ANNUAL REPORT
Our mission is to provide a world class, comprehensive free suite of tools to create a safer Internet.
2025
LETTERS FROM LEADERSHIP
A word from NetBeacon Institute Leadership. Click a name (+) to read their note.
Graeme Bunton, Executive Director
At the NetBeacon Institute, our mission is to make the Internet safer for everyone. As I look back on the past year, I am proud of the progress we’ve made, and our meaningful contributions towards this goal. We’ve made substantial impacts in abuse education, policy development, and enabling abuse disruption, a few of which I’d like to highlight below.
In May, the NetBeacon Institute released a white paper proposing Policy Development Processes (PDPs) for DNS Abuse to ICANN – narrowly scoped efforts with the potential for significant collective impact. The white paper catalyzed discussions within the ICANN community, and has helped drive the process further.
In 2025 NetBeacon Measurement and Analytics Platform (MAP) launched new individualized dashboards with more intuitive and customizable data, allowing users to move beyond simple monthly snapshots to grasp the underlying trends and context.
NetBeacon Reporter celebrated a major milestone in 2025, processing more than 250,000 reports and enabling the disruption of hundreds of thousands of malicious domains. We undertook a significant collaboration effort with RCMP (Royal Canadian Mounted Police) to translate reports received by law enforcement into large scale online disruption.
We continued our collaborative efforts to prevent and mitigate DNS Abuse. NetBeacon Institute is grateful for the continued trust and support of our 2025 partners in the Internet and security industries, including: CleanDNS, KOR Labs, GCA, topDNS, eco and i2c.
Special thanks to Public Interest Registry (PIR), who fully funds and operates the Institute, the NetBeacon Advisory Council, and the registries, registrars and hosting providers for your continued commitment to making the Internet a safer space.
Sincerely,
Graeme Bunton, Executive Director
Rowena Schoo, Senior Director, Industry Affairs & Policy
As the NetBeacon Institute celebrates five years, I am proud of the progress made to provide free tools, education and insight to combat threats such as phishing and malware.
In 2025 NetBeacon MAP advanced to domain-level analysis which significantly improved our ability to understand trends and campaigns.
A major theme emerging from our analysis is that malicious phishing campaigns are highly concentrated in a small handful of registrars. This was true for the spike in March – our highest month on record to date, and for our analysis of the August winter fuel campaign targeting vulnerable citizens by impersonating the UK Government.
Creating a safer Internet is a critical priority and shared responsibility that transcends individual sectors; collaboration beyond ICANN is crucial to achieving our mission.
Globally, we provided insight to the World Economic Forum’s (WEF) Partnership Against Cybercrime (PAC) in relation to cyber-enabled fraud. Closer to home, I was proud to see the work of the Institute flow through as recommended practice in security guidance for registrars created by the UK National Cyber Security Centre’s (NCSC).
Looking ahead, we are following the ICANN Policy Development Process (PDP) on Associated Domain Checks (ADC) and anticipate that this will be an important policy development to tackle large scale concentrated malicious campaigns.
Thank you to all our amazing collaborators especially our Advisory Council, delivery partners (KOR Labs and CleanDNS), and of course Public Interest Registry (PIR) for its ongoing support in creating and operating the NetBeacon Institute.
Rowena Schoo
Senior Director, Industry Affairs & Policy
2025
HIGHLIGHTS
2025 was a year of continued growth and impact for the NetBeacon Institute. We focused on strengthening our core products, deepening engagement across the DNS ecosystem, and improving how data, reporting, and insights are delivered to those working to mitigate DNS Abuse.
NetBeacon Reporter continued to scale, surpassing key reporting milestones and expanding integrations with registrars, registries, and ccTLDs. NetBeacon MAP advanced as a trusted measurement resource for phishing and malware. Monthly analysis, interactive charts, and individualized dashboards provided greater transparency into mitigation rates, trends, and outcomes. In 2025, we expanded dashboard functionality with improved data visualizations.
The Institute remained actively engaged with the global DNS, policy, and security communities. We participated in major industry events, policy discussions, and working groups, sharing data driven insights and practical perspectives on mitigating DNS Abuse. Our work continued to inform conversations across registries, registrars, and ccTLDs.
Throughout the year, we published blogs highlighting policy and campaigns impacting the industry.
OUR IMPACT:
Subdomain Cloaking
In August 2025, NetBeacon MAP identified 2,227 unique domain names that appear to be part of a coordinated phishing campaign targeting UK citizens eligible for government benefits by impersonating the UK Government. This technique uses ‘TLD-’ combinations in a subdomain to obscure the abuse from users and analysts. Industry should look out for TLD-combinations, for example: com-, uk-, gov-, de-, ca-, org-, pl- etc. or -uk, -com, -gov etc. Malicious phishing scams linked to the Winter Fuel Payment highlights the importance of tackling campaigns utilizing multiple domains in order to protect vulnerable groups from online fraud. We’ve written a joint blog with Nominet UK, highlighting the importance of collaboration in keeping the internet safe and secure.
