The InterPlanetary File System (IPFS) is a content-addressed peer-to-peer file sharing network from Protocol Labs being exploited by cybercriminals to host phishing sites and other malicious content. Often associated with the web 3.0 movement, it allows its users to upload, share, and download files across a distributed worldwide network.

Gateways make IPFS accessible to the broader public, allowing pages powered by IPFS to be visited in traditional web browsers and shared with potential victims. Netcraft first detected cyber attacks using IPFS in 2016, and now detects and blocks hundreds of attacks using IPFS gateways every day.

This blog post describes what IPFS is and how it works, how and why it is used by cybercriminals, and what Netcraft is doing to block and disrupt attacks that leverage the IPFS network.

What is IPFS?

IPFS is a decentralized storage and delivery network technology. Unlike the traditional web, where most content is hosted on dedicated servers, IPFS is peer-to-peer, which means there is no single server providing each page. Instead, content is accessed via any peer (also known as a node) that has a copy of the content, with little distinction between servers and users.

The decentralized structure allows users to host or share content with increased availability and resilience. Filecoin, a cryptocurrency which builds upon IPFS to incentivize node operators to host content, is significantly cheaper than using cloud storage services like Amazon S3 at the time of writing. Eliminating the need for a single server also means content can be accessed from nodes hosted in a wide variety of locations in multiple jurisdictions—improving availability but making it more difficult to remove content.

How does IPFS manage content?

The traditional web is location-addressed: URLs, such as https://www.netcraft.com/, are used to access content from a specific location. IPFS is instead content-addressed. …

Given the global interest in artificial intelligence (AI), it comes as no surprise that cybercriminals are looking to exploit the media hype. 2023 has seen a rapid increase in AI-themed attacks, following the release of Large Language Model (LLM)-powered chatbot ChatGPT in late 2022 (which quickly became one of the fastest-growing consumer applications ever). One easy way to theme a website around AI is to use a domain name which highlights it, as a .ai domain does.

This blog takes a look at the popularity of the .ai domains in recent years and the malicious activity on them that Netcraft has detected and disrupted.

About the .ai TLD

.ai is the country code top-level domain (ccTLD) for the British Overseas Territory of Anguilla. Registrations for this ccTLD began in 1995, but these have accelerated rapidly due to the boom in AI and related industries. Related fees go to the treasury of the government of Anguilla who, according to a report in the New York Times, made $2.9 million in 2018 from .ai registrations.

The ccTLD is used by many legitimate businesses, including two of the biggest technology companies in the world. Google and Meta registered google.ai and facebook.ai in 2017, which redirect to websites promoting their work in the field of AI.  

Since 2013, the number of .ai domains used by web servers has grown 12,523% from 913 to 115,245 domains. We can also see similar growth in IPs and Active sites, growing from 165 to 37,041 IPs and 647 to 112,600 Active Sites. We detected the first part of this massive growth in 2017, when the technology industry and the wider media first began to take notice of (and report on) the potential of AI.

However, we saw an even bigger explosion in …