Time seems to move incredibly quickly at the Institute, most likely a function of the volume of activity we’re engaged in. As 2025 winds down and we catch our breath, we wanted to take a moment to highlight some of what we’ve accomplished this year. 

2025 Highlights:

Subdomain Cloaking: In August 2025, NetBeacon MAP identified 2,227 unique domain names that appear to be part of a coordinated phishing campaign targeting UK citizens eligible for government benefits by impersonating the UK Government. This technique uses ‘TLD-’ combinations in a subdomain to obscure the abuse. Industry should look out for these combinations, for example: com-, uk-, gov-, de-, ca-, org-, pl- etc. or -uk, -com, -gov etc.  The rise in phishing scams linked to the Winter Fuel Payment shows how difficult it is to protect vulnerable groups from online fraud. We’ve written a joint blog with Nominet UK, highlighting the importance of collaboration in keeping the internet safe and secure.

White Paper: Proposal for PDPs on DNS Abuse: In June, leading up to ICANN Prague, we published a white paper proposing a number of potential PDPs that we felt would be impactful for reducing DNS Abuse. The ICANN community is now moving forwards with two PDPs. We’ve offered support to this process as an external expert and look forward to the multi-stakeholder community developing global policy to advance industry responses to DNS Abuse, such as phishing and malware. Our ideas were also picked up outside the industry and featured in the 

World Economic Forum’s Partnership against Cybercrime’s paper: Fighting Cyber-Enabled Fraud: A Systemic Defence Approach.

NetBeacon Reporter crosses 250,000 Reports: NetBeacon Reporter saw a substantial increase in throughput over the course of 2025, crossing more than 250,000 reports year to date. 250,000 reports is a material percentage of the abusive domains we believe to exist. 

NetBeacon Reporter Enhancements:

We made a number of key enhancements to NetBeacon Reporter this year, including:

• An enhanced feedback mechanism, allowing registrars, registries, and hosts to tell us if they took mitigation action, and what type,  or if they believed the report to be a false positive.
• Rebuilt some of the underlying processes to accommodate increased usage
• Reduced the sending of unactionable reports be enabling more filtering of submissions
• Enabled the URL Monitor API end point so that abuse reporters can automate checking mitigation
• ccTLD integration went from 24 (56% of the ecosystem based on DUM) to 41 (64%)
  • https://netbeacon.org/cctld-partners/ 

NetBeacon MAP 

In 2025 we published 12 Monthly Analysis reports providing a snapshot of aggregate data and tables detailing registrar credentials and TLDs with high and low rates of malicious abuse compared to their DUM and new registrations. 

We saw a peak of malicious phishing over the year in March 2025: the highest number of unique domain names associated with phishing (47,613) and the largest month-on-month increase in unique domain names associated with phishing (63%). This spike of malicious phishing was highly concentrated in a small handful of registrars. 

Overall, we saw more domains used for phishing attacks (31,704, 98%) than malware delivery (523, 2%). Typically we saw more maliciously registered domains (26,749, 82%)  than compromised websites associated with benign domains (5,486.25, 18%). 

Typically we saw fast mitigation across the year with most (184,997, 44%) associated with registrar credential with a median mitigation time of (0-24 hours). 

The following TLDs and Registrar Credentials featured most consistently in our low abuse tables across the year: 

Registrar Credentials:

small

• Register SPA
• Dreamscape Networks International
• CSL Computer Service Langenbach GmbH
• Dreamhost, LLC

large

• GoDaddy.com, LLC
• OVH SAS
• Squarespace Domains II LLC
• Network Solutions, LLC
• Porkbun LLC
  

TLDs

• gTLDs
  • Small: .company, .services, .bet, .group
  • Large: .dev, .org, .net, .mobi
• ccTLDs
  • Small: .uy, .pe, .ng, .py
  • Large: .nl, .it, .ca, .ch

Version 2.0.0 Individualized Dashboards 

In 2025, we launched a new and improved version of our NetBeacon MAP Individualized Dashboards for registrars and registries. This included a substantial re-build of the dataset and resulted in key enhancements, including: 

• Abuse rates correlated to DUM and new registration trends
• Connecting registry – registrar data to provide more insight into where abuse is concentrated
• Improved insight into mitigation speed
• Customizable peer groups and trends over time
• Additional explanatory text and interactive elements 

Events 

We attended events virtually and across the world to collaboratively work together to create a safer Internet for everyone. Engagements included: 

• State of the DNS in 2025 Workshop, Brussels, Belgium. Hosted by eco – Association of the Internet Industry 
• ICANN82, Seattle, United States 
• Nordic Domain Days, Stockholm, Sweden 
• Contracted Parties Summit, Hanoi, Vietnam 
• CENTR Jamboree, Lyon, France
• ICANN83, Prague, Czech Republic 
• VNNIC Internet Conference 2025 – Virtual  
• LAC DNS Forum – Virtual 
• Montevideo DNS Forum – Virtual 
• How is DNS Abuse actually measured? topDNS Webinar, Virtual
• Baltic Domain Days, Tallinn, Estonia 
• ICANN84, Dublin, Ireland 
• Maple Disruption 2025, Ottawa, Canada. Led by the RCMP’s National Cybercrime Coordination Centre (NC3) and the Canadian Anti-Fraud Centre (CAFC)

The NetBeacon Institute provides a suite of free tools and services to enable a safer Internet for everyone. 

Thank you to everyone who has supported the work of the NetBeacon Institute throughout the year. In particular, our delivery partners: Clean DNS and KOR Labs, and our Advisory Council.