Final Investigation Report

Following a comprehensive investigation and analysis, it has been determined that the platform initially concealed its infrastructure by registering domains through registrars based in China. These domains were subsequently connected to web servers located in various regions, including Hong Kong, South Africa, Singapore, South Korea, and multiple states across the United States of America (USA).

After this initial setup, the domains were routed through Cloudflare's Content Delivery Network (CDN) and Proxy services to further obfuscate their origin.

Following this masking process, a direct connection was manually established in Cloudflare between the domain names and the platform’s Original IPs via custom Proxy settings, utilizing a Dedicated IP connection. The domains were manually configured through the Cloudflare management panel to point directly to the platform’s original IP addresses. These IPs are hosted across various cloud services, including Amazon Web Services (AWS) in the United States, Google Cloud in Singapore, and Alibaba Cloud in both China and Hong Kong. Additionally, Fastly's CDN and Proxy services were employed to enhance speed and access security. The specific IP addresses and corresponding server details, configured with the intent of Original IP masking and Dedicated IP connectivity, are as follows:

This layered configuration strategy demonstrates the platform's attempt to obscure its true hosting locations by leveraging international domain registration, proxy services, and multi-region cloud service providers.

Furthermore, the domains were registered with administrative and elevated access by Alibaba Group and its business partners in the aforementioned countries. Before connecting to the Cloudflare service, all the domains were transferred to Dynadot registrar after being initially registered through Alibaba's own registrars and a network of Chinese companies in China, Singapore, South Korea, and Hong Kong.