com, indicating that

ansar-allah.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for ansar-allah.com revealed user logins

from Iran-based IP addresses which include 185.176.58.122 and 5.160.10.72.

337. Research by the FBI identified historical, administrative and subscriber

connections for ansar-allah.com with 12 Target Domains.

338. Subscriber and transaction records from OnlineNIC revealed that ansar-

allah.com is one of 43 Target Domains that were registered by OnlineNIC account ID 319223

with account name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the

same user(s).

339. Target Domain alraialqatari.com. Research by the FBI showed that

alraialqatari.com generally displays messaging in line with Iranian rhetoric through anti-U.S.,

anti-Israel, and anti-Saudi messaging. For example, displayed on the main page is a cartoon of

an Israeli dove spitting on a Saudi character that is holding it.

340. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for alraialqatari.com was a subdomain of cloudflare.com, indicating that

alraialqatari.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for alraialqatari.com revealed user logins

from multiple Iran-based IP addresses, including 2.187.174.100, 5.160.10.72, and 5.114.176.54.

100
341. Publicly searchable WHOIS database queries on another Target Account

iraqnewsservice.com revealed registrant email address majedfadi83@gmail.com. Legal process

from Cloudflare revealed email address majedfadi83@gmail.com as the registrant email for

Cloudflare services for Target Domains bashiqa.com, alwarka.net, iraqnewsservice.com, j-

babel.com, sachtimes.com, yaqeenagency.net, hindkhabar.com, libyaalmokhtar.com,

beritadunia.net, alraialqatari.com, and alhabda.net, indicating these domains are controlled

by the same user(s).

342. Subscriber and transaction records from OnlineNIC revealed that

alraialqatari.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains were registered by

the same user(s). While alraialqatari.com claims registration in Qatar, this domain was

registered on the same day—February 19, 2019—as Target Account alkhalijalyoum.com,

which is also a part of the 19 Target Domains and is reportedly registered in Oman.

343. Target Domain risolattj.com. According to FireEye, risolattj.com

presents “anti-Saudi, anti-Israeli, and anti-[current U.S. President] messaging.” FireEye noted a

cartoon on the domain showing a depiction of the current U.S. President “holding down a figure

labeled ‘Yemen’ while Soudi [sic.] Crown Prince Mohammad Bin Salman beheaded the figure.”

IP address 5.9.29.230 was used by Target Domains

afghanwolas.com, iuvm.org, iuvmpress.com, risolattj.com, iuvmtech.com, haghighah.com,

and of note, Liberty Front Press domain libertyfrontpress.com. FireEye further reported that IP

address 195.20.83.157 was used by risolattj.com and a subdomain of usjournal.net. FireEye

101
further reported that associated Twitter account @Risolat19 was linked to a phone number with

“+98 Iranian country code.”

344. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for risolattj.com was a subdomain of cloudflare.com, indicating that

risolattj.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for risolattj.com revealed user logins from multiple

Iran-based IP addresses, including 5.114.176.54, 5.160.10.72, and 185.212.192.209.

345. Subscriber and transaction records from OnlineNIC revealed that risolattj.com is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

346. Target Domain aynanewsagency.org. A search of publicly available WHOIS

domain name registration records for aynanewsagency.org revealed registrant location Ankara,

Turkey. However, despite claiming to be located in Turkey, subscriber and transaction records

from OnlineNIC revealed that aynanewsagency.org used Iranian nameservers

alvand.atenahost.ir and damavand.atenahost.ir. This indicates the user attempted to obfuscate

registrant location in Iran when procuring this domain.

347. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for aynanewsagency.com was a subdomain of cloudflare.com, indicating that

aynanewsagency.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for aynanewsagency.org revealed user

102
logins from multiple Iran-based IP addresses, including 5.160.10.11, 5.160.10.72, and

5.114.176.54.

348. Subscriber and transaction records from OnlineNIC revealed that

aynanewsagency.org is one of 43 Target Domains that were registered by OnlineNIC account

ID 319223 with account name Amir Hossein Sadri, indicating the 43 Target Domains were

registered by the same user(s).

349. Target Domain jihadalbina.org. Open source research by the FBI showed that

domain jihadalbina.org displays videos of sports, education and local news as well as images

that display Iranian leaders alongside Syrian leaders, indicating that this site is promoting Iranian

and Syrian relations.

350. A search of publicly available WHOIS domain name registration records for

jihadalbina.org revealed registrant country Great Britain.

351. Subscriber and transaction records from OnlineNIC showed that registrant Ali

Rishehri used email address rishehri@live.fr. WHOIS searches of rishehri@live.fr revealed that

the email address was used to register Iranian websites like toloohelp.ir and yogatruth.ir, which

have a registrant address in Qom, Iran. This indicates the registrant was attempting to obfuscate

their location in Iran in efforts to procure this domain.

352. Target Domain islahjo.com. A search of publicly available WHOIS domain

name registration records for islahjo.com revealed registrant email islahjo2015@gmail.com and

registrant location Beirut, Lebanon. Subscriber records from Google for

islahjo2015@gmail.com revealed Iran-based terms of service IP address 46.32.5.6 from Tehran.

103
353. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for islahjo.com was a subdomain of cloudflare.com, indicating that

islahjo.com utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records for Cloudflare from islahjo.com revealed user logins from multiple Iran-

based IP addresses, including 185.212.192.209, 5.160.10.11, and 2.179.141.247.

354. Target Domain syria-scope.com. According to open source research by the FBI,

syria-scope.com is an Arabic-language site focused on the Middle East.

355. A search of publicly available WHOIS domain name registration records for

syria-scope.com revealed registrant country Afghanistan. Subscriber and transaction records

from Cloudflare for syria-scope.com revealed user logins from multiple Iran-based IP addresses,

including 185.212.192.209 and 5.113.219.69.

356. Subscriber and transaction records from OnlineNIC revealed that islahjo.com is

one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

357. Target Domain tanincenter.com. Open source research by the FBI revealed

that tanincenter.com is an Arabic-language site that emphasizes information regarding the

Middle East. A report by cybersecurity company Clearsky—partly based on Liberty Front Press

reporting by FireEye—identified tanincenter.com as part of a global Iranian disinformation

operation.

