Home / Blogs

What the i2Coalition Article Misses About DNS Abuse

This post was co-authored by Greg Aaron, Partner of Interisle Consulting Group.

We were pleased to read Christian Dawson’s recent article about our report, Malicious Registrations in the Domain Name Market. Mr. Dawson is Executive Director of the i2Coalition, a trade association representing companies in the domain name and Internet infrastructure industries. We welcome substantive engagement with our research, as we believe discussion is useful and productive. There are several points in the article we agree on, a common ground that is helpful and constructive. But it also mischaracterizes aspects of our research. It also frames the DNS abuse problem in ways that reinforce the status quo and minimize the scale of the problem and the harm it inflicts on individuals, businesses, and society.

Our recent research found that 10% of all gTLD domains registered in 2025 had already been identified as malicious by well-known security feeds and blocklists. Based on ongoing listings and associated domains, we projected that malicious actors likely registered 16.8 million gTLD domains last year—20% of all gTLD domains sold. These are deeply troubling numbers, pointing to an enormous amount of damage being done to the public.

Two themes run through Mr. Dawson’s article: a narrow view of what registries and registrars can reasonably address, and a limited focus on mitigation as the solution. Our findings point in a different direction. What policymakers should take away from our report is: the scale of the problem is large and real, registrars and registry operators can address the malicious activity documented in our report, and more prevention is needed.

The Data Shows What Is Actually Happening

Mr. Dawson’s article questions the use of threat intelligence feeds and blocklist data to measure abuse and suggests that those lists overstate the problem. The truth is, however, that this data is useful for the purpose, and tends to understate the problems.

Security feeds and blocklists are compiled by security professionals looking for malicious activity. They are built on a foundation of observed abuse and reliable abuse signals, not mere speculation. The lists we study are used operationally to protect billions of Internet users, and their providers are incentivized to use judicious listing criteria and minimize false-positive rates. Our paper explained the steps we took to use the data carefully, with its limitations in mind.

In short, these sources are where the world goes to find out about malicious activity. That’s why:

  • Many registrars and registry operators use blocklists and security feeds to help identify abuse and measure their performance.
  • ICANN itself distributes this data to registries and registrars to support their mitigation efforts, and to measure abuse in ICANN’s Domain Metrica system.
  • Researchers across academia, cybersecurity firms, and industry projects like PIR’s NetBeacon Institute use blocklist data as a core input.

It’s also notable that some i2 members operate and sell blocklists and security feeds of their own creation. Many other i2 members use blocklists to protect their users from abuse. They use some of the very same lists that we do and trust the data in operational practice.

Mr. Dawson’s article mischaracterizes our report as arguing that any domain appearing on a blocklist should automatically be taken down by a registry or registrar. We made no such statement, and our report does not imply it. We assume that registrars suspend domain names based on input they are comfortable acting upon. What we and others emphasize is that security feeds and blocklists are highly useful indicators of malicious activity, and they are sources that operators and defenders in the real world rely on.

More Sources Does Mean a Truer Picture

Mr. Dawson’s article argues that using more sources uncovers more domains but not a more accurate count of domains that might warrant action. To the contrary: using more good sources provides a much better picture.

The overlap between lists is relatively small, each has limited visibility (and may under-report abuse, especially in certain areas of the world), and the existence of this coverage problem has been confirmed by many studies. The scientific conclusion has been that as one examines additional, reputable lists a fuller picture emerges. The alternative is worse: relying on too few sources artificially minimizes the problems and minimizes accountability.

Similarly, his criticism of using “untagged” or “spam” inclusions on some blocklists does not reflect what types of malicious activity these domains may be used for. Security providers process enormous volumes of threat data in real time, and sometimes a domain doesn’t receive a precise threat type classification tag. Some domains are discovered in spam messages and are therefore marked as “spam” domains, but actually lead to phishing or malware sites. These entries generally don’t represent mere inconveniences like unwanted email; they usually represent substantial risk.

Malicious Domain Registrations are the Focus, and Are Actionable

Mr. Dawson concentrates on places where abuse takes place, but that registrars and registry operators can’t or shouldn’t act: on subdomains, in other parts of the Internet stack, and on compromised domains.

Our study didn’t count those things and focused instead on malicious registrations: domains apparently registered by bad actors, for the purpose of carrying out abusive activities. As is commonly acknowledged, malicious registrations can be safely suspended by a registrar or registry operator—the suspension will not harm anyone but the criminal. (A compromised domain is owned by a legitimate registrant, but a criminal has taken control of it, a situation that the hosting provider is in a better position to mitigate.)

In our report, we counted what appeared to be malicious registrations, and often excluded compromised domains, as we explained in our methodology section. Our research—and that of others—finds that domains on the lists we study mostly appear to be maliciously registered, not compromised. For example, we and other researchers (such the NetBeacon Institute and its service provider, Kor Labs) are finding that 85% to 90% of domain names listed for phishing are maliciously registered. We labeled our tables to make clear when we were counting only maliciously registered domains—places where registrars and registry operators can act.

