You can refer to previous full reports (such as Phishing Landscape 2025) for more details about our methodology and definitions of terms.

In the previous post, we looked at the key results and compared them to those of the previous year.

In this post we look at the growth of phishing each quarter since our first (2020) Phishing Landscape report – both the number of phishing attacks and the number of domains used for phishing.

In the next post in this series, we’ll look at how the different types of TLDs are affected by phishing.

In this first post in the series, we look at the key results and compare them to those of the previous year.

Refer to previous full reports (such as Phishing Landscape 2025) for more details about our methodology and definitions of terms.

Certain registrars want the policy left as it is. Others want the 15 days shortened and used as an anti-abuse measure. Yet others question whether tightening email verification would reduce DNS abuse. Some community members propose that registrars should only be allowed to activate domains once email verification is complete. (I can only imagine the registrar reaction…)

ICANN is caught in a “failing to see the forest for the trees” situation: neither the findings nor the proposals address the real registrant verification issue.

Your verification succeeded but it didn’t prove identity

Verification is a method for establishing authenticity or integrity of a (user) identity, and in the domain registration context, the identity of a registrant. As formulated in the article, the question under debate assumes that email is a method that authenticates a registrant.

An email address verificaton is not proof of identity: it’s a confirmation of control of an email inbox. It only proves that someone (or automation) has access to that inbox at that moment.

Email verification: contact validation, nothing more

Email verification can confirm that you reached out to a party or automation that controls an inbox and you received a response. That’s “contact-ability”.

Contact-ability is arguably the lowest bar you can set for any form of confirmation. It’s commonly used in “Email Before Download” arrangements to limit or track access to published content. It’s cheap to implement, scales well, but no cybersecurity professional would consider this an effective authentication method.

The limitations of email address verification are numerous

An email address cannot be undeniably associated with a natural person (or organization). There is an exception case - when cryptographic signatures provide non-repudiable proof of origin - but the general public and domain registrars do not typically use secure email (e.g., S/MIME, PGP).

No authority or government has established proof of identity criteria that must be met for its issuance of an email address. Anyone can create one or dozens of email addresses, free of charge. You don’t need proof of age, residence (nexus), incorporation, business presence or any legitimate evidence that the registrant is who they say they are.

Temporary, disposable, or alias emails erode what little verification value one might attribute to an email address. Many email services offer temporary or disposable email addresses. These are purposely used for anonymity or deception, or as part of legitimate criminal investigations (undercover work).

What cybersecurity professionals and investigators say about email verification

We asked prominent criminal investigators to share how they use email addresses and unsurprisingly, they exploit the ability to create an unverifiable but acceptable persona. One investigator shared that:

“As part of our research, I register accounts on hundreds of crypto investment scam websites a week. I own 20-ish domains and have a catch-all on all of them so that any email on any of the domains gets forwarded to my single webmail account that I share with my analysts… I have used thousands or possibly tens of thousands of emails to “Validate” myself on a huge variety of accounts.”

A cybersecurity colleague spoke to us about an investigation performed for a client into the use of free or temporary email addresses as usernames for accounts that were subsequently used for malicious activities (phishing, service misuse):

“We helped [them] map out a few hundred ‘free mail’ and ‘tempmail’ services that worked just like that. They found tens of thousands of accounts that were registered and ‘validated’ using emails of that type, and various researchers have collected them into “block lists” (my favorite currently has 6,933 domains that are known to be (or to have been) temporary email domains. Sadly, @gmail.com is just as easy based on the proliferation of captcha solving services, both AI-based and human-based.“

The last observation is significant.

Automation or AI can respond to verification emails. A script or an AI agent can search for confirmation emails (by origin, for example). By coding or instructing the AI to parse the content as a human recipient would, they can generate the necessary response.

Finally, an email confirmation is an “instance in time” response. You cannot know if the party that uses an email address today is the same party that used that email account at the time when the registration account was created (or any time between). Cybercriminals have hijacked IP address blocks by re-registering expired domain names to create email addresses used as contact information for delegated IP address blocks. Attackers can also identify a high-value domain name, look up the historical registrant email address, register the domain of that email address, and attempt a password reset to hijack a domain registration account.

Takeaway

ICANN shouldn’t burden an already exhaustingly long policy development process with debates over the existing and flawed verification method, but instead should concentrate attention on a uniform and effective registrant authentication method. Quoting one of our frustrated public safety community members and first responder:

“Investigators and criminals have known that email verification is a farce for years … do some honest verification work”.

What contributes to successful romance scams?

As described earlier in this series, “pig-butchering” (from the Chinese “sha zhu pan”) involves contacting a potential victim through an engineered chance encounter and developing a long-term emotional bond with them. Once scammers are confident of this bond, they convince the victim to invest in a cryptocurrency, which is typically a fake crypto platform. They hook the victim with an initial profitable investment, then encourage the victim to invest again and again. The scammers abandon the victim and shut down their fake crypto exchange once the victim indicates that they have nothing more to invest.

How are these scams both successful and scalable?

The answer partly involves classic social engineering, but another significant part involves the way people communicate in the modern age. Digital communications change the nature of relationship building significantly, offering a path through physical, social, and psychological barriers. Online relationship building promises the user a preferred amount of anonymity, which reduces the fear of judgment or rejection. They also allow users to choose and modify their profile to match the appearance they wish to display. They’re also advantageous in the sense that they create an avenue to cultivate relationships for people with little free time.

Additionally, online romance scams have spread rapidly alongside the development of social media and dating apps. These apps offer the opportunity to find your “perfect match” that are backed by scientific algorithms and match users based on common values, interests, geography, and other preferences.

According to a 2024 survey conducted in the U.S., 53% of male online dating service users reported being a victim of a romance scam. Nearly the same percentage of women (47%) identified as victims. These numbers will only continue to evolve alongside social media and dating apps unless major steps are taken to first educate the public on these campaigns, create more effective and expedient avenues for remediation, and most importantly, stop the crime at its source.

While these are revolutionary and sometimes positive changes to the dating world, they also present a new pathway for criminality. Scammers lure in victims with three dynamics that are extremely attractive for the target.

Through fictitious profiles, scammers can develop relationships with their victims over the course of 6-8 months, build a deep emotional bond, and extort money through subtle manipulation. As we touched on in part three of our series, the ideal victim is one who both craves emotional connection and is thus more vulnerable to persuasion. In this state, their judgment is impaired by the notion that someone is attracted to them and craves their company.

The prevailing attitude surrounding scams of this nature is that they are easily avoided through common sense. But the reality is that these schemes are built upon subversion and deception, along with appropriately vulnerable targets.

Scammers rely on long-term psychological manipulation to build false emotional trust with victims as their first step. The scheme involves building unearned trust over weeks and months of casual, seemingly harmless conversations that create the illusion of daily life, hobbies, and family to establish themselves as friends or romantic partners to victims. They fabricate identities using attractive photos displaying luxurious lifestyles in order to appear successful, stable, and, most importantly, legitimate.

Scammers also benefit from the relatively nascent state of cryptocurrency and are able to exploit the lack of familiarity that their targets have with it. This is important because the whole scam hinges on the scammer’s ability to create a convincing—but remember, fake—crypto exchange site. They are only successful because they create a convincing persona and a platform to operate.