358. Subscriber and transaction records from Cloudflare for other Target Domain

iuvm.net revealed that its Cloudflare account was accessed by the Cloudflare accounts for

104
Target Domains iuvmtech.com, iuvm.org, iuvm.info, iuvmpress.com, iuvmtv.com,

tanincenter.com, and various other Iranian domains ending in “.ir”.

359. Target Domain iuvmpress.com. According to FireEye, IUVM “is a network of

websites and social media accounts that appears to promote Iranian state messaging and other

material directly in line with Iranian interests.” FireEye reporting identified Target Domains

iuvmpress.com, iuvm.org, iuvmtech.com, and iuvmtv.com as part of the IUVM network. In

addition, FireEye reported that Target Domain iuvm.org stated that its “headquarters is in

Tehran.”

360. According to the Atlantic Council’s Digital Forensic Research Lab (“DFRLab”)

on atlaniccouncil.org, IUVM posted exclusively pro-Iranian content as it “laundered content

from Iranian state media, lending it an air of credibility by stripping the affiliation, thereby

enabling it to be passed to less discerning readers as (ostensibly) credible.” DFRLab reported

that IUVM offered links to dozens of “member” websites, all of which were clearinghouses for

Iranian propaganda. IUVM regularly tweaked and republished official Islamic Republic of Iran

Broadcasting (IRIB) stories, only to have its articles republished, in turn, by other Iranian

propaganda mills.

361. Subscriber and transaction records from OnlineNIC revealed that iuvmpress.com

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same

user(s).

362. FireEye reported that that IP address 5.9.29.230 was used by Target Domains

105
iuvmpress.com, afghanwolas.com, iuvm.org, risolattj.com, iuvmtech.com, haghighah.com

and, of note, Liberty Front Press domain libertyfrontpress.com.

363. Subscriber and transaction records for iuvmpress.com from OnlineNIC revealed

registered email address kavehkhaleghi@hotmail.com. Email address

kavehkhaleghi@hotmail.com was also used to register Target Domains iuvmpress.org,

iuvmpress.net, and imamiatarbiat.com. According to FireEye, email address

kavehkhaleghi@hotmail.com was used to register Liberty Front Press website yemenshia.com in

October 2014 and to register Persian-language website gahvare.com in August 2015. A search

of publicly available WHOIS domain name registration records revealed an admin organization

of “Persian Domain Provider,” indicating that the domain was created by an Iran-

based organization. Analysis by the FBI of historical administrative and subscriber information

for iuvmpress.com revealed connections with Target Domains whatsupic.com,

afghanwolas.com, ansar-allah.com, faktru.com, imamiatarbiat.com, jamekurdi.com,

kashmir-news.com, nationvoices.com, nilenetonline.com, qudspal.net, sachtimes.com and

sayyidali.com.

364. Target Domain iuvmtech.com. According to FireEye, IP address 5.9.29.230

was used by Target Domains afghanwolas.com, iuvm.org, iuvmpress.com, risolattj.com,

iuvmtech.com, haghighah.com, and of note, Liberty Front Press domain

libertyfrontpress.com. Subscriber and transaction records from OnlineNIC further revealed that

iuvmtv.com is one of 43 Target Domains that were registered by OnlineNIC account ID 319223

with account name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the

106
same user(s).

365. A search of publicly available WHOIS domain name registration records

foriuvmtech.com revealed registrant email address iuvmtech2013@gmail.com. Subscriber and

transaction records from Google for iuvmtech2013@gmail.com reveal it used Iran-based IP

address 5.160.10.246.

366. Target Domain iuvmtv.com. FireEye identified iuvmtv.com as part of the

overall IUVM network. Subscriber and transaction records from OnlineNIC revealed that

iuvmtv.com is one of 43 Target Domains that were registered by OnlineNIC account ID 319223

with account name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the

same user(s).

367. Historical WHOIS information for iuvmtv.com showed that email address

iuvmtv@hotmail.com was used as the registration email for iuvmtv.com from January through

June 2017. Subscriber records from Microsoft revealed that iuvmtv@hotmail.com was used to

log into Skype from Iran-based IP address 78.158.161.153 on January 18, 2017.

368. Target Domain iuvm.org. According to FireEye, iuvm.org belongs to the

larger IUVM network of websites and social media accounts. FireEye identified an IUVM

publication listed on iuvm.org/files/asas_EN.pdf, which states that the organization is

headquartered in Tehran. FireEye further reported that IP address 5.9.29.230 was used by Target

Domains iuvm.org, afghanwolas.com, iuvmpress.com, risolattj.com,

iuvmtech.com, haghighah.com and, of note, Liberty Front Press domain libertyfrontpress.com.

369. Subscriber and transaction records from OnlineNIC revealed that iuvm.org is one

107
of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account name

Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

the

following domains are being operated in violation of IEEPA. The domains alkuwaitonline.com,

bhpress24.com, iuvm.info, khabroona.com, ksatalks.com, and saudiuncovered.com are

therefore subject to seizure as property which constitutes or is derived from proceeds traceable to

violations of IEEPA.

371. Target Domain bhpress24.com. Arabic-language bhpress24.com describes

itself as an independent news site that seeks to convey facts with complete transparency and does

not belong to any particular party. The site claims to spread public awareness of issues of

concern to the community in Bahrain and promotes the citizen’s right to know the reality of what

is happening transparently.

372. Subscriber and transaction records for bhpress24.com from Namecheap revealed

a registrant name and address of Al Thumama, 450 St., Najima St., Qatar. Open source research

by the FBI, however, failed to identify the listed address as an authentic address. Subscriber and

transaction records further revealed that Target Domains bhpress24.com, alkuwaitonline.com,

and uaealyoum.com were accessed on the same IP address—206.123.146.222—within minutes


108
of each other—on June 30, 2019 between 03:27 AM and 3:30 AM, indicating these accounts

were accessed by the same user(s).

