Last week, ICANN’s Compliance team sent a breach notice to NetLynx, an ICANN-accredited domain name registrar operating out of India. As with most ICANN breach notices, it’s hard to tell the context of what happened just from ICANN’s announcement. We’re happy to fill in the blanks based on our correspondence with key players in the regulatory sector as well as LegitScript’s own data.
In short, the breach notice resulted from a complaint submitted by the UK Medicines and Healthcare products Regulatory Agency (MHRA) regarding a domain name used as a rogue Internet pharmacy, and NetLynx’s failure to do anything in response to the MHRA’s complaint. The MHRA’s complaint appears to have been based on a single domain name, but LegitScript’s research indicates that roughly a quarter of the registrar’s business is dependent on rogue Internet pharmacy registrations.
NetLynx: A Rogue Internet Pharmacy Frequent Flier
NetLynx has been a “frequent flier” in the rogue Internet pharmacy world for some time. That is, as our analysts review and monitor thousands of rogue Internet pharmacies every day, when we look at rogue Internet pharmacies’ domain name registrars, NetLynx is a name we’ve seen quite a bit over the years — more, actually, than we would expect to see for such a small registrar. And, our complaints to them have gone consistently unanswered.
So is NetLynx just an innocent registrar whose services are being misused, or are they an active partner in the criminal enterprise? To evaluate this, I asked our analysts to dig into two questions: first, how many domain names does NetLynx have under management in total; and second, what percentage of those domain names are rogue Internet pharmacies? After all, if rogue Internet pharmacies constitute just a tiny fraction of any registrar’s portfolio, it doesn’t suggest malfeasance or “turning a blind eye” to criminal activity. If, however, a larger percentage of the registrar’s portfolio are rogue Internet pharmacies, it suggests that the registrar knows what’s happening and is offering protection to the illicit business.
Our Analysis: One out of Four Domain Names Internet Pharmacy-Related
In this case, the first question was relatively easy to answer. According to ICANN Compliance’s records, NetLynx has a little over 12,000 domain names under its management, making NetLynx a fairly small registrar. The next question took some legwork by our analysts: of those 12,000 domain names, how many are rogue Internet pharmacies? We were not able to identify every domain name that NetLynx has in its portfolio, but were able to grab a good chunk of them for analysis -- just over 7,000. I asked our team to look at domain names that 1) are currently active rogue Internet pharmacies; 2) had been rogue Internet pharmacies recently but were now offline; and 3) reasonably appeared to be “holding domain names” for rogue Internet pharmacies (like medicationrxpal.com). Although many of the rogue Internet pharmacies ended in .in (the India ccTLD), we excluded these from our calculations, since .in domain names are presumably not included in ICANN's calculations. As I note below, there were plenty of domain names that we couldn't judge one way or the other, and these were not tagged as rogue Internet pharmacies.
Still, the results were startling: about one in every four of the domain names we reviewed met our rogue Internet pharmacy criteria. There is a margin of error in our analysis, but even in the best-case scenario (if one were to make the unrealistic assumption that none of the domain names in NetLynx's portfolio we were unable to review are rogue Internet pharmacies), the number would be over 15% -- still a good chunk of the company's revenue. On the other hand, there were plenty of domain names for which we simply couldn't say one way or another, so the figure may well be higher than 25%, too. Assuming that the corpus of domain names we reviewed (more than half of NetLynx's portfolio) is representative of the whole, it means that as a registrar, NetLynx is dependent on rogue Internet pharmacy domain name registrations for somewhere around 20% to 30% of its revenue. Of course, this explains why NetLynx would not respond to the abuse complaints submitted by the MHRA or LegitScript.
As far as we can tell, the MHRA only submitted complaints directly to NetLynx about one domain name: tnawsol24h.com, a rogue Internet pharmacy that is an affiliate of a criminal network that LegitScript knows as “Worldwide Drugstore.” According to a contact within one regulatory agency, falsified drugs acquired from the website were either used or intended to have been used in a suicide attempt. (This underscores one reason that prescription drugs require medical supervision: for a trained medical practitioner to be on the lookout for signs of depression and suicide and get people the help they need.) In any case, when the MHRA’s complaints to NetLynx went unanswered, the MHRA submitted a complaint to ICANN Compliance under Section 3.18 of the 2013 Registrar Accreditation Agreement, which requires registrars to investigate and respond appropriately to abuse notifications. One can infer from the ICANN breach notice that ICANN concluded NetLynx failed to investigate and/or respond appropriately to the MHRA’s abuse complaint.
Is NetLynx's Breach Really Curable?
The interesting question is what will happen to NetLynx next. At the time it issued a breach notice, ICANN did not have (to my knowledge) our data indicating that NetLynx is so heavily dependent on recurring rogue Internet pharmacy domain name registrations as a business model, and was presumably looking at the registrar’s failure to take action against a single abusive domain name. It will be interesting to observe NetLynx’s response to our upcoming abuse notification regarding a much bigger chunk of its portfolio. And, of course, we’ll be interested to see ICANN’s response if we have to submit a complaint regarding NetLynx’s failure to respond to our abuse notice.
There’s an important cautionary note here — for ICANN and others — about “false remediation.” Let’s say that NetLynx begins promptly shutting down rogue Internet pharmacies in response to abuse complaints from us, the MHRA and others. Does that mean that NetLynx is now a white-hat registrar? Not necessarily: if such a significant chunk of its domain name portfolio relies on rogue Internet pharmacy domain name registrations, irrespective of whether those subsequently become suspended, its business strategy is still properly understood as being predicated on revenue from domain names used as fly-by-night rogue Internet pharmacies that are then discarded once an abuse complaint comes in. (This was not dissimilar to what we saw a few years ago with now-de-accredited EstDomains.) After all, once a domain name is registered, the registrar receives revenue at that point, irrespective of whether or not the domain name subsequently has to be suspended. Against this backdrop, the best way for ICANN to clearly show that registrars can’t serve as safe havens for criminal activity is to go a step further than the breach notice and de-accredit NetLynx as a registrar.