Staging the Investment

Once the victim’s guard is sufficiently lowered, the scammer will initiate a test run. They broach the subject of their recent financial success casually, crediting a new and lucrative platform for almost as an afterthought. Since the scammers have established the illusion of this success with a myriad of pictures, this tricks the victims into believing the platform is legitimate. It worked for their new friend or partner, so… why not try it?

There are two important things to call out here:

These Crypto Sites Are Always Fake. Crypto platforms have emerged rapidly in the last decade. Fake sites are typically very convincing impersonations of legit sites. In December 2025, the US Securities and Exchange Commission filed charges against several fake crypto exchanges, including Berge Blockchain Technology Co. Ltd. An archive.org copy of the fake exchange hosted at bergev[.]org illustrates how convincing fake exchanges are. [Note: Berge was eventually shut down by the US SEC.]

One way to establish exchange legitimacy is to verify their compliance with government regulation. Datavisor provides a list of fake crypto exchanges and explains how to avoid them. The list is helpful but the advice, more so.

The Scheme Hinges on the Victim’s Decision. Importantly, the scammer will never directly push the victim to get into crypto. What they do instead is dangle the illusion of success in front of them until the offer is too tempting not to take. In this way, they avoid suspicion, because after all, they never forced you to do anything.

The initial investment that a victim makes will often yield a fast and high return. In isolation, this should normally be another tip-off to the victim, but when reinforced by the established relationship with the scammer, it instead draws them in deeper.

How Criminals Sustain the Bleeding

As the scheme progresses, the scammer shifts from relationship-building to siphoning money without raising suspicion. The scammers shift away from conventional social media or dating apps to encrypted messaging platforms, such as WhatsApp, Telegram, or WeChat. Criminals may also avoid live interaction, declining live video calls by blaming camera malfunctions, illness, bad hair day, pimples, or sudden emergencies as their cover. They will also decline meetups in real life and often engineer the victim’s desire to draw out more money from them.

At the same time that they avoid being discovered as frauds, the scammers will coach the victim through more fake investments. They will direct the victim towards the investments that have the best return (remember, these are fake) and encourage them when the returns aren’t as fruitful as the first one. If a victim’s bank or crypto exchange flags a transaction, the scammer will teach them how to lie about the purpose of the transfer. If a victim is slow to invest or starts to pull back, the scammer will turn around with a sudden reason why their relationship can’t continue without the investment. In this way, they hold both the farcical relationship and the victim hostage.

The Rug-Pull

In the final phase of the scam, the scammer closes the fake investment platform, blocks the victim, and disappears with all the deposited funds. This often occurs when the victim has spent all their life savings or their pension and is now anxiously awaiting the promised returns.

When the victim attempts to withdraw their money, the fake platform may freeze their account unexpectedly. Attempts to visit the fake site may result in “temporarily unavailable” or other web server errors. The platform may demand an upfront payment of taxes, security deposits, or withdrawal fees. This is another bleed. These sums are usually smaller than the total that the victim has on the platform, to seem like a small obstacle to overcome for the rest of the money. Frustrating, but manageable – or so the victim believes. However, when the victim pays these abrupt fees, the money still won’t come. In fact, there’s another hindrance that requires more money to unlock their funds.

Eventually, when the victim is out of money or realizes they’re being scammed, the scammers disable the website or app, disconnect their phone numbers, and vanish with the stolen cryptocurrency.

Because the victim willingly purchased and transferred the cryptocurrency to the scammers, recovering the funds is incredibly difficult. The victim is left with catastrophic financial losses, deep emotional trauma, and worst of all, no sympathy from their friends and family.

Beyond the Rug Pull: Be Wary of Recovery Scammers!

Recovery scammers target individuals who have already lost money to fraud, offering to recover stolen funds or secure a refund for an upfront fee. Often referred to as “recovery rooms” or advance fee fraud, these scams are a double-victimization where the perpetrators disappear with the new fees.

Takeaways

Romance scams are widespread. The scammers create plausible and attractive lures and authentic looking crypto exchange impersonation sites. They will bleed a victim to financial ruin.

From the Editor

If you’ve enjoyed the Pig-Butchering series, or if you’ve found it informative, please share (begin with Part 1, Part 2, Part 3).

But… more importantly! Warn your friends, colleagues, and family to be wary of any “chance encounters”, people who flaunt their earnings (overt or subtle) in social media or direct messaging apps and be skeptical of anyone who promises to help you lead a lucrative lifestyle if you’ll invest in cryptocurrency. And should someone you know fall victim to a romance scam, warn them to be wary of anyone who offers to help them recover their losses.

Use the special offer endromancscams to
receive 40% off any subscription!

Karen’s representation to the GAC follows:

Good morning. I’m Karen Rose of Interisle Consulting Group. I’m pleased to have the opportunity to share with you some findings from our most recent study.

Our work examined malicious domain name registrations made in 2025 in the gTLDs.

I’ll focus on two questions our research looked at: 1) how much cybercriminal demand drove new domain registrations last year, and 2) whether market incentives allow that demand to persist.

We used publicly and commercially available data for our research, including blocklists and domain registration data – and you can find our full methodology in our report.

Overall, our findings were sobering. We estimate that bad actors purchased 16.8 million gTLD domain names last year — That’s about 20 percent of all new registrations sold.

Put another way, as many as 1 out of every 5 domain names may have been purchased by bad actors to perpetrate phishing, malware, scams and other harmful attacks.

Imagine another industry where 1 out of every 5 products sold was being used to facilitate fraud, theft, or other serious crimes.

Few governments would consider that ordinary misuse. Policymakers would ask whether the rules, safeguards, and accountability mechanisms in that market were adequate to the scale of the problem – and if those measures were sufficiently protecting the public interest.

I think those same questions are relevant to DNS abuse policy discussions here, for the whole ICANN community.

Our study also found that abuse is highly concentrated among certain providers.

We found numerous registries and registrars where over half of all their registrations appeared to be purchased by bad actors.

At one registrar, 88 percent of its registrations were identified as malicious.

In one TLD we examined, nearly all of its registrations – some 100,000 – were associated with FUNNULL – a cybercriminal gang that powered scam farms across Southeast Asia.

Why does abuse exist at this scale? Economics and distorted incentives play a role.

Cybercriminals create sustained demand for domain names. They are high-volume, repeat buyers. And they buy millions of domains each year.

Fierce competition in the gTLD market has driven prices and profit margins down. Sales volume matters. Registrars provide tools that facilitate easy bulk registrations.

Some registries and registrars appear to derive commercial benefits from satisfying cybercriminal demand. Even when malicious registrations generate little revenue, tolerating abuse can still be commercially rational — especially when there are no obligations to prevent it.

While cybercriminals and some in the market may benefit from these transactions, the costs of cybercrime facilitated by domain abuse fall on victims, businesses, governments, and society at large.

In economic terms, this is a classic negative externality – a form of market failure that undermines the very benefits of competition.

Taken together, these findings make it hard to treat current levels of abuse as acceptable.

Importantly, our study also shows that abuse at this scale is not inevitable. Some registries and registrars managed to grow last year without attracting outsized levels of abuse, showing that provider practices and abuse choices make a difference.

And our case studies show that associated domain name checks can be a helpful mitigation step.

