343,107 domains scanned · Complete registrar zone · IANA #3765 · China · PhishDestroy Research · June 2026
Drill-down pages by abuse category. Each card links into the searchable domain table with the category filter pre-applied.
Quantitative summary of the registrar's zone health, written for ICANN compliance, abuse desks, and law-enforcement intake.
NICENIC INTERNATIONAL GROUP CO., LIMITED is an ICANN-accredited domain registrar based in China (IANA registrar ID #3765). This report presents the results of a complete zone scan of all 343,107 domains under registrar management, conducted in June 2026 using automated HTTP fingerprinting, headless browser analysis, and AI-assisted classification.
With 343,107 domains, NICENIC is one of the largest single registrar zones examined by PhishDestroy, and the scale of potential abuse infrastructure is correspondingly significant. Preliminary analysis identifies patterns consistent with financial phishing, crypto drains, carding infrastructure, malware distribution, illegal drug markets, and unlicensed gambling. This report is structured as a complete evidence package for law enforcement and financial intelligence units: enriched IOC CSV, AI-classified domain descriptions suitable for warrant applications and regulatory referrals.
Why ICANN is a paper trail, not enforcement — and which agencies actually carry jurisdiction over the financial and criminal layers of this operation.
ICANN was created in 1998 when the internet was an academic project, not a battlefield. Its mandate is technical stability — DNS resolution, IP allocation, protocol standards. Without ICANN the internet fragments. That is why it exists.
Not to police fraud. Not to protect victims. Not to investigate money laundering.
Violating RAA §3.18 is a breach of contract, not a crime. ICANN's ultimate sanction, accreditation revocation, takes years, creates precedent the organization fears, and leaves hundreds of thousands of domains in limbo.
An ICANN complaint is a paper trail, not a solution. File it — but don't mistake it for action.
NICENIC collects registration fees from operators running wire fraud, carding, and crypto drains — a participant in the money flow.
ICANN accreditation is a technical credential, not a shield. Criminal liability does not require ICANN to act first.
Confirmed criminal infrastructure and registrar liability indicators.
This report is prepared as evidence for an ICANN Registrar Accreditation Agreement (RAA) complaint against NICENIC INTERNATIONAL GROUP CO., LIMITED under §3.18 (Abuse Prevention) and §3.7.7 (Accuracy of WHOIS). All findings are TLP:CLEAR and may be shared with ICANN, national cybercrime units (Europol EC3, FBI IC3, Interpol IGCI), and threat intelligence platforms.
SHA-256 checksums of all published data files are in SHA256SUMS.txt.
Raw scan data: data/enriched.csv (86,114 rows) · pkg/raw_data/ (compressed originals).
Distribution of malicious domains by abuse category and severity across the 37,844 alive domains in the NICENIC zone.
Domain counts per abuse category. Colour coding: red = phishing/carding (HIGH), orange = scam/malware (HIGH), violet = brand abuse / adult, cyan = benign / dead.
64,296 classified domains with HTTP fingerprints, favicon MurmurHash3, server fingerprints, threat intel tags, registration dates, AI descriptions. Searchable and filterable.
Domains grouped by shared technical fingerprints — identical favicon MurmurHash3 or HTTP response stack — confirming coordinated infrastructure rather than independent registrants.
Four-stage technical pipeline. Every domain processed end-to-end; no sampling. Full procedural detail in README §4.
Source datasets, IOC blocklists, raw scan output, and cryptographic provenance. All artefacts content-addressed by SHA-256.
Independent anti-phishing and anti-fraud research collective publishing public evidence packages, IOC feeds, and threat-actor attribution dossiers.
Complete-zone scans of accused-bulletproof registrars. Real-time IOC publication. Operator attribution via corporate-registry forensics, payment-rail tracing, and infrastructure clustering.
Every dataset is TLP:CLEAR and MIT-licensed. Designed for ICANN compliance, law-enforcement intake, regulatory referral, and academic citation. SHA-256-anchored chain of custody.
🌐 phishdestroy.io — main site & investigation archive
🐙 github.com/phishdestroy — code & datasets

