Menu

Domain analysis

Draft status

Overview
Unique Domain Frequency
Abuse of Top-Level Domains
Second-Level Domains
Top-Level Domain Hopping

Overview

DO NOT REVIEW UNTIL FRIDAY 6th FEB

Unique domains by hosting country

In 2025, we continue to publish findings on the volume of URLs actioned per domain and the number of unique domains hosting child sexual abuse material. 

Our analysis covers distribution across classification groups, including host country, abused top-level domains (TLDs), commerciality, and the return of content after takedown and suspension actions.

A small number of websites hosting large volumes of child sexual abuse material can rapidly place a country in our top 10 by URL volume. While this metric is important, the number of unique websites hosting such material provides a different perspective, as high report volumes may stem from one or two sites rather than widespread activity across a country.

The diagram below illustrates the domain naming conventions we use. 

 

 

Top 10 unique domains by host country

The chart above shows the number of unique domains hosted in each country. Each domain is counted only once, regardless of how many actions were taken against it during the year. If a domain changed hosting location during the year, it is counted for each country where it was hosted.

  • Eight of the countries reappearing in the top 10 hosting countries in 2025 remain unchanged, the exceptions being Vietnam and Moldova which are new entrants.
  • Japan saw the largest increase from 45 to 160 unique domains (up 256%) and the Netherlands saw a significant decrease of 26% from 1,285 unique domains down to 954. The increase in the numbers for Japan was largely driven by the distribution of commercial child sexual abuse sites which all appear to have been produced by the same distributer.
  • The number of unique domains hosted in the UK remained practically unchanged, with a reduction from 72 domains in 2023 to 71 domains in 2024. The UK was 14th in our global data ranking.

The US, Netherlands, and Russian Federation, continue to attract the highest volume of domains displaying child sexual abuse, with each country remaining in the top three based on overall hosting volume. 

The identified .onion domains cannot be linked to a specific hosting country and are included for transparency. The .onion domain is a special-use top-level domain for anonymous onion services.

Unique Domain Frequency

The overall number of unique domains saw an increase in 2024. However, it is not possible to confirm whether the overall global availability of domains has increased without comprehensive data from non-IWF sources, such as other hotlines.

  • 6,076 actionable unique domains were identified in 2024. This is an increase of 220 (4%) domains being actioned compared to the previous year.
  • Of the 6,076 unique domains, 5,743 unique second-level domains were identified as carrying child sexual abuse material, and 43% (2,480) were classified as being dedicated to the sale and/or distribution of child sexual abuse images for financial gain.

For clarity, the diagram below sets out the domain naming conventions used throughout this report.

 

 

GRAPH OF DOMAINS OVER THE YEARS TO BE ADDED

Abuse of Top-Level Domains

This analysis looks at the distribution of child sexual abuse URLs found to be operating under each website’s top-level domain (TLD).  Each recorded URL may relate to a single image or multiple images of child sexual abuse identified on URLs operating under a specified TLD.

  • We recorded 296 top-level domains as being abused as a method to share child sexual abuse material; this is an increase from 251 TLDs in 2024, a rise of 18%.

The abuse of TLDs can be further broken down as follows:

  • 129 generic top-level domains (gTLDs) were abused, a decrease of 10% from the 143 gTLDs identified in 2023.
  • 122 country code top-level domains (ccTLDs) were abused, an increase of 28% from the 95 identified in 2023. Some ccTLDs operate second-level domains in a manner that operates functionally as separate TLDs, such as co.uk, com.au, com.in and many others. For the purpose of measuring, we include those second-level domains as individual ccTLDs.
  • We urge all country code stakeholders to protect their ccTLD portfolio against the rise in this abuse, by taking advantage of the IWF domain services which can now be accessed for free. 

For the calculation of volumes on a URL, webpage reports for www.anywebsite.tld, www.anywebsite.tld/forum/page1 and www.anywebsite.tld/images/girls.html would be counted as three separate instances of child sexual abuse attributable to the identified TLD.

Top 10 TLDs by volume of actioned reports

What can we do about this abuse?

Our Domain Alerts support Members in the domain registration sector by reducing and preventing abuse of their services. They provide early warnings of detected abuse and help stop criminals from re-registering sites with a known child sexual abuse history on other TLDs.

Second-Level Domains

Tracking the use of second-level domains as a distinct category provides further insight into how different domain strings are registered and used under different top-level domains (TLDs) in both commercial and non-commercial contexts.

Monitoring domain strings helps identify when bad actors repeatedly register popular names. This insight also enables registries and service providers to reduce the risk of sites being deliberately created for commercial child sexual abuse.

www.anysite[.tld]” – in this example, the [anysite] name or ‘string’ is classed as the second-level domain of the website address.

The largest yearly increases were identified on the gTLD .shop and ccTLD .cc (Cocos – Keeling Islands) TLDs.

  • 118 unique domain strings were registered under .shop, 2% of overall global total.
  • .cc saw an increase of 137% with 880 unique domain strings registered and subsequently actioned by the IWF for carrying images of child sexual abuse (15% of overall global total).
  • Both the .de and .ru ccTLDs saw a welcome reduction of 45% and 50% respectively in identified abuse across unique second-level domains.

Commercial distribution at the second-level domain

Second-level domains created for the commercial distribution of child sexual abuse material are a serious concern, representing deliberate abuse of the Domain Name System (DNS). When registrars are alerted to such sites, we encourage investigating other domains registered by the same entity. This can uncover additional sites for IWF review under a ‘special escalations’ process, designed to assess potential links across a registrant’s domain portfolio. Taking this proactive approach helps disrupt criminal abuse by identifying and suspending previously unknown sites.


We identified 719 instances of the .cc ccTLD in 2024 making it the most abused TLD by volume of unique dedicated commercial second-level domains, representing 28% of the overall global total (193% increase on what we saw in 2023).

The .cfd gTLD was seen for the first time in the top ten since recording this information, with 52 domains identified, accounting for 2% of the overall global total (767% increase on what we saw in 2023).

In total, 2,554 unique second-level domains were uncovered and actioned, and in every instance the websites openly displayed images and videos of child sexual abuse on their homepage. In 2023 we reported 3,143 domains abused in this way, so this represents a welcome reduction of 19%. 

What can we do about this?

Gaining insight into how second-level TLD's are registered and exploited for the commercial distribution of child sexual abuse material allows us to work with registries, registrars, hosts, filtering providers, search engines, and other partners to reduce opportunities for criminal activity. Every successful detection and prevention ultimately supports victims and survivors of abuse.

Top-Level Domain Hopping