The modern office building near the harbor in Iceland’s capital, Reykjavik, is best known as the home of the Icelandic Phallological Museum, which displays 320 specimens of mammal penises.
To those who track cyber mischief, however, the building also has a reputation as a virtual offshore haven for some of the world’s worst perpetrators of identity theft, ransomware, disinformation, fraud and other wrongdoing.
That’s because the museum’s street address, Kalkofnsvegur 2, is also the registered address for Withheld for Privacy, a company that is part of a booming and largely unregulated industry in Iceland and elsewhere that allows people who operate online domains to shield their identities.
While the practice has become commonplace for website owners seeking to protect themselves from harassment or spam, it has also helped others cover their tracks from prying regulators, law enforcement officials or victims.
Withheld for Privacy and other so-called proxy services have turned Iceland into a global hub for illicit activity far out of proportion to the country’s size.
The company — created in 2021 by Namecheap, one of the world’s largest providers of websites — has effectively shielded tens of thousands of sketchy internet sites. Even local authorities said they had tried and failed to reach the company’s representatives when problems had arisen.
Researchers at Syracuse University studying deceptive political advertising on Facebook and Instagram stumbled on the penis museum when trying to track down the owners of a website that spent $1.3 million on fraudulent ads targeting supporters of former President Donald J. Trump.
The scam sought to dupe victims into sharing credit card details and unwittingly committing to exorbitant monthly payments before Facebook’s owner, Meta, shut down the ads and blocked the domain behind them this year.
The internet is replete with similar sites trying to trick or bilk credulous users, and proxy services, when abused, make it even more difficult to catch or even identify perpetrators.
“It’s the internet version of giving me the bird,” said Jon Stromer-Galley, a research software engineer in Syracuse’s Institute for Democracy, Journalism and Citizenship.
Because Withheld for Privacy uses the building’s address as a default for its clients, Kalkofnsvegur 2 has been linked to online forums used by a white supremacist group in the United States, Patriot Front, to sell counterfeit hormone drugs to trans women; to phishing sites posing as companies such as Amazon, Coinbase and Spotify to steal money and personal information from visitors; and to Russian influence campaigns intended to spread fake narratives to unsuspecting Americans.
The Russian efforts, which the United States has linked to the administration of President Vladimir V. Putin, include more than 130 fake news outlets registered this year by a former deputy sheriff in Florida now living in Moscow, John Mark Dougan.
Among Mr. Dougan’s latest efforts was a staged interview on the website for KBSF-TV in San Francisco — a channel that does not exist — making a bogus claim that Vice President Kamala Harris injured a girl in a hit-and-run accident in 2011.
Iceland is an attractive place for proxy services largely because of its robust privacy laws, which officials said were intended to protect ordinary users from authoritarian governments — not to shelter fraudsters or other criminals.
“We had the aim to create what we called the Switzerland of bytes,” said Mordur Ingolfsson, a former member of Iceland’s Parliament who helped enact some of the country’s first internet privacy laws. What happened instead “is abuse of the work that we did.”
Neither Withheld for Privacy nor Namecheap responded to repeated requests for comment. “Their service is only to hide who the real controller is,” said Valborg Steingrimsdottir, the head of supervision for Iceland’s Data Protection Authority.
Internet domains — which function like the online version of a street address, while a website is like the building at the address — have long been regulated by the Internet Corporation for Assigned Names and Numbers, an international nonprofit organization known as ICANN, which the U.S. government created in 1998.
Until 2018, anyone seeking to use a domain was required to disclose contact information, which was then recorded in searchable public databases. The goal was to ensure public trust that websites were what they claimed to be.
Then the European Union passed the world’s toughest online privacy law, the General Data Protection Regulation. Its stipulations, which have shaped global standards, allow most registrants to shield their contact information. Proxy protection soon became, in many cases, a default feature.
Unlike certain top-level domains, such as .gov for U.S. government sites or .is in Iceland, the more familiar .com, .org and .net domains and most others are maintained by private companies called registrars. Many — including GoDaddy, the largest — offer privacy services for domain registration, often at no cost, and they face little pressure to share information about potentially problematic clients.
“At a time when cybercrime and concerns about misinformation are increasing,” the industry has become “very opaque,” said Greg Aaron, president of Illumintel, a consulting firm that provides internet policy and security services.
Tech companies that claim they are not responsible when their products or services are put to illicit use are facing a growing backlash in Iceland and other countries.
Iceland’s Data Protection Authority, along with the country’s prosecutor and telecommunications ministry, has pushed for legislation that would effectively ban services like Withheld for Privacy from operating in Iceland.
