IWF Domain Services

IWF and PIR logos

We are pleased to be able to offer free sponsored access to IWF’s word class domain abuse mitigation services. Through this unique arrangement supported by PIR, you can take advantage of two of our key services designed specifically to combat the misuse of g/cc TLDs used in the distribution of online child sexual abuse images. The services available through this arrangement are Domain Alerts and our TLD Hopping List. For further information on each of these services, please scroll down to the relevant sections. Applicants can opt into taking either or both services.

If you would like to register to take advantage of the services on offer, please complete the IWF Domain Services Application form.

When we have reviewed your application, and if it is successful, we will provide a Domain Services Licence for a representative of your organisation to sign.  

IWF Top-Level Domain Hopping List service

The TLD Hopping List allows you to pro-actively reserve known dedicated second-level domain strings that have been confirmed to move from TLD to TLD with the express purpose of selling or distributing child sexual abuse material.

Why has the IWF introduced this service? 

It has been proved without question that ‘bad actors’ profiting from the sale and or distribution of Child Sexual Abuse Material (CSAM) across the internet, do so by exploiting legitimate services and processes owned or under the control of legitimate business. The regular exploitation of Registry and Registrar services is part of the deception tool kit carried out by criminal actors.  Dedicated sites are registered and used to distribute, facilitate and or sell CSAM online and with a view to attaining a market share of traffic and revenue for the site owners.

When a domain is taken offline by the host or suspended by Registry/Registrar action, the site owners wish to retain their market position and will often seek to register the same familiar String under a different TLD suffix, making it easier for their users to find their site again after a takedown. IWF data shows that hundreds of sites seek to exploit this opportunity to hop domains to minimise the disruption to their site’s revenue stream and customer base. This IWF service is designed to disrupt and deter criminals from exploiting Registries, Registrars, and other stakeholders; this service will simultaneously protect children and the public from the distribution of criminal images and videos of child sexual abuse.

What are the criteria for domains to be added to the list?

For the string to be included in the list, the sites must meet all the tests set out below.

  • The site will have been visually verified, as being in breach of UK Law, namely the Protection of Children Act 1978 and/or Sexual Offences Act 2003. Content will be digitally captured with a date and timestamp record and saved for evidential and quality assurance purposes.
  • Sites must (in the opinion of an IWF analyst) have been produced primarily or exclusively for the sale, facilitation (Gateway sites and Referrers) and or distribution of Images of child sexual abuse; sites of this nature are referred to in this document as ‘dedicated’ domains.
  • The unique strings under the TLD will have been identified to have been registered and made live over a minimum of three different TLDs having ‘hopped’ a minimum of two times*. In each consecutive hop, the site must have been assessed to be dedicated to the distribution of CSAM.

*Hops and listing criteria are confirmed as follows.

Hops and listing criteria

** Regardless of listing status, all dedicated websites will be notified individually to the appropriate Sponsored service user via the standard Domain Alert Service* with a view to achieving the suspension of each individual website as it is encountered, regardless of whether the site has reached the required two hop status for inclusion on the TLD Hopping list and potential reservation by the IWF Member. * Only sponsored service users taking the IWF Domain Alert Service in addition to the Hopping list will receive the domain single alerts (See Domain Alerts Service).

Domain Hopping Listing notifications

The list will be sent via email in an encrypted Excel file format, to all list takers every two weeks. Participants should inform the IWF of the email addresses or distribution mailbox they wish to receive the notifications.

The password provided will be consistent across all takers of the list but is subject to change by IWF. If the access password is changed, IWF will notify list takers.

The security of the data included in the Domain Hopping List is the responsibility of all those involved. Please be aware of your organisation’s security policies. The Domain Hopping List data is to be treated with the utmost care to limit the chances of inadvertent access to its contents.

How often will the list be checked and quality assured?

All listed items will be checked to confirm that they meet the criteria set out above and that the domain has not been repurposed for use by a legitimate entity. It should be noted that strings which are listed, the sites may or may not be live during their inclusion on the list, unlike the IWF URL list, the list will purposely contain the strings of suspended and offline sites.

When new domains are detected by the IWF Reporting system (RMS), they are not automatically added to the list. Each domain will undergo an additional review by a Senior Analyst to ensure that the identified domain string meets the criteria for listing. Participants will retain the right to query and report any listings or associated listings for 'special escalation' back to the IWF for review if there is a concern about the status, complicity or otherwise of a listed domain string. All such queries should be sent to [email protected] with the subject line ‘TLD Special Escalation’. The sender should identify the string in question and provide any other relevant information that may be of value. The IWF will endeavour to respond to all such enquiries as a priority and will respond as soon as practicable.