But we also need effective steps beyond mitigation. Steps that focus more on abuse prevention – and reducing the ability of bad actors to acquire domains in the first place.

This is especially urgent as ICANN prepares for the next round of new gTLDs. The introduction of new TLDs will further intensify competition and risks perpetuating current distortions in the market.

Measurably reducing DNS abuse needs to be our ultimate goal.

We look forward to engaging with the GAC and the community going forward.

Interisle appreciates the active engagement of the GAC and its members on domain name abuse issues and thanks the committee for the invitation to contribute our findings and analysis to this important discussion.

Here we look at cybercrime activity for the month of May 2026. We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks.

Overall numbers

The May results showed a 27% increase in overall phishing reported compared to April.

Spam reported in May increased 35% compared to April.

While malware reported in May decreased 17% compared to April, it still represents an 11% increase over the monthly average for the 12 -month period.

Phishing

Spam

Malware

The majority of malware reports from our feeds cite IP addresses rather than domain names.

There continues to be churn in the choice of ASNs that appear to be used for malware activity. Ten ASNs showed reduced malware (-4% to -36%) while ten ASNs showed increased malware (+7% to +120%).

Be Prepared

Check out the lists above and the tables of the worst TLDs, gTLD registrars, and hosting networks (ASNs) at the most recent Phishing Activity, Malware Activity, and Spam Activity pages to determine which represent the most risk to your organization. Network staff might consider blocking TLDs and ASNs that appear in our Phishing, Malware, and Spam “Favorites” tables to protect against inadvertent access to content that could result in harm, making exceptions only where there is a clear business case.

Quarterly Results

The quarterly spam results for March to May 2026 will be published on the Spam Activity page at the Cybercrime Information Center.

In today’s article, we explore the psychology behind romance scams, particularly the ones driven toward pig butchering. We’ll look at tactics commonly used in these schemes - grooming, urgent crises, or “sunk cost fallacy” - to keep victims invested emotionally and financially.

Psychological Tactics of Criminals

The playbook for romance scams is simultaneously nefarious on the part of the criminal and devastating on the part of the victim. Romance scammers typically employ these tactics:

• Love Bombing[1]: Scammers overwhelm their victims with affection and constant communication. This is intended to speed up the relationship and bait the hook.

• Grooming and Trust Building[2]: Scammers invest significant time (sometimes months) to build trust, adapting their false persona to the victim’s desires.

• Target (Victim) Isolation¹: Scammers will attempt to estrange victims from friends and family. This makes the victim more vulnerable and reliant on the scammer.

• Urgency and Crisis[3][4]: Scammers fabricate emergencies (medical bills, travel costs, visa issues) that require immediate financial help.

• Sunk Cost Fallacy: Victims invest more money, time, and affection to justify the initial investment, or mitigate the loss.

  Psychological Vulnerabilities of Victims

  In addition to the psychological patterns of the criminal, it’s important to characterize the psychology used against the the victims[5]:

  • Loneliness and Grief: People who are newly widowed or isolated are prime targets: their emotional state increases their susceptibility to persuasion.

  • High Need for Affection: Victims are often vulnerable to the kind of affection that a scammer will overwhelm them with. They are desperate for a romantic connection, making them easy to groom.

  • Impulsivity and Sensitivity Seeking: People with impulsive tendencies may jump on opportunities quickly, whether for financial gain or romantic connection. They often fail to verify the identity of the person they are interacting with.

  • Idealized Romance: Individuals who idealize potential partners or believe in “soulmates” are more easily manipulated.

  Role of Technology and AI

  Criminal enterprises benefit from emerging technologies as much as legitimate enterprises do.

  

  Psychological Influence is Present in Every Phase of the Scam

  In our second article[6], we cover the step-by-step mechanics of the scam. here, we’ll examine how scammers apply psychology in each phase of a romance scam. Unlike other mass-marketing fraud victims, these victims experienced a ‘double hit’ of the scam: a financial loss and the loss of a relationship. For most, the loss of the relationship was more upsetting than their financial losses. Most victims are left inconsolable in the aftermath, which is compounded by a lack of understanding from friends and family due to the stigma surrounding victims of fraud.

  Below, we break down each of those phases and look deeper into the psychology behind them:

  

  Takeaway

  Pig Butchering scams merge the deep emotional manipulation of romance scams with the mechanics of fraudulent investment platforms. While traditional romance scammers ask for direct financial help, pig butchering scammers manipulate victims into believing they are building a wealthy future together.

  In the next article, we’ll dive deeper into how and why crypto scams work so well.

[1] https://health.clevelandclinic.org/love-bombing

[2] https://pmc.ncbi.nlm.nih.gov/articles/PMC5806049/

[3] https://www.heraldopenaccess.us/openaccess/romance-scams-and-older-adults-a-health-and-social-care-perspective

[4] https://academic.oup.com/cybersecurity/article/12/1/tyag003/8449214

[5] https://www.sciencedirect.com/org/science/article/pii/S1745017920000183

[6] https://interisle.substack.com/p/pig-butchering-part-2-anatomy-of

[7] https://www.sciencedirect.com/org/science/article/pii/S1745017920000183

The study establishes that malicious actors purchased at least 10 percent of all newly registered gTLD domains in 2025, with projections indicating that the actual share may be closer to 20 percent.

In 2025, nearly 85 million gTLD domains were newly registered. As of mid-May 2026, 8.5 million of those domains — 10 percent — had been added to blocklists for malicious activity. Applying conservative projections for additional future blocklisting and associated domains registered by criminals not identified by blocklists, the study estimates that bad actors may have purchased 16.8 million domains, or 20 percent of gTLD registrations.

The full study, Malicious Registrations in the Domain Name Market, is available at https://interisle.net/cybercriminaldomaindemand

Headline

We observed decreases from the prior quarterly data in overall phishing attacks reported, unique domain names reported for phishing, and phishing attacks hosted at free or cheap web site services (subdomain resellers). We observed significant phishing activity in certain Top-level Domains with little or no prior history of abuse by phishers. Much of this unwelcomed growth can be traced to specific domain registrars.

Top-level Domains: Weed Prevention Fails in .GARDEN

The .GARDEN TLD was the big, little phishing story for this reporting period. The sorry numbers in the table show that nearly 1 in 5 domains registered were reported for phishing. We determined that essentially all of these were maliciously registered domains, and all were registered via Spaceship (Namecheap family of registrars).

We confirmed through our colleagues at SURBL that .GARDEN and .BEER domains were used in credential stealing phishing attacks impersonating Walmart, Omaha Steaks, and Lowe’s.

Small TLDs Under Siege

.GARDEN was one of three small TLDs (under 100,000 registrations) that were targeted so aggressively that they joined the Top 20 ranking for this period.

Domain Registrars: Spaceship Takes Off… But Not in a Good Way

Registrar Spaceship rose 12 spots to claim #1 in our Top 20 rankings for phishing domains reported. Namecheap (locked in at #6) launched Spaceship in August 2023. According to Namecheap’s press release, the goal was “to empower users to get online faster and easier than ever before, bypassing the ingrained complexities often associated with domains and digital products.” Getting online faster and easier is certainly working out for some registrants; sadly, that includes too many cybercriminals. We determined that over 108,000 of the 110,000 phishing domains registered via Spaceship reported during this period were registered for malicious purposes.

