Defining the scope of a defensive domain name portfolio can be intuitive:  An insurance company will be inclined to register their brand under .INSURANCE, but will probably skip the .PIZZA domain.  Likewise, a company that operates only in Europe will want their brand-match .FR country-code domain (ccTLD), but will treat the .US domain as a lower priority.

These are decisions based on relevance: Logical pairs of brand and domain extension produce domain names that the company might use for itself, or that bad actor could use to impersonate the brand.  This rationale is sound, but extension relevance should not be the only consideration applied when deciding which domains to register defensively.  Portfolio managers should also consider the level of risk associated with a given domain name extension.  Applied to ccTLDs, this can mean registering in countries where the brand has little or no presence, but where abuse is both more probable to occur and more expensive to remediate.

The usual approach for identifying “risky ccTLDs” is mathematical:  Take the number of abusive domains, divide by the total and report the percentage of abusive domains.   That’s a fair metric, but one that can produce skewed results when the sample size is small, or when fraud spikes due to temporary discounted pricing. 

This article will instead focus on domain registration channels and consumer behavior to identify which ccTLDs a fraudster would decide to register for reasons other than price.  Although more speculative in nature, we believe conclusions drawn would prove more resistant to temporary fluctuations and better inform decisions on which defensive domains to register and renew year after year.

For purposes of this article, we have focused on three attributes of ccTLDs that fraud actors would be inclined to consider at the moment they choose a domain to register:

• The ccTLD can be easily registered in their country
• The ccTLD is available through domain name registrars that have a poor track record of responding to abuse complaints.
• The ccTLD’s dispute policy makes it difficult for a foreign victim to neutralize or recover the domain name.

Let’s dive deeper into these risk factors to try and identify which ccTLD registrations may merit additional consideration:

In which countries do the fraudsters operate and which ccTLDs are available there?

This first component requires an understanding of the geographic origin of fraud and phishing attacks.  It’s tough to track where these attacks come from, but one study[1] provides the following breakdown of the top 5 countries of origin for phishing emails:

• Russia (24.77%)
• Germany (14.12%)
• USA (10.46%)
• China (8.73%)
• Netherlands (4.75%)

We would submit that Germany, USA and Netherlands are countries fully integrated into the global economy, in which residents could use their locally-issued bank cards to register domain names under any number of domain name extensions.  It follows that .DE, .US and .NL would not necessarily be the first choice of fraudsters in these countries, who might instead be drawn to whichever domain name extension was available for the lowest price.

That’s not so much the case with Russia and China, countries whose economies are more closed.  A fraudster may have difficulty obtaining a credit card usable with foreign vendors[2] and therefore be inclined to use a registrar that can accept local payment methods.  Likewise, registrars in these countries may have difficulty sourcing domain extensions offered through international registries, if not outright restrictions from doing so[3].  This confluence of factors would lead a fraudster in Russia or China to be more likely to register a domain under their .RU or .CN primarily because they have a realistic means to pay for the registration.  This is somewhat borne out by the traditional statistics of ccTLDs most used for phishing, where both ccTLDs appear in the Top 10.[4]

Which domain name registrars would be attractive to fraudsters and which ccTLDs do they offer?

Website operators that host content that may be considered illegal or immoral tend to seek domain name registrars and webhosts that are less inclined to act upon takedown requests.[5] These are sometimes known as “bulletproof registrars.”

We inspected selection/pricing tables on websites of three registrars that self-identify with this niche to detect patterns in which ccTLDs are available:

1. Trustname

• Country: Estonia
• Excerpt from Website: “Trustname is the world’s most trusted independent domain registrar for sensitive niches.”
• ccTLDs Available[6]: .AC, .AG, .BZ, .FM, .GL, .LC, .ME, .MN. .MU, .PR, .SC, .VC
• Comment: Primarily from small countries, but ccTLD is available through large registry operators (eg. Identity Digital, CentralNic).

2. PRQ

• Country: Sweden
• Excerpt from Website: “We are a specialized hosting provider, located in Sweden, a free-speech haven. We serve a growing community of international clients with special needs.”
• ccTLDs Available[7]: .ST, .AS, .CA, .CC, .CO, .CR, .DK, .FI, .FR, .IM, .IO, .IS, .ME, .PK, .PW, .SI, .SU, .TO, .TV, .UK, .AI
• Comment: Has some ccTLDs available on large registry backend platforms, but others with manual registration procedures conducted directly with the local authorities.

