Previous Interisle Insights articles have covered the topics of Bulk Registration of Domain Names for Cybercrime and Unpaid Toll Scams. In this article, we look at details of some of the bulk-registered domain names used for this particular scam.
In the original Unpaid Toll Scams article, we noted that 1,869 domain names reported for cybercrime contained ‘txtag’, of which 1,562 started with ‘org-txtagstorfront’, registered in the .XIN and .WORLD gTLDs.
Cross-referencing the spam bulk domain registrations for February 2025, we found that 1,158 domains containing ‘txtag’ were registered in bulk, 1,030 of which started with ‘org-txtag’. All were registered between 24th and 28th February 2025.
The domain names starting with ‘org-txtag’ were registered through three different registrars: Dynadot, NameSilo, and Dominet (HK). These were registered in 26 bulk sequences between 2/24/2025 06:50 and 2/28/2025 14:20.
The longest sequences of ‘org-txtag’ domain names were all registered via Dominet (HK):
159 domains in both .world and .xin – 2/24/2025 from 11:51 to 12:05
137 domains in .xin – 2/24/2025 from 13:38 to 14:15
113 domains in .xin – 2/25/2025 from 10:55 to 12:40
60 domains in .xin – 2/28/2025 from 10:13 to 12:06
59 domains in .xin – 2/25/2025 from 09:58 to 10:10
In some cases, these bulk-registered domains appeared in the same bulk registration sequences (with less than 10 minutes between consecutive registrations at the same registrar) as other domains not containing ‘org-txtag’.
This implies one of two things:
More than one entity is registering domain names in bulk around the same time using the same registrar … so we treat them as part of the same sequence. If so, this could be coincidental, coordinated, or correlated with another factor.
A single entity is registering domain names in bulk with more than one (discernible) string pattern, perhaps employing a Domain Generation Algorithm (DGA) or bulk registration submission form.
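The sequence rule described above (consecutive registrations at the same registrar less than 10 minutes apart) can be applied to a registration feed as in the following added example, which is not Interisle's own tooling. The record layout, the registrar labels, the `.example` domain names and the minimum run length of 3 are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_GAP = timedelta(minutes=10)  # the article's threshold between consecutive registrations
MIN_LEN = 3                      # assumption: shortest run reported as a bulk sequence
PREFIX = "org-txtag"             # string pattern the article tracks

# Constructed sample records (domain, registrar, creation time); not real data.
SAMPLE = [
    ("org-txtag-sample-01.example", "registrar-a", "2025-02-24 11:51"),
    ("org-txtag-sample-02.example", "registrar-a", "2025-02-24 11:53"),
    ("parcel-notice-01.example",    "registrar-a", "2025-02-24 11:58"),
    ("org-txtag-sample-03.example", "registrar-a", "2025-02-24 12:05"),
    ("org-txtag-sample-04.example", "registrar-a", "2025-02-24 12:20"),
    ("org-txtag-sample-05.example", "registrar-a", "2025-02-24 12:25"),
    ("org-txtag-sample-06.example", "registrar-a", "2025-02-24 12:29"),
    ("org-txtag-sample-07.example", "registrar-b", "2025-02-24 11:52"),
    ("org-txtag-sample-08.example", "registrar-b", "2025-02-24 13:00"),
]

def bulk_sequences(records, max_gap=MAX_GAP, min_len=MIN_LEN):
    """Split each registrar's registrations into runs whose consecutive gaps are < max_gap."""
    by_registrar = defaultdict(list)
    for domain, registrar, created in records:
        ts = datetime.strptime(created, "%Y-%m-%d %H:%M")
        by_registrar[registrar].append((ts, domain))
    sequences = []
    for registrar, regs in by_registrar.items():
        regs.sort()  # chronological order within one registrar
        runs = [[regs[0]]]
        for prev, cur in zip(regs, regs[1:]):
            if cur[0] - prev[0] < max_gap:
                runs[-1].append(cur)   # still inside the same sequence
            else:
                runs.append([cur])     # gap of 10 minutes or more starts a new one
        sequences += [(registrar, r) for r in runs if len(r) >= min_len]
    return sequences

def summarize(sequences, prefix=PREFIX):
    """Per sequence: time window, size, and whether other string patterns are mixed in."""
    rows = []
    for registrar, run in sequences:
        hits = sum(1 for _, domain in run if domain.startswith(prefix))
        rows.append({"registrar": registrar, "start": run[0][0], "end": run[-1][0],
                     "total": len(run), "matching": hits, "mixed": 0 < hits < len(run)})
    return rows

if __name__ == "__main__":
    for row in summarize(bulk_sequences(SAMPLE)):
        print(row)
```

A sequence flagged `mixed` is one where either of the two explanations above could apply, so it is a candidate for review of the non-matching names rather than a verdict on them.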
The toll scam continued beyond the end of February. We anticipate seeing more of these domain names reported in the March 2025 data. We will continue to monitor and analyze data related to this scam in an effort to build a more complete picture of the domain registration tactics and vulnerabilities fueling it.
We recommend domain name registrars and registries monitor their systems for these domains and registration patterns and take action to mitigate the abuse. We have previously noted that effective systems such as the Abuse Prevention and Early Warning System (APEWS) already exist to prevent cybercrime-related bulk registrations.