373. Subscriber and transaction records from Namecheap further revealed that Target

Domains ksatalks.com and bhpress24.com were created and re-registered within minutes of

each other on May 1, 2019. Additionally, ksatalks.com and bhpress24.com domains share

same similar log-in days within minutes of each other—May 2, 2020, May 4, 2019, and May 1,

2019—further indicating these are operated by the same user(s).

374. Target Domain alkuwaitonline.com. Open source research by the FBI revealed

that Arabic-language alkuwaitonline.com contains messaging attacking the current U.S.

President in line with Iranian interests. For example, the domain contained a cartoon image of a

virus with hair resembling that of the current U.S. President, captioned “TRUMPVIRUS.”

375. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for alkuwaitonline.com was a subdomain of cloudflare.com, indicating that

alkuwaitonline.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for alkuwaitonline.com revealed user logins

from Iran-based IP addresses which include 5.160.10.72, 5.112.55.202, and 37.129.175.246.

376. Subscriber and transaction records for alkuwaitonline.com from Namecheap

revealed that alkuwaitonline.com, bhpress24.com, and uaealyoum.com were accessed on the

same IP address. 206.123.146.222, within minutes of each other—on June 30, 2019 between

03:27 AM and 3:30 AM—indicating these accounts were accessed by the same user(s).

Furthermore, these records showed that alkuwaitonline.com was registered using email address

109
fajeralsalily@gmail.com. According to subscriber records obtained from Verizon,

fajeralsalily@gmail.com is the alternate email account for maya_alrashid@yahoo.com, which

was used to register Target Domain saudiuncovered.com. According to subscriber records from

Google, fajeralsalily@gmail.com was registered from Iran-based IP address 5.160.10.81.

377. Target Domain iuvm.info. Subscriber and transaction records for iuvm.info

from OnlineNIC revealed a registrant phone number of +97 5873678, the same registrant phone

number used for Target Domains qudspal.com, sayyidali.com, iuvm.info, and

sachtimes.com. Subscriber and transaction records from OnlineNIC further revealed that

iuvmtv.com is one of 43 Target Domains that were registered by OnlineNIC account ID 319223

with account name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the

same user(s).

378. Target Domain khabroona.com. Legal process returns from Namecheap on

khabroona.com reveals the website’s registrant location as Pakistan, but those same returns lists

a U.S.-based phone number, +1 9959981135 and India-based phone +91 9959981135, which are

the same number but with different country codes, indicating inauthenticity.

379. Target Domain ksatalks.com. According to FBI open source research and a

machine-based translation, ksatalks.com self-identifies as the voice of Saudi Arabia and covers

topics including world affairs, health, and technology.

380. Subscriber and transaction records for ksatalks.com from Namecheap revealed a

registrant location of Kuwait, and a registrant email address of majed.alnasser@yahoo.com.

Subscriber and transaction records further revealed that ksatalks.com and Target Domain

110
bhpress24.com were created and re-registered within minutes of each other on May 1, 2019. In

addition, the two Target Domains showed log-in activity within minutes of each other and on the

same days—May 2, 2020, May 4, 2019, and May 1, 2019—further indicating these domains are

operated by the same user(s).Subscriber and transaction records for majed.alnasser@yahoo.com

showed that the account was registered on April 28, 2019 from Iran-based IP address

5.160.10.81.

381. Target Domain saudiuncovered.com. Open source research by the FBI

revealed that saudiuncovered.com is a Saudi Arabian news site. Legal process for

saudiuncovered.com from Namecheap revealed that the domain was registered using email

address maya_alrashid@yahoo.com. Subscriber and transaction records for

maya_alrashid@yahoo.com obtained from Verizon show that the alternate address for this

account is fajeralsalily@gmail.com, the email address used to register target domain

alkuwaitonline.com. According to subscriber records from Google, fajeralsalily@gmail.com

was registered from Iran-based IP address 5.160.10.81.Legal process returns from Cloudflare on

saudiuncovered.com revealed user logins from Iran-based IP address 5.160.10.72, which is the

same IP that had been accessed by Target Domains yenihaber7.com, zonablanca.org,

dailymulk.com, svetpress.com and others.

Additional Domains Identified by the FBI as Used by the IRGC Covert Influence Campaign and
which are Property Constituting or Derived from Proceeds Traceable to Violations of IEEPA

382. Target Domain iuvmpress.net. Subscriber and transaction records for

iuvmpress.net from OnlineNIC revealed its registered email address as

kavehkhaleghi@hotmail.com. Email address kavehkhaleghi@hotmail.com was also used to

111
register Target Domains iuvmpress.org, iuvmpress.com and imamiatarbiat.com. A search of

publicly available WHOIS domain name registration records revealed an admin organization of

“Persian Domain Provider,” indicating that the domain was created by an Iran-

based organization.

383. Subscriber and transaction records from OnlineNIC revealed that iuvmpress.net

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

As this domain has overlapping subscriber information with other identified target domains and

engages in activities consistent with the IRGC covert influence campaign, the FBI assesses that

this domain is used on or behalf of the IRGC.

384. Target Domain iuvmpress.org. Subscriber and transaction records for

iuvmpress.org from OnlineNIC revealed registrant email address kavehkhaleghi@hotmail.com.

Email address kavehkhaleghi@hotmail.com was also used to register Target Domains

iuvmpress.net, iuvmpress.com and imamiatarbiat.com. A search of publicly available

WHOIS domain name registration records revealed an admin organization of “Persian Domain

Provider,” indicating that the domain was created by an Iran-based organization.

385. Subscriber and transaction records from OnlineNIC revealed that iuvmpress.org

is one of 43 Target Domains that were registered by OnlineNIC account ID 319223 with account

name Amir Hossein Sadri, indicating the 43 Target Domains were registered by the same user(s).

As this domain has overlapping subscriber information with other identified target domains and

engages in activities consistent with the IRGC covert influence campaign, the FBI assesses that

112
this domain is used on or behalf of the IRGC.

386. Target Domain arbaeenpress.com. Open source research by the FBI revealed

that arbaeenpress.com is a registrant site for the Arbaeen March. “Arba’een” is a Shiite

pilgrimage where millions of Iranians and other Shiites from abroad march to Iraq to

commemorate the “40th day following the death of a Shiite saint in the 7th century,” which is

also a national holiday in Iran according to officeholidays.com.