NICENIC International didn’t cede the top spot quietly. With nearly 99,000 domains reported for phishing and only 238,000 registrations, this registrar had a terrifyingly high 4,158 phishing domain score for the period. We determined that, of the ~127,000 .COM domains that were malicious registrations: over 46,000 were registered via NICENIC. That’s nearly 20% of NICENIC’s overall registrations.

While GoDaddy appears in the Top 20 for phishing domains reported, their phishing domain score is a very respectable 2.5. Compared to GoDaddy, NICENIC’s numbers are embarrassingly bad.

Hosting Networks: Cloudflare Is King of a Reshuffled Top 20 Mountain

Cloudflare is again the unenviable #1. We’d love to see the IPv4 addresses cloaked by Cloudflare reverse proxy services so we could more accurately report the addresses actually hosting criminal content.

The Top 20 for this reporting period is a crazy reshuffle from the prior period.

It’s hard to distill or individualize what attracted phishers to these hosting providers. In some cases, e.g., Weebly, it may be free/cheap hosting. In others, e.g., Protocol Labs, it may be the opportunity to abuse Interplanetary File Service, IPFS, for bulletproofing properties. Phishers may be exploiting Sucuri because, like Cloudflare, it offers reverse-proxy (IP address obfuscation). Some of the Top 20 newcomers are operators that offer shared IP hosting, low cost, and have small abuse response capacity.

Ball of Confusion

The Temptations nailed the state of the world in 1970.

Fear in the air, tension everywhere…

Great Googamooga
Can’t you hear me talking to you?

It’s a ball of confusion
That’s what the world is today, hey-hey

“Fear in the air, tension everywhere” is now, “Fear in the air, phishing everywhere”.

It’s hard for us to make concrete recommendations when the landscape changes this dramatically and rapidly, especially when policy regimes and regulatory environments change so slowly.

Head down. Raise your shields.

Chronology of a Long Scam

Image Generated by ChatGPT (5/4/2026)

Pig Butchering can be broken down into the following six steps:

1. Chance Encounter Contact begins with an accidental contact: what appears to be a wrong-number text, connection request, or match on a dating app. The scammer’s profile is polished, often featuring an attractive, successful professional living in luxury abroad.

2. Building the Relationship: The scammer establishes trust by investing time and energy to build a relationship over weeks or months into what the target considers a uniquely meaningful connection.

3. Casual Investment Mention: When the scammer is confident that they have established trust, they make mention of substantial returns they’ve made on a cryptocurrency platform. They are not pushy. They frame it as something personal they can share with the target.

4. Guided First Investment: After the victim expresses curiosity, the scammer introduces the target to a crypto platform. They encourage a small investment, and the platform is rigged so that that target sees immediate returns. The target is permitted to make a first small withdrawal to reinforce confidence in the investment opportunity. This is the “fattening of the pig” phase of the scam.

5. Escalating Deposits: Encouraged by initial gains, the victim deposits more: this is the “bleeding the pig” phase of the scam. The scammer will encourage the victim to invest everything they own (“bleeding the pig”).

6. The Exit: When the victim attempts a significant withdrawal, the platform invents obstacles — a tax requirement, a compliance hold, an anti-money-laundering fee. Each payment unlocks a new requirement. Eventually the platform either vanishes entirely or stops responding. The romantic contact disappears simultaneously. This is the “butchering” phase of the scam.

That’s how it works at a high level. But how do criminals actually pull it off? And how does it scale? How can someone pretend to be someone else for long enough to get money out of a victim? And how do they handle multiple victims?

Chance Encounters

Image Generated by ChatGPT (5/4/2026)

Contact begins with what appears to be a wrong-number text, connection request, or match on a dating app. Scammers seek out potential victims using the Telegram and Signal apps as well.

The reach-out is casual, they act apologetically, and they start a friendly conversation to build rapport under the guise of “taking a sudden interest.”

The scammer’s profile is polished, often featuring a charming, attractive, successful professional living abroad. Their profile is usually designed in a way that appears legitimate without a keen eye or thorough inspection. Most importantly, the profile is designed to appeal to targets: someone the target admires and would be excited to know better.

Read more

Applying Old School Firewall Best Practices to DNS blocklisting

Like many first-generation firewall greybeards, I spent a fair bit of time testing and configuring network firewalls. The firewall admins whom I most respected were strong advocates of conservative outbound or egress traffic filtering policies. Over the years, I folded the accumulated wisdom of these admins into a egress traffic filtering best practices article, where I explained how to establish the most secure egress traffic baseline:

The best way to configure egress traffic filtering policies is to begin with a DENY ALL outbound policy, packet filter, or firewall rule. This creates a “nothing leaves my network without explicit permission” security baseline. Next, add rules to allow authorized access to the external services identified in your egress traffic enforcement policy.

Explicit permission is the exception handling language for firewall traffic filtering, and you can apply it in cases where you’ve blocked a TLD.

In previous articles [1][2], we explained that security conscious organizations sometimes choose to take extreme domain name blocklisting measures when they identify a threat and their tolerance for risk exceeds acceptable thresholds. In such scenarios, such organizations may employ stringent traffic filtering or blocklisting using their own security systems, but others may also use features of certain public, open resolvers to reduce risk. We then demonstrated how to block a TLD that is shown to exhibit significant cybercriminal activity, to reduce the threat surface.

Allowlisting Scenario

Since no one can practically begin by blocking the DNS entirely, blocking a TLD is essentially a baseline DENY ALL action on DNS traffic. But organizations should be prepared to handle exceptions should they make this choice.

For example, imagine that your healthcare organization falls victim to a malware attack that is disrupting critical services and is exfiltrating sensitive information. Your security team has monitored outbound DNS traffic and your event logs indicate that the infected systems are communicating with their command-control host using domains from a single TLD. Further analysis reveals that the domains appear to be part of a large network of registered domain names generated algorithmically (RDGAs). Containing and mitigating this threat quickly and thoroughly is your primary concern. You consult with your security team and staff and determine that no authorized or critical services are hosted at domains in this TLD so you and your team agree: blocklist it and continue with remediation and response.

With the command-control now unreachable from your network, you begin to identify infected devices from events in your DNS logs. As you restore services, you learn that you need to access one domain in this TLD to reach a supplier. You’re still remediating affected devices, so removing the block on the entire TLD at this time is premature.

In such a scenario, allowlisting is a practical option: this is a circumstance where explicit permission is appropriate for exception handling in traffic filtering or name resolution. Specifically, you can add an explicit ALLOW filter. This is the name resolution equivalent of what we called “punching a hole through your firewall”.

How to Allowlist Domains

In a previous article, we explained how to block a TLD using the NextDNS public, open resolver. NextDNS accommodates this via the Allowlist tab. In our allowlist scenario, we might add a single (wildcarded) domain:

With this exception filter in place, the organization should be able to reach the supply chain provider, but all other domains in the TLD remain blocked. While our previous articles only focused on using public, open resolvers, many security systems, e.g., firewalls, DNS servers or proxy devices, can accommodate both TLD blocking and exception handling.

