Skip to main content
Back to News
OSINT INVESTIGATION · THE DOMAIN ECONOMY

The Illusion of Control: How ICANN is Bankrolling Global Cybercrime

An OSINT investigation into the fee-driven incentive structure of the domain industry · 7.9M active domains · 7 abuse-heavy TLDs · A gross-fee / revenue-exposure model

The Illusion of Control - How ICANN is Bankrolling Global Cybercrime - PhishDestroy investigation hero
0
Active Domains In Scope (7 TLDs)
0
High-Confidence Abuse Leads
$0.27
Registry-Side Fee / Domain (model)
~$2.16M
Registry-Side Fee Intake / Year (model)

The Conflict of Interest At The Center Of The Internet

ICANN presents itself as the supreme, independent regulator of the global domain market. It writes the rules, accredits the registrars, signs the contracts with the registries, and is supposed to police abuse across the entire namespace.

There is one detail that quietly breaks this picture: ICANN is paid by the very market it is supposed to police. Every domain that gets registered sends money upstream to ICANN. Imagine, for a moment, if the SEC literally owned a stake in Binance and collected a fee on every trade. That is the structural position the domain industry has built for itself.

The mechanics are not hidden. Launching a new top-level domain zone requires an application fee of $227,000. Once a zone is live, the registry pays an annual fee of $25,800. And once a zone crosses 50,000 registered domains, ICANN collects roughly $0.25 for every registered domain. The math is simple, and so is the incentive it creates: the more domains exist, the more money flows — whether those domains host a hospital or a wallet drainer.

The incentive structure rewards mass registration, not safety.

A regulator paid per unit of the thing it regulates has no financial reason to want fewer units — even when a large share of those units are garbage registrations created for abuse.

Accuracy & Methodology Disclaimer

This is a fee-intake model, not ICANN profit. The datasets contain active domains and abuse-triage signals but not exact transaction counts, registrar attribution, registry wholesale prices, or ICANN operating costs.

Throughout this report we use the framing fee intake, revenue exposure and gross fee model. We never claim “profitability.” Every figure below is a transparent calculation from public fee schedules applied to an active-domain count — an order-of-magnitude estimate of money flowing through the system, not a measured income statement.

The Scale: One Year, Less Than 10% Covered

On July 5th, the PhishDestroy public database (DestroyList) turns one year old. It is open, free, and used by researchers, wallets, and security vendors around the world.

And here is the uncomfortable truth from a full year of operation: in twelve months of continuous work, it has not been able to cover even 10% of the phishing avalanche. Not because the team stopped — because the supply of fresh malicious domains is effectively unlimited at the price point the system is built around. When a domain costs less than a cup of coffee and a regulator profits from each one minted, volume always wins.

The Numbers: A Fee-Intake Model

Across 7 of the most abuse-heavy new TLDs, our triage identified 7,945,325 active domains. From those domains alone, applying ICANN's own published fee schedule produces the model below.

0
Domains With IP (38.35%)
0
Domains Without IP (61.65%)
0
Domains With Hostname (11.49%)
0
High-Confidence Abuse Leads (0.10%)

Registry-Side ICANN Fee Model

Source: ICANN Base Registry Agreement, Article 6.1 — registry fixed fee of $6,250 per quarter per TLD, plus a registry transaction fee of $0.25 per annual increment after the 50,000-transaction threshold.

Model lineCalculationEstimate
Registry transaction fee7,945,325 × $0.25$1,986,331.25
Registry fixed fee7 TLDs × $25,000/year$175,000.00
Registry-side ICANN fee modeltransaction + fixed$2,161,331.25 / year-model
Registry-side effective fee/domain÷ 7,945,325$0.27

Optional Registrar-Side Pass-Through Model

Source: ICANN Registrar Accreditation Agreement, Section 3.9. Note: the $0.18/domain-year figure is a modeling assumption, not a proven invoice. This layer is presented as a sensitivity scenario only.

Model lineCalculationEstimate
Registrar admin model7,945,325 × $0.18$1,430,158.50
Combined variable model7,945,325 × $0.43$3,416,489.75
Combined variable + registry fixed$3,591,489.75 / year-model
Combined effective fee/domain÷ 7,945,325$0.45
Read these as revenue exposure, not income.

The combined model (~$3.59M/year-model) is the upper bound of fees flowing through this 7-TLD slice. It is gross fee intake before any cost, refund, deletion, or wholesale split — an indicator of scale, not of anyone's bottom line.

Breakdown By TLD

The seven zones are not equal. Some are pure volume plays; others concentrate the abuse. The .vip and .icu zones alone account for the overwhelming majority of high-confidence abuse leads.

