In this brief analysis, we show how examining historical DNS records can be a decisive step in de-anonymizing websites that disseminate illicit material.
A few months ago, several press sources described the activities of a website (camhub.to), whose domain was registered in the Kingdom of Tonga, on which video streams were unlawfully distributed after illicit access to surveillance cameras installed in private homes and sensitive locations, including healthcare facilities.
In this OSINT investigation, we arrive at the identification of a natural person in a position of potential control over the portal’s IT infrastructure.
From the time the analysis was initiated (September 2025), the site was no longer accessible; it therefore became necessary to proceed by relying primarily on historical data, namely:
- historical and current WHOIS records;
- historical DNS records (obtained by consulting “Passive DNS” databases);
- archived versions of the camhub.to domain available on archive.org (Wayback Machine);
- Telegram conversations;
- SSL encryption certificates.
From the acquisition of WHOIS records, we note that the domain was already registered in December 2022. However, until the first half of 2024, camhub.to was effectively unused and kept in a state of “hibernation.” The first archived versions of the site are only available starting from the second half of December 2024.
PHASE 1 – ANALYSIS OF SOCIAL CONVERSATIONS
Beyond consulting the “official” data relating to the domain’s registration, it can be observed that camhub.to and its twin domain camhub.vip were mentioned in certain conversations on the Telegram messaging platform. Today, these conversations can be accessed only through third-party aggregators that have archived messages exchanged by users in some chats that are no longer active.
The “Camhub Warning” channel—presumably attributable to a hacker collective—warned camhub.to users that a crackdown operation had been launched with the aim of dismantling its IT infrastructure. On 11 December 2024, the collective announced that the twin domain camhub.vip had been suspended:
On 17 December 2024, the collective announced that it had reached an agreement with Camhub, as a result of which the countermeasures were suspended, an agreement having been reached—presumably on monetary grounds:
The research continues with the analysis of additional conversations on Telegram. On 18 December 2024, the administrators of the “CamHubVIP” chat announced that they had restored camhub.vip’s functionality, as the aforementioned crackdown actions had in the meantime ceased.
In the same chat, another channel—named “Voy&Pub / @voy_pub_ua”—was also promoted, focused on the dissemination of voyeuristic content.
The channel (followed by more than 88,000 subscribers) appears to have plausible Ukrainian roots (as suggested by the Ukrainian flag displayed next to the channel name, as well as by the language of the content).
PHASE 2 – MAPPING THE WEB INFRASTRUCTURE
During the period in which the above-mentioned collective was countering the portal’s activities, Camhub’s DNS records were replaced with Cloudflare’s. This step was intended to secure the infrastructure against DDoS attacks.
The use of Cloudflare reverse proxies is often an obstacle to identifying the real IP address on which the infrastructure actually resides. Knowing the real IP address is essential in order to pursue complex investigative paths and ultimately identify correlated IT infrastructures.
In the case at hand, consulting “IoT” (“Internet of Things”) search engines allows us to bypass Cloudflare’s protections and identify at least three IP addresses, not belonging to Cloudflare’s network, that were used by Camhub before the configuration of the protection and anonymity layers.
The IP addresses in question are:
- 91.194.110.44
- 91.194.110.57
- 91.194.110.58
These IP addresses appear to have been in use by Camhub between December 2024 and September 2025 and therefore represent a valid pivot point that can be used to map any connected IT infrastructures.
First, it should be noted that the aforementioned IPs are all attributable to a Ukrainian hosting provider with IT infrastructures located in Europe and, specifically, in the Netherlands. The provider appears to be UA-Hosting SIA, a company legally based in Latvia but attributable to two individuals of plausible Ukrainian origin. The provider, of course, is not responsible for the illicit activities carried out on portals hosted on its servers, but it may be contacted by the judicial authorities to obtain identifying data regarding Camhub’s owner/operator.
Starting from the three IP addresses, we initiated an analysis cycle using software solutions and databases that make it possible to retrieve historical passive DNS records for each IP. Historical DNS records indicate which web domains/hostnames each IP address has previously been associated with.
The following image illustrates, in simplified form, the main IP → hostname relationships identified:
We immediately notice, in the relational diagram, the presence of several “outliers,” namely domain names that cannot be traced back to the Camhub network:
- i-t.kz (with the subdomain camhub.i-t.kz)
- vclub.vc
The domain vclub.vc appears to be registered in the name of “Oleg U Dominikan,” with the email address vclub.adm@gmail.com. In the domain’s WHOIS record, we also identify a mobile phone contact which, however, appears to belong to a woman of Russian nationality whose social network—reconstructed by aggregating data from the social networking platform Odnoklassniki—does not provide elements capable of confirming a link to Camhub or to vclub.vc.
Similarly, the name “Oleg U Dominikan” cannot be traced back to any actually identifiable natural person. In all likelihood, the administrator of vclub.vc used third-party data and fictitious names to register the domain.
In any event, the homepage of www.vclub.vc displays a forum devoted to voyeuristic topics, a circumstance fully consistent with the nature of Camhub’s content and of the aforementioned Telegram channel “Voy&Pub.”
Forum registrations, as indicated in a thread posted by the administrator (active under the username “gre”), are closed. As of the date of consultation, registered users numbered 69,307.
Further inquiries conducted into the domain vclub.vc allow us to ascertain an actual interoperability link with Camhub, given that the aforementioned “Voy&Pub” channel mentioned vclub.vc as the “best forum to discuss the topics of the [Voy&Pub] channel.”
Notwithstanding the significant information acquired, our research into the forum does not enable us to identify any natural person who can be concretely linked to Camhub. We therefore proceed to examine the second “outlier” domain: i-t.kz.
The domain appears to be registered in Kazakhstan by a company specializing in the provision of IT services, while the email address of the administrative contact appears to be r********o@gmail.com.
We note that the DNS records of the company’s website are the same as those previously used by camhub.vip before the migration to Cloudflare’s anonymization services (ns15.inhostedns.com, ns25.inhostedns.com, ns35.inhostedns.com).
As for the subdomain camhub.i-t.kz, we note the presence of a simple empty holding page (now removed, but nonetheless archived on the Wayback Machine) that unequivocally points back to the portal under investigation.
The email address r********o@gmail.com, as well as the company that registered the domain, point unambiguously to the same IT technician of Kazakh origin, Roman E. G., who is professionally active also in Russia but—at least apparently—resident in Ukraine (a circumstance therefore fully consistent with the use of a Ukrainian hosting provider—see above).
Have we identified Camhub’s owner? We cannot be certain. However, the indicators collected do allow us to hypothesize that R.G.E. was at least, to some extent, involved in the site’s technical and operational management.
The Italian Data Protection Authority (Garante per la protezione dei dati personali), after annulling—on its own initiative—the warning addressed to a U.S. company believed to be the site’s operator (a company that was in fact unrelated to camhub.to), would now have sufficient elements to proceed with a further report against the Kazakh company, perhaps with a higher likelihood of identifying the actual operator—assuming this is still necessary, given that camhub.to has been offline for months.