What ISNIC said in October 2024

The New York Times investigation Some of the Web’s Sketchiest Sites Share an Address in Iceland, published 9 October 2024, focused on Withheld for Privacy ehf — a domain-privacy proxy service operated by US registrar Namecheap and registered at Kalkofnsvegur 2 in Reykjavík, the same building that houses the Icelandic Phallological Museum and an H&M store. The article documented phishing sites posing as Amazon, Coinbase and Spotify, plus the early stages of what was already being identified as a Russian-linked disinformation network.

The most consequential paragraph in that article was not about any specific scam site. It was the part where ISNIC’s chief executive explained, in plain language, that Iceland’s domain registry cannot do most of what international observers expected it to do.

ISNIC, the CEO acknowledged, could block five specific .is domains where the registrants failed to respond to identity-verification requests. But for everything else:

“Iceland has no legal authority over sites using any other domains, even if they are registered to addresses in the country.”

That is a regulator publicly admitting that the legal framework it operates under does not equip it to act on systemic abuse. It was reported. It was repeated by Seattle Times, Reykjavík Grapevine, the Star, Japan Times, and others. And then nothing changed.

What ISNIC’s rules actually say

ISNIC’s Domain Rules are short and explicit. Article 10 sets out what a registrant must do: comply with laws, pay fees, keep registry information accurate, configure the domain in a technically acceptable way. Beyond that, there is no content-abuse policy. No catalogue of disallowed content categories. No UDRP-style alternative dispute resolution. No proactive review of registrants. The rules permit closure only if a court orders it, the police request it on the basis of a court order, or identity verification fails within thirty days.

This is unusual among European registries.

• .dk (Denmark) operates a published abuse-reporting framework with response timeframes.
• .de (DENIC, Germany) operates an alternative dispute resolution procedure for trademark and content claims and has cooperated with German law enforcement on takedowns.
• .no (Norway) requires registrants to be Norwegian legal entities or persons — eliminating most offshore-shell registrations as a precondition.
• .eu (EURid) operates explicit abuse provisions and has actively suspended domains linked to malware and IP infringement.

.is does none of these things. It is not because ISNIC chose this. It is because Alþingi has not given ISNIC the framework that peer registries operate under.

The CEO’s October 2024 admission to the NYT was, read carefully, an invitation to legislative reform. That invitation has not been taken up.

A Canadian drug operation in its 42nd month

legacypharma.is advertises itself as “Legacy Labs — Canada’s #1 Trusted Shop For Anabolic Steroids.” It was created on 27 July 2022 and has been continuously online since. As of this writing it is in its 42nd month of operation.

What is unusual is not that the operation exists. Drug-shop sites of this kind exist on many country-code top-level domains. What is unusual is the precise structure.

A look at the operator’s own published terms — extracted from their site’s WordPress REST API at legacypharma.is/wp-json/wp/v2/pages?slug=faq — reveals that the operation is, in every respect except the domain, located in Canada:

“All our orders are always shipped Canada domestic, so there are never any customs involved or any risk at all to you when ordering through us.”

“By federal law domestic mail can only be opened by the receiver.”

The carrier is Purolator Xpresspost. Shipping is offered in Canadian dollars at a flat $30, free over $500, three to five business days across Canada. Shipments to the United States are explicitly refused. Payment is accepted only via Interac E-Transfer, the Canadian peer-to-peer banking system. The site advises customers:

“do not include any note in the e-transfer such as product names, order number, or anything relating to ‘AAS’ … please keep the secret to yourself and not the banks.”

In other words: warehouse, courier, payment processor, customer base — all Canadian. Anabolic steroids are Schedule IV controlled substances under Canada’s Controlled Drugs and Substances Act; their unlicensed sale is illegal in every market the operation touches. The single component of the operation that is not Canadian is the website’s address, which sits on Iceland’s .is top-level domain.

The reason for that choice is clear when you compare what would happen if the same operation used a Canadian or US TLD. CIRA, the Canadian Internet Registration Authority, can act on a domestic court order with limited procedural friction. Verisign, which administers .com, suspends domains routinely on US or Canadian law-enforcement request. By contrast, when a Canadian regulator or police force seeks to take down a .is domain, it must navigate cross-jurisdictional procedures with an Icelandic registry whose CEO has publicly stated — in the same article that prompted this investigation — that the registry cannot act on most categories.