Different Data, Same Warnings

Focusing on individual feed, classification, and measurement choices obscures a more important point: studies using different data and methods repeatedly identify the same problems.

Research by an array of cybersecurity companies, ICANN’s security research team, academics, and ourselves have consistently found that:

  • abuse is highly concentrated at certain registrars and registries,
  • bulk registration is highly exploited by cybercriminals,
  • low prices and low registration friction attract malicious demand; and
  • suspicious registration patterns stand out and are detectable.

The studies differ in their choices of data and methods, but their findings are remarkably consistent.

Mr. Dawson acknowledges that our analysis of bulk registration and other relationships between registration processes, business choices, and abuse contributes “to what the industry already knows about how malicious actors operate.” That is important common ground. It recognizes that the industry has problems that are known and understood, that the warning signs of malicious registrations are often recognizable, and that industry practices can materially affect levels of abuse.

The i2Coalition’s “Definition Question” Reveals a Real-World Reality Gap

The i2Coalition article questions our study for counting domains used in ways that may fall outside ICANN’s contractual definition of “DNS abuse.” That definition is narrow, and we understand why the domain industry wishes to focus on it. Unfortunately, that view artificially minimizes the scale of cybercriminal exploitation of the DNS and the public harm it currently enables.

ICANN’s definition is narrower than the range of domain-based criminal abuse that victims and security defenders confront every day. It is also narrower than what governments commonly recognize as cybercrime. The ICANN definition makes little sense to people outside the ICANN process.

A stark example are scam and fraud sites, which are outside of ICANN’s definition. Our report examined activity by FUNNULL, an infrastructure provider to Southeast Asia’s cybercriminal economy. FUNNULL registered perhaps a million domain names in 2025, accounting for most of the domains sold in some gTLDs. Its domains were used to support large-scale “pig butchering” scams, phishing, and other cybercrimes. FUNNULL used human trafficking and forced labor camps and inflicted hundreds of millions of dollars in financial harm on victims in the U.S. alone. FUNNULL was even sanctioned by the U.S. government over a year ago. Yet FUNNULL continues to register domain names.

Discounting that kind of activity because it falls outside ICANN’s definition of abuse woefully misses the point. Scams and fraud are illegal, cause immense public harm, and are routinely identified by the security community through threat intelligence feeds. Ignoring them ignores the scale and reality of how cybercriminals are exploiting the domain name market.

Where current policy fails to capture obvious, industrial-scale abuse, the answer is to strengthen the policy—not to dismiss the harm as out of scope. We believe our research more realistically reflects the scale of abuse, provides a sounder basis for policy discussions, and is more in touch with the public interest.

Prevention, Not Just Mitigation, Is Needed

Mr. Dawson and others focus on mitigation and prefer to measure metrics such as time to takedown. That shifts attention away from the stark reality of the situation. To be sure, mitigation will always be necessary. But mitigation is inherently reactive. It usually begins after victims have already suffered harm.

What we and others have documented is how criminals simply churn through large numbers of domains and then buy more, staying ahead of response. A system centered principally on complaints, investigation, and eventual action will always be behind, and that’s the way criminals like it. The industrial scale of the problems cannot be addressed through mitigation alone.

Worse, the current market apparently incentivizes repeat sales to bad actors, especially at certain places, as our report discusses. Registries and registrars are paid when malicious domains are registered—and they don’t have to refund to cybercriminals if the names are suspended. For some, accepting suspicious registrations makes more sense than stopping them up front.

To be clear, this does not mean that every provider ignores abusive registrations. Our findings show that some registrars and registries grew without attracting anything close to the abuse levels seen elsewhere in the market. That is precisely the point: abuse at the current scale is not inevitable. Registrars and registry operators make choices and affect the outcomes. Ways to safely perform sales and marketing programs, execute risk screening, and measures to prevent malicious bulk registrations are known, and are especially practiced by some ccTLD operators.

Prevention will not identify every malicious registration, nor will it eliminate the need for effective mitigation. But industrial-scale abuse cannot be addressed as it is currently. The aim should be fewer malicious domains sold in the first place—not simply faster cleanup after the damage is done.

What Policymakers Should Take from This

The next round of new gTLDs will bring more supply, more competitors, and greater pressure to grow, in a market where some providers already experience extraordinary levels of abuse. The patterns we documented will continue to shift costs onto victims and the broader Internet.

We are not asking ICANN or industry to be responsible for issues outside their control or remit. We have documented that domain names are resources that criminals acquire with low friction to perpetrate abuse at scale. A significant share of the gTLD market is being sold to cybercriminals, and obvious, preventable patterns of abuse persist. This raises serious questions about whether the current obligations and approaches are appropriate to the scale of the problem and the harm being caused.

We welcome continued discussion with the i2 Coalition, policymakers, the ICANN community, and other stakeholders. We have offered to brief the ICANN Board of Directors on the study’s findings and methodology and hope there will be an opportunity to do so.

Real progress will come from open conversations about the true scale of malicious registration activity and the harms it imposes on ordinary people and public trust.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By Karen Rose, Partner, Interisle Consulting Group

Filed Under

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

DNS Security

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com