387. Open source research by the FBI revealed that arbaeenpress.com displayed a

banner at the top of its homepage that read “Islamic Radios & Television Union” (“IRTVU”) and

was accompanied by an IRTVU logo.

388. A search of publicly available WHOIS domain name registration records revealed

registrant name “arbaeen,” registrant email arbaeenpress@gmail.com, a registrant location city

as “Baghdad” and the registered country code as "IQ" for Iraq. However, subscriber and

transaction records for arbaeenpress@gmail.com revealed account recovery and sign-in, Iran-

based phone number +98 9057263864, indicating the registrant attempted to obfuscate their Iran-

based location in order to procure arbaeenpress.com.

389. Subscriber and transaction records from OnlineNIC revealed that

arbaeenpress.com is one of 8 Target Domains that were registered by OnlineNIC account ID

590434 with account name “hussein ali,” indicating the 8 Target Domains were created by the

same user. As this domain has overlapping subscriber information with other identified target

domains and engages in activities consistent with the IRGC covert influence campaign, the FBI

assesses that this domain is used on or behalf of the IRGC.

113
390. Target Domain iuvm.net. A search of historical WHOIS domain name

registration records revealed that the nameserver listed for iuvm.net was a subdomain of

cloudflare.com, indicating that iuvm.net utilizes or has utilized Cloudflare for domain name

resolution services. Subscriber and transaction records from Cloudflare for iuvm.net revealed

logins from Iran-based IP addresses, including 5.160.10.154, 5.160.10.11, and 185.212.192.225.

The Cloudflare records further indicated that the Cloudflare account for iuvm.net was accessible

by the Cloudflare accounts for Target Domains iuvmtech.com, iuvm.org, iuvm.info,

iuvmpress.com, iuvmtv.com, tanincenter.com, and other domains ending in “.ir”, the internet

country code top-level domain for Iran. As this domain has overlapping subscriber information

with other identified target domains and engages in activities consistent with the IRGC covert

influence campaign, the FBI assesses that this domain is used on or behalf of the IRGC.

391. Target Domain uaealyoum.com. Open source research by the FBI revealed that

uaealyoum.com is a United Arab Emirates news site that provides sensational news stories

regarding world and Middle East events. Particularly, the domain provides a negative depiction

of the Middle East.

392. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for uaealyoum.com was a subdomain of cloudflare.com, indicating that

uaealyoum.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for uaealyoum.com revealed a user login

from Iran-based IP address 5.160.10.72, which is the same IP address to access Target Domains

yenihaber7.com, zonablanca.org, dailymulk.com, svetpress.com and others.

114
393. Subscriber and transaction records for uaealyoum.com from Namecheap revealed

that alkuwaitonline.com, bhpress24.com and uaealyoum.com were accessed on the same IP

address, 206.123.146.222, within minutes of each other—on June 30, 2019 between 03:27 AM

and 3:30 AM—indicating these accounts were accessed by the same user(s). As this domain has

overlapping subscriber information with other identified target domains and engages in activities

consistent with the IRGC covert influence campaign, the FBI assesses that this domain is used on

or behalf of the IRGC.

394. Target Domain svetpress.com. The domain svetpress.com is a Russian-

language site that focuses on Middle East issues.

395. Legal process returns from Cloudflare on svetpress.com revealed user logins from

Iran-based IP address 5.160.10.72, which is the same IP as accessed by Target Domains saudi-

uncovered.com, yenihaber7.com, zonablanca.org, dailymulk.com and others.

396. Legal process returns from Google on Cloudflare registrant email for

svetpress.com revealed Iran-based IP address 5.112.137.53. As this domain has overlapping

subscriber information with other identified target domains and engages in activities consistent

with the IRGC covert influence campaign, the FBI assesses that this domain is used on or behalf

of the IRGC.

397. Target Domain dailymulk.com. The domain dailymulk.com is an Arabic and

Urdu-language site that reports anti-U.S. and rhetoric attacking the current U.S. President which

is consistent with Iranian foreign policy and also consistent with IRGC disinformation tradecraft.

398. Legal process returns from Cloudflare on dailymulk.com revealed user logins

115
from Iran-based IP address 5.160.10.72, which is the same IP as accessed from Target Domains

svetpress.com, saudi-uncovered.com, yenihaber7.com, zonablanca.org, and others. As this

domain has overlapping subscriber information with other identified target domains and engages

in activities consistent with the IRGC covert influence campaign, the FBI assesses that this

domain is used on or behalf of the IRGC.

399. Target Domain yenihaber7.com. The domain yenihaber7.com is a Turkish-

language site that had phrases like “US Killer,” “US Confesses: Iran Shoots Our Soldiers,” “Iran

Islamic Revolution” and an article on Navvab Safavi as being a martyr. The FBI assesses that

the content of this domain is consistent with Iranian foreign policy and IRGC overt

disinformation campaigns.

400. Legal process returns from Namecheap on yenihaber7.com reveal that the

registrant used Iran-based IP address as 5.160.10.72 to register the domain on December 14,

2019, which is the same IP as accessed by Target Domains zonablanca.org, dailymulk.com,

svetpress.com, saudi-uncovered.com, and others.

401. Legal process returns from Google for yenihaber7.com registrant email

nayefalfaisal10@gmail.com reveal Estonia-based number +37259966163, which is substantially

similar to that of reflejo24.com registrant email alrashedahmed35@gmail.com which also has

Estonia-based number +37259966426, indicating these numbers were systematically generated

by the same user(s) for an inauthentic purpose. As this domain has overlapping subscriber

information with other identified target domains and engages in activities consistent with the

IRGC covert influence campaign, the FBI assesses that this domain is used on or behalf of the

116
IRGC.

402. Target Domain reflejo24.com. Target Domain reflejo24.com is a Spanish-

language site focused on topics affecting Spain and international issues.

403. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for reflejo24.com was a subdomain of cloudflare.com, indicating that

reflejo24.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare revealed that Target Domains

iuvmpress.com, alhiwaraldini.com, ansar-allah.com, nthnews.net, afghanpulse.com,

yemaniat.net, and reflejo24.com were hosted at similar IP addresses—176.9.98.52,

176.9.98.53, 176.9.98.53, 176.9.98.53, 176.9.98.54, 176.9.98.58, and 176.9.98.59,

respectively—varying only in the fourth octet by minor value variations, indicating the domains

are hosted on the same server, and therefore under the control of the same user(s).

404. Subscriber and transaction records from Google for yenihaber7.com registrant

email nayefalfaisal10@gmail.com revealed Estonia-based number +37259966163, which is

substantially similar to that of reflejo24.com registrant email alrashedahmed35@gmail.com,

which used Estonia-based number +37259966426, indicating these numbers were systematically

generated by the same user(s) for an inauthentic purpose. In addition, the registrant locations for

reflejo24.com and yenihaber7.com are in different countries despite being located on the same

servers, further indicating the registrant’s desire to obfuscate their true location. As this domain

has overlapping subscriber information with other identified target domains and engages in

activities consistent with the IRGC covert influence campaign, the FBI assesses that this domain

117
is used on or behalf of the IRGC.

405. Target Domain soleimanquran.com. Target Domain soleimanquran.com is an

Arabic-language site that states, according to a machine-based translation, that it is a domain of

Solomon Radio for the Holy Quran, offering recitations, hymns, muwashahat and invocations,

Islam and qur'anic teachings.

406. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for soleimanquran.com was a subdomain of cloudflare.com, indicating that

soleimanquran.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for soleimanquran.com revealed a login

from IP address 104.250.174.94. Subscriber and transaction records for several other accounts

revealed that IP address 104.250.174.94 was used to access Target Domains newsstand7.com,

almasirahtv.com, iuvmnews.com, yemaniat.net, nilenetonline.net, and several others. As this

domain has overlapping subscriber information with other identified target domains and engages

in activities consistent with the IRGC covert influence campaign, the FBI assesses that this

domain is used on or behalf of the IRGC.

407. Target Domain zonablanca.org. Open source research by the FBI revealed that

zonablanca.org is a Spanish-language site. According to a machine-based translation, tabs at

the top of the homepage were labeled: News, North America, Latin America, Culture, World,

Economy, and Gallery.

408. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for zonablanca.org was a subdomain of cloudflare.com, indicating that

118
zonablanca.org utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for zonablanca.org revealed a user login

from Iran-based IP address 5.160.10.72, which is the same IP as accessed from Target Domains

svetpress.com, saudi-uncovered.com, yenihaber7.com, and several others. As this domain has

overlapping subscriber information with other identified target domains and engages in activities

consistent with the IRGC covert influence campaign, the FBI assesses that this domain is used on

or behalf of the IRGC.

409. Target Domain qudspal.com. As discussed above regarding qudspal.net,

qudspal.com is a domain used by Qudspal News. Qudspal News focused on Palestinian issues

and contained material in line with Iranian interests, including anti-Israel, anti-Saudi, and anti-

Current U.S. President narratives. For example, articles posted on Qudspal News included a

piece describing the “Israeli enemy’s” building of infrastructure for a new settlement south of

Al-Aqsa Mosque and a piece on Argentinian prosecutors considering criminal charges against

Saudi crown prince Mohammed bin Salman. FireEye reported that domain registrant

information linked qudspal.com and qudspal.net.

410. Subscriber records from OnlineNIC revealed a subscriber location for

qudspal.com of Dubai, United Arab Emirates. Open source queries and additional legal

process, however, suggest an Iran-based subscriber. Historical WHOIS records for qudspal.com

show that the domain was registered with eb.erfani@gmail.com as the registrant email account in

2014 and 2015. This email address was also used to register Target Domains qudspal.net and

imamiatarbiat.com. According to subscriber records from Google, eb.erfani@gmail.com uses

119
Iran-based phone number +98 9194046614 for recovery SMS, sign in, and two-step verification

phone numbers. Between December 17, 2019 and August 1, 2020, the user of this email

account logged in from Iran-based IP addresses dozens of times.

411. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for qudspal.net was a subdomain of cloudflare.com, indicating that

qudspal.net utilizes or has utilized Cloudflare for domain name resolution services. Subscriber

and transaction records from Cloudflare for qudspal.net revealed user logins from Iran-based IP

addresses which include 5.160.10.11, 5.160.10.72, and 2.179.144.99. As this domain has

overlapping subscriber information with other identified target domains and engages in activities

consistent with the IRGC covert influence campaign, the FBI assesses that this domain is used on

or behalf of the IRGC.

412. Target Domain alsudanalyoum.org. Subscriber information for

alsudanalyoum.org revealed the same registrant—“ahmed anwar mohammed”— and registrant

information as alsudanalyoum.com. As such, subscriber and transaction records from

OnlineNIC revealed that alsudanalyoum.org is one of 43 Target Domains that were registered

by OnlineNIC account ID 319223 with account name Amir Hossein Sadri, indicating the 43

Target Domains were registered by the same user(s). As this domain has overlapping subscriber

information with other identified target domains and engages in activities consistent with the

IRGC covert influence campaign, the FBI assesses that this domain is used on or behalf of the

IRGC.

413. Target Domain foresight-media.net. Similar to foresight-media.com in its

120
name, Target Domain foresight-media.net used the same registrant email y.tahan@dr.com,

indicating it is controlled by the same user. WHOIS records showed that the user registered in

Yemen; however, legal process on related domain foresight-media.com revealed user logins

from Iran-based IP address 5.160.10.149. As this domain has overlapping subscriber

information with other identified target domains and engages in activities consistent with the

IRGC covert influence campaign, the FBI assesses that this domain is used on or behalf of the

IRGC.

414. Target Domain islamipolitics.com. The domain islamipolitics.com is a

Bengali-language site centered on Middle East issues.

