
Domain seizure detection and monitoring tool for cyber threat intelligence
DarkWebInformer.com · @DarkWebInformer
FBI Watchdog is a multi-layered domain monitoring tool that detects law enforcement seizures, DNS changes, HTTP fingerprint shifts, WHOIS record mutations, and IP address changes across clearnet domains and Tor onion sites. Built for threat intelligence analysts, security researchers, and anyone tracking domain infrastructure changes in real time.
When a seizure signal is detected across any monitor, the tool triggers a cross-monitor escalation audit, captures a screenshot of the seized page, and sends consolidated alerts to Discord and Telegram with full evidence.

DNS Monitoring - Tracks A, AAAA, CNAME, MX, NS, and TXT records across all monitored domains. Detects never-before-seen record combinations and flags seizure-related DNS entries (e.g., fbi.seized, seized.gov, usssdomainseizure). SOA was taken out during testing because it was loud. Add it back in the script if you need it.
HTTP Fingerprint Monitoring - Fingerprints server headers, status codes, body content hashes, redirect chains, and page size. Detects seizure keywords in page content, redirect-to-government patterns, and simultaneous server + body changes that indicate infrastructure takeover.
WHOIS Monitoring - Tracks registrar, nameservers, registrant organization, status codes (EPP), and creation/expiration dates. Detects seizure indicators in WHOIS data including law enforcement registrar changes, server prohibition flags, and known LE Cloudflare nameservers.
IP Change Monitoring - Monitors A and AAAA record IP addresses with reverse DNS lookups. Classifies changes as CDN rotation, hosting migration, provider change, or seizure signal based on rDNS matching against known law enforcement infrastructure.
Onion Site Monitoring - Connects via Tor to monitor .onion sites for seizure banners. Supports automatic Tor circuit rotation on connection failures. Detects seizure keywords from FBI, Europol, BKA, AFP, Garda, RCMP, Polisen, and other international law enforcement agencies.
Cross-Monitor Seizure Escalation - When any single monitor detects a seizure signal, an escalation engine triggers a full audit across all monitors, captures a screenshot, and sends a consolidated multi-evidence alert.
Automated Screenshot Capture - Uses headless Chromium via Playwright to capture full-page screenshots of seized domains, attached to Discord and Telegram notifications.
Discord & Telegram Alerts - Real-time notifications with rich embeds (Discord) and formatted messages (Telegram). Screenshots are attached directly to seizure alerts.
Silent Mode - First scan cycle(s) can run silent to build a baseline state without triggering notifications. Prevents alert floods on first run or after a state reset.
Event Feed - Maintains a rolling JSON event feed of all detected changes, baselines, and seizure events for external consumption or dashboard integration.
Hot Reload - Monitored sites list is re-read from disk every scan cycle. Add or remove sites without restarting the watchdog.
SOCKS5 Proxy Support - Route all clearnet HTTP/WHOIS requests through a SOCKS5 proxy. Proxy exit IP is validated against your real IP on startup. Note: screenshot capture via Playwright does not support SOCKS5 proxies with authentication and will fall back to a direct connection if proxy auth is configured. All other requests (HTTP, WHOIS, DNS, IP) work normally with authenticated proxies.
![]() |
![]() |
Real notifications captured during the LeakBase domain forum seizure by law enforcement.
A live, continuously updated feed powered by this tool is available at darkwebinformer.com/fbi-watchdog-feed. The feed displays real-time seizure detections, DNS changes, HTTP fingerprint shifts, WHOIS mutations, and IP changes as they are detected across monitored domains and onion sites.
The live feed is available exclusively to paying subscribers of Dark Web Informer.
┌───────────────────────────────────────────────────────────────────────┐
│ FBI Watchdog v3.0.0 │
├─────────────┬──────────────┬───────────────┬───────────┬──────────────┤
│ DNS Monitor │ HTTP Monitor │ WHOIS Monitor │IP Monitor │Onion Monitor │
│ (dnspython) │ (requests) │(python-whois) │(dnspython)│ (Tor SOCKS) │
├─────────────┴──────────────┴───────────────┴───────────┴──────────────┤
│ Escalation Engine │
│ (Cross-monitor audit + screenshot capture) │
├───────────────────────────────────┬───────────────────────────────────┤
│ Discord Webhooks │ Telegram Bot API │
├─────────────────────┬─────────────┴─────────────┬─────────────────────┤
│ State Files (JSON) │ Event Feed (JSON) │ Screenshots (PNG) │
└─────────────────────┴───────────────────────────┴─────────────────────┘
1. Clone the repository
git clone https://github.com/DarkWebInformer/FBIWatchdog.git
cd FBIWatchdog
2. Install Python dependencies
pip install -r requirements.txt
3. Install Playwright browsers
playwright install chromium
4. Configure environment variables
cp .env.example .env
chmod 600 .env
Edit .env and add your Discord webhook URL, Telegram credentials, or both. All notification channels are optional - the watchdog runs without any configured.
5. Add sites to monitor
python3 fbi_watchdog.py --add example.com anothersite.org somehiddenservice.onion
Or edit monitored_sites.json directly (see monitored_sites.example.json for format).
6. Run
python3 fbi_watchdog.py
| Variable | Required | Description |
|---|---|---|
WEBHOOKFBIWATCHDOG |
No | Discord webhook URL (https://discord.com/api/webhooks/...) |
TELEGRAM_BOT_TOKEN |
No | Telegram bot token for alert delivery |
TELEGRAM_CHAT_ID |
No | Telegram chat/channel ID for alerts |
CLEARNET_PROXY |
No | SOCKS5 proxy for clearnet requests (e.g., socks5h://127.0.0.1:1080). When configured, startup validation makes two requests to api.ipify.org to verify the proxy exit IP differs from your real IP. |
All notification channels are optional. Configure Discord, Telegram, both, or neither. Without any notification channels, the watchdog still runs and logs all detections to the console and event feed JSON.
