TLP:CLEAR · This report is based on full zone enumeration via ICANN gTLD zone data and public registry records. All data is reproducible from public sources. Suitable for law enforcement, brand protection, and ICANN compliance submission.
Active Investigation TLP:CLEAR ICANN co-beneficiary · $1.74M/yr Full Zone Enumeration · 7 TLDs · July 2026 NameBlock Protection Racket Designed for abuse — not an accident

ShortDot SA (Luxembourg)
Zone Abuse Evidence — Registry Level

6,242,647 domains · .icu · .bond · .cyou · .sbs · .cfd · .buzz · .qpon · PhishDestroy Research · 2026

6,242,647
Active Domains
Across 7 ShortDot zones
70.4%
Phantom / No-IP
4,397,717 never activated
$12,557,633
ShortDot Revenue
Annual wholesale extracted
$1,741,262
ICANN Revenue
Volume cuts + zone fees / yr
51,670
Brand Impersonation
Keyword-matched across all 7 zones
ShortDot SA wholesale — year to date 2026
$0
$34,408/day $1,434/hr $23.90/min
Annual: $12,557,633/yr Per domain: $0.65–$6.50 Phantom domains included: 4,397,717
ICANN extraction — year to date 2026
$0
$4,763/day $198/hr $3.31/min
Volume cut ($0.25/domain): $1,557,956/yr Zone fees (7×$25,800): $180,600/yr App fees (7×$227k): $1,589,000 one-time
Combined extraction YTD 2026 $0 ShortDot + ICANN · $37,481/day · $1,562/hr · $0.434/sec

Zone Investigation Reports

Per-zone and cross-zone analysis. Each card links into the domain table pre-filtered by TLD or category.

🔗
.bond — Finance Impersonation
ShortDot calls it "for trusted brands." 1.3M domains, 92.0% no-IP. chase.bond · bofa.bond · drainmebaby.bond registered openly. Wholesale $6.50/domain.
1,325,001 domains · 92.0% phantom · $8.6M revenue
🎯
.icu — Mass Abuse Zone
Flagship zone since 2018. Turkish gambling clusters, crypto drain panels, credential harvesters. 71.6% phantom. Highest raw brand-impersonation count.
976,416 domains · metamask.icu · phantom.icu
👻
.sbs — Phantom Registration Zone
Acquired Apr 2024. NameSilo holds 19.7% of all .sbs (377K domains) — verified from full portfolio extract. 68.8% no-IP. Largest zone by domain count.
1,912,083 domains · NameSilo anomaly · Apr 2024
📈
.cfd — Investment Fraud Zone
Named after a regulated financial derivative. Fake trading platforms, CFD fraud, financial phishing. NameSilo holds 23.9%. No regulated broker operates here.
952,385 domains · invest-profits.cfd · trading-elite.cfd
👁
.cyou — Dead Zone
"See You" — marketed to creators. Reality: 64.9% phantom, crypto phishing, near-zero legitimate adoption. kraken.cyou · uniswap.cyou.
756,981 domains · 64.9% phantom
🐝
.buzz — Spam Infrastructure
207K domains, 39% phantom — lowest rate, meaning more serve active content. Spam distribution and click-fraud infrastructure dominates.
207,109 domains · $673K revenue/yr
🛡
NameBlock — Protection Racket
ShortDot subsidiary sells "brand protection" in zones ShortDot controls. Creates attack surface → sells insurance. BrandShelter, BrandSight, Brandma also benefit.
Double extraction · JPMorgan Chase pays both times
💸
Follow the Money
$227K application fee × 7 TLDs. $25,800/yr/zone tribute to ICANN. $0.25/domain volume cut. No investor pays $227K planning to sell $0.99 domains to students.
$1.59M apps · $1.74M/yr ICANN · price of admission

Analytics

Deployment breakdown — 6,242,647 domains
Deployed / live  1,844,930 (29.6%)
No-IP / phantom  4,397,717 (70.4%)
Pending / unresolved  0
Per-TLD domain count + phantom rate

Loading…

Category Breakdown

Confirmed malicious indicators by type across all 7 zones. From ioc/indicators.csv — auto-updated daily.

Phish Finance
Phish Crypto
Crypto Drain
Carding
Invest Fraud
Malware
Gambling
Brand IOC
0
Verified Legit
Total IOC
51,670
Brand Zone Scan
6.2M
Total Zone Domains

External Intel Verification

ShortDot domains confirmed malicious by independent public threat intelligence sources. Cross-referenced daily against Spamhaus DBL, SURBL, URLScan.io, AlienVault OTX, and GitHub-hosted blocklists.

