News archive

DNS Abuse in the Baltics: What the Data Really Shows

The NetBeacon institute was founded in 2021 by Public Interest Registry (PIR), the organization behind the .org domain. Because PIR is a non-profit, the money they make must be used to support the public good. One of the ways they do that is by funding NetBeacon, whose mission is to make the internet safer for everyone.

Before diving into the numbers, Rowena clarified what “DNS abuse” means. In everyday words, it covers things like phishing websites that try to steal your passwords, malicious software spread through hacked pages, attacks that redirect people to fake sites, and spam that delivers harmful links. In her presentation, she focused on phishing and malware because these are the types of abuse NetBeacon can measure most accurately.

To get reliable data, NetBeacon built the NetBeacon Measurement and Analytics Platform, or simply the NetBeacon Map. Instead of offering just another list of “bad domains,” they wanted to create a method that was scientifically strong, consistent over time and able to show what was happening inside individual top-level domains and even specific registrars. To achieve this, they worked with CoreLabs, a research group connected to the University of Grenoble Alpes. CoreLabs collects information from trusted phishing and malware feeds, removes errors, checks the URLs by hand and even takes screenshots of malicious pages before they disappear. They repeat these checks for 30 days so they can see how fast a harmful site is taken down.

Once all this work is done, the data goes into PIR’s systems and is turned into public reports and private dashboards: all free for registries and registrars.

With the background explained, Rowena finally turned to the big question: what is the situation with DNS abuse in the Baltics?

The truth is simple: there is not much abuse at all. When Rowena showed global charts, the Baltic ccTLDs were tiny specks at the far end of the graphs. Looking at the period from June 2022 to May 2025, the average number of maliciously registered domains per month was only two in .ee, two in .lv, and one in .lt. These numbers are so low that they don’t even meet NetBeacon’s threshold for appearing in its usual reports.

To make the numbers easier to compare, she calculated the abuse rate based on the size of each domain. Even then, the Baltics looked excellent. Estonia, Latvia and Lithuania all showed very low results: around one malicious domain per 100,000 active domains. When compared to other European country domains, these numbers were on the lower end. When compared to generic domains like .com or .xyz, the Baltic rates looked even cleaner.

The next part of her talk moved from TLDs to registrars. This was trickier because NetBeacon’s registrar data mostly covers generic domains, not local country ones. Still, Rowena managed to study two ICANN accredited registrars active in the region. One of them showed stable growth and a wide range of abuse rates over time. The other told a much more dramatic story. In earlier reports, this registrar had a very high abuse level and even appeared at the top of NetBeacon’s global tables. After talking with NetBeacon, they took the issue seriously, changed their processes and saw a big improvement. Their abuse rate is now much lower. Rowena highlighted this as a positive example of how transparency and data can actually drive better behavior.

She then shifted to the future. For many years, the domain industry has focused on reacting to abuse reports: taking down harmful domains after they are found. But criminals are registering new domains quickly, often using automated tools. Rowena argued that the next big step is to stop malicious registrations before they happen. Registrars can do this by looking for patterns in suspicious domains, limiting certain payment methods for new customers or using fraud detection tools from payment providers. One registrar she worked with saw a big drop in abuse simply by restricting cryptocurrency payments to trusted users.

Rowena finished her talk by encouraging Baltic operators to join NetBeacon Reporter, another free service that automatically sends enriched abuse alerts to registrars. She noted that Latvia had already joined the night before, and that joining is easy, even a simple abuse email address is enough to start.

Her overall conclusion was clear: in the Baltics, DNS abuse rates are low, and local registrars sit roughly in the middle of global trends, with some strong examples of improvement. But the industry should be ready for the next challenge - stopping bad domains at the moment of registration, not only after they are already causing harm.