Summary

In this post, we’ve used a compromise-and-breach scenario to explain what we mean by “extreme case” where blocking may be in play. In our scenario, a security team concluded that the welfare of the organization outweighed the benefits of universal domain resolvability, and the DENY ALL “staunched the bleeding” communications between the organization’s infected systems and the malware command-control were disrupted. The infected systems could be identified from DNS traffic logs and IT teams could begin malware removal, assess damage, and continue with restoring services. In this as in many scenarios, blocklisting is useful when employed temporarily. In persistent threat scenarios, it may be employed for as long as the threat condition persists.

Here we look at cybercrime activity for the month of April 2026. We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks.

Overall numbers

The April results showed a 27% increase in overall phishing reported compared to March.

Spam reported in April increased 3% compared to March.

While malware reported in April decreased 62% compared to March, it was still 10% over the amount reported in February.

Endpoint malware (targeting user devices) dropped by 56% and Malicious IP address malware (traffic injectors and attackware) dropped by 69% month over month. Internet of Things (IoT) malware increased by 6%.

Phishing

TLDs

• GARDEN, unranked in March, ranked in the Top 5 for phishing domains, phishing domain score, and malicious phishing domains

• TOP grew over 750% in phishing domains and malicious phishing domains

• BEER, WIN, and BOATS grew 1,200% in phishing domain score

• CAM and TOP grew 700% in phishing domain score

Registrars

• Spaceship (IANA ID 3862) increased 1,650% in phishing domains, 1,550% in phishing domain score, and 1,800% in malicious phishing domains

• Unstoppable (IANA ID 4326) increased 1,100% in phishing domains, 950% in phishing domain score, and 900% in malicious phishing domains

Hosting Providers

Five ASNs had a 10,000%+ growth in phishing attacks:

• Gigabit Hosting (AS55720)

• SpectralP (AS62068)

• Advania Island (AS50613)

• PLAY2GO (AS215439)

• Feo Prest (AS208137)

Spam

TLDs

• GARDEN grew 33,000% spam domains, 16,000% spam domain score, and 36,000% in malicious spam domains

• CO, MY, and TOP each grew 80% in spam domains

• AUTOS grew 1,600% in spam domain score

• BAR and TOWN each grew more than 600% in spam domain score,

• WIKI and WIN each grew more than 450% in spam domain score

• TOP grew 75% in malicious spam domains

Registrars

• Realtime Register (IANA ID 839) increased 240% in spam domains

• Spaceship (IANA ID 3862), NameMart (IANA ID 4162), and Cosmotown (IANA ID 1509) each grew more than 100% in spam domains

• DOMAIN NAME (IANA ID 1527) grew 340% in spam domain score

• Cosmotown (IANA ID 1509), Spaceship (IANA ID 3862), and Nicnames (IANA ID 4156) each grew over 100% in spam domain score

• Four registrars had large growths in malicious spam domains: Realtime Register (320%), Spaceship (130%), NameMart (125%), and Cosmotown (130%)

Hosting Providers

• Skycloud (AS7483) grew more than 34,000% in hosting spam content

• CNSERVERS (AS40065) increased more than 200% and Dream Wave (AS18068) increased more than 190% in hosting spam content

Malware

The majority of malware reports from our feeds cite IP addresses rather than domain names.

There continues to be churn in the choice of ASNs that are reported for malware activity. Two ASNs were not ranked in the previous month, each having negligible malware in March but significant reports in April: Neterra (AS34224) and Weebly (AS27647). Amazon (AS14618) increased 170% and Shenzhen Tencent (AS45090) increased over 225% in reporting of hosting malware.

Be Prepared

Check out the lists above and the tables of the worst TLDs, gTLD registrars, and hosting networks (ASNs) at the most recent Phishing Activity, Malware Activity, and Spam Activity pages to determine which represent the most risk to your organization.

Quarterly Results

The quarterly phishing results for February to April 2026 will be published on the Phishing Activity page at the Cybercrime Information Center.

What is pig butchering?

The term pig butchering is derived from a Chinese expression, “fattening a pig before you butcher it”. Criminals embraced this distasteful term to identify a form of online relationship and investment fraud where perpetrators cultivate fake romantic or social relationships with victims before persuading them to invest money into a fraudulent cryptocurrency or other investment scheme, or a request for money to assist with a medical or other emergency. Regrettably, pig butchering scam is more popularly used than the more accurate term, cryptocurrency confidence scam,

Pig butchering scams are so prolific – and the associated losses are so enormous - that some call it a scamdemic. Chainalysis reported that cryptocurrency scams received at least $9.9 billion on-chain in 2024. The FBI Internet Crime Report reported that in the US alone, complaint losses attributed to confidence and romance frauds exceeded $929M in 2025. For many cryptocurrency confidence scams reported, individual victims on average lost nearly $10,000. Some have lost their life savings, retirement accounts, and home equity after taking out loans to invest more.

Potential victims are identified and targeted daily by scammers trying to get our attention, often operating out of Southeast Asia. Historically, scams target susceptible users like the elderly who have low digital aptitude and an accumulation of wealth. They also prey on the lonely and isolated. At present, anyone who with money is an attractive target.

Criminal infrastructures operate these scams out of Southeast Asia, particularly Myanmar, Cambodia, and Laos. Victims are promised high-paying jobs relative to what they would earn in their home country, so they agree to travel to a foreign destination. Upon arrival, they are confined, essentially imprisoned, to a secure compound and forced to run the romance scams against their will.

The series continues…

In this series we’ll cover the following topics:

• How Does Pig Butchering Work?

• Why Are Scammers So Effective? Who Gets Targeted and Why?

• Role of Cryptocurrency: Why is Cryptocurrency So Attractive for Scammers?

• Call to Action

Some of the articles in this series may contain or cite “difficult” material, for example, scripts or how-to posts shared among romance scammers. These articles will be accessible only to paid members.

TLDs and Best Practices

We explained in our first article that blocklisting a domain name or hyperlink (URL) is a commonly used to deter cyber attacks. We cited data from our Cybercrime Information Center to illustrate that criminals often single out specific Top-Level Domains when they register domains for their attacks.

· Why Would You Block a TLD? Your individual or organization’s risk tolerance should identify a threshold for criminal domain registration activity, and any activity above that threshold makes that TLD untrustworthy. In such cases, you may conclude that blocking a TLD is necessary to manage risk.

· When Would You Block a TLD?: When evidence indicates that your threshold has been crossed, and you conclude that further exposure to attack (risk) cannot be tolerated, you should consider TLD blocking.

How to Block a TLD Using NextDNS

Most users default to using a DNS server provided by their ISP, but these typically don’t provide customers with the means to block TLDs. You can instead configure your devices or access router to use NextDNS, a public, open resolver with TLD blocking capabilities.

For this article, we created a NEW free consumer account at https://nextdns.io. You can sign up for free and create a temporary 7-day account to test these settings yourself.

To use NextDNS features, you must change the IP address of your DNS server to NextDNS servers, for example, 40.90.28.147 and 40.90.30.147 (Note: NextDNS server IP addresses may be different in your region). The NextDNS Setup Guide provides detailed instructions for how to configure individual device (Android, iOS, Windows, ChromeOS, MacOS, Linux), browsers, or your router.