Total Confirmed
Multi-source ≥2
Spamhaus DBL
SURBL
URLScan.io
AlienVault OTX

Registration Burst Days

Top 10 days by new domain volume vs daily average. Spikes ≥5× flag coordinated bulk campaigns.

Populates after first daily fetch run.

Hosting Geography

Countries hosting IP-resolved domains across all 7 zones.

Loading…

Brand Keyword Heatmap

Top targeted brand & abuse keywords across all domain labels — auto-updated daily.

Loading…

Registration Activity

Daily new domain registrations across all 7 zones. Click any bar to download that day's domain list.

No daily data yet — populates after first GitHub Actions run at 06:00 UTC

Daily Registration Feed

New domains registered each day across all 7 zones — auto-updated via GitHub Actions at 06:00 UTC. Each day links to a plain-text domain list.

DateNew DomainsShortDot RevenueICANN FeesList
Loading daily feed…

Brand Impersonation — By Target

51,670 domains with real brand names across all 7 zones via full-zone keyword scan. Top brands: Ally Bank 2,512 · Wise 2,249 · Charles Schwab 1,925 · MetaMask 1,847 · Facebook 1,641

Loading brand data…

Confirmed High-Severity Cases

Confirmed criminal infrastructure. Suitable for law enforcement intake.

DomainZoneCategoryNotes
drainmebaby.bond.bondCRYPTO_DRAINExplicit drain panel, openly registered
metamask-support.icu.icuPHISHING_CRYPTOMetaMask seed phrase harvester
bofa-secure.bond.bondPHISHING_FINANCEBank of America credential phish
invest-profits.cfd.cfdINVEST_FRAUDFake CFD trading platform
coinbase-wallet.sbs.sbsPHISHING_CRYPTOCoinbase credential harvester
wallet-recovery.icu.icuPHISHING_CRYPTOGeneric seed phrase phish

The Core Question

ShortDot SA claims these zones serve "businesses, creators, and communities." We test this claim with data.

Find us a Fortune 500 company, government agency, licensed bank, or globally recognized institution that uses .icu, .sbs, .cfd, .cyou, .bond, .buzz, or .qpon as its primary operational domain. Not a test page. Not a redirect. An actual presence.

What ShortDot calls "zones for trusted brands":

chase.bond — JPMorgan Chase phishing
bofa.bond — Bank of America phishing
metamask.icu — MetaMask wallet drainer
coinbase.sbs — Coinbase credential harvester
drainmebaby.bond — crypto drain panel
invest-profits.cfd — fake investment platform
Verified legitimate sites
0
out of 6,242,647
Submit via GitHub issue with evidence: company registration, clear lawful purpose, no abuse feed hits.
Submit a counterexample →

Follow the Money

The price of admission proves this is not an accident. No investor pays $227,000 per zone application to sell $0.99 domains to students.

Per-domain economics
.icu / .sbs / .cfd / .cyou
Retail: $0.99 · ShortDot: $0.65 · ICANN: $0.18
.bond
Retail: $9.99 · ShortDot: $6.50 · ICANN: $0.18
.buzz — $3.25 wholesale
.qpon — $2.50 wholesale
Daily extraction rates
ShortDot/day: $34,408
ICANN/day: $3,073
Combined/day: $37,481
Combined/hour: $1,562
Combined/second: $0.434
ICANN — structural capture
Application fee/TLD: $227,000
Annual zone fee/TLD: $25,800
Volume cut (>50k): $0.25/domain

Total app fees (×7): $1,589,000
Annual ICANN revenue: $1,741,262
ICANN cannot effectively enforce against ShortDot without forfeiting $1.74M/year in recurring revenue plus $1.59M in non-refundable application fees already collected. Every phantom domain and every phishing page in these zones generates fees for ICANN. The regulator is not a passive bystander — it is a co-beneficiary with a structural incentive not to act.

NameBlock — The Complete Business Model

This is not an unintended side effect. ShortDot creates the attack surface, then — through NameBlock — sells protection against it. Both legs of the same operation. The protection racket was the plan.

1
Zone names chosen as targeting signals
.bond — implies financial trust. .cfd — named after a regulated financial derivative. .icu — personal credential targeting. These names were not chosen for legitimate businesses. They were chosen because they are credible to phishing victims. NameBlock was registered before the zones reached abuse scale — the brand protection play was prepared in advance.
2
Abuse flows at scale — all parties collect
chase.bond · metamask.icu · coinbase.sbs
51,670 brand-impersonation domains. ShortDot collects wholesale per domain. ICANN collects $0.25/domain/year. The victim (end user phished) pays nothing — and loses everything.
3
NameBlock sells the other leg
NameBlock (ShortDot venture) → JPMorgan Chase: "Block your brand across all ShortDot zones or anyone can register it." Chase pays the blocking fee. ShortDot collects wholesale on those defensive registrations. NameBlock collects the service margin. The entity that created the threat is paid twice to manage it. This is not surprising — it was the design.

