Top level domain hopping

 

What is Top-level domain hopping?

“Top-level domain hopping” is when a site (e.g., ‘anysite.ru’) keeps its second-level domain name/string (‘anysite’) but switches to a new (generic: g or country-code: cc) top-level domain (‘.ru’), in essence, creating a new instance of the original website, typically with different hosting details but retaining the site’s identifiable name or ‘brand’.

From an original domain e.g. ‘anysite.ru’, multiple additional instances of the site ‘anysite.ga’, ‘anysite.ml’ or ‘anysite.com’ could be created. This allows follow-on instances of an original domain to persist online long after the original site has been taken down. This ‘hack’ keeps the website recognisable and easy to follow by offenders consuming images hosted on each new instance of the site.

  • 222 second-level domains hopped at least once in 2023 resulting in a total of 300 individual hops.

At the extreme end of hopping abuse over the year:

  • Six sites were identified as hopping on six different occasions.
  • Three hopped 4 times.
  • Six hopped 3 times.
  • Most sites, however, were observed to have hopped one or two times in 2023.

It’s important to note that each site additionally has the potential to hop to a different TLD at some point in the future.

Given the proven criminal nature of these sites, more should and can be done to disrupt the way in which the criminal gangs seek to beat the system and recycle their sites of child rape and torture simply by re-registering them under a different TLD.

 

TLD Hopping Denial List:

Before a second-level domain is added to the IWF TLD denial list, it must have been encountered and assessed to be a dedicated child sexual abuse site which has hopped a minimum of two times, and therefore has an established a proven history of being used with criminal intent over a minimum of three different TLDs.

For a domain string to be classified as hopping, only exact replication of the original string is considered e.g. ‘anysite’ returning as ‘anysite1’, ‘anysites’, ‘anys1te’ would not count as a hop so would not be listed. Hundreds of domain string variants were identified during the assessment of domain strings in 2023 indicating that variants are additionally being used as a method to perpetuate the distribution of this criminal material.

The table below shows how hops are counted prior to being listed.

Instance Example String Example TLD Assessment Hop count Listing status
1 mybadsite .info Dedicated 0 Not listed
2 mybadsite .net Dedicated 1 Not listed
3 mybadsite .mobi Dedicated 2 Listed

 

 

The chart below shows the extracted top 10 abused TLDs used by second-level domains which were included in the TLD hopping list at the close of 2023 which contained 87 unique strings.

Top ten TLDs abused in domain hopping (by number of domains on IWF listed service)

 

TLD hopping abuse by hosting country frequency:

  • A total of 18 countries provided hosting to child sexual abuse sites involved in TLD hopping.

The top 10 most popular hosting locations are set out in below:

Top 10 hosting locations used by TLD hopping sites (by number of unique dedicated domains)

What can we do about this?

The IWF curates a Top-Level domain hopping denial list which can be used by Registries and Registry Service providers to help protect their TLD portfolio from being abused by criminals porting known child abuse sites onto TLDs under their control*.  (*Subject to contract agreements.)

 

 

 

Additionally, IWF and PIR have launched a fund to increase the opportunities to combat domain abuse. PIR is sponsoring other registry service providers to have access to two important IWF services, Domain Alerts and the TLD Hopping List. Increased access to these lists will allow for faster, more streamlined disruption to identified child sexual abuse imagery.