“Right now, most DNS servers are complicit in the crime.”
Craig Sanderson did not ease his audience into that conclusion. Speaking on the Cyber Strategies Stage at ExCeL London on Wednesday, June 3, our cybersecurity strategist opened the Infoblox Infosecurity Europe 2026 session, Using Protective DNS to Dismantle Global Scam Networks, with a premise most defenders rarely say out loud: the internet’s address book does what attackers ask of it. A user clicks a phishing link, the resolver answers and the scam proceeds. Joined on stage by Cliff Wright, senior manager, Threat Intelligence at Infoblox, Craig spent the next 20 minutes arguing that the same infrastructure can be turned against the criminals who exploit it, and that Protective DNS is how you do it at scale.
Craig and Cliff expand on several of these themes in companion videos on the Infoblox YouTube channel.
The Third-Largest Economy Nobody Elected
Craig opened with numbers designed to recalibrate the room. “If you took the size of the global economy from a scam point of view, it would only be behind the United States and China in size,” he said. In the United Kingdom alone, he noted, fraud now accounts for 20 percent of all crime, and two thirds of that fraud is cybercrime.
Faced with figures like that, the instinct is to call for more prosecutions. Craig didn’t entertain the idea: “Prosecuting our way out of this problem is just not viable.” Much of the industry operates from scam compounds in Myanmar, Cambodia and Laos, where, by his account, the proceeds of cybercrime amount to roughly 46 percent of GDP. Expecting those jurisdictions to dismantle their largest revenue stream is not a strategy.
Cliff described what those compounds have become: operations the size of small towns, with the integrated functions of a real enterprise. Recruitment, training, scriptwriters and vast numbers of workers, many of them trafficked and forced into the work. “It’s kind of an industrial revolution of sorts,” he said. Profits get reinvested into the compounds, and the machine grows. Craig and Cliff unpack the economics of this criminal industry in a companion video series, Using Protective DNS to Dismantle Global Scam Networks, on the Infoblox YouTube channel: Episode 1, Episode 2 and Episode 3.
Reputational Armor: Crime in Plain Sight
The session’s strangest evidence came from a United Nations report connecting organized crime to sponsorship of European football clubs. Cliff, who brings more than two decades in threat research, called it “probably the boldest thing that I’ve seen so far in 20-something years of working in this industry.” The payoff for the criminals, he explained, is legitimacy: “They’ve ended up with this layer of credibility, this reputational armor, if you like.” Regulators, victims and potential partners see a brand on a football shirt and stop scrutinizing it.
Craig made it personal. As a Crystal Palace supporter, he pointed out, “I was also like a walking advertising board for illegal Chinese gambling,” referring to a former shirt sponsor later tied to illegal gambling operations in the Far East. The club, he was careful to note, was happy to take the money but most likely had no understanding of where it came from. That is the point: these operations manufacture brands from scratch, complete with payment systems, crypto rails and holding companies, then hide inside the legitimate economy.
The same plain-sight logic powers the technical machinery. Cliff walked the audience through traffic distribution systems (TDSs): redirection networks that intercept a user after a click and route them wherever the attacker wants, profiling them along the way through data leaked in HTTP requests. Marketing teams have used TDSs legitimately for years, which is precisely why criminal versions blend in. The malicious variants add cloaking, filtering out researchers, law enforcement, sandboxes and bots, while delivering hyper-personalized lures to real victims. “There’s no point presenting a scam in a completely different language to the victim,” Cliff observed. The right threat reaches the right victim at the right time.
Craig then closed the loop for enterprise defenders who consider consumer scams someone else’s problem. Citing the most recent Verizon 2026 Data Breach Investigations Report, to which Infoblox is a contributing organization for the second consecutive year, he described how ransomware campaigns frequently begin with what looks like a personal scam. Stolen credentials get sold on to access brokers, and a consumer compromise becomes a corporate back door. The case for Protective DNS, in other words, is not a consumer story.
Taking Out the Drone Factory
So how do defenders fight infrastructure that can be built and torn down at will? Cliff’s answer: stop chasing domains and start fingerprinting actors. DNS is a record-based system, and the way attackers configure and operate their records leaves what he called an “infrastructure fingerprint.” Combine those behaviors with clustering, and Cliff’s threat intelligence team can identify individual threat actors, map their estates and track them as they evolve.
Craig offered the session’s most useful analogy: “Rather than trying to shoot down millions of drones, you’re trying to take out the infrastructure of the drone factory.” The window for doing so is surprisingly wide. Infoblox research puts the average gap between when scam infrastructure is first set up and when it is weaponized at about 68 days. Identify the actor’s infrastructure inside that window, and Protective DNS can block it before a single victim clicks.
Protective DNS itself, Craig explained, means putting threat intelligence onto the DNS resolution path so that malicious or policy-violating domains simply fail to resolve. Governments are already proving the model in two flavors. Governmental Protective DNS shields public sector estates: the U.K.’s National Cyber Security Centre (NCSC) protects the National Health Service (NHS), central and local government, and some schools, with Australia and the United States running comparable programs. National Protective DNS pushes threat intelligence onto ISP infrastructure to protect citizens directly. Craig pointed to Ukraine, where the financial impact of Russian-origin fraud on citizens dropped 30 percent in the first month of deployment, and to Latvia, where the national CERT blocked 2.5 billion malicious queries in three months. Craig and Cliff follow this thread into the mechanics of preemptive blocking in a companion video on the Infoblox YouTube channel.
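The resolution-path decision described above can be sketched in a few lines. This is an added example, not code from the session or from any Infoblox product; the feed layout, the allowlist override and every domain name are constructed for illustration.

```python
# Added illustration: evaluating a query against threat-intelligence policy
# before it is resolved. Feed format and all names are assumptions; the
# .example TLD is reserved, so none of these domains exist.
BLOCKLIST = {
    "scam-shop.example": "malicious",   # constructed threat-intel entry
    "bets.example": "policy",           # constructed policy-violation entry
}
ALLOWLIST = {"status.bets.example"}     # constructed local exception


def _suffixes(qname):
    """Yield the name and each parent domain, most specific first."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def resolve_decision(qname):
    """Return (action, matched_rule, category) for one query name.

    Matching is done on whole labels, so a rule for scam-shop.example
    covers login.scam-shop.example but never notscam-shop.example, which
    a substring or endswith() check would wrongly block.
    """
    for name in _suffixes(qname):
        if name in ALLOWLIST:
            # The most specific rule wins, so an exception under a blocked
            # parent still resolves.
            return ("FORWARD", name, "allowlisted")
        if name in BLOCKLIST:
            # Answering NXDOMAIN makes the domain "fail to resolve".
            return ("NXDOMAIN", name, BLOCKLIST[name])
    return ("FORWARD", None, None)


if __name__ == "__main__":
    for q in ("login.scam-shop.example.", "notscam-shop.example",
              "status.bets.example", "www.bets.example"):
        print(q, resolve_decision(q))
```
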
From Best Practice to Mandate
Craig saved his most direct advice for organizations that neglect their own estates. Companies routinely let registered domains lapse, leaving a decade of accumulated reputation free for any threat actor willing to pay a registrar. Those resurrected domains then power phishing campaigns against the brand’s own customers. His verdict on organizations without a proper domain life cycle: “You’re simply aiding and abetting these cybercriminals and you’re making their life a lot easier.”
Regulation is catching up. Craig highlighted National Institute of Standards and Technology (NIST) Special Publication (SP) 800-81 Rev. 3, published in April, as the U.S. government’s DNS security guidance, with federal mandates expected to follow. In the European Union, organizations regulated under the NIS2 Directive will face DNS security requirements covering resilience, hygiene and Protective DNS. Singapore has gone further still, embedding Protective DNS and DNS security best practices into the foundational policy for its secure AI infrastructure.
Asked for a starting playbook, Craig gave the audience three steps. First, establish a DNS hygiene policy across the estate, because ownership of DNS security too often falls between networking and security teams. Second, integrate DNS into the cybersecurity control stack, deploying Protective DNS to turn a networking platform into a security asset with ubiquitous visibility across cloud, on-prem and roaming users. Third, treat DNS telemetry as seriously as Protective DNS blocking. DNS query data provides a complete audit trail of what a compromised device tried to reach, and DHCP lease data anchors event correlation when IP addresses shift. Craig put the stakes in career terms: “CISOs don’t get fired for breaches, they get fired when someone says, well, what was the scope of the breach? And they’re like, I don’t know.”
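The third step, as an added example that is not from the session or any product: it joins DNS query records to DHCP leases so that one device's audit trail follows it across IP changes. The record layouts, MAC addresses and domains are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data; the field layout is an assumption, not a real
# product's log format.
LEASES = [  # (ip, mac, lease_start, lease_end)
    ("10.0.5.23", "aa:bb:cc:00:00:01", "2026-06-01T08:00:00", "2026-06-01T12:00:00"),
    ("10.0.5.23", "aa:bb:cc:00:00:02", "2026-06-01T12:05:00", "2026-06-01T20:00:00"),
    ("10.0.5.41", "aa:bb:cc:00:00:01", "2026-06-01T12:10:00", "2026-06-01T20:00:00"),
]
QUERIES = [  # (timestamp, client_ip, qname, action)
    ("2026-06-01T09:15:00", "10.0.5.23", "login.scam-shop.example", "NXDOMAIN"),
    ("2026-06-01T13:00:00", "10.0.5.23", "intranet.corp.example", "FORWARD"),
    ("2026-06-01T13:30:00", "10.0.5.41", "cdn.scam-shop.example", "NXDOMAIN"),
    ("2026-06-01T12:02:00", "10.0.5.23", "update.vendor.example", "FORWARD"),
]


def _ts(value):
    return datetime.fromisoformat(value)


def device_for(ip, when):
    """Return the MAC that held `ip` at time `when`, or None if no lease covers it."""
    for lease_ip, mac, start, end in LEASES:
        if lease_ip == ip and _ts(start) <= when < _ts(end):
            return mac
    return None


def audit_trail(mac):
    """Every query made by one device, in time order, whatever IP it had."""
    hits = [q for q in QUERIES if device_for(q[1], _ts(q[0])) == mac]
    return sorted(hits)


def unattributed():
    """Queries no lease explains: a telemetry gap to investigate, not to ignore."""
    return [q for q in QUERIES if device_for(q[1], _ts(q[0])) is None]


if __name__ == "__main__":
    # Grouping by IP alone would merge two devices that shared 10.0.5.23.
    for row in audit_trail("aa:bb:cc:00:00:01"):
        print(row)
    print("unattributed:", unattributed())
```
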
Hear the Full Conversation
Watch the companion videos on the Infoblox YouTube channel to hear Craig and Cliff go deeper on the scam economy, preemptive defense with Protective DNS and the DNS security playbook. Then, take the next step Craig offered the room: our DNS security workshops audit how your environment measures up, with our experts working directly alongside your networking and security teams. Your DNS infrastructure already exists. The only question is whether it works for you or for the criminals.

