Today, we look at cybercrime activity for the month of April 2025. We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks.
Overall numbers
Overall, we observed a reduction in all three cybercrimes in April. But it’s not time to be complacent – these numbers are still very large.
Phishing activity continues its downward trend from a peak in January and is now back to the levels at the end of 2024.
Spam activity dropped by nearly 50% since March, though the number of spam incidents reported January-March 2025 was considerably higher than in the prior six months. April’s numbers are still 15% higher than those prior six months.
Malware activity over the past three months has continued below January’s peak and is nearly 19% below the average of the last six months of 2024. Let’s hope this trend continues and that it reflects a real reduction in malware activity (rather than being due to fewer instances of malware being reported).
Phishing
Three top-level domains (TLDs) had more than 100% growth in phishing domains and phishing scores: .pro (857% and 832%), .win (911% and 840%), and .world (102% and 98%).
Three generic Top Level Domain (gTLD) registrars had more than 500% growth in phishing domain scores: Bizcn (729%), Jiangsu Bangning (896%), and Tecnocrática Centro de Datos (550%).
Two hosting networks (ASNs) had more than 1,000% growth in phishing attacks: AMATI (2,892%) and Beget (2,353%).
Malware
The breakdown of malware types (endpoint malware, Internet of Things (IoT) malware, traffic injectors or attackware, and uncategorized) was largely unchanged from the previous month, with traffic injectors or attackware comprising about 78% of the malware activity.
HUAWEI (AS136907) saw a nearly 7,000% growth in malware activity since March.
Spam
Two TLDs had more than 500% growth in spam domains: .win (555%) and .xn--p1ai (1,295%). The .tk TLD had a 4,606% growth in spam domain score. And two TLDs had more than 500% growth in malicious spam domains: .win (674%) and .xn--p1ai (1,527%).
One gTLD registrar – Danesco Trading – had a 2,154% growth in spam domains.
One hosting network – IQWeb (AS59692) – had a 262% growth in spam content or spambot hosts.
Phishing (Dis)-Honorable Mentions
The following TLDs appeared in all three top-20 TLD lists for phishing domains, phishing domain score, and malicious phishing domains: .top, .xin, .pro, .vip, .win, .world, .cc, .sbs, .cfd, .icu, and .click.
The following gTLD registrars appeared in all three top-20 Registrar lists for phishing domains, phishing domain score, and malicious phishing domains: Dominet (HK), NICENIC, NameSilo, WebNic, Registrar.eu, OwnRegistrar, Sav.com, and Hefei Juming.
The following hosting networks (ASNs) appeared in both top-20 ASN lists for phishing attacks and phishing attack score: Cloudflare (AS13335), Shenzhen Tencent (AS132203), Fastly (AS54113), Beget (AS198160), Hostinger (AS47583), and Namecheap (AS22612).
Spam (Dis)-Honorable Mentions
The following TLDs appeared in all three top-20 TLD lists for spam domains, spam domain score, and malicious spam domains: .top, .cc, .vip, .blog, .world, .win, .life, .icu, and .loan.
The following gTLD registrars appeared in all three top-20 Registrar lists for spam domains, spam domain score, and malicious spam: Dynadot, Gname, Dominet (HK), NameSilo, Domain International, Registrar.eu, InterNetX, NICENIC, URL Solutions, Sav.com, and WebNic.
The following hosting networks (ASNs) appeared in both top-20 ASN lists for spam attacks and spam attack score: Cloudflare (AS13335), Dimension Network (AS59371), CTG (AS152194), Clayer (AS137951), HENGDA (AS138415), Cloudie (AS55933), Netsec (AS45753), Tcloudnet (AS399077), and Cloudflare London (AS209242).
Be Prepared
These illegal activities can affect you or your company both directly (by being phished or spammed) and also indirectly.
All users should be very aware of the TLDs cited above – any email from a domain in those TLDs should automatically be suspicious.
If you register domain names, know that if you choose one of the gTLD Registrars cited above, you will be more likely to be in the company of cybercriminals using those registrars.
Network staff might consider blocking those TLDs completely to protect their users, making exceptions only where there is a clear business case.
Similarly, network staff might consider blocking IP address blocks from those ASNs cited above to reduce the chance that one of their users might inadvertently access content that could cause them harm.
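As an added example (not part of the Interisle report), here is a small Python mail filter that puts the advice above into practice: it flags messages whose sender domain sits in one of the TLDs named on this page, normalises internationalised sender domains to punycode so that .xn--p1ai (the .рф ccTLD) is caught the same way as .win or .top, and honours an allowlist that stands in for the "clear business case" exceptions. The allowlist entry and the sample messages are constructed for the example.

```python
"""Flag inbound mail from the high-risk TLDs named in the April 2025 summary."""
from email import message_from_string
from email.utils import parseaddr

# TLDs from the phishing and spam (dis)honorable mentions on this page, plus
# the ones called out for large growth (.xn--p1ai is punycode for .рф).
RISKY_TLDS = frozenset({
    "top", "xin", "pro", "vip", "win", "world", "cc", "sbs", "cfd", "icu",
    "click", "blog", "life", "loan", "xn--p1ai", "tk",
})

# Constructed allowlist: domains with a documented business case.
ALLOWLIST = frozenset({"partner.top"})


def sender_domain(raw_message: str) -> str:
    """Return the From: domain, lowercased and in ASCII/punycode form."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].strip().rstrip(".")
    # IDN senders such as пример.рф are compared as xn--e1afmkfd.xn--p1ai,
    # so a Unicode spelling cannot slip past an ASCII TLD list.
    return domain.encode("idna").decode("ascii").lower()


def classify(raw_message: str) -> str:
    """'allow' for an allowlisted domain, 'flag' for a risky TLD, else 'pass'."""
    domain = sender_domain(raw_message)
    if not domain:
        return "flag"  # no usable sender address: treat as suspicious
    if domain in ALLOWLIST:
        return "allow"
    tld = domain.rsplit(".", 1)[-1]
    return "flag" if tld in RISKY_TLDS else "pass"


# Constructed sample messages (not real traffic).
MSG_RISKY = "From: Promo <deals@offers.win>\nSubject: hi\n\nbody\n"
MSG_IDN = "From: <info@пример.рф>\nSubject: hi\n\nbody\n"
MSG_ALLOWED = "From: Ops <ops@partner.top>\nSubject: hi\n\nbody\n"
MSG_CLEAN = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name, m in [("risky", MSG_RISKY), ("idn", MSG_IDN),
                    ("allowed", MSG_ALLOWED), ("clean", MSG_CLEAN)]:
        print(f"{name:8s} {sender_domain(m):28s} -> {classify(m)}")
```

A production filter would also look at Return-Path and Reply-To, and would pull the TLD list from a maintained feed rather than a hard-coded set.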
Interisle publishes quarterly data about cybercrime activity (for phishing, malware, and spam) at the Cybercrime Information Center.