Share icon
Sign up for our newsletter
Close icon

    Enter your email below to receive a free e-newsletter with the latest IWF news, industry and parliamentary updates and events direct to your inbox.

    Top-level domain hopping

    What is Top-level domain hopping?

    “Top-level domain hopping” is when a site (e.g., ‘badsite.ru’) keeps its second-level domain name (‘badsite’) but changes its top-level domain (‘.ru’), in essence, creating a new website typically with different hosting details but retaining the sites identifiable ‘name brand’. From ‘badsite.ru’, multiple additional sites ‘badsite.ga’, ‘badsite.ml’ or ‘badsite.tk’ could be created. This allows instances of a website to persist online after the original has been taken down while keeping the website recognisable and easy to find by followers of the site.

    • 319 dedicated commercial second-level domains were identified to have hopped domain at least once in 2022.

    Please note that no TLD instances from previous years were counted in this analysis, meaning that to be included in the statistics, the sites had to exist on a minimum of two different TLDs in 2022.

    Download icon

    Download icon

    • 125 second-level domains were found to have hopped once; 
    • 14 hopped twice; 
    • four hopped three times; 
    • one hopped five times in a bid to remain online and active in the 12-month monitoring period. 
    • 19 countries were identified as hosting domain hopping sites.

    We first work with partners to ensure that the site is removed from the internet. Every subsequent hop, however, then requires a new action by our analysts to re-enforce the previous take down(s) by actioning the site again on the new TLD.

    When tracking the hosting country, we noted that some sites often changed TLD but remained hosted in the original host country; other sites showed a preference to change hosting country after each TLD domain change, sometimes returning to the originally identified hosting country after a period of hosting elsewhere under a different TLD.

    What can we do about this?

    Domains are allocated and managed by internet registries and registrars. Our ongoing work in this area will enable us to identify domains exploiting the legitimate TLD marketplace. We continue to work with Members to not only identify and remove criminal sites but offer new preventative measures to guard against domains hopping to unsuspecting TLDs. 

    We hope to involve more registrars and registries in the fight against this exploitative practice in 2023, and to this end we have started a service for Members which provides an active ‘Watch list’ of second level domain strings which can be used to pre-warn registries and registrars of domains that have a proven history of domain hopping exclusively in the sale and or distribution of child sexual abuse material. The new list service is live and available to Members wishing to access this new important data set.