Once you’ve configured DNS servers, scroll to the Block Top-Level Domains (TLDs) feature under the Security Tab:

Here, we’ve added the .TOP and .XIN TLDs. We reported our earlier post that .TOP and .XIN had been persistently exploited by phishers throughout 2025 to support Unpaid Toll Scams. Our Cybercrime Information Center quarterly reports show that both continue to be exploited by phishers and spammers in 1Q2026. A case can again be made to block .TOP or .XIN in their entirety because there’s a much higher chance of a domain registered in these smaller TLDs being reported as a phishing domain.

We’re again using a Windows PC, so we’ll open a command prompt to confirm our configuration. Again, do not visit a malicious website with the blocked TLD while testing. Instead, try it out safely, from command prompt:

We see that we’re using an NextDNS server IP address.

The 0.0.0.0 IP address returned looks unusual. The NextDNS Test DNS Query? page explains that NextDNS queries will return an IP address of 0.0.0.0 when it blocks a domain or TLD. Your device’s DNS client interprets this IP address as “unable to connect”. Here, 0.0.0.0 confirms that our TLD block is working.

Benefits and Risks

As we highlighted last time, TLDs like .TOP and .XIN have been persistently misused, and this has continued in 1Q2026, so you’re blocking domains that continue to resolve, remain on blocklists from CY2025, and thus remain potential threats. You’re preemptively blocking domains that may be registered by phishers for phishing attacks.

We’ll emphasize again that blocking a TLD is an all-or-nothing measure. Before you block any TLD, consider whether it is likely that you’d want to visit web sites in a TLD that you’d block. We again emphasize that you should do this as a security measure.

We don’t advocate blanket condemnation of any TLD. Our six years of accumulated phishing activity show that phishers are TLD agnostic – they’ll exploit a TLD so long as they are successful and profitable doing so. We’ve seen occasions where a TLD was exploited by phishers. Some operators have responded quickly, they revised their detection and mitigation techniques, and the phishers moved on to a different TLD.

Unfortunately, metrics for phishing or spam domain reports for some TLDs are so chronically bad that the risk of exposure to attack is too great to ignore. We recommend that if you do choose to block TLDs, periodically check our quarterly phishing and spam activity reports. Decide for yourself which TLDs are too phishy or spammy for your safety.

Malicious IP Activity and Redirector Malware on the Rise

Malicious IP activity reports (e.g., attackware and traffic injectors) dramatically increased during the current period. Fourteen previously unranked hosting networks appeared in our Ranking of Hosting Networks (ASNs) by Number of Malware Records. ApateWeb, a resilient redirector campaign, reappeared with vengeance. Reports of malicious scanners probing email server vulnerability or injection opportunities increased significantly as well.

Endpoint Malware

We saw a modest quarter over quarter decrease (7%) in the number of endpoint devices reported for malware (Key Statistics). Here, we show the most reported malware types and within that type, the named malware most reported:

Last period, we reported a whopping increase in cryptocurrency malware. This period, we received over 40,000 reports of redirector malware, malicious software that exploits your browser behavior in a variety of ways; for example, criminal use click hijacking and search or error page redirection to direct users to criminally controlled advertising (malvertising) pages or to enable click-fraud (fraudulent pay-per-click campaigns). Other criminals use redirectors, for example, ApateWeb, to lure victims to phishing pages.

ApateWeb was most reported redirector malware (campaign) for this period. Palo Alto Networks Unit42 researchers reported in 2024 that ApateWeb had used more than 130,000 domains to distribute scareware, potentially unwanted programs (PUPs), and other scam pages.

In 2025, threat research by Unit42 associated ApateWeb with suspicious Blogspot links that redirected users to malicious websites. A later Aaron Meese post explained the significance of token parameters in ApateWeb campaigns. Approximately half of the path elements of the URLs we associated with ApateWeb in our recent data included the string “api/users?token”, which is consistent with URL composition used in the 2025 blogspot campaign.

The ASNs with the most IP addresses associated with endpoint malware were:

This latest evolution of ApateWeb again uses thousands of domains. The majority appear to be auto generated and bulk registered. Nearly 8,000 of the reported URLs were hosted at pages.dev (hosted by Cloudflare, Inc.).

IoT Malware

Internet of Things (IoT) malware – malware that targets sensors, wearables, appliances – decreased by 18% compared to the prior period. Mirai accounted for most of the fluctuation across the past three reporting periods.

IP addresses in AS 4837, China Unicom, again hosted the most IoT Malware.

Malicious IPs (Attackware and Traffic Injectors)

We saw an 82% increase in IP addresses reported for malicious traffic generation. The rise of the hosting provider CTG Server Ltd. to the top of our Ranking of Hosting Networks (ASNs) by Number of Malware Records is largely the result of reports of malicious activity emanating from IP addresses in its delegations. The same is true for two previously unranked hosting providers: HostHatch, now #9 and Turing Group, now #13.

The top 5 ASNs with the most IP addresses identified as sources of malicious IP traffic:

Attackware

Reports identifying IMAP, Postfix, SSH and (generic) vulnerability scanners increased significantly.

Traffic Injectors

We observed very little change in reported traffic injectors.

Embrace the Suck?

We found an interesting perspective of the benefits of embracing the suck in an article about this common military phrase:

• Discipline: This phrase can strengthen discipline among individuals and units so that they have the drive and motivation to overcome challenges and hardships.

• Mental toughness: This idea can encourage service people to push past barriers, both psychological and physical, to remain determined and resilient.

• Perseverance: This concept can foster an attitude of continuing forward and never giving up.

• Adaptability: This phrase can inspire people to understand that others have gone before them so they can improvise and adapt without giving in.

Cybersecurity professionals, especially those tasked with dealing with cybercriminal “suck” can relate. But take heart: the author notes that

“The suck” implies a condition or situation that will eventually end.

What Are Top-Level Domains

A Top-level Domain is the last part of a website’s hyperlink, e.g., the alphanumeric string at the end of that link; for example, in the link

https://amazon.com

, the TLD is .COM.

There are basically two types of TLDs:

· National top-level domains: country code domains that are assigned to the nation states and their dependency territories; for example, .FR, .JP, .UK, or .US.

· Generic top-level domains: domains with three or more letters indicating a community or general purpose, such as .EDU for education, .COM for commercial enterprise, and .BANK for verified financial institutions.

Why and When Would You Block a TLD?

TLD blocking is routinely adopted by risk-averse organizations as a defense against cyber-attacks. Blocking a TLD should always be a carefully made decision based on a practical risk assessment; for example, when evidence indicates that the volume of harmful messages from domains registered in that TLD significantly exceeds the likelihood that legitimate communications will be disrupted.

In a November 2025 post, we explained that “some TLDs persistently exhibit an alarmingly high percentage of malicious registrations - domains that were purposely registered by criminals for the purpose of conducting cybercrimes”.

Data provided at the Cybercrime Information Center (CIC) is useful in determining the risk profile of a TLD. For example, if you visit the page Phishing Activity in Top-level Domains August 1, 2025 - October 31, 2025 you’ll see that the .TOP TLD had over 160,000 phishing domains reported in just 3 months. If you scroll down to the Ranking of TLDs by Phishing Domain Score on the page Ranking of TLDs by Phishing Domain Score (November to January 2026) you’ll find the .XIN TLD was #1 among TLDs with highest rates of phishing domains. In earlier posts, we reported that .TOP and .XIN had been persistently exploited by phishers throughout 2025 to support Unpaid Toll Scams.

