Campaign Narrative: Ken-Cluster Multi-Identity Email and Domain Network
This report details a cluster of 30 domains, 29 email addresses, and one phone number that have been identified as connected entities in a coordinated network of suspicious digital infrastructure. The central organizing characteristic of this cluster is the consistent use of the first name "Ken" as the local-part of email addresses across a wide range of domains, including ken@iris-inspection.com, ken@kabco.net, ken@keltonconstruction.com, ken@jcmfgonline.com, and ken@inagakis.com, among others. This pattern suggests a single actor or coordinated group operating under the persona of "Ken" across dozens of distinct domain identities, potentially to create the appearance of legitimacy through varied business names and web presences.
The infrastructure connections within this cluster are significant. The domain kabco.net serves as a central hub, having been reported together with impulse.net, kaustin.com, jcmfgonline.com, and kb8s.com, as well as the phone number 970-303-2685, all at a reported-together confidence level of 0.15. Separately, the domain kandcent.comcastbiz.net — notably hosted on a Comcast Business subdomain — has been co-reported with keltonconstruction.com, jnwhitedesigns.com, kc5mm.com, and kencowles.com, as well as with phone number 970-303-2685. The repeated co-appearance of 970-303-2685 alongside two distinct domain hubs, kabco.net and kandcent.comcastbiz.net, strongly suggests this phone number is a shared contact point used to unify otherwise disparate-appearing entities. Additional linkages connect email address ken@kb8s.com to domains kaustin.com, jcmfgonline.com, kencowles.com, and email ken@kenhead4thehills.com, further reinforcing that these assets are operated in coordination.
The domains in this cluster span a broad range of apparent business identities, including construction (keltonconstruction.com, kenhead4thehills.com), design (jnwhitedesigns.com), manufacturing (jcmfgonline.com), inspection services (iris-inspection.com), and generic personal or business name domains such as kencowles.com, kenchernoff.com, kenboula.com, kenhamady.com, kenduggan.com, kencrotts.com, and kenblair.com. This diversity of business personas is a common tactic used by scam operators to evade detection and appear credible to targets in different industries or geographic regions. The use of a Comcast Business subdomain (kandcent.comcastbiz.net) alongside independently registered domains suggests an attempt to blend legitimate-appearing infrastructure with purpose-built assets.
While the phone number 970-303-2685 carries zero formal FTC complaints in the data provided, the absence of complaints does not indicate safety, as many scam contacts go unreported or are reported through channels not yet reflected in available data. The area code 970 corresponds to western Colorado, including cities such as Fort Collins, Grand Junction, and Durango. The geographic targeting pattern, if any, cannot be fully established from the data provided, but the Colorado-linked phone number combined with domain names suggesting personal identities and regional businesses may indicate localized targeting of consumers or small businesses in the western United States. The low complaint count may also reflect a relatively early-stage or low-volume campaign that has not yet generated widespread consumer reports.
Consumers who are contacted by phone number 970-303-2685 or receive email from any of the "ken@" addresses identified in this cluster should treat such contact with caution. Do not click any links contained in unsolicited emails from these addresses, and do not provide personal, financial, or business information in response to outreach. If contacted by phone, hang up and do not call back. To verify whether a business is legitimate, check state business registration databases, look up the domain's registration history using publicly available WHOIS tools, and search the business name alongside terms such as "scam" or "complaint." Report suspicious phone contacts to the FCC at fcc.gov/consumers/guides/filing-informal-complaint and report fraudulent email or phone solicitations to the FTC at reportfraud.ftc.gov. Domain safety can be assessed using tools such as Google Safe Browsing, VirusTotal, or URLVoid before visiting any linked website.
Overall, this cluster represents a moderate threat level based on its breadth of infrastructure, the consistent cross-entity persona pattern, and the co-reporting relationships linking a single phone number to multiple domain hubs. Recommended next steps include monitoring kabco.net and kandcent.comcastbiz.net for additional associated domains or email addresses, flagging 970-303-2685 for further complaint tracking, and submitting the full domain list to relevant blocklist and abuse reporting services. Consumer protection agencies and internet service providers hosting any of these domains should be notified to investigate potential terms-of-service violations.