"A registrar that costs $10 will let you do whatever you want and will ignore and laugh at any legal request."
The modern internet, often perceived by the lay public as an ethereal cloud of information, is in reality a rigidly structured hierarchy of physical infrastructure, administrative governance, and contractual trust. At the gateway of this digital ecosystem stand domain registrars, the entities authorized by the Internet Corporation for Assigned Names and Numbers (ICANN) to lease the human-readable addresses that serve as the storefronts, communication hubs, and identity cards of the web.
These gatekeepers are bound by the Registrar Accreditation Agreement (RAA) to maintain the stability and security of the Domain Name System (DNS). However, a distinct subset of accredited entities has emerged that weaponizes this agreement, subverting their custodial duties to create safe havens for illicit activity.
This comprehensive investigative report isolates and analyzes the operations of one such entity: NiceNIC International Group Co., Limited (IANA ID 3765).
Headquartered in Hong Kong, NiceNIC has statistically and operationally distinguished itself not through innovation or market dominance, but through an anomalous and sustained concentration of abuse. This dossier, synthesized from proprietary intelligence gathered by the PhishDestroy Threat Intelligence Team, alongside data from the DNS Research Federation (DNSRF), Spamhaus, and the Cybercrime Information Center, establishes that NiceNIC functions as a structural pillar of the modern cybercriminal economy.
Key Findings
Our investigation reveals a distinct operational pattern that transcends mere negligence. NiceNIC exhibits the characteristics of a "Bulletproof Registrar," characterized by:
| Pattern | Description |
|---|---|
| Marketing of Anonymity | Explicit prioritization of cryptocurrency payments (USDT, BTC) to sever financial auditability |
| Procedural Obstructionism | "Closed-loop" abuse reporting system designed to obfuscate responsibility and delay mitigation |
| Geopolitical Arbitrage | Exploitation of jurisdictional friction between Western law enforcement and Hong Kong corporate law |
| Statistical Dominance in Crime | Phishing domain score 326 times higher than the industry standard |
The implications of these findings are severe. By providing "full-stack" protection (acting as both registrar and host for high-profile threat actors like Scattered Spider and the perpetrators of the December 2025 Trust Wallet heist), NiceNIC has effectively positioned itself as an open advertisement for global cybercrime.
Part I: The Infrastructure of Malice and the PhishDestroy Methodology
To understand the gravity of the findings presented in this dossier, it is essential to first establish the methodological rigor applied to the data collection.
1.1 The PhishDestroy Protocol: Precision Intelligence

False-positive statistics are no more than 1–2 per 1,000 valid detections
The intelligence underpinning this report is derived from the PhishDestroy Threat Intelligence Team, an independent analytical platform dedicated to the detection and disruption of malicious infrastructure.
GitHub Destroylist: github.com/phishdestroy/destroylist
Live Threat Map: phishdestroy.io/live
Our model is fully active and pre-emptive: we aim to eliminate phishing before it causes damage. We operate transparently, maintain a live open database, share data with multiple security systems, and have no profit motive: no donations, no commercial interest, no bias toward or against any registrar. Our only goal is the destruction of phishing.
We run 30+ proprietary parsers that detect threats at the earliest stage through:
- Malvertising monitoring
- SEO-abuse tracking
- Social-media campaign analysis
- Typosquatting detection
- Community intelligence
Confirmed threats are immediately distributed to 50+ major vendors (Google Safe Browsing, Cloudflare, Microsoft, VirusTotal, etc.) for global remediation.
Key Technical Signatures Monitored
- Cryptocurrency Drainers: JavaScript snippets designed to interact with Web3 wallets (MetaMask, Trust Wallet) and execute unauthorized transaction signatures
- Phishing Templates: HTML/CSS structures replicating login interfaces of major financial institutions
- Malicious JavaScript: Obfuscated code blocks associated with drive-by downloads or credential harvesting
Each report contains a full evidence package:
- Complete email
- PDF report
- Inline screenshot
- Direct-link screenshot
- Attached screenshot file
We provide this structure to ensure maximum clarity for the abuse team and to simplify verification based on VirusTotal verdicts and other technical indicators.
Initial Takedown Notice (1st Notice)
The first notification includes: the email, the forensic PDF, all screenshots (inline, link, attached).
Examples:
Escalation Report (2nd Notice)
A repeated notification is sent only when our parsers or repeated user signals confirm that the threat has been detected again and remains active.
Examples:
- Second email (Escalation Notice)
- Escalation PDF (bigspin.cc): Report #17 for a domain ignored for more than 1300 hours
Part II: The Data of Distrust - Statistical Evidence
Anecdotal evidence of abuse is common across the registrar industry; even giants like GoDaddy or Namecheap host thousands of malicious domains simply due to their immense market share. However, the rate and concentration of abuse distinguish a negligent registrar from a rogue one.
2.1 The League Tables of Internet Neighborhoods

Absolute champions in terms of the amount of malicious infrastructure over several years
The concept of "Internet Neighborhoods" posits that just as physical cities have safe zones and high-crime zones, the internet is divided into TLDs and registrars that are either safe or dangerous.
In the 2024–2025 reporting periods, NiceNIC consistently appeared in the upper echelons of the DNSRF's "League Tables" for abuse. The report highlighted a cluster of high-abuse registrars in the Asia region, specifically identifying NiceNIC as part of an "unsafe neighborhood" comparable to a "lawless Wild West."
2.2 The Phishing Landscape 2025: A Statistical Anomaly
The most damning statistical evidence comes from "The Phishing Landscape 2025" report by the Cybercrime Information Center.
interisle.net/insights/phishing-landscape-2025

Source: cybercrimeinfocenter.org
According to the Phishing Activity Quarter-Over-Quarter (Aug–Oct 2025) report, NiceNIC shows a consistent upward trend in phishing domain volume, while most major registrars are tightening controls and reducing abuse.
Phishing Domain Score Comparison
| Registrar | Phishing Domain Score | Status |
|---|---|---|
| NiceNIC (IANA 3765) | 1,141.74 | Critical Threat |
| Google / GoDaddy | 3.2–3.5 | Industry Standard |
| Namecheap | ~3.5 | Industry Standard |
Analysis: NiceNIC's score is approximately 326 times higher than the industry standard. This is a statistical anomaly so vast that it cannot be explained by accident, resource constraints, or incompetence.
2.3 Spamhaus Reputation Metrics

NiceNIC, led by Hugo Julian, is striving to become the best among the worst
Spamhaus is widely regarded as the most authoritative arbiter of reputation in the email and network security space.
- Global Ranking: NiceNIC has consistently ranked among the top 10 most abused registrars globally
- The "Badness" Index: NiceNIC's score of 6.03 places it in the company of the world's worst offenders
spamhaus.org/resource-hub/domain-reputation
Part III: Mechanisms of Evasion β The "Bulletproof" Model
How does a registrar achieve such notoriety? It requires a combination of technical permissiveness, procedural obstruction, and policy exploitation.
3.1 The "Closed Loop" Abuse System
The RAA requires registrars to maintain an abuse contact and investigate reports. NiceNIC complies with the form of this requirement while completely gutting its substance.
The Auto-Responder Wall
Upon submitting a detailed forensic report, the reporter receives a generic acknowledgement template:
Dear Reporter,
Thank you for submitting your report. We have received your message
and appreciate the effort to keep the Internet safe.
However at this stage the information provided is not sufficient for
our team to verify the issue or to determine the nature of the
reported activity...
[Standard boilerplate continues...]
Best regards,
NiceNIC Abuse Team
ICANN Accredited Registrar since 2012
This template is sent even when the initial report contains exactly the requested data: URLs, screenshots, and server logs. It is a delay tactic.
The Forwarding Game
Instead of investigating the evidence, NiceNIC forwards the complaint to the registrant (the criminal). The criminal registrant then replies denying the abuse, or simply ignores it. If they deny it, NiceNIC often accepts this denial at face value and closes the ticket.
This "closed loop" allows NiceNIC to claim they are "processing" reports, thereby satisfying ICANN auditors, while ensuring that no action is actually taken.
3.2 Marketing Anonymity: The Crypto-Currency Nexus
NiceNIC explicitly markets its acceptance of Bitcoin (BTC), Tether (USDT), Ethereum (ETH), and Litecoin (LTC) for domain registration and renewals.
By prioritizing and advertising these payment methods, NiceNIC signals to the market:
"We do not want to know who you are."
This severance of the financial link between the criminal and the infrastructure is a critical service feature.
3.3 Technical Forensics: Homograph Attacks and DGAs

NiceNIC's ambition extends beyond phishing: they want to dominate every criminal vector
Homograph Attacks and Faux Cyrillic:
Threat actors exploit IDNs via "homograph attacks," using Cyrillic characters that look identical to Latin letters to spoof brands. NiceNIC's automated systems are a playground for these attacks.
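For defenders triaging newly registered IDNs, the following Python example (added here; it is not code from the original report or from PhishDestroy) decodes punycode labels, folds Cyrillic lookalikes to the Latin letters they imitate, and flags labels that mix scripts or resolve to a watched brand. The confusable map, the function names, the brand watchlist and the `.example` sample domains are constructed assumptions.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones; a
# production list would be built from the Unicode confusables data.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- (punycode)."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold known Cyrillic lookalikes to the Latin letters they imitate."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in label)

def check_domain(domain, brands):
    """Return one finding per label that mixes scripts or imitates a brand."""
    findings = []
    labels = domain.rstrip(".").split(".")
    for raw in labels[:-1]:                      # the TLD is not inspected
        label = decode_label(raw)
        used = scripts(label)
        if "CYRILLIC" not in used:
            continue
        skel = skeleton(label)
        brand = next((b for b in brands if b in skel), None)
        if len(used) > 1 or brand:
            findings.append({"label": raw, "skeleton": skel,
                             "mixed_script": len(used) > 1, "brand": brand})
    return findings

def to_ace(label):
    """Helper for the constructed samples: Unicode label -> xn-- form."""
    return "xn--" + label.encode("punycode").decode("ascii")

if __name__ == "__main__":
    samples = [to_ace("\u043ekta-login") + ".example",   # constructed spoof
               "okta-login.example"]                      # plain ASCII
    for d in samples:
        print(d, check_domain(d, ["okta"]))
```

A label written entirely in Cyrillic that matches no watched brand is not flagged, so legitimate Cyrillic IDNs pass through.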
Domain Generation Algorithms (DGAs):
Google Threat Intelligence has flagged the presence of "recently created DGA domains" within NiceNIC's portfolio, indicating botnet management.
Part IV: Case Studies in Cybercrime
4.1 Case Study: The Trust Wallet Heist (December 2025)

NiceNIC openly ignores abuse reports and positions itself as a protector for scammers
In December 2025, the cryptocurrency ecosystem was destabilized by a sophisticated attack targeting users of Trust Wallet.
The Attack Vector
Threat actors distributed a malicious browser extension, designed to harvest "seed phrases" (the master keys to user wallets).
The NiceNIC Connection: Full-Stack Control

SlowMist analysis - domain confirmed
Forensic analysis confirmed that the critical data-exfiltration infrastructure was not only registered via NiceNIC but also hosted on NiceNIC servers. This "full-stack" control meant NiceNIC had absolute technical sovereignty over the exfiltration nodes.
The Operational Failure
Intelligence indicates that the NiceNIC operator was active on Telegram (visible status "Online") during the heist, receiving urgent alerts from PhishDestroy and other researchers.
Despite the real-time notification of a massive financial crime in progress, the infrastructure remained live. The theft reached an estimated $8.5 million in drained assets.
Trust Wallet Official Statement
4.2 Case Study: The "Soulless" Scam Machine (August 2025)
In August 2025, investigative journalist Brian Krebs exposed a massive network of Russian scam gambling sites.
The Scale
PhishDestroy intelligence identified over 1,200 identical sites sharing the same code base and the same crypto-drainer scripts. The vast majority were registered through NiceNIC.
Full list of sites
Symbiosis with Crime Panels
Source: t.me/gambler_tech/39 - Fraudulent Russian group recommends NiceNIC as the "best provider"
Owners of scam panels actively train their affiliates to use NiceNIC. Leaked Telegram screenshots reveal instructors explicitly recommending NiceNIC as a "safe haven."
4.3 Case Study: Scattered Spider (UNC3944)

Scattered Spider: The Supply Chain of Ransomware
Scattered Spider is one of the most aggressive threat groups currently operating, known for targeting identity providers like Okta to breach major corporations (MGM Resorts, Caesars Entertainment).
The Lookalike Tactic
The group relies heavily on "lookalike" domains, which visually resemble corporate login portals (e.g., okta-support-update.com). Intelligence from Mimecast, Google Threat Intelligence, and Silent Push has linked a significant number of these domains to NiceNIC.
The Operational Requirement
If a Blue Team reports a domain and it is taken down in 30 minutes (standard for reputable registrars), the attack fails. If it stays up for 48 hours (the typical "ignore" window of NiceNIC), the attack succeeds.
NiceNIC is effectively part of the supply chain for ransomware attacks against Fortune 500 companies.
Silent Push Report
MITRE ATT&CK Profile
Part V: The Manifesto and the PR Stunt
On January 10, 2026, the implicit actions of NiceNIC were made explicit in a bizarre public incident. The official NiceNIC X (Twitter) account posted:
"We are not against scamming the whole world… we here to make cash."
They posted it (or someone using their official Twitter account did) and they even managed to include a Cyrillic character (creating plausible deniability: "This wasn't us, this was Russian attackers").
What this really looks like is not an apology or an explanation for the public; it's PR aimed at the hackers themselves. A signal:
"We're on your side, we don't block scams, we don't cooperate with ICANN, we don't care about reports. We're the registrar you can rely on."
Part VI: Geopolitics and Regulatory Inertia
6.1 The "Notice and Cure" Loophole
NiceNIC games the ICANN system effectively. If ICANN sends a notice regarding 50 specific domains, NiceNIC simply deletes those 50 domains on Day 14. ICANN declares the breach "cured." Meanwhile, NiceNIC has registered 5,000 new malicious domains.
This "Whac-A-Mole" dynamic allows the registrar to be perpetually in breach and perpetually "curing" it.
6.2 The Hong Kong Shield
NiceNIC's Hong Kong jurisdiction is a critical component of its "bulletproof" status. Western law enforcement agencies face significant bureaucratic hurdles when serving subpoenas in Hong Kong.
The Great Firewall of China is obsessed with internal political stability; content that criticizes the CCP is taken down in seconds. However, a phishing site targeting a French bank or a US crypto wallet is not a priority for local censors.
NiceNIC exploits this asymmetry.
HKIRC Accredited Registrars
Conclusion: A Rogue State in the DNS

In the modern ecosystem, no registrar should be willing to protect scam syndicates for $10 per domain
The evidence compiled in this report leads to a singular conclusion: NiceNIC (IANA 3765) is a rogue registrar. It does not operate within the spirit of the ICANN community; it operates as a parasite upon it.
| Finding | Evidence |
|---|---|
| Statistical Outlier | Abuse rates exceed industry norms by over 300% |
| Operational Complicity | "Closed loop" abuse process and crypto-anonymity protect criminals |
| Proven Harm | Facilitates high-end cyberwarfare (Scattered Spider) and mass-market fraud (Trust Wallet) |
Hiding behind 'free speech' to justify refusing takedowns, while calling automated replies an 'abuse desk,' isn't just dishonest; it's criminal. It's a bargain-bin excuse for aiding offenders, shielding their infrastructure, and undermining every attempt at investigation.
Recommendations for Remediation
Immediate ICANN Audit: ICANN must invoke its audit rights under the RAA to examine NiceNIC's abuse handling records and crypto-payment KYC procedures
Invocation of RAA Section 3.11.3: The security community must build a case that NiceNIC's continued accreditation poses a threat to the stability and security of the internet
Financial Sanctions and Payment Rails: Pressure should be applied to upstream registries (Verisign for .com, PIR for .org) to de-peer NiceNIC
Until IANA 3765 is revoked, the internet's "Red Light District" will remain open for business, and the victims will continue to pile up.
Thanks for reading!
Stay alert when you come across a domain registered via NiceNIC
Don't act like NiceNIC; act responsibly
Together, we can push phishing and scam out of the internet
Further Reading / References
- Trustpilot Reviews: User reviews on abuse handling and phishing domains
- nicenic.support: Independent write-up on NiceNIC abuse reporting process
- dev.to/destroyphish: OSINT analysis of registrars enabling scams
- Cybercrime Info Center: Registrar phishing domain ranking
- Interisle Phishing Trends: Phishing activity analysis
This report was produced by the PhishDestroy Threat Intelligence Team. We have taken down over 500,000 phishing domains to make the internet safer for everyone.