“The law needs to be changed so this problem can be managed,” Ms. Steingrimsdottir said.
Namecheap announced in 2021 that it was shifting its privacy domain service to Withheld for Privacy; it had previously used a proxy based in Panama. The announcement said the company had chosen Iceland because it was “a country known for its privacy standards.”
Withheld for Privacy, like many of its clients, is a mysterious entity, its activity seemingly obfuscated by design. It is registered at Kalkofnsvegur 2, according to Iceland’s tax department, but there is no outward sign that the service occupies space in the six-story building.
The Icelandic Phallological Museum is in the basement, while an H&M clothing store occupies the first two floors. A sales manager at Regus, a British company that operates a shared-services office on the third floor, said Withheld for Privacy had no presence in the building.
Thordur O. Thordarson, the museum’s chief operating officer, expressed bewilderment at the building’s links to nefarious activity online. “We are a penis museum, yes,” he said during a tour of its scientific and cultural displays, “but we are a serious penis museum.”
Withheld for Privacy’s director is listed as Sergio Raygoza Hernandez, who is from Mexico, according to public records at the tax department in Reykjavik, but neither he nor anyone else could be reached through a phone number or an email address provided by its website.
ISNIC, a private corporation that is responsible for regulating Iceland’s .is domain, has also failed to reach anyone from Withheld for Privacy. It was attempting to verify the identities of people trying to register five .is domains using Withheld for Privacy.
ISNIC’s chief executive officer, Jens Petur Jensen, said that, by law, ISNIC could block those five domains, but Iceland has no legal authority over sites using any other domains, even if they are registered to addresses in the country.
Almost immediately after Withheld for Privacy was registered in 2021, authorities around the world began tracing troublesome activity to Kalkofnsvegur 2.
The Texas State Securities Board served a cease-and-desist order that year against a site registered there, Prestige Assets Management, accusing it of running a scheme to impersonate another company and deceive potential investors into offering up sensitive identifying information.
The Cybersecurity and Infrastructure Security Agency in Washington also issued an alert that year about two ransomware sites at the Reykjavik address linked to DarkSide, a cyberhacking group based in Russia that carried out an attack on a major U.S. pipeline.
A group of sites hidden behind Withheld for Privacy was linked to an online campaign to malign Simu Liu, the Canadian actor. Other sites included apparent scams that targeted applicants for jobs and apartments, sports car enthusiasts, and musicians, seeking personal information or financial data.
Meta, which owns Facebook, Instagram and WhatsApp, has tangled with Namecheap. In 2020, Meta sued the company and its previous proxy service “for registering domain names that aim to deceive people by pretending to be affiliated with Facebook apps.” In a settlement that was amended in 2022 to include Withheld for Privacy, Namecheap agreed to cooperate with Meta in fighting copyright infringement and other abuse.
That appeared to be the case with Liberty Defender Group, whose Facebook pages Meta shut down this year. According to Syracuse’s researchers, other domains linked to the same operators continue to place ads under other names, like American Benefits News and Frontier of Freedom.
For other sites, whose content is protected by freedom-of-speech laws, there are even fewer means of recourse.
Mr. Dougan, the former sheriff’s deputy now in Russia, registered his new domains through Withheld for Privacy after his registrations for previous sites in the United States were exposed as fake news organizations, according to McKenzie Sadeghi, a researcher with NewsGuard, a company that tracks disinformation online.
The fake television news site that spread the false claim about Ms. Harris’s car accident — which Microsoft and the U.S. government linked last month to the Kremlin — was registered only in August, according to ICANN’s database.
The site has since been blocked. Mr. Dougan declined to comment on the sites registered in Iceland.
Russia’s involvement has raised particular concerns in Iceland, which is a member of NATO but does not have a standing army or intelligence service.
“Our vulnerabilities as an open, democratic society are being exploited,” said Elfa Yr Gylfadottir, the director of the country’s Media Commission, which monitors disinformation.
The challenge for those who would change the practice is that it has staunch defenders. Zach Edwards, a researcher with Silent Push, a threat analysis company, said privacy services were a vital source of protection for many legitimate domain owners.
“Most serious threat actors aren’t going to actually expose themselves,” he said. “Whereas for everyone else who owns domains, if we didn’t have features like Withheld for Privacy, it would dramatically make normal folks’ privacy much worse.”
Withheld for Privacy has registered roughly 35 million domains at the building in Reykjavik, with the vast majority presumably legitimate users. The opacity of the privacy service, however, has made policing those who are not more difficult.
“Where does use stop and abuse start?” asked Mr. Ingolfsson, the former lawmaker. “These are very difficult questions, and we haven’t answered them.”
Kitty Bennett contributed research.