TLDActive domainsWith IPHigh-conf abuse leadsRegistry-side modelCombined model
.sbs1,900,628632,352243$500,157.00$842,270.04
.vip1,891,8991,235,9094,388$497,974.75$838,516.57
.bond1,333,658104,650134$358,414.50$598,472.94
.cfd936,860402,780242$259,215.00$427,849.80
.icu934,951279,0932,607$258,737.75$427,028.93
.cyou744,378270,49874$211,094.50$345,082.54
.buzz202,951122,06613$75,737.75$112,268.93
TOTAL7,945,3253,047,3487,701$2,161,331.25$3,591,489.75

High-Confidence Abuse Leads By Reason

Detection reasonLeads
punycode_idn6,794
crypto_brand_plus_action_or_auth372
document_or_mail_brand_plus_auth_doc188
finance_brand_plus_auth_payment170
wallet_drainer_lure102
apple_icloud_plus_auth93
social_brand_plus_auth80
brand_auth_random_suffix23
cloudflare_plus_auth3

Leads By TLD

TLDLeads
.vip4,388
.icu2,607
.sbs243
.cfd242
.bond134
.cyou74
.buzz13

Leads By IP Country

CountryLeads
(blank / unresolved)5,166
US940
HK566
CN375
SG131
MY87
DE78
IN69
JP46
GB40
CA34
BG28

A Precedent Of Inaction

The standard defense is that ICANN has a compliance arm that handles abuse. In practice, the compliance machine is a place where well-documented complaints go to be filed away.

Consider the “Artists vs. NameSilo” ICANN compliance case. A fully substantiated complaint about a registrar's handling of abuse was escalated through the official channel — and ICANN effectively washed its hands of it. The pattern is visible directly in the ICANN compliance dashboard: a steady intake of complaints, closed out as “resolved” with little observable change in registrar behavior.

Public record

ICANN Compliance Dashboard (04/2026): compliance-reports.icann.org/compliance/dashboard/2026/0426/report.html

The Players

ShortDot SA — The Volume Engine

Several of the zones in this report are operated by ShortDot SA (in which NameSilo reportedly holds a stake of around 11%). The ShortDot portfolio includes .icu, .bond, .cyou, .sbs, .cfd, .qpon and .buzz.

A fair question to put to anyone in the industry: when was the last time you saw a legitimate, well-known white-hat site on any of these extensions? The honest answer, for most people, is “never.” These zones live almost entirely in the long tail of throwaway registrations.

The .bond hypocrisy.

.bond was marketed as a premium destination for the financial sector. Real finance rejected it outright — no serious bank or asset manager moved its brand there. What it became instead is a goldmine for banking and crypto phishing: a financial-sounding extension with none of the financial-sector scrutiny.

TrustName — Bulletproof By Design

Then there is TrustName, a Belarusian company that configured what amounts to bulletproof DNS just two days after launch and has remained effectively unreachable by ICANN ever since. Abuse reports go nowhere; the “regulator” has no working lever to pull.

The most striking part is the geopolitics: sanctions appear to bypass the regulator entirely. An entity that would be off-limits in nearly any other regulated industry continues to operate inside the ICANN ecosystem because the fee keeps arriving and no one is incentivized to cut it off.

Related investigation

TrustName: bulletproof DNS configured two days after launch — read the full TrustName report →

Coming Before July 5th: The One-Year Report

Before the database hits its first birthday, PhishDestroy will publish a one-year report exposing the registrars — including TrustName, NiceNIC, NameSilo and others — that ignored fully justified abuse reports for 300+ days, until the offending domains simply expired on their own.

It will not be a summary. It will include the original report texts, the follow-ups, and the exact timestamps — a complete paper trail showing precisely how long a documented, actively-malicious domain can keep running while the people paid to police it look the other way.

300+ days of silence is not a backlog. It is a business model.

When the only thing that finally takes a malicious domain offline is its own expiry date, the abuse-handling system has stopped being a safety mechanism and become a billing cycle.

Sources

ICANN Base Registry Agreement, Art. 6.1

Registry fixed fee + transaction fee schedule used in the registry-side model.

ICANN RAA, Section 3.9

Yearly + variable accreditation fees used in the optional pass-through model.

ICANN Compliance Dashboard 04/2026

Public record of complaint intake and resolution outcomes.

Artists vs. NameSilo Compliance Case

Documented compliance complaint (UNY-783-11184) and its outcome.

The Database Turns One On July 5th

DestroyList is open, free, and built by operators. In a year it has fought to keep up with a flood the fee structure keeps refilling. Use it, mirror it, build on it — and watch for the one-year registrar report dropping before July 5th.

Open The Public Database Report a Domain More Investigations
#ICANN#DomainAbuse#OSINT#PhishingEconomy#RegistryFees

Related Investigations

TrustName: Bulletproof DNS Configured Two Days After Launch
DEEP INVESTIGATION
TrustName: The Bulletproof Registrar ICANN Can't Reach
The End of xmrwallet.com: NameSilo Exposed
DEEP INVESTIGATION
The End of xmrwallet.com: NameSilo Exposed
NameSilo, Webnic, NiceNic: Registrars Enabling Scams
INVESTIGATION
Registrars Enabling Global Scams
Transparency notice. PhishDestroy is a non-commercial, independent project. The financial figures in this report are a transparent fee-intake / revenue-exposure model derived from public ICANN fee schedules — not a measurement of ICANN profit or income. Our research may reflect an inherent bias against scam infrastructure and the services that enable it. We encourage readers to evaluate all material critically and independently. Read our full transparency statement →