URL analysis
The primary reason for tracking the use of second-level domains as a distinct category is to provide further insight into how different domain strings are registered and used under different top-level domains (TLDs) in both commercial and non-commercial contexts.
Tracking domain strings allows us to track the use and re-use of popular strings by bad actors. This information can additionally help registries and registry service providers understand and mitigate the risk of dedicated and commercial child sexual abuse sites being registered for nefarious reasons.
“www.anysite[.tld]” – in this example, the [anysite] name or ‘string’ is classed as the second-level domain of the website address.
The largest yearly increases were identified on the gTLD .shop and ccTLD .cc (Cocos – Keeling Islands) TLDs.
Second-level domains specifically registered and used for the commercial distribution of child sexual abuse images should rightly be a point of concern and focus, as they represent the deliberate abuse of the Domain Name System (DNS). Where registrars are alerted to the existence of dedicated commercial websites, we encourage the investigation, where possible, of any other domains that may have been registered by the same registrant. These additional checks have the potential to uncover additional sites that the IWF can then review under a ‘special escalations’ process, which is designed to check compliance of other domains potentially associated with an offending registrant’s portfolio of domains. This proactive approach could further disrupt the criminal abuse of the DNS by suspending previously unknown new sites.
We identified 719 instances of the .cc ccTLD in 2024 making it the most abused TLD by volume of unique dedicated commercial second-level domains, representing 28% of the overall global total (193% increase on what we saw in 2023).
The .cfd gTLD was seen for the first time in the top ten since recording this information, with 52 domains identified, accounting for 2% of the overall global total (767% increase on what we saw in 2023).
In total, 2,554 unique second-level domains were uncovered and actioned, and in every instance the websites openly displayed images and videos of child sexual abuse on their homepage. In 2023 we reported 3,143 domains abused in this way, so this represents a welcome reduction of 19%.
By understanding more about how second-level TLDs are specifically registered and used for the commercial distribution of child sexual abuse material, we hope that continued vigilance and engagement with stakeholders working across registry, registrar, hosting, filtering, search and other partners will shrink the opportunities for criminal entities to profit from the sale and distribution of this type of criminal imagery. Ultimately every positive detection and prevention supports the victims and survivors of abuse.