6,242,647 domains · .icu · .bond · .cyou · .sbs · .cfd · .buzz · .qpon · PhishDestroy Research · 2026
Per-zone and cross-zone analysis. Each card links into the domain table pre-filtered by TLD or category.
chase.bond · bofa.bond · drainmebaby.bond registered openly. Wholesale $6.50/domain.kraken.cyou · uniswap.cyou.Loading…
Confirmed malicious indicators by type across all 7 zones. From ioc/indicators.csv — auto-updated daily.
ShortDot domains confirmed malicious by independent public threat intelligence sources. Cross-referenced daily against Spamhaus DBL, SURBL, URLScan.io, AlienVault OTX, and GitHub-hosted blocklists.
Top 10 days by new domain volume vs daily average. Spikes ≥5× flag coordinated bulk campaigns.
Populates after first daily fetch run.
Countries hosting IP-resolved domains across all 7 zones.
Loading…
Top targeted brand & abuse keywords across all domain labels — auto-updated daily.
Loading…
Daily new domain registrations across all 7 zones. Click any bar to download that day's domain list.
New domains registered each day across all 7 zones — auto-updated via GitHub Actions at 06:00 UTC. Each day links to a plain-text domain list.
51,670 domains with real brand names across all 7 zones via full-zone keyword scan. Top brands: Ally Bank 2,512 · Wise 2,249 · Charles Schwab 1,925 · MetaMask 1,847 · Facebook 1,641
Loading brand data…
Confirmed criminal infrastructure. Suitable for law enforcement intake.
ShortDot SA claims these zones serve "businesses, creators, and communities." We test this claim with data.
Find us a Fortune 500 company, government agency, licensed bank, or globally recognized institution that uses .icu, .sbs, .cfd, .cyou, .bond, .buzz, or .qpon as its primary operational domain. Not a test page. Not a redirect. An actual presence.
What ShortDot calls "zones for trusted brands":
The price of admission proves this is not an accident. No investor pays $227,000 per zone application to sell $0.99 domains to students.
This is not an unintended side effect. ShortDot creates the attack surface, then — through NameBlock — sells protection against it. Both legs of the same operation. The protection racket was the plan.
How 4.4 million never-activated domains inflate a public company's portfolio metrics, conceal a 2.8% real abuse rate behind a reported 0.83%, and generate $1.74M/year for ICANN — all while a stock trades at P/E 143×.
data/ioc/shared_ips.json and serial_registrants.json on each daily fetch.ShortDot operates under ICANN Registry Agreement — abuse mitigation required. Violations can result in termination of the right to operate TLD zones entirely.
ShortDot SA is a Luxembourg Société Anonyme. Luxembourg FIU (Cellule de Renseignement Financier) has jurisdiction. Collecting wholesale fees from confirmed fraud may constitute a reportable AML/CFT transaction.
All files updated daily. Full zone = all registered domains. Deployed = has hosting IP. Phantom = no IP (dead zones).
Full zone files by TLD:
Deployed (+IP) and Phantom (no IP) splits:
Open-source, independent. Evidence packages for law enforcement, brand protection, and ICANN compliance — published, reproducible, censorhip-resistant.
PhishDestroy is an independent open-source research project. We collect, analyze, and publish evidence of systemic domain abuse. Our investigations target registry operators, backend providers, and ICANN-accredited registrars whose operational models enable abuse at scale — not individual phishing pages.
ShortDot SA — covers all seven gTLD zones managed by ShortDot SA (Luxembourg) via CentralNic/Team Internet backend infrastructure. 6.2 million active domains. 70.4% phantom. $14.3M extracted annually from phishers and brand impersonators. Zero verified legitimate use cases on record.
Evidence collected from ICANN gTLD zone data (CZDS), OSINT, registrar portfolio analysis, IP clustering, WHOIS extraction, and threat-intel feeds. All data is reproducible from public sources. Every claim in this report cites its source. No extrapolation — raw counts from full zone enumeration.
ShortDot SA operates seven generic top-level domains from Luxembourg via CentralNic/Team Internet infrastructure. Seven zones with near-zero legitimate adoption — populated instead by phishing pages, crypto drain panels, carding infrastructure, and 4.4 million phantom domains that serve no purpose except generating registration fee income. ShortDot collects wholesale from all of it. Malicious or not.
The economics expose the intent. ShortDot paid $227,000 per zone application — non-refundable, paid to ICANN. Total entry cost: $1,589,000. That investment recovers only through volume: at $0.65/domain you need 2.4 million domains registered just to break even on application fees. The zones were not designed for legitimate use. They were designed for registration volume. Legitimacy was never a design criterion — it was a liability to be minimized. The zone names confirm this: .bond signals financial trust to phishing victims; .cfd is named after a leveraged financial derivative; .icu targets personal credentials. These names were not chosen for developers. They were chosen because they are credible to fraud targets.
ICANN is not a passive bystander. ICANN collects $0.25 per domain per year from every ShortDot zone — from every .icu phishing page, every .bond credential harvester, every .cfd fake investment platform, and every one of the 4,397,717 phantom domains that serves no function except generating fee income. ICANN also received $1,589,000 in application fees and collects $180,600/year in fixed zone fees. The regulator earns $1.74M annually from zones it is contractually obligated to police. Terminating ShortDot for abuse would cost ICANN $1.74M/year in recurring revenue. This is structural capture, not negligence. ICANN cannot enforce without forfeiting its own revenue stream.
NameBlock is not surprising. NameBlock — a ShortDot venture — sells brand protection services: blocking brand names from being registered in the zones ShortDot controls. JPMorgan Chase pays NameBlock to protect chase.* from being registered as a phishing domain. This is the second profit leg on the same asset. ShortDot collects wholesale when phishers register brand domains. ShortDot collects wholesale again when brands pay to defensively block them. NameBlock collects the service margin on top. The entity that manufactured the threat is paid twice to manage it. The fact that NameBlock was established before these zones reached abuse scale at all indicates this was the plan — not a response to abuse, but preparation for it.
This investigation asks three questions ICANN should have asked before delegating these zones: Who is the natural legitimate user of .icu, .sbs, .cfd, and .cyou? What purpose requires a dedicated TLD that .com or .net cannot serve? And if the answer is "no one with a legitimate business," why is ICANN collecting $1.74M per year from zones that exist to harvest registration revenue from phishing infrastructure — and why has enforcement not followed?