# NICENIC Zone Scan — Complete Registrar Investigation
Phase I · NICENIC INTERNATIONAL GROUP CO., LIMITED · IANA #3765
Complete-zone scan of a Chinese registrar enabling industrial-scale domain abuse
🔴 LIVE INVESTIGATION FEED · Auto-updated · Last fetch
2026-07-08
📦 Domains tracked358,143 |
💰 Est. revenue$2,756,834 |
📡 Deployed53.6% |
✅ Confirmed phishing6.7% (24,085) |
⚡ Fresh (≤7d)1.0% |
🕵️ Serial regs44 |
| TLD | Count | Avg Reg Period | Est. Revenue |
|---|---|---|---|
.com |
196,698 | 563d | $1,768,315 |
.vip |
27,686 | 372d | $138,153 |
.icu |
18,908 | 393d | $18,719 |
.net |
16,612 | 678d | $165,954 |
.xyz |
15,844 | 476d | $23,608 |
.info |
11,265 | 504d | $44,947 |
.live |
10,976 | 404d | $109,650 |
.cfd |
9,167 | 475d | $45,743 |
.org |
8,198 | 842d | $81,898 |
.sbs |
6,860 | 434d | $34,231 |
US ██████████████████ 12,524 (34.8%)
RU ████░░░░░░░░░░░░░░ 2,980 (8.3%)
CA ████░░░░░░░░░░░░░░ 2,785 (7.7%)
NL ███░░░░░░░░░░░░░░░ 2,609 (7.2%)
DE ███░░░░░░░░░░░░░░░ 2,209 (6.1%)
GB ███░░░░░░░░░░░░░░░ 2,099 (5.8%)
BG ██░░░░░░░░░░░░░░░░ 1,770 (4.9%)
UA █░░░░░░░░░░░░░░░░░ 873 (2.4%)
| Date | Domains | × Average |
|---|---|---|
2026-06-16 |
1,382 | 14.7× 🚨 |
2026-06-08 |
1,251 | 13.3× 🚨 |
2026-03-06 |
1,244 | 13.2× 🚨 |
2025-12-04 |
1,215 | 12.9× 🚨 |
2026-03-05 |
1,207 | 12.8× 🚨 |
coinbase (3,816) · claim (3,451) · login (2,228) · secure (1,699) · token (1,567) · wallet (1,506) · swap (1,356) · ledger (1,329) · official (1,310) · support (1,262) · kraken (1,213) · update (1,159) · crypto (1,145) · connect (1,110) · trust (904)
| # | Registrant Email (redacted) | Domains |
|---|---|---|
| 1 | inf***@credicentrocoop.com |
97 |
| 2 | inf***@vuz.info |
91 |
| 3 | inf***@africaoil.com |
78 |
| 4 | ang***@gmail.com |
42 |
| 5 | sup***@easybit.com |
35 |
| 6 | pre***@ethereum.org |
27 |
| 7 | s***@email.com |
26 |
| 8 | ihr***@email.de |
25 |
| 9 | sub***@shib.io |
25 |
| 10 | u00***@shib.io |
25 |
| File | Format | Description |
|---|---|---|
data/all.txt |
TXT | All tracked domains |
data/index.json |
JSON | Full analytics snapshot |
data/ioc/serial_registrants.json |
JSON | Repeat registrants + their domains |
data/ioc/shared_ips.json |
JSON | Bulletproof hosting clusters |
data/ioc/brand_domains.json |
JSON | Domains by targeted brand |
data/ioc/stix-bundle.json |
STIX 2.1 | MISP/OpenCTI ready bundle |
data/ioc/serial_emails.txt |
TXT | grep-friendly: email⇥count |
data/ioc/shared_ips.txt |
TXT | grep-friendly: ip⇥count⇥country |
📊 Live web dashboard: see Pages link at top · Updated daily 02:00 UTC
|
Investigation |
Evidence |
Legal / Reuse |
NICENIC INTERNATIONAL GROUP CO., LIMITED (IANA registrar #3765) is a Chinese domain registrar with a long-documented track record of slow abuse response, permissive registration policies, and infrastructure that is systematically exploited by phishing operators, carding shops, crypto drainers, illegal gambling networks, and malware distributors.
