The Illusion of Control: How ICANN is Bankrolling Global Cybercrime
An OSINT investigation into the fee-driven incentive structure of the domain industry · 7.9M active domains · 7 abuse-heavy TLDs · A gross-fee / revenue-exposure model

The Conflict of Interest At The Center Of The Internet
ICANN presents itself as the supreme, independent regulator of the global domain market. It writes the rules, accredits the registrars, signs the contracts with the registries, and is supposed to police abuse across the entire namespace.
There is one detail that quietly breaks this picture: ICANN is paid by the very market it is supposed to police. Every domain that gets registered sends money upstream to ICANN. Imagine, for a moment, if the SEC literally owned a stake in Binance and collected a fee on every trade. That is the structural position the domain industry has built for itself.
The mechanics are not hidden. Launching a new top-level domain zone requires an application fee of $227,000. Once a zone is live, the registry pays an annual fee of $25,800. And once a zone crosses 50,000 registered domains, ICANN collects roughly $0.25 for every registered domain. The math is simple, and so is the incentive it creates: the more domains exist, the more money flows — whether those domains host a hospital or a wallet drainer.
A regulator paid per unit of the thing it regulates has no financial reason to want fewer units — even when a large share of those units are garbage registrations created for abuse.
This is a fee-intake model, not ICANN profit. The datasets contain active domains and abuse-triage signals but not exact transaction counts, registrar attribution, registry wholesale prices, or ICANN operating costs.
Throughout this report we use the framing fee intake, revenue exposure and gross fee model. We never claim “profitability.” Every figure below is a transparent calculation from public fee schedules applied to an active-domain count — an order-of-magnitude estimate of money flowing through the system, not a measured income statement.
The Scale: One Year, Less Than 10% Covered
On July 5th, the PhishDestroy public database (DestroyList) turns one year old. It is open, free, and used by researchers, wallets, and security vendors around the world.
And here is the uncomfortable truth from a full year of operation: in twelve months of continuous work, it has not been able to cover even 10% of the phishing avalanche. Not because the team stopped — because the supply of fresh malicious domains is effectively unlimited at the price point the system is built around. When a domain costs less than a cup of coffee and a regulator profits from each one minted, volume always wins.
The Numbers: A Fee-Intake Model
Across 7 of the most abuse-heavy new TLDs, our triage identified 7,945,325 active domains. From those domains alone, applying ICANN's own published fee schedule produces the model below.
Registry-Side ICANN Fee Model
Source: ICANN Base Registry Agreement, Article 6.1 — registry fixed fee of $6,250 per quarter per TLD, plus a registry transaction fee of $0.25 per annual increment after the 50,000-transaction threshold.
| Model line | Calculation | Estimate |
|---|---|---|
| Registry transaction fee | 7,945,325 × $0.25 | $1,986,331.25 |
| Registry fixed fee | 7 TLDs × $25,000/year | $175,000.00 |
| Registry-side ICANN fee model | transaction + fixed | $2,161,331.25 / year-model |
| Registry-side effective fee/domain | ÷ 7,945,325 | $0.27 |
Optional Registrar-Side Pass-Through Model
Source: ICANN Registrar Accreditation Agreement, Section 3.9. Note: the $0.18/domain-year figure is a modeling assumption, not a proven invoice. This layer is presented as a sensitivity scenario only.
| Model line | Calculation | Estimate |
|---|---|---|
| Registrar admin model | 7,945,325 × $0.18 | $1,430,158.50 |
| Combined variable model | 7,945,325 × $0.43 | $3,416,489.75 |
| Combined variable + registry fixed | — | $3,591,489.75 / year-model |
| Combined effective fee/domain | ÷ 7,945,325 | $0.45 |
The combined model (~$3.59M/year-model) is the upper bound of fees flowing through this 7-TLD slice. It is gross fee intake before any cost, refund, deletion, or wholesale split — an indicator of scale, not of anyone's bottom line.
