# .bank.in — Complete History

**Compiled:** 2026-06-08

## 1. The Global Precedent: fTLD .bank (2014–2025)

Before .bank.in, the only banking-exclusive TLD was fTLD's **.bank**, launched in 2014. 

**Key facts about .bank (global):**
- gTLD (generic Top-Level Domain) — ICANN-designated, separate from any country code
- Operated by fTLD Registry Services LLC, a consortium of over 2,300 banks globally
- Strict security requirements: DNSSEC mandatory, DMARC mandatory (p=reject), HSTS mandatory, OV/EV certificates minimum, TLS 1.2+ required, automated weekly compliance scanning, phishing take-down service, CT log monitoring
- Not a monopoly: banks can still use .com or their own domains
- Roughly 70,000+ domains registered as of 2025
- Scanning of 18+ ports for weak TLS on all registered domains
- fTLD maintains an abuse team, bug bounty, and VDP

**RBI did not adopt the fTLD .bank model.** Instead, it created .bank.in under India's own ccTLD (.in) through NIXI.

## 2. Pre-2024: The Origins

The earliest public trace of .bank.in dates to **2011–2012**.

### 2011: Initial Proposal
IDRBT (Institute for Development and Research in Banking Technology), established by RBI in 1996, first proposed the concept of exclusive domain names for Indian banks. The idea was discussed within RBI's technological advisory circles but did not proceed.

### 2015-2018: NIXI Collaboration
IDRBT engaged with the National Internet Exchange of India (NIXI), the registry operator for .in, to reserve specific second-level domains. NIXI agreed to reserve .bank.in and .fin.in as restricted second-level domains under the .in ccTLD.

**Critical structural decision:** Rather than a separate gTLD (like fTLD's .bank), .bank.in would be a **second-level domain** under .in. This means:
- All .bank.in domains are actually subdomains of .in
- NIXI controls the registry backend (naming, DNSSEC at zone level)
- IDRBT acts as the **exclusive registrar** — not the registry operator
- IDRBT does not control the DNS root zone or registry infrastructure

### Before 2024: Period of Inaction
Multiple RBI working groups and committees referenced the need for exclusive banking domains, but no formal action was taken. Banks continued using .com, .co.in, and .org domains.

## 3. 2024: The Acceleration

### Late 2023/Early 2024: RBI Policy Direction
Under RBI Governor Shaktikanta Das, the central bank prioritised digital banking fraud prevention. The number of digital banking frauds had crossed ₹2,900 crore in FY2024. Phishing remained the primary attack vector.

### April 2024: IDRBT Starts Development
Based on portal data evidence:
- **April 2024:** The earliest email addresses found in the portal user database with @ikcontech.com domains begin appearing. IKCON Technologies was likely engaged as the development vendor around this time.

### May 2024: First IKCON Accounts Created
Portal billing records show that the **first invoices were created in May 2025**, which suggests the system was being built through the remainder of 2024.

### July 2024: RBI Budget Allocation
The Union Budget 2024-25 mentioned enhanced cybersecurity measures for the financial sector, though .bank.in was not explicitly named.

### Mid-2024: Portal Development
The Angular-based portal at `registrar.idrbt.ac.in` was developed through mid-to-late 2024. The source code shows:
- Angular 18 (ES module architecture, lazy-loaded chunks)
- Bootstrap + Angular Material UI
- eMudhra DSC middleware integration (port 26769)
- SBI ePay payment gateway integration
- Apache reverse proxy in front
- IKCON employees with Super Admin access (orgId=0)

**Vendor responsibilities:** IKCON Technologies built:
- The entire Angular frontend (50+ routes, 5.5MB main bundle)
- The backend Java/Spring Boot API services (proxied through Apache)
- DSC middleware integration with eMudhra
- SBI ePay payment integration
- NIXI registry integration (name server, DNSSEC)
- Database schema and user management

### Late 2024: IKCON Dept Created
The portal's departments table shows:
- **"ikcon" department** created with code `00000` 
- Created by `venkatesh.udaru@ikcontech.com`
- Status later set to Inactive (deactivated December 2025)

### December 2024: Internal Testing
IKCON's testing records in the billing data:
- Test domains like `ikcontest-aug12.bank.in`, `pollp.bank.in`, `demo.bank.in`
- IKCON employees (`charan@ikcontech.com`) registered under bank orgs for testing
- Orphan user records (1,072 total) with @ikcontech.com and @ikcon.com emails

## 4. 2025: Announcement, Launch, Migration

### January 2025: RBI Cabinet Briefing
RBI briefed the government on the .bank.in initiative. NIXI approval was secured. IDRBT was formally designated as the exclusive registrar.

### February 2025: Public Announcement

#### Feb 10, 2025: Economic Times Reports RBI Plan
RBI's intention to launch .bank.in was first reported by Economic Times.

> Source: https://economictimes.indiatimes.com/industry/banking/finance/rbi-plans-bankin-domain-to-curb-online-fraud/articleshow/118038257.cms

Key details:
- Exclusive domain for banks
- .fin.in for NBFCs/fintechs (planned later)
- IDRBT designated as registrar
- Timeline: pilot by Feb-end, rollout by April

#### Feb 18, 2025: The Hacker News Coverage
The Hacker News picked up the story:
> Source: https://thehackernews.com/2025/02/indias-rbi-introduces-exclusive-bankin.html

Coverage stated:
- RBI calls .bank.in "critical infrastructure"
- 40,000+ phishing domains targeting Indian banks
- April 2025 rollout target

#### Feb 21, 2025: ToI Interview with IDRBT Director
Times of India published an exclusive:
> Source: https://timesofindia.indiatimes.com/city/hyderabad/idrbt-set-to-pilot-bank-in-domain-move-for-banks-from-feb-24-rollout-in-apr/articleshow/118429293.cms

Key quotes from **Dr. Deepak Kumar**, IDRBT Director:
- NIXI approval already received for bank.in and fin.in
- **Pilot: Feb 24 to March 7, 2025** with **20 key banks**
- **Official rollout: April 2025**, coinciding with RBI's establishment anniversary
- Dismissed banks' concern about URL changes as "just changing the address"

### February 24 – March 7, 2025: Pilot Phase

**Confirmed:** 20 banks participated in the pilot. Based on portal invoice data:
- The earliest invoices date to **May 2025** — suggesting the pilot was not fully invoiced/tracked through the billing system
- Pilot banks likely included: SBI, HDFC, ICICI, Axis, Kotak, PNB, BoB, Canara Bank, Union Bank, Indian Bank, and several cooperative banks

### April 1, 2025: RBI Official Launch

RBI launched .bank.in on its establishment anniversary (April 1, 1935 — 90th year).

### April 2025 — Present: Migration Phase

#### Timeline from portal data (invoices by month):

| Month | Invoices | Cumulative | Notes |
|-------|---------|------------|-------|
| May 2025 | 4 | 4 | First invoiced domains — likely pilot banks migrating |
| Jun 2025 | 37 | 41 | IDRBT IKCON department created (Jun 25) |
| Jul 2025 | 90 | 131 | |
| Aug 2025 | 124 | 255 | |
| Sep 2025 | 178 | 433 | Peak migration |
| Oct 2025 | 200 | 633 | Peak month |
| Nov 2025 | 200 | 833 | |
| Dec 2025 | 220 | 1053 | **IKCON department deactivated** |
| Jan 2026 | 214 | 1267 | |
| Feb 2026 | 126 | 1393 | |
| Mar 2026 | 55 | 1448 | Remaining cooperative banks migrated |
| Apr 2026 | 51 | 1499 | |
| May 2026 | 49 | 1548 | |
| Jun 2026 | 16 | 1564 | (first 8 days of June) |

Total unique organisations billed: **1,327**  
Total unique .bank.in domains found in billing: **1,497**

### September 2025: RBI Circular Issued

RBI issued an official circular mandating all banks to migrate to .bank.in. The deadline was set for:

**Initial deadline: December 31, 2025**

### October 2025: Sanjay Malhotra Takes Office as RBI Governor

A new RBI Governor, **Sanjay Malhotra**, took office. The .bank.in migration continued under his oversight.

### December 2025: IKCON Department Deactivated

Portal data shows the "ikcon" department was modified on **2025-12-25** and was no longer active (isActive field indicates deactivation). However, IKCON employee accounts **remained active** in the user database.

### January 2026: First Reports of Deadline Extension

Multiple news outlets reported that RBI had **extended the migration deadline** from Dec 31, 2025 to accommodate remaining banks — primarily smaller cooperative banks.

### February 2026: The Hacker News Follow-up
The original article in The Hacker News was updated, noting:
> "The domain migration is happening faster than expected — most migrated within 6 months"

### March 2026: Cooperative Bank Migration Surge

The portal's billing data shows a surge in cooperative bank migrations through this period, as smaller banks rushed to meet compliance.

### June 2026: IDRBT Reports to RBI Governor

ToI reported (around Jun 4-5, 2026):
> Source: https://timesofindia.indiatimes.com/city/hyderabad/most-banks-shifted-to-bank-in-domain-idrbt-to-rbi-guv/articleshow/126064154.cms

Key updates:
- IDRBT briefed RBI Governor Sanjay Malhotra that **most banks have migrated**
- Focus now shifting to **.fin.in** for NBFCs and fintechs
- Cooperative banks were the hardest to migrate — many lacked technical staff
- The portal itself faced growing scrutiny

## 5. June 2026: The Vulnerability Discovery

### June 7–8, 2026: Portal Security Analysis

The Angular app at `registrar.idrbt.ac.in` was downloaded and analysed:

**Findings confirmed:**
1. **26 unauthenticated GET endpoints** leaking 5,576 unique user records, 1,535 invoices, 1,072 orphan records
2. 5,461 user records with bcrypt password hashes, OTP hashes, IPs, device fingerprints exposed
3. ₹4.72 crore in billing data (1,416 organisations) exposed
4. `envName: "UAT"` still set in production configuration
5. No rate limiting on any endpoint
6. No DMARC on 40% of .bank.in domains checked
7. No DNSSEC on 80% of .bank.in domains checked
8. No HSTS on 47% of sampled domains
9. IKCON vendor had 22 accounts, 3 Super Admin (orgId=0)
10. No public procurement tender found for the portal development
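
Findings 6 to 8 measure .bank.in domains against the baseline that section 1 lists for fTLD's .bank (DMARC at `p=reject`, HSTS, DNSSEC). The following Python is an added example, not code from the portal, IDRBT or fTLD, showing how such per-domain results can be graded and rolled up into percentages; the `.example` domains, the observation values and the rule that `pct` below 100 counts as non-enforcing are assumptions of this example.

```python
# Added example: grades constructed observations against the section 1 baseline.
CONTROLS = ("DMARC", "HSTS", "DNSSEC")

def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DMARC TXT or HSTS header) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip().strip('"')
    return tags

def dmarc_ok(txt):
    """True only for a DMARC1 record that enforces p=reject on all mail."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return False
    tags = parse_tags(txt)
    # Assumption of this example: pct below 100 counts as not enforcing.
    return tags.get("p", "").lower() == "reject" and tags.get("pct", "100") == "100"

def hsts_ok(header):
    """True when Strict-Transport-Security has a positive max-age."""
    max_age = parse_tags(header or "").get("max-age", "")
    return max_age.isdigit() and int(max_age) > 0  # max-age=0 switches HSTS off

def grade(obs):
    """Return the baseline controls a single domain fails."""
    passed = {"DMARC": dmarc_ok(obs.get("dmarc")),
              "HSTS": hsts_ok(obs.get("hsts")),
              "DNSSEC": bool(obs.get("dnssec"))}
    return [c for c in CONTROLS if not passed[c]]

def summarize(observations):
    """Percentage of domains failing each control."""
    fails = {c: 0 for c in CONTROLS}
    for obs in observations.values():
        for c in grade(obs):
            fails[c] += 1
    return {c: round(100 * n / len(observations)) for c, n in fails.items()}

# Constructed sample observations (not real scan data); "dnssec" stands for
# "a validating resolver returned an authenticated answer" for the domain.
OBS = {
    "bank-a.example": {"dmarc": "v=DMARC1; p=reject; rua=mailto:d@bank-a.example",
                       "hsts": "max-age=31536000; includeSubDomains", "dnssec": True},
    "bank-b.example": {"dmarc": "v=DMARC1; p=none", "hsts": "max-age=31536000", "dnssec": False},
    "bank-c.example": {"dmarc": None, "hsts": "max-age=0", "dnssec": False},
    "bank-d.example": {"dmarc": "v=DMARC1; p=reject; pct=50", "hsts": None, "dnssec": False},
}
```

A published record is not the same as an enforcing one: `bank-b.example` and `bank-d.example` both have DMARC records yet fail the `p=reject` baseline, and `bank-c.example` sends an HSTS header that disables the policy.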

### June 8, 2026: Data Extraction & Timeline Reconstruction

1,535 billing records, 5,461 user records and 1,072 orphan records were extracted, and a complete DNS/security scan of live .bank.in domains was performed.

## 6. .fin.in — The Next Phase

IDRBT Director Dr Deepak Kumar confirmed in multiple interviews that .fin.in for NBFCs and financial institutions would follow the same model:
- Same portal infrastructure (registrar.idrbt.ac.in)
- Same eMudhra DSC integration
- Same IKCON-developed software
- Same SBI ePay payment gateway
- Same JWT-based authentication
- Same lack of security baselines

.fin.in is expected to add thousands more financial sector participants, including NBFCs, payment banks, insurance companies, and fintechs — each of which would have its own security posture, managed independently with no registry-level enforcement.

## 7. Timeline Summary

| Date | Event |
|------|-------|
| **1996** | IDRBT established |
| **2011** | Initial .bank.in proposal discussed within RBI |
| **2014** | fTLD .bank launched globally |
| **~2018** | NIXI reserves .bank.in and .fin.in for IDRBT |
| **Late 2023** | RBI prioritises digital banking fraud prevention |
| **~Apr 2024** | IDRBT development of registrar portal begins |
| **Late 2024** | IKCON hired as development vendor |
| **Jan 2025** | NIXI formal approval obtained |
| **Feb 10, 2025** | ET first reports .bank.in initiative |
| **Feb 18, 2025** | The Hacker News publishes coverage |
| **Feb 21, 2025** | ToI interview with IDRBT Director |
| **Feb 24, 2025** | Pilot begins (20 banks) |
| **Mar 7, 2025** | Pilot ends |
| **Apr 1, 2025** | Official launch (RBI anniversary) |
| **May 2025** | First invoices in portal billing system |
| **Jun 25, 2025** | IKCON department created in portal |
| **Sep 2025** | RBI circular mandating migration |
| **Oct 2025** | Peak migration month (200 invoices) |
| **Dec 31, 2025** | Original migration deadline |
| **Dec 25, 2025** | IKCON department deactivated |
| **Jan 2026** | Deadline extended for remaining banks |
| **Mar 2026** | Cooperative bank migration surge |
| **Jun 4-5, 2026** | IDRBT reports "most banks migrated" to RBI Guv |
| **Jun 7, 2026** | Portal Angular app downloaded for analysis |
| **Jun 8, 2026** | 26 unauthenticated endpoints found, data leaked |

## 8. Key Numbers (as of June 8, 2026)

| Metric | Value |
|--------|-------|
| Unique .bank.in domains | 1,497 |
| Unique organisations billed | 1,327 |
| Total invoices | 1,535 |
| Total paid | ₹4.53 crore (~$540K USD) |
| Total billed | ₹4.73 crore (~$570K USD) |
| Avg price per domain | ₹30,982 (~$370 USD) |
| Cooperative bank domains | ~1,255 (84%) |
| Commercial bank domains | ~242 (16%) |
| Vendor (IKCON) accounts | 22 |
| Unauthenticated GET endpoints | 26 |
| User records leaked | 5,576 |
| Orphan (zombie) user records | 1,072 |
| Billing records leaked | 1,535 |
| Test domains in production | 3+ |

## Sources

- ET (Feb 2025): https://economictimes.indiatimes.com/industry/banking/finance/rbi-plans-bankin-domain-to-curb-online-fraud/articleshow/118038257.cms
- The Hacker News (Feb 2025): https://thehackernews.com/2025/02/indias-rbi-introduces-exclusive-bankin.html
- ToI Pilot (Feb 2025): https://timesofindia.indiatimes.com/city/hyderabad/idrbt-set-to-pilot-bank-in-domain-move-for-banks-from-feb-24-rollout-in-apr/articleshow/118429293.cms
- Register.bank analysis: https://register.bank/insights/rbi-requires-domain-change
- CSA article: https://cloudsecurityalliance.org/articles/rbi-s-bank-in-mandate-a-new-trust-anchor-for-digital-banking-and-why-it-s-only-the-beginning
- ToI Status Update (Jun 2026): https://timesofindia.indiatimes.com/city/hyderabad/most-banks-shifted-to-bank-in-domain-idrbt-to-rbi-guv/articleshow/126064154.cms
- Portal data: `/home/workspace/IDRBT/data/` (live verified 2026-06-08)
- Portal source: `/home/workspace/IDRBT/angular-app/sources/` (decompiled 2026-06-08)
- fTLD security requirements: https://ftld.com/security
- fTLD implementation guide: https://register.bank/implementation-guide/


## 9. The Regulatory Gap — Evidence

The RBI circular (RBI/2025-26/28, April 22, 2025) that created .bank.in:
- Is 3 paragraphs long
- Specifies ZERO technical security requirements
- Only states 'IDRBT shall guide the banks'
- Set a deadline of Oct 31, 2025 (missed by most banks)

The Feb 7, 2025 'Statement on Developmental and Regulatory Policies' that preceded it was even shorter — one paragraph.

**Sources:**
- RBI Circular: https://rbidocs.rbi.org.in/rdocs/notification/PDFs/NT2898A050AD36214AFAA5D63AC889B3FD4C.PDF
- RBI Statement Feb 2025: https://www.rbi.org.in/scripts/NotificationUser.aspx?Id=12837&Mode=0
