Table of Contents
Domain reputation is one of the few assets on the web that can’t be bought outright. It accrues slowly as reputable sites link to it, content is crawled and archived, and its emails successfully pass through spam filters. When a site is no longer maintained and domain ownership lapses, the URL’s reputation doesn’t decay with its content. Whoever acquires the now-dormant domain inherits the backlinks, archive, and ranking for roughly the cost of a registration. This is parasite SEO, and the people-search variant is what we’ve been mapping.
Buying an expired domain to ride its reputation is a well-worn tactic. This technique is well understood by both bad actors and search engines themselves, but the people-search variant is unique in that it doesn’t look like an attack. It often targets mission-driven organizations, and rather than serving up phishing forms or illegal gambling sites, it serves up content from data broker websites. This form of reputation abuse not only inflicts brand damage on noble causes, it further compromises individual privacy and weaponizes stolen goodwill for profit.
Below are the steps we take to confirm when this happens, followed by a teardown of three live domains. Each runs the same model with small differences.
What’s actually being stolen?
- Inbound links. Links are one of the few ranking signals openly confirmed by Google. Decades of links continue pointing at the domain long after the original site goes dark, passing that authority to anything sitting at that address.
- An established track record. Years of crawled, legitimate content tell search engines a domain is real and stable. The new operator inherits a proven domain instead of starting cold.
- Human trust. A visitor who recognizes the name or is linked from another site sees content that persisted, lending an air of credibility.
When an operator takes over a domain, they inherit legitimacy for the price of a registration and exploit it until someone notices. Google now treats this as a named offense: its March 2024 policy update added “expired domain abuse” as a violation.
How we confirm a takeover

Registration records (WHOIS). Every domain has a public registration record set and maintained by the domain’s registry (a neutral third party), including the date it was first registered. This date cannot be backdated by the owner. Examining that record provides initial clues that a domain may have changed hands. This typically shows up one of two ways:
- A domain is purchased in a private sale or at an expired domain auction and the original registration date remains the same.
- Registration lapses and is purchased on the open market the moment it’s available (a “drop-catch”). The date resets to the purchase date while the reputation lives on.
Certificate transparency logs. Every TLS certificate issued for a domain is logged publicly and permanently by an independent third party. An active site typically renews certificates on a regular basis, but abandoned sites tend to let certificates lapse. When a period of inactivity is broken by a fresh certificate, combined with WHOIS and content changes, this can be another clue the site has changed ownership.
The Wayback Machine. The Internet Archive’s Wayback Machine allows us to see unaltered point-in-time snapshots of a site. This provides insight into any modifications made after an ownership change. In the case of parasite SEO, old snapshots may show preexisting blogs or academic research while the live site primarily exists as a people search funnel.
When the registrar record, the certificate, and the content all change inside the same window of time, evidence of a takeover piles up and deeper inspection is warranted.
Tracking a takeover spree
Confirming a single takeover is one thing, but proving several by the same operator is another. In this case, we fingerprint each site at the account level using identifiers a site must expose for basic functionality or monetization. A site’s private analytics and tag-manager IDs and the affiliate-reseller account its payout links carry can all be valuable indicators of the same operator. These attach to individual accounts, so when two otherwise-unrelated domains carry the same one, the same operator is behind both. We rely strictly on account-level indicator matches like these for precise detection and to prevent misattribution.
Finding these indicators turned seemingly separate takeovers into a single parasitic network. The sites nativeamericannetroots.net, clustal.org, and unite4heritage.org all share account-level identifiers tracing back to one operator.
Case 1: nativeamericannetroots.net
What it was. Native American Netroots is an organization founded by Neeta Lind, an organizer and longtime Daily Kos Director of Community. The community still publishes on Daily Kos; however, the original website nativeamericannetroots.net was taken over in August 2025. The organization is alive but its old web address was hijacked and turned into a data broker, riding on the reputation NAN built over nearly two decades.
The record switch. The domain was registered 2007‑07‑24 through GoDaddy. On 2025‑08‑22 the WHOIS registration logged a change of control while retaining its original registration date. An unchanged registration date under new control is a good indicator that the domain was acquired while still registered, either bought privately or won at an expired-domain auction. The certificate trail also shows a long, steady history abruptly giving way to new issuance at that same August date.
The content switch. About two months later the site began publishing templated SEO listicles (“10 Most Popular Native American Baby Names,” “Could You Have Native American Heritage? Here’s How to Find Out”) and an A‑to‑Z people‑search directory. The new posts run under a fabricated byline with no verifiable presence anywhere but this site.

