Why You Should Register Domains Anonymously (Even If You're Not Doing Anything Wrong)

Threat model first, registrar second. The case for anonymous-by-default registration even when your project is mundane.

TL;DR Your real name, address, and phone number are published in WHOIS every time you register a domain—unless you opt out. Stalkers, scammers, and competitors scrape this data daily, and the cost of exposure is asymmetric: they gain everything, you lose control.

A marketing executive registers a side-project domain for a new startup idea. Two weeks later, competitors cold-call her personal cell. A journalist registers a domain for investigative reporting. Within days, the subject of her investigation has her home address. An OnlyFans creator uses her real name on a domain. Stalkers show up at her apartment.

WHOIS is a public database. Every domain registration includes registrant contact details—name, email, phone, physical address. Unless you specifically opt out, this information is searchable by anyone with an internet connection. No warrant. No justification. Just a command-line query or a web form.

The Threat Model Isn't Criminals—It's Everyone Else

Most registrars sell WHOIS privacy protection as insurance against "cybercriminals." Wrong framing. The actual threat model is broader and more mundane:

Competitive intelligence firms scrape WHOIS to map out corporate infrastructure, identify side projects, and track acquisitions before they're announced. Your stealth-mode startup stops being stealthy the moment you register a domain.

Spear-phishing operations harvest registrant emails to send targeted attacks. An email from "your registrar" about EPP code verification is more believable when the attacker knows you registered a domain last Tuesday.

Doxxers and harassment campaigns use WHOIS as step one. Gaming communities, political activists, and sex workers are disproportionately targeted. One leaked domain ties your online identity to your legal name and physical location.

Sales prospecting bots auto-generate cold outreach the second a new domain appears in WHOIS feeds. You register cool-startup.com and receive fifty emails offering logo design, SEO services, and web hosting within 24 hours.

Legal threats and DMCA trolls use WHOIS to identify targets. Even if a claim is baseless, having your real contact info published means you're the one dealing with certified letters and settlement demands.

The common thread: none of these actors need to hack anything. The data is sitting there, normalized, machine-readable, refreshed daily.

"I Have Nothing to Hide" Is the Wrong Question

Privacy isn't about hiding wrongdoing. It's about controlling information asymmetry.

When you publish your contact details, you've made a unilateral disclosure. The other party—whoever they are—learns your legal name, location, email patterns, phone number, and organizational affiliations. You learn nothing about them. They can choose when and how to contact you. You can't opt out retroactively.

Consider the stakes:

You Gain | They Gain
Nothing (data was already yours) | Full contact dossier for outreach, research, or targeting
Marginal "transparency" credibility (rarely valued) | Ability to correlate domain ownership across multiple projects
Compliance with outdated norms | Persistent identifier that survives email changes and pseudonyms

The risk is asymmetric. Exposure costs you privacy, security, and leverage. The benefit is theoretical and mostly accrues to third parties.

Even if you're running a legitimate business with a public website, there's no reason to hand spammers and stalkers a structured dataset containing your personal phone number. List a contact email on your site if you want inbound communication. Don't publish your home address in a globally replicated database.

How WHOIS Privacy Actually Works

WHOIS privacy—also called domain privacy or proxy registration—replaces your personal details with the registrar's (or a proxy service's) contact info in the public WHOIS record. The registry still has your real data for compliance purposes, but it's not broadcast to the internet.

At bunkerdomains, WHOIS privacy is free and enabled by default. No upsell. No opt-in checkbox buried in account settings. You provide an email for account recovery and EPP codes. That email does not appear in WHOIS. If someone queries your domain, they see:

Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: privacy@bunkerdomains.com
Registrant Phone: +000.0000000
Registrant Address: REDACTED FOR PRIVACY

If ICANN-mandated contact is required (rare), we handle it. You don't get doxxed because someone filed a bogus UDRP.
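
To check your own domain's record, here is an added example (not bunkerdomains' code) that parses a WHOIS response and lists the contact fields still carrying what looks like real data. The redaction markers are a heuristic assumption, and both sample records are constructed; the private one mirrors the record shown above.

```python
import re
import socket

CONTACT_PREFIXES = ("registrant ", "admin ", "tech ")
# Heuristic substrings that mark a value as proxy data (an assumption).
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "withheld")
ZERO_PHONE = re.compile(r"^\+?[0.\s-]+$")  # e.g. +000.0000000

def query_whois(domain, server, timeout=10):
    """RFC 3912 lookup: send the name plus CRLF to TCP 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        raw = b"".join(iter(lambda: s.recv(4096), b""))
    return raw.decode("utf-8", errors="replace")

def contact_fields(whois_text):
    """Collect 'Registrant/Admin/Tech X: value' lines as (field, value)."""
    pairs = []
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower().startswith(CONTACT_PREFIXES):
            pairs.append((key.strip(), value.strip()))
    return pairs

def is_redacted(value):
    """True for empty values, zeroed phone numbers, and proxy markers."""
    low = value.lower()
    return (not value or bool(ZERO_PHONE.match(value))
            or any(marker in low for marker in REDACTION_MARKERS))

def exposed_fields(whois_text):
    """Contact fields that still carry what looks like real data."""
    return [(f, v) for f, v in contact_fields(whois_text) if not is_redacted(v)]

# Constructed sample records (not real registrations).
PRIVATE = """Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: privacy@bunkerdomains.com
Registrant Phone: +000.0000000
Registrant Address: REDACTED FOR PRIVACY"""
PUBLIC = """Domain Name: example.test
Registrant Name: Jane Example
Registrant Email: jane@example.test
Registrant Phone: +1.5555550100
Registrant Street: 1 Example Way"""

if __name__ == "__main__":
    print("private:", exposed_fields(PRIVATE))
    print("public:", exposed_fields(PUBLIC))
```

For a live check, pass the output of `query_whois(your_domain, whois_server)` to `exposed_fields`; the WHOIS server hostname depends on the TLD and is left as a parameter.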

What Privacy Doesn't Protect Against

WHOIS privacy hides your details from public queries. It doesn't:

  • Stop law enforcement with a valid subpoena (registrars keep real data for compliance)
  • Prevent leaks if your registrar gets breached or sells customer lists
  • Hide the fact that a domain exists or its nameservers/IP addresses
  • Obscure information you publish elsewhere (SSL certs, DNS TXT records, website footers)

If your threat model includes state-level actors or you're violating laws in your jurisdiction, WHOIS privacy is necessary but insufficient. You also need anonymous payment (crypto), anonymous email (not Gmail), and a registrar that doesn't cooperate with extra-judicial requests.

We don't reply to DMCA notices. We don't hand over data without a court order in our jurisdiction. We don't require real names or ID verification.

Most Registrars Charge Extra—Or Leak Your Data Anyway

Big registrars treat WHOIS privacy as a profit center. They charge $10–20/year per domain for a service that costs them approximately zero to provide. Some "include" it in year one, then auto-renew at the higher rate. Others exclude it for certain TLDs (.us, .ca, .eu) where the registry prohibits proxy contact info.

More insidious: even registrars offering "free" WHOIS privacy have leaked customer data via:

  • Email forwarding services that preserve Received: headers containing your real address
  • WHOIS history databases that archive records before privacy was enabled
  • Affiliate partnerships where your registration triggers data-sharing agreements for "partner offers"
  • GDPR loopholes where "legitimate interest" is used to justify exposing contact details to trademark complainants

Every time a registrar asks for your real name, phone number, and physical address during checkout, ask: why? The registry doesn't care. ICANN's requirements are satisfied by keeping records, not publishing them. The registrar wants the data for CRM, upselling, and resale.

At bunkerdomains:

  • No real name required (alias is fine)
  • No phone verification (unless you choose SMS 2FA)
  • No physical address collection (not even for billing—crypto only)
  • No forwarding that leaks metadata
  • Free WHOIS privacy on every TLD we support

Practical Threat Scenarios

Scenario 1: Journalist registers investigation domain

A reporter working on corporate malfeasance registers mega-corp-investigation.com to organize source documents and set up a secure drop. She uses her real name at a mainstream registrar. WHOIS is public.

Within a week, the target company's law firm sends a pre-publication legal threat to her personal email, CCing her editor. The domain name itself tips them off. Her physical address—listed in WHOIS—appears in discovery requests months later when the company sues.

Fix: Register anonymously. Use a registrar that doesn't fold on first contact. Don't use a domain name that signals your investigation prematurely (or use it as a canary).

Scenario 2: Crypto founder pivots to new project

A developer exits a DeFi protocol and starts building a competitor. He registers new-protocol.io under his real name. Investors and the old team scrape WHOIS, identify him, and preemptively pitch or threaten legal action over non-competes.

The project isn't secret—it's in GitHub. But revealing ownership before a public launch hands competitors strategic intel and changes negotiation dynamics.

Fix: Anonymous registration. Use an organization name or alias. Control the timing of public disclosure.

Scenario 3: Adult content creator uses real identity

An independent adult performer registers a domain for paid content. Her real legal name and home address appear in WHOIS. A subscriber reverse-searches the domain, finds her info, and begins showing up at her home.

This is not hypothetical. It happens. WHOIS-based stalking is common in industries where performers use pseudonyms professionally but register domains under legal names because "that's what the form asked for."

Fix: Never use your legal identity for domains tied to work where you're pseudonymous. Anonymous registrar. Crypto payment. Alias everywhere.

The EPP Code Is the Only Secret That Matters

WHOIS privacy hides your contact info. But domain ownership is controlled by the EPP code (authorization code, transfer key). This is the password that lets you move a domain between registrars.

Most registrars email the EPP code to the registrant address on file. If WHOIS is public and someone socially engineers your registrar, they can request a transfer and intercept the code. Even if WHOIS is private, a registrar that requires your real email for "verification" creates a single point of compromise.

At bunkerdomains, EPP codes go to your account email. Not published. Not shared. You can regenerate codes from the dashboard. No support ticket, no ID verification, no phone call to "confirm your identity."

If you lose access to your account email and don't have 2FA recovery codes, your domain is gone. We can't help you. That's the trade-off for not collecting real identity data. Opsec is your responsibility.

When Anonymous Registration Is Required, Not Optional

You need anonymous domain registration if:

  • Your threat model includes harassment or doxxing. Activists, journalists, whistleblowers, sex workers, controversial artists, streamers who've pissed off the wrong community.
  • You're building stealth-mode infrastructure. Startups, research projects, crypto protocols, dark markets (legal jurisdictions vary—we're not your lawyer).
  • You're in a jurisdiction with unstable rule of law. Publishing your real name and address in a globally accessible database is an invitation for state or non-state actors to apply pressure.
  • You're operating in grey-market spaces. Adult content, CBD, nootropics, prediction markets, privacy tools—industries where payment processors and platforms deplatform arbitrarily.
  • You're just tired of spam. Seriously. Registering a domain shouldn't mean your phone number ends up on fifty lead-gen lists.

You don't need to justify your privacy to us. We don't ask. We don't judge. We don't reply to angry emails from people who think your domain shouldn't exist.


WHOIS databases were designed in an era when the internet was a few hundred academic institutions. Publishing contact details made sense for a small, high-trust community. That world is gone. Today, WHOIS is a doxxing tool with a standards body. The question isn't "why register anonymously"—it's "why would you ever publish your home address in a database designed for bulk scraping?" We already know the answer: because your registrar didn't offer you a choice, or charged extra, or made it complicated. Skip the bank, pay with crypto, and stop handing out your contact info to strangers.

@v0idmask

Security researcher

Spent a decade at large red team firms. Now does threat modeling for journalists, activists, anyone who actually needs it.
