Menu

Domain analysis

Overview
Unique domain frequency
Abuse of top-level domains
Second-level domains
Top-level domain hopping

Overview

Unique domains by hosting country

In 2025, we continue to publish findings on the volume of URLs actioned per domain and the number of unique domains hosting child sexual abuse material. 

A domain is the unique website address used to identify a site on the internet. It is the core part of a web address that directs your browser to the correct website. The full web address (URL) points to a specific page on that website. One domain can host many different pages. 

For clarity, the diagram below sets out the domain naming conventions used throughout this report.

 

 

Our analysis covers distribution including by host country, abused top-level domains (TLDs), commerciality, and the return of content after takedown and suspension actions.

A small number of websites hosting large volumes of child sexual abuse material can rapidly place a country in our top 10 by URL volume. While this metric is important, the number of unique websites hosting such material provides a different perspective, as high report volumes may stem from one or two sites rather than widespread activity across a country.

In 2025, we assessed 310,437 URLs that showed or led to child sexual abuse content. These URLs were either reported to us, for example by the public or our Members, or found through our proactive searching. In the chart below we have grouped these URLs by unique domains and then highlighted the top 10 host countries responsible for hosting those unique domains.

Top 10 host countries by number of unique domains

The chart above shows the number of unique domains hosted in each country. Each domain is counted only once, regardless of how many actions were taken against it during the year. If a domain changed hosting location during the year, it is counted for each country where it was hosted.

  • Eight of the countries in the top 10 in 2025 remain unchanged from last year, the exceptions being Vietnam and the United Kingdom which are new entrants.
  • Of those countries in the top 10, Vietnam had the largest increase from 69 to 197 unique domains (up 186%) and Hong Kong had a significant decrease of 36% from 311 unique domains down to 198. 
  • The number of unique domains hosted in the UK has risen this year from 71 unique domains in 2024 to 121 in 2025, an increase of 70%. This has moved the UK from 14th in the list last year to 9th this year. 
  • 1,841 unique domains were hosted in the EU in 2025.

The US, Netherlands and Russian Federation continue to attract the highest volume of unique domains displaying child sexual abuse, with each country remaining in the top three based on overall hosting volume. 

The identified .onion domains cannot be linked to a specific hosting country and are included for transparency. The .onion domain is a special-use top-level domain for anonymous onion services.

Unique domain frequency

The overall number of unique domains increased in 2025. However, it is not possible to confirm whether the overall global availability of domains has increased without comprehensive data from non-IWF sources, such as other hotlines.

  • 7,268 actionable unique domains were identified in 2025. This is an increase of 1,192 (20%) unique domains actioned compared with the previous year.
  • Of the 7,268 unique domains, 6,310 unique second-level domains were identified as carrying child sexual abuse material, and of these 30% (1,876) were classified as being dedicated to the sale and/or distribution of child sexual abuse images for financial gain.

For clarity, the diagram below sets out the domain naming conventions used throughout this report.

 

 

Number of unique domains used to host child sexual abuse material

Abuse of top-level domains

This analysis looks at the distribution of child sexual abuse URLs found to be operating under each website’s top-level domain (TLD). Each recorded URL may relate to a single image or multiple images of child sexual abuse identified on URLs operating under a specified TLD.

We recorded 298 top-level domains as being abused as a method to share child sexual abuse material; this is just a small increase from 296 TLDs in 2024.

Tackling illegal hosting across TLDs is a collective effort, requiring coordination among registries, registrars, hosting providers and law enforcement. No single organisation can address it alone.

Top 10 TLDs by volume of actioned reports

Please note that when calculating the number of URLs, each of the following webpage reports would be counted as a separate instance of child sexual abuse associated with the identified TLD.

  • www.anywebsite.tld
  • www.anywebsite.tld/forum/page1 
  • www.anywebsite.tld/images/girls.html

 

What can we do about this abuse?

We urge all TLD stakeholders to protect their portfolio against the rise in this abuse, by taking advantage of the IWF domain services which can now be accessed for free. 

Our Domain Alerts support IWF Members in the domain registration sector by reducing and preventing abuse of their services. They provide early warnings of detected abuse and help stop criminals from re-registering sites with a known child sexual abuse history on other TLDs.

Second-level domains

Tracking the use of second-level domains as a distinct category provides further insight into how different domain strings are registered and used under different top-level domains (TLDs) in both commercial and non-commercial contexts.

Monitoring domain strings helps identify when bad actors repeatedly register popular names. This insight also enables registries and service providers to reduce the risk of sites being deliberately created for commercial child sexual abuse.

www.anysite[.tld]” – in this example, the [anysite] name or ‘string’ is classed as the second-level domain of the website address.

Of those in the top 10, the largest yearly increases were identified on the .best and .top TLDs.

