Case Studies & Research

Europol report on illicit trade in fake toys stresses that the limited application of the KYBC principle has led to a lack of traceability of third-party sellers

On Thursday, March 24 2022, Europol has published the results of two subsequent joint-actions against counterfeit toys: A report about the risks of fake toys, based on operation LUDUS I, which was carried out from October 2020 to January 2021, as well as a press release announcing the results of the follow-up operation LUDUS II (October 2021 and 31 January 2022).

In the framework of the LUDUS I operation alone, Europol was able to seize more than five million illicit toys in 21 countries, violating the intellectual property rights of the brand owners. The seized goods had a total value of more than EUR 16 million. 560 involved companies have been identified. The report also underlines the health and safety risks of counterfeit toys, stating that 1 854 administrative/health prevention cases had to be opened during the reference period.

According to Europol:   
“The operation also confirmed that the illicit trade in fake toys relied heavily on the rise of online trade, including on e-commerce platforms as well as social media and instant messaging services, a phenomenon that has surged during the COVID-19 pandemic.
Both genuine and illicit toys are increasingly sold by physical retailers via these online platforms and delivered by postal services. This significant increase in small parcel shipments traded across borders represents an inspection and control challenge for customs authorities, an opportunity that toy counterfeiters have been seizing.
In addition, the limited application of the principle of ‘know your business customer’ online (the KYBC’ principle) has led to a lack of traceability of third-party sellers. This creates a challenge for law enforcement in identifying the counterfeiters and dismantling their networks.”


Read the LUDUS I report here.
And the press release on LUDUS II here.

Malicious Domains

Europe’s top 35 hosting providers collectively host more than three million domains that are either malicious or potentially malicious according to a analysis of data from DomainTools, the world’s leading brand protection, domain monitoring, domain valuation, and cybercrime investigation company. 

This figure represents approximately 15% of all domains hosted by the major EU hosting providers – a staggeringly large threat to legitimate EU consumers and businesses.  

Of these three million domains, the large majority – more than 2.7 million – can be described as “malicious” in that they have DomainTools risk scores of 50 or above (out of a possible 100).  More than 750,000 additional domains can be classified as “potentially malicious” because they score 40 or above.  These risk scores are based on the company’s proprietary threat assessment technology, which examines a wide range of characteristics to identify high-risk domains. 

This data comes from a November 2021 analysis of the company’s database, which is widely regarded as the world’s biggest and most reliable IP/WHOIS/Network dataset. 

Case in point – KYBC would be a simple and transparent solution to address this issue in the Netherlands

According to a recent article published by leading Dutch paper NRC, the Netherlands ranks number 2 in the world for hosting child pornography. A study published by TU Delft that was commissioned by Minister Ferd Grapperhaus identifies Dutch hosting provider NFOrce as the most egregious offender. And while Operations Director Dave Bakvis wants to “…hang the makers [of such sites] from the tallest tree…” he also doesn’t want to lose these customers because “…that’s a fifth of our revenue. Then there will be layoffs here…”.

In the article Bakvis outlines in great detail how he works with law enforcement. “We work well with everyone. With the police, the Public Prosecutors’s Office, Interpol, the reporting check point of the Expertise Centre Online Child Abuse (EOKM)…”. According to him a tedious and time-consuming effort. In the article Bakvis outlines that NFOrce’s services are also used for other illegal activities, these include “...the copyright stuff, the scams, the fake websites, terrorism – everything comes through here”.

When asked how well he knows his customers, he responds that “…they must provide a name, address, email and possibly telephone numbers. We try to get more details for dubious customers, but I’m not going to make that [process] a day job”. Well maybe he should! By introducing simple KYBC obligations that verify business user details against existing databases such as the European Business Register (EBR) and the Ultimate beneficial owners register (UBO register), there will be minimal administrative burdens and no onerous process of trying to track down anonymous operators offering illegal products and services.

KYBC obligations would certainly also help with NFOrce’s reputational issue. According to Bakvis, since the publication of the study, “…we ran into problems with the bank that handles our credit card payments, a data center where our servers are located slammed the door…”.


Read the complete interview on NRC here.

