KJ-01 Strong core, uneven periphery — H2 leads after ACH
High Confidence
ACH scoring favors H2 (uneven posture) over H1 (uniformly mature) and H3 (systemic gaps). Indicators of a hardened core: separate Okta tenants for corporate, Aladdin US, and Aladdin EMEA with US/EU cluster split (ev_013–ev_015); active HackerOne bug-bounty program (ev_076); DNSSEC enabled across most .com portfolio domains; all four registry locks on blackrock.com. Indicators of peripheral gaps: ishares.nl has no SPF, DMARC p=none, and no DNSSEC (ev_106, ev_120); blackrock.com itself has no CAA records (ev_116) and SPF ~all SoftFail with DMARC p=quarantine (ev_117), each a step short of the strict -all/p=reject posture seen on FutureAdvisor (ev_006) and alts-iq.com (ev_041); MDN Observatory F (5/10) on the marketing surface (ev_062). The leading interpretation is very likely; H1 is unlikely, H3 very unlikely.
KJ-02 27-32 day domain-expiry cluster: iunits.com + gachallenge.com
High Confidence
RDAP records (ev_105, ev_103) confirm iunits.com expiry 2026-07-12 and gachallenge.com expiry 2026-07-17 — a 5-day concentrated window starting 27 days after investigation. iunits.com is the oldest BlackRock-affiliated domain (registered 1999-07-12) and is the only surfaced domain in the portfolio without DNSSEC enabled. CSC auto-renewal is the standard control, but a single billing lapse, portal-credential compromise, or registrar outage would very likely result in temporary availability for hostile registration. The iUnits brand is investor-facing in the Canadian ETF context — a hostile registrant could weaponize it for phishing campaigns against Canadian retail/institutional investors. Confidence is high; the expiry dates are cryptographically attestable via RDAP and the absence of renewal would be observable.
KJ-03 ishares.nl is fully email-spoofable — sole exception in the portfolio
High Confidence
SIDN RDAP (ev_007) confirms BlackRock, Inc. as registrant and DNRAdmin@Blackrock.com as both admin and tech contact. DNS mail-auth (ev_106) shows no SPF record published, DMARC v=DMARC1; p=none; rua=mailto:dmarc_agg@vali.email (monitoring only, zero enforcement), and delegationSigned: false (no DNSSEC). By contrast, futureadvisor.net (ev_043), alts-iq.com (ev_041, ev_091), and the blackrock.com cluster (ev_117) all run p=reject or stricter. The configuration drift makes ishares.nl very likely the highest-yield brand-impersonation pivot in the BlackRock surface for adversaries targeting Dutch investors. Confidence is high — the configuration is observable from multiple DNS queries and contradicts no other evidence.
KJ-04 Aladdin client roster substantially leaked via CT logs
High Confidence
certspotter enumeration (ev_004, ev_034) returned 189 unique SANs across 100 certs, including ~28 named-client tenant subdomains under *.blackrock.com. None resolve externally (ev_056 confirms NXDOMAIN as representative), but the names alone constitute a confidential customer disclosure. The baml.login.blackrock.com EV cert (ev_089) — issued by DigiCert EV RSA CA G2, distinct from the standard portfolio CA — likely reflects a BAML/Bank of America Merrill Lynch SSO partnership. The exposure does not enable direct compromise of Aladdin, but very likely enables targeted spear-phishing pretexts (e.g., pretending to be BlackRock support contacting an Aladdin admin at a named client). Confidence is high; the CT log evidence is cryptographic and unambiguous.
KJ-05 Internal supply-chain inventory enumerable via CT — reachability not testable
Moderate Confidence
Certificate Transparency surfaces two Harbor container-registry clusters (EWD and HAL, with admin and preprod variants), JFrog Artifactory, an active SVN server, Azure DMZ wildcards (*.extdns.azblkdmz.blackrock.com), FIT zones (BLZ, TSZ), and internal codenames (torpedo). All return NXDOMAIN externally (ev_016, ev_017, ev_020, ev_044, ev_052). The names alone very likely facilitate targeted attacks once an adversary obtains an initial foothold (VPN credential, employee endpoint), but the passive Corvus methodology cannot test whether VPN/IP-allowlisting controls are in place. Confidence is moderate because the surface is enumerable but the exploitability depends on unobserved controls. H1 (mature posture, intentional NXDOMAIN gating) and H2 (mature core) are both consistent with this evidence; H3 (systemic gaps) is inconsistent absent independent reachability data.
KJ-06 Single registrar credential gates the entire domain portfolio
Moderate Confidence
RDAP across the portfolio (ev_005, ev_006, ev_037, ev_082, ev_090, ev_096, ev_097, ev_102, ev_103, ev_104, ev_105, ev_107) consistently lists DNRAdmin@Blackrock.com as the admin/tech contact and CSC Corporate Domains (IANA 299) as registrar. Codex-baseline reference (ev_121) flags this as the CSC portal credential. While blackrock.com carries all four registry locks (transfer/delete/update prohibited at both client and server), an admin who has authenticated to CSC's portal can likely request locks be removed. Confidence is moderate — the credential's existence is confirmed but its specific authentication posture (MFA, IP allowlisting, hardware-key requirements) is not observable from passive recon. KAC: this judgment assumes BlackRock does not segregate portal access across multiple admins; if shared-account discipline is loose, exposure grows.
KJ-07 Broad SaaS stack — 30+ vendors anchored in DNS TXT verifications
High Confidence
DNS TXT enumeration (ev_002, ev_032, ev_060, ev_066, ev_113) of blackrock.com surfaces 44+ vendor-verification tokens across 30+ products. The dual LLM verifications (openai-domain-verification and anthropic-domain-verification-p2md8z) confirm enterprise LLM workflows on both major frontier-model vendors. Three Okta tenants (corporate, Aladdin US, Aladdin EMEA) plus two Duo SSO tenants suggest authentication-stack segmentation. The 6+ Atlassian tokens likely reflect distinct Jira/Confluence instances per business unit. Active HackerOne (ev_076) gives a structured channel for vulnerability disclosure. Each vendor is a separate supply-chain pivot; the breadth materially raises third-party risk-management overhead and the probability that any one vendor's breach has BlackRock blast radius.
KJ-08 15,910 emails on file; accept_all domain — high spear-phish surface
Moderate Confidence
Hunter (ev_022, ev_051) reports 15,910 emails on the domain with the pattern {first}.{last}@blackrock.com and accept_all=true (catch-all configured). Department-scoped queries (ev_087: 2,755 IT mailboxes; ev_098: 3,112 executive mailboxes) confirm the pattern across the org. Combined with the corporate login.blackrock.com Okta endpoint and the Aladdin SSO portals, the surface likely supports both targeted spear-phishing (using the named employees Hunter returned) and broad credential-stuffing against Okta. Confidence is moderate — Hunter's sample of 10-23 returned mailboxes is a tiny fraction of 15,910 and the broader list is not in evidence; the surfaced names are concrete spear-phish targets but the rest of the population is inferred from pattern.
KJ-09 No CAA records on blackrock.com — rogue-cert defense layer absent
Moderate Confidence
DNS CAA query for blackrock.com returned NODATA (ev_116, ev_002) — no CAA records published. The Authority SOA confirms the zone exists; the absence is a configuration gap, not a query failure. Under CA/Browser Forum baseline, any trusted CA may issue a cert without a CAA check, removing one defense-in-depth control against rogue issuance. The risk is unlikely to materialize absent a separate CA compromise, but likely warrants a fix given that all four registry locks and DNSSEC are already deployed — CAA is the smaller, easier complementary control.
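The gradations KJ-03 and KJ-09 describe (no SPF, ~all or -all; DMARC p=none, quarantine or reject; CAA present or absent; zone signed or not) as a defender's posture check. This is an added example, not part of the report or its tooling; the record sets and domain names are constructed placeholders, not live lookups.

```python
"""Defender's checklist for mail-auth / CAA posture gradations (added example).
Record sets below are constructed; 'txt' is apex TXT, 'dmarc' is TXT at _dmarc.<zone>."""
import re

SAMPLE_ZONES = {
    "strict.example": {"txt": ["v=spf1 include:_spf.mail.example -all"],
                       "dmarc": ["v=DMARC1; p=reject; rua=mailto:agg@mail.example"],
                       "caa": ['0 issue "ca.example"'], "dnssec": True},
    "softfail.example": {"txt": ["v=spf1 include:_spf.mail.example ~all"],
                         "dmarc": ["v=DMARC1; p=quarantine; rua=mailto:agg@mail.example"],
                         "caa": [], "dnssec": True},
    "open.example": {"txt": ["vendor-verification=abc123"],
                     "dmarc": ["v=DMARC1; p=none; rua=mailto:agg@mail.example"],
                     "caa": [], "dnssec": False},
}

def spf_all_qualifier(txt_records):
    """Qualifier on the SPF 'all' term ('-', '~', '?', '+'); None if no v=spf1 record."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            # RFC 7208: an unqualified term defaults to '+'; no 'all' term means neutral
            return (m.group(1) or "+") if m else "?"
    return None

def dmarc_policy(dmarc_records):
    """The p= tag of the DMARC record; None if no record or no valid p= (unenforceable)."""
    for rec in dmarc_records:
        if rec.lower().startswith("v=dmarc1"):
            m = re.search(r"(?:^|;)\s*p\s*=\s*(none|quarantine|reject)\b", rec, re.I)
            return m.group(1).lower() if m else None
    return None

def grade(zone):
    """Return (level, findings): level is 'spoofable', 'partial' or 'strict'."""
    spf, pol, findings = spf_all_qualifier(zone["txt"]), dmarc_policy(zone["dmarc"]), []
    if spf is None:
        findings.append("no SPF record published")
    elif spf != "-":
        findings.append(f"SPF '{spf}all': failing senders are not hard-failed")
    if pol is None:
        findings.append("no enforceable DMARC record")
    elif pol != "reject":
        findings.append(f"DMARC p={pol}: no rejection of failing mail")
    if not zone["caa"]:
        findings.append("no CAA records: any trusted CA may issue for this name")
    if not zone["dnssec"]:
        findings.append("zone unsigned: no DNSSEC")
    level = ("spoofable" if spf is None or pol in (None, "none")
             else "strict" if spf == "-" and pol == "reject" else "partial")
    return level, findings
```

`grade` reports only the mail-spoofing level; the CAA and DNSSEC gaps ride along in the findings list so a reviewer sees the complementary controls in the same pass.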
KJ-10 Analyst-knowledge fields carry an Aug 2025 cutoff
Moderate Confidence
The leadership section (ent_151–ent_160), the 2024 acquisition narratives (ent_162, ent_163, ent_164, ent_210), and several technology entities (Aladdin profile, iShares profile) draw on analyst training knowledge with a stated cutoff of August 2025 (ev_024, ev_064, ev_067–ev_075, ev_077). These claims are likely still accurate at the investigation date (2026-06-15) — public-company executive rosters and announced M&A close dates are stable on this timeframe — but they are not cryptographically attestable from the passive evidence base. Premortem: if Salim Ramji (ent_160) departed BlackRock in 2024, the recon entity is stale-but-not-wrong; if any of the 2024-announced deals failed to close, the narrative would need correction. KAC tagged this as MOD-sensitivity + MOD-confidence; the dependent judgments (kj_004's BAML cert framing, anything personnel-dependent) carry the calibration.
KJ-11 Press/breach-corpus dimension under-collected (Brave quota hit)
Moderate Confidence
Evidence ev_110 records that all 10 brave_web_search calls returned HTTP 402 USAGE_LIMIT_EXCEEDED. The Codex-baseline pivot ev_121 explicitly queues a check on DNRAdmin@Blackrock.com against HaveIBeenPwned / DarkNet dumps that did not execute this wave. There is a roughly even chance that the collection gap is material — leak-corpus exposure of DNRAdmin would materially change kj_006's confidence. Premortem-relevant: a future recon pass with the breach dimension funded should re-test the kj_006 surface.