Interisle Study Presented to ICANN Government Advisory Committee
Dave Piscitello
On Wednesday, June 10, 2026, Karen Rose presented Interisle’s recently published study, Malicious Registrations in the Domain Name Market: An Analysis of 2025 gTLD Registrations and Cybercriminal Demand, to the ICANN GAC (Government Advisory Committee) at ICANN86 Seville Policy Forum. The GAC advises ICANN on public policy aspects of specific issues for which ICANN has responsibility, and DNS abuse has long been an issue of particular interest to the GAC.
Karen’s representation to the GAC follows:
Good morning. I’m Karen Rose of Interisle Consulting Group. I’m pleased to have the opportunity to share with you some findings from our most recent study.
Our work examined malicious domain name registrations made in 2025 in the gTLDs.
I’ll focus on two questions our research looked at: 1) how much cybercriminal demand drove new domain registrations last year, and 2) whether market incentives allow that demand to persist.
We used publicly and commercially available data for our research, including blocklists and domain registration data – and you can find our full methodology in our report.
Overall, our findings were sobering. We estimate that bad actors purchased 16.8 million gTLD domain names last year — That’s about 20 percent of all new registrations sold.
Put another way, as many as 1 out of every 5 domain names may have been purchased by bad actors to perpetrate phishing, malware, scams and other harmful attacks.
Imagine another industry where 1 out of every 5 products sold was being used to facilitate fraud, theft, or other serious crimes.
Few governments would consider that ordinary misuse. Policymakers would ask whether the rules, safeguards, and accountability mechanisms in that market were adequate to the scale of the problem – and if those measures were sufficiently protecting the public interest.
I think those same questions are relevant to DNS abuse policy discussions here, for the whole ICANN community.
Our study also found that abuse is highly concentrated among certain providers.
We found numerous registries and registrars where over half of all their registrations appeared to be purchased by bad actors.
At one registrar, 88 percent of its registrations were identified as malicious.
In one TLD we examined, nearly all of its registrations – some 100,000 – were associated with FUNNULL – a cybercriminal gang that powered scam farms across Southeast Asia.
Why does abuse exist at this scale? Economics and distorted incentives play a role.
Cybercriminals create sustained demand for domain names. They are high-volume, repeat buyers. And they buy millions of domains each year.
Fierce competition in the gTLD market has driven prices and profit margins down. Sales volume matters. Registrars provide tools that facilitate easy bulk registrations.
Some registries and registrars appear to derive commercial benefits from satisfying cybercriminal demand. Even when malicious registrations generate little revenue, tolerating abuse can still be commercially rational — especially when there are no obligations to prevent it.
While cybercriminals and some in the market may benefit from these transactions, the costs of cybercrime facilitated by domain abuse fall on victims, businesses, governments, and society at large.
In economic terms, this is a classic negative externality – a form of market failure that undermines the very benefits of competition.
Taken together, these findings make it hard to treat current levels of abuse as acceptable.
Importantly, our study also shows that abuse at this scale is not inevitable. Some registries and registrars managed to grow last year without attracting outsized levels of abuse, showing that provider practices and abuse choices make a difference.
And our case studies show that associated domain name checks can be a helpful mitigation step.
But we also need effective steps beyond mitigation. Steps that focus more on abuse prevention – and reducing the ability of bad actors to acquire domains in the first place.
This is especially urgent as ICANN prepares for the next round of new gTLDs. The introduction of new TLDs will further intensify competition and risks perpetuating current distortions in the market.
Measurably reducing DNS abuse needs to be our ultimate goal.
We look forward to engaging with the GAC and the community going forward.
Interisle appreciates the active engagement of the GAC and its members on domain name abuse issues and thanks the committee for the invitation to contribute our findings and analysis to this important discussion.