This is not a complaint to ICANN. ICANN is a technical body — it standardises DNS resolution and allocates IP space. It was not designed to stop wire fraud. The RAA §3.18 acknowledgement requirement exists on paper. In practice, enforcement is a multi-year process of letters and reviews, measured in months while victims are measured in dollars lost per hour. That is the wrong regulator for this problem.
This is about money flows. Every domain in this dataset generated a registration fee. Every renewal generated another. Every day an abuse report sat unanswered, the registrar collected revenue from an active fraud operation. That is not a compliance gap — that is a business model.
Registrars are not passive infrastructure. They are the first and only chokepoint that can kill a fraud domain in 24 hours — no court order required. Their choice not to act is a decision with a revenue motive attached. The "not our jurisdiction" defence does not survive contact with one question: then why are you cashing the check?
Exclude the newcomers — the inexperienced operator who found a registrar via a Google ad or picked the cheapest option. Organised scam teams don't pick registrars by price. They pick by track record: which registrar ignores abuse reports, which privacy shield survives a takedown attempt, which reseller delivers domains fast with no questions asked.
In CIS-language fraud forums and Telegram channels, registrar recommendations circulate as operational intelligence. There are black-market resellers — "bulletproof domain" brokers — who specifically source from NICENIC, NameSilo, and similar registrars and sell to scam teams pre-configured. These resellers exist because these registrars reliably do not act on abuse reports. That is the product being sold.
When the same operator fingerprints — email clusters, favicon hashes, server stacks — appear across hundreds of domains registered at the same registrar over months: that is not coincidence. That registrar's non-enforcement is documented institutional knowledge in the criminal ecosystem. The question is not why scammers keep buying from NICENIC or NameSilo. The question is why NICENIC and NameSilo keep selling to them.
PhishDestroy is not the only source. Every major registrar receives abuse reports from APWG, PhishTank, national CERTs, ISACs, brand protection teams, and individual researchers — continuously, in volume. There is no global centralised body that audits whether those reports are actually processed, no mandatory disclosure requirement, no independent verification. A registrar can claim to have received nothing, and there is currently no mechanism to prove otherwise at speed.
NameSilo received documented abuse reports from PhishDestroy alone — more than 20, with full evidence packages, timestamped, on record. Their public position was that they had received nothing. That is not a miscommunication. That is a lie.
The same pattern is predictable across Russian-connected registrars: when confronted, the default response will be "we never received any reports." It is the only legally useful position — because receiving a report and ignoring it is not the same as never receiving one.
Receiving an abuse report and ignoring it is not negligence. Negligence is an accident. Receiving documented evidence of an active fraud domain, taking no action, and collecting the renewal fee is a choice. That choice has a name: complicity.
There is a measurable difference between registrars that treat abuse as a compliance checkbox and those that treat it as a business policy. Responsible registrars — the ones that do not want fraud operators as clients — respond to a confirmed abuse report by suspending the entire account: every domain registered by that operator, in one action. They have seen the account. They know what it is.
The registrars documented in this investigation respond differently. A complaint arrives. One domain — the reported one — may eventually be suspended. The other 200, 500, or 1,000 domains on the same account continue operating. The operator registers new ones the same day. The registrar has seen the pattern. They have chosen to look away.
KYC and reseller vetting requirements exist on paper. In practice they are either absent or trivially bypassed — a formality that provides legal cover without creating any actual barrier to a fraud operator opening an account and registering domains at scale. Our non-public investigation into registrar intake processes, conducted prior to this report, found no meaningful friction at the account-creation stage for the registrars examined here.
When NameSilo responded to documented abuse of xmrwallet[.]com —
a Monero drainer with $10–20M in confirmed victim losses —
by offering to clear its VirusTotal detections
rather than suspending the domain: that was not a mistake. That was a choice.
Every domain in this dataset is a receipt.
The receipt exists whether the registrar acknowledges the transaction or not.
Daily and monthly new domain registrations.

New domains registered daily — auto-fetched from registrar zone data every 6h. Download any day as a plain-text blocklist.

How long operators register domains for. Longer registration = greater investment = more serious/organised campaign.
Domain zone distribution with average registration period per TLD. Cheap short-reg TLDs signal bulk throwaway infrastructure.
Whether domains had an IP at time of fetch. No IP = registered but not yet deployed (parked, pre-staged, or bulk spam).
Estimated registration fees based on public TLD pricing. Does not include renewals or promo rates.
⚠️ Estimates use average public TLD prices. Actual revenue will differ.
IP country at time of domain registration. No IP means domain was not yet deployed when fetched.
IP addresses hosting the most phishing domains. High-count IPs indicate bulletproof hosting infrastructure shared across campaigns.
Estimated registration revenue split by TLD. Shows which zones generate most income for the registrar from phishing operators.
How old domains were at the time of first fetch. Same-day and within-week catches indicate early warning capability.
Days with abnormally high registration volume — likely campaign start dates. Multiple-of-average spikes indicate coordinated bulk registration events.
Email addresses and phone numbers used to register phishing domains. Repeated contacts across hundreds of domains identify serial abuse operators — direct IOCs for attribution.
Brand names and phishing keywords found in domain labels. Shows which ecosystems are most targeted: crypto wallets, exchanges, DeFi protocols, and support scams.
Registrant emails appearing across multiple phishing domains — direct operator fingerprints. High repeat count = organised, sustained campaign. Import into SIEM/EDR for attribution.
Cross-reference with the main Destroylist blocklist. Confirmed phishing domains validated by independent verification pipeline. Unranked % = new infrastructure with no prior web presence.