Given this long history of findings, a case can be made to block .TOP or .XIN in their entirety because there’s a much higher chance of a domain registered in these smaller TLDs being reported as a phishing domain.

When deciding, consider using our Cybercrime Information Center data in combination with other risk factors, including the probability that your users will need to interact with legitimate users of TLDs that are otherwise frequently abused by cybercriminals. If you conclude that the risk of your users falling victim to a phishing attack or other cybercriminal activity from a highly abused TLDs is unacceptably high, adopt measures to shield your users from accessing any domain registered in a highly phishy TLD.

Choosing to block a TLD is an appropriate security measure to mitigate cybercrime: for you, your family, or your organization. However, TLD blocking by an ISP or government has implications and impacts beyond security. We agree with the conclusions of the Internet Society (ISOC) that mandated DNS level blocking at the country level for content purposes is a counterproductive policy tool.

“Cut bait and don’t get phished”

Most users default to using the DNS server provided by their Internet service. These typically do not provide a means to block a TLD; however, you don’t have to use these. You can configure your devices or your access router to use a public, open resolver that provides a wildcard or explicit “block TLD” feature.

A public open resolver is a DNS server that anyone can use (hence “open”) to provide domain name to IP address resolution. For most of your Internet use, you’ll get the same name service whether you use your Internet provider’s DNS server or choose to configure your device to use an open resolver such as OpenDNS. For example, in both configurations, if you type https://interisle.net into your browser, both servers will return the IP addresses for Interisle.net (e.g., 198.185.159.145), and your browser will attempt to connect to our web site.

However, OpenDNS offers many name and content filtering controls for consumers and enterprises in addition to basic name resolution that your ISP may not.

To begin using OpenDNS features, you must change the IP addresses of your DNS server to 208.67.222.222 and 208.67.220.220. You can do this at an individual PC or device, at your home network’s residential proxy (access router), or at your organization’s firewall, internet gateway, or router.

For this article, we created a free consumer account at opendns.com.

Once the account was created, from the SETTINGS tab, we created our network profile :

And then we selected Web Content Filtering from the dropdown menu.

At the top of this page, you can customize content filters. At the bottom of this page, Manage Individual Domains, we add the TLD string (no “.”). Here, we blocked .TOP, and .XIN.

So, how do we test this filter? The answer is not, “look up a suspicious domain and check.” NEVER DO THAT.

Instead, to safely check if this worked, we open command/DOS window and used the nslookup or dig utility to do a DNS query on a reported phishing page from our data sets. (This example was performed using Windows, but these tools are also available for Linux and MacOS).

The output confirmed that we’re using an OpenDNS server’s IP address. We also see that an “answer” that includes an IP address of 146.112.61.104, which is a Cisco Umbrella Block Page IP Address. A name resolution that is blocked by the Cisco Umbrella service, e.g., OpenDNS, returns this address, and OpenDNS may also return a block page instead of the page with the blocked content. This confirms that we’ve correctly configured OpenDNS to block the .XIN TLD.

Confident that our OpenDNS configuration was “operational”, we tried a few more reported phishing domains. From the STATS tab of the OpenDNS dashboard, we checked the logs. Here, we applied a filter on the log messages to view only requests (TLDs) that we blocklisted:

Note: enable stats and logs to view your network’s block history.

How do I benefit?

As tiring as the phrase may be, adversaries – especially phishers who are increasingly employing AI to enhance their deceptions and impersonations – are always one step ahead. OpenDNS allows users to be proactive rather than reactive about cybersecurity.

TLDs like .TOP and .XIN have been persistently misused, and it’s reasonable to assume that this may continue, so you’re not only blocking domains that are already reported for phishing (and thus remain active threats) but you’re preemptively blocking domains that may be registered by phishers for phishing attacks.

For our experiment and post, we’ve only blocked 2 TLDs using OpenDNS. At present, the free version of OpenDNS limits accounts to 25 domains (or TLDs), but that’s enough to include the majority of the persistently phishy TLDs that we report at the Cybercrime Information Center’s quarterly Phishing Activity pages.

What’s the risk?

Blocking a TLD is an all or nothing measure. Before you block any TLD, consider whether it is likely that you’d want to visit web sites in a TLD that you’d block. We again emphasize that you should do this as a security measure.

We don’t advocate blanket condemnation of any TLD. Our six years of accumulated phishing activity show that phishers are TLD agnostic – they’ll exploit a TLD so long as they are successful and profitable doing so. We’ve seen occasions where a TLD was exploited by phishers: they quickly revised their detection and mitigation techniques and the phishers moved on to a different TLD. We recommend that if you do choose to block TLDs, periodically check our quarterly phishing and spam activity reports. Decide for yourself which TLDs are too phishy or spammy for your safety.

Here we look at cybercrime activity for the month of March 2026. We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks.

Overall numbers

The March results showed a 28% increase in overall phishing reported compared to February.

Spam reported in March increased 14% compared to February.

Malware reported in March increased 189% compared to February and was just shy of the amount reported in January. Endpoint malware (targeting user devices) grew 440% and Malicious IP address malware (traffic injectors and attackware) increased over 200% month over month. Internet of Things (IoT) malware decreased by 10%.

Phishing

Phishing domains and phishing domain score increased more than 100% in BOND, CFD, and LIFE; phishing domains also increased more than 100% in XYZ and MOM; phishing domain score also increased more than 100% in INK, HOMES, and BIO.

BOND, XYZ, CFD, SHOP, LIFE, MOM increased more than 100% in malicious phishing domain registrations.

The gTLD registrar NICENIC continues at the #1 spot for phishing domains reported, phishing domain score and for malicious phishing domain registrations.

The gTLD registrars Dominet (HK), West263, Aceville, and NameMart all have the dubious distinction of having at least 100% growth in phishing domains, phishing domain score, and malicious phishing domains. Onamae and URL Solutions had an increase of more than 100% for phishing domains and malicious phishing domains. Epik and URL Solutions increased more than 100% in phishing domain score and malicious phishing domains; Nicnames more than doubled in phishing domain score; Dynadot more than doubled in malicious phishing domains.

Ten previously unranked hosting providers appeared in the top 20 for phishing attacks reported in March 2026. We continue to observe phishing patterns moving from hosting network to hosting network. The highest increases were in Protocol Labs (AS40680), Network Solutions (AS19871), Dataline (AS49063), DigitalOcean (AS14061), FOP Hornostay Mykhaylo Ivanovych (AS212913), Interserver (AS26666), and Sucuri (AS30148).

Spam

Despite a modest increase in spam detected in March compared to February, some TLDs exhibited a large growth in spam domains, particularly BOND which grew more than 1,000% and CFD, SBS, and HELP which each grew over 100% in both spam domains and malicious spam domains.

Using additional domain registration data courtesy of DomainTools, we have been able to identify data for many more domains in TLDs that severely restrict access to domain registration data. We also observed significant increases in gTLD registrars of spam domains (10 of the top 20 registrars increased more than 100%), spam domain score (7 of the top 20 increased more than 100%), and malicious spam domains (11 of the top 20 registrars increased more than 100%).

Two ASNs had larger increases in hosted spam content: Kaopu Cloud HK Limited (AS138915) grew over 130% and Oracle (AS31898) grew 450% compared to February 2026.

