The criminal exploitation of bulk registration services is covered in our recent reports, including Phishing Landscape 2024 and Cybercrime Supply Chain 2024, which are based on analyses of data collected by the Cybercrime Information Center.
Many domain registrars provide some means by which customers can rapidly acquire large numbers of domain names. Our studies show that cybercriminals exploit these services to weaponize domains for cybercrime activities, making it much more difficult for security teams to block cybercriminals and get these domains taken down. Some registrars even offer bulk domain registration as a service, often with discount pricing – making it effortless and cost-effective for cybercriminals to obtain domain names for their illegal activities.
Cybercriminals can use tools such as NameCheap’s Beast Mode or Domain Generation Algorithms (DGAs) to register large numbers of domain names. In studying domains used for cybercrime activities, we often see patterns in domain names that are registered in bulk (as shown in the reports cited above). Some are obvious, visually: for example, they use the same string with different numbers appended, use random character domain names of the same length, or use combinations of two or three concatenated words.
How We Identify Bulk Registrations
For our analyses, we look for patterns in the timing of cybercrime domain registrations rather than trying to discern patterns in the domain names themselves. We begin with domains that are reported for cybercrime activity (phishing, spam, or malware) and look for sequences of at least ten cybercrime domain names registered through the same domain registrar with a gap of no more than ten minutes between successive registrations.
To investigate bulk registrations for this article, we took a closer look at the cybercrime domains included in the CIC phishing feeds for January 2025. We found that a total of 20,921 sequences of bulk domain registrations accounted for 848,706 cybercrime domains.
Registrars and Registries Exploited in January 2025
We counted the total number of cybercrime domains that were bulk registered, identifying the generic Top-Level Domain (gTLD) registrar through which they were registered and the number of domains under management (DUM) through that registrar. Here are the top 5, which account for 70% of the bulk registered domains:
The top 5 gTLD registrars with the longest sequences of bulk registrations account for 38% of the bulk registered domains:
We next identified the gTLD Registry Owner (which could be responsible for multiple gTLDs). Here are the top 5, which account for 69% of the bulk registered domains:
It is important to consider how rapidly domains can get registered. For example, for the registrar Dynadot Inc., we found 6 sequences of at least 100 domains, each registered in a matter of seconds:
Overall, we found 164 sequences of at least 100 domains with a registration rate of more than one domain per second.
We note that, as shown in the table above, some bulk domain registrations occurred well before the domains were detected for cybercrime activity. The implication is that cybercriminals are bulk registering domains and stockpiling them for use months or years later. Our data show that 388 sets of bulk domain registrations occurred at least 6 months before they were detected for cybercrime, with some going back to 2016.
For example, there was a set of 9,999 domain names registered in bulk through GMO (Onamae.com), all in the .lol gTLD, nearly a year before they were detected for cybercrimes. All were registered between 03:48:02 and 07:57:08 on 2/19/2024 at a rate of over 40 domain names per minute over that four-hour period. There were also three other sets of bulk registrations in .lol through GMO (Onamae.com) on that date, making a total of 17,670 .lol domains registered that day in the twelve-hour window between 01:11 and 13:29. Lacking access to contact data for domain registrations, we cannot confirm that these were all registered by the same registrant, but the pattern is clearly very suspicious.
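The timing-based method described in "How We Identify Bulk Registrations" (sequences of at least ten domains at one registrar, no more than ten minutes apart), the registration-rate measurement (sequences of 100 or more domains at more than one per second), and the lead-time measurement (registration at least six months before the domain was detected for cybercrime) can all be computed from a list of registration records. The following Python is an added illustration written for this article's editor, not code from the Cybercrime Information Center; the registrar names, domain names, timestamps and the `Record` layout are constructed assumptions, and a real run would read the same fields from a cybercrime feed joined with registration data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as stated in the article (hypothetical constants for this example).
MIN_SEQUENCE_LEN = 10                 # at least ten domains per sequence
MAX_GAP = timedelta(minutes=10)       # no more than ten minutes between successive registrations
LONG_SEQUENCE = 100                   # "sequences of at least 100 domains"
FAST_RATE = 1.0                       # more than one domain per second
STOCKPILE_LEAD = timedelta(days=182)  # roughly six months before detection


@dataclass(frozen=True)
class Record:
    domain: str
    registrar: str        # registrar of record for the domain
    registered: datetime  # registration timestamp
    detected: datetime    # first time the domain was reported for cybercrime


@dataclass
class Sequence:
    registrar: str
    records: list  # Records sorted by registration time

    @property
    def size(self) -> int:
        return len(self.records)

    @property
    def duration(self) -> timedelta:
        return self.records[-1].registered - self.records[0].registered

    @property
    def rate_per_second(self) -> float:
        secs = self.duration.total_seconds()
        return self.size / secs if secs > 0 else float("inf")

    @property
    def lead_time(self) -> timedelta:
        # Time from the first registration to the earliest cybercrime detection in the set.
        return min(r.detected for r in self.records) - self.records[0].registered

    def summary(self) -> dict:
        return {
            "registrar": self.registrar,
            "size": self.size,
            "duration_s": self.duration.total_seconds(),
            "rate_per_s": self.rate_per_second,
            "lead_days": self.lead_time.days,
            "long_and_fast": self.size >= LONG_SEQUENCE and self.rate_per_second > FAST_RATE,
            "stockpiled": self.lead_time >= STOCKPILE_LEAD,
        }


def find_sequences(records, min_len=MIN_SEQUENCE_LEN, max_gap=MAX_GAP):
    """Group records per registrar, sort by time, and cut a run wherever the
    gap between successive registrations exceeds max_gap. Runs shorter than
    min_len are discarded."""
    by_registrar = {}
    for r in records:
        by_registrar.setdefault(r.registrar, []).append(r)
    sequences = []
    for registrar, recs in by_registrar.items():
        recs.sort(key=lambda r: r.registered)
        run = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if cur.registered - prev.registered <= max_gap:
                run.append(cur)
            else:
                if len(run) >= min_len:
                    sequences.append(Sequence(registrar, run))
                run = [cur]
        if len(run) >= min_len:
            sequences.append(Sequence(registrar, run))
    return sequences


def build_sample():
    """Constructed sample data (not real registrations): one burst of 120 domains
    half a second apart detected almost a year later, one slow sequence of 12
    domains five minutes apart, and five scattered domains that form no sequence."""
    base = datetime(2024, 2, 19, 3, 48, 2)
    recs = []
    for i in range(120):
        recs.append(Record(f"brand{i:04d}.example", "registrar-a.example",
                           base + timedelta(milliseconds=500 * i), datetime(2025, 1, 15, 12, 0)))
    for i in range(12):
        recs.append(Record(f"word{i}-pay.example", "registrar-c.example",
                           base + timedelta(minutes=5 * i), base + timedelta(days=3)))
    for i in range(5):
        recs.append(Record(f"shop{i}.example", "registrar-b.example",
                           base + timedelta(hours=i), base + timedelta(days=1)))
    return recs


if __name__ == "__main__":
    for seq in find_sequences(build_sample()):
        print(seq.summary())
```

The grouping is per registrar because the article's method ties a sequence to a single registrar; the ten-minute gap splits a registrar's registrations into separate sets, so a slow but steady run still qualifies while scattered registrations drop out, and `summary()` applies the rate and lead-time thresholds to each set that survives.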
Summary
The practice of gTLD registrars and gTLD registries allowing bulk registration of domain names in large numbers provides cybercriminals with a tactical advantage over first responders, who must identify, block, and seek to suspend all the domains so registered to fully mitigate a phishing attack. As we suggested in our Cybercrime Supply Chain 2024 study: “Registrars and registries should monitor and scrutinize high-volume transactions for suspicious registration behavior”. In that same study, we made a strong recommendation that additional requirements be placed wherever domain names are registered in bulk. Effective systems already exist to detect suspicious domain name registration behavior, such as the Abuse Prevention and Early Warning System (APEWS) created by EURid.
Domain name registrars and registries that choose to reduce the abuse resulting from bulk registrations will surely have an impact on reducing the overall scourge of cybercrime.