Cybercrime Reported in June 2025
Colin Strutt
Interisle publishes quarterly data about cybercrime activity (for phishing, malware, and spam) at the Cybercrime Information Center.
Here we look at cybercrime activity for the month of June 2025. We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks.
Overall numbers
Although May had seen a growth in both phishing and spam, that trend was reversed in June. Malware was essentially flat. But there’s no doubt – the numbers are still very high!
We observed a 26% drop in phishing attacks reported and the number of domains used by phishing reduced by 29%.
We also saw a 40% decline in spam activity reported, and the number of spam domains reported by fell by 44%.
While there was only a 1% increase in malware activity, the number malicious IP address malware records (traffic injectors and attackware) grew 11%,
Phishing
Despite a decline in the number of phishing attacks, there was significant growth in some areas.
Top-level Domains. Phishing domains reported in the .ICU, .SBS, and .LIFE TLDs grew by more than 100%. While .ICU and .SBS frequently appear in our top 20 quarterly rankings, .LIFE looks like a newcomer to our top 20.
We observed 1000% or more growth in the phishing domain scores of the .PICS, .BOATS, .MOTORCYCLES, and .WANG gTLDs. These smallish gTLDs historically had little phishing activity reported in past quarterly reports and are not typically in our top 20 quarterly rankings.
gTLD Domain Registrars. Hello Internet, Spaceship, and Xiamen ChinaSource Internet Service had more than 200% growth in phishing domain scores. The number of phishing domains registered at Spaceship has increased steadily since May 2024.
Hosting Networks. Here again, we see small operators typically not in our top 20 quarterly rankings with more than 200% growth in phishing attacks: Cloudflare London, (AS209242), AMATI (AS42237), Netminders (AS7040), and B2 Net Solutions (AS55286). Of these, only AMATI has appeared in our top 20 in the past 6 months.
Spam
Even though the total amount of spam decreased this month, there was still significant growth.
Top-level Domains. Domains reported for sending or hosting spam in the .JP ccTLD increased by more than 100% and .TOKYO and .BOND had more than a 500% growth in spam domain score.
gTLD Domain Registrars. Hello Internet’s trials extended beyond its increased phishing activity. The gTLD registrar also suffered more than a 15% increase in its spam domain score.
Hosting Networks. Google LLC (AS15169) experienced a more than 500% increase in domains reported for hosting spammed content or spambots.
WorldStream B.V. (AS49981) experienced several orders of magnitude, a more than 20,000% increase, in spam domain score. Google, LLC (AS15169) saw a less shocking but still disturbing 500% increase in spam domain score.
Malware
Most of the malware activity that we collect is reported by hosting addresses. However, four top 20 hosting networks had more than 100% growth in malware activity: HUAWEI (AS136907), CANTV (AS8048), Triple T (AS45758), and Millenicom (AS34296)
Perfect storm candidates
Some operators in this month’s top 20s are underperforming in several key metrics.
#openforphishing
.ICU, .SBS, .VIP, .PRO, .LIVE, .LIFE, .CFD, .BOND, .CYOU, .XIN are poised to land in our next quarterly top 20 TLD rankings for phishing domains reported, phishing domain score, and malicious phishing domains reported.
Eight gTLD registrars had very high counts of phishing domains reported and malicious phishing domains reported… and their phishing domain scores were high as well.
· Cloudflare
· Cloudflare London
· Fastly
· Shenzhen Tencent
· Hostinger International
· Tcloudnet
· Namecheap
· B2 Net Solutions
If these metrics don’t improve, these registrars are likely to be ranked among the top 20 registrars for these phishing metrics in our next quarterly report.
Not to be outdone, a dozen hosting networks appear destined to rank in top 20 in our next ASN rankings by phishing attacks and phishing attack score:
· Dominet (HK) (AS3775)
· NICENIC (AS3765)
· GMO Internet d/b/a Onamae (AS49)
· Gname (AS1923)
· NameSilo (AS1479)
· WebNic (AS460)
· Spaceship (AS3862)
· Key-Systems (AS1345)
· Registrar.eu (AS1647)
· OwnRegistrar (AS1250)
· Aceville (AS3858)
· Hefei Juming (AS3758)
#openforspam
The following TLDs appeared in all three top 20 TLD lists for spam domains, spam domain score, and malicious spam domains: .TOP, .CC, .VIP, .LOAN, .ICU, .GDN, .CYOU
The following gTLD registrars had very high reports of spam domains, malicious spam domains, and a high spam domain score:
· Cloudflare
· Google
· CNSERVERS
· CTG Server
· Dimension Network & Communication
· HENGDA
· PEG TECH
· Cloudie
· Netsec
· AROSSCLOUD
If these metrics don’t improve, these registrars are likely to be ranked among the top 20 registrars for these spam metrics in our next quarterly report.
The following hosting networks (ASNs) networks appear destined to rank in the top 20 in our next ASN rankings in both reported spam attacks and spam attack score:
· Dynadot (AS472)
· Gname (AS1923)
· NameSilo (AS1479)
· Dominet (HK) (AS3775)
· Spaceship (AS3862)
· Domain International (AS3863)
· eName (AS1331)
· WebNic (AS460
· Cosmotown (AS1509)
· Hefei Juming (AS3758)
Be Prepared
We continue to recommend that all users should be very aware of the TLDs cited above – any email from a domain in those TLDs should automatically be suspicious.
If you register domain names, know that if you choose one of the gTLD Registrars cited above, you will be more likely to be in the company of cybercriminals using those registrars.
Network staff might consider blocking those TLDs completely to protect their users, making exceptions only where there is a clear business case.
Similarly, network staff might consider blocking IP address blocks from those ASNs cited above to reduce the chance that one of their users might inadvertently access content that could cause them harm.
Quarterly Malware Results
The quarterly spam activity results for April to June 2025 will be published on the Malware Activity page at the Cybercrime Information Center.