Whitepaper: Proposal for PDPs on DNS Abuse
In June, leading up to ICANN Prague, we published a white paper proposing a number of potential PDPs that we felt would be impactful for reducing DNS Abuse. The ICANN community is now moving forwards with two PDPs. We’ve provided support to this process as an external expert and look forward to the multi-stakeholder community developing global policy to advance industry responses to DNS Abuse, such as phishing and malware. Our ideas were also picked up outside the industry and featured in the World Economic Forum’s Partnership against Cybercrime’s paper: Fighting Cyber-Enabled Fraud: A Systemic Defence Approach.
Malicious Phishing Concentration
In March 2025, a record spike in malicious phishing activity was observed by the NetBeacon Measurement and Analytics Platform (MAP). The majority of this was heavily concentrated among a small number of registrar credentials. One registrar, Dominet HK Limited, was responsible for registering over half of the unique phishing domains identified, despite managing a very small percentage of all Domains Under Management (DUM). Gname.com Pte. Ltd., also showed a high concentration. This spike appears to be linked to bulk malicious phishing campaigns that could be addressed by new policy approaches.
OUR PILLARS
At NetBeacon Institute, we are committed to driving outcomes-based initiatives that will create recommended practices, foster collaboration, and develop industry-shared solutions.
INNOVATION
The Institute drives innovation in combating DNS Abuse through providing recommended practices, offering practical, free solutions for registries and registrars of varying sizes and resources, and funding DNS-related cybersecurity research.
EDUCATION
The Institute drives innovation in combating DNS Abuse through providing recommended practices, offering practical, free solutions for registries and registrars of varying sizes and resources, and funding DNS-related cybersecurity research.
COLLABORATION
The Institute serves as a networking forum and central resource for all interested stakeholders, cultivating collaboration with technical, academic, and policy organizations, registries, registrars, governments, and security researchers. Our collaborative model enables all parties to be better equipped to fight DNS Abuse.
OUR PRODUCTS
NetBeacon Reporter is a free centralized reporting conduit that simplifies DNS Abuse reporting for individuals and organizations and provides domain registrars with the information and tools they need to act confidently.
2025 Highlights
NetBeacon Reporter continued strong growth and platform enhancement in 2025, receiving over 263,000 abuse reports. We have worked closely with registrars and reporters to onboard users, increase reporting, and improve the platform. NetBeacon Reporter introduced an enhanced feedback mechanism, thus allowing registrars, registries, and hosts to provide mitigation action, as well as flagging reports as false positives. We have enabled increased submission filters, reducing the number of unactionable reports.
64% of the ccTLD ecosystem is integrated and receiving reports. This includes some of the largest such as .de, .uk, .eu, .br, .nz, and .ca. If you’re a ccTLD operator interested in receiving abuse reports for your TLDs, please contact support@netbeacon.org.
We are grateful to CleanDNS for their ongoing development and maintenance of the platform, as well as to Abusix for access to their abuse contact database, which supports our mission of making the Internet safer.
In collaboration with our research partner KOR Labs, NetBeacon MAP provides an academically robust, sophisticated and transparent methodology to understand the use of the DNS for phishing attacks and malware distribution. NetBeacon MAP provides granular data, including registration type (malicious or compromised), mitigation rates, and mitigation speeds, to further understand and empower change.
2025 Highlights
The Institute published Monthly Analysis Reports covering aggregate trends and specific reporting by registry and registrar. Each month we identified registries and registrars with high and low rates of malicious phishing and malware per DUM and new registrations. In 2025, our methodology observed 329,670 maliciously registered and 61,347 compromised domains. 389,346 unique domains were associated with phishing attacks and 4,258 associated with malware distribution; however, this reflects a small proportion of domains registered at any given point in time, which is approximately 386 million. This distinction is particularly relevant to mitigation, as typically the registrar or registry is not the most appropriate actor to disrupt abuse related to a compromised website. Overall mitigation rates in 2025 were 91% for maliciously registered and 52% for compromised websites. Our mitigation measurement is agnostic to attribution; we’re looking for whether our observations indicate the harm has stopped. Mitigation includes a range of disruption actions that may have been executed by various actors across the Internet ecosystem.
NetBeacon MAP Launched the brand new Version 2.0.0 Individualized Dashboards in 2025; registrars can now see which are their most abused TLDs, and registries to see which of their registrars have the most abuse.