Iceland’s role in continuing Russian disinformation

The Russian-linked disinformation operation that the NYT identified in 2024 — focused on Withheld for Privacy ehf as the registrar-anonymity layer — has not slowed. It has expanded.

On 29 January 2025, in a single batch within minutes of one another, 35 fake-news domains were registered through Iceland’s Withheld for Privacy ehf and pointed at identical Cloudflare nameserver pairs. The names suggest local US news outlets: dailyweekly.news, txdaily.news, usatimes.news, windycitytimes.news, silvercity.news, bayoucitytoday.com, goldengatedaily.com, capitalcitydaily.com, and others.

WHOIS verification — direct queries to Verisign and .news registry servers, run for this article on 25 April 2026 — confirmed that 18 of 20 sampled domains use Iceland’s Withheld for Privacy ehf as the listed registrant. The remaining 2 list NameCheap directly, which would also default to WFP for any privacy-protected registration.

The operation is attributed to John Mark Dougan, a former Florida deputy sheriff who fled to Moscow in 2016 to evade criminal charges and was given asylum by Russian authorities. He operates a brand within the Microsoft-named Russian state operation Storm-1516, with the European Digital Media Observatory (EDMO) attributing approximately 290 fake news websites to his “CopyCop” infrastructure. NewsGuard named him “2024 Disinformer of the Year”.

The 35-domain January 2025 batch was operationally used during the German federal election in February, alongside more than 100 German-language AI-generated fake news sites. By early 2026, researchers had attributed an additional 95 domains to the network, of which 94 had not previously been documented. The total network size is now estimated at more than 200 active fake-news outlets.

The chain runs through Iceland at the registrar level: domain registered through Namecheap, registrant identity shielded by Withheld for Privacy ehf at Kalkofnsvegur 2 in Reykjavík. None of the actual content is hosted in Iceland. None of the operators live in Iceland. The function Iceland performs in this operation is to make registrant identity untraceable through the public WHOIS system — and Iceland performs that function whether the registrant is a journalist, a small business, or a Russian-state-paid disinformation operator.

The Withheld for Privacy ehf service itself is owned by Namecheap, an Arizona-based registrar. Iceland is the location of the privacy proxy’s legal incorporation, and as ISNIC’s CEO told NYT, the registry has no legal authority over how that proxy is used.

The selective ISNIC parking pattern

ISNIC has not been entirely inactive in the eighteen months since the NYT story. It has parked at least one specific cluster of .is domains: those registered as part of a reputation-attack campaign against the Kazakh billionaire Kenes Rakishev. The flagship domain in that cluster, kenges-rakishev-investigation.is, was registered on 14 October 2025 and was parked at parking00.isnic.is within weeks of public abuse-flagging.

Rakishev is a billionaire with publicly named legal counsel. He is in active litigation in multiple jurisdictions, including a 2024 federal RICO suit in the United States naming him as a defendant. He has the resources, the legal team, and the international visibility to file a formal complaint with legal weight at the Icelandic registry.

The contrast with legacypharma.is is what gives this story its precise shape. That site has been on the same .is registry, registered to the same Hong Kong-shell company, for 42 months — fourteen times longer than the Rakishev cluster lasted. It is selling Schedule IV controlled substances. ISNIC has not parked it.

A bulletproof hosting cluster operating in plain sight

A separate but related layer of the same problem is hosting. A single Reykjavík-operated provider, OrangeWebsite, operates at least eleven shared-hosting servers, each named after an Icelandic volcano: Esja, Laki, Katla, Hekla, Keilir, Hengill, Eldborg, Eldfell, Askja, Jólnir, Léttir.

Aggregate customer-domain count exceeds 3,137 — and probably 4,000-plus, because the public reverse-IP API used to enumerate the cluster caps responses per IP and seven of the eleven servers hit that cap.