DK Hostmaster: how KYBC is already working in Denmark

In Denmark, the case of DK Hostmaster demonstrates that verification of business customers is a simple and effective way to create a safer, transparent and trustworthy internet for all users. Since DK Hostmaster has started implementing the verification of business user details through NemID, illegal activities were reduced from 700 instances in 2016 to just 8 in 2019.

DK Hostmaster is a small organization that is authorized to administer Denmark’s .dk domain names. It found that in 2017, nearly 7% of active .dk websites were illegal sites selling counterfeit products and the operators behind these sites were unidentifiable. This anonymity led to a burdensome, time-consuming and costly process for DK Hostmaster to confiscate the domain names. The Danish organization therefore introduced a mandatory identity verification procedure for business customers applying for .dk domain names based on the Danish verification system NemID. Benefiting from the publicly accessible databases existing at national level in Denmark, the procedure immediately reduced the number of .dk sites operating illegal activities, and false webshop/scams sites have almost disappeared from the .dk zone on the internet.

The DK Hostmaster example demonstrates that verification can be carried out simply, as part of a business sign-up process, by checking publicly accessible databases that already exist at national level – just as would happen in the offline world when a business is seeking to rent physical retail space. Similar databases exist at European level, including the European Business Register (EBR) and the Ultimate beneficial owners register (UBO register). They render KYBC obligations easy to implement, with minimal administrative burdens, as part of a business sign-up process.

For more information, read here.

Online business anonymity is putting EU citizens’ health at risk – the COVID-19 pandemic makes it impossible to tolerate the status quo, it’s costing us lives


It is an undisputed fact that EU citizens are put in harm’s way as the sale of falsified and substandard medicines is rampant and growing on the Internet[1]. This is clearly recognised by the European Commission in its Impact Assessment for the Falsified Medicines Directive[2], which clearly states that the Internet is a major source of falsified and substandard medicines. According to the WHO, in over 50% of cases, medicines purchased over the Internet from illegal sites that conceal their physical address have been found to be counterfeit. Similarly, a study conducted under a strict protocol by the European Alliance for Access to Safe Medicines, found that 62% of medicines purchased from sites found by way of common search engines were substandard or counterfeit.[3]

Similarly, according to the non-profit independent National Association of Boards of Pharmacy of the 35,000 of websites selling medicines, more than 96% are operating illegally.[4] [5]

Unscrupulous operators prey on citizens’ fears, especially during the COVID-19 pandemic which have created opportunities for cyber criminals to capitalize on increased demand for COVID-19 cures and preventatives[6]. In fact during March 2020, at least 100,000 new domain names were registered containing terms like “covid,” “corona,” and “virus”, plus more domains registered to sell items such as medical masks.[7] Other domains have been registered and used to spam out advertisements for COVID-themed scams.

The catalogue of patient harm and deaths due to falsified and substandard medicines bought online is well documented[8].

Falsified medicines are not only a threat to patients’ safety, and sometimes life, but also lead to a significant increase of public expenditure on preventable hospitalisation. The Digital Services Act has to upgrade internet accountability across all intermediaries, not just online marketplaces, as the vast majority of rogue pharmacy websites transact their illegal business via their own network of websites not platforms.

To prevent this illegal business and to protect the EU citizen from harm, KYBC obligations should be required by all infrastructure service providers and not be limited to marketplaces.

It is our right to have a safe and secure internet environment that protects EU citizens from dangerous and substandard medicines. The global pandemic makes it ever more urgent to act.

For a moving film about how criminals operate in selling fake medicines to the public click here.

Find out more about fake medicines by clicking here and for a useful infographic on the risks of buying medicines online and how to buy safely click here.


