Top-level domain hopping

URL analysis

What is top-level domain hopping?

‘Top-level domain (TLD) hopping’ is when a site (e.g. ‘anysite.tld’) keeps its second-level domain name/string (‘anysite’) but switches to a new generic (gTLD) or country-code (ccTLD) top-level domain, in essence creating a new instance of the original website, typically with different hosting details but retaining the site’s identifiable name or ‘brand’.

TLD hopping is a nefarious activity which, unless addressed, can lead to the redistribution and persistence of online CSAM which supports the commercial distribution and sale of child sexual abuse content.

From an original domain e.g. ‘anysite.tld’, multiple additional instances of the site ‘anysite.ga’, ‘anysite.ml’ or ‘anysite.com’ could be created. This allows follow-on instances of an original domain to persist online long after the original site has been taken down. This ‘hack’ keeps the website recognisable and easy to follow by offenders who want to access images hosted on each new instance of the site.

 

TLD Hopping List:

  • At the end of 2024 the IWF Top-level Domain (TLD) Hopping List contained 104 unique second-level domains which between them have accounted for 296 individual historical hops.
  • 2,123 dedicated domain strings were added to the IWF monitoring list in anticipation of future hopping activity which may trigger the *‘two hop threshold’ and enable listing the string in the TLD Hopping List.
  • The most abused domain string currently in the list has a history of eight TLD hops in addition to its initial discovery.
  • 42 unique domain strings hopped at least once in 2024; the hop may have been the first hop or one of multiple previous hops recorded. 
  • Two sites were identified as hopping on six different occasions throughout the year. The majority of sites that hopped in 2024 hopped once (in addition to any previous year’s hops).

*Before a second-level domain is added to the IWF TLD Hopping List, it must have been encountered and assessed to be a dedicated child sexual abuse site, and it must previously have hopped a minimum of two times. It will therefore have an established, proven history of being used with criminal intent over a minimum of three different TLDs.

The table below shows how hops are counted prior to being listed.

 

| Instance | Example string | Example TLD | Assessment | Hop count | Listing status |
|---|---|---|---|---|---|
| 1 | mybadsite | .info | Dedicated | 0 | Not listed |
| 2 | mybadsite | .net | Dedicated | 1 | Not listed |
| 3 | mybadsite | .mobi | Dedicated | 2 | Listed |

 

For a domain string to be classified as hopping, only exact replication of the original string is considered: for example, ‘anysite’ returning as ‘anysite1’, ‘anysites’ or ‘anys1te’ would not count as a hop and so would not be listed. A review of the data suggests that approximately 733** domain string variants were identified during the assessment of dedicated domain strings in 2024. This indicates that variants are increasingly being used as a method to perpetuate the distribution of this criminal material.

  • One forum site appeared to move between 11 iterations of the original site name over the course of the year. Interestingly, the site remained tied to its .al (Albania) ccTLD and so was not classified as an example of domain hopping.
  • A second site cycled through eight name modifications in the year; it also retained its registration under the .al ccTLD.
  • Both of the domain strings mentioned above were also subsequently found to have multiple (six and seven) identical or slightly modified registrations under the .shop gTLD in 2024, suggesting organised and systematic abuse of domain registrations.
  • .cfd, .cc, .cyou and .top were among other examples where we observed domain string modification taking place multiple times while the sites retained their original TLD registration.

**It was time-prohibitive to conclusively confirm the visual identity of each and every site in the assessment of name variants but, based on known behaviours, the nature/classification of the sites and the manipulations made to the domain strings, we are confident that the numbers suggested are a reasonable representation of the scale of obfuscation taking place within the manipulation of domain registrations.
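The counting rule from the table and the exact-match rule above can be expressed as a short routine that a registry or analyst could run over assessment records. This is an added example, not IWF code: the function names, the record layout and the sample domains are constructed, and it assumes single-label TLDs and that a re-sighting on an already recorded TLD is not a new hop.

```python
HOP_THRESHOLD = 2  # the 'two hop threshold' described on this page

def split_domain(domain):
    """Return (second-level string, TLD); assumes a single-label TLD."""
    labels = domain.strip().lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], "." + labels[-1]

def count_hops(assessed):
    """assessed: (domain, assessment) pairs in order of discovery.
    Only exact string matches are grouped, so variants never add hops."""
    seen = {}
    for domain, assessment in assessed:
        if assessment != "Dedicated":
            continue  # only sites assessed as dedicated are counted
        string, tld = split_domain(domain)
        tlds = seen.setdefault(string, [])
        if tld not in tlds:  # assumption: a repeat TLD is not a new hop
            tlds.append(tld)
    return {
        s: {"tlds": t, "hops": len(t) - 1,
            "listed": len(t) - 1 >= HOP_THRESHOLD}
        for s, t in seen.items()
    }

def screen_registration(domain, status):
    """Registry-side check: is the exact string already on the list?"""
    string, _ = split_domain(domain)
    entry = status.get(string)
    return entry is not None and entry["listed"]

# Constructed sample records (not real data)
SAMPLE = [
    ("mybadsite.info", "Dedicated"),   # initial discovery, hop count 0
    ("mybadsite.net", "Dedicated"),    # hop 1
    ("mybadsite.mobi", "Dedicated"),   # hop 2, threshold reached
    ("mybadsite.net", "Dedicated"),    # re-sighting on a known TLD
    ("mybadsite1.info", "Dedicated"),  # variant string, tracked separately
    ("anysite.com", "Dedicated"),
    ("anysite.ml", "Dedicated"),       # one hop only, not yet listed
]

if __name__ == "__main__":
    status = count_hops(SAMPLE)
    for string, entry in status.items():
        print(string, entry)
    print(screen_registration("mybadsite.shop", status))
```

Name variants such as ‘mybadsite1’ fall outside this exact-match count and would need separate similarity review.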

  

 

The chart below shows the extracted top 10 abused TLDs used by second-level domains which were included in the TLD Hopping List at the close of 2024; the list contained 104 unique strings. A total of 76 TLDs are represented in the live IWF TLD Hopping List.

Top ten TLDs abused in domain hopping (by number of domains on IWF listed service)

The numbers represented above relate to the list, which has been compiled over the past four years, and are not an indication of performance or isolated abuse levels in 2024 alone. Despite .xyz presenting as the most abused gTLD over the four-year period, the bulk of the activity predates this year’s report; only four new .xyz domains were added to the list this year.

We are pleased to have worked alongside the .xyz registry operator, an IWF Member, to reduce the instances of abuse. Our direct relationship with the operator has enabled us to ensure that dedicated domains are suspended with minimal delay: suspension took one day or less in 60% of all cases, and 100% of these dedicated sites abusing the .xyz TLD were taken down completely. In a positive downward trend for .xyz, domains sharing child sexual abuse material have reduced by 95% over the past four years of our partnership.

 

TLD hopping abuse by hosting country frequency:

  • A total of 18 countries provided hosting to child sexual abuse sites involved in TLD hopping.

Top 10 hosting locations used by TLD hopping sites (by number of unique dedicated domains)

What can we do about this?

The IWF curates a Top-Level Domain Hopping List which can be used by registries and registry service providers to help protect their TLD portfolio from being abused by criminals porting known child abuse sites onto TLDs under their control.

 

Additionally, the IWF and Public Interest Registry (PIR), the US non-profit that operates the .ORG Top-Level Domain, have launched a fund to increase the opportunities to combat domain abuse. PIR is sponsoring registries to have access to two important IWF services - Domain Alerts and the TLD Hopping List.

The increased access to these lists will allow for faster, more streamlined disruption of child sexual abuse imagery. With strong support from PIR, we continue to expand our reach within the registry sector; we currently work with a growing list of 37 registries, across 524 TLDs, covering an estimated 275,661,818 domains.

With easy and free access to IWF domain services still available in 2025, we ardently encourage stakeholders of ccTLDs and gTLDs to join the network of registries that are taking an active stand in the fight against online child sexual abuse.