Categorisation of the customer-domain list shows recurring abuse clusters:

• 66 crypto wallet drainers (impersonators of Trezor, Ledger, Atomic Wallet, MetaMask)
• 46 cannabis directories targeting specific cities (the 420norway.com, 420denmark.com, acapulcoweed.com, austintexas420.com pattern)
• 59 auto-generated casino domains
• 24 fake pharmacies (the swisstechpharma.com typo-cluster of three)
• 13 “[country] ethical hackers” recovery-scam franchises (albertaethicalhackers.com, britishethicalhackers.com, canadianethicalhackers.com, globalethicalhackers.com — all on the same Iceland-allocated IP)

On one IP, AbuseIPDB has logged 100 reports over the last 365 days for outbound WordPress brute-force activity.

The corporate structure follows the same pattern observed across this story. The visible operating brand has a Reykjavík physical address. The corporate parent, IceNetworks Ltd., is registered at “60 Market Square, Belize City, Belize” in RIPE records and at “Room 1203, 12F, Tower 3, Hong Kong” in ISNIC records. These are different addresses for the same email contact. The IP space is allocated through Iceland’s normal RIPE allocation process. The registry framework — once the IP block is allocated and the customer’s domains are registered — has no further point at which it can act.

This is not a story about any specific Icelandic company doing something wrong. It is a story about what Iceland’s framework permits to happen on territory it controls.

Why this matters now

Iceland has spent more than a decade building a privacy-friendly hosting jurisdiction. The premise is sound: strong data-protection law, political stability, a well-developed Tor relay infrastructure, and explicit support for activist and journalism use cases. Verne Global runs significant data-centre operations from Reykjanes. Cybersecurity-friendly journalism and privacy software (Fray, decouple.net, PrivacySafe, Friends of Borges, Palestine Action’s UK CRM) are hosted in Iceland precisely because Iceland’s framework supports them.

The same regulatory restraint that protects those legitimate uses also protects the cases described in this article. The rules do not distinguish between the two. They cannot — there is no legal mechanism in current Icelandic law that would authorise ISNIC to make that distinction.

The cost of leaving the gap open is now visible internationally:

• The New York Times, Seattle Times, Japan Times, and several other outlets have named Iceland in connection with international fraud and disinformation infrastructure.
• NewsGuard’s research on the Storm-1516 / CopyCop operation references Iceland directly. EDMO’s analysis does the same.
• Western intelligence services routinely log Storm-1516 activity attributable through Iceland.
• A search of any major media database returns “Iceland disinformation hosting” as a recurring story since October 2024.

If the gap is not closed, the next New York Times follow-up — and there will be one — will not be friendly. The Icelandic privacy-jurisdiction brand is already being eroded by the international perception that it cannot self-regulate.

Reform paths that close abuse without disturbing legitimate use

Several reform paths exist that close the abuse vectors without affecting the legitimate use cases Iceland’s privacy framework is designed to enable.

Option 1: ISNIC adopts UDRP-style content-abuse review

Peer European registries (.dk, .de, .no, .eu) all operate administrative processes that trigger on documented content abuse, not only on court orders. A short list of explicitly disallowed content categories — controlled-substance retail, credential-harvesting phishing kits, wallet-drainer kits, identity-theft infrastructure — would be uncontroversial. Registrant-notification and appeal procedures would protect against over-action. Annual transparency reporting would prevent abuse of the process itself.

Option 2: Alþingi gives ISNIC the legal framework

ISNIC’s CEO told NYT, in plain words, that ISNIC has no legal authority to act. Alþingi can change that. An amendment to the Lög um Internetlén nr. 54/2008 (or equivalent) authorising content-abuse takedown, with specified categories and procedural safeguards, is a relatively narrow legislative change. It does not require dismantling Iceland’s privacy framework. It requires authorising the regulator to act on specific abuse categories.

Option 3: Tighten registrant identity requirements for foreign-shell registrants

Norway requires that .no registrants be Norwegian legal entities or persons. This would be too strong for Iceland, which legitimately serves international users. A weaker version — substantive identity verification beyond a 30-day window for foreign registrants without local nexus, particularly those registering with offshore-shell intermediaries — would close the Hong Kong / Belize loophole that has produced multiple of the cases documented here.