[1] OECD/EUIPO report Illicit trade – Trade in Pharmaceutical products
[2] 2.10.2015 SWD(2015) 189 final COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document COMMISSION DELEGATED REGULATION (EU) – supplementing Directive 2001/83/EC of the European Parliament and of the Council by laying down detailed rules for the safety features appearing on the packaging of medicinal products for human use.
[3] The Counterfeiting Super Highway EAASM report
[4]  Internet Drug Outlet Identification Program, National Association of Boards of Pharmacy, 2016
[5] The Internet Pharmacy Market in 2016, LegitScript and the Center for Safe Internet Pharmacies, January 2016
[6] How Covid-19-related crime   infected Europe in 2020 11 November 2020
[7] Don’t Panic: COVID-19 Cyber Threats.” Palo Alto Networks Unit 42 blog, 24 March 2020, at:
[8] Examples of patients harmed by medications purchased online

Taking the Profit Out of Intellectual Property Crime


Piracy content distribution models have become more sophisticated and professionalised over time, with piracy operations now perpetrated by a mixture of technically skilled and well-coordinated crime groups or individual offenders. That’s what independent security and defence think tank, the Royal United Services Institute (RUSI), stated in its recent report “Taking the profit out of intellectual property crime”, which looks at how and why transnational organised crime networks perpetrate online audio-visual piracy.

The report emphasises how this type of IP crime, which threatens the creative industries by profiting to the tune of hundreds of millions of pounds every year off the backs of those who create intellectual property, can also cause direct harm to consumers, delivering age inappropriate advertising, malware, fraud, and surreptitious cryptomining.

Currently law enforcement and civil actions seeking to tackle this type of criminal activity are often undermined because these services do not verify their business customers. One of the solutions recommended by the RUSI report is the implementation of “Know Your Business Customer” (KYBC) requirements for online service providers to record and verify customer identity. RUSI also calls for a more coordinated policy approach, bringing together law enforcement, regulators, financial institutions, and the private sector with the aim of contributing to the ‘demonetisation of piracy’.

Despite the report’s focus on the film and TV sector in the UK, almost all the recommendations are applicable internationally.

The complete report is available here.




Openload is a notorious pirate service – listed on the European Commission’s piracy and counterfeiting watch list. An investigation revealed that Openload operated within the European Union using infrastructure and hosting services provided by EU companies.

A court ordered the European hosting company to identify customer details for Openload, but it turned out that the listed customer was a defunct shell entity. The hosting provider admitted the customer data they hold is “purely declarative” and that it had no way of tracing or authenticating the identity of Openload. This is despite the hosting company having received more than €19 Million in fees paid through a PayPal account linked to a Costa Rican advertising agency and various untraceable credit cards.

Learn more on this video

Domains of Danger: How Website Speculators and Registrars Trade Internet Safety for Profit


Following reports of increasing fraud related to the COVID-19 pandemic, the Digital Citizens Alliance conducted a three-month investigation that found that “little to no effort” is made to police domains whose sole purpose would be to scam, endanger those most vulnerable, or entice those seeking dangerous drugs. During this investigation, the DCA found it easy to register domains such as “” and was even encouraged to bid on domains such as “”.

The report outlines how the domain name industry frequently puts profits over consumer safety and describes an industry that bases its dealings on what it can, rather than what it should do to foster a healthy internet. Furthermore, the report shines a light on the lack of due diligence conducted by a number of these companies with respect to their commercial customers – and how that indifference could have real world consequences for consumers.

Read more here.



Moonwalk was considered one of the largest content sources for a significant number of infringing streaming sites. The Moonwalk network particularly focused on serving the majority of the largest Russian piracy sites, attracting millions of end-users. ACE, together with BREIN, conducted an investigation that revealed the technical infrastructure, based in the Netherlands. BREIN and ACE obtained an injunction against the Dutch hosts which resulted in taking down the Moonwalk service. In order to effectively take action against the operators, BREIN also obtained a court order allowing BREIN to seize the necessary information to identify the responsible people behind Moonwalk in the administration of the three Dutch hosting providers. Subsequently, the hosts voluntarily provided identifying information which proved either false or not traceable. For example, the data led to people in Russia and Ukraine who clearly lacked the technical skills for such an operation.

The court case regarding the received information continues in the Netherlands: effective piracy operations are undermined by the fact that some hosting providers currently do not verify their customer data and/or do not require that their (mostly foreign-based) resellers keep verified data. It is important that hosting providers adapt their business practices, general terms and conditions and administration in such a way, to ensure that customer information is verified, authenticated and available at all times.

For more information read here.