
Why the New gTLD Program Matters for Cybersecurity
For those of us working in cyber security, domain abuse is not an abstract policy discussion. It is an operational reality. Every phishing campaign, fake store, impersonation scam, or malware delivery chain starts with infrastructure, and domain names remain one of the cheapest and most flexible components attackers can acquire.
With ICANN preparing to launch the next new gTLD program, it is worth stepping back and asking a simple question: what has the last decade actually taught us about abuse in the DNS?
The answer, backed by both data and experience, is that not all new gTLDs behave the same, and that distinction matters far more than the headline number of strings added to the root.
Two very different types of new gTLDs
In practice, new gTLDs fall into two broad categories:
1. The first are closed brand gTLDs. These are namespaces operated by a single organisation for its own use, with strict governance, tight access controls, and clear accountability. From an abuse perspective, they are almost invisible. The DNS Research Federation’s 2025 analysis found zero reported abuse in Brand TLDs within its dataset, reinforcing what many practitioners see operationally (DNS Research Federation, New gTLD Abuse Analysis, 2025).
2. The second category consists of retail, open-registration new gTLDs. These are the generic extensions anyone can buy, often marketed aggressively, frequently discounted, and usually subject to minimal eligibility or identity requirements. This is where abuse concentrates.
This distinction is important. Where a namespace is closed and governed, abuse doesn’t exist. Where it is open, cheap and easily accessible, abuse can be rampant.
The scale of expansion, and why it matters
Before the 2012 new gTLD program, the DNS contained just 22 generic top-level domains. Today, there are more than 1,200 new gTLDs delegated into the root zone (IANA Root Zone Database).
Between 2013 and 2017, the DNS experienced an unprecedented surge in new top-level domain delegations.
As shown in the chart below, more than 1,100 new gTLDs were delegated into the root zone in just four years, with the peak occurring between 2014 and 2016, when several hundred new extensions were launched annually. This was not a gradual expansion of the namespace; it was a compressed, high-volume release that fundamentally changed the attack surface of the internet.
When plotted over time, the data resembles a tsunami of new domain names entering the ecosystem in rapid succession, and for those responsible for domain management, brand protection, and abuse response at the time, that is exactly how it felt. Monitoring requirements, defensive registrations, and enforcement workloads scaled almost overnight, while attacker adoption quickly followed the same curve.
Given the structure and incentives of the next application round, a similar delegation pattern is likely. Commercial registries will move quickly to bring new strings to market, compressing years of namespace growth into a short window. If past cycles are a guide, 2027–2028 will represent a renewed inflection point for domain expansion, with corresponding implications for brand protection, monitoring workloads, and abuse response capacity.
Today's new gTLD volumes
nTLDStats aggregates daily registration data across all delegated new generic top-level domains, providing a snapshot of total volume, growth trends, and market concentration. As shown above, total new gTLD registrations sit at approximately 46 million domains, with overall volumes remaining relatively flat, reflecting a mature, replacement-driven market rather than sustained organic growth.
The distribution is highly concentrated. A small number of extensions account for a disproportionate share of registrations, with .xyz and .top alone representing more than 35% of all new gTLD domains. The top 10 extensions account for the majority of the namespace, while hundreds of other gTLDs sit in the long tail with comparatively low registration volumes.
Open new gTLDs are more likely to be used as attack vectors
Several independent measurement efforts have tried to answer the same question: how often does abuse occur in different parts of the DNS when you normalise for size?
A 2025 analysis by the DNS Research Federation provides one of the clearest comparisons. Using reported abuse signals normalised against total registrations, it found:
- Legacy gTLDs: ~0.019% reported abuse
- ccTLDs: ~0.024% reported abuse
- New gTLDs: ~0.618% reported abuse
When adjusted for volume, domains registered in new gTLDs were roughly 25-30 times more likely to be associated with reported abuse than domains in legacy or country-code namespaces.
DNSRF also breaks new gTLDs down by category. Brand and closed TLDs show effectively zero abuse, while open, generic retail gTLDs drive the elevated averages.
Price, low friction, and attacker economics
Across a decade of reporting from academic researchers, threat-intelligence teams, and anti-abuse organisations, one pattern repeats: attackers optimise for cost and throughput.
Interisle Consulting’s research, presented to ICANN’s Governmental Advisory Committee, shows that the most-abused TLDs are consistently among the cheapest to register, often priced at USD 1-2 or promoted aggressively. The research revealed that over 2.6 million domains linked to cybercrime were registered in bulk, a 106% increase from the previous year. In one instance, over 17,000 malicious domains were registered in under eight hours through a single registrar. This ability to acquire and deploy digital infrastructure at such speed allows cybercriminals to outpace enforcement efforts, leaving defenders struggling to keep up.
Krebs on Security reaches a similar conclusion, noting that phishers gravitate toward new gTLDs such as .shop, .top, and .xyz because of rock-bottom prices and minimal registration requirements (Krebs on Security, “Why Phishers Love New TLDs Like .shop, .top and .xyz”, Dec 2024).
Unit 42’s analysis shows that a small subset of (cheap) TLDs accounts for the majority of malicious domains, and that TLD-level reputation can be a useful detection signal when applied carefully. Similar conclusions appear in Spamhaus and DuoCircle reporting, which identify recurring “high-risk” TLDs year after year (DuoCircle, “Prime TLDs Targeted by Cyber Attackers”, 2024).
DNS abuse is primarily a matter of economics for attackers. When domains cost almost nothing, they will be registered and deployed for malicious purposes. We have discussed this in more detail in our blog: “Bulk Domain Registrations: How Criminals Exploit Cheap Domains”
The .xyz example, what it tells us and what it doesn’t
The .xyz TLD is often cited in abuse discussions and is useful precisely because it illustrates how incentives shape outcomes.
In its early launch phase, .xyz registrations surged following ultra-low-cost and free promotions, including a widely reported Network Solutions opt-out free-domain campaign, which caused registrations to spike by thousands per day.
Around the same time, the APWG Global Phishing Survey (2H 2014) found that almost two-thirds of phishing domains observed in new gTLDs were in .xyz, with the majority of maliciously registered new-gTLD phishing domains concentrated there.
More recent datasets continue to show .xyz prominently in abuse reporting, particularly for spam and scam activity (Unit 42, Top-Level Domains Used for Cybercrime).
It would be inaccurate to claim that one promotion “caused” all abuse in .xyz. What the evidence supports is more nuanced: flooding the market with low-cost, low-friction registrations creates conditions attackers reliably exploit.
Low Usage Density, Increased Cyber Risk
Research by Veronika Vilgis (2022) shows that registration volume in new gTLDs is a weak proxy for real adoption. While extensions such as .xyz, .online and .top dominate by raw registration numbers, a much smaller proportion of those domains resolve to active websites.
As illustrated in the graph above, once parked pages and placeholders are excluded, genuine usage drops significantly. Several heavily registered gTLDs fall into low double-digit or even single-digit percentages of active sites, with extensions such as .cyou, .icu and .buzz showing particularly low levels of meaningful use. By contrast, gTLDs with fewer registrations, including .dev, .club and .tech, demonstrate higher activity and stronger traffic signals.
From a cybersecurity perspective, this low usage density creates a signal-to-noise problem. Large namespaces with minimal legitimate activity reduce the effectiveness of reputation-based controls, allowing phishing and impersonation infrastructure to blend into a background of dormant domains. The research underscores a critical point for defenders: many retail new gTLDs function less as active digital ecosystems and more as pools of largely unused registrations, conditions that increase monitoring complexity and elevate abuse risk as the namespace continues to expand.
Where defenders feel the strain
Operationally, the impact is predictable. Low-cost domain churn overwhelms manual review. Registrar and registry responsiveness varies widely, adding delay to takedowns. Hosting and CDN layers span jurisdictions, complicating escalation. Email and web gateways struggle to incorporate TLD reputation without creating false positives.
These issues have been documented repeatedly in practitioner reporting and threat-intel analysis over the last decade (Spamhaus, Domain Reputation Reports).
What might change in the next round
Some things are better than they were in 2012. ICANN’s DNS Abuse framework is more mature, DAAR provides a baseline for reporting, and registry-level safeguards are more widely discussed.
But incentives have not changed. Attackers will continue to follow price and friction. Enforcement will remain uneven. Abuse will still concentrate where domains are cheap and easy to obtain.
For defenders, that means planning for continuity rather than transformation.
Practical preparation, what actually helps
Over the past decade, certain defensive approaches have consistently proven effective. Monitoring high-risk retail gTLDs, integrating TLD reputation as one signal among many, tracking Certificate Transparency logs, and using passive DNS all reduce detection latency.
Brand and keyword monitoring remains essential, particularly in open new gTLDs. Enrolling trademarks in the Trademark Clearinghouse provides baseline protection and access to blocking mechanisms.
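One way to treat TLD reputation as one signal among many when triaging hostnames from a Certificate Transparency or passive DNS feed, sketched as an added example that is not brandsec's own tooling. The brand keyword, weights, alert threshold and sample hostnames are assumptions; the TLD prior is derived from the DNSRF abuse rates quoted earlier.

```python
import math
from difflib import SequenceMatcher

# Reported-abuse rates (percent of registrations) quoted on this page from DNSRF 2025.
ABUSE_RATE_PCT = {"legacy": 0.019, "cctld": 0.024, "new_gtld": 0.618}
# Assumption: subset of pre-2012 gTLDs; real code would load the IANA root zone list.
LEGACY_GTLDS = {"com", "net", "org", "info", "biz"}
BRANDS = ("examplebank",)   # hypothetical monitored brand keyword
ALERT_THRESHOLD = 3.0       # assumed; tune against your own labelled data

def tld_class(hostname):
    tld = hostname.lower().rstrip(".").rsplit(".", 1)[-1]
    if tld in LEGACY_GTLDS:
        return "legacy"
    return "cctld" if len(tld) == 2 else "new_gtld"

def tld_prior(hostname):
    """log10 of how much more often this TLD class is reported than legacy gTLDs."""
    rate = ABUSE_RATE_PCT[tld_class(hostname)]
    return math.log10(rate / ABUSE_RATE_PCT["legacy"])

def brand_hit(hostname):
    """True if a dot- or hyphen-separated token contains or closely resembles a brand."""
    labels = hostname.lower().rstrip(".").split(".")[:-1]
    tokens = [t for label in labels for t in label.split("-") if t]
    return any(b in t or SequenceMatcher(None, t, b).ratio() >= 0.9
               for t in tokens for b in BRANDS)

def score(hostname, age_days):
    """Sum independent signals; no single signal reaches the alert threshold alone."""
    s = tld_prior(hostname)                    # about 1.51 for a new gTLD
    s += 2.0 if brand_hit(hostname) else 0.0   # brand keyword or lookalike
    s += 1.0 if age_days <= 7 else 0.0         # newly registered
    return round(s, 2)

def triage(observations):
    scored = [(h, score(h, age)) for h, age in observations]
    return [(h, s) for h, s in scored if s >= ALERT_THRESHOLD]

# Constructed sample: (hostname from a CT log or passive DNS feed, domain age in days)
SAMPLE = [("weekend-photos.xyz", 3), ("examplebank-login.top", 1),
          ("secure.examp1ebank.shop", 400), ("examplebank.com", 6000),
          ("examplebank-support.com", 2), ("portal.example.de", 2)]

if __name__ == "__main__":
    for host, s in triage(SAMPLE):
        print(f"{s:5.2f}  {host}")
```

A fresh, unrelated .xyz name scores 2.51 and stays below the threshold, which is the false-positive case gateways hit when they block on TLD alone.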
New registry-level blocking mechanisms, such as GlobalBlock, are designed to scale alongside the expansion of the DNS by preventing the registration of exact-match and confusingly similar brand terms across a growing number of new gTLDs. By constraining abuse at the point of registration, these controls materially reduce the opportunity for bad actors to weaponise newly delegated namespaces. As the domain ecosystem continues to expand, registry-level blocking is likely to become a foundational defensive control for brand owners, rather than an optional add-on.
What the last decade really taught us
After 13 years of data and lived experience, the conclusion is not that new gTLDs are inherently unsafe. It is that open, low-cost, lightly governed namespaces predictably attract abuse, while closed, well-governed namespaces do not.
As ICANN moves toward the next new gTLD round, this distinction should not be ignored. For security teams, the task is not to fear expansion, but to understand where risk concentrates, why it does so, and how to respond efficiently.
The patterns are no longer emerging. They are well established. The real question is whether we apply what we have already learned.
Edward Seaford
Product & Enforcement Director
Ed brings over two decades of experience in domain management, brand protection, and phishing defence. At Brandsec and Unphish, he drives the technology and partnerships while leading with a people-first approach.