While NICENIC holds significantly more domains than the average registrar under investigation, the scale is itself the signal: fast, cheap, anonymous registration at volume is the product. The registrar's zone composition reflects a portfolio optimised for abuse enablement rather than legitimate hosting.
This investigation enumerates every domain in NICENIC's zone, classifies content using AI-assisted analysis and threat-intelligence cross-referencing, and publishes structured evidence for enforcement, blocklist, and SIEM use.
Pipeline:
[NICENIC Zone File — 343,107 domains]
│
▼
┌─────────────────┐ aiohttp, 600 concurrent, Googlebot UA
│ Phase 1 — HTTP │ Output: lambda_results.jsonl
│ Fingerprint │
└─────────────────┘
│
▼
┌─────────────────┐ Playwright + stealth v2, isolated context/domain
│ Phase 2 — Render│ SOCKS5 pool + 2captcha (hCaptcha/Turnstile/reCAPTCHA)
│ + Screenshots │ Output: deep_results.jsonl, screenshots/*.jpg
└─────────────────┘
│
▼
┌─────────────────┐ Llama 3.1 (Groq) for content classification
│ Phase 3 — AI │ Rule-based pre-filter + Groq for ambiguous cases
│ Classification │ Output: enriched.csv categories + descriptions
└─────────────────┘
│
▼
┌─────────────────┐ ipinfo.io (country + ASN per IP)
│ Phase 4 — GeoIP │ Output: ip_country, ip_asn fields
└─────────────────┘
│
▼
┌─────────────────┐ Redaction: scan-server IP, API keys, local paths
│ Phase 5 — PII │ Output: clean enriched.csv, data.json, IOC feeds
│ Redaction │
└─────────────────┘
| Field | Value |
|---|---|
| Registrar name | NICENIC INTERNATIONAL GROUP CO., LIMITED |
| IANA ID | #3765 |
| Jurisdiction | China |
| WHOIS server | whois.nicenic.net |
| Abuse contact | abuse@nicenic.net |
| Zone size | 343,107 domains (scan date: June 2026) |
| Supported TLDs | Generic TLDs (gTLD) — .com, .net, .org, .xyz, .top, .shop, .app, .academy, and 100+ more |
| ICANN accreditation | Active |
This investigation covers the complete zone of all domains registered under NICENIC (IANA #3765) as enumerated from public zone data in June 2026. Every domain — alive or dead — is included.
Note: Screenshots and deep-render data were collected only for HIGH and MEDIUM severity domains (estimated 10–25% of zone) to constrain storage and runtime. Dead domains are enumerated and classified but not rendered.
Phase 1 — HTTP Fingerprinting
- Tool: Python 3.14 +
aiohttp, 600 concurrent connections - User-Agent: Googlebot 2.1 (bypass naive bot-blocks)
- Timeout: 5s connect, 8s read
- Extracted: HTTP status, final URL, server headers, title, H1, meta description, form fields, body snippet (first 64 KB)
- Cloudflare detection:
cf-ray/__cf_bmpresence in headers + body - Captcha detection: hCaptcha / reCAPTCHA / Turnstile keyword matching
- Output:
data/lambda_results.jsonl— one JSON object per domain
Phase 2 — Browser Render & Screenshots
- Engine: Playwright 1.40 + headless Chromium
- Stealth:
playwright-stealthv2 - Viewport: 1280 × 800
- Settle delay: 2.5 s post-
domcontentloaded; +5 s on Cloudflare JS challenge - Captcha solving: 2captcha — hCaptcha, reCAPTCHA v2/v3, Cloudflare Turnstile
- Proxy pool: 2,600+ SOCKS5 exits, round-robin per domain
- Output:
docs/screenshots/<domain>.jpg(JPEG 80%, max 1280 px wide)
Phase 3 — AI Classification
- Model: Llama 3.1 8B Instant (Groq API)
- Batch size: 20 domains per Groq call
- Categories:
PHISHING_FINANCE,PHISHING_BRAND,CARDING,CRYPTO_DRAINER,CRYPTO_EXCHANGE,GAMBLING,ADULT,MALWARE,SPAM_PHARMA,SPAM_SEO,PARKING,DEAD,LEGITIMATE,UNKNOWN - Severity map: CRITICAL (4) — phishing/carding/malware; HIGH (3) — crypto/gambling; MEDIUM (2) — adult/spam-seo; LOW (1) — unknown; INFO (0) — parking/dead/legitimate
- Pre-filter: Rule-based keyword matching assigns naive category before Groq; Groq refines uncertain cases
Phase 4 — GeoIP Enrichment
- Provider: ipinfo.io API
- Fields added:
ip_country,ip_asn - Coverage: All live domains with resolved IPs
| Metric | Value |
|---|---|
| Total domains in zone | 343,107 |
| Alive (HTTP 200/3xx) | 37,844 (11%) |
| Dead / Parked / Error | 305,263 (89%) |
| CRITICAL severity | 10,377 |
| HIGH severity | 7,928 |
| MEDIUM severity | 622 |
| Malicious (CRITICAL+HIGH+MEDIUM) | 18,927 (50.0% of alive) |
| Behind Cloudflare | 63,190 (83% of alive) |
| Screenshots captured | 37,844 alive domains — not published in repo (size) |
| Operator clusters identified | 2,939 |
2,939 operator clusters identified via favicon MurmurHash3 + server fingerprint combination. Clusters of 3+ domains sharing identical infrastructure are surfaced as likely operator groups.