Size of the List

The number of strings on the list will fluctuate over time and has no set maximum or minimum number of entries, however, this will be kept under review and will be made available for as long as participants express that the list has value. If the list expands or reduces to impractical levels, then a review may be requested by the IWF or list subscribers to consider increasing or reducing the size of the list by considering factors not limited to, but including the number of Hops encountered before listing, or the dormancy period of a string before it is delisted.

IWF Domain Alerts

Domain Alerts can help registry operators stop or minimise the distribution and proliferation of child sexual abuse images taking place under their portfolio of top-level domains.

Here’s what you need to know about how Domain Alerts can benefit you and your users.

Our expertise

More than 2.7 million reports of suspected child sexual abuse imagery have been investigated by our human analysts since IWF was created. In 2023 alone, we identified more than a quarter of a million (275,655) webpages of confirmed child sexual abuse – an 8% rise (from 255,570) on what we detected the year before. Each webpage can contain hundreds, or even thousands, of individual images or videos of child sexual abuse.

How Domain Alerts work for you

Our alerts notify registries in real-time when confirmed criminal child sexual abuse pictures and videos are identified. This allows registries to take immediate and appropriate action to suspend a dedicated or commercial (complicit) child sexual abuse domain, or simply be alerted of the fact that significant volumes of child sexual abuse images are being shared on a registered domain.

Unchecked or unchallenged child sexual abuse can be damaging to the reputation and brand of the registry as well as the specific Generic or Country Code TLD.

In addition to notifying the registry, our Hotline analysts will take action to have the content removed at source by the hosting provider and their customer. However, without the Domain Alert service, both types of abuse typically remain undetected by the registrar.

Our services help registry operators stand out as ‘best in class’ and demonstrates a commitment to tackling online child sexual abuse imagery wherever and whenever it is found online and across the different but related layers of the internet and the DNS. 

In 2023, our Hotline identified:

  • 238 top-level domains as being abused to serve child sexual abuse material over the year. This represents an increase from 209 TLDs identified in 2022; an increase of 14%.
  • 143 Generic Top-Level Domains (gTLDs) being abused; an increase of 47% from the 97 gTLDs identified in 2022, and
  • 95 country code Top-Level domains (ccTLDs) being abused.


How do we apply to receive the Domain Alerts?

Thanks to a sponsorship from PIR, IWF’s Domain Alerts are available to ICANN/IANA registered registries*. Please apply here.

If you would like to apply for full IWF paid membership with additional services and benefits, you can apply here*Terms and conditions apply.

Can I trust the quality of the Domain Alerts sent by the IWF?

Before a Domain Alert is sent, every website is subjected to human review with an ‘eyes on’ assessment by our trained internet content analysts. The content of the site is captured and downloaded for evidence and the criminal images are hashed, graded and uploaded into the UK police national Child Abuse Image Database (CAID). All IWF analysts are content-assessment certified and IWF assessments are accepted by UK law enforcement as having trusted vote status.

How are Domain Alerts received by registries from the IWF?

Domain Alerts will be sent via email, in real-time, whenever we see child sexual abuse images on one of your top-level domains.

We suggest providing a dedicated or distribution group email mailbox rather than a named individuals email for us to notify you on. IMPORTANT: Alerts are sent with offending webpage URL(s), however, to avoid creating any live clickable links, we ‘defang’ the URL, so it starts “hxxp://”, and is therefore not a clickable link.

Registries have limited ability to remove content, is dealing with them the right approach?

Removing content at source, via the host working with the site owner is the standard method for removal; we understand registries cannot remove individual images - only suspend entire domains. Suspending an entire domain when it is appropriate to do so is, however, a powerful tool available to registries. For instances where domain suspension is not appropriate, notifications on TLD domain abuse can act as a valuable due diligence and monitoring tool to be kept abreast of illegal activity on TLDs. The volume and regularity of child abuse content being hosted on a particular domain may well be the determining factor and insight that a registry requires in order to make an informed decision about the acceptability of continuing to allow a website to operate under a particular TLD.

How should we act on receiving a Domain Alert from the IWF?

The Alert is there to advise that we have identified content on the domain and we will be working with the host to get it removed. If we notified on a dedicated or commercial domain, then the registry may seek to move quickly to suspend the continued operation of that domain. Suspension will prevent the domain from simply changing hosting provider in a bid to remain online.

What about innocent actors, like hacked sites or filesharing sites?

We would not seek the suspension of a domain unless the domain owner refused to remove the content (assuming the host did not suspend connection first), which is unlikely.

Will PIR also receive the Alerts?

No. The only people who will see the Alerts are the IWF and the registry concerned. We are very proud of this partnership with PIR, but they will not be involved in the operation of the Alerts at all.