415. A search of publicly available WHOIS domain name registration records revealed

current registrant name “Md salim ali,” registrant email “fedorimelna@gmail.com,” registrant

location city “dhalipara” and registered country code “IN,” or India. However, historical

WHOIS records revealed that registrant “hashemi” registered islamipolitics.com through

organization “qaemsoftwere” from location “Qom, IR” using Iran-based phone number +98

7785164 and email address walasr5@yahoo.com. Subscriber records for walasr5@yahoo.com

showed that the verified phone number for the account is Iran-based phone number +98

9122536496. Login records for this account showed dozens of logins from Iran-based IP

addresses located in Qom, Iran or registered to Irancell between October 13, 2019 and August

26, 2020.

416. Historical WHOIS records from May 2019 through May 2020 revealed a

registrant email address of fedorimelna@gmail.com. Subscriber records from Google for

121
fedorimelna@gmail.com showed that the account was registered from Iran-based IP address

185.142.156.201.

417. Subscriber and transaction records from OnlineNIC revealed that

islamipolitics.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in

the same account. As this domain has overlapping subscriber information with other identified

target domains and engages in activities consistent with the IRGC covert influence campaign, the

FBI assesses that this domain is used on or behalf of the IRGC.

418. Target Domain kashmir-news.com. A search of publicly available WHOIS

domain name registration records revealed this domain’s association with registrant email

namcorechi32@gmail.com, and registrant location Naran, Pakistan.

419. Subscriber and transaction records from Google for email address

namcorechi32@gmail.com, however, revealed multiple recovery email login activities from

Iran-based IP address 185.176.58.122 through ISP Ebtekar Andishan Sabz Co. Ltd., which is

located in Qom, Iran, indicating the user was attempting to obfuscate their Iran-based location.

420. The FBI identified historical administrative and subscriber connections between

kashmir-news.com and 12 Target Domains.

421. Subscriber and transaction records from OnlineNIC revealed that kashmir-

news.com is one of 19 Target Domains that were registered by OnlineNIC account ID 595619

with account name Ibrahim Hosein, indicating the 19 Target Domains are maintained in the same

account. As this domain has overlapping subscriber information with other identified target

122
domains and engages in activities consistent with the IRGC covert influence campaign, the FBI

assesses that this domain is used on or behalf of the IRGC.

422. Target Domain nationvoices.com. Open source research by the FBI revealed

that nationvoices.com is a Hindi-language site which claims to be made of “independent

journalists, writers and students.” The domain includes American news that portrays the U.S. in

a negative light. Much of the messaging is pro-Iranian in addition to vengeful sentiments

regarding former Iranian General Qasim Sulaimani’s death.

423. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for nationvoices.com was a subdomain of cloudflare.com, indicating that

nationvoices.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for nationvoices.com revealed user logins

from Iran-based IP address 185.142.156.201.

424. The FBI identified historical administrative and subscriber connections for

nationvoices.com with 12 Target Domains.

425. Subscriber and transaction records from OnlineNIC revealed that

nationvoices.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains were registered by

the same user(s). As this domain has overlapping subscriber information with other identified

target domains and engages in activities consistent with the IRGC covert influence campaign, the

FBI assesses that this domain is used on or behalf of the IRGC.

426. Target Domain alhadathps.com. FireEye identified alhadathps.com as part of

123
the Liberty Front Press campaign. FireEye reported that alhadathps.com (formerly al-

hadath24.com) is an Arabic-language site that describes itself as “a news site concerned with the

dissemination and analysis of political news and events in the Palestinian field, developments in

the Arab and international arenas, and exposure of the violations of the Zionist occupation

against the rights of the Palestinian people.” Alhadathps.com publishes primarily political news

stories and has plagiarized articles from Arabic-language mainstream media outlets such as Al-

Araby Al-Jadeed (alaraby.co.uk) and Al Jadeed (aljadeed.tv). Many articles promote anti-Israel,

pro-Palestine, and anti-Current U.S. President narratives.

427. According to FireEye, alhadathps.com’s predecessor al-hadath24.com was

registered on Aug. 3, 2015 to an individual named “ahmed saleh” using the email address

alhadath24@outlook.com and claiming to be located in Baghdad. Consistent with FireEye’s

findings, the FBI searched a publicly available WHOIS database and identified alhadathps.com

registrant email address alhadath24.af@gmail.com, which closely resembles predecessor domain

name al-hadath24.com. Further, FireEye found that al-hadath24.com used Iranian name servers

damavand.atenahost.ir and alvand.atenahost.ir, which was later confirmed by the FBI to have

happened when the domain first registered on August 3, 2015, according to historical WHOIS

records. FireEye further reported that alhadathps.com maintains social media accounts on

Twitter, Facebook, Instagram, and YouTube. One such account, Twitter account

@alhadathps, was linked to a phone number with the +98 Iranian country code. In

addition, a Facebook account for a persona whose name was listed on registrant

information for Target Domain usjournal.net, promoted alhadathps.com material.

124
428. A search of historical WHOIS domain name registration records revealed that the

nameserver listed for alhadathps.com was a subdomain of cloudflare.com, indicating that

alhadathps.com utilizes or has utilized Cloudflare for domain name resolution services.

Subscriber and transaction records from Cloudflare for alhadathps.com revealed user logins

from multiple Iran-based IP addresses, including 185.212.192.209, 5.160.10.11, and

5.114.176.54.

429. Subscriber and transaction records from OnlineNIC revealed that

alhadathps.com is one of 19 Target Domains that were registered by OnlineNIC account ID

595619 with account name Ibrahim Hosein, indicating the 19 Target Domains were registered by

the same user(s). As this domain has overlapping subscriber information with other identified

target domains and engages in activities consistent with the IRGC covert influence campaign, the

FBI assesses that this domain is used on or behalf of the IRGC.

Conclusion

430. As described throughout, there is probable cause to believe that the Target

Accounts are being used by or on behalf of the Government of Iran and the IRGC to conduct a

covert influence and disinformation campaign both within and without the United States to the

benefit of the Government of Iran. The services provided by U.S. internet service providers by

hosting each of the Target Domains is a violation of IEEPA because the services provided are

prohibited by U.S. sanctions targeting Iran and the IRGC. As described above, each of the

domains was fraudulently registered because each is being used by or on behalf of the IRGC and

this critical information was omitted from the registration if any of the U.S. service providers had

125
known that the domains were to be used by or on behalf of the IRGC, they would not have been

able to provide the hosting service due to U.S. sanctions. Additionally, Target Domains

newsstand7.com, usjournal.net, usjournal.us, and twtoday.net are also subject to seizure as

they are property that constitutes or is derived from proceeds traceable to violations of FARA.

