⚖️ Legal & Technical Rationale

Why We Report Via Email Only

We provide registrars with complete evidence packages—doing their investigation work for free. Our reports follow legal channels because internal platform games cannot supersede international regulations.

  • 24h: Required response time under ICANN RAA §3.18
  • 13,600+: Commits to destroylist
  • $0: Our profit. 100% non-profit.

Why This Matters

Phishing isn't just an inconvenience. It's a global criminal industry destroying lives and businesses every day.

  • $16.6B: Total cybercrime losses in 2024 (FBI IC3 Report)
  • $4.88M: Average cost per phishing breach (IBM Cost of Data Breach 2024)
  • $2.77B: BEC losses in 2024, USA only (FBI IC3 Report)
  • 3.4B: Phishing emails sent daily (AAG IT Research)

ICANN Is Taking Action

Since April 2024: 400 investigations, 4 formal breach notices, 20,000+ malicious domains suspended, and multiple registrar terminations including Mixun Ltd, Zoo Hosting, Nerd Origins, and others.

Why Web Forms Fail

01. Broken CAPTCHAs & Technical Barriers

Some registrars deploy unsolvable CAPTCHAs, rate limits, and technical barriers that make form submission impossible. When reports fail, they claim "technical issues" or "reports didn't arrive."

02. No Audit Trail

Web forms provide no verifiable proof of submission. Email creates a timestamped, legally admissible record that can be presented to ICANN Compliance if the registrar fails to act.

03. Deliberate Obstruction

Certain registrars intentionally complicate their forms to discourage reporting. This is a direct violation of the RAA requirement for "readily accessible" abuse contacts.

04. Auto-Response Absurdity

Some registrars send auto-responses that classify phishing as "plagiarism" or "copyright issues"—demonstrating willful ignorance of DNS Abuse definitions established by ICANN.

05. Login Requirements

ICANN explicitly states: "Web forms must not require a login to submit abuse reports." Requiring account creation violates contractual obligations.

06. Arbitrary Field Requirements

Mandatory fields for irrelevant information, character limits on evidence descriptions, and forced categorization into incorrect report types all serve to frustrate legitimate reporters.

What We Actually Send

Our reports are comprehensive evidence packages designed to make the abuse team's job as easy as possible. We do the investigation work—they just need to act.

📄 Sample Report PDF Evidence Package

  • Case Reference & Priority: Unique tracking ID and threat severity classification
  • Technical Evidence: Domain, IP address, detection timestamp, URLScan forensic links
  • Multi-Vendor Threat Intelligence: VirusTotal detections, threat engine analysis, blacklist status
  • Visual Confirmation: Automated screenshot proving phishing content
  • Policy & Legal Violations: Specific AUP/TOS violations and applicable laws
  • Remediation Steps: Clear action items for the abuse team

💯 100% Non-Profit

We receive zero donations, zero payments, zero profit. No contracts, no directors, no commercial interests. Our project is completely open-source and exists only to fight scams.

🎯 One Goal: Eliminate Threats

We're not protecting a specific victim or company. We're eliminating threats from the internet before they cause more damage. That's it. No hidden agenda.

📋 Complete From the Start

We front-load all available evidence in our initial report: domain, IP, URLScan analysis, screenshots (multiple, attached as files and in PDF), VirusTotal detections, and threat intel. There's simply nothing more we could add.

📎 Why We May Not Respond to Follow-Up Requests

Our initial email already contains everything we have: domain, IP, URLScan forensic links, VirusTotal detections, multiple screenshots (attached as files AND embedded in the PDF report), policy violations, and legal references. Requesting "additional screenshots" when 3+ are already attached, or asking for "more evidence" when a complete PDF is included, suggests the report wasn't fully reviewed.

Additionally, we've learned that some registrars' abuse forms redirect reports to unrelated parties—their partners, resellers, or entirely different domains than the one reported. To ensure proper handling, we follow ICANN's mandated procedure: sending reports to the official abuse email address published in WHOIS records.

🛡️ False Positive? We Want to Know

We take false positives seriously and actively work to prevent them. If you believe a domain was reported in error, please let us know through one of these channels:

  • Appeal Form (recommended) — anonymous, simple, with ticket tracking to monitor status
  • GitHub Issue — public, transparent, community-visible
  • appeal@phishdestroy.io — may be delayed due to spam from reported fraudsters

The appeal form is preferred because offended scammers frequently flood our email with spam, making legitimate appeals easy to miss. The form provides a ticket number for tracking and doesn't require any personal information.

What the Law Actually Says

📋 Registrars Must Investigate

"Registrar shall take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse." The RAA does not say "investigate only if submitted through our preferred form" or "respond only if it's convenient."

