
MonstaDomains


Malicious Domain Registration Hit 1.5 Million in 2026

Originally published at https://monstadomains.com/blog/malicious-domain-registration/

Malicious domain registration is no longer a fringe security problem. New research published on June 12, 2026, analyzed 1.5 million domains flagged on VirusTotal between January and May 2026, and the findings reveal an industrial-scale abuse pipeline running through a small, predictable set of domain registrars. The study is the most detailed mapping of attack domain infrastructure published to date.

The scale of malicious domain registration documented here represents a step change from earlier estimates. It is not random churn. It is organized infrastructure built on concentrated registrar relationships, automated batch registration, and a deliberate choice to exploit registrars with minimal abuse vetting.

The Scale of Malicious Domain Registration in 2026

The research, published as arXiv paper 2606.11111, examined more than 1.5 million unique domains each flagged by at least five independent VirusTotal scanning engines during the study window. Close to 89 percent were freshly registered by attackers specifically for malicious use. The remaining 11 percent were legitimate domains that had been taken over – a distinct attack path with serious implications for domain owners who inherit infrastructure with a difficult history.

January 2026 had the highest single-month volume, and the following months stayed close to that level. Malicious domain registration has therefore settled into a continuous, automated cadence rather than a burst tied to any single campaign.

What the Numbers Mean at Scale

At 1.5 million flagged domains across five months, attackers were seeding the internet with roughly 300,000 attack domains every month on average. One domain in the dataset accumulated over 2 billion DNS queries, evidence that a small number of high-traffic nodes absorb a disproportionate share of user exposure, while the long tail of shorter-lived domains rotates rapidly to evade blocklists.

A Handful of Registrars Handle Most Attack Traffic

The most striking finding concerns concentration. The top four registrars by volume collectively processed more than a third of all attacker-created domains. The top ten handled roughly 60 percent of the domains with known registrar data. Attackers are not distributing their activity evenly – they are routing it through registrars that either lack effective abuse detection or choose not to act on the signals they have.

Bulk registration patterns were rampant throughout the dataset. More than three-quarters of the domains with usable WHOIS records belonged to batch registrations – groups of five or more domains registered simultaneously. The largest single batch contained more than 2,000 domains registered with one registrar on the same day, pointing directly to automated scripts executing malicious domain registration at production scale.

The TLD Mix Attackers Rely On

About a third of attack domains used the .com extension – attackers know .com carries implicit trust. The top ten extensions combined, including .top, .cc, and .xyz, accounted for 66 percent of all attack domains. Attackers pick .com for its perceived legitimacy and low-cost alternatives for their loose registration controls and minimal identity requirements.


From Malicious Domain Registration to Active Attack in Days

The median domain was approximately two months old at first detection, but that median conceals a more dangerous pattern in the left tail of the distribution. Close to a third of the attack domains were detected within one week of registration, and some were flagged within one day of going live. The compressed window between malicious domain registration and active use means that by the time a domain surfaces in a commercial threat feed, a phishing campaign may already have reached thousands of targets.
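The three registration-side signals described above (same-registrar, same-day batches; concentration at a few registrars; and the gap between WHOIS creation date and first VirusTotal flag, where the median hides a fast tail) can all be computed from a joined WHOIS plus detection dataset. The following is an added example written for this article, not code or data from the arXiv study or from MonstaDomains. The record layout (registrar, WHOIS creation date, first-flagged date) and the placeholder registrar names are assumptions, and the sample rows are constructed to exhibit the patterns the text describes; grouping batches by calendar day is coarser than the second-level timestamps real WHOIS records carry.

```python
"""Registration-pattern checks over a constructed sample of flagged domains.

Added example, not code or data from the arXiv study or from MonstaDomains.
Fields assumed per record: domain, registrar, WHOIS creation date, first date
flagged on VirusTotal. Registrar names are placeholders, not the study's
(unnamed) providers; the rows are constructed.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample: (domain, registrar, whois_created, first_flagged).
SAMPLE = [
    ("login-whatsapp-verify.top",  "RegA", date(2026, 1, 6),   date(2026, 1, 7)),
    ("whatsapp-secure-chat.top",   "RegA", date(2026, 1, 6),   date(2026, 1, 8)),
    ("whatsap-support.top",        "RegA", date(2026, 1, 6),   date(2026, 1, 12)),
    ("wa-verify-now.top",          "RegA", date(2026, 1, 6),   date(2026, 1, 9)),
    ("whatsapp-update.top",        "RegA", date(2026, 1, 6),   date(2026, 3, 1)),
    ("whatsapp-hellp.top",         "RegA", date(2026, 1, 6),   date(2026, 3, 4)),
    ("coinbase-wallet-verify.xyz", "RegB", date(2025, 11, 20), date(2026, 2, 2)),
    ("coinbasse-login.cc",         "RegB", date(2025, 11, 20), date(2026, 1, 25)),
    ("bet365-bonus.cc",            "RegB", date(2025, 11, 20), date(2026, 1, 20)),
    ("google-docs-share.com",      "RegC", date(2025, 10, 1),  date(2026, 1, 15)),
    ("accounts-google-auth.com",   "RegC", date(2025, 12, 15), date(2026, 2, 20)),
    ("old-legit-blog.com",         "RegD", date(2019, 5, 3),   date(2026, 2, 10)),  # taken-over domain
    ("bet365-live-cashout.xyz",    "RegE", date(2026, 2, 1),   date(2026, 2, 1)),
    ("secure-coinbase-kyc.top",    "RegF", date(2026, 1, 28),  date(2026, 2, 4)),
]


def find_batches(records, min_size=5):
    """Group domains by (registrar, creation date) and return the groups of at
    least min_size: the same-registrar, same-day signal a registrar can see
    in its own data. Keys are (registrar, date), values are domain lists."""
    groups = defaultdict(list)
    for domain, registrar, created, _ in records:
        groups[(registrar, created)].append(domain)
    return {key: doms for key, doms in groups.items() if len(doms) >= min_size}


def registrar_share(records, top_n):
    """Fraction of all domains handled by the top_n registrars by volume."""
    counts = Counter(registrar for _, registrar, _, _ in records)
    top = sum(n for _, n in counts.most_common(top_n))
    return top / len(records)


def detection_latency(records):
    """Days between WHOIS creation and first VirusTotal flag, one per domain."""
    return [(flagged - created).days for _, _, created, flagged in records]


def latency_summary(records):
    """Median age at first detection plus the share flagged within 7 days and
    within 1 day. Reporting only the median would hide the fast tail."""
    ages = detection_latency(records)
    return {
        "median_days": median(ages),
        "within_7d": sum(a <= 7 for a in ages) / len(ages),
        "within_1d": sum(a <= 1 for a in ages) / len(ages),
    }


if __name__ == "__main__":
    for (registrar, day), domains in find_batches(SAMPLE).items():
        print(f"batch: {len(domains)} domains at {registrar} on {day}")
    print(f"top-1 registrar share: {registrar_share(SAMPLE, 1):.0%}")
    print(f"top-3 registrar share: {registrar_share(SAMPLE, 3):.0%}")
    print("latency:", latency_summary(SAMPLE))
```

On the constructed sample the only batch is the six same-day RegA registrations, that single registrar accounts for 43 percent of the rows, and the median age at detection is 55.5 days while six of the fourteen domains were flagged within a week. Lowering `min_size` to 3 also surfaces the RegB group, which is the kind of threshold a registrar would tune against its own false-positive rate.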

High-traffic domains in the dataset drew the bulk of query volume, while lower-traffic domains cycled in and out rapidly. This two-layer structure – a persistent high-traffic core plus a rotating perimeter – makes blocklist-based defenses insufficient on their own.

The Brands Attackers Clone Through Phishing Domains

Brand impersonation was central to the attack infrastructure. WhatsApp was the most-copied brand, with approximately 20,000 attack domains spoofing it. Google, Coinbase, and Bet365 also appeared heavily in the dataset. The primary intent across these impersonations is credential harvesting – directing targets to convincing fake sites that capture login details or drain crypto wallet credentials through a fake verification step.

The appearance of Coinbase in the top targeted brands is a specific signal for crypto users. Fake Coinbase domains are used overwhelmingly for phishing attacks designed to harvest wallet credentials or trick users into entering seed phrases on fraudulent login pages. For anyone managing crypto assets through a browser-facing account, the risk from lookalike domains in the malicious domain registration pipeline is direct and financial.

For operators of legitimate websites and services, malicious domain registration may already be targeting your brand without your knowledge. Variants of your domain name – with common typos, added prefixes, or swapped TLDs – may be live right now. Monitoring for these registrations before users encounter them is the earliest possible intervention point.

Malicious Domain Registration and the Infrastructure Behind It

Cloudflare hosted eight of the top ten IP addresses used to serve attack domains. The two busiest Cloudflare addresses each fronted more than 230,000 distinct attack domains. Because Cloudflare operates as a reverse proxy, those addresses identify the shared edge in front of the attack sites rather than the origin servers behind it, which is why a single IP can carry so many domains. The infrastructure findings show that malicious domain registration does not operate in isolation: it sits on a concentrated set of hosting relationships that researchers can now map with precision.

The research represents the most comprehensive structural picture yet of how malicious domain registration is organized at an infrastructure level. By combining VirusTotal flagging, WHOIS registration records, passive DNS data, and the Tranco popularity ranking, the researchers traced the full path from registration through hosting to user-facing attack. The full dataset has been released publicly for security teams and registrars to cross-reference.

What Malicious Domain Registration Reveals About Registrar Accountability

The concentration of malicious domain registration at specific registrars is a structural problem, not just a technical one. ICANN’s registrar accreditation requirements set a baseline, but they do not prevent a registrar from processing thousands of bulk-registered attack domains in a single day. The research does not publicly identify the responsible registrars by name – but the data pattern implies that a small number of providers are either unwilling or unable to detect abuse at the scale now documented.

What makes this particularly striking is that the patterns of malicious domain registration are not subtle. Batch sizes of 2,000 registrations at one provider on one day are detectable algorithmically by any registrar motivated to look. The data suggests that motivation is distributed unevenly across the industry – and that ICANN accreditation is not a sufficient proxy for registrar quality.

Regulatory pressure on registrars has increased through 2026. Earlier coverage of dangling DNS hijacking campaigns showed how quickly misconfigured infrastructure becomes a platform for coordinated attacks. This new research extends that picture considerably: the problem is not only attackers exploiting existing domains, but attackers constructing fresh infrastructure through registrars that ask few questions. Help Net Security’s coverage of this research notes that the full dataset has been released publicly, giving security teams and registrars the data they need to identify abuse patterns in their own systems.

What Domain Owners Should Do Now

This research is primarily about attacker infrastructure, but it has direct practical implications for anyone who operates a website or brand online. The first concern is impersonation: malicious domain registration targeting your brand may already be live. Variants with common misspellings, hyphenated versions, added prefixes, or alternative TLDs are the most frequent attack patterns. Activating WHOIS privacy protection on your existing domain also limits how much of your contact data attackers can mine to build targeting lists.
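The impersonation checks recommended here and in the brand section above (typos, added prefixes, hyphenated forms, swapped TLDs, matched against newly registered domains before users encounter them) are concrete enough to script. The block below is an added example written for this article, not a tool from MonstaDomains or from the study. The prefix list, TLD list, homoglyph table and the newly-registered-domain feed are all assumptions and constructed input; a defender would substitute their own brand, the TLDs they care about, and a real NRD feed. The variant generator goes beyond the text's list by also covering letter omission, transposition, repetition and single-character homoglyph swaps.

```python
"""Lookalike-domain monitoring for a brand.

Added example, not code from MonstaDomains or the arXiv study. Watchlists
below are assumptions; FEED is a constructed newly-registered-domain feed.
"""

# Assumed watchlists; tune for the brand being protected.
PREFIXES = ("login", "secure", "verify", "support", "account", "www")
TLDS = ("com", "net", "top", "cc", "xyz", "info")
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}

# Constructed feed lines (a real NRD feed would be read from a file or API).
FEED = """\
# constructed newly-registered-domain feed
exampel.com
login-example.top
example.cc
examp1e.xyz
example-update-2026.top
unrelated-shop.com
example.com
"""


def split_domain(domain):
    """'example.com' -> ('example', 'com'). Assumes a single-label public
    suffix; a real deployment would use the Public Suffix List for co.uk etc."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typo_labels(label):
    """Omission, adjacent transposition, repetition and homoglyph variants."""
    out = set()
    for i in range(len(label)):                      # one character omitted
        out.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent pair swapped
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):                   # one character doubled
        out.add(label[:i] + ch + ch + label[i + 1:])
    for i, ch in enumerate(label):                   # one homoglyph swap
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    out.discard(label)
    return out


def lookalike_variants(brand_domain):
    """Every monitored variant as a registrable domain, across all TLDS.
    The brand label itself is kept so that TLD swaps (example.cc) are caught;
    the brand's own domain is removed from the result."""
    label, _ = split_domain(brand_domain)
    labels = {label} | typo_labels(label)
    labels |= {f"{p}-{label}" for p in PREFIXES}     # hyphenated prefix
    labels |= {f"{label}-{p}" for p in PREFIXES}     # hyphenated suffix
    labels |= {f"{p}{label}" for p in PREFIXES}      # glued prefix
    variants = {f"{lbl}.{tld}" for lbl in labels for tld in TLDS}
    variants.discard(brand_domain.lower())
    return variants


def match_feed(brand_domain, feed_lines):
    """Check each feed line against the generated variants; fall back to a
    broader 'label contains the brand' heuristic. Returns {domain: reason}."""
    brand_label, _ = split_domain(brand_domain)
    variants = lookalike_variants(brand_domain)
    hits = {}
    for line in feed_lines:
        candidate = line.strip().lower().rstrip(".")
        if not candidate or candidate.startswith("#"):
            continue
        if candidate == brand_domain.lower():        # our own domain
            continue
        if candidate in variants:
            hits[candidate] = "generated-variant"
        elif brand_label in split_domain(candidate)[0]:
            hits[candidate] = "contains-brand-label"
    return hits


if __name__ == "__main__":
    for domain, reason in sorted(match_feed("example.com", FEED.splitlines()).items()):
        print(f"{domain:28} {reason}")
```

Run against the constructed feed for the brand `example.com`, the exact variant set catches the transposition, the prefixed name, the TLD swap and the homoglyph, while the substring fallback catches `example-update-2026.top`, a form no finite prefix list anticipates. The fallback is deliberately second-tier because it also matches benign domains that merely contain the brand string, so the two reasons should be triaged differently.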

The second concern is registrar choice. The research shows that malicious domain registration concentrates sharply at a small set of providers. Hosting your legitimate domain at a registrar that appears frequently in threat intelligence data brings collateral risk: shared IP reputation if that registrar also runs your DNS or hosting, registrar-level reputation signals that some threat feeds use as a scoring feature, and a provider that may be slow to respond when you need help. Choosing a registrar that enforces strict abuse detection and does not cater to bulk-registering clients is now a practical security decision, not just a privacy preference. MonstaDomains does not require identity verification and does not share registration data with third-party WHOIS aggregators or data brokers.

For context on how a single registrar-adjacent vulnerability can cascade into a large-scale attack campaign, the cPanel authentication bypass incident earlier this year is instructive. The pattern repeats: concentrated infrastructure, diffuse victims, and a window of exploitation that threat feeds close too slowly.

The Bottom Line

Malicious domain registration is operating at industrial scale. The 1.5 million domains flagged between January and May 2026 represent coordinated, automated infrastructure – not the work of individual opportunists. It is built on a small number of registrars, a predictable set of TLDs, and a handful of hosting providers. That concentration makes it measurable. Making it stoppable requires registrars to act on signals that are already visible in their own data.

For domain owners, two things follow directly from this research. Your brand may already be the target of malicious domain registration you did not initiate – check for impersonation variants. And your choice of registrar has real security consequences that extend beyond the annual renewal price.

If you want to move your registration to a provider that does not collect personal data or contribute to the WHOIS aggregation databases that researchers and attackers both rely on, MonstaDomains’ private domain registration keeps your details out of the records entirely.
