Replying to Ostrich McAwesome

I thought this was done by DNS TXT record, but you're right, it accesses a file in the ".well-known" directory on a web server. That's awful!

Here's how I'd do it:

Create a wildcard DNS entry for the file server, with the server configured to accept any subdomain as valid. "*.example.com/.well-known/nostr.json" will always resolve, and the format of the subdomain will inform the server what JSON data to return (though it doesn't actually have to be valid, the point is just to leak an IP, which will happen regardless).

Then just DM people bait messages like "Hey, it's been a while" with a virgin account, and if they look at your profile, you'll have their IP.

If the subdomain string can be used to reference an npub, you'll have an IP/npub pair.

Ostrich McAwesome 1y ago

Oh good god, I just read NIP-30. I'm losing my goddamn mind.
