Abuse of top-level domains (TLDs)

URL analysis

This analysis looks at the distribution of child sexual abuse URLs found to be operating under each website’s top-level domain (TLD).  Each recorded URL may relate to a single image or multiple images of child sexual abuse identified on URLs operating under a specified TLD.

  • We recorded 251 top-level domains as being abused as a method to share child sexual abuse material; this is an increase from 238 TLDs in the previous year, a rise of 5%.

The abuse of TLDs can be further broken down as follows:

  • 129 generic top-level domains (gTLDs) were abused, a decrease of 10% from the 143 gTLDs identified in 2023.
  • 122 country code top-level domains (ccTLDs) were abused, an increase of 28% from the 95 identified in 2023. Some ccTLDs operate second-level domains in a manner that operates functionally as separate TLDs, such as co.uk, com.au, com.in and many others. For the purpose of measuring, we include those second-level domains as individual ccTLDs.
  • We urge all country code stakeholders to protect their ccTLD portfolio against the rise in this abuse, by taking advantage of the IWF domain services which can now be accessed for free. 

For the calculation of volumes on a URL, webpage reports for www.anywebsite.tld, www.anywebsite.tld/forum/page1 and www.anywebsite.tld/images/girls.html would be counted as three separate instances of child sexual abuse attributable to the identified TLD.

Top 10 TLDs by volume of actioned reports

 

Case study of an image host site

How small platforms can systematically abuse hosting and registry providers

.com.ua has its origins under the ccTLD for Ukraine (UA). When investigating the abuse of .com.ua, our data shows that a single image host was responsible for abusing the site by sharing child sexual abuse material; there was one exception (a single website) which accounted for a single instance of child sexual abuse imagery being shared. Children identified on the image host site during the course of the year ranged from 0-2 years of age up to 14-15 years of age; the content covered the full spectrum of severity of abuse. The site in question is used by forums and chat sites as a repository for links to child sexual abuse material, and images were being shared between offenders.

Since discovering the site, the IWF has removed over 208,890 URLs showing criminal images of children directly from the site. 

  • In 2024 a total of 89,575 URL instances of child sexual abuse material were actioned on the image host site operating under .com.ua; this is an addition to 9,350 times in 2023 and a further 24,431 times in the same year operating under different abused TLDs. This demonstrates the mercurial way that abuse content travels across the internet.
  • The site changed hosting country eight times in 2024 to avoid permanent takedown. We identified it being hosted in the following countries Austria, Bulgaria, Czech Republic, Latvia, Moldova, Netherlands and Romania.
  • The site also ‘hopped’ or changed its TLD 10 times as an additional evasion technique to keep the site online; before migrating to .com.ua, the site was previously registered under .cc, .cloud, .de, .digital, .fun, .life, .link, .pics and .pro
  • The site re-registered under the .ai.in TLD and slightly modified its second-level domain string/name in a further bid to remain online; the intent being that consumers of the site would still be able to find it online even after the minor name modification.

Our excellent working partnerships with IWF registry Members and affiliates means we have been able to act quickly to bring domain suspension to the most problematic sites. Regardless of the site’s hosting location, domain suspension works in support of our takedown actions which are notified separately to hosting companies. When the image host began operating under the .pro gTLD, we were able to notify the registry in real-time, outlining the scale of abuse discovered in a single morning’s operations. Following IWF notifications to our partners at Identity Digital, the site was immediately suspended, halting the distribution and access to thousands of images of child sexual abuse. This single instance of abuse was the sole cause of .pro gTLD appearing in the top 10 listings.

This case study demonstrates the power of collaboration and proactive engagement. It is not always possible for service providers to fully protect themselves from the actions of bad actors, and child sexual abuse material in quantity can quickly and easily slip through the net. Having the tools, ability and desire to grip the issue as soon as it arises is vital; the fast response by Identity Digital underscores the strength of coordinated partnership in mitigating the distribution of child sexual abuse material. 

The continued expansion of our network of partner registries and registry service providers continues to shrink the spaces available for bad actors to distribute and view child sexual abuse imagery.

The top 10 listed TLDs in our analysis are subject to an expected level of fluctuation each year which is influenced by factors including high volume image hosts and forums as well as persistent recidivist child sexual abuse commercial sites which choose to register their domains under a particular TLD of choice. IWF reported volumes are also heavily influenced by proactive search resource availability which has to be counter balanced against growing demand from inbound public reporting.

Our analysis of child sexual abuse material domain abuse in 2024 additionally identified an increase in the abuse of the .shop gTLD. In 2023 we identified just six instances of child sexual abuse imagery across six different websites under .shop; in 2024 this rose to 43,614 instances across 118 different domains operating under a .shop registration. 99% were identified through proactive searching by our analysts. 31 of the sites registered were classified by the IWF as being dedicated commercial child sexual abuse sites. Site types identified included image host, banner, Invite Child Abuse Pyramid (ICAP) and cyberlocker sites.

What can we do about this abuse?

Our Domain Alerts help our Members  in the domain registration sector reduce and prevent the abuse of their service, providing early warning alerts to abuse detected on their sites as well as preventing criminals re-registering websites with a known child sexual abuse history on additional TLDs. In 2025 we aim to produce a ‘Red Watch' list, which IWF Members will be able to use as intelligence to mitigate the opportunities for child sexual abuse material, and links to such imagery, from being circulated across their services.