Breakdown By TLD
The seven zones are not equal. Some are pure volume plays; others concentrate the abuse. The .vip and .icu zones alone account for the overwhelming majority of high-confidence abuse leads.
| TLD | Active domains | With IP | High-conf abuse leads | Registry-side model | Combined model |
|---|---|---|---|---|---|
.sbs | 1,900,628 | 632,352 | 243 | $500,157.00 | $842,270.04 |
.vip | 1,891,899 | 1,235,909 | 4,388 | $497,974.75 | $838,516.57 |
.bond | 1,333,658 | 104,650 | 134 | $358,414.50 | $598,472.94 |
.cfd | 936,860 | 402,780 | 242 | $259,215.00 | $427,849.80 |
.icu | 934,951 | 279,093 | 2,607 | $258,737.75 | $427,028.93 |
.cyou | 744,378 | 270,498 | 74 | $211,094.50 | $345,082.54 |
.buzz | 202,951 | 122,066 | 13 | $75,737.75 | $112,268.93 |
| TOTAL | 7,945,325 | 3,047,348 | 7,701 | $2,161,331.25 | $3,591,489.75 |
High-Confidence Abuse Leads By Reason
| Detection reason | Leads |
|---|---|
punycode_idn | 6,794 |
crypto_brand_plus_action_or_auth | 372 |
document_or_mail_brand_plus_auth_doc | 188 |
finance_brand_plus_auth_payment | 170 |
wallet_drainer_lure | 102 |
apple_icloud_plus_auth | 93 |
social_brand_plus_auth | 80 |
brand_auth_random_suffix | 23 |
cloudflare_plus_auth | 3 |
Leads By TLD
| TLD | Leads |
|---|---|
.vip | 4,388 |
.icu | 2,607 |
.sbs | 243 |
.cfd | 242 |
.bond | 134 |
.cyou | 74 |
.buzz | 13 |
Leads By IP Country
| Country | Leads |
|---|---|
| (blank / unresolved) | 5,166 |
| US | 940 |
| HK | 566 |
| CN | 375 |
| SG | 131 |
| MY | 87 |
| DE | 78 |
| IN | 69 |
| JP | 46 |
| GB | 40 |
| CA | 34 |
| BG | 28 |
A Precedent Of Inaction
The standard defense is that ICANN has a compliance arm that handles abuse. In practice, the compliance machine is a place where well-documented complaints go to be filed away.
Consider the “Artists vs. NameSilo” ICANN compliance case. A fully substantiated complaint about a registrar's handling of abuse was escalated through the official channel — and ICANN effectively washed its hands of it. The pattern is visible directly in the ICANN compliance dashboard: a steady intake of complaints, closed out as “resolved” with little observable change in registrar behavior.
ICANN Compliance Dashboard (04/2026): compliance-reports.icann.org/compliance/dashboard/2026/0426/report.html
The Players
ShortDot SA — The Volume Engine
Several of the zones in this report are operated by ShortDot SA (in which NameSilo reportedly holds a stake of around 11%). The ShortDot portfolio includes .icu, .bond, .cyou, .sbs, .cfd, .qpon and .buzz.
A fair question to put to anyone in the industry: when was the last time you saw a legitimate, well-known white-hat site on any of these extensions? The honest answer, for most people, is “never.” These zones live almost entirely in the long tail of throwaway registrations.
.bond was marketed as a premium destination for the financial sector. Real finance rejected it outright — no serious bank or asset manager moved its brand there. What it became instead is a goldmine for banking and crypto phishing: a financial-sounding extension with none of the financial-sector scrutiny.
TrustName — Bulletproof By Design
Then there is TrustName, a Belarusian company that configured what amounts to bulletproof DNS just two days after launch and has remained effectively unreachable by ICANN ever since. Abuse reports go nowhere; the “regulator” has no working lever to pull.
The most striking part is the geopolitics: sanctions appear to bypass the regulator entirely. An entity that would be off-limits in nearly any other regulated industry continues to operate inside the ICANN ecosystem because the fee keeps arriving and no one is incentivized to cut it off.
TrustName: bulletproof DNS configured two days after launch — read the full TrustName report →
Coming Before July 5th: The One-Year Report
Before the database hits its first birthday, PhishDestroy will publish a one-year report exposing the registrars — including TrustName, NiceNIC, NameSilo and others — that ignored fully justified abuse reports for 300+ days, until the offending domains simply expired on their own.
It will not be a summary. It will include the original report texts, the follow-ups, and the exact timestamps — a complete paper trail showing precisely how long a documented, actively-malicious domain can keep running while the people paid to police it look the other way.
When the only thing that finally takes a malicious domain offline is its own expiry date, the abuse-handling system has stopped being a safety mechanism and become a billing cycle.
Sources
Registry fixed fee + transaction fee schedule used in the registry-side model.
Yearly + variable accreditation fees used in the optional pass-through model.
Public record of complaint intake and resolution outcomes.
Documented compliance complaint (UNY-783-11184) and its outcome.
The Database Turns One On July 5th
DestroyList is open, free, and built by operators. In a year it has fought to keep up with a flood the fee structure keeps refilling. Use it, mirror it, build on it — and watch for the one-year registrar report dropping before July 5th.


