May 2026 - Digital Infrastructure | Internet Industry

Addressing Deceptive Exploitation of People Online: the Case for Internet Infrastructure Coordination

Can Internet operators outpace organized online fraud? Bertrand de La Chapelle of I&JPN explains the role of the IIF.

The distributed nature of Internet infrastructure offers resilience but creates a structural challenge when confronting organized abusers. Cross-stack coordination among DNS operators, hosting providers and CDNs is critical to achieving meaningful mitigation of abuses, in particular the deceptive exploitation of people. To facilitate such coordination, a dedicated space, the Internet Infrastructure Forum (IIF), was set up in 2025. A key goal is developing voluntary data-sharing mechanisms to improve abuse management workflows and detect patterns enabling more proactive responses.

The Internet’s distributed architecture is a shared vulnerability

The Internet is an ecosystem of thousands of independent operators working together through shared technical standards, including DNS registries and registrars, hosting providers, and Content Delivery Networks (CDNs). This distributed architecture provides resilience, scalability, and openness. But it also carries a structural vulnerability: when actors at each layer operate in separate silos, coordinated responses to coordinated threats become extraordinarily difficult.

Online abuse gets professional

The nature of online abuse has changed fundamentally. What was once the work of opportunistic individuals is now carried out by organized, well-funded criminal enterprises. These actors exploit the infrastructure stack strategically – registering deceptive domain names, hosting fraudulent content, and using CDN infrastructure to amplify their reach, often within hours.

The most pervasive form of these threats is the deceptive exploitation of people to obtain credentials or money: phishing campaigns, fake online shops or parcel delivery notices, romance scams, and business email compromise attacks. Their common mechanism is deception; their common target is ordinary users. With artificial intelligence now enabling the mass production of convincing fraudulent content, the barriers to entry for abusers are falling further still. Dealing with abuses online is becoming a growing human and financial burden for operators.

The limits of ICANN's framework

The Internet Corporation for Assigned Names and Numbers (ICANN) represents the primary governance forum for DNS operators. Over several years, coordinated work – in which I&JPN played a significant facilitative role – produced meaningful results: an agreed definition of DNS abuse, amendments to registry and registrar agreements to better address phishing, malware, botnets, and spam, and the parallel creation by PIR of the NetBeacon Institute to streamline abuse report processing. This showed that responsible operators could raise standards across the industry. But it also exposed two important gaps.

The first gap is one of scope. Many of the most harmful deceptive practices – fake shops, romance scams, investment fraud – fall outside ICANN's narrow technical mandate, with no dedicated forum to address the growing regulatory pressure. The second gap is structural: even for abuses squarely within ICANN's remit, effective mitigation requires action beyond DNS operators. If malicious content remains hosted after a domain is suspended, abusers simply register a new domain and continue. Hosting providers and CDNs are essential partners – yet they have no presence or role in ICANN's processes and compose a fragmented, largely uncoordinated industry.

Creating a space for cross-stack coordination: the IIF

Abusers operate across the full infrastructure stack simultaneously. Defenders, by contrast, act within their own layer, unaware of what others do. A registrar suspends a domain but the site is still there, ready to be pointed at by another domain. The abuse migrates rather than disappears. This whack-a-mole dynamic is not a failure of individual operators – it is a systemic failure of coordination. Addressing it requires a dedicated space where actors from across the infrastructure stack can build trust, align processes, and share the data that makes collective action possible.

In 2024, a group of responsible operators called for the creation of such a space to foster coordination when dealing with online harms. Building on a decade of multistakeholder dialogue within I&JPN, and with the support of industry associations eco and i2c, an outreach effort brought together around 50 entities from across the infrastructure stack to an inaugural meeting of the Internet Infrastructure Forum (IIF) in February 2025 in Amsterdam. A second meeting followed in Paris in September 2025, and a third in London in February 2026. The fourth meeting is planned in Toronto in September 2026.

