For many years the Freenom operated TLDs have been a mainstay in virtually every statistic created around internet abuse-related domain registrations, whether they cover spam, phishing or malware. In the first quarter of 2023 we noticed a sharp decline in new registrations in their TLDs – good and bad. So, what is happening?

From ccTLD to gTLD

Freenom operates five country-code top level domains (ccTLDs): .cf (Central African Republic), .ga (Gabon), .gq (Equatorial Guinea), .ml (Mali) and the most well-known one: .tk (Tokelau). While all these are owned by the countries they represent, the policies and operational aspects implemented by Freenom effectively turn them into general top level domains (gTLDs). Consequently, anyone can register any name, without having any special ties to the countries the TLDs are assigned to. Yet, what truly sets these TLDs apart from any others, are their registration fees: for most domain names in these TLDs, registration is free.

Top 10 isn’t always good

As with any free service on the internet, this price point attracts abuse. Time and again, free services attract all sorts of abuse, ranging from drive-by blackhat SEO to the Internet equivalent of serious organized crime. This is especially the case where the free resource is not properly managed with “abuse” in mind.

Ever since Spamhaus have published statistics around which TLDs get the most abuse related registrations, Freenom-operated TLDs have been a consistent Top 10 entry. It’s not just us. Going back as far as 2006, reports from the Anti Phishing Working Group, Interisle Consulting Group, and McAfee have pointed out the large number of abuse-related domain registrations in Freenom TLDs. It is therefore safe to say that Freenom did not have a good grip on the abuse levels of their TLDs.

The polluter pays

In Europe, a simple but powerful idea lies at the heart of environmental laws: “the polluter pays”. This principle is based on common sense: the polluter — the actors or the activity causing the pollution — should pay to right their wrong. This concept is near and dear to Spamhaus, as for over 20 years we have empowered recipients of ‘internet pollution’ by providing the necessary data to clean it up. By allowing accurate blocking of bad internet identifiers such as IP addresses and domain names, we have shifted a significant part of the cleanup costs back to those who own the abusive resources.

Whilst many other TLDs (and registrars) invest resources into the prevention and management of abuse, Freenom, produced an automated anti-abuse tooling, shifting their costs of the clean-up to the recipient. Accordingly, it would appear the consistent pollution of the internet namespace by Freenom-operated TLDs has come back to haunt them.

Meta be ready for this

As of early 2023, Freenom stopped new registrations in any of their free TLDs. While their website cites “technical issues”, we expect there could be a different explanation. Namely, a lawsuit filed on behalf of Meta Platforms (Facebook, Whatsapp, Instagram) naming Freenom and a number of associated companies as defendants. The lawsuit alleges cybersquatting, trademark infringement, false designation of origin and violations of the California Anti-Phishing Act.

The amended filing contains many example domain names that immediately stand out as being problematic. They contain the names of Meta’s products, sometimes in obfuscated form, along with contexts, words and actions regularly found in phishing domain names. All matching an all-too-common pattern that we have seen many times in Freenom operated TLDs.

As is often the case with lawsuits like this, it’s not just about stopping the problem. In spirit with the earlier mentioned principle of ‘the polluter pays’, Meta’s lawyers have put a price tag on dealing with the cleanup. For example, for phishing domains “… Plaintiffs are entitled to recover the greater of their actual damages or five hundred thousand dollars ($500,000) per each phishing website …“. While this is a plea to the court and certainly not an awarded amount of money (yet!), it certainly draws a line in the sand.


With this in mind, we are not at all surprised about the current suspension of registrations at Freenom. Given their track record, it would be hard to imagine opening registrations again anytime soon, while also being equipped to deal with the inevitable abuse of free registrations. Not to mention their business model and operational policies would need to drastically change.

Looking ahead, it will be interesting to see how this unfolds. It would be naïve to believe the abuse thriving on free domains from Freenom will now stop. In reality, abuse-related TLD registrations will be redirected to paid domains, resulting in more miscreants operating across domains in the low-end pricing bracket, causing them slightly higher costs. This is something registries are already experiencing, as explained in Domain Registries – are you experiencing the Freenom effect, and highlighted by the data in our most recent Domain Reputation Report.

Believe it or not, this could be a positive outcome for the internet. Many cybercrimes that require a domain name to function will have an increase in costs, and profitability will decline. The result….a less polluted internet namespace, a concept we certainly get behind.

Read ‘Domain Registrars – are you experiencing the Freenom effect?‘ and access the ‘Q1 2023 Domain Reputation Update’.

Related Products

Data Query Service (DQS)

Spamhaus’ Data Query Service (DQS) is an affordable and effective solution to protect your email infrastructure and users.

Using your existing email protection solution, you will be able to block spam and other related threats including malware, ransomware, and phishing emails.

The service has never failed and utilizes the longest established DNSBLs in the industry.

  • Proactive & preventative
  • Save on email infrastructure & management costs
  • Actionable

Spamhaus Intelligence API (SIA)

Spamhaus Intelligence API (SIA) contains context-rich metadata relating to IP and domain reputation. Integrate this data with your applications to enhance existing data feeds, or consume as an independent data source.

In this easy-to-consume format, SIA can be used for threat detection and investigation, risk scoring, customer vetting, validation and much more.

  • Save valuable time investigating and reporting
  • Simple and quick to access
  • Data you can trust in


Lifting the lid on a long-time operating Brazilian malware gang

6 May 2023


For over 8 years, our researchers have been tracking an operation that targets Brazilian internet users, and is focused on stealing their banking credentials, withdrawing funds from its victim’s accounts. Here’s a potted history.

Domain registries – are you experiencing the Freenom Effect?

15 April 2023


Freenom’s doors have been firmly shut to new domain registrations, for almost three months. The latest Spamhaus domain data suggests, those registries that operate TLDs at the lower end of the pricing spectrum are significantly more susceptible to abusive registrations.

Spamhaus Quarterly Domain Reputation Update, Q1 2023

14 April 2023


Researchers observed unprecedented change, with a decrease in registration and abuse number for all five Freenom ccTLDs, including a steep decline for .ml (-74%). Yet with this, significant increases for gTLDs .store and .fun. Is this the Freenom effect?