  • 166 unique domain strings were registered under .best in 2025 (3% of overall global total) which is up from just four in 2024. 
  • .top saw an increase of 119% with 505 unique domain strings registered and subsequently actioned by the IWF for carrying images of child sexual abuse (11% of overall global total).
  • Both the .cc and .de TLDs saw a welcome reduction of 75% and 57% respectively in identified abuse across unique second-level domains.

Instances of unique second-level domains by top 10 TLDs used in the distribution of child sexual abuse material

Commercial distribution at the second-level domain

Second-level domains created for the commercial distribution of child sexual abuse material are a serious concern, representing deliberate abuse of the Domain Name System (DNS) . When registrars are alerted to such sites, we encourage investigating other domains registered by the same entity. This can uncover additional sites for IWF review under a ‘special escalations’ process, designed to assess potential links across a registrant’s domain portfolio. Taking this proactive approach helps disrupt criminal abuse by identifying and suspending previously unknown sites.

We identified 351 instances of the .onion TLD in 2025 making it the most abused TLD by volume of unique dedicated commercial second-level domains, representing 19% of the overall global total.

The .cc TLD saw a significant decrease in the number of commercial unique second-level domains. 34 were recorded in 2025 compared to 2024 where it featured at the top of the list with 719 domains. This is a welcome 95% decrease that has seen them drop out of the top 10 this year. 

The .best TLD is seen for the first time in the top 10 since recording this information. In 2025 we identified 124 domains on the .best TLD (7% of the global total), which is more than 40 times last year’s total of just three.

In total, 1,876 unique second-level domains were detected, each openly featuring child sexual abuse imagery and videos on their main landing pages. This marks a 27% reduction compared with the 2,554 similarly abused domains reported in 2024.

Instances of unique second-level domains by top 10 TLDs – used for commercial distribution

What can we do about this?

Gaining insight into how second-level TLD’s are registered and exploited for the commercial distribution of child sexual abuse material allows us to work with registries, registrars, hosts, filtering providers, search engines and other partners to reduce opportunities for criminal activity. Every successful detection and prevention ultimately supports victims and survivors of abuse.

Top-level domain hopping

What is top-level domain hopping?

Top-level domain (TLD) hopping occurs when a website keeps the same second-level name (e.g. ‘anysite.tld’) but shifts to a different TLD, typically with different hosting details, creating a new instance of the site while retaining its brand identity.

TLD hopping is a malicious activity that, if left unchecked, enables the continued spread and availability of online child sexual abuse material, fueling its commercial distribution and sale.

Starting from an original domain (for example, anysite.tld), operators can generate multiple new versions such as anysite.ga, anysite.ml, or anysite.com. Even after the original site is removed, these successor domains allow the content to remain online. This tactic preserves the site’s recognisable identity, making it easy for offenders to track and access images across each new iteration.

TLD Hopping List:

  • At the end of 2025 the IWF Top-level Domain (TLD) Hopping List contained 133 unique second-level domains (28% more than last year) which between them have accounted for 514 individual historical hops (74% more than last year).
  • 1,447 dedicated domain strings were added to the IWF monitoring list in anticipation of future hopping activity which may trigger the *‘two hop threshold’ and enable listing the string in the TLD Hopping List.
  • The top three most abused domain strings on the list each have a history of eight TLD hops in addition to their initial discovery.

*Before a second-level domain is added to the IWF TLD Hopping List, it must have been encountered and assessed to be a dedicated child sexual abuse site and to have hopped a minimum of two times, previously. Therefore it will have an established, proven history of being used with criminal intent over a minimum of three different TLDs.

The table below shows how hops are counted prior to being listed.

Instance Example string Example TLD Assessment Hop count Listing status
1 mybadsite .info Dedicated 0 Not listed
2 mybadsite .net Dedicated 1 Not listed
3 mybadsite .mobi Dedicated 2 Listed

A domain string is only classified as hopping when the original string is reused exactly. Variations such as “anysite1,” “anysites,” or “anys1te” are not considered hops and are therefore excluded.

Slight variants are increasingly being used as a method to perpetuate the distribution of this criminal material. This is something we currently do not record but our analysts see it regularly in their work. 

The chart below shows the extracted top 10 abused TLDs used by second-level domains which were included in the TLD Hopping List at the close of 2025; the list contained 133 unique strings. A total of 93 TLDs are represented in the live IWF TLD Hopping List.

Top ten TLDs abused in domain hopping (by number of domains on IWF listed service)

The figures shown reflect a list compiled over the past five years and should not be interpreted as a measure of performance or of abuse levels specific to 2025 alone.

Although .xyz appears high in our top 10 abused TLDs across the four-year period, the majority of this activity occurred before the current reporting year.

We are pleased to have collaborated closely with the .xyz registry operator, an IWF Member, to curb abuse effectively. Our direct partnership has allowed for rapid action, with dedicated abusive domains suspended.