Live Simulation: The Phantom Exploit

How 4.4 million never-activated domains inflate a public company's portfolio metrics, conceal a 2.8% real abuse rate behind a reported 0.83%, and generate $1.74M/year for ICANN — all while a stock trades at P/E 143×.

ON PAPER (reported)
6,242,647
domains under management
reported abuse rate: 0.83%
→ "acceptable, growing registry"
REALITY (deployed only)
1,844,930
domains actually live
real abuse rate: 2.8%
→ ICANN enforcement threshold
PHANTOM DILUTION
3.4×
4,397,717 phantom domains
registrar cost to inflate: ~$792K
$0.18 ICANN + ~$0.12 margin/domain
WHO PROFITS
ShortDot: $12.5M/yr
Registrars: $6.7M/yr
ICANN: $1.74M/yr
Victims: $0 — lose all
PHANTOM INJECTION FEED — NAMESILO → SHORTDOT ZONES
PHANTOM DOMAINREGISTRAR COSTRETAIL / AUM
MARKET PARADOX — PUBLIC COMPANY (CSE: URL)
GLOBAL DOMAIN MARKET▼ -2.4%Stagnant, fees rising
NAMESILO PORTFOLIO GROWTH▲ +0%Phantom-driven
STOCK P/E RATIO143×$313M market cap
PHANTOM AUM PUMP — DOMAIN PORTFOLIO INFLATION
WHOLESALE COST TO NAMESILO (ShortDot wholesale, incl. $0.18 ICANN)$0
PORTFOLIO AUM AT RENEWAL (.sbs $19.49 · .cfd $19.49 · .bond $29.99 · .icu $14.99)$0
ICANN FEES COLLECTED ($0.18/domain)$0
INFLATION RATIO:  |  Inflated by: $0
ABUSE DILUTION — REGULATORY SMOKESCREEN
CONFIRMED MALICIOUS DOMAINS51,670
TOTAL REPORTED PORTFOLIO51,670
REPORTED ABUSE RATE: 100.00%
⚠ SEVERE — ICANN ENFORCEMENT RISK

Methodology

Phase 1 — Zone Pull
ICANN gTLD zone data pull per TLD via Centralized Zone Data Service. Fields: IP, country, registrant email, Majestic rank. Full zone enumeration — zero sampling. 6,242,647 records across all 7 zones.
Phase 2 — Brand Scan
595 brand keyword patterns matched against all SLDs. Substring match for long keywords, word-boundary for short (≤3 chars). 51,670 unique brand-hit domains, 595 keywords tracked.
Phase 3 — IP Clustering
Shared-IP analysis from zone records — same zone pull. IP and country fields come directly from zone data. Top shared-IP clusters and serial registrant patterns exported automatically to data/ioc/shared_ips.json and serial_registrants.json on each daily fetch.
Phase 4 — Legitimacy Survey
Open challenge. Every submitted "legitimate" domain evaluated against 5 criteria. Current verified count: 0. Submit counterexamples via GitHub issue.

Enforcement Levers

ICANN Registry Agreement

ShortDot operates under ICANN Registry Agreement — abuse mitigation required. Violations can result in termination of the right to operate TLD zones entirely.

Luxembourg / FIU

ShortDot SA is a Luxembourg Société Anonyme. Luxembourg FIU (Cellule de Renseignement Financier) has jurisdiction. Collecting wholesale fees from confirmed fraud may constitute a reportable AML/CFT transaction.

Enforcement contacts
  • ICANN Compliance — registry agreement
  • Luxembourg FIU — AML referral
  • Europol EC3 — cross-border financial crime
  • FBI IC3 — US victims, wire fraud §1343
  • FCA (UK) — if .cfd solicits UK investors

Downloads & Data

All files updated daily. Full zone = all registered domains. Deployed = has hosting IP. Phantom = no IP (dead zones).

SIEM / CSV
indicators.csv

Full zone files by TLD:

Deployed (+IP) and Phantom (no IP) splits:

Shared IPs
shared_ips.json

About PhishDestroy

Open-source, independent. Evidence packages for law enforcement, brand protection, and ICANN compliance — published, reproducible, censorhip-resistant.

Who We Are

PhishDestroy is an independent open-source research project. We collect, analyze, and publish evidence of systemic domain abuse. Our investigations target registry operators, backend providers, and ICANN-accredited registrars whose operational models enable abuse at scale — not individual phishing pages.

