A guide for non-technical readers on why the domain registrar, hosting provider, and infrastructure choices behind a website can tell you as much about an organization’s intentions as the content on the site itself.
Why This Page Exists
When you visit a website, you see content — text, images, logos. What you don’t see is the infrastructure underneath: who registered the domain, who hosts the server, what services sit between the visitor and the content, and what privacy or transparency choices were made along the way. These choices are not accidental. They are made by real people with real budgets and real reasons. The higher the effort to obscure, the more likely there is a reason worth investigating.
This does not mean that every privacy choice indicates wrongdoing. Journalists, activists, domestic violence survivors, and dissidents all have legitimate reasons to register domains anonymously. But when a network of entities connected by shared investors, shared officers, and shared financial flows ALSO shares infrastructure patterns — the same registrar, the same hosting platform, the same nameserver configuration — those patterns become investigative signals. They can indicate shared IT management, shared ownership, or a deliberate architectural choice to maintain a consistent level of opacity across otherwise “separate” organizations.
This page explains the categories of domain infrastructure, what each one reveals and conceals, and documents the specific domain patterns observed across the entities investigated on this site.
The Basics: How a Website Gets From Someone’s Computer to Yours
Before diving into the categories, here is how a website works at its simplest:
1. Domain Name: The address you type (e.g., “formation.bio” or “openresearchlab.org”). Someone has to register this with a registrar — a company authorized by ICANN (the Internet Corporation for Assigned Names and Numbers) to sell domain names.
2. WHOIS Record: When a domain is registered, the registrar creates a public record with the registrant’s name, address, email, and phone number. This record is called a WHOIS record. Since GDPR (2018), many registrars automatically redact personal details from public WHOIS queries — but the registrar still holds the unredacted data internally and must respond to court orders.
3. Nameservers / DNS: These are the road signs that tell your browser which server to connect to when you type the domain name. Nameservers can be operated by the registrar, by a third-party service like Cloudflare or AWS, or by the website owner themselves.
4. Hosting / Server: The actual computer that stores the website’s files and sends them to your browser. This can be a shared hosting account ($10/month), a dedicated server ($100+/month), or a cloud platform like Amazon Web Services (AWS), Google Cloud, or Microsoft Azure.
5. Content Delivery Network (CDN): An optional layer that caches copies of the website on servers around the world so it loads faster. CDNs like Cloudflare also hide the origin server’s IP address from public view, adding a layer of opacity.
Each of these layers can be configured for maximum transparency or maximum opacity. The choices made at each layer are the signals.
Domain Infrastructure Categories
Category 1: Standard Commercial Registrars
What they are: The most common way to register a domain. Companies like GoDaddy, Namecheap, Google Domains (now Squarespace Domains), and Porkbun sell domain names for $10–$20/year.
What they reveal: The registrant’s name, address, email, and phone number are recorded (though GDPR may redact public display). The registrar will respond to legal subpoenas. Domain registration and expiration dates are public. The registrar name itself is public.
What they conceal: Many registrars offer “WHOIS Privacy” as a free or cheap add-on that replaces the registrant’s personal information with the registrar’s contact proxy. This stops casual lookup but does not stop a court order — the registrar holds the real data and must produce it if legally compelled.
Legitimate uses: Standard for any business, organization, or individual who wants a web presence. No inherent suspicion.
Investigative signal: When multiple entities in a network use the SAME registrar, especially a less common one, that can indicate shared IT management. When domains are registered on dates that align with corporate events (rebrands, filings, announcements), the timing becomes a signal.
Cost: $10–$20/year.
Seen in this investigation:
| Domain | Registrar | Registered | Notable |
|---|---|---|---|
| formation.bio | GoDaddy | Apr 28, 2022 | 20 months before rebrand |
| openresearchlab.org | Squarespace Domains | Feb 6, 2020 | Altman nonprofit |
| hardcoretech.net | Squarespace Domains | Sep 14, 2023 | 82 days before Formation Bio rebrand |
| projectcovalence.com | Namecheap (registrar), Squarespace (DNS) | May 14, 2020 | COVID serology project |
Category 2: Platform-Hosted Domains (Website Builders)
What they are: Services like Squarespace, Wix, WordPress.com, and Weebly that combine domain registration, hosting, and website building in one package. When Squarespace acquired Google Domains in 2023, it became one of the largest registrars in the world.
What they reveal: The platform name is visible in the WHOIS record and often in the DNS records. The platform hosts the website, so the hosting provider is the platform itself.
What they conceal: The actual person or organization behind the website is hidden behind the platform’s WHOIS proxy. You see “Squarespace Domains LLC” as the registrar, not the person who paid for it. The platform handles all infrastructure, so there’s no independent server to trace.
Legitimate uses: Extremely common for small businesses, nonprofits, personal sites, and organizations that don’t have dedicated IT staff. Squarespace and Wix are designed for non-technical users. The vast majority of Squarespace sites have nothing to hide.
Investigative signal: When multiple entities in a network all use the same platform — especially when those entities are ostensibly independent of each other — the shared platform suggests shared IT decisions. Someone chose Squarespace for these sites, and if the same someone chose it for all of them, that implies coordination.
Cost: $16–$46/month (includes hosting, domain, and website builder).
Pattern observed in this investigation:
- openresearchlab.org — Squarespace registrar
- projectcovalence.com — Namecheap registrar but Squarespace DNS hosting
- hardcoretech.net — Squarespace registrar
Three entities in the investigation network use Squarespace infrastructure. OpenResearch is Altman’s nonprofit. Project Covalence was its COVID-era serology project. Hardcore Technology is the unregistered NJ-based SEO company at the center of a documented daisy chain leading to Formation Bio’s physical address. The shared platform does not prove shared ownership. It does suggest shared IT decision-making.
Category 3: CDN / Proxy Layers (Cloudflare, AWS CloudFront)
What they are: Content Delivery Networks that sit between the visitor and the actual web server. When you visit a Cloudflare-protected site, your browser connects to Cloudflare’s network, which then retrieves the content from the real server and passes it to you. The real server’s IP address is hidden behind Cloudflare’s infrastructure.
What they reveal: That the site uses Cloudflare (or another CDN) — this is visible in the DNS records and sometimes in HTTP headers. The CDN provider can see all traffic.
What they conceal: The origin server’s real IP address and physical location. Without the origin IP, you cannot determine where the actual website is hosted, what other sites share the same server, or who operates the server. Cloudflare also offers a “universal SSL” certificate that gives the site HTTPS encryption without the site owner needing to configure their own certificate.
Legitimate uses: Performance (faster loading), security (DDoS protection), and cost savings. Cloudflare’s free tier is used by millions of legitimate websites. Many enterprise companies require CDN protection.
Investigative signal: Cloudflare use alone is not suspicious — it’s extremely common. But when combined with other opacity layers (WHOIS privacy + Cloudflare + shared hosting), it creates a layered concealment structure where no single lookup reveals the person or organization behind the site. Each layer must be independently penetrated, and each requires a different legal process.
Cost: Free tier available. Pro tier $20/month. Enterprise pricing varies.
Seen in this investigation:
| Domain | CDN | Nameservers |
|---|---|---|
| hardcoretech.net | Cloudflare | grannbo.ns.cloudflare.com, jerome.ns.cloudflare.com |
| trialspark.com | Cloudflare (historical) | Appeared on 2013-2015 Cloudflare SSL list during domain parking era |
Category 4: Privacy-First / Anonymous Registrars
What they are: Specialized services designed to register domains with maximum anonymity. The most prominent are Njalla (Sweden/Nevis, founded by Pirate Bay co-founder Peter Sunde), OrangeWebsite (Iceland), and PRQ (Sweden). These services go beyond standard WHOIS privacy — they actually register the domain IN THEIR OWN NAME, acting as a legal shield between the registrant and the public record.
What they reveal: Almost nothing. The WHOIS record shows the privacy registrar’s information (Njalla’s address in Nevis, OrangeWebsite’s address in Iceland), not the actual registrant’s. Some accept cryptocurrency payments, eliminating the financial trail entirely.
What they conceal: Everything. The registrant’s identity, location, payment method, and reason for registration. Legal discovery requires a court order in the registrar’s jurisdiction (Sweden, Iceland, Nevis), which is deliberately chosen because these jurisdictions have strong privacy laws and are expensive to litigate in from the United States.
Legitimate uses: Journalists protecting sources. Whistleblowers exposing corruption. Activists in authoritarian countries. Domestic violence survivors hiding from abusers. Dissidents avoiding state surveillance. These are important and legitimate use cases.
Investigative signal: When an entity that conducts public business — a company raising venture capital, a nonprofit receiving tax-deductible donations, or a healthcare organization collecting patient data — uses a privacy-first registrar, the question is why a public-facing entity needs the same anonymity tools designed for whistleblowers and dissidents. The answer may be legitimate (security best practices), or it may indicate a desire to prevent the kind of WHOIS-based investigation that this page describes.
Cost: $15–$30/year (domain only). Njalla and OrangeWebsite accept Bitcoin, Monero, and other cryptocurrencies.
Seen in this investigation: No entities in the current investigation have been documented using privacy-first registrars. This is itself a data point — the network uses standard commercial registrars and platform hosting, relying on structural complexity (multiple entities, multiple names, multiple addresses) rather than technical anonymity tools.
Category 5: Blockchain / Decentralized Domains
What they are: Domain names stored on blockchain networks (Ethereum, Polygon, Zilliqa) rather than traditional DNS servers. The three major providers are Ethereum Name Service (ENS, .eth domains), Unstoppable Domains (.crypto, .nft, .wallet), and Handshake (decentralized TLDs). These domains are purchased as NFTs and stored in the owner’s cryptocurrency wallet.
What they reveal: The blockchain address that owns the domain (a string like 0x1234…abcd). Blockchain transactions are public, so the purchase and any transfers are visible. However, the blockchain address does not identify a person unless they’ve linked it to a known identity.
What they conceal: The real-world identity behind the blockchain address. There is no registrar to subpoena. There is no central authority that can be compelled to disclose the owner’s identity. The domain cannot be seized, suspended, or taken down by any government or corporation — only the wallet holder can transfer or delete it.
Legitimate uses: Cryptocurrency payment addresses (send ETH to “yourname.eth” instead of a 42-character address). Censorship-resistant publishing. Decentralized application (dApp) identity. Political speech in authoritarian regimes.
Investigative signal: Blockchain domains are the highest-opacity option available. A public-facing entity using a blockchain domain would be making a deliberate choice to place itself beyond the reach of traditional legal discovery. If a company raising hundreds of millions in venture capital, or a nonprofit receiving tax-deductible donations, operated under a .crypto or .eth domain, that would be a significant investigative finding — it would mean the entity specifically chose to make its digital infrastructure immune to subpoena.
Cost: One-time purchase ($5–$100+ depending on name). No renewal fees for Unstoppable Domains. Annual renewal for ENS (~$5/year in ETH gas).
Seen in this investigation: No entities have been documented using blockchain domains. However, Daniel Buitrago (Speedy Sticks CEO, at the center of the daisy chain documented in this investigation) was previously CEO of Coinedge, a cryptocurrency company — placing blockchain domain technology within his documented skill set.
Category 6: Registry-Locked Domains (EPP Status Locks)
What they are: Domains with EPP (Extensible Provisioning Protocol) status codes that prevent specific actions. These are security flags set by the registrar that instruct the domain registry to reject certain requests — transfer, update, or deletion — unless the locks are explicitly removed by the domain holder. Think of them as deadbolts on a door: the door still works, but specific actions require a key that only the holder possesses.
The three main client-side locks are:
- clientTransferProhibited — prevents the domain from being transferred to a different registrar. Standard security practice, recommended for all domains.
- clientUpdateProhibited — prevents changes to the domain’s DNS settings, contact information, or nameservers without first removing the lock. An additional layer that goes beyond transfer protection.
- clientDeleteProhibited — prevents the domain from being deleted, even by the registrar, unless the lock is explicitly removed first.
Having all three simultaneously is called a “triple lock” — the maximum client-side security configuration. It is recommended for high-value domains and enterprise assets where unauthorized changes could cause significant damage.
There is also a higher tier: registry-level locks (serverTransferProhibited, serverUpdateProhibited, serverDeleteProhibited). These are set by the registry itself (not the registrar) and require manual multi-step verification — often including phone calls and identity confirmation — to remove. Registry locks cost $25–$100+/year and are typically used by Fortune 500 companies, banks, government agencies, and other entities where domain hijacking would be catastrophic.
What they reveal: EPP status codes are visible in any WHOIS lookup. You can see exactly which locks are active on any domain.
What they conceal: Nothing directly. Locks are a security mechanism, not an opacity mechanism. However, the LEVEL of locking chosen can reveal how the domain holder values the asset — and when that level is disproportionate to the apparent scale of the operation, it raises questions about why a small entity needs enterprise-grade domain security.
Legitimate uses: Every domain should have at least clientTransferProhibited enabled. Triple-locking is standard best practice for any domain the holder considers valuable. Enterprise and government domains routinely use registry-level locks.
Investigative signal: The signal is not in the locks themselves but in the mismatch between the lock level and the operation’s apparent scale. When a $10/month shared-hosting website operated by an unregistered company has the same triple-lock configuration as a Fortune 500 corporate domain, the security posture exceeds what the visible operation warrants. Either the domain is more valuable to its operator than it appears, or someone with enterprise IT knowledge configured it.
Cost: Client-side locks (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) are free at all ICANN-accredited registrars. Registry-level locks (serverTransferProhibited, etc.) cost $25–$100+/year.
Seen in this investigation:
| Domain | EPP Status | Scale Mismatch? |
|---|---|---|
| hardcoretech.net | Triple lock: clientDeleteProhibited, clientTransferProhibited, clientUpdateProhibited | YES — $10/month shared hosting, unregistered NJ company, PHP errors on the site, but enterprise-level domain security |
The hardcoretech.net triple lock is the most direct example of scale mismatch documented in this investigation. An entity operating on Squarespace hosting with exposed PHP errors and a “hardcor3” shared hosting account has the same domain lock configuration that cybersecurity guides recommend for bank websites and government portals. Someone configured this domain with deliberate care despite the apparent casualness of everything else about the operation.
Category 7: Backend Activity Behind a Static Surface
What it is: A website has two fundamental layers: the frontend (what you see in your browser — text, images, buttons, layout) and the backend (what runs on the server — databases, API calls, data processing, user tracking, transaction handling). These layers can operate independently. A website can appear completely static and unchanged to visitors while its backend processes data, communicates with external services, runs scripts, or executes transactions that are invisible from the outside.
This is not theoretical or exotic — it is how most modern websites work. When you visit a news article, the page looks the same to every visitor, but the backend is logging your IP address, browser type, location, time of visit, scroll depth, and click behavior. When you buy something online, the polished checkout page masks backend communication with payment processors, inventory systems, shipping APIs, and fraud detection services.
What can happen invisibly on the backend:
- Data collection: Tracking pixels, analytics scripts, and fingerprinting code can identify visitors and transmit that data to third-party servers without any visible indication. A website with no login form can still identify repeat visitors through browser fingerprinting.
- API communication: The website’s server can communicate with external services (databases, AI models, payment processors, government APIs, blockchain nodes) in real time. None of this communication is visible to the visitor.
- Smart contract execution: In cryptocurrency-integrated sites, a polished frontend can mask backend interactions with blockchain smart contracts. A website that looks like a simple healthcare portal could, on the backend, be processing cryptocurrency transactions, recording data on a blockchain, or interacting with decentralized finance (DeFi) protocols. The visitor sees a medical intake form; the backend records the submission on an immutable blockchain ledger.
- Token-gated access: Some websites use cryptocurrency wallet authentication to control access to hidden content or functionality. The public-facing site appears open and normal, but certain pages, data, or features are only accessible to visitors who connect a cryptocurrency wallet holding specific tokens. This creates a members-only layer that is invisible to anyone without the right wallet.
- Hidden administrative interfaces: Most websites have an administrative panel (like WordPress’s /wp-admin) that is not linked from the public site. Changes made through the admin panel — new users added, data exported, settings changed — happen invisibly to public visitors.
- Metadata and schema changes: A website’s underlying code can change (new tracking scripts added, new API connections established, new data collection enabled) without any change to the visible content. Web archives like the Wayback Machine sometimes capture these backend code changes even when the visual appearance remains identical between snapshots.
Legitimate uses: This is how all modern websites work. Backend processing is not inherently suspicious — it is the fundamental architecture of the web. E-commerce, healthcare portals, banking websites, and government services all rely on extensive backend processing behind clean user interfaces.
Investigative signal: The signal emerges when a website’s visible content does not explain its backend behavior. When a simple blog (no user accounts, no e-commerce, no login) has multiple third-party tracking scripts, API calls to unexpected services, or cryptocurrency wallet integration, the backend activity exceeds what the visible site requires. When a website’s Wayback Machine snapshots show code changes on dates that align with network events despite no visible content changes, someone was modifying the backend on a timeline that matches the broader investigation.
Seen in this investigation: The Hardcore Technology website (hardcoretech.net) has blog pages that return PHP errors exposing server paths (/home/hardcor3/public_html/), suggesting server-side code execution behind pages that present as simple blog posts. The blog content was “permanently taken down” according to the site, yet the sitemap still lists the pages and some individual URLs still partially load — suggesting the backend structure persists even when the frontend content has been removed. The site also processes a booking system (booking.php) and a mailing list subscription, both of which require backend data handling that is not visible to casual visitors.
What to Look For: Investigative Signals in Domain Infrastructure
Beyond the category of registrar, several patterns become investigative signals when observed across a network of related entities:
Signal 1: Matching Registrars Across “Independent” Entities
When entities that publicly present as independent from each other share the same registrar, the same DNS provider, or the same hosting platform, that shared infrastructure suggests shared IT decision-making. Someone selected the platform for all of them. That someone may be the same person, the same IT contractor, or the same organizational leadership making infrastructure choices across entities that are supposed to be separate.
Observed: Squarespace infrastructure across openresearchlab.org, projectcovalence.com (DNS), and hardcoretech.net.
Signal 2: Registration Timing Aligned With Corporate Events
When a domain is registered days, weeks, or months before a corporate event (rebrand, product launch, regulatory filing), the registration date tells you when the event was PLANNED, not when it was announced. A domain registered 20 months before a rebrand tells you the rebrand was in motion nearly two years before the public knew.
Observed: formation.bio registered April 28, 2022 — 20 months before the December 5, 2023 public rebrand. hardcoretech.net registered September 14, 2023 — 82 days before the Formation Bio rebrand and the same-day 23andMe blog post.
Signal 3: Dead Domains Maintained on Live Pages
When a website operated by an SEO professional contains links to dead domains (domains that resolve to nothing), and those dead links remain on the page for months or years, the maintenance is deliberate. Dead links hurt SEO rankings — an SEO professional knows this. If the links stay, they serve a purpose other than search engine optimization: navigation for people who know to follow them, breadcrumbs in a linking structure, or placeholders for future activation.
Observed: lightyearseo.com and founderdaniel.com both linked from hardcoretech.net, both dead, both maintained on a live page operated by an SEO company.
Signal 4: Domains Registered But No Business Registration
When a domain is registered and a website is actively operating in a state, but the company behind the domain has no business registration in that state, the entity is conducting business without the legal authorization required by state law. This is a compliance gap that, at minimum, exposes the operator to fines and inability to enforce contracts in state courts.
Observed: Hardcore Technology LLC is registered in New Jersey but operates with a Google Maps listing in New York, serves clients in New York, and maintains a New York phone number — without New York business registration.
Signal 5: Platform Opacity vs. Technical Opacity
The entities in this investigation do not use high-end anonymity tools (blockchain domains, Njalla, cryptocurrency payments). Instead, they achieve opacity through structural complexity: multiple entity names for one company (LabNook → TrialSpark → Formation Bio), multiple DBAs, multiple addresses, and platform hosting that bundles infrastructure behind a single provider’s proxy. This is notable because it suggests the opacity is architectural rather than technical — the entities are not hiding from the internet, they are hiding within it.
Signal 6: Security Posture Exceeding Apparent Scale
When a domain’s EPP lock configuration, hosting security, or infrastructure investment significantly exceeds what the visible operation warrants, the mismatch is a signal. A personal blog with a registry lock. A $10/month website with a triple-lock domain. An unregistered company with enterprise-grade domain security. The question is not whether locks are good (they are), but whether the operator’s evident concern for domain security is consistent with the casualness of everything else about their operation — or whether the domain is more valuable to them than the visible website suggests.
Observed: hardcoretech.net has triple EPP locks (clientDeleteProhibited + clientTransferProhibited + clientUpdateProhibited) on a Squarespace-registered, Cloudflare-proxied domain running a website with exposed PHP errors on $10/month shared hosting. The security of the domain name itself is enterprise-grade. Everything else about the operation is not.
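An added example (not the site's own tooling) of reading the fields discussed under Category 6 and Signals 1 and 6 from WHOIS text: it classifies the EPP lock tier, names the DNS operator from nameserver hostnames, and lists registrars or DNS operators shared by more than one domain. The records are constructed samples with placeholder .example domains and registrar names, and the function names are illustrative.

```python
import re
from collections import defaultdict

CLIENT_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited",
                "clientDeleteProhibited"}
SERVER_LOCKS = {"serverTransferProhibited", "serverUpdateProhibited",
                "serverDeleteProhibited"}
# Nameserver hostname patterns for two widely used DNS operators; anything
# else is reported as "other/unknown" rather than guessed.
DNS_PATTERNS = [
    (re.compile(r"\.ns\.cloudflare\.com$"), "Cloudflare"),
    (re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"), "AWS Route 53"),
]

# Constructed WHOIS-style records, not captured lookups. The .example domains,
# registrar names and nameserver labels are placeholders.
SAMPLE_WHOIS = {
    "seo-shop.example": """Registrar: Placeholder Registrar A
Creation Date: 2023-09-14T00:00:00Z
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: ALPHA.NS.CLOUDFLARE.COM
Name Server: BETA.NS.CLOUDFLARE.COM
""",
    "nonprofit.example": """Registrar: Placeholder Registrar A
Creation Date: 2020-02-06T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: ns-101.awsdns-12.com
Name Server: ns-1202.awsdns-22.org
""",
    "bank.example": """Registrar: Placeholder Registrar B
Creation Date: 2001-03-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Name Server: ns-55.awsdns-06.com
""",
}

def parse_whois(text):
    """Extract registrar, creation date, EPP statuses and nameservers."""
    rec = {"registrar": None, "created": None,
           "statuses": set(), "nameservers": set()}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue
        if key == "registrar":
            rec["registrar"] = value
        elif key == "creation date":
            rec["created"] = value[:10]            # keep the YYYY-MM-DD part
        elif key == "domain status":
            rec["statuses"].add(value.split()[0])  # drop the trailing icann.org URL
        elif key == "name server":
            rec["nameservers"].add(value.lower().rstrip("."))
    return rec

def lock_tier(statuses):
    """Map a set of EPP status codes to the lock tiers described on this page."""
    held = set(statuses)
    if held & SERVER_LOCKS:
        return "registry lock"
    if CLIENT_LOCKS <= held:
        return "triple lock"
    return "partial client lock" if held & CLIENT_LOCKS else "no locks"

def dns_operators(nameservers):
    """Name the operator behind each nameserver hostname."""
    return {next((name for pat, name in DNS_PATTERNS if pat.search(ns)),
                 "other/unknown") for ns in nameservers}

def shared_infrastructure(parsed):
    """Return registrars and DNS operators used by two or more domains."""
    groups = defaultdict(set)
    for domain, rec in parsed.items():
        if rec["registrar"]:
            groups[("registrar", rec["registrar"])].add(domain)
        for operator in dns_operators(rec["nameservers"]) - {"other/unknown"}:
            groups[("dns", operator)].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def analyse(records):
    parsed = {d: parse_whois(t) for d, t in records.items()}
    report = {d: {"registrar": r["registrar"], "created": r["created"],
                  "locks": lock_tier(r["statuses"]),
                  "dns": sorted(dns_operators(r["nameservers"]))}
              for d, r in parsed.items()}
    return report, shared_infrastructure(parsed)

if __name__ == "__main__":
    report, shared = analyse(SAMPLE_WHOIS)
    for domain, row in report.items():
        print(domain, row)
    for (kind, value), domains in shared.items():
        print("shared", kind, value, domains)
```

A shared registrar or DNS operator in the output is a prompt for further checking, not a finding on its own, since large providers serve millions of unrelated domains.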
Signal 7: Backend Changes Without Frontend Changes
When web archive snapshots show changes to a website’s underlying code (scripts, metadata, tracking, API connections) on dates that align with network events, but the visible content of the site has not changed, the backend activity is the signal. Someone modified the infrastructure behind the polished surface on a specific date for a specific reason. The Wayback Machine captures both what visitors see (HTML/CSS) and what runs invisibly in the page’s source (JavaScript, tracking pixels, and the API calls that code makes from the browser). Code that runs only on the server is not archived. Comparing these layers across snapshots can reveal activity that was never meant to be publicly noticed.
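One way to run the comparison described in Signal 7, as an added example that is not part of the original investigation: it splits each archived HTML snapshot into visible text and invisible references (scripts, iframes, 1x1 tracking pixels, form targets) and reports references that changed while the text did not. The two snapshots, the .example hosts and the timestamps are constructed; the /web/<timestamp>/ prefix stripped here is the Wayback Machine's playback URL rewriting.

```python
import re
from html.parser import HTMLParser

# Wayback playback rewrites every URL to /web/<timestamp><modifier>/<original>.
# Strip that prefix so two captures of the same resource compare equal.
WAYBACK_PREFIX = re.compile(
    r"^(?:https?://web\.archive\.org)?/web/\d{4,14}[a-z_]*/")

def original_url(url):
    return WAYBACK_PREFIX.sub("", url.strip())

class SnapshotLayers(HTMLParser):
    """Collect visible text and invisible references from one snapshot."""
    INVISIBLE = {"script", "style", "noscript", "template"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.visible, self.refs, self.hidden_depth = [], set(), 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in self.INVISIBLE:
            self.hidden_depth += 1
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.add((tag, original_url(a["src"])))
        elif tag == "img" and a.get("src"):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if tiny:  # a 0x0 or 1x1 image is the classic tracking pixel
                self.refs.add(("pixel", original_url(a["src"])))
        elif tag == "form" and a.get("action"):
            self.refs.add(("form", original_url(a["action"])))

    def handle_endtag(self, tag):
        if tag in self.INVISIBLE and self.hidden_depth:
            self.hidden_depth -= 1

    def handle_data(self, data):
        # Text inside script/style blocks is never shown to the visitor.
        if self.hidden_depth == 0 and data.strip():
            self.visible.append(" ".join(data.split()))

def layers(html):
    parser = SnapshotLayers()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.refs

def compare_snapshots(old_html, new_html):
    old_text, old_refs = layers(old_html)
    new_text, new_refs = layers(new_html)
    added, removed = sorted(new_refs - old_refs), sorted(old_refs - new_refs)
    visible_changed = old_text != new_text
    return {"visible_changed": visible_changed, "added": added,
            "removed": removed,
            "silent_change": not visible_changed and bool(added or removed)}

# Constructed snapshots of a placeholder site: same visible text, but the
# later capture loads an extra third-party script and a tracking pixel.
OLD_SNAPSHOT = """<html><head><title>Blog</title>
<script src="/web/20230101000000js_/https://blog.example/site.js"></script>
</head><body><h1>Our Services</h1><p>Book a consultation today.</p>
<form action="/web/20230101000000/https://blog.example/booking.php"></form>
</body></html>"""

NEW_SNAPSHOT = """<html><head><title>Blog</title>
<script src="/web/20231205000000js_/https://blog.example/site.js"></script>
<script src="/web/20231205000000js_/https://tracker.example/t.js"></script>
</head><body><h1>Our Services</h1><p>Book a consultation today.</p>
<form action="/web/20231205000000/https://blog.example/booking.php"></form>
<img src="/web/20231205000000im_/https://tracker.example/p.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    result = compare_snapshots(OLD_SNAPSHOT, NEW_SNAPSHOT)
    for key, value in result.items():
        print(key, value)
```

The diff covers only what the archive stored in the page source, so an unchanged result says nothing about server-side changes.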
Domain Comparison Table
The following table documents every domain investigated on this site, categorized by registrar type, hosting infrastructure, and investigative signals observed:
| Domain | Registrar | Category | DNS / CDN | Registered | EPP Locks | Key Signal |
|---|---|---|---|---|---|---|
| openresearchlab.org | Squarespace Domains | Platform | AWS DNS | Feb 6, 2020 | Unknown | Squarespace pattern; Altman nonprofit |
| projectcovalence.com | Namecheap | Standard (Squarespace DNS) | Squarespace DNS | May 14, 2020 | Unknown | Mixed registrar/DNS; still paid through 2027 |
| formation.bio | GoDaddy | Standard | AWS DNS | Apr 28, 2022 | Unknown | 20 months before public rebrand |
| hardcoretech.net | Squarespace Domains | Platform | Cloudflare | Sep 14, 2023 | Triple lock | Squarespace pattern; 82 days pre-rebrand; NJ registrant; enterprise locks on budget site |
| lightyearseo.com | Unknown | Dead | — | Unknown | — | Dead domain linked from live SEO company page |
| founderdaniel.com | Unknown | Dead | — | Unknown | — | Dead domain; LightyearSEO redirects here |
| trialspark.com | Unknown (current) | Standard | Cloudflare (historical) | Pre-2017 | Unknown | Redirects to formation.bio |
| formation.bio (site) | GoDaddy | Standard | AWS | Apr 28, 2022 | Unknown | DBA website for 3.5 years before legal name change |
What This Means for Readers
Domain infrastructure analysis is not a conspiracy theory. It is standard practice in corporate due diligence, investigative journalism, cybersecurity, and law enforcement. WHOIS records are public by design. Registrar and hosting choices are documented in DNS records that anyone can query. The tools used in this analysis — WHOIS lookups, DNS queries, and registrar searches — are free, legal, and widely used by professionals.
When a network of entities shares infrastructure patterns, those patterns don’t prove wrongdoing. They prove connection. And when the entities involved are supposed to be independent — when a nonprofit is supposed to be independent from the for-profit company it funds, when a charity is supposed to be independent from the corporation whose employees govern it, when an SEO company is supposed to be independent from the clinical trial company whose building it lists on Google Maps — shared infrastructure becomes a question worth asking.
The question is not “why do they use Squarespace?” The question is “why do three entities that are supposed to have no connection all use Squarespace, and who made that decision for all of them?”
Disclaimer
This page provides educational information about web domain infrastructure and documents patterns observed during independent investigative analysis. Domain registration choices, hosting decisions, and infrastructure configurations are not inherently evidence of wrongdoing. Many individuals and organizations use privacy-preserving tools for entirely legitimate purposes. The patterns documented here are presented as investigative observations, not as conclusions of illegal activity. Readers are encouraged to verify the domain information independently using free public tools such as WHOIS lookup services and DNS query tools.