Notable clusters:
| Cluster | Domains | Description |
|---|---|---|
Favicon 1921725183 |
1,043 | Single phishing operator — uniform credential-harvesting kit |
IP 188.114.96.3 |
13,293 | Cloudflare anycast — bulk domain parking on shared exit |
| Carding infra | 544 CC shops | 83% behind Cloudflare DDoS protection |
Full cluster data: data/clusters.json — includes favicon hash, server fingerprint, domain list, and category distribution per cluster.
| File | Rows | Description |
|---|---|---|
data/enriched.csv |
86,114 | Full enriched dataset — all classified domains with category, severity, IPs, country, AI descriptions |
data/high_severity.csv |
20,480 | CRITICAL+HIGH filtered subset |
data/dead_domains.csv |
— | Dead / parked / error domain enumeration |
data/clusters.json |
2,939 | Operator cluster map — favicon hash + server fingerprint groupings |
ioc/domains_high.txt |
18,305 | Production blocklist — CRITICAL+HIGH domains |
ioc/domains_all_malicious.txt |
18,927 | Production blocklist — CRITICAL+HIGH+MEDIUM |
ioc/indicators.csv |
18,927 | SIEM-ready: domain, ip, server_fp, favicon_mmh3, category, severity |
docs/data.json |
— | Slim per-domain dataset for the live report |
pkg/raw_data/lambda_results.jsonl.gz |
— | Phase 1 raw HTTP fingerprint output (compressed) |
pkg/raw_data/enriched.csv.gz |
— | Compressed enriched dataset |
pkg/raw_data/high_severity.csv.gz |
— | Compressed CRITICAL+HIGH subset |
SHA256SUMS.txt |
— | SHA-256 checksums of all published data files |
# HIGH severity domains (blocklist)
https://raw.githubusercontent.com/phishdestroy/nicenic-evidence/main/ioc/domains_high.txt
# HIGH + MEDIUM domains
https://raw.githubusercontent.com/phishdestroy/nicenic-evidence/main/ioc/domains_all_malicious.txt
# SIEM indicators (CSV)
https://raw.githubusercontent.com/phishdestroy/nicenic-evidence/main/ioc/indicators.csvNICENIC operates under Chinese jurisdiction. Effective enforcement requires multi-channel pressure:
| Channel | Action |
|---|---|
| ICANN Contractual Compliance | Registrar Compliance report — failure to respond to abuse reports per §3.18 RAA |
| FBI IC3 | ic3.gov — US-victim phishing and fraud |
| Europol EC3 | Cross-border cybercrime referral |
| CISA / NCSC | National-level threat-intel sharing |
| Spamhaus DBL | Bulk submission of HIGH domains |
| URLhaus / ThreatFox | Automated daily IOC feed |
| Downstream hosters | Cloudflare, Fastly, AWS — abuse reports to hosting providers (not just registrar) |
| Brand owners | Microsoft, PayPal, Amazon, Metamask — direct UDRP and legal action |
ICANN's Registrar Accreditation Agreement §3.18 requires registrars to maintain and respond to abuse contacts within 24 hours. Documented non-response is grounds for accreditation suspension.
