Phase I · NICENIC INTERNATIONAL GROUP CO., LIMITED · IANA #3765
Complete-zone scan of a Chinese registrar enabling industrial-scale domain abuse

LIVE INVESTIGATION FEED · Auto-updated · Last fetch 2026-06-29

The feed counters below refresh daily and therefore differ slightly from the fixed June 2026 scan snapshot used in the Headline Findings and evidence tables further down.

| Metric | Value |
|---|---|
| Domains tracked | 352,866 |
| Est. revenue | $2,729,157 |
| Deployed | 54.6% |
| Confirmed phishing | 6.6% (23,405) |
| Fresh (≤7d) | 1.1% |
| Serial regs | 44 |
Top TLD Zones

| TLD | Count | Avg Reg Period | Est. Revenue |
|---|---|---|---|
| .com | 195,183 | 562d | $1,754,695 |
| .vip | 27,272 | 372d | $136,087 |
| .icu | 16,884 | 396d | $16,715 |
| .net | 16,538 | 678d | $165,215 |
| .xyz | 15,692 | 479d | $23,381 |
| .info | 11,135 | 504d | $44,429 |
| .live | 10,724 | 404d | $107,133 |
| .cfd | 8,793 | 479d | $43,877 |
| .org | 8,253 | 838d | $82,447 |
| .sbs | 6,535 | 431d | $32,610 |
Top Hosting Countries

| Country | Domains | Share |
|---|---|---|
| US | 12,940 | 35.2% |
| RU | 3,096 | 8.4% |
| CA | 2,811 | 7.7% |
| NL | 2,663 | 7.2% |
| DE | 2,240 | 6.1% |
| GB | 2,079 | 5.7% |
| BG | 1,789 | 4.9% |
| UA | 871 | 2.4% |
Registration Burst Days

| Date | Domains | × Daily Average |
|---|---|---|
| 2026-06-16 | 1,382 | 14.8× |
| 2026-06-08 | 1,251 | 13.4× |
| 2026-03-06 | 1,243 | 13.4× |
| 2025-12-04 | 1,215 | 13.1× |
| 2026-03-05 | 1,207 | 13.0× |
Top Targeted Brands & Keywords

coinbase (3,806) · claim (3,481) · login (2,225) · secure (1,691) · token (1,568) · wallet (1,501) · swap (1,364) · ledger (1,324) · support (1,264) · official (1,249) · kraken (1,208) · update (1,156) · crypto (1,143) · connect (1,113) · trust (859)
Top Serial Registrants (50 emails with ≥5 domains; top 10 shown)

| # | Registrant Email (redacted) | Domains |
|---|---|---|
| 1 | inf***@credicentrocoop.com | 97 |
| 2 | inf***@vuz.info | 91 |
| 3 | inf***@africaoil.com | 78 |
| 4 | inf***@ankamall.com.tr | 67 |
| 5 | ang***@gmail.com | 43 |
| 6 | sup***@easybit.com | 35 |
| 7 | ihr***@email.de | 28 |
| 8 | pre***@ethereum.org | 27 |
| 9 | s***@email.com | 26 |
| 10 | sub***@shib.io | 25 |

WHOIS contact addresses are registrant-supplied and unverified. An address at a brand domain (ethereum.org, shib.io) identifies the string a registrant typed at checkout, not the brand; use these values as correlation pivots across registrations, not as attribution.
Download Threat Intelligence

| File | Format | Description |
|---|---|---|
| data/all.txt | TXT | All tracked domains |
| data/index.json | JSON | Full analytics snapshot |
| data/ioc/serial_registrants.json | JSON | Repeat registrants + their domains |
| data/ioc/shared_ips.json | JSON | Bulletproof hosting clusters |
| data/ioc/brand_domains.json | JSON | Domains by targeted brand |
| data/ioc/stix-bundle.json | STIX 2.1 | MISP/OpenCTI ready bundle |
| data/ioc/serial_emails.txt | TXT | grep-friendly, tab-separated: email, count |
| data/ioc/shared_ips.txt | TXT | grep-friendly, tab-separated: ip, count, country |
Live web dashboard: see Pages link at top · Updated daily 02:00 UTC

Table of Contents: Investigation · Evidence · Legal / Reuse
Background
NICENIC INTERNATIONAL GROUP CO., LIMITED (IANA registrar #3765) is a Chinese domain registrar with a long-documented track record of slow abuse response, permissive registration policies, and infrastructure that is systematically exploited by phishing operators, carding shops, crypto drainers, illegal gambling networks, and malware distributors.
While NICENIC holds significantly more domains than the average registrar under investigation, the scale is itself the signal: fast, cheap, anonymous registration at volume is the product. The registrar's zone composition reflects a portfolio optimised for abuse enablement rather than legitimate hosting.
This investigation enumerates every domain in NICENIC's zone, classifies content using AI-assisted analysis and threat-intelligence cross-referencing, and publishes structured evidence for enforcement, blocklist, and SIEM use.
Pipeline:

```text
[NICENIC Zone File — 343,107 domains]
        │
        ▼
┌──────────────────┐  aiohttp, 600 concurrent, Googlebot UA
│ Phase 1 — HTTP   │  Output: lambda_results.jsonl
│ Fingerprint      │
└──────────────────┘
        │
        ▼
┌──────────────────┐  Playwright + stealth v2, isolated context/domain
│ Phase 2 — Render │  SOCKS5 pool + 2captcha (hCaptcha/Turnstile/reCAPTCHA)
│ + Screenshots    │  Output: deep_results.jsonl, screenshots/*.jpg
└──────────────────┘
        │
        ▼
┌──────────────────┐  Llama 3.1 (Groq) for content classification
│ Phase 3 — AI     │  Rule-based pre-filter + Groq for ambiguous cases
│ Classification   │  Output: enriched.csv categories + descriptions
└──────────────────┘
        │
        ▼
┌──────────────────┐  ipinfo.io (country + ASN per IP)
│ Phase 4 — GeoIP  │  Output: ip_country, ip_asn fields
└──────────────────┘
        │
        ▼
┌──────────────────┐  Redaction: scan-server IP, API keys, local paths
│ Phase 5 — PII    │  Output: clean enriched.csv, data.json, IOC feeds
│ Redaction        │
└──────────────────┘
```
Subject
| Field | Value |
|---|---|
| Registrar name | NICENIC INTERNATIONAL GROUP CO., LIMITED |
| IANA ID | #3765 |
| Jurisdiction | China |
| WHOIS server | whois.nicenic.net |
| Abuse contact | [email protected] |
| Zone size | 343,107 domains (scan date: June 2026) |
| Supported TLDs | Generic TLDs (gTLD) — .com, .net, .org, .xyz, .top, .shop, .app, .academy, and 100+ more |
| ICANN accreditation | Active |
Scope
This investigation covers the complete zone of all domains registered under NICENIC (IANA #3765) as enumerated from public zone data in June 2026. Every domain, alive or dead, is included.
Note: Screenshots and deep-render data were collected only for HIGH and MEDIUM severity domains (estimated 10–25% of zone) to constrain storage and runtime. Dead domains are enumerated and classified but not rendered.
Methodology

Phase 1 — HTTP Fingerprinting

- Tool: Python 3.14 + `aiohttp`, 600 concurrent connections
- User-Agent: Googlebot 2.1 (bypasses naive bot-blocks; note that a crawler UA also triggers cloaking on some kits, so the content Phase 1 records can differ from what a victim's browser is served)
- Timeout: 5 s connect, 8 s read
- Extracted: HTTP status, final URL, server headers, title, H1, meta description, form fields, body snippet (first 64 KB)
- Cloudflare detection: `cf-ray` / `__cf_bm` presence in headers + body
- Captcha detection: hCaptcha / reCAPTCHA / Turnstile keyword matching
- Output: `data/lambda_results.jsonl`, one JSON object per domain
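To make the Phase 1 extraction concrete, here is an added example (not the repository's `phase1_http.py`) that applies the same header and body checks to one HTTP response offline: Cloudflare detection from `cf-ray` / `__cf_bm`, captcha-provider keyword matching, and extraction of title, H1, meta description and form fields with the standard library only. The response headers and HTML are constructed for illustration; the field names in the returned record are this example's own, not necessarily those of `lambda_results.jsonl`.

```python
from html.parser import HTMLParser

# Captcha providers named in the methodology, matched as lower-case keywords.
CAPTCHA_KEYWORDS = {"hcaptcha": "hCaptcha", "recaptcha": "reCAPTCHA", "turnstile": "Turnstile"}


class _PageExtractor(HTMLParser):
    """Collects <title>, the first <h1>, meta description and form inputs."""

    def __init__(self):
        super().__init__()
        self.title, self.h1, self.meta_description = "", "", ""
        self.forms = []                      # [{"action": str, "fields": [(type, name)]}]
        self._in_title = self._in_h1 = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "h1" and not self.h1:
            self._in_h1 = True
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.meta_description = (a.get("content") or "").strip()
        elif tag == "form":
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag == "input" and self.forms:
            name = a.get("name") or a.get("id") or ""
            self.forms[-1]["fields"].append(((a.get("type") or "text").lower(), name))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "h1":
            self._in_h1 = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif self._in_h1:
            self.h1 += data


def fingerprint(status, final_url, headers, body, body_limit=64 * 1024):
    """Build one Phase 1 style record from a status code, headers and body text."""
    lower_headers = {k.lower(): v for k, v in headers.items()}
    snippet = body[:body_limit]                  # same 64 KB cap as the scan
    body_lower = snippet.lower()
    set_cookie = lower_headers.get("set-cookie", "").lower()
    behind_cloudflare = (
        "cf-ray" in lower_headers
        or "__cf_bm" in set_cookie
        or lower_headers.get("server", "").lower() == "cloudflare"
        or "__cf_bm" in body_lower
    )
    captcha = [label for kw, label in CAPTCHA_KEYWORDS.items() if kw in body_lower]
    page = _PageExtractor()
    page.feed(snippet)
    return {
        "status": status,
        "final_url": final_url,
        "server": lower_headers.get("server", ""),
        "title": page.title.strip(),
        "h1": page.h1.strip(),
        "meta_description": page.meta_description,
        "forms": page.forms,
        "has_password_field": any(t == "password" for f in page.forms for t, _ in f["fields"]),
        "cloudflare": behind_cloudflare,
        "captcha": captcha,
    }


# Constructed sample: a credential-harvesting style page fronted by Cloudflare.
SAMPLE_HEADERS = {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f-FRA",
                  "Set-Cookie": "__cf_bm=abc123; path=/"}
SAMPLE_BODY = """<html><head><title>Coinbase - Secure Login</title>
<meta name="description" content="Sign in to claim your tokens"></head>
<body><h1>Verify your wallet</h1>
<script src="https://js.hcaptcha.com/1/api.js"></script>
<form action="/login"><input type="email" name="user">
<input type="password" name="pass"></form></body></html>"""

if __name__ == "__main__":
    print(fingerprint(200, "https://example.invalid/login", SAMPLE_HEADERS, SAMPLE_BODY))
```

The password-field flag is the cheapest high-value signal in the record: a brand keyword in the title plus a `type="password"` input is what pushes a domain into the phishing categories in the next phase, while the Cloudflare and captcha flags decide whether Phase 2 needs the JS-challenge delay and a solver.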
Phase 2 — Browser Render & Screenshots

- Engine: Playwright 1.40 + headless Chromium
- Stealth: `playwright-stealth` v2
- Viewport: 1280 × 800
- Settle delay: 2.5 s post-`domcontentloaded`; +5 s on Cloudflare JS challenge
- Captcha solving: 2captcha for hCaptcha, reCAPTCHA v2/v3, Cloudflare Turnstile
- Proxy pool: 2,600+ SOCKS5 exits, round-robin per domain
- Output: `docs/screenshots/<domain>.jpg` (JPEG 80%, max 1280 px wide)
Phase 3 — AI Classification

- Model: Llama 3.1 8B Instant (Groq API)
- Batch size: 20 domains per Groq call
- Categories: `PHISHING_FINANCE`, `PHISHING_BRAND`, `CARDING`, `CRYPTO_DRAINER`, `CRYPTO_EXCHANGE`, `GAMBLING`, `ADULT`, `MALWARE`, `SPAM_PHARMA`, `SPAM_SEO`, `PARKING`, `DEAD`, `LEGITIMATE`, `UNKNOWN`
- Severity map: CRITICAL (4) — phishing/carding/malware; HIGH (3) — crypto/gambling; MEDIUM (2) — adult/spam-seo; LOW (1) — unknown; INFO (0) — parking/dead/legitimate
- Pre-filter: rule-based keyword matching assigns a naive category before Groq; Groq refines uncertain cases
- Caveat: an 8B model judging a 64 KB snippet is a triage signal, not a verdict; CRITICAL/HIGH rows should be spot-checked against the Phase 2 screenshot before they are used for takedown requests or enforced blocking
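The pre-filter and severity map from Phase 3, as an added example (not the repository's `fast_classify.py`): ordered keyword rules assign a category to a Phase 1 style record, the severity map from the page turns it into a score, and anything the rules cannot settle stays `UNKNOWN` and is batched 20 at a time for the model pass. The keyword patterns, brand list and sample records are constructed; the category and severity names are the page's own, and `SPAM_PHARMA`, which the page's severity map does not place, is assumed MEDIUM here.

```python
import re

# Severity map as stated in Phase 3 (SPAM_PHARMA placement is an assumption).
SEVERITY = {
    "PHISHING_FINANCE": 4, "PHISHING_BRAND": 4, "CARDING": 4, "MALWARE": 4,
    "CRYPTO_DRAINER": 3, "CRYPTO_EXCHANGE": 3, "GAMBLING": 3,
    "ADULT": 2, "SPAM_SEO": 2, "SPAM_PHARMA": 2,
    "UNKNOWN": 1,
    "PARKING": 0, "DEAD": 0, "LEGITIMATE": 0,
}
SEVERITY_NAME = {4: "CRITICAL", 3: "HIGH", 2: "MEDIUM", 1: "LOW", 0: "INFO"}
GROQ_BATCH = 20          # batch size quoted in Phase 3

# Brand tokens taken from the page's "Top Targeted Brands & Keywords".
BRANDS = ("coinbase", "kraken", "ledger", "trust wallet", "metamask")


def _has(pattern):
    """Predicate factory: case-insensitive regex search over the record text."""
    rx = re.compile(pattern, re.I)
    return lambda r: rx.search(r["text"]) is not None


# Constructed rule set, evaluated in order; the first matching rule wins.
RULES = [
    ("DEAD",             lambda r: r["status"] is None or r["status"] >= 500),
    ("PARKING",          _has(r"(domain (is )?for sale|parked free|buy this domain)")),
    ("CARDING",          _has(r"\b(cvv|dumps|fullz|cc shop)\b")),
    ("PHISHING_BRAND",   lambda r: r["has_password_field"]
                                   and any(b in r["text"].lower() for b in BRANDS)),
    ("PHISHING_FINANCE", lambda r: r["has_password_field"]
                                   and _has(r"\b(bank|verify your account|secure login)\b")(r)),
    ("CRYPTO_DRAINER",   _has(r"\b(connect wallet|claim (your )?(airdrop|tokens?)|sync wallet)\b")),
    ("GAMBLING",         _has(r"\b(casino|slots|sportsbook|betting)\b")),
    ("SPAM_PHARMA",      _has(r"\b(viagra|cialis|pharmacy online)\b")),
    ("ADULT",            _has(r"\b(porn|xxx|escort)\b")),
]


def classify(record):
    """Return (category, severity_int, needs_model) for one Phase 1 style record."""
    for category, predicate in RULES:
        if predicate(record):
            return category, SEVERITY[category], False
    return "UNKNOWN", SEVERITY["UNKNOWN"], True        # left for the model pass


def classify_batch(records):
    """Label every record; return the rows plus the UNKNOWN domains in model batches."""
    rows, pending = [], []
    for r in records:
        category, sev, needs_model = classify(r)
        rows.append({"domain": r["domain"], "category": category,
                     "severity": SEVERITY_NAME[sev]})
        if needs_model:
            pending.append(r["domain"])
    batches = [pending[i:i + GROQ_BATCH] for i in range(0, len(pending), GROQ_BATCH)]
    return rows, batches


def _rec(domain, status, text, has_password_field=False):
    return {"domain": domain, "status": status, "text": text,
            "has_password_field": has_password_field}


# Constructed sample records (title + body snippet as the scan would extract them).
SAMPLES = [
    _rec("cb-secure-login.example", 200, "Coinbase - Secure Login. Verify your wallet.", True),
    _rec("claim-airdrop.example", 200, "Connect wallet to claim your airdrop now"),
    _rec("lucky-slots.example", 200, "Best online casino and slots"),
    _rec("bakery.example", 200, "Fresh bread daily, opening hours"),
    _rec("offline.example", 503, ""),
]

if __name__ == "__main__":
    rows, batches = classify_batch(SAMPLES)
    for row in rows:
        print(row)
    print("model batches:", batches)
```

Rule order matters: a page with a brand name and a password field is phishing even if it also says "connect wallet", so the phishing rules sit above the drainer rule, and the dead/parked checks sit first so that status pages never pick up a keyword category.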
Phase 4 — GeoIP Enrichment

- Provider: ipinfo.io API
- Fields added: `ip_country`, `ip_asn`
- Coverage: all live domains with resolved IPs
Headline Findings
| Metric | Value |
|---|---|
| Total domains in zone | 343,107 |
| Alive (HTTP 200/3xx) | 37,844 (11%) |
| Dead / Parked / Error | 305,263 (89%) |
| CRITICAL severity | 10,377 |
| HIGH severity | 7,928 |
| MEDIUM severity | 622 |
| Malicious (CRITICAL+HIGH+MEDIUM) | 18,927 (50.0% of alive) |
| Behind Cloudflare | 63,190 (reported as 83% of alive; this exceeds the 37,844 alive count above, so the denominator is a larger responding-domain set than the alive total) |
| Screenshots captured | 37,844 alive domains — not published in repo (size) |
| Operator clusters identified | 2,939 |
Operator Clusters

2,939 operator clusters identified via favicon MurmurHash3 + server fingerprint combination. Clusters of 3+ domains sharing identical infrastructure are surfaced as likely operator groups.

Notable clusters:

| Cluster | Domains | Description |
|---|---|---|
| Favicon 1921725183 | 1,043 | Single phishing operator — uniform credential-harvesting kit |
| IP 188.114.96.3 | 13,293 | Cloudflare anycast — bulk domain parking on shared exit |
| Carding infra | 544 CC shops | 83% behind Cloudflare DDoS protection |

Full cluster data: `data/clusters.json` — includes favicon hash, server fingerprint, domain list, and category distribution per cluster.

Caveat for consumers: a favicon hash clusters domains that share a kit, not necessarily an operator, and a shared Cloudflare anycast address (the 188.114.96.3 row) is a property of the CDN rather than of whoever is behind it. IP-only clusters on CDN ranges should not be used for attribution or as blocklist pivots.
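The clustering step described above, as an added example that is not the repository's `build_clusters.py`: a pure-Python MurmurHash3 (x86, 32-bit) so the block runs without the `mmh3` package, a favicon hash computed the way Shodan-style tooling does it (signed 32-bit hash of the 76-column base64 text of the icon; the page only says "favicon MurmurHash3", so that input encoding is an assumption), a constructed server fingerprint from header names, and grouping on the pair with the page's 3+ domain threshold. The favicon bytes, headers and domain names are constructed.

```python
import base64
from collections import defaultdict

MASK = 0xFFFFFFFF


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, pure Python; returns the unsigned 32-bit value."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK
    nblocks = len(data) // 4
    for i in range(nblocks):                              # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = _rotl((k * c1) & MASK, 15)
        k = (k * c2) & MASK
        h ^= k
        h = (_rotl(h, 13) * 5 + 0xE6546B64) & MASK
    tail = data[4 * nblocks:]                             # 0 to 3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = _rotl((k * c1) & MASK, 15)
        k = (k * c2) & MASK
        h ^= k
    h ^= len(data)                                        # finalisation mix
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK
    h ^= h >> 16
    return h


def favicon_mmh3(favicon: bytes) -> int:
    """Signed 32-bit MurmurHash3 of the 76-column base64 text of the icon.
    This is the Shodan/mmh3 convention and is assumed here, not taken from the page."""
    h = murmur3_32(base64.encodebytes(favicon))
    return h - (1 << 32) if h & 0x80000000 else h


def server_fingerprint(headers: dict) -> str:
    """Constructed fingerprint: Server value plus the sorted set of header names.
    It survives IP and hostname changes but splits on a different server stack."""
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    return server.lower() + "|" + ",".join(sorted(k.lower() for k in headers))


def build_clusters(records, min_size=3):
    """Group domains on (favicon_mmh3, server_fp); keep groups of min_size+ domains."""
    groups = defaultdict(list)
    for r in records:
        key = (favicon_mmh3(r["favicon"]), server_fingerprint(r["headers"]))
        groups[key].append(r["domain"])
    clusters = [
        {"favicon_mmh3": fav, "server_fp": fp, "size": len(doms), "domains": sorted(doms)}
        for (fav, fp), doms in groups.items() if len(doms) >= min_size
    ]
    clusters.sort(key=lambda c: (-c["size"], c["server_fp"]))
    return clusters


# Constructed sample: two fake favicons (real ones are ICO/PNG bytes) and two
# header sets; no real domains.
KIT_A = b"\x00\x00\x01\x00kit-a-favicon-bytes"
KIT_B = b"\x00\x00\x01\x00kit-b-favicon-bytes"
NGINX = {"Server": "nginx", "Content-Type": "text/html", "X-Powered-By": "PHP/8.2"}
CF = {"Server": "cloudflare", "Content-Type": "text/html", "CF-RAY": "8a1b2c3d-FRA"}

SAMPLE_RECORDS = [
    {"domain": "coinbase-claim1.example", "favicon": KIT_A, "headers": NGINX},
    {"domain": "coinbase-claim2.example", "favicon": KIT_A, "headers": NGINX},
    {"domain": "ledger-sync.example", "favicon": KIT_A, "headers": NGINX},
    {"domain": "kraken-verify.example", "favicon": KIT_A, "headers": NGINX},
    {"domain": "kit-a-behind-cf.example", "favicon": KIT_A, "headers": CF},   # same kit, other stack
    {"domain": "lone-b1.example", "favicon": KIT_B, "headers": NGINX},
    {"domain": "lone-b2.example", "favicon": KIT_B, "headers": NGINX},        # below threshold
]

if __name__ == "__main__":
    for c in build_clusters(SAMPLE_RECORDS):
        print(c["size"], c["favicon_mmh3"], c["server_fp"], c["domains"])
```

Keying on the pair rather than on the favicon alone is what keeps a kit that is resold to several operators, or fronted by Cloudflare on one deployment and nginx on another, from collapsing into one cluster; the fifth record above shares the favicon but lands outside the cluster for exactly that reason.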
Evidence Archive

| File | Rows | Description |
|---|---|---|
| data/enriched.csv | 86,114 | Full enriched dataset — all classified domains with category, severity, IPs, country, AI descriptions |
| data/high_severity.csv | 20,480 | CRITICAL+HIGH filtered subset |
| data/dead_domains.csv | — | Dead / parked / error domain enumeration |
| data/clusters.json | 2,939 | Operator cluster map — favicon hash + server fingerprint groupings |
| ioc/domains_high.txt | 18,305 | Production blocklist — CRITICAL+HIGH domains |
| ioc/domains_all_malicious.txt | 18,927 | Production blocklist — CRITICAL+HIGH+MEDIUM |
| ioc/indicators.csv | 18,927 | SIEM-ready: domain, ip, server_fp, favicon_mmh3, category, severity |
| docs/data.json | — | Slim per-domain dataset for the live report |
| pkg/raw_data/lambda_results.jsonl.gz | — | Phase 1 raw HTTP fingerprint output (compressed) |
| pkg/raw_data/enriched.csv.gz | — | Compressed enriched dataset |
| pkg/raw_data/high_severity.csv.gz | — | Compressed CRITICAL+HIGH subset |
| SHA256SUMS.txt | — | SHA-256 checksums of all published data files |
IOC Feed

```text
# CRITICAL + HIGH severity domains (production blocklist)
https://raw.githubusercontent.com/phishdestroy/nicenic-evidence/main/ioc/domains_high.txt
# CRITICAL + HIGH + MEDIUM domains
https://raw.githubusercontent.com/phishdestroy/nicenic-evidence/main/ioc/domains_all_malicious.txt
# SIEM indicators (CSV: domain, ip, server_fp, favicon_mmh3, category, severity)
https://raw.githubusercontent.com/phishdestroy/nicenic-evidence/main/ioc/indicators.csv
```

Verify each download against `SHA256SUMS.txt` before loading it into a blocking control, and pin the commit you fetched from; the feed is regenerated daily and a blocklist should change only by an action you can audit.
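How a SOC would consume `ioc/indicators.csv`, as an added example that is not part of the repository: load the CSV into a lookup keyed on domain, match resolver query logs against it with parent-domain matching (so `www.evil.example` hits `evil.example` but `notevil.example` does not), emit one alert per hit carrying the feed's category and severity, and render the same rows as DNS RPZ records for a resolver blocklist. The indicator rows and the BIND-style query-log lines are constructed; the column layout follows the page's stated `domain, ip, server_fp, favicon_mmh3, category, severity`.

```python
import csv
import io
import re

# Constructed indicator rows in the column layout the page gives for ioc/indicators.csv.
INDICATORS_CSV = """domain,ip,server_fp,favicon_mmh3,category,severity
cb-secure-login.example,203.0.113.10,cloudflare,1921725183,PHISHING_BRAND,CRITICAL
claim-airdrop.example,203.0.113.11,nginx,-1167338989,CRYPTO_DRAINER,HIGH
lucky-slots.example,198.51.100.7,nginx,0,GAMBLING,HIGH
cheap-seo-links.example,198.51.100.8,apache,0,SPAM_SEO,MEDIUM
"""

# Constructed resolver query log, BIND querylog style.
DNS_LOG = """29-Jun-2026 10:15:01.123 client 10.0.0.5#53211: query: www.cb-secure-login.example IN A + (10.0.0.2)
29-Jun-2026 10:15:02.456 client 10.0.0.9#41222: query: example.org IN A + (10.0.0.2)
29-Jun-2026 10:15:03.789 client 10.0.0.7#50011: query: claim-airdrop.example. IN AAAA + (10.0.0.2)
29-Jun-2026 10:15:04.001 client 10.0.0.8#50012: query: notlucky-slots.example IN A + (10.0.0.2)
29-Jun-2026 10:15:05.002 client 10.0.0.8#50013: query: cheap-seo-links.example IN A + (10.0.0.2)
"""

SEVERITY_ORDER = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
QUERY_RX = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def load_indicators(csv_text):
    """Index indicator rows by normalised domain (lower-case, no trailing dot)."""
    return {row["domain"].lower().rstrip("."): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def match_domain(qname, indicators):
    """Exact or parent-domain match, walking labels from the left so that
    www.evil.example hits evil.example while notevil.example does not."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):              # never match on the bare TLD
        hit = indicators.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def scan_dns_log(log_text, indicators, min_severity="HIGH"):
    """Run the log through the feed; one alert per query at or above min_severity."""
    alerts = []
    for line in log_text.splitlines():
        m = QUERY_RX.search(line)
        if not m:
            continue
        hit = match_domain(m["qname"], indicators)
        if hit and SEVERITY_ORDER[hit["severity"]] >= SEVERITY_ORDER[min_severity]:
            alerts.append({"client": m["client"], "qname": m["qname"],
                           "indicator": hit["domain"], "category": hit["category"],
                           "severity": hit["severity"]})
    return alerts


def to_rpz(indicators, min_severity="HIGH"):
    """Render the feed as RPZ records (CNAME . means NXDOMAIN) for a resolver blocklist."""
    lines = []
    for d in sorted(indicators):
        if SEVERITY_ORDER[indicators[d]["severity"]] >= SEVERITY_ORDER[min_severity]:
            lines.append(f"{d} CNAME .")
            lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)


if __name__ == "__main__":
    ind = load_indicators(INDICATORS_CSV)
    for a in scan_dns_log(DNS_LOG, ind):
        print(a)
    print(to_rpz(ind))
```

The severity threshold is deliberately a parameter: CRITICAL and HIGH rows are safe to block outright, while MEDIUM (adult / spam-seo) is usually better left at alert-only so that a misclassified legitimate site does not become a help-desk ticket.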
Enforcement Posture
NICENIC operates under Chinese jurisdiction. Effective enforcement requires multi-channel pressure:
| Channel | Action |
|---|---|
| ICANN Contractual Compliance | Registrar Compliance report — failure to respond to abuse reports per §3.18 RAA |
| FBI IC3 | ic3.gov β US-victim phishing and fraud |
| Europol EC3 | Cross-border cybercrime referral |
| CISA / NCSC | National-level threat-intel sharing |
| Spamhaus DBL | Bulk submission of HIGH domains |
| URLhaus / ThreatFox | Automated daily IOC feed |
| Downstream hosters | Cloudflare, Fastly, AWS β abuse reports to hosting providers (not just registrar) |
| Brand owners | Microsoft, PayPal, Amazon, Metamask β direct UDRP and legal action |
ICANN's 2013 Registrar Accreditation Agreement §3.18 requires registrars to publish an abuse contact and take reasonable and prompt steps to investigate and respond to abuse reports (§3.18.1), and to review well-founded reports of illegal activity from law enforcement, consumer protection and similar authorities within 24 hours (§3.18.2). Documented non-response is the basis for a Contractual Compliance complaint and, through that process, for suspension or termination of accreditation.
Legal Notice & Responsible Disclosure

All data in this repository was collected exclusively from publicly accessible sources:

| Source | Method |
|---|---|
| Zone file | ICANN CZDS — accredited access, permissible use |
| WHOIS | Public WHOIS protocol (RFC 3912) |
| HTTP responses | Passive crawl of publicly reachable URLs |
| DNS records | Passive DNS / authoritative queries |
| Screenshots | Rendered pages accessible to any browser |

No non-public systems were accessed. No credentials were tested. No authentication was bypassed. No victim data was processed.

This publication is conducted under:

- ICANN Registrar Accreditation Agreement §3.18 (abuse response obligations)
- CISA Coordinated Vulnerability Disclosure guidelines
- FIRST.org TLP:CLEAR definition — unlimited public sharing permitted
Regarding Reputational Impact
This research documents objectively verifiable facts: domain registration patterns, HTTP response content, and registrar abuse-response latency. These facts were publicly visible before this repository existed.
NICENIC INTERNATIONAL GROUP CO., LIMITED is an ICANN-accredited registrar operating under contractual obligations to the global internet community. Registrars that facilitate industrial-scale phishing infrastructure have no legitimate reputational interest in suppressing evidence of that facilitation. Publication of factual evidence of contractual non-compliance is not defamation — it is the function ICANN's transparency requirements were built to serve.
If NICENIC disputes any finding: submit documented evidence via phishdestroy.io. Findings supported by evidence will be corrected in a timestamped update.
Repository Structure

```text
nicenic-evidence/
├── scan/
│   ├── phase1_http.py            # aiohttp mass scanner
│   ├── phase2_screenshots.py     # Playwright browser scan
│   ├── classify.py               # Groq AI classification
│   ├── fast_classify.py          # Rule-based pre-filter pass
│   ├── geoip_enrich.py           # ipinfo.io enrichment
│   ├── build_clusters.py         # Favicon+fingerprint cluster analysis
│   ├── build_ioc.py              # IOC feed generation
│   ├── build_domains_html.py     # Regenerate domains.html
│   ├── threat_intel.py           # TI cross-reference
│   ├── redact_creds.py           # PII/credential redaction
│   ├── finalize.py               # Final pipeline step
│   ├── compress_screenshots.py   # PNG→JPEG compression
│   ├── merge_zone.py             # Zone data merge
│   ├── lambda_handler.py         # AWS Lambda variant
│   └── invoke_all.py             # Lambda orchestrator
├── docs/
│   ├── index.html                # Investigation landing page (GitHub Pages)
│   ├── domains.html              # Searchable domain table (76,117 domains)
│   ├── data.json                 # Slim per-domain dataset
│   ├── build_datajson.py         # Regenerate data.json from enriched.csv
│   └── assets/                   # Hero image, OG card, favicons
├── data/
│   ├── enriched.csv              # Canonical enriched dataset (86,114 rows)
│   ├── high_severity.csv         # CRITICAL+HIGH subset (20,480 rows)
│   ├── dead_domains.csv          # Dead / parked enumeration
│   └── clusters.json             # Operator cluster map (2,939 clusters)
├── ioc/
│   ├── domains_high.txt          # CRITICAL+HIGH blocklist (18,305 domains)
│   ├── domains_all_malicious.txt # CRITICAL+HIGH+MEDIUM (18,927 domains)
│   └── indicators.csv            # SIEM-ready IOC feed (18,927 indicators)
├── pkg/
│   └── raw_data/                 # Compressed raw scan output (.gz)
├── SHA256SUMS.txt                # Checksums of all published data files
├── PROVENANCE.md                 # Chain-of-custody documentation
└── README.md                     # This file
```
Network of Complicit Registrars

This investigation is part of a series documenting ICANN-accredited registrars that systematically obstruct anti-phishing enforcement or directly profit from fraud infrastructure. All three registrars share a documented pattern: direct requests backed by evidence are ignored, delayed, or met with active suppression.

| # | Registrar | IANA | Zone | Confirmed Malicious | Russian Connection | Investigation |
|---|---|---|---|---|---|---|
| 1 | NICENIC INTERNATIONAL GROUP (this) | #3765 | 349,376 | 18,927 (50% of alive) | #2 hosting country (8.5%) | nicenic-evidence · Live Report |
| 2 | Trustname.com / Fewmoretaps OÜ | #4318 | 9,343 | 1,114 HIGH (86% alive) | Russian-operated, Estonian shell | trustname-evidence · Live Report |
| 3 | NameSilo, LLC | #1479 | 5,251,494 | 183,419 | Russian team members, suppression campaign | namesilo-evidence · Live Report |
Russian Connection & Complicity Record

Russian Presence — CEO OSINT

Helen Ho, the CEO of NiceNIC, is directly associated with the email [email protected], which appears registered across multiple Russian-language platforms. She maintains an active VKontakte (VK) account under the handle:

nicenic_global — vk.com

VK is a Russian social network with no meaningful presence in China. For a CEO of a Chinese registrar to maintain an active VK account, and to be highly active on it, is strategically significant. Analysis of her follower network on VK reveals entities engaged in scam activity while using NiceNIC domain services.

Helen Ho's VK account is subscribed to the community «Типичный мошенник» ("Typical Scammer"), a Russian-language VK page dedicated to scam tutorials, fraud toolkits, and cybercriminal community content.

The CEO of an ICANN-accredited registrar, subscribed to a scammer community on a Russian social network, with followers who are active fraud operators using her registrar's services, is not an ambiguous data point. It is a documented conflict of interest at the executive level.
Additional key facts:
- Russia is the #2 hosting country in NICENIC's zone: 3,113 deployed domains (8.5%)
- NiceNIC is the preferred registrar of Russian-speaking fraud affiliate networks — documented in leaked Telegram screenshots where network instructors explicitly recommend NiceNIC to affiliates
- The "Soulless" scam network registered 1,200+ identical phishing sites via NiceNIC
- NICENIC accepts Bitcoin, Tether, Ethereum, Litecoin β specifically to sever financial audit trails and enable anonymous registration
"We Are Not Against Scamming"

On January 10, 2026, a post appeared from a NiceNIC-attributed account stating:

"We are not against scamming… we here to make cash."

NiceNIC subsequently claimed the account was "hacked" by a user named "Juliani" to maintain ICANN deniability. The statement is consistent with the operational record regardless of its attribution.
Documented Obstruction
- RAA §3.18 requires registrars to take reasonable and prompt steps on abuse reports (§3.18.1) and to review well-founded illegal-activity reports from law enforcement and similar authorities within 24 hours (§3.18.2). NICENIC's effective response is measured in weeks or is absent entirely.
- NICENIC's abuse system forwards complaints directly to the registrants (the criminals) rather than investigating independently, and accepts registrant denials at face value to close tickets.
- Auto-responder templates claim "insufficient evidence" even when full forensic packages are submitted: screenshots, AI classification, WHOIS, live HTTP proof, financial transaction hashes.
- Trust Wallet heist (December 2025): $8.5M stolen; infrastructure hosted on NiceNIC. Domains remained live post-report.
- Scattered Spider lookalike domains for ransomware supply-chain attacks registered via NiceNIC.
- NICENIC's phishing domain score: 1,141.74, 326× higher than the industry average of ~3.5.
- No public abuse transparency report published by NICENIC for any reporting period.
- ICANN Contractual Compliance complaint filed. NiceNIC's continued accreditation depends on a process measured in months, during which thousands of fraud domains remain live.
- Direct requests with documented evidence: systematically ignored.
External Coverage
| Publication | Title |
|---|---|
| PhishDestroy / Medium | "NiceNIC Exposed: The ICANN-Accredited Registrar Powering the World's Cybercriminal Ecosystem" |
| DecodeCybercrime | "NiceNIC: The Leading Bulletproof Domain Registrar Enabling Global Cybercrime" |
| PhishDestroy.io | nicenic-real — Full investigation |
"NICENIC's abuse response SLA is effectively infinite. This investigation makes it finite."
Related Investigations
| Investigation | Registrar | Zone Size | Alive | Malicious | Report |
|---|---|---|---|---|---|
| Trustname / Fewmoretaps OÜ | IANA #4318 | 7,641 | — | 1,114 HIGH | phishdestroy.github.io/trustname-evidence |
| NameSilo | IANA #1479 | 5,269,357 | 658,733 (12.7%) | 183,419 | phishdestroy.github.io/namesilo-evidence |
| NICENIC INTERNATIONAL GROUP (this repo) | IANA #3765 | 343,107 | 37,844 (11%) | 18,927 (50% of alive) | phishdestroy.github.io/nicenic-evidence |
PhishDestroy
Automated detection, classification, and public disclosure of domain abuse infrastructure.
phishdestroy.io · GitHub · LEGAL.md · TLP:CLEAR

"NICENIC's abuse response SLA is effectively infinite — we've made it finite."

MIT License · TLP:CLEAR · June 2026