ShadowStack Infrastructure Intelligence Report

Analysis of infrastructure supporting NCII and deepfake content distribution, based on data from ShadowStack's domain monitoring

Published: December 2025
Data Source: ShadowStack Intelligence Platform

Executive Summary

This report examines the infrastructure used to host and distribute NCII (Non-Consensual Intimate Image) and deepfake content. We analyzed domains to identify hosting providers, CDNs, payment processors, and security configurations that support this content.

Key Finding: Major hosting providers are being paid to host NCII content. This report shows which service providers are involved, their market share, and how to contact them to request content removal.

Data comes from ShadowStack's monitoring platform, which tracks domains and identifies their hosting providers, CDNs, payment processors, and security settings. This snapshot covers infrastructure observed through December 2025.

Infrastructure Landscape Overview

We found a range of infrastructure providers hosting NCII content. The data shows heavy concentration among a few hosting providers, CDNs, and payment processors, which points to both how these sites operate and where to focus disruption efforts.

Key Finding: Service providers (CDNs, hosts, ISPs) are being paid to host these sites and should be held accountable, even if they're intermediaries like Cloudflare. The top service provider hosts % of all domains in this dataset.

Top Hosting Providers

CDN Distribution

Key Service Providers

These service providers host the most NCII domains through hosting, CDN, and ISP services. They're being paid to provide these services and should be held accountable.

Important: All service providers in the chain (CDN, Host, ISP) are being paid and should be held accountable, including intermediaries like Cloudflare. Contacting these providers is the most effective way to get content removed.

Top Service Providers (Consolidated)

Top ISPs

Service Provider Breakdown

Geographic Distribution

Geographic data from DNS history and IP geolocation shows where the infrastructure hosting NCII content is located. However, geographic data is limited, as many domains use privacy services, VPNs, or proxy networks that mask their true location. The data shown here represents only the visible geographic footprint and may not reflect the actual operational locations of these sites. It helps identify regional patterns and jurisdictional considerations for enforcement, but should be interpreted with caution given the limited visibility.

Top Countries by Domain Count

Key Domains Analysis

These domains are examples from the dataset with complete infrastructure mapping. They show typical infrastructure patterns and service provider relationships used for NCII content distribution.

Payment Processing Infrastructure

Payment processor identification shows how these sites make money. However, most payment processors were hidden or not detected during analysis, so the data shown here is limited. Understanding payment infrastructure is critical for financial disruption efforts, but this analysis only captures a small portion of the actual payment processing used by these sites.

Payment Processors

Technology Stack Analysis

CMS platforms, web servers, and technology stacks show operational patterns and potential vulnerabilities. Understanding the technology stack helps identify common infrastructure patterns and potential disruption points.

CMS Platforms

Web Servers

Actionable Intelligence & Recommendations

Based on our analysis, these service providers are the highest-priority targets for disruption efforts. Contacting them is the most effective way to get NCII content removed.

Priority: Service providers (CDNs, hosts, ISPs) are being paid to host these sites and must be held accountable, even if they're intermediaries. The top service provider hosts % of all domains in this dataset.

Priority Action Items

Intelligence Collection Methodology

This report is based on data collected through ShadowStack's automated monitoring platform. The methodology includes:

  • Domain Discovery: Automated identification of domains associated with NCII and deepfake content
  • Infrastructure Mapping: WHOIS analysis, DNS enumeration, hosting provider identification, and CDN detection
  • Domain Enrichment: Analysis of domains including payment processor detection, CMS identification, SSL/TLS certificate analysis, and security header evaluation
  • DNS History Analysis: Historical IP address tracking and geographic location mapping from DNS records
  • Data Correlation: Linking domains with infrastructure data to identify relationships and operational patterns
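
A sketch of the Data Correlation step as it feeds a consolidated provider ranking, counting each domain once per provider across the host, CDN, and ISP roles and reporting shares against enriched domains only. This is an added example, not ShadowStack's code; the record fields (`host`, `cdn`, `isp`), the provider names, and the domains are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed sample records; domains and provider names are placeholders.
SAMPLE = [
    {"domain": "site-a.example", "host": "ProviderA", "cdn": "ProviderC", "isp": "ProviderA"},
    {"domain": "site-b.example", "host": "ProviderA", "cdn": None, "isp": "ProviderB"},
    {"domain": "site-c.example", "host": "providera ", "cdn": "ProviderC", "isp": ""},
    {"domain": "site-d.example", "host": None, "cdn": None, "isp": None},  # enrichment failed
    {"domain": "site-e.example", "host": "ProviderB", "cdn": "ProviderC", "isp": "ProviderB"},
]
ROLES = ("host", "cdn", "isp")  # assumed field names for the three provider roles


def _norm(name):
    """Normalize a provider label; empty or missing values become None."""
    name = (name or "").strip().lower()
    return name or None


def consolidate(records):
    """Rank providers by the number of distinct domains they serve in any role.

    A domain counts once per provider even when that provider fills several
    roles. Shares are relative to enriched domains (at least one role known),
    so undetected infrastructure lowers coverage rather than skewing shares.
    """
    domains_by_provider = defaultdict(set)
    roles_by_provider = defaultdict(Counter)
    enriched = set()
    for rec in records:
        for role in ROLES:
            provider = _norm(rec.get(role))
            if provider is None:
                continue
            enriched.add(rec["domain"])
            domains_by_provider[provider].add(rec["domain"])
            roles_by_provider[provider][role] += 1
    total = len(enriched)
    ranking = [
        {"provider": p, "domains": len(d),
         "share_pct": round(100 * len(d) / total, 1) if total else 0.0,
         "roles": dict(roles_by_provider[p])}
        for p, d in domains_by_provider.items()
    ]
    ranking.sort(key=lambda r: (-r["domains"], r["provider"]))
    unenriched = len({r["domain"] for r in records}) - total
    return {"enriched": total, "unenriched": unenriched, "ranking": ranking}
```

Because shares are computed per provider across roles, they can sum to more than 100%: one domain behind a CDN and a separate host counts toward both.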

Data Sources: All data is collected from publicly accessible sources. No private channels, dark web access, or unauthorized data collection methods are used. This analysis covers the visible infrastructure ecosystem as monitored through December 2025.

Limitations: This report only covers the visible infrastructure ecosystem. Domains using additional operational security measures, privacy services, or infrastructure not yet identified may not be captured. Analysis is limited to domains that have been identified and successfully enriched. Numbers should be considered minimum estimates of the actual ecosystem size.