All data in this repository was collected exclusively from publicly accessible sources:
| Source | Method |
|---|---|
| Zone file | ICANN CZDS — accredited access, permissible use |
| WHOIS | Public WHOIS protocol (RFC 3912) |
| HTTP responses | Passive crawl of publicly reachable URLs |
| DNS records | Passive DNS / authoritative queries |
| Screenshots | Rendered pages accessible to any browser |
No non-public systems were accessed. No credentials were tested. No authentication was bypassed. No victim data was processed.
This publication is conducted under:
- ICANN Registrar Accreditation Agreement §3.18 (abuse response obligations)
- CISA Coordinated Vulnerability Disclosure guidelines
- FIRST.org TLP:CLEAR definition — unlimited public sharing permitted
This research documents objectively verifiable facts: domain registration patterns, HTTP response content, and registrar abuse-response latency. These facts were publicly visible before this repository existed.
NICENIC INTERNATIONAL GROUP CO., LIMITED is an ICANN-accredited registrar operating under contractual obligations to the global internet community. Registrars that facilitate industrial-scale phishing infrastructure have no legitimate reputational interest in suppressing evidence of that facilitation. Publication of factual evidence of contractual non-compliance is not defamation — it is the function ICANN's transparency requirements were built to serve.
If NICENIC disputes any finding: submit documented evidence via phishdestroy.io. Findings supported by evidence will be corrected in a timestamped update.
nicenic-evidence/
├── scan/
│ ├── phase1_http.py # aiohttp mass scanner
│ ├── phase2_screenshots.py # Playwright browser scan
│ ├── classify.py # Groq AI classification
│ ├── fast_classify.py # Rule-based pre-filter pass
│ ├── geoip_enrich.py # ipinfo.io enrichment
│ ├── build_clusters.py # Favicon+fingerprint cluster analysis
│ ├── build_ioc.py # IOC feed generation
│ ├── build_domains_html.py # Regenerate domains.html
│ ├── threat_intel.py # TI cross-reference
│ ├── redact_creds.py # PII/credential redaction
│ ├── finalize.py # Final pipeline step
│ ├── compress_screenshots.py # PNG→JPEG compression
│ ├── merge_zone.py # Zone data merge
│ ├── lambda_handler.py # AWS Lambda variant
│ └── invoke_all.py # Lambda orchestrator
├── docs/
│ ├── index.html # Investigation landing page (GitHub Pages)
│ ├── domains.html # Searchable domain table (76,117 domains)
│ ├── data.json # Slim per-domain dataset
│ ├── build_datajson.py # Regenerate data.json from enriched.csv
│ └── assets/ # Hero image, OG card, favicons
├── data/
│ ├── enriched.csv # Canonical enriched dataset (86,114 rows)
│ ├── high_severity.csv # CRITICAL+HIGH subset (20,480 rows)
│ ├── dead_domains.csv # Dead / parked enumeration
│ └── clusters.json # Operator cluster map (2,939 clusters)
├── ioc/
│ ├── domains_high.txt # CRITICAL+HIGH blocklist (18,305 domains)
│ ├── domains_all_malicious.txt # CRITICAL+HIGH+MEDIUM (18,927 domains)
│ └── indicators.csv # SIEM-ready IOC feed (18,927 indicators)
├── pkg/
│ └── raw_data/ # Compressed raw scan output (.gz)
├── SHA256SUMS.txt # Checksums of all published data files
├── PROVENANCE.md # Chain-of-custody documentation
└── README.md # This file
This investigation is part of a series documenting ICANN-accredited registrars that systematically obstruct anti-phishing enforcement or directly profit from fraud infrastructure. All three registrars share a documented pattern: direct requests backed by evidence are ignored, delayed, or met with active suppression.
| # | Registrar | IANA | Zone | Confirmed Malicious | Russian Connection | Investigation |
|---|---|---|---|---|---|---|
| 1 | NICENIC INTERNATIONAL GROUP (this) | #3765 | 349,376 | 18,927 (50% of alive) | 🇷🇺 #2 hosting country (8.5%) | nicenic-evidence · Live Report |
| 2 | Trustname.com / Fewmoretaps ÖÜ | #4318 | 9,343 | 1,114 HIGH (86% alive) | 🇷🇺 Russian-operated, Estonian shell | trustname-evidence · Live Report |
| 3 | NameSilo, LLC | #1479 | 5,251,494 | 183,419 | 🇷🇺 Russian team members, suppression campaign | namesilo-evidence · Live Report |
Helen Ho, the CEO of NiceNIC, is directly associated with the email support@nicenic.net, which appears registered across multiple Russian-language platforms. She maintains an active VKontakte (VK) account under the handle:
nicenic_global— vk.com
VK is a Russian social network with no meaningful presence in China. For a CEO of a Chinese registrar to maintain an active VK account — and to be highly active on it — is strategically significant. Analysis of her follower network on VK reveals entities engaged in scam activity while using NiceNIC domain services.