Malware

The majority of malware reports from our feeds cite IP addresses rather than domain names.

As we observed with hosting networks for phishing, the ranking of hosting networks for malware showed a huge switch from hosting provider to hosting provider. Thirteen of the top 20 hosting networks were not previously ranked – each growing to between 5.7k and 26.7k reports of malware hosted in March 2026. As with phishing, it appears that malware actors are moving “opportunistically” from hosting provider to hosting provider.

Be Prepared

Check out the lists above and the tables of the worst TLDs, gTLD registrars, and hosting networks (ASNs) at the most recent Phishing Activity, Malware Activity, and Spam Activity pages to determine which represent the most risk to your organization. Network staff might consider blocking TLDs and ASNs that appear in our Phishing, Malware, and Spam “Favorites” tables to protect against inadvertent access to content that could result in harm, making exceptions only where there is a clear business case.

Quarterly Results

The quarterly malware activity results for January to March 2026 are published on the Malware Activity page at the Cybercrime Information Center.

In this article, we’ll look at botnets generally and how they exploit the DNS. We’ll then look at a variation of the conventional botnet exploitation of the DNS that leverages the name space for Ethereum blockchain.

Botnets

Botnets are large sets of compromised devices on the Internet that can be used for nefarious purposes by criminals. They are usually comprised of computers in homes and businesses that have been “taken over” as a result of not having been patched with the latest security updates or having had malware inadvertently downloaded onto them via a click on a link in a bad email or on a bad web page. The botnets disrupted by this action consisted mainly of “Internet of Things” devices such as routers, printers, TVs, networked appliances, and security cameras, which can be compromised and remotely operated by attackers because they are running software that hasn’t been updated by either the manufacturer or the end user to patch security holes (often, known vulnerabilities).

Criminals typically use a “command-and-control” (C&C, or C2) infrastructure to manage their botnets. This is usually a device or devices controlled by the criminals and identified by the botnet devices via its domain name, usually one using long strings of random characters such as rrfd4ddl8u413.vvb2du7ed4es.top.

The C&C is the head of the beast.

Go for the Head

The botnets disrupted by the DOJ pre-programmed the C&C domain name into malware that was loaded into the compromised devices, and the devices used that domain name to look up the C&C device’s IP address via the Domain Name System (DNS). Once the devices obtained the C&C’s IP address, they identified themselves to the C&C. Cyberattackers then directed the devices via the C&C to execute attacks of various kinds.

In the case of a denial of service (DoS) attack, the devices would be directed to send a huge number of packets or connection requests to a particular IP address that the criminals wished to attack. They would amplify a DOS attack by ordering a large number of compromised devices to simultaneously send a large number of connection requests to the same device address. This is called a Distributed DOS (DDoS) attack. By amplifying the DoS attack in this manner, criminals would more effectively and quickly overrun (‘flood”) the attack target with so much traffic that the target’s operation would be disrupted or shut down entirely. The aim of such attacks is often to disrupt the target victim’s operations, create financial losses for them, or demand extortion payments from them.

Locating the Head

One of the primary ways that law enforcement and online security professionals “take down” botnets is by locating the C&C. They can then attempt to physically remove the C&C from the Internet.

Physical seizure isn’t always possible; for example, the C&C may be in a foreign country or even be a part of a foreign state apparatus. Law enforcement may request an Internet Service Provider (ISP) to disconnect the C&C from the Internet. In such cases, law enforcement may seek international assistance (for example, through a mutual legal assistance treaty request, MLAT) and will coordinate with international partners to seize the C&C infrastructure.

Note that jurisdiction matters. In some cases, none of these options are possible: the ISP doesn’t wish to cooperate, the C&C is run by a foreign state that won’t recognize a (US) court order, or a foreign state will not agree to an MLAT.

In such cases, law enforcement will try to determine the domain name for the C&C computer. There are a number of ways this can be done, but it’s usually done by a security professional examining either the actual malware in a compromised computer or IoT device or a trace of the packets sent to and from a compromised device to find the pre-programmed domain name.

Once they have determined the domain name, they can then request a domain registrar or registry (usually via a court order) that the domain name be removed from the Domain Name System. Once that happens, the compromised devices cannot communicate with the C&C computer, and the criminals lose control of the botnet. In some cases, depending on the particular malware code, the C&C domain name can then be pointed to a system controlled by law enforcement in order to shut down the malware in the compromised devices. Note that this course of action also relies on jurisdiction but in the case of this takedown, it was a resolvable matter.

A Use Case: How Criminals Adapt

A quote in the Wired article caught our attention. It stated:

“… cybersecurity researchers and law enforcement had engaged in a monthslong cat-and-mouse game with the botnet operators. At times … the operators used innovative tricks like moving their domain name system to the Ethereum blockchain to prevent the hijacking of their command-and-control servers.”

What is the Ethereum blockchain and how can it be used as an alternative to the DNS to avoid attempts by legal authorities to take down the botnet? This quote is a reference to the Ethereum Name Service (ENS), which is an alternative naming service based on the Ethereum blockchain, which is used for applications such as Ether cryptocurrency itself and the naming service for the Ethereum blockchain network.

The ENS is usually used to identify crypto wallets that contain Ether cryptocurrency. Ethereum wallet addresses are 42-character hexadecimal strings (such as 0x71c7a56ec7ab88b098defb7c1b7401b5f6d8a76f) that are used to send and receive cryptocurrency – you can think of them as being similar to a combination of bank account and routing numbers.

It’s even harder to memorize wallet addresses than IP addresses, so Ethereum created a naming service so that a user-friendly name, such as andywalletexample.eth, can be used to identify a particular crypto wallet. To send a crypto payment to Andy’s wallet, you only need to know the ENS name andywalletexample.eth rather than a long wallet address. The association between the ENS name and the wallet address is stored on the Ethereum blockchain, and an ENS name to wallet address lookup is similar in principle to (but differs technically from) a DNS lookup. Note that .ETH is not a DNS top-level domain

How Cybercriminals Exploit ENS

The ENS can be used to store more than just wallet addresses: it can be used to store any alphanumeric string, such as an IP address. This gets us back to the topic of the article. According to the Wired article, the botnet group(s) used the ENS in addition to (or instead of) the DNS in order to try to thwart law enforcement from dismantling their botnet(s) by taking control of their DNS domain name. They added “resiliency” by programming their malware to do an ENS lookup as well as (or instead of) a DNS lookup to find the IP address of the C&C computer on the Internet.

To make it even more difficult to take down the botnet, the operators often don’t simply store the IP addresses directly in the ENS, but rather store encrypted addresses or use indirect lookups through other decentralized systems such as the InterPlanetary File System (IPFS).

There are several reasons why blockchain techniques are exploited by botnet operators. Blockchains are public resources that can be accessed from anywhere on the Internet, they are decentralized without any one single point of management that can be subject to law enforcement, and they are immutable records, meaning that once something has been added to it (such as an ENS name mapping), it can’t be removed, it can only be changed by the owner of the ENS name (the entity with the proper credentials, such as an Ethereum wallet address and the wallet’s pass phrase).

ENS exploitation is yet another example of the arms race between criminals and law enforcement on just one aspect of Internet malfeasance.