⏱️ Time-Sensitive Obligations

Under the 2024 DNS Abuse Amendments, registrars must "promptly take the appropriate mitigation action(s) that are reasonably necessary to stop, or otherwise disrupt, the Registered Name from being used for DNS Abuse." Phishing domains require immediate action—not bureaucratic delays.

📧 Email Is the Legal Standard

ICANN explicitly requires registrars to publish and monitor an abuse email address. While web forms are permitted as an additional option, they cannot be the only method, and they cannot create barriers to reporting. Email remains the legally mandated baseline.

⚠️ Non-Compliance Has Consequences

Registrars who fail to comply with RAA §3.18 face breach notices from ICANN Contractual Compliance. Continued non-compliance can result in termination of accreditation. We document everything and escalate when necessary.

Recommendations for Registrars

When you receive our report, here's what we recommend beyond just suspending the single domain:

01. 🔍 Audit the Client

If a domain is compromised or malicious, check all domains owned by this client. There's a high probability their other domains also contain malicious content—either because the account is compromised, or because the "client" is actually a fraudster using your infrastructure systematically.

02. ⚖️ Blocking ≠ Justice

Simply suspending one domain doesn't stop the criminal. If the client is a scammer, they'll register new domains and continue. Consider whether this warrants a full account termination and potential referral to law enforcement in your jurisdiction.

03. 📁 Preserve Evidence

Depending on your jurisdiction, after receiving our report you may be required to retain logs and client data for potential law enforcement requests. You've been formally notified that this resource is likely malicious—act accordingly with data preservation.

04. 🏛️ Consider Legal Obligations

In many jurisdictions, knowingly hosting criminal infrastructure after notification creates liability. Our report serves as formal notice. Consult your legal team about reporting obligations to authorities and evidence retention requirements.

⚠️ Compromised vs. Malicious Registration

We report what we find—we don't determine intent. It's your job to investigate whether the domain was compromised (legitimate client, hacked account) or maliciously registered (fraudster using your service). Either way, the threat must be neutralized, but your follow-up actions may differ.

Compliance or Complicity. Your Choice.

We provide comprehensive evidence of criminal activity. We follow legal reporting channels. We do your abuse team's job for free. After that, the decision is yours: protect internet users, or enable fraud.

Be Law-Abiding

  • Investigate reports promptly
  • Suspend confirmed phishing domains
  • Comply with ICANN RAA §3.18
  • Protect your reputation

Be Complicit

  • Ignore documented abuse
  • Request endless "clarifications"
  • Face ICANN breach notices
  • Risk accreditation termination

🤝 We're not your enemy. We're doing your abuse department a service by identifying threats on your infrastructure before they result in regulatory action, reputation damage, or legal liability. Work with us, not against us.

On False Positives

🙏 We're Sorry When It Happens

Yes, false positives happen. And we're genuinely sorry when they do. We're volunteers constantly improving our detection logic and verification systems. Every false positive is embarrassing to us, and we do everything possible to minimize them.

📊 Our Track Record

Since July 2025, our false positive rate has been less than 1 per 1,000 correctly identified threats. Our repository is fully open—you can verify every report, every removal, every correction we've made.

⚠️ Don't Use Our Mistakes to Justify Yours

Our occasional errors don't excuse ignoring legitimate reports or treating every notification as a false positive. We're unpaid volunteers with no legal protection and no obligation to defend fraudsters. We simply hope you'll comply with legal standards and maintain a competent abuse department.

Full Transparency & Open Data

📜 MIT LICENSE

Everything we send is open. Everything we do is public. No secrets, no hidden agendas.

📤 Forward Our Reports

You may forward our reports to the domain owner, the alleged scammer, third parties, law enforcement, or anyone else. We explicitly permit this.

📧 Disclose Our Email

Our email address [email protected] is public. Feel free to share it with anyone, including the reported party.

📋 Share Report Contents

The full contents of our reports, including all attachments and PDF files, can be shared, copied, or published without restriction.

🏛️ Provide to Authorities

You may provide our reports and all associated data to law enforcement, regulatory bodies, or legal proceedings. We encourage this.

No Confidential Information

Our reports contain no confidential or private information. Everything we provide—domains, IPs, screenshots, analysis—is either publicly available or generated by us under MIT license. We don't require privacy, non-disclosure, or any non-transparent handling of our communications.

PhishDestroy Threat Intelligence [email protected]

💚 Thank You

To all registrars, hosting providers, and abuse teams who follow the rules, investigate reports fairly, and act to protect internet users—thank you. You make the internet safer for everyone.

We're all on the same side. Let's keep it that way.