This dramatic rise in malicious activity is being fuelled in part by a subset of lax domain registrars who effectively serve as enablers – providing criminals easy access to the domain resources needed to launch scams, malware campaigns, and botnets. In the nine months since Excedo’s 2024 exposé on “rogue” registrars, a handful of these companies have reportedly supplied threat actors with over 17,000 newly registered command-and-control (C2) domains for malware operations – despite the introduction of tighter industry rules and several headline-grabbing takedowns of criminal infrastructure. This report revisits the domain abuse landscape in 2025, exposing which registrars are still looking the other way and examining the global efforts to hold them accountable.
Rogue Registrars Fuelling Domain Abuse
Not all registrars are created equal when it comes to abuse prevention. Most registrars adhere to security best practices and cooperate with investigators, but a few “rogue” providers continue to ignore obviously malicious activity on their platforms. Recent studies confirm that cybercriminals deliberately flock to certain registrars that make bulk domain registrations cheap, fast, and anonymous. For example, an Interisle Consulting Group study identified four specific registrars where abusive domain registration activity is heavily concentrated.
These registrars offer bulk-buy packages and lax vetting, allowing attackers to acquire hundreds or thousands of domains in minutes. Criminals then rapidly cycle through these domains for spam runs, phishing pages, or as throwaway botnet controllers, confident that by the time one domain is flagged or suspended, they have many more waiting in reserve.
One egregious case is NICENIC (NiceNIC), an Asia-based registrar that has become a haven for bad actors. A 2024 phishing report revealed that a staggering 45% of NiceNIC’s ~100,000 gTLD domains under management had been reported for phishing. Academic research likewise found NameSilo and NiceNIC to be among the most abused registrars for newly registered phishing domains. Why are criminals drawn to these companies? A key factor is anonymity. Some rogue registrars accept payment via cryptocurrency and impose minimal identity checks. In the case of NiceNIC, researchers note that the ability to pay with Bitcoin provides pseudo-anonymity for registrants, making it a magnet for criminal use. Know Your Customer (KYC) processes are weak or non-existent at such registrars, enabling fraudsters to register domains under false names or shell entities with little risk of exposure.
Another tactic is the use of privacy/proxy services and GDPR-related WHOIS redaction to hide registrant details. Professional threat actors exploit the post-GDPR privacy regime to mask their identities, knowing that investigators can no longer quickly query WHOIS to link domains to the same owner. The net effect is that these rogue domain providers supply criminals with a steady pipeline of disposable websites, from which phishing sites, malware download pages, and botnet C2 servers can operate until they are detected and shut down. As one security researcher lamented, losing the ability to attribute domains to their real owners has “irreparably eliminated” the capacity to warn about new abuses by known bad actors. In other words, the opacity created by certain registrars’ policies (or lack thereof) is directly aiding cybercriminals and impeding timely takedowns.
The Impact of "Tighter Rules" in 2024-2025
Industry and regulators have not been idle in the face of rising DNS abuse. In fact, 2024 saw important new rules and enforcement efforts aimed at reining in domain abuse. However, the effectiveness of these measures is being put to the test by the rogues.
ICANN’s DNS Abuse Amendments: In April 2024, the Internet Corporation for Assigned Names and Numbers (ICANN) implemented amendments to its standard Registrar Accreditation Agreement (RAA) and registry contracts, establishing explicit obligations for registrars and registries to act promptly on actionable reports of DNS abuse. This was a major policy shift – for the first time, accredited registrars must investigate and respond to reports of malware, phishing, botnet activity, and other DNS abuse in a timely manner, rather than ignoring them.
ICANN’s Contractual Compliance department has ramped up enforcement accordingly. In the first six months of the new rules being in effect (April–October 2024), ICANN Compliance initiated 192 DNS abuse-related investigations and reported resolving 154 of them, resulting in the suspension or deletion of over 2,700 malicious domain names (including more than 350 phishing sites that were taken down). While it is too early to declare victory, these numbers indicate a significant push toward cleaning up the domain ecosystem.
ICANN has also shown a willingness to “name and shame” or even terminate repeat offenders. Notably, in August 2025, ICANN issued a public breach notice to the registrar WebNic (Web Commerce Communications Limited) after finding that the company failed to act on multiple abuse reports, particularly domains used in cryptocurrency phishing scams. According to ICANN, WebNic demonstrated a “concerning pattern” of dragging its feet – often only acting after ICANN itself became involved – and would stall complainants with repeated, irrelevant requests for “more evidence” instead of shutting down obvious abuse.
WebNic was given an ultimatum to improve or face termination of its accreditation. This case sent a clear signal that ignoring abuse can cost a registrar its license. Similarly, registry operators have come under scrutiny: Spamhaus reports that the .TOP top-level domain (frequently abused by scammers) received a formal letter from ICANN in late 2024 due to its “poor abuse handling performance”.
Major Botnet Takedowns: Meanwhile, law enforcement and industry partners have scored some wins by taking down criminal infrastructures. A headline example was the multinational operation against the Qakbot botnet in 2023, which involved seizure of malicious servers and dozens of botnet domains. The Qakbot takedown was widely publicized, and its impact was evident: the number of Qakbot-related command-and-control domains tracked in DNS blocklists plummeted by over 41% immediately thereafter. Such takedowns demonstrate the potential of coordinated action – but they also underscore the whack-a-mole challenge. When one botnet or phishing campaign is dismantled, attackers often regroup and register new domains through the same lax registrars, unless those registrars themselves are pressured to tighten up.
Are these efforts making a dent? Thus far, the data is mixed. On one hand, we see unprecedented enforcement and some reduction in specific abuse metrics following high-profile actions. On the other, overall domain abuse remains pervasive. In the October 2024 – March 2025 period alone, Spamhaus observed 2.9 million newly detected malicious domains (a slight increase over previous periods), suggesting that criminals are still finding plenty of new domain real estate for their schemes. The rogue registrars and registries have not all reformed; they continue to act as safe harbors for illicit activities, even as the net tightens around them.
Global Policies and Laws: GDPR, NIS2 and More
Tackling domain abuse requires a global approach, and several international legal frameworks now shape how registrars must operate. It is a delicate balance between privacy, security, and accountability.
- GDPR and WHOIS Privacy: The EU’s General Data Protection Regulation (GDPR) (in effect since 2018) revolutionized data privacy and had a profound effect on domain registration data. Under GDPR, registrars and registries redacted personal information in public WHOIS records to protect European users’ privacy. While this was a win for privacy, it created unintended consequences for cybersecurity.
Investigators and anti-abuse teams suddenly lost quick access to ownership details that helped connect the dots between malicious domains. A survey of 327 cybersecurity professionals (conducted by M³AAWG and APWG) found that GDPR-driven WHOIS redactions “impede investigations of cybercrime”, eliminating crucial pre-emptive interventions and allowing criminals to hide behind anonymous domain registrations. Requests for non-public WHOIS data are often denied or delayed, even for legitimate security researchers.
In short, GDPR introduced a privacy vs. security trade-off: it shielded law-abiding individuals’ data but also shielded bad actors from scrutiny. The domain community is still grappling with this challenge by exploring balanced solutions (such as accredited access for vetted investigators) to restore some visibility without violating privacy laws.
- EU NIS2 Directive (2022/2023): The European Union’s NIS2 Directive – which member states are now implementing – directly targets some of the anonymity loopholes that cybercriminals exploit. NIS2 broadens the scope of cybersecurity regulation to cover DNS service providers, TLD registries and domain registration services as “essential” or “important” entities. Crucially, Article 28 of NIS2 imposes Know Your Customer-style obligations on domain registration: registrars in the EU (or serving EU customers) must collect and maintain accurate and complete registration data and verify the identity of those registering domain names. False or bogus contact information should no longer be acceptable under this law. Furthermore, registrars and registries are obliged to give legitimate access seekers – for example, law enforcement or cybersecurity investigators – access to registration data upon a lawful, duly substantiated request, without undue delay and in any event within 72 hours. In effect, NIS2 seeks to diminish the anonymity that “rogue” registrations have enjoyed. A domain holder will need to be a real, verifiable person or organization, making it harder for criminals to simply vanish behind fake WHOIS details. This is a significant development: by enforcing KYC in domain registrations, the EU hopes to both deter abuse (fewer throwaway identities) and aid investigations (a reliable trail to the registrant). Registrars will have to adapt their processes to comply, by beefing up identity verification at purchase time and conducting periodic checks on their registrant data.
- US CLOUD Act: On the other side of the Atlantic, the United States has leveraged legal tools like the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) to facilitate cross-border cybercrime investigations. Enacted in 2018, the U.S. CLOUD Act allows federal law enforcement to compel U.S.-based technology and service providers to hand over data in their possession, custody or control regardless of where that data is stored. For domain registrars and DNS providers, this means that if they fall under U.S. jurisdiction (for instance, a company headquartered or with assets in the U.S.), they must comply with valid U.S. warrants or orders to disclose customer data – and U.S. courts can likewise order them to suspend or seize domains – even if the domains or registrants are outside the U.S.
This has enabled more agile takedowns of criminal domains and content: U.S. agencies can demand a registrar or registry to pull the plug on a malicious domain without going through protracted mutual legal assistance processes. However, the CLOUD Act also raises jurisdictional and privacy concerns internationally. Other countries worry about U.S. overreach, while companies must navigate potentially conflicting laws (for example, complying with a U.S. data request without violating GDPR in Europe). To address this, the CLOUD Act framework includes provisions for bilateral agreements and “reciprocal” data sharing arrangements between the U.S. and trusted foreign governments. For cybersecurity professionals, the CLOUD Act is a double-edged sword: it streamlines evidence gathering and domain intervention across borders, but it also forces providers to carefully manage data governance and transparency, knowing that any data under U.S. influence can be obtained by authorities under certain conditions.
- Other International Moves: Governments worldwide are waking up to the abuse of domain registration services and are proposing new laws to crack down. For example, the United Kingdom in early 2025 introduced legislation (the Crime and Policing Bill) that would empower British authorities to order domain takedowns globally for domains being used in serious crimes. If passed, this law would give UK police the unprecedented ability to compel any registry or registrar (even those outside the UK) to suspend or delete a domain name involved in, say, fraud, malware, or terrorism content – essentially asserting jurisdiction over domains that impact UK victims.
This aggressive approach underscores the frustration of law enforcement agencies with the slower pace of voluntary action and international cooperation; it also foreshadows potential conflicts if other nations assert similar extraterritorial powers. On a multilateral level, frameworks like the Budapest Convention on Cybercrime and initiatives through Europol/Interpol continue to facilitate cross-border collaboration on domain abuse cases, but these operate through consensus and information sharing rather than binding law.
The trend is clear: domain abuse is now squarely on the regulatory radar, and registrars must navigate an evolving matrix of laws – from data privacy to cybersecurity directives – or risk fines, legal bans, or loss of license.
Enforcement in Action: Holding Registrars Accountable
Real-world enforcement actions illustrate both progress and the challenges ahead in taming rogue registrars:
- ICANN Compliance and Breach Notices: As noted, ICANN’s Contractual Compliance department has begun issuing breach notices to registrars that fail to meet abuse mitigation obligations. The 2025 WebNic case is a prime example. WebNic, an established registrar with over 800,000 domains under management, was publicly called out for “turning a blind eye” to abuse reports. Phishing domains under WebNic’s wing were reported by security researchers, but the registrar allegedly delayed action for weeks, repeatedly asking reporters for unnecessary evidence and failing to consider readily available information about the attacks. Only after ICANN intervened did WebNic suspend the offending domains – a pattern of behavior that ICANN found unacceptable. The breach notice gave WebNic until August 2025 to come into compliance or face termination. Such public enforcement is fresh territory for ICANN, which historically was criticized for a light-touch approach to registrar oversight. The message now is that registrars must proactively police abuse on their platforms or face profound consequences.
- Legal Penalties and Lawsuits: In severe cases, government authorities can pursue legal action against registrars or their operators. While rare, there have been instances where a registrar’s management was implicated in facilitating crime (for instance, by wilfully aiding cybercriminals or refusing to take down criminal domains for profit). In one notable incident, a registrar that ignored court orders to remove terrorism-related content saw its executives threatened with personal liability under anti-terror laws, which forced compliance. More commonly, though, the threat of losing accreditation or business is enough leverage. Large enterprise customers and brand protection firms avoid registrars known for abuse, meaning rogue registrars risk not only regulatory action but also reputational damage and loss of revenue if they do not clean up. We have also seen industry groups like the Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) officially naming problematic registrars in reports, which pressures those companies to respond or be shunned by partners.
- Network Operator and Community Actions: The broader internet infrastructure community also plays a role. For instance, major web hosting providers and anti-spam blocklist maintainers (like Spamhaus) will flag or block domains from chronically abusive registrars. Spamhaus’ “10 Most Abused Registrars” rankings have historically drawn attention to registrars with high percentages of bad domains, embarrassing those companies into addressing the issues. In the extreme, a Regional Internet Registry (which allocates IP addresses) or a domain registry could impose restrictions.
A historical example is the collapse of Freenom’s business model. Freenom ran several free country-code extensions (such as .TK, .ML, .GA and .CF) that became so inundated with malware and scam sites that, in 2023, Meta sued it for cybersquatting, partners cut ties, and several of the governments whose ccTLDs it operated reclaimed them; Freenom stopped accepting new registrations, which removed a large pool of free throwaway domains. It serves as a cautionary tale: if a registrar or registry becomes synonymous with abuse, the community can react in ways that put that business at risk (from technical blocking to loss of contracts).
- Law Enforcement & International Operations: As mentioned, operations like the Qakbot botnet takedown, as well as others such as the Emotet botnet disruption and the seizure of hundreds of phishing domains by Europol’s European Cybercrime Centre, demonstrate the growing muscle of law enforcement in the domain arena. These actions often involve court orders to registrars/registries to hand over or disable domains. In the U.S., federal agencies have leveraged the court system to seize dozens of malicious domains at once, particularly when the domains are in gTLDs like .COM or .ORG (which are operated by U.S.-based registries). In Europe, initiatives such as the EU’s Joint Cyber Unit encourage member-state authorities to coordinate domain takedowns when they see infrastructure being abused at scale. However, criminals adapt: facing pressure in certain TLDs or at certain registrars, they migrate to others that are more offshore or obscure. This is why the focus is increasingly on the registrars themselves – to end the whack-a-mole, the registrars that enable repeated abuse must either change their practices or be driven out of the industry.
Towards a More Secure Domain Ecosystem
The battle against domain abuse and rogue registrars is far from over, but there are promising signs of change. Multistakeholder collaboration – involving industry groups, policymakers, law enforcement, and the registrars/registries – is coalescing around the idea that a safer internet starts at the DNS level. A key realization is that systemic problems require systemic solutions:
- Stricter Entry Barriers for Bad Actors: Experts are advocating for widespread adoption of rigorous identity verification for domain registrations, especially bulk purchases. By making it harder for attackers to simply generate new identities and domains at will, the pool of “burner” domains can be reduced. The NIS2 KYC requirements are a step in this direction, and even outside the EU, many registrars are considering voluntary KYC to pre-empt abuse.
- Abuse Reporting and Response Standards: The community is developing standards for abuse reporting – like a common abuse report format and ticketing system – so that registrars can more efficiently process complaints. Initiatives such as ICANN’s Registration Data Request Service (RDRS) – launched as a pilot in late 2023 to route requests for non-public registration data to the responsible registrar – and industry “Trusted Notifier” (or “trusted reporter”) programs aim to streamline how credible data requests and abuse notices are handled, enabling swift suspension of domains that are clearly engaged in cybercrime. The faster a malicious domain can be taken down, the less damage it can do.
- Incentives and Penalties: There is growing consensus that mere voluntary guidelines are not enough – enforcement mechanisms are needed. This can include penalties for service providers that “consistently and disproportionately supply cybercriminals with attack resources.” In practice, this might mean financial sanctions, loss of accreditation, or civil liability for gross negligence by registrars. Conversely, positive incentives (like insurance benefits or public recognition) could reward those registrars who maintain exemplary anti-abuse track records.
- Enhanced Threat Intelligence Sharing: Cybersecurity teams are increasingly sharing data on bad domains and their registrar sources. Projects like ICANN’s Domain Abuse Activity Reporting (DAAR) and the APWG eCrime Exchange provide dashboards of abuse trends by registrar and TLD. By shining a light on the problem, these reports push registrars to act or face market pressure. Additionally, advances in AI and machine learning are being employed to detect malicious domain registrations even before they are used, by analysing naming patterns and other risk signals. While not foolproof, such tools can help registrars flag suspicious orders for manual review (especially from customers with no prior history).
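To make the "naming patterns and other risk signals" idea concrete, here is an added example of the kind of pre-use scoring a registrar could run on an order batch before the domains go live. It is not code from this report, from Excedo, or from any registrar's actual pipeline; it uses only the Python standard library, and the brand watchlist, lure-word list, leet normalisation table, weights, thresholds and the sample batch are all constructed assumptions. It combines three signal families discussed on this page: lexical signals on the second-level label (high-entropy DGA-like strings, digit-heavy labels, lure keywords, brand lookalikes by edit distance), the bulk-registration bursts from a single account described earlier, and a new-account-with-no-history signal.

```python
"""Pre-use risk scoring of new domain registrations: an added, stdlib-only example, not code from the
report, Excedo or any registrar. Brand list, lure words, weights, thresholds and SAMPLE_BATCH are assumptions."""
import math
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

BRANDS = ("paypal", "microsoft", "coinbase", "metamask", "dhl")      # assumed brand watchlist
LURE_WORDS = ("login", "secure", "verify", "wallet", "support", "update")
LEET = str.maketrans("10345", "loeas")    # normalise paypa1 -> paypal before brand matching
BURST_WINDOW, BURST_THRESHOLD = timedelta(minutes=10), 15   # orders per account per window
REVIEW_THRESHOLD = 5                      # total score at which an order is held for a human

# domain, registrar customer id, order time, domains the account held before this order
Registration = namedtuple("Registration", "domain account registered_at prior_domains")

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_signal(label: str):
    """Brand embedded in the label, or a token within a small edit distance of one (typo-squat)."""
    norm = label.translate(LEET)
    for brand in BRANDS:
        if brand in norm:
            return f"contains brand '{brand}'", 4
    for token in norm.split("-"):
        for brand in BRANDS:
            if len(token) >= 4 and levenshtein(token, brand) <= (1 if len(brand) <= 5 else 2):
                return f"lookalike of '{brand}' ('{token}')", 4
    return None

def lexical_signals(domain: str) -> list:
    label = domain.lower().rstrip(".").split(".")[-2]   # second-level label; expects name.tld, ignores .co.uk-style suffixes
    core = label.replace("-", "")
    hits = []
    if "-" not in label and len(core) >= 10 and shannon_entropy(core) > 3.2:
        hits.append(("high-entropy label (DGA-like)", 3))
    if sum(ch.isdigit() for ch in core) > 0.3 * len(core):
        hits.append(("digit-heavy label", 1))
    lure = next((w for w in LURE_WORDS if w in label), None)
    if lure:
        hits.append((f"lure keyword '{lure}'", 2))
    brand = brand_signal(label)
    if brand:
        hits.append(brand)
    return hits

def burst_accounts(regs: list) -> dict:
    """Peak number of orders per account inside any BURST_WINDOW (sliding window over sorted times)."""
    by_acct = defaultdict(list)
    for r in regs:
        by_acct[r.account].append(r.registered_at)
    peaks = {}
    for acct, times in by_acct.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        peaks[acct] = peak
    return peaks

def score_batch(regs: list) -> dict:
    """domain -> (total score, reasons); combines naming, bulk-burst and account-history signals."""
    peaks = burst_accounts(regs)
    scored = {}
    for r in regs:
        hits = lexical_signals(r.domain)
        if peaks[r.account] >= BURST_THRESHOLD:
            hits.append((f"bulk burst: {peaks[r.account]} orders in {BURST_WINDOW}", 3))
        if r.prior_domains == 0:
            hits.append(("new account with no history", 1))
        scored[r.domain] = (sum(w for _, w in hits), [why for why, _ in hits])
    return scored

def hold_for_review(regs: list) -> list:
    return sorted(d for d, (s, _) in score_batch(regs).items() if s >= REVIEW_THRESHOLD)

# Constructed batch: two lookalikes, one lure-word-only, one benign, one account bulk-buying 20 DGA-like labels.
_T0 = datetime(2025, 3, 1, 12, 0)
SAMPLE_BATCH = [
    Registration("paypa1-login.top", "acct-42", _T0, prior_domains=0),
    Registration("micorsoft.com", "acct-43", _T0 + timedelta(minutes=1), prior_domains=0),
    Registration("secure-update.info", "acct-44", _T0 + timedelta(minutes=2), prior_domains=0),
    Registration("sunrise-yoga.com", "acct-10", _T0 + timedelta(minutes=4), prior_domains=5),
] + [Registration(f"q7z3k9vm2x{i:02d}.top", "acct-777", _T0 + timedelta(seconds=10 * i), 0)
     for i in range(20)]

if __name__ == "__main__":
    for dom, (score, why) in sorted(score_batch(SAMPLE_BATCH).items(), key=lambda kv: -kv[1][0]):
        print(f"{'HOLD' if score >= REVIEW_THRESHOLD else 'pass'} {score:>2} {dom:22} {'; '.join(why)}")
```

Run as a script, it prints every order with its score and the reasons, with the 20 burst-bought DGA-like names, the leet-spelled brand plus lure word, and the brand typo-squat held for review. The two deliberately borderline cases show why the signals are weighted rather than used as hard blocks: a lure word alone ("secure-update.info" from a new account) scores 3 and passes, and a brand lookalike from an account with no history only just reaches the threshold. Real deployments would replace the constructed watchlists with a maintained brand feed and a public-suffix-aware label parser, and would tune weights against the registrar's own abuse-report history.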
Conclusion
As we navigate 2025, the domain abuse fight is at an inflection point. Regulators in Europe, America, and Asia are upping the ante with laws that insist on greater accountability from registrars. ICANN and industry bodies have made it clear that “business as usual” is over – security can no longer be an afterthought in the domain name industry. The rogue actors are being called out by name, and their window for inaction is closing. Yet, lasting change will only occur if there is broad commitment across all stakeholders – registrars, registries, hosting providers, CERTs, and law enforcement – to prioritize the safety and integrity of the DNS. This means not only reacting to abuse but proactively reducing the opportunities for abuse.
For cybersecurity professionals, the takeaway is to stay informed about which providers tolerate abuse and to apply pressure (through corporate policies or client advice) to avoid them. It is also crucial to support and utilize the emerging tools for data sharing and identity verification in the domain space. The 2025 outlook gives reasons for cautious optimism: with stronger rules and heightened awareness, we expect to see the worst registrars either reform or exit the stage. The internet’s bad actors will undoubtedly look for new loopholes, but the community is more prepared than ever to close the door on them. By combining technical solutions with enforceable policies and global cooperation, we can finally put the “rogue registrar” on notice and curb the domain abuse that has plagued the internet’s underbelly for too long.
References:
- Interisle Consulting Group, Cybercrime Supply Chain 2024 – documenting a 54% YoY increase in cyberattacks and 8.6M domains used in 2023.
- Interisle Consulting Group, Criminal Abuse of Domain Names – identifying four registrars with concentrated abusive registrations and confirming bulk registration as a tool for cybercrime.
- Domain Name Wire – reporting that 45% of domains at NiceNIC were blacklisted for phishing.
- Academic study (UCL, 2025) – finding NameSilo and NiceNIC as the most abused registrars for new phishing domains and noting criminals exploit registrars offering anonymous crypto payments.
- M3AAWG/APWG joint survey – describing how GDPR-driven WHOIS privacy impedes cybercrime investigations, reducing investigators’ ability to identify bad actors.
- Excedo Networks – Navigating NIS2 (2024) outlining new EU requirements for KYC in domain registrations (Article 28 of NIS2).
- ICANN Blog / Nominet (2024) – detailing ICANN’s 2024 contract amendments on DNS abuse and the first 6 months of enforcement: 192 compliance actions, 2,700 domains suspended.
- Domain Incite (Aug 2025) – Registrar shamed for alleged crypto abuse neglect, re: ICANN breach notice to WebNic for failing to act on phishing abuse reports.
- Spamhaus Intelligence – Domain Reputation Update (Oct 2024–Mar 2025) observing 2.9M new malicious domains in 6 months, and letter to .TOP registry over abuse handling; Botnet Threat Update noting a 41% drop in Qakbot C2s post-takedown.
- Domain Incite (Feb 2025) – UK intros global domain takedown law, on proposed UK powers for extraterritorial domain seizures.
- ArchTIS Blog (May 2025) – explaining the U.S. CLOUD Act’s provision for cross-border data access by law enforcement, compelling U.S. providers to comply regardless of data location.
- Interisle/Anti-Abuse Working Groups – recommendations to penalize providers that disproportionately enable cybercrime and calls for broad stakeholder action.