Second-level domain analysis

 

The primary reason for tracking the use of second level domains as a distinct category is to provide further insight on how different domain strings are registered and used under different TLDs in both commercial and non-commercial contexts.

Tracking domain strings additionally allows us to track the use and re-use of popular strings by bad actors. This information can additionally help Registries and Registry Service Providers understand and mitigate the risk of dedicated and commercial child sexual abuse sites from being registered for nefarious reasons.

“www.anysite[.com]” – in this example, the [anysite] name or ‘string’ is classed as the second level domain of the website address.

Top 10 TLDs used in the distribution of child sexual abuse material (Instances of unique second-level domains)

The largest yearly increases were identified on the .de (Germany) and .ws (Samoa) ccTLDs.

  • 802 unique domain strings were registered under .de representing a 1,995% increase.
  • Although in much lower volume, .ws saw an increase of 2,966% with 184 unique domain strings registered and subsequently actioned by the IWF for carrying CSAM.
  • Both the .xyz and .com TLDs saw a reduction of 37% and 10% respectively in identified abuse across unique second-level domains.

Commercial distribution at the second-level domain

Second-level TLDs specifically registered and used for the commercial distribution of child sexual abuse images should rightly be a point of concern and focus. We continue to research additional ways to locate and remove such sites as well as disrupting the registration of new sites. 

The large-scale abuse of the .de ccTLD in 2023 by commercial distributors of child sexual abuse was unprecedented; no commercial websites selling this criminal material through the .de ccTLD were detected by the IWF in 2022.

In 2023 abuse rose to an incredible 783 unique second-level domains being uncovered, and in every instance the websites openly displayed images and videos of child sexual abuse on the homepage of each site.

  • The abuse of the .de ccTLD accounted for 25% of all unique commercial sites across all identified TLDs assessed.

Top 10 TLDs used for dedicated commercial distribution of child sexual abuse material (Instances of unique second-level commercial domains)

What can we do about this?

By understanding more about how second-level TLDs are specifically registered and used for the commercial distribution of child sexual abuse material, we can make them a point of focus for our work. We continue to research new ways to locate and remove these sites and disrupt the registration of new sites for this purpose.