Also this wasn’t necessarily a DMCA request.

itch.io said this on the hackernews thread (bolding mine):

The BrandShield software is probably instructed to eradicate all “unauthorized” use of their trademark, so they sent reports independently to our host and registrar claiming there was “fraud and phishing” going on, likely to cause escalation instead of doing the expected DMCA/cease-and-desist.

And BrandShield’s response / nonpology (bolding mine):

BrandShield serves as a trusted partner to many global brands. Our AI-driven platform detects potential threats and provides analysis; then our team of Cybersecurity Threat hunters and IP lawyers decide on what actions should be taken. In this case, an abuse was identified from the itch.io subdomain. BrandShield remains committed to supporting our clients by identifying potential digital threats and infringements and we encourage platforms to implement stronger self-regulation systems that prevent such issues from occurring.

Which translated into English is possibly* something like “We would be very happy if the general public thought this was a normal DMCA takedown. Our chatbot said the website was a phishing page. Our overworked cybersecurity expert hunter agreed after looking at it for zero milliseconds. We encourage itch.io to get wrecked.”

This difference matters because site hosts and domain registrars can be extremely proactive about any possibility of fraud / abuse / hacks, and there’s less of a standard legal process for them.

* Dear Funko please do not call my mom.

Yes and no.

Usually, you send the DMCA/Takedown request to the site.

If they don’t have a DMCA contact, or you’re lazy, you send it to the domain registrar.