Purpose
This audit maps the publicly indexed digital footprint of World Wildlife Fund, Inc. across IRS filings, foundation directories, federal grant databases, certificate transparency logs, the Wayback Machine, court records, environmental agencies, news media, and the entity's own web properties.
What can anyone with a search engine learn about your organization in 30 minutes?
Donor and grant transparency means your funding portfolio, tax filings, and program outcomes are publicly assembled in ways that shape how funders and the public perceive your organization. For the world's largest conservation nonprofit, the digital footprint extends far beyond what any single disclosure was intended to reveal.
Methodology
Data was collected exclusively from publicly indexed sources. No unauthorized access was performed or attempted. Sources queried include:
- Google advanced search operators (dorking) across 12 query patterns
- Wayback Machine CDX API (web.archive.org)
- Certificate Transparency logs (crt.sh)
- USASpending.gov (federal grants and contracts)
- ProPublica Nonprofit Explorer (IRS 990 filings)
- Candid / GuideStar (nonprofit profiles)
- DNS records (dig)
- HTTP security headers (curl)
- Court records (Justia, CourtListener)
- EPA, USGS, FEMA databases
- News coverage (2024-2026)
Governance & Sensitive Documents
Queries used:
"World Wildlife Fund" filetype:pdf "confidential" OR "internal" OR "not for distribution"
"World Wildlife Fund" filetype:pdf "agreement" OR "contract" OR "memorandum"
site:files.worldwildlife.org filetype:pdf "procurement" OR "policy" OR "procedures"
| # | Document | Hosted On | Risk | Notes |
|---|---|---|---|---|
| 1 | Financial Procedures Agreement -- WWF & World Bank | worldbank.org | Medium | Financial procedures agreement referencing MOU with GEF Secretariat |
| 2 | WWF-Laos Employment Contract | slideshare.net | Medium-High | Internal employment contract uploaded to SlideShare by third party |
| 3 | WWF Procurement Policy (GCF) | files.worldwildlife.org | Low | Procurement policy published for Green Climate Fund accreditation |
| 4 | WWF Procurement Policy (general) | files.worldwildlife.org | Low | Procurement thresholds, sole-source rules. Own domain, intentional |
| 5 | FY20 Corporate Partnerships Report | worldwildlife.org | Low | Corporate partnership disclosures. Intentional publication |
| 6 | FIDIC-WWF MOU Announcement | fidic.org | Low | Public MOU announcement on partner site |
Assessment: Medium
Summary: No documents marked "confidential" or "not for distribution" were found indexed. However, a WWF-Laos employment contract was uploaded to SlideShare by a third party, representing uncontrolled disclosure of internal HR documents. Procurement policies and financial agreements are substantive operational documents but appear intentionally published.
Wayback Machine Archive
Queries used:
CDX API queries against worldwildlife.org/*
Filtered for statuscode:200, mimetype:application/pdf
Grep for admin, config, backup, .env, login paths
| Metric | Value |
|---|---|
| Total unique pages archived | 40,515 |
| Total unique PDFs/documents archived | 724 |
| Earliest snapshot | 1998-12-05 |
| Most recent snapshot | 2025-08-20 |
| Hosting platform detected | ColdFusion (legacy) migrated to Ruby on Rails / custom CMS |
Notable archived paths:
| # | URL | Type | Notes |
|---|---|---|---|
| 1 | /api/verify_captcha.json?api_token=swimmingPandasInaPineTree | API endpoint | Hardcoded API token exposed in archived URL (2022, 2024) |
| 2 | /?function=call_user_func_array&vars[0]=phpinfo | Attack probe | Archived PHP injection attempt returned 200 |
| 3 | /cci/pubs/Draft_Structure_Roles_Jan06.pdf | PDF document | Draft internal structure/roles document (2006) |
| 4 | /arctic-refuge/board_resolution.pdf | PDF document | Board resolution on Arctic Refuge |
| 5 | /action/lite/action/seas.htm.bak.old | Backup file | Double-extension backup file on production server |
| 6 | /crossdomain.xml | Config | Flash cross-domain policy file |
| 7 | /about/contact?autologin=true | Auth param | Contact page with autologin parameter in email campaign links |
Assessment: Medium
Summary: A 27-year archive with 40,515 pages and 724 PDFs reveals extensive historical document exposure. The most significant finding is a hardcoded API token ("swimmingPandasInaPineTree") archived in a captcha verification endpoint as recently as September 2024. Additional findings include draft internal documents, backup files left on production, and an autologin parameter in email campaign URLs.
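The CDX triage described above can be scripted by an organization against its own domain. The following is an added example, not part of the original audit: the rule set, the example.org URLs and every row of sample data are constructed, and the rows follow the CDX API's JSON layout (header row first).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed rule set, modelled on the finding types in the table above.
SECRET_PARAM = re.compile(r"token|key|secret|passw|session|autologin", re.I)
BACKUP_SUFFIX = re.compile(r"\.(bak|old|orig|swp|sql|env)$", re.I)

# Constructed sample in the CDX API's JSON layout: header row, then captures.
SAMPLE_CDX = [
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["k1", "20220310101500", "https://example.org/api/check.json?api_token=CONSTRUCTED",
     "application/json", "200", "d1", "310"],
    ["k1", "20240901120000", "https://example.org/api/check.json?api_token=CONSTRUCTED",
     "application/json", "200", "d1", "310"],
    ["k2", "20230514083000", "https://example.org/about/contact?autologin=true",
     "text/html", "200", "d2", "9120"],
    ["k3", "20100220000000", "https://example.org/old/page.htm.bak.old",
     "text/html", "200", "d3", "4400"],
    ["k4", "20250101000000", "https://example.org/news/story?page=2",
     "text/html", "200", "d4", "7000"],
    ["k5", "20250102000000", "https://example.org/admin/login?session=CONSTRUCTED",
     "text/html", "404", "d5", "512"],
]


def triage(rows):
    """Return {path: {"reasons", "first", "last"}} for captures worth reviewing."""
    header, *captures = rows
    findings = {}
    for capture in captures:
        rec = dict(zip(header, capture))
        if rec["statuscode"] != "200":
            continue  # only content the archive actually stored
        url = urlsplit(rec["original"])
        reasons = {f"secret-like parameter: {name}"
                   for name, _ in parse_qsl(url.query, keep_blank_values=True)
                   if SECRET_PARAM.search(name)}
        if BACKUP_SUFFIX.search(url.path):
            reasons.add("backup-style file suffix")
        if not reasons:
            continue
        # Key on the path and record parameter names only, never their values,
        # so the triage report does not become a second copy of the secret.
        hit = findings.setdefault(
            url.path, {"reasons": set(), "first": rec["timestamp"], "last": rec["timestamp"]})
        hit["reasons"] |= reasons
        hit["first"] = min(hit["first"], rec["timestamp"])
        hit["last"] = max(hit["last"], rec["timestamp"])
    return findings


if __name__ == "__main__":
    for path, hit in sorted(triage(SAMPLE_CDX).items()):
        print(path, hit["first"][:8], hit["last"][:8], sorted(hit["reasons"]))
```

The first and last capture dates bound how long a value has been publicly retrievable. Because an archived copy cannot be recalled by changing the live site, a credential found this way is treated as disclosed and rotated.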
Certificate Transparency
Queries used:
crt.sh query: worldwildlife.org (JSON output)
| Property | Value |
|---|---|
| Total certificates found | 22 |
| Certificate issuer(s) | Let's Encrypt, Google Trust Services, DigiCert, Sectigo, Amazon, GeoTrust |
| Most recent certificate | 2026-04-02 |
| Wildcard certs? | Yes -- 6 wildcard certificates |
| Renewal pattern | Mixed: 90-day automated (Let's Encrypt) + annual (DigiCert/Amazon) |
Subdomains Discovered (22 unique):
| # | Subdomain | Purpose | Notes |
|---|---|---|---|
| 1 | files.worldwildlife.org | File hosting / CDN | Wildcard cert |
| 2 | gifts.worldwildlife.org | Gift catalog / symbolic adoption | Wildcard cert |
| 3 | athletics.worldwildlife.org | Athletic fundraising | |
| 4 | fundraise.worldwildlife.org | Peer-to-peer fundraising | |
| 5 | testdev.worldwildlife.org | Dev/testing environment | Wildcard -- dev infrastructure exposed |
| 6 | ogcstg.worldwildlife.org | Online Gift Center staging | Wildcard -- staging exposed |
| 7 | ogcdev.worldwildlife.org | Online Gift Center dev | SAN includes giftsdev |
| 8 | giftsdev.worldwildlife.org | Gifts dev environment | Bundled with ogcdev cert |
| 9 | talent.worldwildlife.org | HR / recruiting | |
| 10 | olm1.worldwildlife.org | Email marketing ops | Amazon-hosted |
| 11 | tsc.worldwildlife.org | Internal system | |
| 12 | protect.worldwildlife.org | Advocacy / action pages | |
| 13 | help.worldwildlife.org | Help desk / support | |
| 14 | qr.worldwildlife.org | QR code redirects | |
| 15 | execution-ci360.worldwildlife.org | SAS CI360 -- execution | Amazon-hosted |
| 16 | content-ci360.worldwildlife.org | SAS CI360 -- content | |
| 17 | delivery-ci360.worldwildlife.org | SAS CI360 -- delivery | Amazon-hosted |
| 18 | giveanhour.worldwildlife.org | Campaign microsite | |
| 19 | zstg-www-temp.worldwildlife.org | Temporary website staging | |
| 20 | beta-cms.worldwildlife.org | Beta CMS instance | CMS migration in progress |
| 21 | beta-cms2.worldwildlife.org | Second beta CMS instance | Parallel testing |
Assessment: Medium
Summary: 22 subdomains across 6 certificate authorities reveal a complex, multi-vendor infrastructure. Seven development/staging/beta subdomains are visible in public CT logs, revealing internal naming conventions and an active CMS migration. The SAS CI360 marketing stack (three subdomains) confirms enterprise-grade donor marketing operations.
Funding & Contract Records
Queries used:
site:usaspending.gov "World Wildlife Fund"
"World Wildlife Fund" 990 site:propublica.org
"World Wildlife Fund" site:candid.org OR site:guidestar.org
USASpending API: /api/v2/search/spending_by_award/
USASpending Recipient Profile: WORLD WILDLIFE FUND, INC. -- 6 name variants indexed; 85+ grants and 10 contracts
IRS 990 Profile: World Wildlife Fund Inc -- EIN 52-1693387
| Metric | FY2024 |
|---|---|
| Total Revenue | $374,807,108 |
| Government Grants | $65,524,536 (14%) |
| Remaining Award Balances | $393,605,957 |
| Net Assets | $644,408,399 |
| CEO Compensation | $1,197,097 |
Top Federal Awards:
| # | Award | Amount | Agency | Period |
|---|---|---|---|---|
| 1 | Hariyo Ban Program (Nepal) | $34,980,825 | USAID | 2011-2016 |
| 2 | Biodiversity Conservation (Vietnam) | $31,322,095 | USAID | 2020-2025 |
| 3 | Coral Triangle | $28,837,172 | USAID | 2008-2013 |
| 4 | Consumer Recycling Education | $24,619,044 | EPA | 2025-2030 |
| 5 | Hariyo Ban II (Nepal) | $17,999,999 | USAID | 2016-2021 |
| 6 | Amazon Indigenous Rights | $17,962,505 | USAID | 2019-2024 |
| 7 | Central Africa Forest | $16,655,000 | USAID | 2013-2020 |
| 8 | Anti-Poaching (Southern Africa) | $16,000,000 | USAID | 2017-2023 |
Agency Distribution:
| Agency | Amount |
|---|---|
| USAID | ~$310M+ |
| EPA | $25,783,836 |
| Department of State (INL) | ~$18M+ |
| Department of the Interior (USFWS) | ~$17M+ |
| USDA | $1,658,137 |
| NOAA | $426,475 |
Subsidiary Entities:
| # | Entity | Relationship | Notes |
|---|---|---|---|
| 1 | 1250 24 Street LLC | Wholly-owned subsidiary | DC LLC; HQ building operations |
| 2 | WWF Impact LLC | Wholly-owned subsidiary | Delaware LLC; conservation investment |
| 3 | World Wildlife Fund International | Affiliate | Switzerland; coordinates global network |
| 4 | World Wildlife Fund Canada | Affiliate | Separate national organization |
Assessment: Medium-High
Summary: WWF is a deeply embedded federal grant recipient with $367M+ in visible USASpending awards, dominated by USAID cooperative agreements (~$310M). Two significant risk factors are active: the 2019 human rights abuse controversy that led to Interior Department funding suspensions, and the 2025 USAID freeze that threatens the single largest government funding source.
Legal & Regulatory Records
Queries used:
"World Wildlife Fund" site:law.justia.com
"World Wildlife Fund" site:courtlistener.com
"World Wildlife Fund" lawsuit OR litigation
"World Wildlife Fund" abuse OR allegations OR investigation
"World Wildlife Fund" "human rights" OR "indigenous" OR "rangers"
Litigation / Court Records:
| # | Case | Source | Type | Notes |
|---|---|---|---|---|
| 1 | Holmes v. World Wildlife Fund (1995) | law.justia.com | Employment | Race discrimination under Title VII |
| 2 | WWF v. World Wrestling Federation (2001-2002) | casemine.com | Trademark | Landmark dispute; WWE rebranded 2002 |
| 3 | Belov v. World Wildlife Fund (2021) | law.justia.com | Employment | Pregnancy bias lawsuit |
| 4 | Valenzuela v. World Wildlife Fund (2023) | CourtListener | Intentional Torts | Filed in LA County Superior Court |
Human Rights Abuse Investigation (Major Finding):
| Year | Event | Source |
|---|---|---|
| 2019 | BuzzFeed News publishes investigation: WWF-funded rangers accused of beating, torturing, sexually assaulting, and murdering indigenous peoples | BuzzFeed News |
| 2019 | US Fish & Wildlife Service opens investigation into whether US government funds underwrote human rights violations | Animals 24-7 |
| 2020 | Independent panel (Judge Navi Pillay) finds WWF knew about abuses, failed to investigate or remedy | Panel Report (PDF) |
| 2021 | Congressional hearing: bipartisan condemnation; WWF accused of "deceit, cover-ups, dishonesty" | Survival International |
| 2022 | Bipartisan "Advancing Human Rights-Centered International Conservation Act" introduced | House Natural Resources |
Assessment: Medium-High
Summary: Domestic litigation is unremarkable for an organization of this size. However, the human rights abuse record is serious and well-documented: a multi-year BuzzFeed investigation, an independent review by a former UN High Commissioner, bipartisan Congressional condemnation, and a Department of Interior funding freeze collectively establish that WWF knew rangers it funded committed violence against Indigenous communities and failed to prevent or remedy the abuses.
Infrastructure & Technical Surface
Queries used:
dig +short worldwildlife.org A/MX/NS/TXT
curl -sI https://worldwildlife.org (security headers)
crt.sh subdomain enumeration
| Property | Value |
|---|---|
| Hosting platform | Cloudflare Enterprise (CDN/WAF/Bot Management) |
| Domain type | .org |
| Email provider | Microsoft 365 (Exchange Online) |
| CDN/Proxy | Cloudflare (full proxy, Bot Management active) |
| IPv6 | Enabled (dual-stack) |
| Subdomains discovered | 22 |
| Security headers | Comprehensive (COEP, COOP, CORP, Permissions-Policy, X-Frame-Options, X-Content-Type-Options) |
DNS Configuration:
| Record | Value | Significance |
|---|---|---|
| A | 104.18.3.107, 104.18.2.107 | Cloudflare anycast IPs |
| MX | worldwildlife-org.mail.protection.outlook.com | Microsoft 365 |
| NS | chip.ns.cloudflare.com, raina.ns.cloudflare.com | Cloudflare DNS |
| TXT (SPF) | v=spf1 include:spf.protection.outlook.com include:_spf.e-activist.com -all | Strict SPF with hard-fail; Engaging Networks integration |
Assessment: Low
Summary: Enterprise-grade infrastructure: Cloudflare Enterprise for CDN/WAF, Microsoft 365 for email, SAS CI360 for marketing automation, DigiCert enterprise certificates. Security posture is strong with comprehensive headers, bot management, and strict SPF. Primary risk surface is 7 exposed non-production subdomains visible in CT logs.
Disaster & Environmental
Queries used:
"World Wildlife Fund" site:epa.gov
"World Wildlife Fund" "environmental assessment" OR "environmental impact"
"World Wildlife Fund" site:usgs.gov
"World Wildlife Fund" EPA enforcement action violation
| # | Record | Source | Notes |
|---|---|---|---|
| 1 | EPA Recycling Education Cooperative Agreement | EPA | Consumer Recycling Education & Outreach coalition grant |
| 2 | WWF Global 200 Ecoregions dataset | USGS ScienceBase | WWF ecoregion data hosted as USGS standard reference |
| 3 | USGS Polar Bear Collar Cam | USGS | Joint field research cooperative |
| 4 | Greenwashing accusations | PEFC | Brand lending to Shell, BP, Coca-Cola, Cargill, HSBC, Monsanto |
Assessment: Low
Summary: No EPA enforcement actions or environmental violations. WWF's environmental footprint is that of a respected research partner -- its ecoregion datasets are USGS standard references. Environmental risk centers on reputational concerns: greenwashing accusations for corporate partnerships with major polluters.
Media & Public Narrative
Queries used:
"World Wildlife Fund" news 2025 2026
"World Wildlife Fund" CEO OR president OR "executive director"
"World Wildlife Fund" scandal OR controversy 2024 2025 2026
"World Wildlife Fund" "human rights" OR abuse OR rangers
Key Coverage:
| # | Article | Date | Publication | Key Points |
|---|---|---|---|---|
| 1 | WWF Responds to Day One Executive Actions | 2025-01 | WWF | Carter Roberts: "today's executive actions put nature at risk" |
| 2 | Conservation projects reel after US funding cuts | 2025-02 | Mongabay | USAID shutdown halts anti-poaching and wildlife crime programs |
| 3 | Chris Packham hits out at WWF on polar bear fur trade | 2025-02 | The Canary | Guardian investigation: WWF lobbied against CITES protections |
| 4 | WWF leader promises change from fortress conservation | 2025-07 | Resilience.org | DG Schuijt announces pivot; grievance mechanisms, Indigenous board member |
| 5 | COP30: WWF demands trillion-dollar climate finance | 2025-11 | EnviroNews | $1T/year minimum for Africa climate finance |
Leadership:
| # | Name | Role | Source |
|---|---|---|---|
| 1 | Carter Roberts | President & CEO, WWF-US (since 2005) | WWF |
| 2 | Dr. Kirsten Schuijt | Director General, WWF International (since 2022) | Benzinga |
| 3 | Ginette Hemley | SVP Wildlife Conservation, WWF-US | Mongabay |
| 4 | Amanda Paulson | Board Co-Chair, WWF-US | WWF |
| 5 | Neeraj Mistry | Board Co-Chair, WWF-US | CPHIA |
Assessment: Medium-High
Summary: The dominant narrative is institutional reform under sustained external pressure. The human rights abuse scandal (2019-present), polar bear lobbying controversy (2025), and USAID funding freeze create a multi-front reputational challenge. DG Schuijt has acknowledged failures and announced reforms, but the gap between public brand and documented practices remains the central tension.
Risk Summary
Risk Scorecard
| Category | Assessment |
|---|---|
| Governance & Documents | Medium |
| Wayback Archive | Medium |
| Certificate Transparency | Medium |
| Funding & Contracts | Medium-High |
| Legal & Regulatory | Medium-High |
| Infrastructure | Low |
| Disaster & Environmental | Low |
| Media & Narrative | Medium-High |
World Wildlife Fund, Inc. has one of the most documented digital footprints of any nonprofit organization. With $374M in annual revenue, $367M+ in indexed federal awards, 40,515 archived web pages, 22 subdomains, and a 27-year web archive, its public exposure is comprehensive. The organization's most significant vulnerabilities are not technical (infrastructure is enterprise-grade) but institutional: the human rights abuse crisis, concentrated USAID funding exposure, and active reputational management challenges.
Recommendations
Immediate Actions
- Rotate the exposed API token ("swimmingPandasInaPineTree") found in the archived captcha endpoint. Verify whether this token is still in production use.
- Request removal of the WWF-Laos employment contract from SlideShare -- this is an uncontrolled disclosure of internal HR documents.
- Audit non-production subdomains visible in CT logs (testdev, ogcstg, ogcdev, giftsdev, beta-cms, beta-cms2, zstg-www-temp) -- ensure these are access-restricted.
- Migrate legacy asset server (assets.worldwildlife.org) from HTTP to HTTPS.
- Review archived backup file (/action/lite/action/seas.htm.bak.old) to ensure no sensitive data was exposed.
Ongoing Monitoring
- Monitor Certificate Transparency logs for new subdomain certificates.
- Track USASpending for new award activity as USAID funding status evolves.
- Monitor ProPublica Nonprofit Explorer for updated 990 filings.
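One way to implement the Certificate Transparency monitoring item above is to diff the names in crt.sh JSON output against the organization's own asset inventory. This is an added example, not part of the original audit: the example.org names, the inventory set and the non-production markers are constructed assumptions, and only the crt.sh fields `name_value` and `not_before` are relied on.

```python
import json

# Assumed naming hints for non-production hosts; substring matching is a heuristic.
NONPROD_MARKERS = ("dev", "stg", "staging", "test", "beta", "temp")

# Constructed crt.sh-style JSON; name_value holds newline-separated SAN entries.
SAMPLE_CRTSH = json.dumps([
    {"not_before": "2026-01-10T00:00:00", "name_value": "*.example.org\nexample.org"},
    {"not_before": "2025-11-02T00:00:00",
     "name_value": "shopdev.example.org\ngiftsdev.example.org"},
    {"not_before": "2025-06-01T00:00:00", "name_value": "www.example.org"},
    {"not_before": "2026-03-15T00:00:00",
     "name_value": "beta-cms.example.org\nBETA-CMS.EXAMPLE.ORG"},
    {"not_before": "2026-02-01T00:00:00",
     "name_value": "cdn.example.org\nassets.partner.example.net"},
])

# Constructed inventory: hostnames the organization already tracks.
KNOWN_INVENTORY = {"example.org", "www.example.org", "shopdev.example.org"}


def review_ct(raw_json, apex, inventory):
    """Summarise CT-visible names under `apex` against a known inventory."""
    first_seen, wildcards = {}, set()
    for entry in json.loads(raw_json):
        for name in entry["name_value"].splitlines():
            name = name.strip().lower().rstrip(".")
            if name != apex and not name.endswith("." + apex):
                continue  # SAN belongs to another zone on a shared certificate
            if name.startswith("*."):
                wildcards.add(name)  # wildcards hide the hosts they cover
                continue
            earliest = first_seen.get(name)
            if earliest is None or entry["not_before"] < earliest:
                first_seen[name] = entry["not_before"]
    # Names that have a certificate but no inventory record need an owner.
    new = sorted(n for n in first_seen if n not in inventory)
    # Match markers against the labels left of the apex only.
    nonprod = sorted(n for n in first_seen
                     if any(m in n[: -len(apex)] for m in NONPROD_MARKERS))
    return {"new": new, "nonprod": nonprod,
            "wildcards": sorted(wildcards), "first_seen": first_seen}


if __name__ == "__main__":
    report = review_ct(SAMPLE_CRTSH, "example.org", KNOWN_INVENTORY)
    print("not in inventory:", report["new"])
    print("non-production naming:", report["nonprod"])
    print("wildcards:", report["wildcards"])
```

Run on a schedule, the `new` list is the alerting signal and the `nonprod` list is the worklist for confirming access restrictions on development and staging hosts.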
Strategic Considerations
- The human rights abuse record has created a permanent searchable footprint that will surface in due diligence for any prospective partner, funder, or regulator.
- The concentration of federal funding in USAID (~$310M of $367M) creates significant single-source dependency risk.
- The CMS migration (indicated by beta-cms subdomains) represents both a modernization opportunity and a transitional risk window.
What This Means
Donor and grant transparency means your funding portfolio, tax filings, and program outcomes are publicly assembled in ways that shape how funders and the public perceive your organization. For WWF, the digital footprint reveals not just financial scale ($374M revenue, $367M+ in federal awards) but institutional challenges that are now permanently indexed: human rights controversies, funding freezes, and the gap between conservation brand and field operations. Any prospective partner, regulator, or journalist can reconstruct this picture in under an hour using only a search engine and public databases.