A Thought Exercise in Money Laundering with a Registrar

Last Updated: 2026-03-24

Credit: J K

Introduction

In 2008, ICANN terminated its registrar agreement with EstDomains, a small Estonian registrar that had a reputation for catering to cybercriminals. ICANN cited the then-recent felony conviction of EstDomains’ president, Vladimir Tsastsin, for money laundering, credit card fraud, and document forgery as the reason.

At face value, it seems straightforward: the DNS community knew the registrar was problematic and the Estonian courts provided a convenient way to solve the problem through contractual means. A short time later, in 2011, Tsastsin was charged in the U.S. with wire fraud and computer intrusion (basically running malware to game ad networks), which was a much flashier headline that caught more attention.

This whole case stuck with me over the years. I started my career investigating a large MLM selling health products with the mission of proving it was all a fraud. The skills and knowledge have stuck with me and those origins sometimes surface in weird ways and weird times. This case is one of those examples: was EstDomains really part of the money laundering?

Unfortunately, because I don’t speak Estonian and search results for Tsastsin heavily skew toward his malware headlines, I don’t have a clear understanding of whether EstDomains was actually part of the original money laundering charges.

But that gives us a chance to engage in a thought exercise that entertains my roots: Could a registrar be used to launder money? Absolutely. Let’s go through the theory. Remember: this is just a thought exercise. I am not saying this is what happened with EstDomains, but the theory is worth exploring.

An Overview of Money Laundering

FinCEN defines money laundering as disguising financial assets so they can be used without detection of the illegal activity that produced them. In the AML world, the process is described in three stages: Placement (getting dirty money into the system), Layering (moving it around to hide the trail), and Integration (making it look like legitimate profit).

A traditional example involves a cash-heavy business like a laundromat. The bad guy “buys” a massive amount of his own service to mix dirty cash with regular money. Once it is in the bank, he can pay himself a salary and the money is “clean.”

Let’s Be Evil

Pretend you are a tech-savvy bad guy. You are sitting on illicit money from stolen credit cards or click-fraud. The money is in various crypto accounts or money-mule bank accounts. Moving large amounts all at once is hard without being noticed. You need a place to “spend” that money through a business that can be lax with its intake and where the prices can be controlled.

May I interest you in some domains?

If you have read my post on the economics of registrars, the key takeaway is that some registries will sell domains to registrars for pennies. The registrar can then charge whatever it wants.

How would this work?

  • You become an ICANN-accredited registrar (your legitimate front).
  • You set up a bank account in a jurisdiction with minimal oversight.
  • You sign a contract with a registry to sell .example domains for $1 each.
  • You “slow-walk” the setup by attracting a few real customers for cover.
  • Placement: You create fake registrants using stolen PII (to avoid a basic ICANN audit) and have them purchase domains for $50 each. You can even use shell companies to “invoice” your registrar for bulk management services, moving the money via wire transfers instead of just credit cards.
  • Layering: Once the money is in the registrar’s account, you create “business expenses” to move it again. You pay yourself or associates inflated “consultant fees” or pay high-end hosting costs to other servers you control. You can even fund expensive business trips to industry meetings to explain away large chunks of cash.
  • Integration: What’s left over is recorded as “clean” profit. You pay your corporate taxes, take your salary, and the money is officially back in the system.

But, why?

“Why pay $50 for a domain? Bad guys like cheap domains!”

In this exercise, we aren’t trying to save money; we are trying to clean it. You cannot clean money if you sell your product at cost. You have to charge yourself a premium that covers the registry fee and the ICANN fees while leaving a massive profit on the books. To stay under the radar, you just find the highest-priced boutique registrar on the market and price yourself just below them.

The Napkin Math: The Cost of the “Wash”

Every launderer accepts a loss (a “tax”) to clean their money. Here is what it looks like to wash $100,000 through our $50-per-domain boutique registrar.

Gross Dirty Income: $100,000 (2,000 domains at $50)

Unavoidable Expenses

  • Registry/ICANN Fees: -$15,000
  • Payment Processing (3%): -$3,000
  • Required Operating Expenses: -$10,000 (insurance, business filings, fees, etc.)

Fluff Expenses

  • Inflated Operating Costs: -$30,000 (remember that if done right, the bad guy gets to keep a lot of this)

Subtotal: $42,000

Taxes after expenses

  • Corporate Tax (Est. 20%): -$8,400

Result

  • Net Clean Money: $33,600

So $28,000 in real expenses, $30,000 in fluffed operating costs for your travel and your “contractors”, $8,400 in taxes, and you have $33,600 in clean money. To a criminal, this is a small price to pay for the ability to have $33,600 in the legitimate economy without the IRS or FinCEN knocking on the door.

The Bonus Byproduct - New Domains

In the original examples of a carwash or laundromat, there is limited additional use for what those facilities offer to a criminal network. But in running a registrar, you can supply yourself with a constant stream of domains that are new and can be used in new crimes and abuse. Small-time phishing might bring in a few hundred dollars and cost you a few dozen domains. Focused attacks, like ransomware or business email compromise (BEC), can bring in tens of thousands to millions, depending upon the organization targeted. Striking jackpots on these attacks would simply help you grow the number of domains available to you.

Conclusion

While the DNS community focuses on the technical harm of high-abuse registrars, there is a financial reality under the surface that is often ignored. A registrar isn’t just a place to buy a domain; for the right actor, it is a perfect, globally distributed laundromat.

But remember: this was just a thought exercise. I have no real proof this is a problem. Section 5.5 of a registrar’s agreement with ICANN makes it clear that financial crimes committed by the company are grounds for termination.

But maybe this helps someone out there look at problematic domains at a registrar in a different light and find something new.
