How Cybercriminals Exploit Cheap Bulk Registrations
The retail domain name industry is fiercely competitive, with registrars vying for customers by offering enticing deals on new domain registrations. To attract new clients, many registrars are willing to operate at a loss for the initial registration, banking on the likelihood of recouping those losses through renewals and additional services. This strategy often works in the long run but creates an environment where new domain names can be sold for as little as a few dollars. For businesses and individuals, this affordability is a benefit—but it comes with unintended consequences.
Cybercriminals exploit this competitive pricing model by registering cheap domains in bulk. These low-cost registrations allow bad actors to amass large quantities of domains with minimal financial risk. They use these domains for malicious purposes, such as launching phishing websites, hosting spam campaigns, or deploying ransomware. Once the domains serve their purpose, they are quickly abandoned, making it difficult for investigators to track the perpetrators. The ease and affordability of bulk registration enable cybercriminals to operate at scale, turning the competitive dynamics of the domain industry into a vulnerability for the broader internet ecosystem.
The Role of Bulk Registrations in Cybercrime
Bulk domain registration is a key tool for cybercriminals, allowing them to register hundreds or thousands of domains at minimal cost. These domains are quickly weaponized for phishing attacks, spam campaigns, and malware distribution. By mimicking legitimate brands or exploiting common misspellings, attackers deceive users and launch large-scale operations with minimal upfront investment. The volume of domains makes it nearly impossible for defenders to track and shut them all down.
Cybercriminals often focus on specific brands or industries to streamline their attacks. For example, they might register domains impersonating banks or cryptocurrency platforms, reusing phishing templates and infrastructure across scams. This targeted approach increases efficiency and amplifies the impact of their campaigns. Industries like finance, healthcare, and retail are especially vulnerable, making the need for robust detection and enforcement critical.
A 2024 study by Interisle Consulting revealed that over 2.6 million domains linked to cybercrime were registered in bulk, a 106% increase from the previous year. In one instance, over 17,000 malicious domains were registered in under eight hours through a single registrar. This ability to acquire and deploy digital infrastructure at such speed allows cybercriminals to outpace enforcement efforts, leaving defenders struggling to keep up.
New gTLDs: How Low Costs and Minimal Checks Fuel Cybercrime
The introduction of new generic TLDs (gTLDs) like .xyz, .top, and .vip was intended to foster innovation and competition in the domain market. However, these TLDs have inadvertently become a haven for cybercriminals. Their appeal lies in their low registration costs—often as little as $1—and minimal verification requirements.
The impact of this trend is staggering. According to Interisle, despite holding only 11% of the global domain market, new gTLDs accounted for 37% of reported cybercrime domains. Certain TLDs, such as .top, have seen as much as 30% of their domains linked to malicious activities. By comparison, legacy TLDs like .com—although widely used—show significantly lower abuse rates.
The low cost and lack of stringent identity verification create an environment where cybercriminals can operate with minimal risk. For them, these domains are disposable tools—cheap to acquire, easy to use, and just as easy to abandon.
New gTLDs can be very cheap, and are even cheaper when purchased in bulk
A Call for Action - Monitor Your Brand
The rise of cheap bulk domain registrations has made it easier than ever for cybercriminals to target businesses and customers with phishing websites, fake stores, and other scams. Australian organisations are especially vulnerable, with trusted industries like banking, healthcare, and retail frequently targeted. Monitoring your brand online is essential to detect and respond to these threats before they cause harm.
By tracking newly registered domains that mimic your business name or trademarks, you can quickly identify suspicious activity and take action. Advanced tools like Unphish provide real-time alerts and enforcement capabilities, helping businesses disrupt attacks and protect their reputation. Stay vigilant—proactively monitoring your brand is the best defence against the growing threat of online impersonation and fraud.
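One way to implement this check, as an added example that is not brandsec's or Unphish's code: it matches a feed of newly registered domains against a brand name (substring, digit-for-letter swaps, small edit distance) and reports registrars with several lookalikes inside an eight-hour window. The brand "examplebank", the feed rows, the thresholds and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: (domain, registrar, UTC creation time). All rows are invented;
# "examplebank" is a hypothetical brand and the registrar names are placeholders.
FEED = [
    ("examplebank-login.top", "Registrar A", "2024-05-01T02:00:00"),
    ("examp1ebank.xyz", "Registrar A", "2024-05-01T02:03:00"),
    ("exampelbank.vip", "Registrar A", "2024-05-01T02:10:00"),
    ("secure-examplebank.top", "Registrar A", "2024-05-01T03:30:00"),
    ("gardening-tips.com", "Registrar B", "2024-05-01T02:05:00"),
    ("examplebank-support.com", "Registrar B", "2024-05-03T09:00:00"),
]
DIGIT_SWAPS = str.maketrans("01345", "oleas")  # undo common digit-for-letter swaps

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def mimics(domain, brand, max_dist=2):
    """True if a hyphen-separated token of the name contains or nearly equals the brand."""
    label = domain.lower().rsplit(".", 1)[0].translate(DIGIT_SWAPS)
    return any(brand in tok or edit_distance(tok, brand) <= max_dist
               for tok in label.split("-"))

def bursts(feed, brand, window=timedelta(hours=8), min_count=3):
    """Map registrar -> lookalike domains when min_count or more fall inside one window."""
    hits = defaultdict(list)
    for domain, registrar, created in feed:
        if mimics(domain, brand):
            hits[registrar].append((datetime.fromisoformat(created), domain))
    report = {}
    for registrar, rows in hits.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            cluster = [d for t, d in rows[i:] if t - start <= window]
            if len(cluster) >= min_count:
                report[registrar] = cluster
                break
    return report

if __name__ == "__main__":
    print(bursts(FEED, "examplebank"))
```

The edit-distance threshold suits long brand strings; for short brand names it should be lowered to avoid matching unrelated words.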
brandsec's Unphish Platform is Fighting Back
At brandsec, we understand the growing threat posed by bulk registrations and cheap TLDs. Unphish, our monitoring and enforcement platform, is designed to detect registration patterns, such as bulk registrations targeting specific brands or industries, and we can mitigate these threats at scale. However, the fight against domain abuse isn’t just about technology—it’s about collaboration. By working with registrars and enforcement agencies, we aim to remove malicious domain names in bulk, in the same way bad actors register them.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.