You are looking at an alert, and at the center of it is a suspicious IP address that means nothing to you yet. Maybe your SIEM flagged repeated failed logins from it. Maybe it turned up in a WAF log, hammering an endpoint a few hundred times a minute. Maybe a user forwarded a phishing email and that address is the one solid artifact you have. The clock is running, and the usual response is to open a fresh browser tab for each question you need answered, jumping between as many as five separate threat hunting tools, each with its own login, its own response format, and its own bill at the end of the month.
Here is a faster way: a repeatable suspicious IP address investigation you can run the same way every time, by hand during triage or wired into a SOAR runbook. It leans on the APIFreaks IP Geolocation Lookup for the threat verdict, and on the APIFreaks WHOIS suite (the IP WHOIS, Domain WHOIS, Domain WHOIS Reverse Lookup, and ASN Lookup APIs) for everything about ownership and infrastructure. These are different products built for different jobs, but they live behind one account, one API key, and one predictable JSON style, so the whole chain runs without ever switching tools. One suspicious IP address goes in. A full picture of the host, its owner, and its related infrastructure comes out.
If your starting point is a phishing report rather than a log line, do one thing before Step 1. A phishing email hands you two artifacts worth checking: the sender's email address, and the raw message headers, the routing metadata at the top of the email that records every mail server it passed through. Run the sender address through the Email Checker API to see whether it is a real, deliverable mailbox or a throwaway, since a non-existent or disposable sender is a red flag in its own right. Then read the originating IP from the Received lines in those headers and feed that address into the playbook as your suspicious IP. From Step 1 on, the process is identical.
Throughout this playbook we investigate one real suspicious IP address, 178.175.131.194, as a running example. Every JSON block below is the actual response for that address, so you can fire the same calls with your own key and confirm the output for yourself.
TL;DR
One suspicious IP address in, a full threat-actor picture out, through five chained lookups under a single API key:
- Step 1, IP Geolocation Lookup with security: threat score, Tor, proxy, and known-attacker flags, plus the owning ASN.
- Step 2, IP WHOIS: the registered block, the announced route to block on, and the abuse contact.
- Step 3, Domain WHOIS: the registrant email from the owner's domain, your cleanest pivot key.
- Step 4, Domain WHOIS Reverse Lookup: pivot on that email to map every related domain.
- Step 5, ASN Lookup (optional): enumerate the whole network when the case warrants it.
Most threat hunting tools make you log into a separate product for each step. This playbook chains all five, and the copy-paste Python script at the end runs them for you.

Before You Start: The Four Questions a Good Investigation Answers
Network threat hunting is not about collecting data for its own sake. It is about answering specific questions in an order that lets each answer feed the next. A complete investigation of a suspicious IP address answers four:
- Is this address known-bad right now? Reputation, anonymization, and attack history. This is your block-or-keep-watching decision.
- Who owns the network it sits in? The registered block, the organization, and a contact you can actually report abuse to.
- What else does that owner control? The pivot from a single address to the wider footprint behind it.
- How large is their infrastructure? The full set of prefixes, only when the case justifies going that deep.
Each question maps to one step. You will often stop after Step 1 or Step 2, because the verdict is already clear. The later steps are there for the cases that earn them: targeted attacks, repeat offenders, and anything you need to write up for an intel report.
One scoping note: this playbook is for public, routable IP addresses. Private and reserved ranges (RFC 1918 space like 10.0.0.0/8 or 192.168.0.0/16, loopback, and unallocated blocks) have no public geolocation, WHOIS allocation, or reputation to look up, so they return nothing useful at any step. The script handles them gracefully, flagging a NO DATA verdict instead of erroring out.
Step 1: Threat Intelligence and Geolocation in One Call
This is the step that decides whether you act immediately or keep digging, so it is the one to get right first. A single call to the IP Geolocation Lookup with include=security returns the location, the owning network, and the security verdict in one response. No separate reputation service, no separate ASN query.
curl -X GET \
'https://api.apifreaks.com/v1.0/geolocation/lookup?ip=178.175.131.194&include=security&apiKey=API-KEY'
The complete response:
{
"ip": "178.175.131.194",
"location": {
"continent_code": "EU",
"continent_name": "Europe",
"country_code2": "MD",
"country_code3": "MDA",
"country_name": "Moldova",
"country_name_official": "Republic of Moldova",
"country_capital": "Chisinau",
"state_prov": "Chișinău Municipality",
"state_code": "MD-CU",
"district": "",
"city": "Chișinău",
"locality": "Chișinău",
"accuracy_radius": "17.144",
"confidence": "high",
"zipcode": "MD-2012",
"latitude": "47.02316",
"longitude": "28.83736",
"is_eu": false,
"country_flag": "https://ipgeolocation.io/static/flags/md_64.png",
"geoname_id": "9962667",
"country_emoji": "🇲🇩"
},
"country_metadata": {
"calling_code": "+373",
"tld": ".md",
"languages": [
"ro",
"ru",
"gag",
"tr"
]
},
"network": {
"asn": {
"as_number": "AS43289",
"organization": "Trabia SRL",
"country": "MD",
"asn_name": "TRABIA",
"type": "ISP",
"domain": "trabia.com",
"date_allocated": "2007-07-09",
"allocation_status": "ASSIGNED",
"num_of_ipv4_routes": "16",
"num_of_ipv6_routes": "4",
"rir": "RIPE"
},
"connection_type": "",
"company": {
"name": "Trabia SRL",
"type": "ISP",
"domain": "trabia.com"
}
},
"currency": {
"code": "MDL",
"name": "Moldovan Leu",
"symbol": "L"
},
"security": {
"threat_score": 80,
"is_tor": true,
"is_proxy": false,
"proxy_type": "",
"proxy_provider": "",
"is_anonymous": true,
"is_known_attacker": true,
"is_spam": false,
"is_bot": false,
"is_cloud_provider": true,
"cloud_provider": "Trabia SRL"
}
}
Read the security block first, because that is the verdict.
The threat_score is 80 on a 0-to-100 scale. On its own a high score tells you to pay attention, not what to do. The flag that settles it is is_known_attacker: true. That is not a heuristic about anonymization or hosting type. It means this address has been observed in real attack activity. Combined with a score of 80, that pairing is enough to block at the perimeter now and investigate afterward, rather than the other way around.
The rest of the block adds context. is_tor: true and is_anonymous: true tell you the traffic is coming through a Tor exit node, so the human behind it is hidden and source-IP attribution will not lead anywhere useful. Treat Tor as context, not a verdict, since plenty of legitimate traffic uses it and you would not block on is_tor alone. Here, though, it sits next to a known-attacker flag, which is a very different story: this is an exit node that has also been seen attacking. is_cloud_provider: true with cloud_provider: "Trabia SRL" tells you the address is hosted infrastructure, not a residential connection, which matters a great deal for how you block in the later steps.
The network.asn block hands you the three values you will reuse immediately: the ASN AS43289, the owning organization Trabia SRL, and its registered domain trabia.com. Hold onto all three. Network ownership and the abuse contact belong to the WHOIS step in this playbook, so they are not part of this call; the next lookup returns them in far more detail.
Decision point. Score plus is_known_attacker justifies an immediate block. If you only saw is_tor with a low score and no attacker history, you would keep watching instead of blocking. (When you need to run this same reputation check across a whole list rather than one address, the IP Threat Intelligence API takes up to 50,000 IPs in a single request and returns the same per-IP fields.)
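The decision rule above, plus the scoping note about private and reserved ranges, as an added example in Python (not code from the article or from APIFreaks). It reads the Step 1 response as a dictionary and returns BLOCK, WATCH or NO DATA with the reasons; the sample dictionary is the security and network.asn blocks from the response above, trimmed to the fields the rule uses, and the BLOCK_SCORE threshold of 70 is an assumed value you would tune to your own false-positive tolerance.

```python
import ipaddress

# Constructed sample: the fields of the Step 1 IP Geolocation Lookup response
# (include=security) for 178.175.131.194 that the verdict logic reads.
SAMPLE_LOOKUP = {
    "ip": "178.175.131.194",
    "network": {"asn": {"as_number": "AS43289", "organization": "Trabia SRL",
                        "domain": "trabia.com"}},
    "security": {
        "threat_score": 80,
        "is_tor": True,
        "is_proxy": False,
        "proxy_type": "",
        "is_anonymous": True,
        "is_known_attacker": True,
        "is_spam": False,
        "is_bot": False,
        "is_cloud_provider": True,
        "cloud_provider": "Trabia SRL",
    },
}

BLOCK_SCORE = 70  # assumed threshold: block only when a known attacker also scores this high


def is_investigable(ip: str) -> bool:
    """Only public, routable addresses have geolocation, WHOIS or reputation data.
    RFC 1918 space, loopback, link-local and reserved blocks return nothing useful."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False  # malformed input is treated like a reserved address


def verdict(lookup: dict) -> tuple[str, list[str]]:
    """Return (verdict, reasons) for one Step 1 response."""
    ip = lookup.get("ip", "")
    if not is_investigable(ip):
        return "NO DATA", [f"{ip!r} is private, reserved or malformed; nothing to look up"]
    sec = lookup.get("security") or {}
    if not sec:
        return "NO DATA", ["response carries no security block"]

    score = int(sec.get("threat_score", 0))
    reasons = []
    if sec.get("is_known_attacker"):
        reasons.append(f"observed in real attack activity, threat_score {score}")
    if sec.get("is_tor"):
        reasons.append("Tor exit node: the operator behind it is hidden")
    if sec.get("is_proxy"):
        reasons.append(f"proxy ({sec.get('proxy_type') or 'unknown type'})")
    if sec.get("is_cloud_provider"):
        reasons.append(f"hosted infrastructure at {sec.get('cloud_provider') or 'unknown provider'}")

    # Known attacker plus a high score: block now, investigate afterward.
    if sec.get("is_known_attacker") and score >= BLOCK_SCORE:
        return "BLOCK", reasons
    # Tor or proxy alone, without attack history, is context rather than a verdict.
    return "WATCH", reasons or ["no reputation flags raised"]


def asn_pivot_values(lookup: dict) -> dict:
    """The three network.asn values the later steps reuse."""
    asn = (lookup.get("network") or {}).get("asn") or {}
    return {"asn": asn.get("as_number"), "org": asn.get("organization"),
            "domain": asn.get("domain")}


if __name__ == "__main__":
    result, why = verdict(SAMPLE_LOOKUP)
    print(result, "|", "; ".join(why))
    print(asn_pivot_values(SAMPLE_LOOKUP))
```

Feeding the same function a Tor exit with a low score and no attacker history yields WATCH, and a 10.0.0.0/8 address yields NO DATA before any flag is read, which is the behaviour the scoping note asks for.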
Step 2: Identify the Network Owner with IP WHOIS
You have a verdict. Now answer the ownership question properly so you know what you are actually blocking. The IP WHOIS Lookup returns the full registered block, the organization record, the maintainers, and the specific route that carries your address.
curl -X GET \
'https://api.apifreaks.com/v1.0/ip/whois/live?ip=178.175.131.194&apiKey=API-KEY'
The complete response:
{
"status": true,
"ip_address": "178.175.131.194",
"query_time": "2026-06-12 11:29:28",
"whois_server": "whois.ripe.net",
"inet_nums": [
{
"start_ip": "178.175.128.0",
"end_ip": "178.175.175.255",
"cidr": [
"178.175.128.0/19",
"178.175.160.0/20"
],
"net_name": "MD-TRABIA-20100504",
"description": [
"Trabia"
],
"countries": [
"MD"
],
"latitude": 47.0232,
"longitude": 28.837413,
"status": "ALLOCATED PA",
"organization": "ORG-ITS10-RIPE",
"mnt_by": [
"RIPE-NCC-HM-MNT",
"TRABIA-MNT"
],
"mnt_irt": [
"IRT-TRABIA"
],
"date_created": "2022-12-02",
"date_updated": "2022-12-02",
"source": "RIPE"
}
],
"organization": {
"handle": "ORG-ITS10-RIPE",
"name": "Trabia SRL",
"type": "LIR",
"address": [
"str. V. Pircalab 52",
"2012",
"Chisinau",
"MOLDOVA, REPUBLIC OF"
],
"street": "Str. V. Pircalab",
"city": "Chisinau",
"zip_code": "2012",
"country": [
"MD"
],
"phone": [
"+373 22 994-994"
],
"admin_contacts": [
"TRAB"
],
"tech_contacts": [
"TRAB"
],
"abuse_contacts": [
"TRAB"
],
"remarks": [
"Contact us by:",
"https://www.trabia.com"
],
"mnt_ref": [
"RIPE-NCC-HM-MNT",
"TRABIA-MNT"
],
"mnt_by": [
"RIPE-NCC-HM-MNT",
"TRABIA-MNT"
],
"date_created": "2010-03-19",
"date_updated": "2026-05-13",
"source": "RIPE"
},
"administrative_contacts": [
{
"handle": "TRAB",
"name": "Trabia SRL",
"address": [
"str. V. Pircalab 52",
"2012 Chisinau",
"Moldova"
],
"street": "Str. V. Pircalab",
"city": "Chisinau",
"zip_code": "2012",
"country": "MOLDOVA",
"abuse_mailbox": [
"abuse@trabia.com"
],
"organizations": [
"ORG-ITS10-RIPE"
],
"admin_contacts": [
"TRAB1"
],
"tech_contacts": [
"TRAB1"
],
"remarks": [
"Contact us and abuse report:",
"https://www.trabia.com"
],
"mnt_by": [
"TRABIA-MNT"
],
"date_created": "2022-06-24",
"date_updated": "2022-09-23",
"source": "RIPE"
}
],
"technical_contacts": [
{
"handle": "TRAB",
"name": "Trabia SRL",
"address": [
"str. V. Pircalab 52",
"2012 Chisinau",
"Moldova"
],
"street": "Str. V. Pircalab",
"city": "Chisinau",
"zip_code": "2012",
"country": "MOLDOVA",
"abuse_mailbox": [
"abuse@trabia.com"
],
"organizations": [
"ORG-ITS10-RIPE"
],
"admin_contacts": [
"TRAB1"
],
"tech_contacts": [
"TRAB1"
],
"remarks": [
"Contact us and abuse report:",
"https://www.trabia.com"
],
"mnt_by": [
"TRABIA-MNT"
],
"date_created": "2022-06-24",
"date_updated": "2022-09-23",
"source": "RIPE"
}
],
"routes": [
{
"route": "178.175.131.0/24",
"origin": "AS43289",
"mnt_by": [
"TRABIA-MNT"
],
"date_created": "2020-10-29",
"date_updated": "2020-10-29",
"source": "RIPE"
}
],
"whois_raw_response": "% This is the RIPE Database query service.\n% The objects are in RPSL format.\n%\n% The RIPE Database is subject to Terms and Conditions.\n% See https://docs.db.ripe.net/terms-conditions.html\n\n% Note: this output has been filtered.\n% To receive output for a database update, use the \"-B\" flag.\n\n% Information related to '178.175.128.0 - 178.175.175.255'\n\n% Abuse contact for '178.175.128.0 - 178.175.175.255' is 'abuse@trabia.com'\n\ninetnum: 178.175.128.0 - 178.175.175.255\nnetname: MD-TRABIA-20100504\ndescr: Trabia\ncountry: MD\ngeoloc: 47.0232 28.837413\norg: ORG-ITS10-RIPE\nadmin-c: TRAB\ntech-c: TRAB\nstatus: ALLOCATED PA\nmnt-by: RIPE-NCC-HM-MNT\nmnt-by: TRABIA-MNT\nmnt-irt: IRT-TRABIA\ncreated: 2022-12-02T15:15:34Z\nlast-modified: 2022-12-02T15:15:34Z\nsource: RIPE\n\norganisation: ORG-ITS10-RIPE\norg-type: LIR\ncountry: MD\nreg-nr: 1005600060224\nremarks:\nremarks: Contact us by:\nremarks: https://www.trabia.com\nremarks:\norg-name: Trabia SRL\naddress: str. V. Pircalab 52\naddress: 2012\naddress: Chisinau\naddress: MOLDOVA, REPUBLIC OF\nphone: +373 22 994-994\nadmin-c: TRAB\ntech-c: TRAB\nabuse-c: TRAB\nmnt-ref: RIPE-NCC-HM-MNT\nmnt-ref: TRABIA-MNT\nmnt-by: RIPE-NCC-HM-MNT\nmnt-by: TRABIA-MNT\ncreated: 2010-03-19T14:54:05Z\nlast-modified: 2026-05-13T07:33:06Z\nsource: RIPE # Filtered\n\nrole: Trabia SRL\naddress: str. V. Pircalab 52\naddress: 2012 Chisinau\naddress: Moldova\nremarks:\nremarks: Contact us and abuse report:\nremarks: https://www.trabia.com\nremarks:\nabuse-mailbox: abuse@trabia.com\norg: ORG-ITS10-RIPE\nnic-hdl: TRAB\nadmin-c: TRAB1\ntech-c: TRAB1\nmnt-by: TRABIA-MNT\ncreated: 2022-06-24T19:11:58Z\nlast-modified: 2022-09-23T13:35:56Z\nsource: RIPE # Filtered\n\n% Information related to '178.175.131.0/24AS43289'\n\nroute: 178.175.131.0/24\norigin: AS43289\nmnt-by: TRABIA-MNT\ncreated: 2020-10-29T09:17:06Z\nlast-modified: 2020-10-29T09:17:06Z\nsource: RIPE\n\n% This query was served by the RIPE Database Query Service version 1.122.1 (SHETLAND)\n\n"
}
The range you would block appears in two different places in this response, and they disagree on scale.
The inet_nums block shows the registered allocation: 178.175.128.0 to 178.175.175.255, expressed as 178.175.128.0/19 plus 178.175.160.0/20. That /19 alone is 8,192 addresses. The routes block, on the other hand, shows the actual BGP route that carries your suspicious address: 178.175.131.0/24, just 256 addresses, originated by AS43289.
That gap is the whole point of this step. Blocking the registered /19 punishes 8,000 addresses to stop one. Blocking the announced /24 is the tighter, defensible unit if you decide the abuse is spreading beyond the single host. For a lone bad address, block the /32 and move on. The CIDR ranges exist so you can choose deliberately instead of guessing.
The organization block tells you who you are dealing with. The type is LIR, a Local Internet Registry, which means Trabia is a hosting provider and ISP, not a single end user sitting behind a residential line. That reframes everything that follows: a bad address inside a hosting provider is almost always a tenant abusing the service, not the provider itself attacking you. The maintainers (RIPE-NCC-HM-MNT, TRABIA-MNT) and the dedicated incident response team (IRT-TRABIA) confirm an established, properly registered operator. And abuse_mailbox gives you abuse@trabia.com, a real desk you can send a report to with the offending address and timestamps.
Notice the response also surfaces the organization's own domain through the WHOIS remarks (https://www.trabia.com), and Step 1 already told you the ASN's registered domain is trabia.com. That domain is your bridge into the next step.
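The registered-versus-announced choice, as an added example in Python (not the article's script and not APIFreaks code). It walks the Step 2 response, keeps only the prefixes that actually contain the suspicious address, ranks them tightest first, and picks the /32 for a lone host or the announced route when abuse is spreading, never the whole allocation. The sample dictionary is the inet_nums, routes, organization and contact objects from the response above, trimmed to what the logic reads.

```python
import ipaddress

# Constructed sample: the Step 2 IP WHOIS response for 178.175.131.194,
# trimmed to the fields the scoping logic reads.
SAMPLE_IP_WHOIS = {
    "ip_address": "178.175.131.194",
    "inet_nums": [{
        "start_ip": "178.175.128.0",
        "end_ip": "178.175.175.255",
        "cidr": ["178.175.128.0/19", "178.175.160.0/20"],
        "net_name": "MD-TRABIA-20100504",
        "status": "ALLOCATED PA",
    }],
    "organization": {"handle": "ORG-ITS10-RIPE", "name": "Trabia SRL", "type": "LIR"},
    "administrative_contacts": [{"handle": "TRAB", "abuse_mailbox": ["abuse@trabia.com"]}],
    "technical_contacts": [{"handle": "TRAB", "abuse_mailbox": ["abuse@trabia.com"]}],
    "routes": [{"route": "178.175.131.0/24", "origin": "AS43289"}],
}


def block_candidates(whois: dict) -> list[dict]:
    """Units you could block, tightest first: the host, the announced route(s)
    carrying it, then the registered allocation(s). Prefixes that do not contain
    the address (here the sibling 178.175.160.0/20) are dropped."""
    addr = ipaddress.ip_address(whois["ip_address"])
    out = [{"scope": "host", "cidr": f"{addr}/{addr.max_prefixlen}", "addresses": 1}]
    for r in whois.get("routes", []):
        net = ipaddress.ip_network(r["route"], strict=False)
        if addr in net:
            out.append({"scope": "announced route", "cidr": str(net),
                        "addresses": net.num_addresses, "origin": r.get("origin")})
    for block in whois.get("inet_nums", []):
        for cidr in block.get("cidr", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if addr in net:
                out.append({"scope": "registered allocation", "cidr": str(net),
                            "addresses": net.num_addresses,
                            "net_name": block.get("net_name")})
    return out


def recommended_scope(whois: dict, spreading: bool = False) -> str:
    """A lone bad host gets the /32. If abuse spreads across neighbouring hosts,
    widen to the announced route; the registered allocation is never the answer."""
    cands = block_candidates(whois)
    if spreading:
        routes = [c for c in cands if c["scope"] == "announced route"]
        if routes:
            return routes[0]["cidr"]
    return cands[0]["cidr"]


def abuse_contacts(whois: dict) -> list[str]:
    """Every abuse mailbox in the contact objects, deduplicated in order seen."""
    found: list[str] = []
    for key in ("administrative_contacts", "technical_contacts"):
        for contact in whois.get(key, []):
            for mbox in contact.get("abuse_mailbox", []):
                if mbox not in found:
                    found.append(mbox)
    return found


def is_provider(whois: dict) -> bool:
    """An LIR-type organisation is a provider; a bad host inside one is usually a tenant."""
    return (whois.get("organization") or {}).get("type", "").upper() == "LIR"


if __name__ == "__main__":
    for c in block_candidates(SAMPLE_IP_WHOIS):
        print(f"{c['scope']:22} {c['cidr']:20} {c['addresses']:>6} addresses")
    print("lone host  ->", recommended_scope(SAMPLE_IP_WHOIS))
    print("spreading  ->", recommended_scope(SAMPLE_IP_WHOIS, spreading=True))
    print("report to  ->", abuse_contacts(SAMPLE_IP_WHOIS), "| provider:", is_provider(SAMPLE_IP_WHOIS))
```

Printing the candidate table makes the 1 / 256 / 8,192 gap visible in the ticket, which is usually enough to stop a reviewer from reaching for the /19.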
Step 3: Extract the Registrant Email with Domain WHOIS
This is the step that turns a decent investigation into a good one. IP WHOIS gave you an abuse desk address, but an abuse mailbox is shared, generic, and rarely reused as a domain registrant. To pivot cleanly you want the registrant email, the address the owner actually uses to register the things they own. You get it by running the owner's domain, trabia.com, through the Domain WHOIS Lookup.
curl -X GET \
'https://api.apifreaks.com/v1.0/domain/whois/live?domainName=trabia.com&apiKey=API-KEY'
The complete response:
{
"status": true,
"domain_name": "trabia.com",
"query_time": "2026-06-12 11:29:22",
"whois_server": "https://rdap.verisign.com/com/v1/",
"domain_registered": "yes",
"create_date": "2003-06-10",
"update_date": "2026-02-09",
"expiry_date": "2035-12-20",
"domain_registrar": {
"iana_id": "151",
"registrar_name": "InterNetX GmbH",
"whois_server": "whois.registrar.internetx.com",
"website_url": "https://www.internetx.com/",
"email_address": "domain-abuse@internetx.com",
"phone_number": "+4994159559482"
},
"registrant_contact": {
"name": "Hostmaster Department",
"company": "Trabia SRL",
"street": "str. V. Pircalab 52",
"city": "Chisinau",
"state": "MD",
"zip_code": "2012",
"country_name": "Moldova",
"country_code": "MD",
"email_address": "hostmaster@trabia.com",
"phone": "+37322994994"
},
"administrative_contact": {
"name": "Hostmaster Department",
"company": "Trabia SRL",
"street": "str. V. Pircalab 52",
"city": "Chisinau",
"state": "MD",
"zip_code": "2012",
"country_name": "Moldova",
"country_code": "MD",
"email_address": "hostmaster@trabia.com",
"phone": "+37322994994"
},
"technical_contact": {
"name": "Hostmaster Department",
"company": "Trabia SRL",
"street": "str. V. Pircalab 52",
"city": "Chisinau",
"state": "MD",
"zip_code": "2012",
"country_name": "Moldova",
"country_code": "MD",
"email_address": "hostmaster@trabia.com",
"phone": "+37322994994"
},
"name_servers": [
"ns.auth-nameserver.org",
"ns.auth-nameserver.net",
"ns.auth-nameserver.com"
],
"domain_status": [
"clienttransferprohibited"
],
"registry_data": {
"domain_name": "trabia.com",
"query_time": "2026-06-12 11:29:21",
"whois_server": "https://rdap.verisign.com/com/v1/",
"domain_registered": "yes",
"create_date": "2002-12-20",
"update_date": "2025-12-23",
"expiry_date": "2035-12-20",
"domain_registrar": {
"iana_id": "151",
"registrar_name": "InterNetX GmbH",
"whois_server": "whois.registrar.internetx.com",
"email_address": "domain-abuse@internetx.com"
},
"name_servers": [
"ns.auth-nameserver.org",
"ns.auth-nameserver.net",
"ns.auth-nameserver.com"
],
"domain_status": [
"clienttransferprohibited"
]
}
}
The field you came for is in registrant_contact: hostmaster@trabia.com. That is a far better pivot key than the shared abuse mailbox, because owners tend to register everything under the same registrant address. Admin and technical contacts carry the same email, which is a good sign it is the canonical one.
Two other details are worth reading while you are here. The domain was created in 2002 and is paid out to 2035, with a clienttransferprohibited lock and a mainstream registrar. That profile says established business, not throwaway. It reinforces the Step 2 conclusion that you are looking at a real provider rather than a domain spun up last week for a campaign. And the name_servers (ns.auth-nameserver.org, .net, .com) are themselves owned artifacts you could pivot on later if the email pivot under-delivers.
So you now hold three distinct pivot keys, ranked by how clean a signal each gives you: the registrant email hostmaster@trabia.com (strongest), the organization name Trabia SRL (good), and the bare keyword trabia (noisy, and you will see why in a moment).
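Pulling the pivot keys out of a Domain WHOIS response, as an added example in Python (not the article's script and not APIFreaks code). It accepts the registrant email only when it is a real mailbox rather than a privacy placeholder, records whether admin and technical contacts agree with it, and scores the domain's age, remaining registration and transfer lock the way the paragraph above reads them. The sample dictionary is the trabia.com response trimmed to those fields; the PRIVACY_MARKERS list and the two-year and one-year thresholds in domain_profile are assumptions, not API behaviour.

```python
from datetime import date

# Assumed heuristic: substrings that mark a redacted or registrar-placeholder
# "email" value rather than a mailbox an owner actually registers with.
PRIVACY_MARKERS = ("redacted", "privacy", "please query", "rdds", "http://", "https://")

# Constructed sample: the Step 3 Domain WHOIS response for trabia.com, trimmed.
SAMPLE_DOMAIN_WHOIS = {
    "domain_name": "trabia.com",
    "query_time": "2026-06-12 11:29:22",
    "create_date": "2003-06-10",
    "expiry_date": "2035-12-20",
    "domain_status": ["clienttransferprohibited"],
    "registrant_contact": {"company": "Trabia SRL", "email_address": "hostmaster@trabia.com"},
    "administrative_contact": {"company": "Trabia SRL", "email_address": "hostmaster@trabia.com"},
    "technical_contact": {"company": "Trabia SRL", "email_address": "hostmaster@trabia.com"},
    "name_servers": ["ns.auth-nameserver.org", "ns.auth-nameserver.net", "ns.auth-nameserver.com"],
}


def usable_email(value) -> bool:
    """True only for a real mailbox; redaction notices and RDDS URLs are not pivot keys."""
    if not value or "@" not in value:
        return False
    low = value.lower()
    return not any(marker in low for marker in PRIVACY_MARKERS)


def pivot_keys(whois: dict) -> dict:
    """Ranked pivot material: registrant email (strongest), company, name servers."""
    reg = whois.get("registrant_contact") or {}
    email = reg.get("email_address")
    keys = {
        "email": email if usable_email(email) else None,
        "company": reg.get("company"),
        "name_servers": list(whois.get("name_servers", [])),
    }
    # Admin and tech carrying the same address is the sign it is the canonical one.
    others = [(whois.get(k) or {}).get("email_address")
              for k in ("administrative_contact", "technical_contact")]
    keys["email_canonical"] = keys["email"] is not None and all(o == email for o in others)
    return keys


def domain_profile(whois: dict) -> dict:
    """Established business or throwaway: age, paid-up runway and transfer lock,
    all measured against the query_time in the response."""
    queried = date.fromisoformat(whois["query_time"][:10])
    created = date.fromisoformat(whois["create_date"])
    expires = date.fromisoformat(whois["expiry_date"])
    age_years = (queried - created).days / 365.25
    runway_years = (expires - queried).days / 365.25
    locked = any("transferprohibited" in s.lower() for s in whois.get("domain_status", []))
    # Assumed thresholds: at least two years old and at least a year of runway left.
    profile = "established" if age_years >= 2 and runway_years >= 1 else "recent or short-lived"
    return {"age_years": round(age_years, 1), "runway_years": round(runway_years, 1),
            "locked": locked, "profile": profile}


if __name__ == "__main__":
    print(pivot_keys(SAMPLE_DOMAIN_WHOIS))
    print(domain_profile(SAMPLE_DOMAIN_WHOIS))
```

The same usable_email check is what stops the "REDACTED FOR PRIVACY" and "please query the rdds service" values that appear in reverse-lookup results from being promoted to pivot keys in the next step.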
Step 4: Pivot to Related Infrastructure with Domain WHOIS Reverse Lookup
This is the move that earns the network threat hunting label. Up to now you have reacted to one address. Now you turn that single address into a map of everything the same owner has registered, which is what lets you get ahead of the next alert instead of waiting for it. The Domain WHOIS Reverse Lookup takes any of your three pivot keys and returns every domain tied to it. The three subsections below work through each key in order of how clean a signal it gives you.
Pivot 1: Registrant Email (the strongest key)
Start with the registrant email from Step 3, in mode=mini for compact results:
curl -X GET \
'https://api.apifreaks.com/v1.0/domain/whois/reverse?email=hostmaster@trabia.com&mode=mini&apiKey=API-KEY'
The complete response:
{
"total_Result": 18,
"total_Pages": 1,
"current_Page": 1,
"whois_domains_historical": [
{
"num": 1,
"domain_name": "trabia.net",
"create_date": "2008-03-10",
"update_date": "2025-10-27",
"expiry_date": "2026-09-06",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 2,
"domain_name": "trabia.com",
"create_date": "2003-06-10",
"update_date": "2026-02-09",
"expiry_date": "2035-12-20",
"name": "Hostmaster Department",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 3,
"domain_name": "trabia.us",
"create_date": "2019-01-26",
"update_date": "2025-03-12",
"expiry_date": "2026-01-26",
"name": "Hostmaster Department",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 4,
"domain_name": "trabia.org",
"create_date": "2012-02-10",
"update_date": "2026-03-27",
"expiry_date": "2027-02-10",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 5,
"domain_name": "as43289.org",
"create_date": "2016-01-21",
"update_date": "2026-03-07",
"expiry_date": "2027-01-21",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 6,
"domain_name": "kivix.net",
"create_date": "2014-10-19",
"update_date": "2025-12-08",
"expiry_date": "2026-10-19",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 7,
"domain_name": "as43289.net",
"create_date": "2009-05-26",
"update_date": "2025-07-15",
"expiry_date": "2026-05-26",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 8,
"domain_name": "sdlk.eu",
"create_date": "2011-04-30",
"email": "hostmaster@trabia.com",
"company_name": "Trabia BV"
},
{
"num": 9,
"domain_name": "trabia.eu",
"create_date": "2012-02-21",
"email": "hostmaster@trabia.com",
"company_name": "Trabia BV"
},
{
"num": 10,
"domain_name": "filatov.eu",
"create_date": "2014-01-23",
"email": "hostmaster@trabia.com",
"company_name": "Trabia BV"
},
{
"num": 11,
"domain_name": "lookin.glass",
"create_date": "2014-04-03",
"update_date": "2026-05-18",
"expiry_date": "2027-04-03",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 12,
"domain_name": "trabia.dev",
"create_date": "2019-03-03",
"update_date": "2026-04-17",
"expiry_date": "2027-03-03",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 13,
"domain_name": "domain-robot.info",
"create_date": "2008-03-04",
"update_date": "2026-04-18",
"expiry_date": "2027-03-04",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 14,
"domain_name": "trabia.info",
"create_date": "2013-04-03",
"update_date": "2026-05-18",
"expiry_date": "2027-04-03",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 15,
"domain_name": "hosteasy.eu",
"create_date": "2011-04-30",
"email": "hostmaster@trabia.com",
"company_name": "Trabia BV"
},
{
"num": 16,
"domain_name": "trabia.cm",
"create_date": "2016-01-21",
"update_date": "2026-01-22",
"expiry_date": "2027-01-21",
"name": "Hostmaster Department",
"email": "hostmaster@trabia.com"
},
{
"num": 17,
"domain_name": "trabia.cloud",
"create_date": "2016-06-09",
"update_date": "2025-07-24",
"expiry_date": "2026-06-09",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 18,
"domain_name": "as43289.com",
"create_date": "2016-01-21",
"update_date": "2026-03-12",
"expiry_date": "2027-01-21",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
}
]
}
Eighteen domains, and almost all of them are clearly the same operator's infrastructure. as43289.com, as43289.net, and as43289.org literally name the ASN you found in Step 1. lookin.glass is a looking glass, a network diagnostics tool that only network operators run. kivix.net points to an internet exchange. trabia.cloud, trabia.dev, and the country-code variants round out a hosting provider's normal domain spread.
The email pivot also caught something the others would have missed. Look at sdlk.eu, trabia.eu, filatov.eu, and hosteasy.eu: their company_name is Trabia BV, not Trabia SRL. That is a second legal entity, a Dutch one, registering domains under the same hostmaster mailbox. A pivot on the company name "Trabia SRL" alone would never have surfaced Trabia BV or hosteasy.eu. This is exactly why the registrant email is the pivot key you reach for first.
Pivot 2: Organization Name (good corroboration)
For completeness, the organization-name pivot returns a slightly different, slightly larger set:
curl -X GET \
'https://api.apifreaks.com/v1.0/domain/whois/reverse?company=Trabia%20SRL&mode=mini&apiKey=API-KEY'
{
"total_Result": 23,
"total_Pages": 1,
"current_Page": 1,
"whois_domains_historical": [
{
"num": 1,
"domain_name": "trabia.net",
"create_date": "2008-03-10",
"update_date": "2025-10-27",
"expiry_date": "2026-09-06",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 2,
"domain_name": "trabia.com",
"create_date": "2003-06-10",
"update_date": "2026-02-09",
"expiry_date": "2035-12-20",
"name": "Hostmaster Department",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 3,
"domain_name": "trabia.us",
"create_date": "2019-01-26",
"update_date": "2025-03-12",
"expiry_date": "2026-01-26",
"name": "Hostmaster Department",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 4,
"domain_name": "trabia.org",
"create_date": "2012-02-10",
"update_date": "2026-03-27",
"expiry_date": "2027-02-10",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 5,
"domain_name": "trabia.link",
"create_date": "2016-02-08",
"update_date": "2024-02-08",
"expiry_date": "2025-02-08",
"name": "REDACTED FOR PRIVACY",
"email": "please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name.",
"company_name": "Trabia SRL"
},
{
"num": 6,
"domain_name": "trcdn.net",
"create_date": "2017-09-11",
"update_date": "2023-11-16",
"expiry_date": "2024-09-11",
"name": "REDACTED FOR PRIVACY",
"email": "https://whoispro.domain-robot.org/whois/trcdn.net",
"company_name": "Trabia SRL"
},
{
"num": 7,
"domain_name": "as43289.org",
"create_date": "2016-01-21",
"update_date": "2026-03-07",
"expiry_date": "2027-01-21",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 8,
"domain_name": "kivix.net",
"create_date": "2014-10-19",
"update_date": "2025-12-08",
"expiry_date": "2026-10-19",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 9,
"domain_name": "as43289.net",
"create_date": "2009-05-26",
"update_date": "2025-07-15",
"expiry_date": "2026-05-26",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 10,
"domain_name": "kiv-ix.net",
"create_date": "2014-10-19",
"update_date": "2023-11-16",
"expiry_date": "2024-10-19",
"name": "REDACTED FOR PRIVACY",
"email": "https://whoispro.domain-robot.org/whois/kiv-ix.net",
"company_name": "Trabia SRL"
},
{
"num": 11,
"domain_name": "trabia.network",
"create_date": "2014-12-10",
"update_date": "2023-12-16",
"expiry_date": "2023-12-10",
"name": "REDACTED FOR PRIVACY",
"email": "please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name.",
"company_name": "Trabia SRL"
},
{
"num": 12,
"domain_name": "trabia.biz",
"create_date": "2013-04-03",
"update_date": "2026-05-18",
"expiry_date": "2027-04-02",
"name": "REDACTED FOR PRIVACY",
"email": "please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name",
"company_name": "Trabia SRL"
},
{
"num": 13,
"domain_name": "filatov.eu",
"create_date": "2014-01-23",
"company_name": "Trabia SRL"
},
{
"num": 14,
"domain_name": "lookin.glass",
"create_date": "2014-04-03",
"update_date": "2026-05-18",
"expiry_date": "2027-04-03",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 15,
"domain_name": "trabia.dev",
"create_date": "2019-03-03",
"update_date": "2026-04-17",
"expiry_date": "2027-03-03",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 16,
"domain_name": "domain-robot.info",
"create_date": "2008-03-04",
"update_date": "2026-04-18",
"expiry_date": "2027-03-04",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 17,
"domain_name": "trabia.info",
"create_date": "2013-04-03",
"update_date": "2026-05-18",
"expiry_date": "2027-04-03",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 18,
"domain_name": "trabia.co",
"create_date": "2013-04-27",
"update_date": "2025-05-03",
"expiry_date": "2026-04-26",
"name": "REDACTED FOR PRIVACY",
"email": "please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name",
"company_name": "Trabia SRL"
},
{
"num": 19,
"domain_name": "trabia.cm",
"create_date": "2016-01-21",
"update_date": "2025-01-22",
"expiry_date": "2026-01-21",
"name": "Hostmaster Department",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 20,
"domain_name": "trabia.cloud",
"create_date": "2016-06-09",
"update_date": "2025-07-24",
"expiry_date": "2026-06-09",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 21,
"domain_name": "cdn.tl",
"create_date": "2018-03-15",
"update_date": "2024-03-02",
"expiry_date": "2025-03-15",
"name": "REDACTED FOR PRIVACY",
"email": "redacted for privacy",
"company_name": "Trabia SRL"
},
{
"num": 22,
"domain_name": "as43289.com",
"create_date": "2016-01-21",
"update_date": "2026-03-12",
"expiry_date": "2027-01-21",
"email": "hostmaster@trabia.com",
"company_name": "Trabia SRL"
},
{
"num": 23,
"domain_name": "trabia.love",
"create_date": "2019-01-26",
"update_date": "2024-02-26",
"expiry_date": "2024-01-26",
"name": "REDACTED FOR PRIVACY",
"email": "please query the rdds service of the registrar of record identified in this output for information on how to contact the registrant, admin, or tech contact of the queried domain name.",
"company_name": "Trabia SRL"
}
]
}
The company pivot picks up extras the email pivot did not, like trcdn.net (a CDN), kiv-ix.net (the internet exchange's other domain), and cdn.tl. In practice you run both and merge the results, because each catches a few the other misses. Together they give you a confident, deduplicated list of the owner's domains.
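Running both pivots and merging them, as an added example in Python (not the article's script and not APIFreaks code). It folds the email-pivot and company-pivot result sets into one record per domain, notes which pivot found each, keeps the registrant email only when the row carries a real mailbox, flags a second legal entity when company_name differs, and marks registrations that had already lapsed at query time. The two sample lists are a handful of rows taken from the Pivot 1 and Pivot 2 responses above; the as_of date is the query_time from Step 3.

```python
from datetime import date

# Constructed samples: a few mode=mini rows from each reverse-lookup response above.
EMAIL_PIVOT = [
    {"domain_name": "trabia.com", "create_date": "2003-06-10", "expiry_date": "2035-12-20",
     "email": "hostmaster@trabia.com", "company_name": "Trabia SRL"},
    {"domain_name": "as43289.com", "create_date": "2016-01-21", "expiry_date": "2027-01-21",
     "email": "hostmaster@trabia.com", "company_name": "Trabia SRL"},
    {"domain_name": "hosteasy.eu", "create_date": "2011-04-30",
     "email": "hostmaster@trabia.com", "company_name": "Trabia BV"},
    {"domain_name": "trabia.eu", "create_date": "2012-02-21",
     "email": "hostmaster@trabia.com", "company_name": "Trabia BV"},
]
COMPANY_PIVOT = [
    {"domain_name": "trabia.com", "create_date": "2003-06-10", "expiry_date": "2035-12-20",
     "email": "hostmaster@trabia.com", "company_name": "Trabia SRL"},
    {"domain_name": "trcdn.net", "create_date": "2017-09-11", "expiry_date": "2024-09-11",
     "name": "REDACTED FOR PRIVACY",
     "email": "https://whoispro.domain-robot.org/whois/trcdn.net", "company_name": "Trabia SRL"},
    {"domain_name": "cdn.tl", "create_date": "2018-03-15", "expiry_date": "2025-03-15",
     "name": "REDACTED FOR PRIVACY", "email": "redacted for privacy", "company_name": "Trabia SRL"},
    {"domain_name": "trabia.cloud", "create_date": "2016-06-09", "expiry_date": "2026-06-09",
     "email": "hostmaster@trabia.com", "company_name": "Trabia SRL"},
]


def merge_pivots(as_of: str, **pivots) -> dict:
    """Merge reverse-lookup result sets (keyword = pivot name) into one record per domain."""
    asof = date.fromisoformat(as_of)
    merged: dict = {}
    for pivot_name, rows in pivots.items():
        for row in rows:
            dom = row["domain_name"].lower()
            rec = merged.setdefault(dom, {"domain": dom, "found_by": [], "company": None,
                                          "email": None, "expired": None})
            rec["found_by"].append(pivot_name)
            rec["company"] = rec["company"] or row.get("company_name")
            # Only a real mailbox counts; redaction notices and URLs are left as None.
            if row.get("email") and "@" in row["email"]:
                rec["email"] = row["email"]
            if row.get("expiry_date"):
                rec["expired"] = date.fromisoformat(row["expiry_date"]) < asof
    return merged


def summarize(merged: dict) -> dict:
    """What the write-up needs: unique domains, per-pivot exclusives, legal entities, lapsed names."""
    pivots = sorted({p for r in merged.values() for p in r["found_by"]})
    return {
        "domains": len(merged),
        "only_in": {p: sorted(d for d, r in merged.items() if r["found_by"] == [p])
                    for p in pivots},
        "entities": sorted({r["company"] for r in merged.values() if r["company"]}),
        "lapsed": sorted(d for d, r in merged.items() if r["expired"]),
    }


if __name__ == "__main__":
    merged = merge_pivots("2026-06-12", email=EMAIL_PIVOT, company=COMPANY_PIVOT)
    for rec in merged.values():
        print(f"{rec['domain']:14} {','.join(rec['found_by']):14} {rec['company'] or '-':11} "
              f"expired={rec['expired']}")
    print(summarize(merged))
```

Expiry is judged against the query date, so a domain whose listed expiry_date has just passed (trabia.cloud in the sample) lands in the lapsed list; treat that as a prompt to re-check the registration rather than as proof it has been dropped.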
Pivot 3: Bare Keyword (the trap to avoid)
Now the cautionary tale. The bare keyword pivot is tempting and almost always wrong:
curl -X GET \
'https://api.apifreaks.com/v1.0/domain/whois/reverse?keyword=trabia&mode=mini&apiKey=API-KEY'
This returns 457 results across five pages. Here is the first page, which is all the proof you need that this pivot is the wrong one:
{
"total_Result": 457,
"total_Pages": 5,
"current_Page": 1,
"whois_domains_historical": [
{
"num": 1,
"domain_name": "petrabiancacaladivolpe.com",
"create_date": "2008-10-01",
"update_date": "2026-05-28",
"expiry_date": "2026-10-01",
"name": "REDACTED FOR PRIVACY",
"email": "https://tieredaccess.com/contact/f264da2d-7196-4bd9-b89f-ada5e9047d2d",
"company_name": "REDACTED FOR PRIVACY"
},
{
"num": 2,
"domain_name": "utrabia.com",
"create_date": "2019-02-05",
"update_date": "2022-03-19",
"expiry_date": "2022-02-05"
},
{
"num": 3,
"domain_name": "intrabia.com",
"create_date": "2009-09-01",
"expiry_date": "2014-09-01",
"company_name": "Int'l Group, Inc./CAI 334"
},
{
"num": 4,
"domain_name": "gegtrabia.com",
"create_date": "2012-04-26",
"expiry_date": "2015-04-26",
"name": "VistaPrint Technologies Ltd",
"email": "csadmin@vistaprint.com",
"company_name": "VistaPrint Technologies Ltd"
},
{
"num": 5,
"domain_name": "trabia.pro",
"create_date": "2013-04-26",
"expiry_date": "2014-04-26",
"name": "Domain Department",
"email": "info@trabia.net",
"company_name": "Trabia-Network Ltd."
},
{
"num": 6,
"domain_name": "trabiamedia.com",
"create_date": "2014-04-06",
"expiry_date": "2015-04-06",
"name": "DOMAIN PRIVACY SERVICE FBO REGISTRANT",
"email": "whois@bluehost.com"
},
{
"num": 7,
"domain_name": "trabia.asia",
"create_date": "2013-04-07",
"update_date": "2022-06-27",
"expiry_date": "2023-04-07",
"company_name": "trabia-network ltd."
},
{
"num": 8,
"domain_name": "fiorilandia-trabia.com",
"create_date": "2019-04-19",
"update_date": "2023-05-30",
"expiry_date": "2023-04-19"
},
{
"num": 9,
"domain_name": "trabiantrinkets.com",
"create_date": "2019-04-19",
"expiry_date": "2020-04-19"
},
{
"num": 10,
"domain_name": "pietrabiancamarzamemi.com",
"create_date": "2019-04-23",
"update_date": "2023-06-03",
"expiry_date": "2023-04-23"
},
{
"num": 11,
"domain_name": "ankaraecortrabia.com",
"create_date": "2013-08-28",
"expiry_date": "2014-08-28",
"name": "Isim Tescil.NET",
"email": "domain@isimtescil.net",
"company_name": "default contact"
},
{
"num": 12,
"domain_name": "trabiausstellung.com",
"create_date": "2013-08-08",
"update_date": "2024-09-21",
"expiry_date": "2024-08-08"
},
{
"num": 13,
"domain_name": "trabiand.com",
"create_date": "2018-12-06",
"expiry_date": "2019-12-06",
"email": "domaincontact@reg.xlink.net"
},
{
"num": 14,
"domain_name": "extrabianco.com",
"create_date": "2018-12-11",
"update_date": "2021-12-15",
"expiry_date": "2021-12-11",
"name": "redacted for privacy",
"email": "https://tieredaccess.com/contact/cff4a557-06f0-4530-b935-b3c2a06c910a",
"company_name": "redacted for privacy"
},
{
"num": 15,
"domain_name": "mehmetrabiahamade.com",
"create_date": "2013-12-06",
"expiry_date": "2014-12-06",
"name": "Mehmet HAMADE",
"email": "mehmethamade@hotmail.com",
"company_name": "Mehmet HAMADE CID1064548 stdfrr k658b3"
},
{
"num": 16,
"domain_name": "intrabianwe.com",
"create_date": "2017-12-05",
"expiry_date": "2018-12-05",
"name": "Trispecialist Trudemi",
"email": "mail@operainnologi.com"
},
{
"num": 17,
"domain_name": "trabia.date",
"create_date": "2018-02-11",
"expiry_date": "2019-02-11",
"name": "Domain Administrator",
"email": "pw-0f2772481f284233e1f949a0d9483875@privacyguardian.org",
"company_name": "See PrivacyGuardian.org"
},
{
"num": 18,
"domain_name": "trabia.review",
"create_date": "2018-02-11",
"expiry_date": "2019-02-11",
"name": "Domain Administrator",
"email": "pw-eda6b5c542dc22897ea53f43fee94308@privacyguardian.org",
"company_name": "See PrivacyGuardian.org"
},
{
"num": 19,
"domain_name": "hotelpietrabianca.com",
"create_date": "2018-02-23",
"update_date": "2026-01-24",
"expiry_date": "2027-02-23",
"name": "REDACTED FOR PRIVACY",
"email": "https://default.teamblue.domains/public/register/domain-contact",
"company_name": "REDACTED FOR PRIVACY"
},
{
"num": 20,
"domain_name": "epoxycitrabias.com",
"create_date": "2018-02-05",
"expiry_date": "2019-02-05",
"name": "Iqbal Sandira",
"email": "iqbalsandira2@gmail.com",
"company_name": "Personal"
},
{
"num": 21,
"domain_name": "attrabia.com",
"create_date": "2014-02-13",
"expiry_date": "2015-02-13",
"name": "Dario Fidora",
"email": "dario@fidora.it",
"company_name": "INFOPRESS srl"
},
{
"num": 22,
"domain_name": "trabial.com",
"create_date": "2016-02-11",
"expiry_date": "2017-02-11",
"name": "Luisa Maria Maestre Vaca",
"email": "calberlemus@gmail.com"
},
{
"num": 23,
"domain_name": "trabian.online",
"name": "tom gilard",
"email": "tomgilard5@mail.com"
},
{
"num": 24,
"domain_name": "psychiatrabialystok.com",
"create_date": "2017-02-07",
"expiry_date": "2018-02-07",
"name": "Aleksandra Buras",
"email": "buras_aleksandra@wp.pl",
"company_name": "Aleksandra Buras"
},
{
"num": 25,
"domain_name": "trabia.reisen",
"create_date": "2018-01-28",
"expiry_date": "2019-01-28",
"name": "Domain Administrator",
"email": "pw-f9b1128fc64b1340fcb2f27186b99cf4@privacyguardian.org",
"company_name": "See PrivacyGuardian.org"
}
]
}
It is mostly noise: Italian place names like pietrabianca and tonnaratrabia, personal names like robertrabiah, and unrelated businesses that simply contain the letters "trabia" as a substring. There is a real Trabia artifact buried in there (trabia.pro, registered to "Trabia-Network Ltd.", a former trading name), but it is surrounded by 450-plus false positives, and the remaining four pages are more of the same. No need to page through them. Keyword pivots are for the rare case where you suspect a naming convention and are prepared to filter hard. For attribution you can trust, pivot on the registrant email and the organization, never the bare keyword.
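If you ever do have to use a keyword pivot, the filter has to be hard and it has to run on the structured registrant fields, never on the domain name itself. The block below is an added example, not code from the original post or from APIFreaks: it takes a constructed slice of the page-1 results above and keeps only the hits whose registrant email domain or company_name ties them to the owner. The attribution anchors (trabia.com, trabia.net, "Trabia SRL", "Trabia-Network Ltd.") are the values the WHOIS records in this playbook returned; swap in whatever Steps 2 and 3 give you for your own case.

```python
import re

# Attribution anchors for the network owner: the org name from the ASN and
# IP WHOIS, the former trading name and the info@ mailbox seen on trabia.pro.
OWNER_EMAIL_DOMAINS = {"trabia.com", "trabia.net"}
OWNER_ORG_NAMES = {"Trabia SRL", "Trabia-Network Ltd."}

# Registrant fields carrying these markers are redactions, not identities.
PRIVACY_MARKERS = ("privacy", "redacted", "rdds", "tieredaccess", "proxy")

# Constructed sample: a slice of the page-1 keyword results shown above.
KEYWORD_RESULTS = [
    {"domain_name": "petrabiancacaladivolpe.com", "name": "REDACTED FOR PRIVACY",
     "email": "https://tieredaccess.com/contact/f264da2d-7196-4bd9-b89f-ada5e9047d2d",
     "company_name": "REDACTED FOR PRIVACY"},
    {"domain_name": "utrabia.com"},
    {"domain_name": "intrabia.com", "company_name": "Int'l Group, Inc./CAI 334"},
    {"domain_name": "gegtrabia.com", "name": "VistaPrint Technologies Ltd",
     "email": "csadmin@vistaprint.com", "company_name": "VistaPrint Technologies Ltd"},
    {"domain_name": "trabia.pro", "name": "Domain Department",
     "email": "info@trabia.net", "company_name": "Trabia-Network Ltd."},
    {"domain_name": "trabia.asia", "company_name": "trabia-network ltd."},
    {"domain_name": "trabia.date", "name": "Domain Administrator",
     "email": "pw-0f2772481f284233e1f949a0d9483875@privacyguardian.org",
     "company_name": "See PrivacyGuardian.org"},
]


def normalize_org(name):
    """Lowercase and drop punctuation/whitespace so that 'Trabia-Network Ltd.'
    and 'trabia-network ltd.' compare equal."""
    return re.sub(r"[^a-z0-9]", "", str(name or "").lower())


def registrant_email_domain(value):
    """Domain part of a registrant email, or None when the field is empty,
    is not an address at all (tieredaccess URLs), or is a privacy-service box."""
    s = str(value or "").strip().lower()
    if s.count("@") != 1 or any(m in s for m in PRIVACY_MARKERS):
        return None
    return s.rsplit("@", 1)[1]


def attribute_keyword_results(records, email_domains, org_names):
    """Split reverse-WHOIS keyword hits into (confirmed, noise).

    A hit is confirmed only when a structured registrant field ties it to the
    owner: the registrant email is at one of the owner's domains, or the
    company_name matches one of the owner's known organization names. The
    domain name itself is never consulted; substring matches on it are exactly
    what produced the 457-result haystack in the first place."""
    wanted_orgs = {normalize_org(n) for n in org_names} - {""}
    confirmed, noise = [], []
    for rec in records:
        reasons = []
        dom = registrant_email_domain(rec.get("email"))
        if dom in email_domains:
            reasons.append(f"registrant email at {dom}")
        org = normalize_org(rec.get("company_name"))
        if org and org in wanted_orgs:
            reasons.append(f"registrant org {rec['company_name']!r}")
        (confirmed if reasons else noise).append(
            {"domain_name": rec["domain_name"], "reasons": reasons})
    return confirmed, noise


def confirmed_domains(records=KEYWORD_RESULTS,
                      email_domains=OWNER_EMAIL_DOMAINS,
                      org_names=OWNER_ORG_NAMES):
    """Just the domain names that survive the filter, in result order."""
    confirmed, _ = attribute_keyword_results(records, email_domains, org_names)
    return [c["domain_name"] for c in confirmed]


if __name__ == "__main__":
    kept, dropped = attribute_keyword_results(
        KEYWORD_RESULTS, OWNER_EMAIL_DOMAINS, OWNER_ORG_NAMES)
    for c in kept:
        print(f"KEEP  {c['domain_name']:30} {'; '.join(c['reasons'])}")
    for n in dropped:
        print(f"DROP  {n['domain_name']}")
    print(f"{len(kept)} attributable out of {len(KEYWORD_RESULTS)} hits")
```

Only trabia.pro and trabia.asia survive, which is the same two artifacts the email and company pivots would have handed you directly.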
Acting on the Results
Operationalizing the pivot. Take the confident, merged list of owned domains and push it into your SIEM or EDR as a watchlist. Now if any host in your environment resolves or connects to one of those domains, you get an alert before it becomes an incident. That is the reactive-to-proactive turn at the heart of network threat hunting.
One honest caveat that most playbooks skip. Because this address belongs to a hosting provider, the domains you just mapped are the provider's own infrastructure, not necessarily the attacker's. The as43289.*, looking-glass, and internet-exchange domains confirm you are looking at a legitimate network operator whose service is being abused by a tenant. That is genuinely useful intelligence about the host. But if your goal is to map a specific threat actor rather than the provider hosting them, you would pivot on the WHOIS contacts of the malicious host or domain itself, not the provider's. When the bad IP is a dedicated server the actor registered directly, this same Reverse WHOIS pivot maps the actor's footprint instead. Knowing which situation you are in is the analyst's judgment call, and the WHOIS type: LIR from Step 2 is the tell.
Step 5 (Optional): Map the Full Network with ASN Lookup
You do not run this step every time. Reach for it when the case justifies the depth: a targeted attack, a repeat offender you keep seeing from different addresses in the same network, or a write-up that needs the full infrastructure picture. The ASN Lookup takes the AS number from Step 1 and returns every prefix the network announces, plus its upstreams, downstreams, and peers.
curl -X GET \
'https://api.apifreaks.com/v1.0/asn/whois/live?asn=AS43289&apiKey=API-KEY'
The complete response:
{
"asNumber": "43289",
"asName": "TRABIA",
"orgName": "Trabia SRL",
"description": "",
"orgHandle": "org-its10-ripe",
"country": "MD",
"domain": "trabia.com",
"website": "",
"allocationStatus": "ASSIGNED",
"numOfIPv4Routes": "16",
"numOfIPv6Routes": "4",
"whoisHost": "RIPE",
"dateAllocated": "2007-07-09",
"type": "ISP",
"routeObjects": [
{
"route": "92.243.67.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "EDIS Infrastructure in Moldova",
"numberOfIps": 256
},
{
"route": "188.190.12.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "EDIS Infrastructure in Moldova",
"numberOfIps": 256
},
{
"route": "178.175.168.0/22",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 1024
},
{
"route": "45.153.124.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "EDIS Infrastructure in Moldova",
"numberOfIps": 256
},
{
"route": "178.175.128.0/20",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 4096
},
{
"route": "2a00:1dc0:babe::/48",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 1.2089258196146292e+24
},
{
"route": "178.175.144.0/22",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 1024
},
{
"route": "2a00:1dc0::/29",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 6.338253001141147e+29
},
{
"route": "193.200.160.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 256
},
{
"route": "185.177.151.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "MD Cloud Hosting",
"numberOfIps": 256
},
{
"route": "178.175.148.0/23",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 512
},
{
"route": "188.190.30.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "EDIS Infrastructure in Moldova",
"numberOfIps": 256
},
{
"route": "178.175.131.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 256
},
{
"route": "178.175.149.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 256
},
{
"route": "192.121.87.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "EDIS GmbH",
"numberOfIps": 256
},
{
"route": "2a03:f80:373::/48",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "EDIS GmbH",
"numberOfIps": 1.2089258196146292e+24
},
{
"route": "103.197.148.0/22",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 1024
},
{
"route": "2a02:e00:ffe8::/48",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Bradler & Krantz GmbH & Co. KG",
"numberOfIps": 1.2089258196146292e+24
},
{
"route": "178.175.159.0/24",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 256
},
{
"route": "178.17.160.0/20",
"origin": "AS43289",
"originName": "Trabia SRL",
"isp": "Trabia SRL",
"numberOfIps": 4096
}
],
"whoisResponse": "% This is the RIPE Database query service.\n% The objects are in RPSL format.\n%\n% The RIPE Database is subject to Terms and Conditions.\n% See https://docs.db.ripe.net/terms-conditions.html\n\n% Note: this output has been filtered.\n% To receive output for a database update, use the \"-B\" flag.\n\n% Information related to 'AS43075 - AS44168'\n\nas-block: AS43075 - AS44168\ndescr: RIPE NCC ASN block\nremarks: These AS Numbers are assigned to network operators in the RIPE NCC service region.\nmnt-by: RIPE-NCC-HM-MNT\ncreated: 2023-12-11T15:09:58Z\nlast-modified: 2023-12-11T15:09:58Z\nsource: RIPE\n\n% Information related to 'AS43289'\n\n% Abuse contact for 'AS43289' is 'abuse@trabia.com'\n\naut-num: AS43289\nas-name: TRABIA\nmp-import: afi ipv4.unicast,ipv6.unicast from AS43289:AS-TRANSIT accept ANY\nmp-import: afi ipv4.unicast,ipv6.unicast from AS43289:AS-DDOS accept NOT ANY\nmp-import: afi ipv4.unicast,ipv6.unicast from AS43289:AS-PEERS accept PeerAS\nmp-import: afi ipv4.unicast,ipv6.unicast from AS43289:AS-CUSTOMERS accept PeerAS\nmp-export: afi ipv4.unicast,ipv6.unicast to AS43289:AS-TRANSIT announce AS43289:AS-EXPORT\nmp-export: afi ipv4.unicast,ipv6.unicast to AS43289:AS-DDOS announce AS43289:AS-EXPORT\nmp-export: afi ipv4.unicast,ipv6.unicast to AS43289:AS-PEERS announce AS43289:AS-EXPORT\nmp-export: afi ipv4.unicast,ipv6.unicast to AS43289:AS-CUSTOMERS announce ANY\norg: ORG-ITS10-RIPE\nadmin-c: TRAB\ntech-c: TRAB\nstatus: ASSIGNED\nmnt-by: TRABIA-MNT\nmnt-by: RIPE-NCC-END-MNT\ncreated: 2007-07-09T11:44:05Z\nlast-modified: 2022-06-24T19:50:38Z\nsource: RIPE\n\norganisation: ORG-ITS10-RIPE\norg-type: LIR\ncountry: MD\nreg-nr: 1005600060224\nremarks:\nremarks: Contact us by:\nremarks: https://www.trabia.com\nremarks:\norg-name: Trabia SRL\naddress: str. V. Pircalab 52\naddress: 2012\naddress: Chisinau\naddress: MOLDOVA, REPUBLIC OF\nphone: +373 22 994-994\nadmin-c: TRAB\ntech-c: TRAB\nabuse-c: TRAB\nmnt-ref: RIPE-NCC-HM-MNT\nmnt-ref: TRABIA-MNT\nmnt-by: RIPE-NCC-HM-MNT\nmnt-by: TRABIA-MNT\ncreated: 2010-03-19T14:54:05Z\nlast-modified: 2026-05-13T07:33:06Z\nsource: RIPE # Filtered\n\nrole: Trabia SRL\naddress: str. V. Pircalab 52\naddress: 2012 Chisinau\naddress: Moldova\nremarks:\nremarks: Contact us and abuse report:\nremarks: https://www.trabia.com\nremarks:\nabuse-mailbox: abuse@trabia.com\norg: ORG-ITS10-RIPE\nnic-hdl: TRAB\nadmin-c: TRAB1\ntech-c: TRAB1\nmnt-by: TRABIA-MNT\ncreated: 2022-06-24T19:11:58Z\nlast-modified: 2022-09-23T13:35:56Z\nsource: RIPE # Filtered\n\n% This query was served by the RIPE Database Query Service version 1.122.1 (DEXTER)\n\n",
"downstreams": [
{
"asNumber": "AS39798",
"description": "MivoCloud SRL",
"country": "MD"
},
{
"asNumber": "AS204213",
"description": "Netmihan Communication Company Ltd",
"country": "IR"
},
{
"asNumber": "AS3281",
"description": "2CLOUD SIA",
"country": "LV"
},
{
"asNumber": "AS210166",
"description": "YouTel Communications Ltd.",
"country": "BG"
},
{
"asNumber": "AS15836",
"description": "Arax Impex s.r.l.",
"country": "MD"
},
{
"asNumber": "AS48506",
"description": "Metical SRL",
"country": "MD"
}
],
"parsedWhoisResponse": {
"status": true,
"whois_server": "whois.ripe.net",
"as_blocks": [
{
"as_block": "AS43075 - AS44168",
"description": [
"RIPE NCC ASN block"
],
"remarks": [
"These AS Numbers are assigned to network operators in the RIPE NCC service region."
],
"mnt_by": [
"RIPE-NCC-HM-MNT"
],
"date_created": "2023-12-11",
"date_updated": "2023-12-11",
"source": "RIPE"
}
],
"aut_nums": [
{
"aut_num": "AS43289",
"as_name": "TRABIA",
"status": "ASSIGNED",
"mp_import": [
"afi ipv4.unicast,ipv6.unicast from AS43289:AS-TRANSIT accept ANY",
"afi ipv4.unicast,ipv6.unicast from AS43289:AS-DDOS accept NOT ANY",
"afi ipv4.unicast,ipv6.unicast from AS43289:AS-PEERS accept PeerAS",
"afi ipv4.unicast,ipv6.unicast from AS43289:AS-CUSTOMERS accept PeerAS"
],
"mp_export": [
"afi ipv4.unicast,ipv6.unicast to AS43289:AS-TRANSIT announce AS43289:AS-EXPORT",
"afi ipv4.unicast,ipv6.unicast to AS43289:AS-DDOS announce AS43289:AS-EXPORT",
"afi ipv4.unicast,ipv6.unicast to AS43289:AS-PEERS announce AS43289:AS-EXPORT",
"afi ipv4.unicast,ipv6.unicast to AS43289:AS-CUSTOMERS announce ANY"
],
"organization": "ORG-ITS10-RIPE",
"admin_contacts": [
"TRAB"
],
"tech_contacts": [
"TRAB"
],
"mnt_by": [
"TRABIA-MNT",
"RIPE-NCC-END-MNT"
],
"date_created": "2007-07-09",
"date_updated": "2022-06-24",
"source": "RIPE"
}
],
"organization": {
"handle": "ORG-ITS10-RIPE",
"name": "Trabia SRL",
"type": "LIR",
"address": [
"str. V. Pircalab 52",
"2012",
"Chisinau",
"MOLDOVA, REPUBLIC OF"
],
"street": "Str. V. Pircalab",
"city": "Chisinau",
"zip_code": "2012",
"country": [
"MD"
],
"phone": [
"+373 22 994-994"
],
"admin_contacts": [
"TRAB"
],
"tech_contacts": [
"TRAB"
],
"abuse_contacts": [
"TRAB"
],
"remarks": [
"Contact us by:",
"https://www.trabia.com"
],
"mnt_ref": [
"RIPE-NCC-HM-MNT",
"TRABIA-MNT"
],
"mnt_by": [
"RIPE-NCC-HM-MNT",
"TRABIA-MNT"
],
"date_created": "2010-03-19",
"date_updated": "2026-05-13",
"source": "RIPE",
"addressCountry": "MOLDOVA REPUBLIC OF"
},
"administrative_contacts": [
{
"handle": "TRAB",
"name": "Trabia SRL",
"address": [
"str. V. Pircalab 52",
"2012 Chisinau",
"Moldova"
],
"street": "Str. V. Pircalab",
"city": "Chisinau",
"zip_code": "2012",
"country": "MOLDOVA",
"abuse_mailbox": [
"abuse@trabia.com"
],
"organizations": [
"ORG-ITS10-RIPE"
],
"admin_contacts": [
"TRAB1"
],
"tech_contacts": [
"TRAB1"
],
"remarks": [
"Contact us and abuse report:",
"https://www.trabia.com"
],
"mnt_by": [
"TRABIA-MNT"
],
"date_created": "2022-06-24",
"date_updated": "2022-09-23",
"source": "RIPE",
"addressCountry": "MOLDOVA"
}
],
"technical_contacts": [
{
"handle": "TRAB",
"name": "Trabia SRL",
"address": [
"str. V. Pircalab 52",
"2012 Chisinau",
"Moldova"
],
"street": "Str. V. Pircalab",
"city": "Chisinau",
"zip_code": "2012",
"country": "MOLDOVA",
"abuse_mailbox": [
"abuse@trabia.com"
],
"organizations": [
"ORG-ITS10-RIPE"
],
"admin_contacts": [
"TRAB1"
],
"tech_contacts": [
"TRAB1"
],
"remarks": [
"Contact us and abuse report:",
"https://www.trabia.com"
],
"mnt_by": [
"TRABIA-MNT"
],
"date_created": "2022-06-24",
"date_updated": "2022-09-23",
"source": "RIPE",
"addressCountry": "MOLDOVA"
}
]
},
"upstreams": [
{
"asNumber": "AS50869",
"description": "IPng Networks GmbH",
"country": "CH"
},
{
"asNumber": "AS6762",
"description": "TELECOM ITALIA SPARKLE S.p.A.",
"country": "IT"
},
{
"asNumber": "AS58057",
"description": "Securebit AG",
"country": "CH"
},
{
"asNumber": "AS9002",
"description": "RETN Limited",
"country": "GB"
},
{
"asNumber": "AS6939",
"description": "Hurricane Electric LLC",
"country": "US"
},
{
"asNumber": "AS24961",
"description": "WIIT AG",
"country": "DE"
},
{
"asNumber": "AS57463",
"description": "NetIX Communications JSC",
"country": "BG"
},
{
"asNumber": "AS8298",
"description": "IPng Networks GmbH",
"country": "CH"
},
{
"asNumber": "AS48646",
"description": "SDRmedia Verwaltungs GmbH",
"country": "DE"
},
{
"asNumber": "AS174",
"description": "Cogent Communications, LLC",
"country": "US"
},
{
"asNumber": "AS12310",
"description": "iNES GROUP SRL",
"country": "RO"
},
{
"asNumber": "AS52055",
"description": "NetIX Communications JSC",
"country": "BG"
},
{
"asNumber": "AS34019",
"description": "Hivane Association",
"country": "FR"
},
{
"asNumber": "AS3223",
"description": "Voxility LLP",
"country": "GB"
},
{
"asNumber": "AS9044",
"description": "BSE Software GmbH",
"country": "CH"
},
{
"asNumber": "AS50673",
"description": "Serverius Holding B.V.",
"country": "NL"
},
{
"asNumber": "AS206499",
"description": "LOCIX LIMITED",
"country": "GB"
},
{
"asNumber": "AS137409",
"description": "GSL Networks Pty LTD",
"country": "AU"
},
{
"asNumber": "AS34549",
"description": "meerfarbig GmbH & Co. KG",
"country": "DE"
}
],
"contacts": {
"emailContacts": [],
"abuseContacts": [
"abuse@trabia.com"
]
},
"legacyRoutes": []
}
The routeObjects array is the deliverable: twenty announced prefixes (16 IPv4 and 4 IPv6, matching numOfIPv4Routes and numOfIPv6Routes), mixing Trabia's own ranges with sub-allocations labeled "EDIS Infrastructure in Moldova", "EDIS GmbH", "MD Cloud Hosting", and "Bradler & Krantz GmbH & Co. KG". Your suspicious address lives in 178.175.131.0/24, and the broadest related allocation is 178.175.128.0/20 (4,096 addresses).
The downstreams and upstreams are exactly why you do not blanket-block this ASN. The network has its own downstream customers, including ASes in Moldova, Latvia, Bulgaria, and Iran, and it buys transit from major carriers like Cogent and Hurricane Electric. Null-routing all of AS43289 would knock out unrelated downstream networks and every legitimate hosting tenant in the process.
From prefixes to firewall rules. Block the specific announced /24 that carries the bad address. If you are seeing distributed abuse from across the allocation, the /20 is the broadest unit you can justify, and even then you are accepting collateral damage against legitimate tenants. ASN-wide blocking is for the rare case of an ASN that exists only to host abuse, which a network with real upstreams, downstreams, and a decade of clean registration is plainly not. Match the blast radius of your block to the evidence.
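The "match the blast radius to the evidence" rule is mechanical enough to code. The block below is an added example, not from the original post or from APIFreaks: it takes the routeObjects list from the ASN Lookup response above and, for a given address, returns the tightest announced prefix (the default block), the broadest one containing it (the most you can justify for abuse spread across the allocation), and how many extra addresses widening would sweep in. The ANNOUNCED list is copied from the response on this page; the distributed_abuse flag is this example's own switch.

```python
import ipaddress

# Prefixes announced by AS43289, copied from the routeObjects array above
# (both address families). This is the input Step 5 hands you.
ANNOUNCED = [
    "92.243.67.0/24", "188.190.12.0/24", "178.175.168.0/22", "45.153.124.0/24",
    "178.175.128.0/20", "2a00:1dc0:babe::/48", "178.175.144.0/22", "2a00:1dc0::/29",
    "193.200.160.0/24", "185.177.151.0/24", "178.175.148.0/23", "188.190.30.0/24",
    "178.175.131.0/24", "178.175.149.0/24", "192.121.87.0/24", "2a03:f80:373::/48",
    "103.197.148.0/22", "2a02:e00:ffe8::/48", "178.175.159.0/24", "178.17.160.0/20",
]


def covering_prefixes(ip, announced):
    """All announced prefixes that contain ip, most specific first.
    Mixed address families are fine; only the matching family is considered."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(p, strict=False) for p in announced)
    hits = [n for n in nets if n.version == addr.version and addr in n]
    return sorted(hits, key=lambda n: n.prefixlen, reverse=True)


def scope_block(ip, announced, distributed_abuse=False):
    """Choose the block unit for ip against an ASN's announced prefixes.

    Returns None when the address is inside nothing the ASN announces, which
    means the ASN attribution itself deserves a second look before blocking.
    Otherwise returns the tightest announced prefix (the default block), the
    broadest one (the ceiling when abuse is spread across the allocation),
    the other announced prefixes the broad block would also cover, and the
    number of addresses widening from tight to broad adds."""
    covering = covering_prefixes(ip, announced)
    if not covering:
        return None
    tight, broad = covering[0], covering[-1]
    nets = [ipaddress.ip_network(p, strict=False) for p in announced]
    inside_broad = sorted(
        str(n) for n in nets
        if n.version == broad.version and n != broad and n.subnet_of(broad)
    )
    chosen = broad if distributed_abuse else tight
    return {
        "tightest": str(tight),
        "broadest": str(broad),
        "broadest_size": broad.num_addresses,
        "sub_prefixes_inside_broadest": inside_broad,
        "addresses_added_by_widening": broad.num_addresses - tight.num_addresses,
        "block": str(chosen),
        "block_size": chosen.num_addresses,
    }


if __name__ == "__main__":
    for ip in ("178.175.131.194", "2a00:1dc0:babe::1", "8.8.8.8"):
        scope = scope_block(ip, ANNOUNCED)
        if scope is None:
            print(f"{ip}: not inside any announced prefix; re-check the ASN attribution")
            continue
        print(f"{ip}: block {scope['block']} ({scope['block_size']} addresses); "
              f"ceiling {scope['broadest']} would add "
              f"{scope['addresses_added_by_widening']} more")
```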
The Verdict: What We Learned About This Suspicious IP Address
Run end to end, the playbook turns 178.175.131.194 from an anonymous line in a log into a complete, defensible writeup. Here is the case summary an analyst would paste into the ticket, with each finding tied back to the step that produced it.
What it is. A Tor exit node running on hosted infrastructure inside Trabia SRL, a legitimate Moldovan hosting provider and RIPE Local Internet Registry. The Step 1 combination of is_tor, is_known_attacker, and is_cloud_provider, confirmed by the type: LIR in Step 2, is the tell: this is not a residential machine and not a purpose-built attack network. It is a tenant abusing a real provider's service to push attack traffic out through Tor.
The verdict. Block. A threat score of 80 sitting next to a confirmed is_known_attacker flag clears the bar to act now and document afterward, rather than the other way around.
What to block. The single address, or at most the announced 178.175.131.0/24 from Step 2 if the abuse is spreading across that block. Not the registered /19, and never the whole of AS43289, which Step 5 showed carries legitimate downstream networks and hosting tenants across several countries.
Who to tell. Send the offending address and your timestamps to abuse@trabia.com, the abuse desk that appears in both the IP WHOIS record and the ASN registration. A real registry member with a dedicated incident response team, IRT-TRABIA, is the kind of provider that may actually action a report and pull the tenant.
What it connects to. The Step 4 reverse WHOIS pivot mapped the provider's own footprint, the as43289.* domains, the looking glass, the internet exchange, rather than an attacker's. That is the honest read: you have characterized the host, not unmasked an operator. Had this address been a dedicated server the attacker registered directly, the same pivot would have drawn the actor's infrastructure map instead, and that distinction is the analyst's call to make, not the tool's.
What to do next. Push the block or prefix to your firewall, file the abuse report, and add the address to your watchlist so a repeat from elsewhere in AS43289 surfaces straight away. If the same network keeps reappearing, that is your cue to run the full pivot in earnest and treat it as a pattern rather than a one-off.
In one sitting, you moved from an unknown address in an alert to a blocking decision, a reporting contact, a scoped firewall rule, and a note for the next analyst. That is the whole point of a repeatable playbook: the suspicious IP address that arrived as a question leaves as a closed, documented finding.
The Full Playbook as One Script
Here is the entire chain in one commented Python script. It takes a suspicious IP address as an argument, runs all five lookups against a single API key, and prints a structured investigation report you can paste into a ticket. Each step fails soft: if one lookup has no data for a given address, a private IP, an address with no WHOIS record, a redacted registrant, the script notes it and carries on rather than aborting the run. It is built to drop straight into a SOAR runbook.
#!/usr/bin/env python3
"""
ip_investigation.py
One suspicious IP in, a full threat-actor picture out.
Chains five APIFreaks endpoints under a single API key.
Each step degrades gracefully: if one lookup has no data for a given
address (private IP, no WHOIS record, redacted registrant, etc.), the
script notes it and keeps going instead of aborting the whole run.
Usage:
    python3 ip_investigation.py 178.175.131.194
"""
import re
import sys

import requests

API_KEY = "YOUR_API_KEY"  # https://apifreaks.com/signup
BASE = "https://api.apifreaks.com/v1.0"
HEADERS = {"X-apiKey": API_KEY}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def fetch(path, params):
    """GET helper that never raises. Returns parsed JSON, or None on any
    HTTP error, network failure, or non-JSON body, with a short warning."""
    try:
        r = requests.get(f"{BASE}/{path}", headers=HEADERS, params=params, timeout=30)
    except requests.RequestException as e:
        print(f"  [warn] /{path} request failed: {e}")
        return None
    if r.status_code != 200:
        print(f"  [warn] /{path} returned HTTP {r.status_code} (no data for this input)")
        return None
    try:
        data = r.json()
    except ValueError:
        print(f"  [warn] /{path} returned a non-JSON body")
        return None
    # Some endpoints signal "nothing found" with status: false rather than a 4xx
    if isinstance(data, dict) and data.get("status") is False:
        return None
    return data


def is_email(value):
    """True only for a clean, non-redacted registrant email worth pivoting on."""
    s = str(value or "")
    if not EMAIL_RE.match(s):
        return False
    return not any(bad in s.lower() for bad in ("privacy", "redacted", "rdds", "query"))


def investigate(ip):
    report = {"ip": ip, "related_domains": [], "verdict": "NO DATA"}

    # Step 1: threat verdict + geolocation + owning ASN, in one call.
    # If this fails there is nothing to investigate, so return early.
    geo = fetch("geolocation/lookup", {"ip": ip, "include": "security"})
    if not geo:
        return report
    sec = geo.get("security") or {}
    asn = (geo.get("network") or {}).get("asn") or {}
    report["country"] = (geo.get("location") or {}).get("country_name")
    report["threat_score"] = sec.get("threat_score")
    report["is_known_attacker"] = sec.get("is_known_attacker")
    report["is_tor"] = sec.get("is_tor")
    report["is_proxy"] = sec.get("is_proxy")
    report["asn"] = asn.get("as_number")
    report["org"] = asn.get("organization")
    report["org_domain"] = asn.get("domain") or None  # many ASNs have none
    report["verdict"] = (
        "BLOCK" if (sec.get("is_known_attacker") or (sec.get("threat_score") or 0) >= 75)
        else "MONITOR"
    )

    # Step 2: network owner, registered block, announced route.
    ipw = fetch("ip/whois/live", {"ip": ip})
    if ipw:
        inet = (ipw.get("inet_nums") or [{}])[0]
        routes = ipw.get("routes") or []
        report["registered_block"] = inet.get("cidr")
        report["announced_route"] = routes[0].get("route") if routes else None
        report["owner_type"] = (ipw.get("organization") or {}).get("type")
        report["abuse_email"] = (ipw.get("administrative_contacts") or [{}])[0].get("abuse_mailbox")
        # If Step 1 had no org name, recover it from the WHOIS org record.
        report["org"] = report.get("org") or (ipw.get("organization") or {}).get("name")

    # Step 3: registrant email from the owner's domain (the clean pivot key).
    pivot_email = None
    if report.get("org_domain"):
        dw = fetch("domain/whois/live", {"domainName": report["org_domain"]})
        if dw:
            pivot_email = (dw.get("registrant_contact") or {}).get("email_address")
    report["registrant_email"] = pivot_email if is_email(pivot_email) else None

    # Step 4: pivot to related domains. Email first, fall back to org name.
    pivot = None
    if is_email(pivot_email):
        pivot = {"email": pivot_email, "mode": "mini"}
    elif report.get("org"):
        pivot = {"company": report["org"], "mode": "mini"}
    if pivot:
        rev = fetch("domain/whois/reverse", pivot)
        if rev:
            report["related_domains"] = [
                d.get("domain_name")
                for d in (rev.get("whois_domains_historical") or [])
                if d.get("domain_name")
            ]

    # Step 5 (optional): full network map. Only when warranted and possible.
    if report["verdict"] == "BLOCK" and report.get("asn"):
        asnw = fetch("asn/whois/live", {"asn": report["asn"]})
        if asnw:
            report["announced_prefixes"] = [
                r.get("route") for r in (asnw.get("routeObjects") or []) if r.get("route")
            ]
            report["downstream_count"] = len(asnw.get("downstreams") or [])
    return report


def main():
    if len(sys.argv) != 2:
        print("Usage: python3 ip_investigation.py <ip>")
        sys.exit(1)
    r = investigate(sys.argv[1])

    def show(value):
        return value if value not in (None, "", []) else "n/a"

    print("=" * 56)
    print(f"  IP INVESTIGATION REPORT: {r['ip']}")
    print("=" * 56)
    print(f"  Verdict          : {show(r.get('verdict'))}")
    if r.get("verdict") == "NO DATA":
        print("  No geolocation/security data returned for this address.")
        print("  (It may be private, reserved, or unallocated.)")
        print("=" * 56)
        return
    print(f"  Threat score     : {show(r.get('threat_score'))}")
    print(f"  Known attacker   : {show(r.get('is_known_attacker'))}")
    print(f"  Tor / proxy      : {show(r.get('is_tor'))} / {show(r.get('is_proxy'))}")
    print(f"  Country          : {show(r.get('country'))}")
    print(f"  Owner            : {show(r.get('org'))} ({show(r.get('owner_type'))})")
    print(f"  ASN              : {show(r.get('asn'))}")
    print(f"  Announced route  : {show(r.get('announced_route'))} <- block on this")
    print(f"  Abuse contact    : {show(r.get('abuse_email'))}")
    print(f"  Registrant email : {show(r.get('registrant_email'))}")
    print(f"  Related domains  : {len(r['related_domains'])} found")
    for d in r["related_domains"]:
        print(f"    - {d}")
    if "announced_prefixes" in r:
        print(f"  Network prefixes : {len(r['announced_prefixes'])} "
              f"announced, {r.get('downstream_count', 0)} downstreams")
    print("=" * 56)


if __name__ == "__main__":
    main()
How to Run It
The script needs Python 3.7 or newer and one dependency, requests. Save it as ip_investigation.py, set your own API key in the API_KEY line, and run it against any address:
# 1. Install the one dependency (use a virtualenv to keep it isolated)
python3 -m venv venv && source venv/bin/activate # Windows: venv\Scripts\activate
pip install requests
# 2. Edit ip_investigation.py and set API_KEY = "your-key"
# Get a key at https://apifreaks.com/signup
# 3. Run the investigation
python3 ip_investigation.py 178.175.131.194
The Step 1 call with include=security costs 6 credits, the WHOIS calls are billed at their own per-lookup rates, and a full five-step run stays comfortably within the 10,000 free credits, so there is plenty of room to test. Step 5 only fires when the verdict is BLOCK, so a clean address skips the ASN enumeration on its own. If you hit a 401, the key is missing or out of credits; if Python cannot find requests, install it against the same interpreter you are calling with python3 -m pip install requests. Once it runs, browse the rest of the API catalogue to extend the chain with DNS or SSL lookups.
How the Script Decides
The script is not just plumbing that prints raw fields. It encodes the same judgment calls you would make by hand in Steps 1 through 5, so the report comes out with a recommendation already attached. Four rules drive it.
The verdict. The verdict is BLOCK when is_known_attacker is true or the threat_score is 75 or higher, and MONITOR otherwise. This is the Step 1 decision point turned into code: confirmed attack history or a high score is enough to act on, while a moderate score on its own, the kind a lone Tor or proxy flag produces, keeps the address under watch rather than blocking it. The flags are read in combination, never in isolation, which is why is_tor alone never forces a block.
What to block on. When the script does say BLOCK, it surfaces the announced_route from Step 2, the specific /24 the address actually routes through, and labels it as the unit to block, not the much larger registered allocation. That keeps the blast radius tight by default and stops you from null-routing thousands of innocent neighbors.
Which pivot to trust. For the Step 4 pivot the script prefers the registrant email, but only after the is_email() check confirms it is a real address and not a GDPR redaction string like "please query the rdds service." If the email is missing or redacted, it falls back to the organization name. It never pivots on a bare keyword, because, as the keyword example showed, that path is almost all noise. The report shows n/a for the registrant email rather than echoing a redaction placeholder.
When to go deep. Step 5 runs only when the verdict is BLOCK and an ASN is present. A clean address never triggers a full network enumeration, which keeps it the deliberate escalation path it should be rather than something that fires on every lookup. And because each step fails soft, an address with partial data still returns a useful report with the gaps marked, instead of an exception.
Read together, those rules are why the output is a decision and not just a data dump: it tells you whether to block, exactly what to block, who to report it to, and what else the same owner runs.
Threat Hunting Tools Compared: One API Key vs. a Drawer Full of Logins
The standalone threat hunting tools are good at what they do, and this is not an argument that they are not. Shodan and AbuseIPDB give you deep reputation and exposure data. The regional registries, ARIN and RIPE, are the authoritative source for WHOIS. DomainTools and similar services have enormous reverse-WHOIS databases. BGPView is a fine free way to read ASN routing.
The problem is not any single one of them. The problem is that a complete IP address investigation needs all of them at once, and stitching them together mid-incident is where the time goes.
| Investigation step | Typical standalone tool | APIFreaks endpoint |
|---|---|---|
| Threat flags and geolocation | Shodan or AbuseIPDB | IP Geolocation Lookup |
| Network ownership | ARIN or RIPE | IP WHOIS API |
| Registrant pivot key | DomainTools or WhoisXML | Domain WHOIS API |
| Pivot to related domains | DomainTools or WhoisXML | Domain WHOIS Reverse Lookup |
| Network mapping | BGPView | ASN Lookup API |
| Logins and keys to manage | Five | One |
Run the investigation across five separate products and you pay for it in friction, not just dollars. Five auth flows to keep current. Five response schemas to normalize before you can correlate anything, because one calls it as_number, the next asn, the next autonomous_system. Five rate-limit policies and five billing relationships. And the constant context-switching between tabs and formats while the alert is still live and the attacker is still working. Consolidating the chain under one key with one consistent JSON shape is not about saving a few subscription fees. It is about being able to script the whole investigation, which is the difference between a runbook that runs itself and a sequence of manual copy-paste steps you do under pressure at 2 a.m.
If your evaluation is specifically about geolocation accuracy and the depth of these security fields rather than the full investigation chain, our side-by-side test of the best IP geolocation APIs in 2026 compares five providers field by field.
Conclusion
A suspicious IP address does not have to mean a row of browser tabs and an hour of manual correlation. Following the same steps every time, under one API key, turns it into a repeatable process you can run by hand during triage or script straight into a runbook, which is exactly what makes these threat hunting tools worth consolidating instead of juggling. Start with the IP Geolocation Lookup documentation, grab a free key, and turn the next alert into a finished report instead of an open question.
Frequently Asked Questions
How do I check if an IP address is malicious?
Query the IP against a threat intelligence source that returns reputation and behavior signals. With the APIFreaks IP Geolocation Lookup you add include=security to the request and get back a threat score, plus boolean flags for Tor, proxy, known-attacker, spam, and bot activity, in the same response as the location and network owner. A high score combined with a known-attacker flag is your strongest signal to block.
How do I check a suspicious IP?
Score its reputation first, then trace its ownership. One call to an IP geolocation endpoint with security fields returns a threat score and flags for Tor, proxy, and known-attacker activity; if those raise concern, follow up with WHOIS and reverse WHOIS to map the owning network and any related infrastructure. The five-step playbook in this guide runs that whole sequence under one API key, taking you from a single suspicious IP to a block decision, a reporting contact, and a list of related domains.
What does a high threat score mean?
A threat score rates how risky an address is on a scale that tops out at 100, based on its observed behavior and reputation. A high score on its own means investigate, not necessarily block. Read it alongside the specific flags: a high score plus is_known_attacker: true is a confident block, while a high score driven only by is_tor is context that usually warrants monitoring rather than an immediate block.
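The score-plus-flags reading above, written out as a triage rule you can drop into a runbook. This is an added example, not code from the guide or from APIFreaks: the field names threat_score, is_proxy, is_spam and is_bot, the "high" threshold of 70, and the sample records are assumptions, and only is_known_attacker and is_tor are quoted from the text.

```python
# Added example: turn the security block of an IP lookup into a verdict.
# Assumed field names (only is_known_attacker and is_tor appear in the guide):
#   threat_score, is_tor, is_proxy, is_known_attacker, is_spam, is_bot
HIGH_SCORE = 70  # assumed threshold for a "high" score; tune to your tolerance


def triage_verdict(security: dict, high_score: int = HIGH_SCORE) -> str:
    """Map a security block to 'block', 'monitor', 'investigate' or 'clear'.

    Rules follow the FAQ answer above:
      high score + is_known_attacker      -> block
      high score raised only by is_tor    -> monitor
      any other high score                -> investigate
      score below the threshold           -> clear (assumed: log only)
    """
    score = int(security.get("threat_score", 0))
    raised = {k for k, v in security.items() if k.startswith("is_") and bool(v)}
    if score < high_score:
        return "clear"
    if "is_known_attacker" in raised:
        return "block"
    if raised == {"is_tor"}:
        return "monitor"
    return "investigate"


def triage_batch(records: dict) -> dict:
    """Apply triage_verdict to {ip: security_block} and return {ip: verdict}."""
    return {ip: triage_verdict(sec) for ip, sec in records.items()}


# Constructed sample responses (documentation-range IPs, invented values).
SAMPLE = {
    "203.0.113.10": {"threat_score": 92, "is_known_attacker": True,
                     "is_tor": False, "is_proxy": True, "is_spam": False, "is_bot": False},
    "203.0.113.20": {"threat_score": 80, "is_known_attacker": False,
                     "is_tor": True, "is_proxy": False, "is_spam": False, "is_bot": False},
    "203.0.113.30": {"threat_score": 75, "is_known_attacker": False,
                     "is_tor": False, "is_proxy": False, "is_spam": False, "is_bot": False},
    "203.0.113.40": {"threat_score": 12, "is_known_attacker": False,
                     "is_tor": False, "is_proxy": False, "is_spam": False, "is_bot": False},
}

if __name__ == "__main__":
    for ip, verdict in triage_batch(SAMPLE).items():
        print(f"{ip:15} {verdict}")
```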
How do you find out who an IP address belongs to?
Run the address through a WHOIS lookup. IP WHOIS returns the registered network block, the organization that owns it, and an abuse contact, while the ASN tied to the address identifies the network operator that announces it. Read the organization type and the announced route together: they tell you whether the address sits inside a hosting provider, an ISP, or a corporate network, and they give you a contact you can actually send an abuse report to. The country alone is not ownership.
Can I investigate a suspicious IP address for free?
Yes. APIFreaks includes 10,000 free credits with signup and no credit card, which is enough to run this entire five-step chain on many addresses while you evaluate it. You can work through the full playbook, geolocation through ASN mapping, on the free tier.
What is reverse WHOIS used for?
Reverse WHOIS finds every domain registered by a given owner, email, organization, or keyword. In threat hunting it is the pivot that turns a single indicator into a map of related infrastructure: you take the registrant email from a malicious host's WHOIS record and discover every other domain registered under it, then feed that list into your SIEM or EDR as a watchlist.
Should I block an entire ASN?
Almost never. Most ASNs that show up in alerts belong to legitimate hosting providers and ISPs with thousands of innocent tenants and downstream customers. Block the specific announced prefix that carries the bad address, usually a /24, rather than the whole network. Reserve ASN-wide blocks for the rare networks that exist purely to host abuse, which you can identify by the absence of legitimate upstreams, downstreams, and registration history.