The alliance dimension

The cases described above are typically discussed as a domestic Icelandic policy question. Read against Iceland’s actual strategic position, they look different.

All Icelandic internet traffic transits four submarine cables: FARICE-1 (Hafnarfjörður–Hellingsø, Denmark), DANICE (Hafnarfjörður–Esbjerg, Denmark), IRIS (Vestmannaeyjar–Galway, Ireland, opened 2022), and GREENLAND CONNECT via the northwest route. Four cables is a chokepoint that the United States, Germany, France and the United Kingdom do not have. Iceland’s small footprint and concentrated cable infrastructure are the technical reason it is more able than larger states to act on documented threats at the network level — not less.

This is not a censorship argument. It is a capacity argument. The capacity has not been used.

Iceland’s strategic value within NATO comes from the same geography. The Greenland–Iceland–UK gap is the chokepoint the alliance has watched for sixty years. Russian submarine activity near Iceland’s submarine cables has been observed and reported on multiple occasions since 2020. The Keflavík NATO base is again hosting US P-8 patrol operations. Iceland’s defence contribution to the alliance is, in plain terms, geographic position and the systems that operate on it.

The Storm-1516 operation documented earlier in this article targets NATO allies directly. The 2024 US presidential election was a target. The February 2025 German federal election was a target. The 2025 French political environment was a target. The Microsoft and EDMO designations of Storm-1516 as a Russian-state-directed operation are not contested. The Storm-1516 infrastructure that uses Iceland’s registry as its identity-shielding layer continues to operate after eighteen months of public exposure.

Article 3 of the North Atlantic Treaty obligates members to “maintain and develop their individual and collective capacity to resist armed attack.” The alliance has, since the 2014 Wales summit and more explicitly since 2016, treated cyber operations as falling within that framework. The article does not require any specific action. It does require that members not allow their capacity to deteriorate.

What capacity-failure looks like in practice is not a single dramatic event. It looks like an eighteen-month gap between the publication of a New York Times investigation, a regulator’s public admission that it cannot act, and any change to the legal framework. It looks like specific operations — one Canadian drug shop, thirty-five fake-news domains, a 3,000-domain hosting cluster — continuing through that gap. From outside Iceland it looks less like a domestic regulatory issue and more like an alliance member whose privacy framework is being exploited against the alliance, in plain sight of the host country and without legislative action to close the gap.

What this article is, and what it is not

This article has named specific cases — legacypharma.is, the Rakishev cluster, the Storm-1516 January 2025 batch, the volcano-named hosting cluster — because the cases are public, reproducible from public sources, and necessary to show that the gap is real and growing. It has named Iceland’s domain registry because ISNIC’s chief executive himself explained in October 2024 that the registry cannot do what international observers expected.

It has not named any specific Icelandic company as the responsible party for any of these cases. The companies whose names appear in operational details are subjects of public RIPE and ISNIC records. The question of whether they have done anything wrong is not the question this article asks. The question this article asks is whether the legislative and regulatory framework that supervises them gives Iceland the tools it needs.

ISNIC has said it does not. The cases have continued to accumulate. Eighteen months is long enough to know what comes next.

Iceland could choose to be the privacy-friendly jurisdiction that closed its specific abuse vectors before international pressure forced the question. Or it could choose to wait and find out what the third New York Times article looks like.

Methodology & sources

• NYT — Some of the Web’s Sketchiest Sites Share an Address in Iceland (9 Oct 2024)
• Reykjavík Grapevine — summary of NYT story
• ISNIC Domain Rules
• EDMO — Storm-1516 publication
• NewsGuard — Dougan / CopyCop network special report
• NewsGuard — 2024 Disinformer of the Year
• NBC News — 150+ Russian fake news sites traced to Florida deputy sheriff
• Wikipedia — Storm-1516
• Persónuvernd ruling 2023/1656 (Strætó breach)
• Kenes Rakishev — Wikipedia
• KIAR — Rakishev named in 2024 Trump-interference suit
• TechBullion — analysis of .is registry as a global risk factor