Bulk Domain Registrations:
How Criminals Exploit Cheap Domains
How Cybercriminals Exploit Cheap Bulk Registrations
The retail domain name industry is fiercely competitive, with registrars vying for customers by offering enticing deals on new domain registrations. To attract new clients, many registrars are willing to operate at a loss for the initial registration, banking on the likelihood of recouping those losses through renewals and additional services. This strategy often works in the long run but creates an environment where new domain names can be sold for as little as a few dollars. For businesses and individuals, this affordability is a benefit – but it comes with unintended consequences.
Cybercriminals exploit this competitive pricing model by registering cheap domains in bulk. These low-cost registrations allow bad actors to amass large quantities of domains with minimal financial risk. They use these domains for malicious purposes, such as:
Phishing Sites and Fake Stores
Cheap domains are often used to set up phishing sites that impersonate banks, retailers, and government agencies. Attackers can register hundreds of lookalike domains and rotate through them as older ones are shut down. This volume keeps their scams alive for longer.
Malware Distribution
Criminal groups also use bulk registrations to spin up disposable domains that deliver malware. Because these domains are newly registered, they may not yet appear on threat intelligence blacklists, giving attackers a short but valuable window to infect unsuspecting users.
Bypassing Detection with Scale
The real danger comes from scale. With access to domain resellers offering registrations for a few dollars each, bad actors can flood the internet with malicious domains. If one is taken down, dozens more are already waiting in the wings.
Once the domains serve their purpose, they are quickly abandoned, making it difficult for investigators to track the perpetrators. The ease and affordability of bulk registration enable cybercriminals to operate at scale, turning the competitive dynamics of the domain industry into a vulnerability for the broader internet ecosystem.
The Role of Bulk Registrations in Cybercrime
Bulk domain registration is a key tool for cybercriminals, allowing them to register hundreds or thousands of domains at minimal cost. These domains are quickly weaponized for phishing attacks, spam campaigns, and malware distribution. By mimicking legitimate brands or exploiting common misspellings, attackers deceive users and launch large-scale operations with minimal upfront investment. The volume of domains makes it nearly impossible for defenders to track and shut them all down.
Cybercriminals often focus on specific brands or industries to streamline their attacks. For example, they might register domains impersonating banks or cryptocurrency platforms, reusing phishing templates and infrastructure across scams. This targeted approach increases efficiency and amplifies the impact of their campaigns. Industries like finance, healthcare, and retail are especially vulnerable, making the need for robust detection and enforcement critical.
A 2024 study by Interisle Consulting revealed that over 2.6 million domains linked to cybercrime were registered in bulk, a 106% increase from the previous year. In one instance, over 17,000 malicious domains were registered in under eight hours through a single registrar. This ability to acquire and deploy digital infrastructure at such speed allows cybercriminals to outpace enforcement efforts, leaving defenders struggling to keep up.
New gTLDs: How Low Costs and Minimal Checks Fuel Cybercrime
The introduction of new generic TLDs (gTLDs) like .xyz, .top, and .vip was intended to foster innovation and competition in the domain market. However, these TLDs have inadvertently become a haven for cybercriminals. Their appeal lies in their low registration costs—often as little as $1—and minimal verification requirements.
The impact of this trend is staggering. According to Interisle, despite holding only 11% of the global domain market, new gTLDs accounted for 37% of reported cybercrime domains. Certain TLDs, such as .top, have seen as much as 30% of their domains linked to malicious activities. By comparison, legacy TLDs like .com—although widely used—show significantly lower abuse rates.
The low cost and lack of stringent identity verification create an environment where cybercriminals can operate with minimal risk. For them, these domains are disposable tools—cheap to acquire, easy to use, and just as easy to abandon.
New gTLDs can be very cheap, and are even cheaper when purchased in bulk
How to Protect Against Bulk Registration Targted Attacks
Monitor your Brand
The rise of cheap bulk domain registrations has made it easier than ever for cybercriminals to target businesses and customers with phishing websites, fake online stores, and other scams. Australian organisations are especially vulnerable, with trusted industries like banking, healthcare, and retail frequently targeted. Monitoring your brand online is essential to detect and respond to these threats before they cause harm.
By tracking newly registered domains that mimic your business name or trademarks, you can quickly identify suspicious activity and take action. Advanced tools like Unphish provide real-time alerts and enforcement capabilities, helping businesses disrupt attacks and protect their reputation. Stay vigilant, proactively monitoring your brand is the best defence against the growing threat of online impersonation and fraud.
Respond Quickly with Takedowns
Speed matters. The quicker a phishing or fake site is removed, the less impact it has on customers and brand reputation. An online enforcement partner will have inroads to the major platforms to expedited the takedown of malicious domain names, socials and content,
Educate Customers
Make your customers aware of official domains and communication channels so they are less likely to fall victim to impersonation attempts. Sites like Scam Report can help consumers discern between legitimate emails, text messages and websites.
brandsec's Unphish Platform is Fighting Back
At brandsec, we understand the growing threat posed by bulk registrations and cheap TLDs. Unphish, our monitoring & enforcement platform is designed to detect registration patterns, such a bulk registrations targeting specific brands or industries, and we can mitigate these threats at scale; however, the fight against domain abuse isn’t just about technology—it’s about collaboration. By working with registrars, and enforcement agencies, we aim to remove malicious domain names in bulk, in the same way bad actors register them.
Remove Phishing Content Quickly and Effortlessly with Unphish
Don’t wait for the next phishing attack. Request your Unphish demo now.
About brandsec
brandsec is a team of highly experienced domain name management and online brand protection experts. We provide corporate domain name management and brand enforcement services, helping brands eliminate phishing platforms across the internet. Supporting some of the largest brands in the region, we offer innovative solutions to combat threats across multiple industries.