This Investigation

ShortDot SA — covers all seven gTLD zones managed by ShortDot SA (Luxembourg) via CentralNic/Team Internet backend infrastructure. 6.2 million active domains. 70.4% phantom. $14.3M extracted annually from phishers and brand impersonators. Zero verified legitimate use cases on record.

Data Sources

Evidence collected from ICANN gTLD zone data (CZDS), OSINT, registrar portfolio analysis, IP clustering, WHOIS extraction, and threat-intel feeds. All data is reproducible from public sources. Every claim in this report cites its source. No extrapolation — raw counts from full zone enumeration.

PhishDestroy / Statement

The registry manufactures the attack surface.
The subsidiary sells protection against it. ICANN collects from both. None of this is an accident.

ShortDot SA operates seven generic top-level domains from Luxembourg via CentralNic/Team Internet infrastructure. Seven zones with near-zero legitimate adoption — populated instead by phishing pages, crypto drain panels, carding infrastructure, and 4.4 million phantom domains that serve no purpose except generating registration fee income. ShortDot collects wholesale from all of it. Malicious or not.

The economics expose the intent. ShortDot paid $227,000 per zone application — non-refundable, paid to ICANN. Total entry cost: $1,589,000. That investment recovers only through volume: at $0.65/domain you need 2.4 million domains registered just to break even on application fees. The zones were not designed for legitimate use. They were designed for registration volume. Legitimacy was never a design criterion — it was a liability to be minimized. The zone names confirm this: .bond signals financial trust to phishing victims; .cfd is named after a leveraged financial derivative; .icu targets personal credentials. These names were not chosen for developers. They were chosen because they are credible to fraud targets.

ICANN is not a passive bystander. ICANN collects $0.25 per domain per year from every ShortDot zone — from every .icu phishing page, every .bond credential harvester, every .cfd fake investment platform, and every one of the 4,397,717 phantom domains that serves no function except generating fee income. ICANN also received $1,589,000 in application fees and collects $180,600/year in fixed zone fees. The regulator earns $1.74M annually from zones it is contractually obligated to police. Terminating ShortDot for abuse would cost ICANN $1.74M/year in recurring revenue. This is structural capture, not negligence. ICANN cannot enforce without forfeiting its own revenue stream.

NameBlock is not surprising. NameBlock — a ShortDot venture — sells brand protection services: blocking brand names from being registered in the zones ShortDot controls. JPMorgan Chase pays NameBlock to protect chase.* from being registered as a phishing domain. This is the second profit leg on the same asset. ShortDot collects wholesale when phishers register brand domains. ShortDot collects wholesale again when brands pay to defensively block them. NameBlock collects the service margin on top. The entity that manufactured the threat is paid twice to manage it. The fact that NameBlock was established before these zones reached abuse scale at all indicates this was the plan — not a response to abuse, but preparation for it.

This investigation asks three questions ICANN should have asked before delegating these zones: Who is the natural legitimate user of .icu, .sbs, .cfd, and .cyou? What purpose requires a dedicated TLD that .com or .net cannot serve? And if the answer is "no one with a legitimate business," why is ICANN collecting $1.74M per year from zones that exist to harvest registration revenue from phishing infrastructure — and why has enforcement not followed?

Five Questions for ShortDot
  1. Who buys hundreds of thousands of .sbs and .cfd domains through a single named registrar partner and never activates them?
  2. Was NameBlock conceived before or after zone launch — and when was the brand protection revenue model modeled?
  3. Did ShortDot coordinate with NameSilo around the April 2024 .sbs/.cfd acquisitions?
  4. What share of NameBlock revenue comes from brands threatened by domains registered in ShortDot's own zones?
  5. Name ten verified legitimate businesses using ShortDot TLDs as their primary operational domain.
Five Questions for ICANN
  1. At what abuse rate does ICANN trigger registry agreement enforcement — and why has 70% phantom not triggered it?
  2. Did ICANN model the conflict of interest in collecting volume fees from zones it must also police?
  3. Why were .sbs and .cfd delegated to ShortDot — an operator with a documented abuse track record on .icu?
  4. What is ICANN's policy on registry operators launching brand-protection subsidiaries in their own zones?
  5. Will ICANN publish its internal enforcement communications on ShortDot complaints received to date?
What Needs to Happen
  • ICANN RevShare termination for zones with >60% phantom rate
  • .sbs and .cfd delegation reviewed — both acquired April 2024, both immediately dominated by a single registrar
  • NameBlock investigated as vertical integration: registry operator selling protection against abuse in its own zones
  • ICANN Contractual Compliance: mandatory abuse rate reporting + automatic enforcement triggers
  • Luxembourg FIU referral for AML review of wholesale fee flows from confirmed fraud zones
  • Europol EC3 referral: cross-border financial crime, victim losses from phishing in ShortDot zones