As a result, there is probable cause to believe that the Target Domains are subject to civil and

criminal forfeiture because they constitute or are derived from proceeds traceable to a violation

of the Subject Offenses, namely, the payment of U.S. domain registration services in violation of

IEEPA and FARA.

SEIZURE PROCEDURE

431. As detailed in Attachment A, upon execution of the seizure warrant, the registrar

for Target Domain theleadersnews.com, GoDaddy Inc., headquartered at 14455 N. Hayden Rd.,

Ste. 226, Scottsdale, Arizona, shall be directed to restrain and lock the relevant Target Domain

pending transfer of all right, title, and interest in the Target Domain to the United States upon

completion of forfeiture proceedings, to ensure that changes to the Target Domain cannot be

made absent court order or, if forfeited to the United States, without prior consultation with the

U.S. Department of Justice.

432. As detailed in Attachment B, upon execution of the seizure warrant, the registrar

for Target Domains 4svideo.com, afghanpulse.com, alkuwaitonline.com, bhpress24.com,

dailymulk.com, frpress24.com, khabroona.com, ksatalks.com, mepanorama.net,

newsstand7.com, reflejo24.com, saudiuncovered.com, soleimanquran.com, svetpress.com,

uaealyoum.com, yenihaber7.com and zonablanca.org, Namecheap, Inc., headquartered at

126
4600 East Washington Street, Suite 305, Phoenix, Arizona 85034, shall be directed to restrain

and lock the relevant Target Domains pending transfer of all right, title, and interest in the

relevant Target Domains to the United States upon completion of forfeiture proceedings, to

ensure that changes to the relevant Target Domains cannot be made absent court order or, if

forfeited to the United States, without prior consultation with the U.S. Department of Justice.

433. As detailed in Attachment C, upon execution of the seizure warrant, the registrar

for Target Domains 3adalah.com, acilnews.com, aden-alyoum.com, adentimes.net,

afghanwolas.com, aftruth.com, ageofpakistan.com, al-sufia.com, alhadathps.com,

alkhalijalyoum.com, almasirahpress.com, almasirahtv.com, alnujaba.com,

alraialqatari.com, alsudanalyoum.com, alsudanalyoum.org, altanzil.net, alwarka.net,

ansar-allah.com, arbaeenpress.com, aynanewsagency.org, bashiqa.com, beritadunia.net,

faktru.com, fatemyoun.com, foresight-media.com, foresight-media.net, haghighah.com,

hindkhabar.com, imamiatarbiat.com, iraqnewsservice.com, islahjo.com, islamipolitics.com,

iuvm.info, iuvm.net, iuvm.org, iuvmpress.com, iuvmpress.net, iuvmpress.org,

iuvmtech.com, iuvmtv.com, j-babel.com, jamekurdi.com, jihadalbina.org, kashmir-

news.com, kashmirline.com, ksastudies.net, kurdestantimes.com, libyaalmokhtar.com,

maghrebiyon.com, marsadz.com, masralkenana.com, moqawemat.com, naijafox.com,

nationvoices.com, nilenetonline.com, nthnews.net, pakonlinenews.com, pashtokhabar.com,

pergiustizia.com, puketnews.com, qarura.com, qudspal.com, qudspal.net, raitunisia.com,

risolattj.com, sachtimes.com, saghalein-ins.com, sayyidali.com, sizinyol.com, syria-

scope.com, tanincenter.com, twtoday.net, usjournal.net, usjournal.us, whatsupic.com,

127
yaqeenagency.net and yemaniat.net, OnlineNIC Inc., headquartered at 3027 Teagarden Street,

San Leandro, California 94577, shall be directed to restrain and lock the relevant Target

Domains pending transfer of all right, title, and interest in the relevant Target Domains to the

United States upon completion of forfeiture proceedings, to ensure that changes to the relevant

Target Domains cannot be made absent court order or, if forfeited to the United States, without

prior consultation with the U.S. Department of Justice.

CONCLUSION

434. For the foregoing reasons, I submit that there is probable cause to believe that the

Target Domains are used in and/or intended to be used in facilitating and/or committing the

Subject Offenses. Accordingly, the Target Domains are subject to forfeiture to the United States

pursuant to 21 U.S.C. § 853, and 18 U.S.C. § 981, as incorporated by 28 U.S.C. § 2461(c), and I

respectfully request that the Court issue seizure warrants for the Target Domains. Because the

warrant will be served on GoDaddy, Namecheap, and OnlineNIC, which control the Target

Domains and, thereafter, at a time convenient, will transfer control of the Target Domains to the

government, there exists reasonable cause to permit the execution of the requested warrant at any

time in the day or night. Finally, and in order to protect the ongoing investigation and in

consideration that much of the information set forth above is not otherwise publicly available, I

respectfully request that this Affidavit be filed and kept under seal until further order of this

Court.

128
ATTACHMENT A

With respect to SUBJECT DOMAIN NAME theleadersnews.com, GODADDY, who is

the domain registrar for the SUBJECT DOMAIN NAME, shall take the following actions to

effectuate the seizure of SUBJECT DOMAIN NAME:

1) Take all reasonable measures to redirect the domain names to a substitute server

at the direction of the U.S. GOVERNMENT LAW ENFORCEMENT, by updating the

authoritative nameservers for the SUBJECT DOMAIN NAME to any new authoritative name

server or IP address to be designated by a law enforcement agent in writing, including e-mail, to

the Registrar.

2) Prevent any further modification to, or transfer of, SUBJECT DOMAIN NAME

pending transfer of all right, title, and interest in SUBJECT DOMAIN NAME to the United

States upon completion of forfeiture proceedings, to ensure that changes to the SUBJECT

DOMAIN NAME cannot be made absent court order or, if forfeited to the United States, without

prior consultation with U.S. GOVERNMENT LAW ENFORCEMENT.

