The Graph
A single scan tells you what a domain looks like. The graph tells you what it's connected to.
Behind every result page is a property graph. Domains, IPs, SSL certificates, regulator warnings and other forensic signals are stored as nodes and connected by typed edges. When you open the Network tab on a scan result, you're looking at a slice of that graph centred on the domain you scanned.
Why a graph
Scammers reuse things. A single individual or operation typically runs many domains, but they share:
- The same hosting IP or nameserver
- The same SSL certificate fingerprint
- The same analytics or AdSense ID
- The same favicon, the same build hash, the same image set
- The same registrant email, phone, or crypto wallet
In a relational database, surfacing those reuse patterns means stitching joins together every time you ask a question. In a graph, the relationships are first-class. "Show me every domain sharing this IP" is a one-hop traversal, not a query plan negotiation.
The model
Nodes
| Node type | What it is |
|---|---|
| Domain | A scanned hostname with its trust score, status, and metadata |
| IP | A resolved IP address |
| SSL certificate | A unique certificate fingerprint |
| Nameserver | A DNS nameserver hostname |
| Identifier | Analytics IDs, AdSense IDs, registrant emails, phones, crypto wallets |
| Regulator warning | A published warning from a financial authority |
| Signal | A forensic fingerprint (favicon hash, build hash, content hash, image set) |
Edges
Edges are typed by why two nodes are connected. The colour you see on the network graph reflects the family:
- Code / Content (cyan): content_hash, build_hash, similar_content, same_images, favicon_hash
- Infrastructure (mint): ip_address, nameserver, ssl_fingerprint
- Identity (gold): email, registrant, registrar, analytics_id, adsense_id, tracking_id
- Financial (white): phone_number, crypto_wallet
- Regulator warning (magenta): co-listing in the same warning by a non-dragnet regulator
- Manual link (fuchsia): operator-curated connections that the automated signals missed
A connection between two domains can come from any of these, and a forensic cluster is almost always a stack of several signals on top of each other.
How the graph powers a scan
When you scan a domain, here's what happens behind the bubble graph:
- The scan extracts every signal it can (IPs, certificates, identifiers, hashes) and writes them as nodes
- The domain is linked to each signal it touched
- The query that builds the Network tab asks: "give me every other domain reachable in one or two hops from here"
- Those neighbours and their edges are rendered as the force-directed bubble map
Bubble colour reflects trust score. The ring around a node reflects uptime. Edge colour reflects the signal family. Filtering by signal in the UI is a graph traversal, not a recomputation.
What it does not do
- No private data. Every signal in the graph comes from a scan we ran or a public regulator publication. There is no purchased dataset, no user PII, no scraped social profiles.
- No predictive verdicts. The graph surfaces structural reuse. It is evidence, not a verdict. Two domains sharing a CDN IP is a much weaker signal than two domains sharing a favicon hash, a tracking ID, and a registrant email.
- No infinite expansion. Each network view is bounded to a sensible neighbourhood. Otherwise a single hosting provider IP would pull in millions of unrelated sites.
Reading a cluster honestly
A few practical rules when you look at a connected component:
- Infrastructure links alone are weak. Shared Cloudflare IPs mean almost nothing on their own.
- Identity + content links are strong. A shared analytics ID and a shared favicon hash mean the same operator built both sites.
- Regulator warnings are direct evidence. A magenta edge means a named authority publicly co-listed the two domains in the same warning.
The Network tab on a scan result labels each edge so you can see what kind of evidence you're looking at, not just a line on a screen.
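The two-hop lookup from "How the graph powers a scan" and the reading rules above, as an added example in Python (not the project's own code or query). The fan-out cap, the `regulator_warning` edge name, the rating labels and all sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Edge type -> family, as listed in the Edges section of this page.
FAMILY = {
    **dict.fromkeys(["content_hash", "build_hash", "similar_content",
                     "same_images", "favicon_hash"], "content"),
    **dict.fromkeys(["ip_address", "nameserver", "ssl_fingerprint"], "infrastructure"),
    **dict.fromkeys(["email", "registrant", "registrar", "analytics_id",
                     "adsense_id", "tracking_id"], "identity"),
    **dict.fromkeys(["phone_number", "crypto_wallet"], "financial"),
    "regulator_warning": "regulator",  # assumed edge name; the page names only the family
}

# Constructed sample edges: (domain, edge type, signal value). Not real scan data.
EDGES = [
    ("shop-a.example", "ip_address", "203.0.113.10"),
    ("shop-b.example", "ip_address", "203.0.113.10"),
    ("shop-a.example", "analytics_id", "UA-CONSTRUCTED-1"),
    ("shop-b.example", "analytics_id", "UA-CONSTRUCTED-1"),
    ("shop-a.example", "favicon_hash", "fav-constructed-01"),
    ("shop-b.example", "favicon_hash", "fav-constructed-01"),
    ("blog-c.example", "ip_address", "203.0.113.10"),
    ("shop-a.example", "nameserver", "ns1.bighost.example"),
] + [(f"tenant{i}.example", "nameserver", "ns1.bighost.example") for i in range(20)]

def neighbours(seed, edges, max_fanout=10):
    """Domain -> signal -> domain traversal; returns {neighbour: set of edge types}."""
    by_signal = defaultdict(set)
    for domain, etype, value in edges:
        by_signal[(etype, value)].add(domain)
    shared = defaultdict(set)
    for (etype, value), domains in by_signal.items():
        # Bound the neighbourhood: skip signals attached to too many domains (assumed cap).
        if seed in domains and len(domains) <= max_fanout:
            for other in domains - {seed}:
                shared[other].add(etype)
    return dict(shared)

def rate(edge_types):
    """Apply the page's reading rules to the stack of signals two domains share."""
    families = {FAMILY[t] for t in edge_types}
    if "regulator" in families:
        return "direct"
    if {"identity", "content"} <= families:
        return "strong"
    if families == {"infrastructure"}:
        return "weak"
    return "unrated"  # a combination the page gives no rule for
```

With the sample data, the shared nameserver is skipped because 21 domains use it, so only the two domains sharing the IP appear as neighbours, and only the one that also shares an analytics ID and favicon hash rates as strong.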
Related
- See the graph in action on any scan result page under the Network tab
- Read about the trust score we attach to each domain node
- Submit a community report. Confirmed reports become first-class nodes too