We continue to offer free Individual Dashboards for registrars and TLD operators, providing zone-specific data and peer comparisons. All TLDs and ICANN-accredited registrars have access to a customized dashboard. For more information, contact support@netbeacon.org.
MAP REPORTS
ENGAGEMENT
HIGHLIGHTS
Throughout 2025, NetBeacon engaged and partnered with DNS Abuse stakeholders, industry experts, lawmakers, governments, registries and registrars. Together, we work to make the Internet a safer space for everyone.
Policy Impact
The gTLD contractual amendments have influenced DNS abuse mitigation, particularly in combating phishing and malware. The amendments create obligations for registrars and registries to mitigate DNS Abuse. NetBeacon Institute shared insights from NetBeacon Measurement and Analytics Platform (MAP) suggesting a promising trend of higher mitigation rates among 20 selected registrar credentials at the course of the “State of the DNS 2025” and the Contracted Parties Summit, Hanoi..
Informative Sessions
NetBeacon highlighted the importance of looking for patterns of abuse at Baltic Domain Days and Contracted Parties Summit Hanoi. There is an overlap in malicious registration and payment fraud, the primary source being stolen credit cards. Fraudulent registrations are one of the deceptive practices that at first glance appear legitimate. Are there alpha-numeric similarities in the string of the domain name (‘com-’ or ‘gov-’)? Perhaps there are patterns in the time, date or method of registrations. Looking for payment methods, like crypto-currency, and credit-card chargebacks can also reveal patterns in abuse. NetBeacon shared valuable insight on how it leverages Reporter and MAP to catch and disrupt these malicious practices.
Disruption
Partners from financial institutions, tech and telecom industries, government agencies and non-profit organizations came together for RCMP (Royal Canadian Mounted Police) Maple Disruption to coordinate over 3,000 disruptive actions of fraud. In one day alone, NetBeacon Reporter received 680 reports, nearly 300 of which were already disrupted, and 40% of the remainder were offline the same day. Beyond NetBeacon work, financial institutions discovered $4.7 million dollars in funds related to fraud or scams as part of Maple Disruption. This 3- day event proved to be valuable not only in the discovery and shutting down of fraudulent accounts and websites, but highlighted the impact of collaboration
2026 AND
BEYOND
In 2026, we are focused on ensuring we have the resources to expand and improve our two flagship initiatives with additional features: NetBeacon MAP and NetBeacon Reporter. We continuously look for ways to deepen our engagement with stakeholders and ensure we progress with feedback and input from users of our products and the wider Internet community.
ACKNOWLEDGEMENTS
NetBeacon Advisory Council
The NetBeacon Advisory Council is composed of passionate experts and leaders from across the Internet industry, including registrars, registries, researchers and DNS Abuse specialists. The Council, sharing our vision of A Safer Internet for Everyone, provides valuable input to help NetBeacon innovate and share resources with the DNS Community. Additional member details are available on our website.
Alissa Starzak | Ashley Heineman | Bertrand de la Chapelle | Bruce Tonkin | Bruna Martins Dos Santos | Chris Disspain | Crystal Ondo | Drew Bagley | Jeff Bedser | John Crain | Keith Drazek | Maciej Korczynski | Mike Silber | Nick Wenban-Smith | Owen Smigelski | Reg Levy | Rod Rasmussen | Tobias Knecht
Public Interest Registry
The commitment, trust and generous support and operations provided by Public Interest Registry have been instrumental in our growth and success. PIR continues to champion the Institute’s growth, providing infrastructure and free tools to report, measure and take action on DNS Abuse. NetBeacon Institute is proud to reinforce the mission to make meaningful change and proud to be a part of PIR.
PARTNERSHIPS & COLLABORATIONS
The NetBeacon Institute relies on the ongoing support of our valued delivery partners.
The Institute partnered with the cybersecurity and investigative professionals at CleanDNS to develop the NetBeacon Reporter platform.
The Institute partners with KOR Labs for the delivery of NetBeacon MAP.
KOR Labs is led by Dr Maciej Korczynski, a professor at Grenoble Alpes University in France.
The Institute also collaborates informally with a number of organizations working to make the Internet safer for all by helping to reduce DNS Abuse. Including:
Asia Pacific Network Information Centre (APNIC) | Asia Pacific Top Level Domain Association (APTLD) | Africa Top Level Domains Organization (AfTLD) | Latin American and Caribbean Country Code Top-Level Domain Association (LACTLD) | Anti-Phishing Working Group (APWG) | European country code top-level domain (ccTLD) registries (CENTR) | Global AntiScam Alliance (GASA) | Global Cyber Alliance (GCA) | ECO Top DNS | ICANN | Internet & Jurisdiction Policy Network | Internet Infrastructure Association | Nominet | Abusix, Inc | Internet Watch Foundation (IWF)