Tanya Chet
Killing a Phishing Site Is Not a Technical Problem; It Is a Coordination Problem

You can detect a phishing site in seconds. Taking it down can take days. That gap is not a tooling problem. It is a coordination problem.

Most security discussions still frame phishing as a detection challenge: classify the URL, flag the domain, warn the user. That view is incomplete. A phishing campaign is not just a web page. It is a distributed system that spans registrars, hosting providers, CDNs, DNS infrastructure, social platforms, and sometimes telecom networks. Each component sits under a different authority, with different processes, different response times, and different thresholds for action. The attacker only needs one of these layers to remain active. The defender has to align several of them at once [1–4].

This is why takedown consistently lags behind detection. Measurement studies have shown that phishing campaigns can operate within short time windows where most victim interaction occurs early, often before coordinated response can take effect [2]. Even after detection, phishing pages can remain accessible, especially when attackers rotate content, infrastructure, or delivery channels to extend operational lifetime [3]. From the attacker’s perspective, the system is resilient by design. From the defender’s perspective, it is fragmented by default.

The coordination problem appears in three places. First, authority fragmentation: the entity that can suspend a domain is not the same as the one that hosts the content, and neither controls social impersonation accounts or scam phone numbers. ICANN guidance on DNS abuse already reflects this reality, emphasizing that effective mitigation depends on routing complaints to the “best positioned actor,” which varies by case [4]. Second, evidence mismatch: takedown requests require structured, defensible evidence, yet user reports often arrive incomplete or unstructured. Research on phishing reporting ecosystems shows that users struggle to provide actionable reports, and systems rarely close the loop with meaningful outcomes [5]. Third, time asymmetry: attackers deploy infrastructure in minutes, while takedown processes involve verification, escalation, and cross-party coordination, often measured in hours or longer [1–3].

A simple example illustrates the issue. A user reports a fake banking site. The domain is newly registered through one provider, hosted on another, proxied through a CDN, and promoted via a social account. A detection engine flags the URL quickly. But removing it requires at least one of the following: registrar action, hosting suspension, CDN intervention, or platform enforcement. If only one layer acts, the campaign may persist through another path. If none act quickly enough, the campaign completes its objective before disruption occurs. The technical signal is clear, but the operational response is delayed. This is where most security stacks stop. They detect, classify, and sometimes alert. They do not execute. That gap defines the difference between identifying phishing and stopping it.
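To make the scenario above concrete, here is an added example (not code from the post or from any product it mentions) that models a campaign as a set of delivery paths across registrar, host, CDN, platform and telco, and greedily picks the best-positioned actor to request action from: the component that cuts the most still-live paths per hour of expected response time. The per-authority response hours and the sample campaign are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed response-time assumptions (hours) per authority, not measured data.
RESPONSE_HOURS = {"cdn": 4, "host": 6, "platform": 12, "registrar": 24, "telco": 48}

@dataclass
class Campaign:
    """A campaign as delivery paths, each a chain of (authority, id) components.
    Cutting any component cuts its path; the campaign is live until all paths are cut."""
    paths: dict[str, list[tuple[str, str]]]
    suspended: set[tuple[str, str]] = field(default_factory=set)

    def live_paths(self) -> list[str]:
        return [p for p, comps in self.paths.items()
                if not any(c in self.suspended for c in comps)]

    def best_positioned_actor(self):
        """Greedy: unsuspended component cutting the most live paths per response hour."""
        live = self.live_paths()
        best, best_score = None, 0.0
        for p in live:
            for comp in self.paths[p]:
                if comp in self.suspended:
                    continue
                cut = sum(comp in self.paths[q] for q in live)
                score = cut / RESPONSE_HOURS[comp[0]]
                if score > best_score:
                    best, best_score = comp, score
        return best

    def plan(self) -> list[tuple[str, str]]:
        """Takedown requests in priority order until no path stays live."""
        requests = []
        while self.live_paths():
            target = self.best_positioned_actor()
            if target is None:  # a path with no known components cannot be cut
                break
            self.suspended.add(target)
            requests.append(target)
        return requests

# Constructed scenario from the article: a fake bank site promoted via a
# social account and SMS, with a backup domain on a second host.
SAMPLE_PATHS = {
    "social_post": [("platform", "@bank-help-desk"), ("registrar", "bank-verify.test"),
                    ("cdn", "cdn-account-1"), ("host", "origin-a")],
    "sms_link": [("telco", "+1-555-0100"), ("registrar", "bank-verify.test"),
                 ("cdn", "cdn-account-1"), ("host", "origin-a")],
    "backup_domain": [("platform", "@bank-help-desk"), ("registrar", "bank-login.test"),
                      ("host", "origin-b")],
}

def takedown_plan(paths=SAMPLE_PATHS) -> list[tuple[str, str]]:
    return Campaign(paths).plan()
```

Run on the sample, the plan needs two different authorities (CDN, then the backup host); suspending only the primary domain would leave the backup path live, which is the "one layer acts, the campaign persists through another path" case.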

A solution like NothingPhishy is built around this exact constraint. It is an external threat disruption platform for fast takedown of phishing infrastructure. It does not treat phishing as a single artifact. It treats it as a coordinated system that must be disrupted across layers. That means aligning takedown workflows across domains, hosting, social impersonation, and related surfaces, and doing so with speed as a primary objective rather than a secondary outcome.

The emphasis on fast takedown is not cosmetic. Empirical work has shown that reducing the lifetime of phishing infrastructure directly reduces victim exposure, even when detection accuracy remains constant [1,2]. In practice, that means prioritizing cases, structuring evidence for action, and routing requests to the right authority without delay. It also means recognizing that disruption is not a one-off event. Attackers reuse infrastructure, templates, and delivery channels. Without continuous monitoring and watchlist-based follow-up, the same campaign can reappear with minimal cost [3,6].

This leads to a more accurate model of phishing defense. Detection answers the question “what is this?” Coordination answers the question “who can act?” Execution answers the question “is it stopped?” Most systems are strong in the first step and weak in the next two. NothingPhishy is designed to operate where those weaknesses exist.

The implication is straightforward. If phishing were purely a technical problem, better classifiers would solve it. They have not. The persistence of phishing at scale reflects the fact that the bottleneck is not identifying malicious content but aligning the entities that can remove it. Until that alignment is addressed, detection alone will continue to outpace disruption.

If detection tells you what is wrong, takedown decides whether it stops.

References

[1] Moore, T., & Clayton, R. (2007). Examining the impact of website take-down on phishing. APWG eCrime Researchers Summit.

[2] Oest, A., Zhang, P., Wardman, B., Liu, H., Doupé, A., Ahn, G.-J., Wang, R., Bao, T., et al. (2020). Sunrise to sunset: Analyzing the end-to-end life cycle and effectiveness of phishing attacks at scale. USENIX Security Symposium.

[3] Lee, K., Kwon, Y., Kim, S., et al. (2025). 7 days later: Analyzing phishing-site lifespan after detected. Proceedings of the ACM Web Conference.

[4] ICANN. (2024). Advisory: Compliance with DNS abuse obligations in the registrar accreditation agreement and the registry agreement.

[5] Sun, Z., Kokulu, F. B., Zhang, P., Oest, A., Stringhini, G., Bao, T., Wang, R., Shoshitaishvili, Y., Doupé, A., & Ahn, G.-J. (2024). From victims to defenders: An exploration of the phishing attack reporting ecosystem. RAID.

[6] Bijmans, H., et al. (2021). Catching phishers by their bait: Investigating the phishing landscape through phishing kit detection. USENIX Security Symposium.