Analyzing the data from the Cybercrime Information Center, we regularly report on the top-level domains (TLDs), gTLD Registrars, and Hosting Providers. In this article, we look at the registrars associated with domain names registered in ccTLDs. But this is not without significant limitations.
Measuring Criminal Abuse of gTLD Registrars is Straightforward
gTLD registries are contractually required to provide access to domain registration data, though as we have noted, access to that information is neither uniform nor complete, and may not always be timely. gTLD registrars are identified by a unique identifier in registry domain registration data: their ICANN-assigned Registrar ID (the IANA ID). This identifier persists even when registrars change their name in domain registration data; for example, IANA ID 3775 used to be named ‘ALIBABA.COM SINGAPORE E-COMMERCE PRIVATE LIMITED’ and as of August 2024 is now called ‘Dominet (HK) Limited’. With the IANA ID, we have a reliable identifier for associating a domain reported for cybercrime activity with the registrar the criminal used to register it.
Measuring ccTLD Registrars Poses Challenges
The first challenge that we face is that ccTLD operations and policies are determined individually, by sovereign governments. Some governments prohibit public access to domain registration data. This limits our ability to identify the registrars used by criminals to register a ccTLD domain. In the December 2024 to February 2025 spam data, we were not able to collect domain registration data from 133 of the 210 ccTLDs.
The second problem is that ccTLDs do not have to use ICANN-accredited registrars, so the IANA ID is not always available. Typically, only registrar names are provided. Registrar names are not consistent; in fact, we see a lot of slop in the registrar names that are used. Periods or commas may or may not be included. Capitalization can vary. A ‘Tag’ or a URL may be appended to the registrar name. Forms of incorporation may be inconsistently appended; for example, d/b/a, dba, t/a, or s.r.o., LTD, Inc, LLC, B.V, AG, GmbH, Pty., or SRL may be used. The values may also change over time, so normalizing the numerous variations requires constant vigilance if we want to achieve the best possible accuracy in our reporting.
Some examples of registrar names that could refer to the same registrar follow:
For Dynadot, we see
‘Dynadot’, ‘Dynadot INC’, ‘Dynadot Inc ( https://nic.at/registrar/650 )’, ‘Dynadot Inc.’, ‘Dynadot LLC’, and ‘Dynadot, LLC t/a Dynadot’.
For EuroDNS, we see
‘EuroDNS S.A’, ‘EuroDNS S.A.’, ‘EuroDNS SA [Tag = EURODNS]’, and ‘Eurodns S.A.’.
For MarkMonitor, we see
‘MarkMonitor’, ‘MarkMonitor Corporate Services Inc’, ‘MarkMonitor Inc’, ‘MarkMonitor Inc.’, ‘MarkMonitor International Canada Ltd.’, ‘MarkMonitor International Limited’, ‘MarkMonitor, Inc.’, ‘Markmonitor’, and ‘Markmonitor Inc.’.
For Tool Domains, we see
‘Tool Domains EOOD t/a Edoms.com’, ‘Tool Domains EOOD t/a Salestrar.com’, ‘Tool Domains EOOD [Tag = TOOLDOMAINS]’, ‘Tool Domains Ltd’, ‘Tool Domains OOD’, ‘ToolDomainsOOD’, and ‘Salestrar Ltd’.
In addition, the same registrar name may appear with multiple suffixes (-RU, -RF, and -SU), for example: OPENPROV-RU, OPENPROV-RF, REGRU-RU, EGRU-SU, ACTIVE-RU, ACTIVE-RF, ACTIVE-SU, ARDIS-RU, ARDIS-RF, and ARDIS-SU.
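As an added illustration of the normalization problem described above (this is example code, not the Cybercrime Information Center's own tooling), the following Python sketch collapses the variant spellings quoted in this section to one key per registrar. The canonical registrar list and the alias table are assumptions built only from the examples quoted here; unmatched names are returned as-is so a human can review them rather than being silently merged.

```python
import re

# Added example, not the Cybercrime Information Center's code. CANONICAL and ALIASES are
# assumptions built only from the variants the article quotes; both need hand curation.
LEGAL_FORMS = (r"\b(?:inc|llc|ltd|limited|corp|corporation|s a|sa|s r o|sro|b v|bv"
               r"|ag|gmbh|pty|srl|eood|ood|plc)\b")
TRADING_AS = r"\s+(?:d/b/a|dba|t/a)\s+"
CANONICAL = ["dynadot", "eurodns", "markmonitor", "tool domains",
             "openprov", "regru", "active", "ardis"]
ALIASES = {"salestrar": "tool domains"}   # trading names only a human can link

def normalize_key(raw: str) -> str:
    """Strip the decoration ccTLDs append to registrar names; return a comparison key."""
    s = raw.strip()
    s = re.sub(r"\[\s*tag\s*=[^\]]*\]", " ", s, flags=re.I)   # '[Tag = EURODNS]'
    s = re.sub(r"\(\s*https?://[^)]*\)", " ", s)              # '( https://nic.at/... )'
    s = re.split(TRADING_AS, s, maxsplit=1, flags=re.I)[0]    # keep entity before t/a, dba
    s = re.sub(r"-(?:RU|RF|SU)\s*$", "", s, flags=re.I)       # OPENPROV-RU / -RF / -SU
    s = re.sub(r"[^\w\s]", " ", s.lower())                    # case, periods, commas
    s = re.sub(LEGAL_FORMS, " ", s)                           # Inc, LLC, S.A., GmbH ...
    return re.sub(r"\s+", " ", s).strip()

def canonical_registrar(raw: str) -> str:
    """Map a raw name to a canonical registrar, or return the key for manual review."""
    key = normalize_key(raw)
    if key in ALIASES:
        return ALIASES[key]
    squashed = key.replace(" ", "")   # 'tooldomainsood' still starts with 'tooldomains'
    for name in CANONICAL:
        if squashed.startswith(name.replace(" ", "")):
            return name
    return key   # unmatched: surfaces new variants instead of silently merging them

def group_variants(raw_names):
    """Group raw spellings by canonical registrar so counts are not split across variants."""
    groups = {}
    for raw in raw_names:
        groups.setdefault(canonical_registrar(raw), set()).add(raw)
    return groups

# Sample input constructed from the variants quoted in the article.
SAMPLE = ["Dynadot", "Dynadot INC", "Dynadot Inc ( https://nic.at/registrar/650 )",
          "Dynadot, LLC t/a Dynadot", "EuroDNS SA [Tag = EURODNS]", "Eurodns S.A.",
          "MarkMonitor International Canada Ltd.", "Markmonitor Inc.", "ToolDomainsOOD",
          "Tool Domains EOOD t/a Edoms.com", "Tool Domains EOOD [Tag = TOOLDOMAINS]",
          "Salestrar Ltd", "OPENPROV-RU", "OPENPROV-RF", "ARDIS-SU"]

if __name__ == "__main__":
    for name, variants in sorted(group_variants(SAMPLE).items()):
        print(f"{name:12} <- {sorted(variants)}")
```

The prefix match is deliberately greedy, so a new registrar whose name begins with an existing canonical name would be merged into it; that is exactly the kind of case the article says needs ongoing human vigilance.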
Spam Domains Associated with ccTLD Registrars
We were able to obtain registrar names for 40% of the 733k ccTLD domains reported for spam activity in the December 2024 to February 2025 period. Working with this partial data, we determined that 11 registrars accounted for 63% of the spam activity that we could associate with a ccTLD registrar, in cases where only a registrar name was available:
Which ccTLDs Provided No Registrar Information
There were 133 ccTLDs that provided no registrar information for their spam domains in the December 2024 to February 2025 quarter. The following ccTLDs among them had between 1,000 and 10,000 spam records:
.sx – Sint Maarten
.de – Germany
.cz – Czech Republic
.my – Malaysia
.eu – European Union
.st – São Tomé and Príncipe
.jp – Japan
.tr – Turkey
.ge – Georgia
.es – Spain
.lc – Saint Lucia
.ee – Estonia
.cm – Cameroon
By not providing RDDS, these ccTLDs are allowing the identity and extent of registrars’ contributions to cybercrime to be hidden from view.
Summary
Access to domain registration data is generally important for cybercrime or abuse investigations and for research as well. The identity of the domain registrar, a business, should always be made available to facilitate or expedite inquiries from investigators, researchers or other businesses.
Access to domain name registration data can be most beneficial if the services are timely, uniform, and complete. We encourage ccTLD operators to support the industry standard RDDS protocols to help identify those registrars that are complicit in registering large numbers of cybercrime domains in their TLDs.
The ICANN Country Code Names Supporting Organization (ccNSO) should consider adopting an RDDS policy for ccTLD operators. Additionally, the ccNSO could work to provide a means to have a unique identity code associated with each registrar (as is done with the unique ICANN-assigned Registrar ID for gTLD registrars) to ensure that ccTLD registrars can be readily identified even where variants of the registrar name are used.