3. Njalla

• Country: Sweden (operated by Njalla OKTET AB; founded by individuals associated with The Pirate Bay ecosystem)
• Excerpt from Website: “We are a privacy-focused domain name registrar and hosting provider. We register domains on behalf of our customers to minimize their exposure.”
• ccTLDs Available[8]: .BZ, .CC, .CO, .CX, .FI, .SI, .TW, .AC, .DO, .GS, .IO, .LA, .LC, .MS, .TV, .VC, .GD, .GL, .PE, .PH, .AI, .HN, .HT, .SC, .TL
• Comment: Like the above two examples, but with higher integration of ccTLDs operating on CoCCA’s registry software.

Based on the above, we conclude that bulletproof registrars do NOT sort through ccTLDs and decide to offer only those where they perceive there will be less pressure from the ccTLD manager to resolve takedown requests.  Instead, these registrars are prioritizing ease of integration: If a given ccTLD is available through a market-leading registry operator, they’ll support it.  On the other hand, if offering a ccTLD would mean onboarding a new provider, they determine that’s too much work (or too much exposure) and do not offer it.

In this context, it makes sense for the brand portfolio manager to take note of which ccTLDs from less-relevant markets are particularly easy for domain registrars to onboard.  These should become higher priorities for defensive registration, given that they can be registered through companies that will not attend to takedown requests even when fraud is clear and apparent.

What ccTLDs make it hard for foreigners to present a dispute?

When deciding to omit a defensive domain name registration in a less relevant country, a brand manager may assume that, in the event of an active fraud, there will be an opportunity to present a UDRP dispute.  It’s true that more countries are adopting the UDRP standard or variant thereof, but they’re still not in the majority.

Many countries, including some large and important markets, use a ccTLD dispute policy that requires filing in the local language and abiding by a standard unfamiliar to UDRP preparers.  There are others that have no dispute policy at all and instead require that domain disputes be heard in the local courts.  Recovering an abusive domain name in these countries becomes much more expensive than filing a UDRP, as some combination of translators, local attorneys and document authorities must be paid.

Unlike the previous two points, this condition in and of itself doesn’t call for defensive registrations.  Most countries that do not use UDRP meet neither the first nor second criteria for riskiness described in this article, so there is no reason to assume that the ccTLD has a higher probability of being used for an abusive registration.  On the contrary, these ccTLDs tend also to have non-standard registration procedures and use their own domain management platforms.  On balance, it’s likely harder and more expensive for fraudsters to register these domains.

Instead, the lack of the UDRP remedy should be seen as an enhancer to the other two risk factors.  In other words, if a ccTLD is available to fraudsters AND also difficult to dispute, that’s a risk that shouldn’t be ignored.  Concretely, we can return to .CN and .RU from the first section above:  These should be considered for defensive registration even for clients with zero activity in Russia or China, as the countries’ dispute processes are notorious for being difficult for foreigners to use.

Conclusion

Brand portfolio managers are intimately familiar with company’s commercial activity and will generally be able to select the most relevant domain names for defensive registrations.  On the contrary, the world of ccTLDs is a complex web of in-country authorities, registry software operators and accredited registrars.  Untangling this web to expose risk generally falls outside the purview of law firms and in-house counsel, but squarely within the expertise of companies like IP Twins.

Registration accessibility, enforcement friction, and remediation cost are distinct risk dimensions, each of which raise the level of priority that should be allotted to a defensive registration.  Whether formally (eg. a scoring system) or simply by means of increased consciousness, these risk dimensions should factor into determining the threshold that needs to be met to justify the defensive registration.

If this article has raised any questions about potential holes in a brand’s defensive domain portfolio, IP Twins’ Account Managers are happy to conduct an audit and recommend a reasonable approach to cover the riskier ccTLDs that might otherwise be omitted.

Notes

[1] The Latest Phishing Statistics (updated October 2025) | AAG IT Support

[2] Visa and Mastercard suspend Russian operations

[3] Overseas TLD Registries Licensed by Chinese Government

[4] ccTLDs associated with phishing – best & worst | Statistics

[5] BulletProof Domain Registrar in the World | by Chris Ambler | Medium

[6] All Domain Extensions List – Cheap at $7.99 – Trustname

[7] PRQ Customer portal – Checkdomain

[8] Njalla — Pricing