Sites are stored in monitored_sites.json and can be managed via CLI flags or the interactive menu:
{
"domains": [
"example.com",
"anotherdomain.org"
],
"onion_sites": [
"exampleonion1234.onion"
]
}
Sites are validated on add and reload. Invalid entries (malformed domains, path traversal attempts) are rejected.
The sites file is hot-reloaded every scan cycle - you can edit it while the watchdog is running.
python3 fbi_watchdog.py
Launches an interactive menu where you can start monitoring, manage sites, toggle individual monitors, view state stats, reset state files, and see the CLI reference.

# Start with 1 silent baseline cycle (default)
python3 fbi_watchdog.py --no-menu --silent
# Start with notifications active from cycle 1
python3 fbi_watchdog.py --no-menu --loud
# Reset all state and start fresh
python3 fbi_watchdog.py --no-menu --reset
# Disable specific monitors
python3 fbi_watchdog.py --no-menu --silent --no-whois --no-ip
# Route clearnet requests through a proxy
python3 fbi_watchdog.py --no-menu --silent --proxy socks5h://127.0.0.1:1080
# Standard deployment
pm2 start fbi_watchdog.py --interpreter python3 -- --no-menu --silent
# Notifications hot from cycle 1
pm2 start fbi_watchdog.py --interpreter python3 -- --no-menu --loud
# Full reset and restart
pm2 start fbi_watchdog.py --interpreter python3 -- --no-menu --reset
# DNS and onion monitoring only
pm2 start fbi_watchdog.py --interpreter python3 -- --no-menu --silent --no-http --no-whois --no-ip
# Add sites
python3 fbi_watchdog.py --add newsite.cc somemarket.onion
# Remove sites
python3 fbi_watchdog.py --remove oldsite.cc
# List all monitored sites
python3 fbi_watchdog.py --list-sites
| Flag | Description |
|---|---|
--silent [N] |
Run N silent cycles before enabling notifications (default: 1) |
--loud |
Start with notifications active immediately |
--no-menu |
Skip interactive menu (for PM2/systemd/daemon usage) |
--reset |
Wipe all state files before starting (implies --silent) |
--add SITE [...] |
Add one or more sites to monitoring |
--remove SITE [...] |
Remove one or more sites from monitoring |
--list-sites |
List all monitored sites and exit |
--no-dns |
Disable DNS monitoring |
--no-http |
Disable HTTP fingerprint monitoring |
--no-whois |
Disable WHOIS monitoring |
--no-ip |
Disable IP change monitoring |
--no-onion |
Disable onion site monitoring |
--proxy URL |
SOCKS5 proxy for clearnet requests (overrides CLEARNET_PROXY env var) |
Queries A, AAAA, CNAME, MX, NS, and TXT records for each clearnet domain. Maintains a history of up to 10 unique record sets per domain/record type. Fires an alert when a never-before-seen record combination appears.
Seizure-specific DNS indicators (e.g., fbi.seized, seized.gov, europol, usssdomainseizure) trigger immediate seizure alerts with screenshot capture.
Fetches each domain over HTTPS (falling back to HTTP) and fingerprints tracked response headers (server, x-powered-by, strict-transport-security, via, x-cdn, etc.), status code, final URL after redirects, and a SHA-256 hash of the response body.
Change detection filters out noise from transient HTTP errors (502-524), Cloudflare/DDoS-Guard challenge pages, and minor body fluctuations (under 35% size change). Runs fetches in parallel (10 concurrent by default).
Seizure signals include government domain redirects, seizure keywords in page content, simultaneous server header + body changes, and status code changes to 403/451.
Queries WHOIS data for each clearnet domain and tracks registrar, nameservers, registrant organization, registrant country, EPP status codes, and key dates. Runs lookups in parallel (5 concurrent by default).
Normalizes registrar names (e.g., "Tucows Domains Inc." → "tucows"), strips ICANN EPP URL prefixes from status codes, deduplicates compound EPP tokens, and filters out privacy-service org changes to reduce false positives. Includes a state migration system that re-normalizes stored records when normalization logic changes between versions.
Seizure indicators include law enforcement keywords in WHOIS data, known LE Cloudflare nameservers paired with server prohibition flags, and registrar changes to government entities.
Resolves A and AAAA records and tracks IP address changes across scan cycles. Performs reverse DNS on new IPs and classifies changes into categories: CDN rotation (same provider, different IP pool), hosting migration (complete IP replacement), provider change (CDN swap or CDN removal), and seizure signal (rDNS matching known law enforcement infrastructure like fbi.gov, justice.gov, europol, etc.).
Connects to each .onion site via Tor SOCKS proxy, downloads page content (capped at 5MB), and scans for seizure keywords from international law enforcement agencies. Supports automatic Tor circuit rotation on connection failures or timeouts, with a single retry on a fresh circuit.
When any monitor detects a seizure signal (not just a change - a signal with seizure-specific indicators), the escalation engine triggers a full cross-monitor audit:
This ensures that a single seizure indicator triggers comprehensive evidence collection rather than a piecemeal alert.
The watchdog maintains separate state files for each monitor:
| File | Contents |
|---|---|
fbi_watchdog_results.json |
DNS record history per domain |
http_watchdog_results.json |
HTTP fingerprints per domain |
whois_watchdog_results.json |
WHOIS records and seizure indicators |
ip_watchdog_results.json |
Current A/AAAA records per domain |
$ claude mcp add FBI_Watchdog \
-- python -m otcore.mcp_server <graph>