Attribution. The WHOIS registration is privacy masked and there are no other identifying markers on the site, so we don’t tie it to a person. nativeamericannetroots.net does, however, share an account‑level identifier with clustal.org, indicating it is run by the same operator as the other takeovers here.
Case 2: clustal.org
What it was. clustal.org was the longtime home of the ClustalW / Clustal Omega bioinformatics software written by Des Higgins at University College Dublin. The software is still widely used but the original domain has been taken over and turned into a people-search data broker. The prevalence of this software over such a long period of time means that the taken-over domain has inherited the citations and links of scientific papers that still point at the old address. A Google Scholar search shows approximately 5,000 references or citations.
The record switch. The domain was registered 2007‑12‑17 and ran for years through its academic owner’s registrar. The registration lapsed in December 2025 and was caught while still in its expiry window. WHOIS logged the change of control on 2026‑02‑09. The certificate issuing authority changed on 2026‑02‑09, the same day as the WHOIS control change.
The content switch. The software page was replaced by a people-search site. Via the Wayback Machine, we can see the old page linking to different versions of the scientific software. This site also adds a wrinkle by returning a different page to requests using a Google or Bing user-agent than what an individual sees when visiting directly. This allows the site to keep its ranking based on the previous academic reputation rather than what the site currently serves.


Attribution. The registration is once again privacy masked and the site lacks anything to tie it to an individual. But clustal.org ties this network together through account-level identifiers shared with both nativeamericannetroots.net and unite4heritage.org.
Case 3: unite4heritage.org
What it was. The official campaign domain for #Unite4Heritage, a UNESCO initiative launched in 2015 under Director-General Irina Bokova to protect cultural heritage from destruction. The site hosted genuine campaign content from 2015 to 2021.
The records switch. unite4heritage.org is slightly different from the other sites in this operator network in that the domain lapsed and was re-registered through a drop-catcher. This reset the creation date to 2025-06-14. On the same day a new certificate was issued after being dormant for over 3 years.
The content switch. The UNESCO campaign was replaced by a people-search site that uses language similar to the original campaign such as ‘digital heritage’ to maintain a veneer of legitimacy. It also kept the original campaign pages in place, republishing UNESCO’s articles word-for-word and rehosting the original images. The existing articles allow the site to maintain existing backlinks that push towards the now-monetized site while again hiding changes from Google and Bing.

Attribution. As we can expect by now, the registration is privacy masked and contains no individual identifiers. Strangely, unite4heritage.org does not have an affiliate funnel like the first two sites. It purports to offer reports directly but provides no mechanism for it. It does, however, share a technical fingerprint with clustal.org, helping us feel confident in the association.
Beyond people-search detection
This variant of parasite SEO poses risks, both to the credibility of otherwise upstanding initiatives and to the individuals whose aggregated personal data is listed for sale. There are at least two ways to help mitigate these risks. First, if you run a site that’s gone quiet, make sure to prevent the domain from lapsing and make a plan to hand it off when you can’t maintain it any longer. No one can take over a domain that you control. Second, your data is almost certainly on sites just like these, collected and sold without your consent. Removing your personally identifiable information on data broker websites protects your privacy and makes these tactics less lucrative at the same time.
VanishID continuously discovers and removes exposed personal data across data brokers and the open web. For the full evidence pack on any domain referenced here, reach us at [email protected].