An Open Letter to ICANN, Registrars, Cloudflare & the Hosting Industry

The factual record

On 5 February 2025, ICANN's compliance division issued a formal Notice of Breach to UltaHost, Inc. (IANA #4331) for violations of the Registrar Accreditation Agreement — specifically RAA §3.18.2 (DNS abuse mitigation) and §3.18.4 (abuse records). UltaHost was given 21 days to cure the breach. The cure period was missed.

The cure was not completed until March 2026 — over a year past deadline. During the unresolved period, an additional several hundred phishing domains were registered through UltaHost infrastructure.

As of 18 April 2026, PhishDestroy's analysis of 342 million domains across 104 registrars ranks UltaHost the #3 worst registrar in the world (risk score 68/100). The current snapshot:

• 728 phishing domains flagged on UltaHost infrastructure
• 433 formal abuse reports filed by PhishDestroy
• 245 domains still live (33.7% alive rate)
• 57% of reported domains remain active after formal complaints
• 98.4% confirmed malicious by VirusTotal

Independent industry classifications — Bolster AI, HostAdvice, WebsitePlanet, OnlyLoudest— now openly list UltaHost as bulletproof hosting. UltaHost's own marketing copy admits the model: “DMCA-ignored servers allow you to stream or share content that lawyers and governments believe violates copyright law.”

The reason this letter exists: continued operation at this risk profile is a choice each addressed institution is currently making, individually and collectively. The infrastructure for action exists. The policy authority exists. What is missing is action.

Five specific asks

1. To ICANN

The cure period was missed by over a year. The conduct that triggered the breach has continued and escalated. We respectfully ask ICANN to publicly clarify what threshold of continued non-compliance, if any, would trigger registrar suspension or termination of accreditation. If the current record is insufficient, please publish what would be sufficient. Predictability of enforcement is itself a deterrent.

2. To Cloudflare Trust & Safety

A significant fraction of UltaHost-registered phishing domains sit behind Cloudflare proxy. Cloudflare's own policy permits action on phishing, malware, and CSAM regardless of host. We ask Cloudflare to publish a periodic transparency report specifically on actions taken against UltaHost-registered domains routed through Cloudflare. The goal is to make the upstream-carrier choice public and accountable.

3. To the Registrar Stakeholder Group / RrSG

The registrar industry has historically argued against external regulation by demonstrating that voluntary self-regulation works. UltaHost's 13-months-past- deadline cure period is a stress test of that argument. We ask the RrSG to consider whether industry-association membership or registrar-of-registrar relationships should carry compliance preconditions, and to publish the deliberation. Silence implies acceptance.

4. To the Anti-Phishing Working Group, M3AAWG, and national CERTs

PhishDestroy's public destroylist on GitHub creates a timestamped record of every abuse report filed against UltaHost-registered domains. We ask cybersecurity coordination bodies to formally cross-reference this dataset with your own threat-intelligence feeds. The aggregate picture is the accountability instrument; no single agency sees the full pattern.

5. To payment-rail providers (card networks, crypto exchanges)

UltaHost's affiliate program offers up to 70% commissions paid in cryptocurrency— an industry-anomalous structure that incentivizes fake-review production. UltaHost's refund policy classifies customer chargebacks as “criminal fraud.” Both of these are payment-rail policy questions. We ask card networks (Visa, Mastercard, Stripe) and major crypto exchanges (Coinbase, Binance) to review whether their merchant terms permit either practice and act accordingly.

What we are not asking

We are not asking for content censorship. Lawful speech that UltaHost happens to host should remain. We are asking specifically for action on documented, evidence-based abuse — the phishing, the wallet drainers, the counterfeit-currency sites, the brand impersonation, the pig-butchering platforms. None of these are protected speech in any jurisdiction.

We are not asking anyone to take our word for it. Every claim in this letter is sourced; our methodology page walks readers through how to verify each claim in under 5 minutes.

We are not asking for personal action against the Doughouz family. No personal legal actions or criminal allegations have been found against Elin Doughouz, Deen Doughouz, or Younes Doughouz individually. Our concerns relate to corporate conduct.

Why now

In the time it takes you to read this letter, somewhere a victim is keying their bank credentials into a UltaHost-hosted phishing site, or having their wallet drained by malware running on UltaHost infrastructure, or watching their bank transfer route to a pig-butchering platform whose backend lives on UltaHost servers. The 245 still-live phishing domains are not a number. They are a daily stream of real harm to real people.

The ICANN breach already established the regulatory finding. The independent cybersecurity research already established the pattern. The four-jurisdiction shell structure (admitted in UltaHost's own Terms of Service) already established the venue-shopping defense. Continuing to address this case at the “monitoring and reporting” layer rather than the “enforcement and termination” layer is itself a policy choice each addressee is making.

We are publishing this letter so that the choice is visible.

Sincerely,

The UltaHostAbuse.com Editorial Team

An independent consumer-watchdog investigation. No commercial relationship with any UltaHost competitor. Editorial contact: contact@ultahostabuse.com.