Who Pays the Bill for Abusive Domains?
When a bad actor uses a stolen credit card to register a domain, who really loses money? A look at the financial fallout of DNS abuse.
Last updated: August 23, 2025

Introduction
Typically, when you buy something from a retailer, you have a limited amount of time to return the item. Domain names are no different. If you register a domain on Monday but have regrets and want to "return" it on Tuesday, most gTLD registries grant registrars an Add/Delete Grace Period (AGP), often up to five days. If a registrar deletes a domain within this AGP window, the registry typically credits the wholesale fee back to the registrar's account. The registrar might still be out a small credit card processing fee and some customer service time, but the main cost of the wholesale fee is recouped, and the customer gets their money back.
This is the best and most ideal outcome.
But, much like with all return policies, if a transaction is fraudulent or falls outside the standard policy, someone ends up footing the bill and taking a loss.
Let's Play 'Who Pays the Bill?'
It is all too common that a bad actor, using a stolen credit card, registers domains for abusive purposes like phishing or malware distribution. There are several players in this unfortunate transaction:
- The Bad Actor
- The Victim (the legitimate credit cardholder)
- The Bank (that issued the credit card)
- The Payment Processor (that handles the transaction for the registrar)
- The Registrar (where the domains were registered)
- The Registry (the operator of the TLD)
For these scenarios, let's say the Bad Actor registers 20 domains for about $50 USD at The Registrar.
Scenario 1: The Fraudulent Charge is Caught Quickly
The Victim receives a notification about the charge from their bank or is diligent about checking their statement daily. Within 24 hours of the domains' registration, The Victim contacts The Bank and notifies them that the charge is fraudulent. The Bank initiates a chargeback, a process to claw back the money from The Registrar. The Registrar receives notice of the chargeback and promptly deletes the domains while they are still within the AGP.
Who Pays the Bill? In this case, the costs are minimized and spread out, but The Registrar still often takes a small hit. The Bad Actor loses their time, the value of the stolen card, and their setup, but their financial loss is minimal. The Victim is made whole by The Bank. The Registrar gets the wholesale domain fee credited back by The Registry, but they are almost always out the non-refundable credit card processing fees and a separate, punitive chargeback fee from their payment processor.
Scenario 1.A: The Fraudulent Charge is Caught Really Quickly (like in 1 Business Day)
Kelly Bush pointed out the following scenario, in which fraudulently registered domains are caught within a business day:
If a fraudulent domain is flagged within the first business day of registration, many registrars still have the option to void the payment before it settles, which avoids liability for a chargeback altogether.
Scenario 2: The Fraudulent Charge is Caught 14 Days Later
In this case, The Victim checks their statement at the end of the month and sees the $50 charge to The Registrar. The Victim calls The Bank, and the same chargeback process kicks off. The Registrar receives notice of the fraudulent charge, but it is now well past the five-day AGP.
Who Pays the Bill? The Registrar. Why?
- The Bank has the power and obligation to claw back the money on behalf of their defrauded customer.
- The Registry's AGP has expired, so The Registrar will not be credited for the wholesale fees of the 20 domains if they delete them. They have already paid for the domains.
- The Payment Processor will hit The Registrar with a chargeback fee on top of reversing the original transaction.
So what does The Registrar do? They have a few options, none of them great:
- Place the domains on clientHold: This action takes the domains offline, preventing The Bad Actor from using them for abuse. The domains remain registered but non-functional for the period The Bad Actor paid for. This prevents an immediate re-registration by the same actor, but The Registrar still loses money.
- Block the account: This typically goes hand-in-hand with putting the domains on hold. If the account was created solely for fraud, The Registrar will likely block it to prevent future abuse. But sometimes the line is blurry. Is it a legitimate customer account that was compromised? Blocking it entirely could result in lost future legitimate revenue.
- Let it ride until the domains are reported for abuse: As we've discussed, registrars don't make a lot of money on individual domains. Perhaps there was some sort of misunderstanding. Maybe the registrar doesn't have efficient systems to correlate a chargeback to specific domains. Besides, the financial loss already happened, so... what else is there to lose? This passive approach, while risky, is sometimes the path of least resistance.
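The decision a registrar faces in Scenarios 1, 1.A and 2 comes down to when the fraud notice arrives relative to payment settlement and the AGP window. The following is an added example, not code from the original post: it triages a chargeback notice for the 20-domain, roughly $50 order used above and tallies what the registrar is still out of pocket. The fee figures and the `run_scenario` helper are constructed for illustration; real wholesale, processing and chargeback fees vary by registry and processor.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed fee figures for illustration only; real fees vary by registry and processor.
WHOLESALE_FEE = 2.50      # per domain; 20 domains ~ $50, as in the scenarios above
PROCESSING_FEE = 1.75     # non-refundable card processing fee for the whole order
CHARGEBACK_FEE = 15.00    # punitive fee the payment processor charges per chargeback
AGP = timedelta(days=5)   # Add/Delete Grace Period offered by many gTLD registries


@dataclass
class Order:
    domains: list[str]
    registered_at: datetime
    payment_settled: bool      # has the card payment settled yet?
    registry_has_agp: bool = True


@dataclass
class Outcome:
    action: str                # "void_payment", "delete_under_agp" or "client_hold"
    registrar_loss: float      # what the registrar is out of pocket after the action


def triage_chargeback(order: Order, notified_at: datetime) -> Outcome:
    """Decide what a registrar can still do once a fraud notice arrives, and what it costs."""
    wholesale_total = WHOLESALE_FEE * len(order.domains)
    within_agp = (notified_at - order.registered_at) <= AGP

    if not order.payment_settled:
        # Scenario 1.A: the payment can still be voided, so no chargeback is ever raised.
        # Assumption: the void and the AGP delete leave the registrar with no fee at all.
        return Outcome("void_payment", 0.0)

    if within_agp and order.registry_has_agp:
        # Scenario 1: settled, but still inside the AGP window at a registry that offers one.
        # The wholesale fee comes back; the processing fee and chargeback fee do not.
        return Outcome("delete_under_agp", PROCESSING_FEE + CHARGEBACK_FEE)

    # Scenario 2 (or a registry with no AGP): the wholesale fee is gone as well.
    # clientHold takes the domains offline without forfeiting the already-paid registration.
    return Outcome("client_hold", wholesale_total + PROCESSING_FEE + CHARGEBACK_FEE)


def run_scenario(days_until_notice: int, payment_settled: bool = True,
                 registry_has_agp: bool = True) -> Outcome:
    """Constructed helper: a 20-domain order registered on a fixed date, noticed N days later."""
    registered = datetime(2025, 8, 1, 9, 0)
    order = Order([f"example{i}.test" for i in range(20)], registered,
                  payment_settled, registry_has_agp)
    return triage_chargeback(order, registered + timedelta(days=days_until_notice))


if __name__ == "__main__":
    for days in (1, 14):
        print(f"notice after {days} day(s):", run_scenario(days))
```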
Scenario 3: The Victim Never Notices the Charge
In this scenario, The Bad Actor successfully registers the domains and keeps them for the full year. They carry out several successful phishing attacks before letting the domains expire.
Who Pays the Bill? The Victim. And, to blame The Victim a bit, their lack of awareness not only directly cost them money, but it also enabled the Bad Actor's subsequent crimes against others. This is the ideal outcome for the Bad Actor, who gets a full year of infrastructure for a crime they didn't pay for. The Registrar and Registry, unaware of the fraud, keep their respective fees.
What about The Registry?
I could not readily think of or imagine a scenario where a registry would directly pay the bill for a single fraudulent domain registration. However, that doesn't mean they don't bear significant indirect costs when their TLDs are associated with high levels of abuse. For example:
- Reputational Damage: Anti-abuse providers like Spamhaus and SURBL maintain public lists of the most abused TLDs. Being high on these lists can scare off legitimate customers and corporate investors, impacting long-term sales.
- Incentive Costs: Some registry operators provide financial incentives, like rebates on wholesale fees, to registrars who keep their abuse scores below certain benchmarks. High abuse rates can mean these incentives aren't paid out, affecting the registry's relationship with its retail partners.
- Community and Regulatory Scrutiny: A TLD with a persistent abuse problem invites scrutiny from ICANN, the DNS industry, cybersecurity researchers, and governments. This scrutiny can translate into forced policy changes, increased compliance costs, and significant operational overhead to address the problem.
And, opposite to paying the bill... There are also cases where registries might even continue making money. Remember how I said most gTLD registries offer AGP? Ms. Bush, from her experience, reiterates:
While most gTLDs also provide the AGP safety net, not every registry offers it, which leaves registrars with the registration cost.
And What About The Bank and The Payment Processor?
While these entities are designed to be intermediaries that pass costs along, they aren't immune. I'm not an expert in fraudulent transactions, but there are scenarios where they can end up footing part of the bill.
- The Bank: The bank that issued the credit card operates on risk. It may absorb the loss on small fraudulent charges as a cost of doing business, especially if the cost of arbitrating the chargeback with the merchant is higher than the transaction amount itself. In cases of widespread, sophisticated international fraud, recovering funds can be difficult, and the issuing bank may ultimately be unable to claw back the money, leaving them with the loss.
- The Payment Processor: Processors manage risk by monitoring their merchants. If a registrar has a high rate of chargebacks, the processor will designate them as "high-risk." This can lead to higher transaction fees, a requirement for a larger cash reserve held by the processor, or the processor may simply terminate the relationship, cutting the registrar off from being able to accept payments.
Turning a Loss into a Gain
Ms. Bush highlighted that having to absorb a cost is not all bad:
In practice, registrars often accept short-term financial losses as the price of protecting the DNS—while also iterating on rules and signals to prevent repeat abuse. Those signals can come from payment details, order patterns, or domain intelligence (e.g., precrime flags, phishing indicators, or suspicious buyer histories). It’s a constant, daily cycle of analysis and refinement to stay ahead of threat actors.
This is an excellent point that can easily expand across the rest of the ecosystem. Here are two examples:
- Registries seeing higher-than-usual deletes under AGP from a given registrar could trigger an investigation into the registrar's practices.
- Banks and payment processors could pick up on fraudulent charge claims that share a common factor, such as a single vendor during a timeframe in which a point-of-sale system may have been compromised.
So while some places may end up taking a loss, that loss could be very small compared to the cost of allowing it to persist over a longer period of time.
Conclusion
The financial fallout from a single fraudulent domain registration reveals a system of misaligned incentives. Registrars often bear the immediate and direct financial costs of chargebacks, which is why they are a critical partner in the fight against abuse. When fraud goes undetected, the victim ultimately pays the price, not just with their money but by enabling further harm across the internet. Disappointingly, this cat-and-mouse game of shifting liability will likely continue to plague the DNS and broader cybersecurity industries. Understanding "who pays" is key to understanding why different entities have different motivations and levels of urgency when it comes to mitigating DNS abuse.