When Ardan Michael Blum commented on my previous article asking for harder evidence on scale, takedown speed, and where registrar response is weakest, I took it seriously. Not because the argument needed defending, but because he was right. The core case was persuasive. The numbers would make it harder to ignore.
So here they are.
The most striking data point in recent DNS abuse research is not how many fake domains exist. It is how long they stay up.
According to the DNS Research Federation, which has been tracking the impact of ICANN’s 2024 amendments to the Registrar Accreditation Agreement, only 13% of abusive domains were mitigated within 24 hours as of September 2024. By early 2025, that number had risen to 20%. That improvement sounds meaningful until you consider what it actually means: eight out of ten malicious domains are still active beyond the first day, the window during which most victims encounter them and most damage is done.
For a young person in Uttar Pradesh or Bihar, clicking a link shared in a WhatsApp group promising a government scheme registration, that 24-hour window is the entire story. By the time a domain gets flagged, reviewed, and taken down, the data has already moved.
The second piece of data that matters is where abusive domains are being registered. A Forescout analysis of 11,894 domains observed in malware communication between December 2024 and June 2025 found that the top 10 registrars accounted for 54% of all malicious domains. The top 100 accounted for over 90%.
This is not a long-tail problem. DNS abuse is concentrated. A relatively small number of registrars are hosting the overwhelming majority of malicious infrastructure, which means targeted enforcement and stronger registrar accountability policies would have a disproportionate impact. The technical capacity to act exists. What has been missing is the regulatory pressure to use it consistently.
ICANN’s 2024 amendments to the Registrar Accreditation Agreement were a step in the right direction, creating explicit mitigation obligations for registrars and registries. The launch of Domain Metrica in February 2025, a platform that tracks abuse concentrations across registries and registrars, gives the community better visibility than it has ever had. These are real improvements. The 20% 24-hour mitigation rate tells you how far there is still to go.
Global DNS abuse statistics do not capture the specific vulnerability of India’s context. Two things make the situation here structurally worse than the numbers alone suggest.
The first is scale. India has over 900 million internet users, a significant proportion of whom are first-generation users with limited experience evaluating domain names. The job-seeking population alone, young people between 18 and 25 navigating a digital-first job market, numbers in the hundreds of millions. That is an enormous pool of potential victims who have no framework for identifying a typosquatted domain.
The second is the DPI overlap. India’s Digital Public Infrastructure has moved essential government services online at speed. Every scheme with a digital registration portal is a high-value impersonation target. Fake Ayushman Bharat portals, fake government job notification sites, fake Aadhaar update pages. These are not random targets. They are chosen specifically because the people searching for them are desperate, moving fast, and trusting that a government service would not deceive them.
The combination of a large vulnerable population and a high-value DPI target surface is what makes India’s DNS abuse problem different in kind, not just degree, from what the global statistics describe.
Ardan asked where registrar or registry response is weakest. The honest answer is: everywhere that concentrated enforcement pressure does not exist. The 20% 24-hour mitigation rate is a global average. For less prominent ccTLDs, for registrars operating in lower regulatory environments, for domains targeting populations that generate fewer formal abuse reports because the victims do not know how to file one, the number is almost certainly worse.
India’s CERT-In handles cybercrime reporting, but the reporting infrastructure assumes a level of digital literacy that the most vulnerable users do not have. Someone who just lost money through a fake government portal is not filing an abuse report with a domain registrar. They are trying to figure out what happened and who to call.
This is the enforcement gap that statistics cannot fully capture. The people suffering the most harm are the least represented in the data. And the registrars hosting the infrastructure that harms them face the least accountability pressure because their victims are invisible in the numbers.
The data Ardan asked for points in one direction. Better mitigation rates, stronger registrar accountability, and enforcement infrastructure that accounts for populations who cannot advocate for themselves. Not as a technical exercise. As a rights question.