Article

The Internet’s Continuous Crime Problem, and How the Domain Industry Is Profiting From It

By Shane Tews

June 8, 2026

The domain name registration market has a serious but solvable problem: An estimated one in five sales currently benefit criminal actors. New research puts that reality in sharp focus, and new tools point to ways that blocking and takedowns can enable concrete interventions that can fundamentally change those odds. With the right policy tools, industry accountability measures, and enforcement coordination, the reality of the domain name registration market today could change.

A new study by Interisle Consulting Group finds that cybercriminals purchased an estimated 20 percent of all new generic top-level domain (gTLD) registrations in 2025, roughly 16.8 million domain names, to conduct scams, phishing attacks, and other online crimes. At a minimum, 8.5 million of those domains had already been blocklisted for malicious activity as of May 2026. More are detected every day.

Domain names are the entry point for every phishing email, every pig-butchering scam, and every malware campaign. They are how cybercriminals build and run their attacks. And right now, they can acquire them in bulk, cheaply, and with minimal friction.

Criminal enterprises are registering domains by the millions. For example, FUNNULL purchased more than 100,000 domains in the small .LOAN domain space, increasing it by 1,880 percent in less than 24 months. Even after sanctions were imposed, it continued to acquire approximately 1 million domains across the market in 2025.

The study is direct about why this persists. Distorted market incentives make it commercially rational to tolerate, or actively court, cybercriminal sales. Domain registrations are a volume business. The costs, however, are borne not by the registrars or registries but by victims.

The Global Signal Exchange (GSE), operated by the DNS Research Federation, is a cross-industry URL-sharing platform that aggregates threat intelligence from across the technology and financial sectors. Google has integrated 11 of its products into the platform, contributing 1.26 billion signals.

Positive results demonstrate what is possible when signals are shared rather than siloed and when players with visibility into the supply chain, including registrars, registries, ad platforms, and financial intermediaries, are willing to share their insights. Google used signals that the UK National Crime Agency shared with them to identify a network of “made for abuse” accounts, intelligence that ultimately led to arrests. Microsoft also submitted supplemental referrals based on the shared data. Blocking and rapid takedowns are not only possible but also effective.

The domain name registration market sits at the beginning of the cybercrime supply chain. Before a phishing site goes live, before a pig butchering scam finds victims, and before a malware campaign executes, someone must register a domain. That moment of registration is one of the highest-leverage intervention points. Behavioral pattern detection,such aspayment methods and contact information, that follow detectable patterns. AI models trained on blocklist data could flag these patterns at the point of sale rather than weeks later, when victims are already being defrauded.

The Interisle study found that abuse is highly concentrated: A handful of registrars and registries account for a disproportionate share of criminal domain sales. That concentration is an advantage for enforcement. You don’t need to address every actor in the market to make a significant dent in the problem. Targeted account-level scrutiny of the worst offenders would go a long way.

The GSE model is directly applicable to cross-industry signal sharing. Registrars that participate in shared threat intelligence platforms would benefit from signals generated by ad platforms, financial institutions, and law enforcement; these are the same signals that are already producing arrests.

Not all domain registrations carry the same risk profile. Know Your Customer baselines for high-risk registrations, like financial sector standards, could be applied to bulk registrations, newly created registrar accounts, and registrations in TLDs with demonstrated concentrations of abuse. Registrations paid for through certain channels warrant heightened scrutiny. There is no principled reason the domain industry cannot do the same.

The Google and GSE examples demonstrate that the technical and institutional infrastructure for upstream scam prevention already exists. What is missing is the expectation, backed by enforceable policy, that domain industry participants will use these tools to stop criminal activity once it is identified.

ICANN’s upcoming gTLD expansion is an immediate pressure point. Releasing new top-level domains into a market that has already demonstrated 20 percent criminal penetration, without requiring registries and registrars to implement meaningful abuse prevention programs as a condition of operation, would be a policy failure of the first order.

What policymakers should take from this is that the domain name market is not beyond the reach of consumer protection, sanctions compliance, and financial transparency frameworks. The concentration of criminal sales among a small number of identifiable actors makes targeted enforcement entirely feasible. The tools exist, and the models work. What is needed now is a policy that requires the domain industry to use them.