As we previously reported, Federal agents were thought to have seized the domain names of Onsmash.com, djaz1.com, RapGodFathers.com, and over 60 other websites over the holidays after users received a notice saying that the domain name had been seized by ICE through court-ordered warrants.

The notice also stated penalties for willful copyright infringement and trafficking in counterfeit goods.

The story spread across the web like wildfire, receiving coverage from Fox News, Wall Street Journal, and many other major news outlets.

Neither ICE nor Homeland Security responded to messages seeking comment. However, an ICE spokeswoman added fuel to the fire after she confirmed to the Wall Street Journal that the agency executed court-ordered seizure warrants against a number of domain names but declined additional comment.

“As this is an ongoing investigation, there are no additional details available at this time,” she told the newspaper.

Now that the dust has somewhat settled over the purported government seizure, keen eyes across the web have hinted that this may all be a malicious well-timed hoax.

Yesterday, poster Elun B. over at GrandGoods.com noted that the notices as well as the other domains thought to had been seized “are all fake sites put up to mimic (and not very well) the real ICE seizures.”

What a con game! None of these are ICE seizures. They are all fake sites put up to mimic (and not very well) the real ICE seizures. What’s the clues? All of these sites are hosted at carohosting, including the google analytics and piwik analytics that the creator wanted to track how well his viral news article was. Official seized sites are no more than a single 640×480 JPG (with no visitor tracking). Not knowing anything about the original site content of these fakes, perhaps the site owners are trying to bilk their subscribers and blame it on the Feds. For the real seizures (and for the con artists, the real graphic), visit: http://www.ice.gov/news/releases/1006/100630losangeles.htm

Another poster on Slashpot goes a bit more into detail:

Well, it looks fishy to me. Here are the questionable elements.

(1) The domain registration information information still lists a private domain owner and and admin contact.

(2) The name servers ns1.torrent-finder.com and ns2.torrent-finder.com, as well as the torrent-finder.com ALL redirect to addresses in a private hosting company (74.81.170.108, .109 and .110 respectively), physically in Charlotte, NC. The picture you’re greeted with is served from one of the hosting company’s addresses.

(3) Whois reports the registrar to be Go Daddy, but the name servers ns1 and ns2.seizedservers.com whose IP addresses aremanaged by a private company called “wild west domains”.

(4) The “seizedservers.com” domain is controlled by a company called “immixGroup IT solutions”. The registrar is network solutions and the registrant is using network solution’s privacy service to block his contact identity.

Notice what is missing here: any reference to a government controlled host, domain or name controller. All we have is a set of privately procured and managed name and web servers with anonymous administrative contacts. There is literally *nothing* to connect the picture you are seeing at the torrent-finders.com website to DHS, other than the picture’s *claim*.

A little googling shows this exact same picture shows up in similar “DHS seizure” cases, with the exact same pattern of private servers and domains leading back to some anonymity service and NO government ip addresses, domains or contacts involved, although the *private* domains and servers involved are different. If this were a DHS seizure program, wouldn’t the trail lead back to the same government contacts?

It looks to me like this is either a hoax or a case of private hijacking by a private individual or group who uses different domains and accounts to cover his tracks

We’ll keep you posted as this develops.