The IIF defines its focus as fostering coordination when addressing deceptive exploitation of people – a framing broader than ICANN's DNS abuse definition, covering scams and fraud that weaponize Internet infrastructure against ordinary users, while remaining grounded in what infrastructure operators can realistically address. Intersessional working groups address practical topics of common concern for participants, including evidence standards for abuse notices, and the automation of abuse management workflows.

Data sharing is the engine of coordination

The most significant outcome of the IIF's early work is a shared conviction: data sharing is essential. When an operator takes action against an abuse – suspending a domain, removing hosted content, blocking malicious traffic – that action currently generates no automatic signal to others in the stack. 

Sharing this data would change the equation: a registrar's domain suspension could trigger an alert to the relevant hosting provider; convergent signals from multiple operators could confirm a campaign and accelerate responses across layers. The IIF provides a space to explore how to operationalize such voluntary data-sharing among operators.

Ultimately, data-sharing can contribute to two complementary objectives. The first is optimizing the real-time abuse management workflow to ensure more effective mitigation. This will involve the growing group of Notice Processing and Routing Intermediaries (NPRIs) – organizations such as NetBeacon, cleanDNS, and global iQ – that help automate the collection, evaluation, processing, and distribution of abuse notices between reporters and operators. The second, more ambitious objective is that analysis of aggregated data holds the promise of moving from reactive to more proactive postures by making it possible to identify campaigns and specific patterns.

The road ahead

IIF participants share a set of principles, in particular mutual commitments to cross-stack coordination and data-sharing to address the deceptive exploitation of people. They aim to develop practices and tools that will ultimately be useful for all actors of the ecosystem and will improve the fight against malicious actors.

An inspiration here can be the Information Sharing and Analysis Centers (ISACs) that proved their value in sectors such as finance and energy – enabling market competitors to partner in protecting shared infrastructure from shared threats.

Finally, although the IIF is an industry-based initiative, it is designed to serve over time as an engagement platform with other actors and in particular public authorities, building on fact-based analysis and concrete actions.

The time has come for operators to organize better against organized abuse of their services.

📚 Citation:

de LA CHAPELLE, Bertrand (June 2026). Addressing Deceptive Exploitation of People Online: The Case for Internet Infrastructure Coordination. dotmagazine. https://www.dotmagazine.online/issues/domains-email-user-trust/internet-infrastructure-coordination-online-fraud

 

Bertrand de La Chapelle is the Executive Director of the Internet & Jurisdiction Policy Network (I&JPN), which incubates and provides the secretariat for the Internet Infrastructure Forum (IIF). He is an internationally recognized expert on policy and governance issues related to the internet, with more than 25 years of experience. An engineer by training, but also a professional diplomat and entrepreneur, he was previously a Director on the ICANN Board, and France’s Thematic Ambassador for the Information Society.

 

FAQ

What is the Internet Infrastructure Forum (IIF)?

The Internet Infrastructure Forum (IIF) is a multistakeholder initiative that brings together DNS operators, hosting providers, CDNs, and other infrastructure actors to improve coordination when addressing deceptive exploitation of people online, including scams and fraud.

Why is coordination across Internet infrastructure layers important?

Online abuse campaigns often span multiple layers of Internet infrastructure simultaneously. A domain may be suspended by a registrar while the underlying content remains hosted elsewhere. Coordinated action across layers can help reduce this fragmentation and improve mitigation outcomes.

How does data sharing help combat online fraud?

Voluntary data sharing can provide operators with visibility into actions taken elsewhere in the infrastructure stack. Shared signals may help identify broader abuse campaigns, improve workflow efficiency, and support faster responses to malicious activity.

How is the IIF different from ICANN's DNS abuse work?

ICANN's work focuses primarily on DNS-related abuse within its technical remit. The IIF addresses a broader category of deceptive exploitation of people, including scams and fraud that involve multiple infrastructure layers and require cooperation beyond the DNS ecosystem.

 

Please note: The opinions expressed in articles published by dotmagazine are those of the respective authors and do not necessarily reflect the views of the publisher, eco – Association of the Internet Industry.