Helen Ho's VK account is subscribed to the community «Типичный мошенник» ("Typical Scammer") — a Russian-language VK page dedicated to scam tutorials, fraud toolkits, and cybercriminal community content.
The CEO of an ICANN-accredited registrar, subscribed to a scammer community on a Russian social network, with followers who are active fraud operators using her registrar's services — is not an ambiguous data point. It is a documented conflict of interest at the executive level.
Additional key facts:
- Russia is the #2 hosting country in NICENIC's zone: 3,113 deployed domains (8.5%)
- NiceNIC is the preferred registrar of Russian-speaking fraud affiliate networks — documented in leaked Telegram screenshots where network instructors explicitly recommend NiceNIC to affiliates
- The "Soulless" scam network registered 1,200+ identical phishing sites via NiceNIC
- NICENIC accepts Bitcoin, Tether, Ethereum, Litecoin — specifically to sever financial audit trails and enable anonymous registration
On January 10, 2026, a post appeared from a NiceNIC-attributed account stating:
“We are not against scamming… we here to make cash.”
NiceNIC subsequently claimed the account was “hacked” by a user named “Juliani” to maintain ICANN deniability. The statement is consistent with the operational record regardless of its attribution.
- RAA §3.18 requires 24-hour acknowledgement of abuse reports. NICENIC’s effective response is measured in weeks or is absent entirely.
- NICENIC’s abuse system forwards complaints directly to the registrants (the criminals) rather than investigating independently — and accepts registrant denials at face value to close tickets.
- Auto-responder templates claim “insufficient evidence” even when full forensic packages are submitted: screenshots, AI classification, WHOIS, live HTTP proof, financial transaction hashes.
- Trust Wallet heist (December 2025): $8.5M stolen — infrastructure hosted on NiceNIC. Domains remained live post-report.
- Scattered Spider lookalike domains for ransomware supply-chain attacks registered via NiceNIC.
- NICENIC’s phishing domain score: 1,141.74 — 326× higher than the industry average of ~3.5.
- No public abuse transparency report published by NICENIC for any reporting period.
- ICANN Contractual Compliance complaint filed. NiceNIC’s continued accreditation depends on a process measured in months during which thousands of fraud domains remain live.
- Direct requests with documented evidence: systematically ignored.
| Publication | Title |
|---|---|
| 📰 PhishDestroy / Medium | “NiceNIC Exposed: The ICANN-Accredited Registrar Powering the World’s Cybercriminal Ecosystem” |
| 📰 DecodeCybercrime | “NiceNIC: The Leading Bulletproof Domain Registrar Enabling Global Cybercrime” |
| 📰 PhishDestroy.io | nicenic-real — Full investigation |
“NICENIC’s abuse response SLA is effectively infinite. This investigation makes it finite.”
| Investigation | Registrar | Zone Size | Alive | Malicious | Report |
|---|---|---|---|---|---|
| Trustname / Fewmoretaps OÜ | IANA #4318 | 7,641 | — | 1,114 HIGH | phishdestroy.github.io/trustname-evidence |
| NameSilo | IANA #1479 | 5,269,357 | 658,733 (12.7%) | 183,419 | phishdestroy.github.io/namesilo-evidence |
| NICENIC INTERNATIONAL GROUP (this repo) | IANA #3765 | 343,107 | 37,844 (11%) | 18,927 (50% of alive) | phishdestroy.github.io/nicenic-evidence |
Automated detection, classification, and public disclosure of domain abuse infrastructure.
phishdestroy.io · GitHub · LEGAL.md · TLP:CLEAR
"NICENIC's abuse response SLA is effectively infinite — we've made it finite."
MIT License · TLP:CLEAR · June 2026