3) Take all reasonable measures to propagate the necessary changes through the

Domain Name System as quickly as practicable.

4) Provide reasonable assistance in implementing the Terms of this Order and take

no unreasonable action to frustrate the implementation of this Order.

5) The Government will display a notice on the website to which the SUBJECT

DOMAIN NAME will resolve. That notice will consist of law enforcement emblems and the

following, or similar, text:

129
“The domain for SUBJECT DOMAIN NAME has been seized by the United States Government

in accordance with a seizure warrant issued pursuant to 18 U.S.C. §§ 981, 982, and 50 U.S.C.

1701-1705 as part of a law enforcement action by the U.S. Department of Justice.”

130
ATTACHMENT B

With respect to SUBJECT DOMAIN NAME 4svideo.com, afghanpulse.com,

alkuwaitonline.com, bhpress24.com, dailymulk.com, frpress24.com, khabroona.com,

ksatalks.com, mepanorama.net, newsstand7.com, reflejo24.com, saudiuncovered.com,

soleimanquran.com, svetpress.com, uaealyoum.com, yenihaber7.com and zonablanca.org,

NAMECHEAP, who is the domain registrar for the SUBJECT DOMAIN NAME, shall take the

following actions to effectuate the seizure of SUBJECT DOMAIN NAME:

1) Take all reasonable measures to redirect the domain names to a substitute server

at the direction of the U.S. GOVERNMENT LAW ENFORCEMENT, by updating the

authoritative nameservers for the SUBJECT DOMAIN NAME to any new authoritative name

server or IP address to be designated by a law enforcement agent in writing, including e-mail, to

the Registrar.

2) Prevent any further modification to, or transfer of, SUBJECT DOMAIN NAME

pending transfer of all right, title, and interest in SUBJECT DOMAIN NAME to the United

States upon completion of forfeiture proceedings, to ensure that changes to the SUBJECT

DOMAIN NAME cannot be made absent court order or, if forfeited to the United States, without

prior consultation with U.S. GOVERNMENT LAW ENFORCEMENT.

3) Take all reasonable measures to propagate the necessary changes through the

Domain Name System as quickly as practicable.

4) Provide reasonable assistance in implementing the Terms of this Order and take

no unreasonable action to frustrate the implementation of this Order.

131
5) The Government will display a notice on the website to which the SUBJECT

DOMAIN NAME will resolve. That notice will consist of law enforcement emblems and the

following, or similar, text:

“The domain for SUBJECT DOMAIN NAME has been seized by the United States Government

in accordance with a seizure warrant issued pursuant to 18 U.S.C. §§ 981, 982, and 50 U.S.C.

1701-1705 as part of a law enforcement action by the U.S. Department of Justice.”

132
ATTACHMENT C

With respect to SUBJECT DOMAIN NAME 3adalah.com, acilnews.com, aden-

alyoum.com, adentimes.net, afghanwolas.com, aftruth.com, ageofpakistan.com, al-

sufia.com, alhadathps.com, alkhalijalyoum.com, almasirahpress.com, almasirahtv.com,

alnujaba.com, alraialqatari.com, alsudanalyoum.com, alsudanalyoum.org, altanzil.net,

alwarka.net, ansar-allah.com, arbaeenpress.com, aynanewsagency.org, bashiqa.com,

beritadunia.net, faktru.com, fatemyoun.com, foresight-media.com, foresight-media.net,

haghighah.com, hindkhabar.com, imamiatarbiat.com, iraqnewsservice.com, islahjo.com,

islamipolitics.com, iuvm.info, iuvm.net, iuvm.org, iuvmpress.com, iuvmpress.net,

iuvmpress.org, iuvmtech.com, iuvmtv.com, j-babel.com, jamekurdi.com, jihadalbina.org,

kashmir-news.com, kashmirline.com, ksastudies.net, kurdestantimes.com,

libyaalmokhtar.com, maghrebiyon.com, marsadz.com, masralkenana.com,

moqawemat.com, naijafox.com, nationvoices.com, nilenetonline.com, nthnews.net,

pakonlinenews.com, pashtokhabar.com, pergiustizia.com, puketnews.com, qarura.com,

qudspal.com, qudspal.net, raitunisia.com, risolattj.com, sachtimes.com, saghalein-ins.com,

sayyidali.com, sizinyol.com, syria-scope.com, tanincenter.com, twtoday.net, usjournal.net,

usjournal.us, whatsupic.com, yaqeenagency.net and yemaniat.net, ONLINENIC, who is the

domain registrar for the SUBJECT DOMAIN NAMES, shall take the following actions to

effectuate the seizure of SUBJECT DOMAIN NAMES:

1) Take all reasonable measures to redirect the domain names to a substitute server at the

direction of the U.S. GOVERNMENT LAW ENFORCEMENT, by updating the

133
authoritative nameservers for the SUBJECT DOMAIN NAMES to any new authoritative

name server or IP address to be designated by a law enforcement agent in writing,

including e-mail, to the Registrar.

2) Prevent any further modification to, or transfer of, SUBJECT DOMAIN NAMES

pending transfer of all right, title, and interest in SUBJECT DOMAIN NAMES to the

United States upon completion of forfeiture proceedings, to ensure that changes to the

SUBJECT DOMAIN NAMES cannot be made absent court order or, if forfeited to the

United States, without prior consultation with U.S. GOVERNMENT LAW

ENFORCEMENT.

3) Take all reasonable measures to propagate the necessary changes through the Domain

Name System as quickly as practicable.

4) Provide reasonable assistance in implementing the Terms of this Order and take no

unreasonable action to frustrate the implementation of this Order.

5) The Government will display a notice on the website to which the SUBJECT DOMAIN

NAME will resolve. That notice will consist of law enforcement emblems and the

following, or similar, text:

“The domain for SUBJECT DOMAIN NAME has been seized by the United States

Government in accordance with a seizure warrant issued pursuant to 18 U.S.C. §§ 981,

982, and 50 U.S.C. 1701-1705 as part of a law enforcement action by the U.S.

Department of Justice.”

134

Оценить