Share icon
Sign up for our newsletter
Close icon

    Enter your email below to receive a free e-newsletter with the latest IWF news, industry and parliamentary updates and events direct to your inbox.

    Domain analysis

    Domain Distribution: In addition to the increased number of reports actioned in 2022, we also observed an increase in the number of unique second-level domains hosting child sexual abuse material. 

    • The number of unique second-level domains increased by 17% from 4,614 as identified in 2021 to 5,416 in 2022, representing an increase of 802 domains. 
    • Of the 5,416 unique second level domains identified as carrying child sexual abuse material, over half (3,057 or 56%) were classified as being dedicated to the sale and/or distribution of child abuse images for financial gain.

    For clarity, the diagram below sets out the domain naming conventions used throughout this report.

    Download icon

    Websites containing child sexual abuse content were registered across:

    • 209 top level domains (an increase from the 162 TLDs identified in 2021)
    • 97 generic Top-Level Domains (gTLDs), and
    • 112 country code Top Level Domains.

    Domains were traced to hosting in 55 countries.

    For domain analysis purposes, the webpages of,, and are counted as one domain:

    Download icon

    New Generic Top-Level Domains, or gTLDs, continue to be released to meet the demand and consumer choice for new and exciting top level domain names, new TLDs will often spark interest and demand from specific sectors which seek to align their website or brand to a TLD e.g., .biz is an attractive alternative TLD choice for the business sector.

    Our monitoring of TLDs shows that there have been some significant changes in the top 10 listings this year. Notable changes include the .com TLD that has historically always appeared at the top of our most abused domain rankings, in 2022, it dropped to second position, a reduction of 63% representing 83,241 fewer reports than in the previous year.

    The .pw TLD was the most abused TLD in 2022 with 94,083 confirmed reports. It was previously listed 25th in 2021 when 294 child sexual abuse reports were identified. Its dramatic increase in abuse is directly related to several image host sites abusing the .pw TLD and accounted for 93% of all the child sexual abuse imagery identified on .pw.

    The country code TLD .yt (French region Mayotte) was previously unlisted in 2021, and subsequently rose to fourth position as a direct result of nefarious activity involving two image host sites. Ironically neither of the image host sites were hosted in France, but were traced to be hosted in the Netherlands, Russian Federation and Taiwan at various points in the year.

    What can we do about this abuse?

    Our Domain Alerts help our Members in the domain registration sector prevent the abuse of their service by preventing criminals registering websites with a known CSAM abuse history being reregistered on additional TLDs.

    Domain analysis by second-level domain

    “” – in this URL, the ‘.badsite’ is the second level domain of the website address.

    We have published data for the second consecutive year which gives additional insight into the scale and nature of domains abused to distribute child sexual abuse material across different TLDs.

    We are able to show the number of unique second-level domains found to be carrying child sexual abuse where they are grouped by the TLD on which they resided.

    Download icon

    Download icon

    Second-level TLDs specifically registered and used for the commercial distribution of child sexual abuse should rightly be a point of focus and we continue to research additional ways to locate and remove the sites and disrupt the registration of new sites. 

    What can we do about this?

    By understanding more about how second-level TLDs are specifically registered and used for the commercial distribution of child sexual abuse material, we can make them a point of focus for our work. We continue to research new ways to locate and remove these sites and disrupt the registration of new sites for this purpose.