Introduction
Freenom, the domain name registrar and registry operator, received a great deal of attention in March 2023 when published reports noted that it had stopped allowing new registrations for the five country-code top-level domains (ccTLDs) that it operated (.CF for the Central African Republic, .GA for Gabon, .GQ for Equatorial Guinea, .ML for Mali, and most notably .TK for Tokelau). While media outlets did not begin reporting on the (temporary) suspension of new registrations until March, there is evidence that Freenom suspended new registrations as early as January 2023.
Screenshot of an archived version of Freenom’s website on January 26, 2023, featuring a message that it is temporarily unable to accept new registrations
Freenom provided registry and registrar services for these ccTLDs, but they are owned by the countries they represent. Freenom carved out its niche in the domain industry by waiving registration fees for these ccTLDs in order to attract business to its other services. In 2021, the population of the island of Tokelau was just over 2200, and by the end of the same year there appeared to be over 24 million .TK domains registered. It is fairly common to hear in domain industry circles that the unintended, but perhaps foreseeable, consequence of giving away domain names for free in a TLD is that the TLD becomes attractive to bad actors.
While this blog studies a number of ccTLDs which used Freenom as an operator, it should be noted that the decision to provide the domain names for free, and subsequently risk attracting abuse, was never one condoned or encouraged by those individual countries. For an investigative look at the situation in Tokelau, see this article.
Background: Available Data
Finding reliable and accurate data on the amount of abuse, or even the number of domain names, in .TK has been challenging. However, it appears that .TK and other Freenom-operated TLDs have a disproportionately high number of domains under management (DUM) compared to their local population and economy, and also appear to contain high rates of DNS Abuse, scams, and other nefarious registrations. The DNS community is naturally curious to understand how the bad actors who were using Freenom-operated TLDs to commit DNS Abuse reacted when Freenom stopped taking new registrations in January 2023. Anecdotally, other ccTLDs have reported seeing an uptick of DNS Abuse in their zones during this time.
Measuring DNS Abuse, and any abuse, is difficult. NetBeacon MAP captured data in early 2023 just after Freenom stopped accepting new registrations. We don’t have a good picture of their abuse before this time, but using data available through MAP, the Institute is able to analyze the wider impact of Freenom’s actions in early 2023 and determine how the concentration of reported abuse changed in each ccTLD.
Analysis
Our analysis looked at the trends in DNS Abuse across the domain ecosystem during the first half of 2023. The data is clear: we noticed a significant change in abuse (phishing and malware) trends from February 2023 to March 2023. In terms of the change in unique domains observed as abusive (associated with phishing campaigns and malware distribution) for each of the five Freenom-operated ccTLDs from February 2023 to March 2023, NetBeacon MAP observed:
TLD | Decreased by | February 2023 | March 2023 |
.CF | 83.4% | 428 | 71 |
.GA | 84% | 445 | 71 |
.GQ | 87.4% | 390 | 49 |
.ML | 81.7% | 416 | 76 |
.TK | 94.8% | 1,981 | 104 |
These sharp drops are particularly significant as these five ccTLDs accounted for around 13% of all observed abusive domains in NetBeacon MAP (across gTLDs and ccTLDs) in February 2023, while the measurement dropped to around 1.4% in March 2023. While causation is inherently difficult to establish, we clearly observed a dramatic decrease in abusive domains for Freenom’s ccTLDs in March 2023, which we suspect is related to Freenom’s suspension of new registrations.
Given that the abuse numbers for these ccTLDs decreased so dramatically, we would expect to see the total number of abusive domains decrease in March by an equivalent amount. The number of abusive domains in the Freenom ccTLDs collectively decreased by around 3,000 from February to March. However, the total number of observed abusive domains decreased by just under 1,000 from February to March. That raises some questions: where did the abuse go? Was this just a natural fluctuation month to month, or did the abuse flow out of Freenom ccTLDs into other TLDs?
It is extremely difficult to track how bad actors move across TLDs, so we cannot determine for certain if an increase in abusive domains in March for a particular TLD is due to the migration of DNS Abuse from the Freenom ccTLDs. However, we can check whether the total increase in other TLDs in March roughly equals the total decrease in the Freenom ccTLDs, as an indication of the movement of DNS Abuse across TLDs.
From looking at the data, almost all TLDs experienced an increase in abusive domains from February to March, but the abuse increase appears to have been concentrated in several TLDs. This list includes 4 gTLDs and 4 ccTLDs. While the number of abusive domains in each of these TLDs was within the expected range (within one standard deviation of their average abuse rates), the total increase in these TLDs in March accounts for the majority of the decrease from the Freenom ccTLDs.
However, the data also reveals that in almost all of the TLDs that experienced a dramatic increase in March there was also a dramatic decrease in abusive domains in April that brought abusive domain numbers lower than their February levels. From March to April, the total number of abusive domains from all TLDs dropped by around 3,500 as can be seen in the chart below.
Chart depicting the total number of observed unique abusive domains in February 2023, March 2023, and April 2023
While we cannot determine causation, we can’t help but wonder if the decrease in the aggregate level in April and the increase individual TLDs experienced in March are both linked to Freenom no longer taking (free) registrations. Could it be that bad actors who regularly used Freenom’s ccTLDs for abuse attempted to switch to different TLDs in March? This could explain the increase that individual TLDs experienced in March. Is it possible that these bad actors did not find a warm welcome, resulting in them scaling back their DNS Abuse activities which resulted in the aggregate decrease in April? Or perhaps more likely, moved to areas that are even more difficult for us to measure, such as subdomains? Or even changed their tactics to be less focused on registering new domains?
Conclusion
This case study has been a fascinating attempt to understand the impact of Freenom closing their TLDs to new registrations. It also demonstrates the challenges of trying to stamp out abuse in one part of the domain ecosystem.
There has long been speculation about pricing and how it impacts abuse. While the topic of pricing is always strictly limited in industry circles to ensure there is no chance of running afoul of competition regulations, there is a conversation to be had about the relationship between pricing and abuse. This conversation can take place in the context of considering registry incentive programmes: is it worth providing discounts to registrars with low levels of abuse? This recognises the fact that preventing and addressing abuse requires real-life resources from registrars and registries, for example dedicated employees, time spent investigating reports, and external tools or information.
We could also understand this from an academic perspective, and we look forward to the results of the ICANN-funded research on this topic: INFERMAL, a KOR Labs collaboration. INFERMAL seeks to understand the preferences of cybercriminals and contribute evidence-based research to the conversation of why malicious actors favor certain spaces in the DNS Ecosystem and not others, which is very relevant to this analysis of Freenom.
This issue also demonstrates the importance of examining the month-to-month changes in abusive domains at the registrar/TLD level, not just the aggregate. Even though the industry-wide total number of abusive domains can be down from the month before, that does not mean that individual registrars/TLDs are not experiencing increased levels of DNS Abuse. The opposite can also be true: the industry-wide total may be up in one month, while an individual registrar or TLD might have made great strides in reducing DNS Abuse. Understanding where and how DNS Abuse shifts in the ecosystem is critical in the never-ending fight to make the Internet a safer place.
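The per-TLD comparison described in the Analysis section and in the paragraph above can be written down as a short script. This is an added example, not NetBeacon MAP code or data: the Freenom counts are the ones in the table, while the `.example-*` TLDs, their monthly series and the choice of baseline for the one-standard-deviation check are constructed assumptions.

```python
from statistics import mean, stdev

# Feb/Mar 2023 counts for the Freenom ccTLDs, taken from the table above.
FREENOM = {".cf": (428, 71), ".ga": (445, 71), ".gq": (390, 49),
           ".ml": (416, 76), ".tk": (1981, 104)}

# CONSTRUCTED monthly series for hypothetical TLDs; last two values are Feb, Mar.
OTHER = {
    ".example-a": [4000, 5200, 4300, 5500, 4600, 5300],
    ".example-b": [2000, 2900, 2200, 3000, 2300, 2900],
    ".example-c": [1000, 1600, 1100, 1700, 1200, 1600],
    ".example-d": [500, 520, 480, 510, 490, 1100],
}

def pct_drop(before, after):
    """Percentage decrease, rounded to one decimal as in the table."""
    return round((before - after) / before * 100, 1)

def z_score(series):
    """Distance of the last month from the mean of the earlier months,
    in standard deviations (assumed baseline: every month before it)."""
    baseline, latest = series[:-1], series[-1]
    return (latest - mean(baseline)) / stdev(baseline)

def displacement(freenom, other):
    """Compare the Freenom decrease with month-over-month changes elsewhere."""
    drop = sum(feb - mar for feb, mar in freenom.values())
    deltas = {tld: s[-1] - s[-2] for tld, s in other.items()}
    gain = sum(d for d in deltas.values() if d > 0)
    return {
        "freenom_drop": drop,                             # abusive domains lost
        "other_gain": gain,                               # increases elsewhere
        "aggregate_change": sum(deltas.values()) - drop,  # what the total shows
        "offset_share": round(gain / drop, 2),            # share of drop offset
        # TLDs whose latest month is more than one std dev from their baseline
        "outliers": sorted(t for t, s in other.items() if abs(z_score(s)) > 1),
    }

if __name__ == "__main__":
    for tld, (feb, mar) in FREENOM.items():
        print(f"{tld}: {feb} -> {mar} (-{pct_drop(feb, mar)}%)")
    print(displacement(FREENOM, OTHER))
```

With the constructed series, the aggregate falls by under 1,000 while three of the four other TLDs grow by hundreds of domains each and still sit inside their one-standard-deviation band, which is why the aggregate and the simple outlier check both need the per-TLD deltas beside them.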
Additional Information
NetBeacon MAP is a collaboration between the Institute and KOR Labs, led by Dr. Maciej Korczynski, a professor at Grenoble Alpes University in France. Our methodology uses reputation block lists (RBLs) to extract phishing and malware abuse data from across the Internet and measure where it is coming from. While we are unable to catalog all harm on the Internet, our data allows us to make significant strides in identifying prevalent and persistent DNS Abuse in a way that is consistent, independent and academically robust.
The Institute is committed to providing registrars and registries the data they need to fight DNS Abuse. It is with this in mind that we are constantly looking to improve NetBeacon MAP so that we can continue to actualize our mission of reducing DNS Abuse and empowering the DNS community. Registries and registrars can access their own individualized dashboard, a service the Institute provides completely free of charge. Requests for access can be made to support@netbeacon.org.