The Furry Fandom Vulnerability

How to De-Anonymize Scam/Knock-off Sites Hiding Behind CloudFlare

Update (2021-01-09): There’s a newer blog post that covers different CloudFlare deanonymization techniques (with a real world case study).

Furry Twitter is currently abuzz about a new site selling knock-off fursuits and illegally using photos from the owners of the actual fursuits without permission.

The website in question.

Understandably, the photographers and fursuiters whose work was ripped off by this website are upset and would like to exercise their legal recourse (i.e. DMCA takedown emails) of the scam site, but there’s a wrinkle:

Their contact info isn’t in DNS and their website is hosted behind CloudFlare.

Private DNS registration.

You might think this is a show-stopper, but I’m going to show you how to get their server’s real IP address in one easy step.

Ordering the Server’s IP Address by Mail

Most knock-off site operators will choose open source eCommerce platforms like Magento, WooCommerce, and OpenCart, which usually have a mechanism for customers to register for an account and login.

Usually this mechanism sends you an email when you authenticate.

(If it doesn’t, logout and use the “reset password” feature, which will almost certainly send you an email.)

Once you have an email from the scam site, you’re going to need to view the email headers.

With Gmail, can click the three dots on the right of an email then click “Show original”.

Account registration email.
Full email headers after clicking “Show original”.

And there you have it. The IP address of the server behind CloudFlare delivered piping hot to your inbox in 30 minutes or less, or your money back.

That’s a fairer deal than any of these knock-off fursuit sites will give you.

Black magic and piss-poor opsec.

What Can We Do With The Server IP?

You can identify who hosts their website. (In this case, it’s a company called Net Minders.)

With this knowledge in mind, you can send an email to their web hosting provider, citing the Digital Millennium Copyright Act.

One or two emails might get ignored, but discarding hundreds of distinct complaint emails from different people is bad for business. This (along with similar abuse complaints to the domain registrar, which isn’t obscured by DNS Privacy) should be enough to shut down these illicit websites.

The more you know!


The technique is simple, effective, and portable. Use it whenever someone tries to prop up another website to peddle knock-off goods and tries to hide behind CloudFlare.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!

5 replies on “How to De-Anonymize Scam/Knock-off Sites Hiding Behind CloudFlare”

Bark My Way

This site uses Akismet to reduce spam. Learn how your comment data is processed.