ICANN: Don’t take your eye off .TOP quite yet
Colin Strutt
In a recent post, ICANN reported that “On 2 June 2025, .TOP Registry cured the Notice of Breach based on remedial actions it took.” The organization also reported “a noticeable decrease in reported abuse involving .top”.
In the data we analyzed from the Cybercrime Information Center, we also saw a decrease from February to April. Our May data, however, shows significant growth in abuse in the .TOP TLD.
Phishing increased
In April 2025, our feeds associated 10,955 .TOP domains with phishing attacks. This figure grew 187% to 31,403 phishing domains in May 2025. And the number of these phishing domains that we determined to be maliciously registered increased from 8,227 in April 2025 to 23,952 in May 2025 – a disturbing 191% growth month-over-month.
We also measure spam domains, and...
Spam had even larger numbers
In April 2025, our feeds associated 180,637 .TOP domains with spam attacks. This figure nearly doubled (83%) to 330,472 spam domains in May 2025. The number of these spam domains that we determined to be maliciously registered increased 47%, from 159,840 in April 2024 to 235,317 in May 2025.
.TOP’s not on top, but remains a close 2nd
.TOP appeared as #2 in the Feb-Apr 2025 quarterly phishing results. In May 2025, .TOP was again ranked #2 behind the far larger .COM TLD – for both phishing domains and malicious phishing domains. And .TOP was second again behind .COM for both spam domains and malicious spam domains. (You will be able to see .TOP as #2 in the Mar-May 2025 quarterly spam results to be posted soon.)
We looked at the number of phishing domains reported in .TOP each month over the past year. We see a decrease from February to April 2025. This is consistent with ICANN’s "noticeable decrease in reported abuse involving .TOP".
But that trend is reversed in May.
Because we measure three cybercrimes – phishing, spam, and malware - we can look at the broader picture of cybercrime (“DNS abuse”) over that same year. The findings are quite different.
[Note: The vertical axis in this chart is an order of magnitude larger than the prior chart, due mostly to the large volume of spam for .TOP. Spam is not “just content”, it’s attack infrastructure for scams and phishing, and as such a significant threat.]
We looked at the number of cybercrime domains reported each month in .TOP compared to the size of the .TOP zone at the end of each month:
April 2025, there were 192k cybercrime domains in .TOP out of 3.5M (5.4%)
May 2025, there were 362k cybercrime domains in .TOP out of 4.0M (9.2%)
The growth - from 5.4% to 9.2% in one month - is significant.
The absolute numbers of cybercrime domains in .TOP are bad. But let’s consider the proportion of .TOP cybercrime domains reported as a proportion of all gTLD cybercrime domains reported.
.TOP is responsible for a large proportion of cybercriminal activity reported across all gTLDs over the past year.
Act Two
ICANN labeled .TOP as “one of the most abused gTLDs.” We fully agree. A recent Domain Incite post quoted that ICANN will “actively monitor the effectiveness of these new [.TOP] systems and processes, the Registry Operator’s abuse rankings and their compliance with the requirements.” .TOP may have promised to play nice on DNS abuse, but promise is different from execution.
We’re waiting for Act Two.
Interestingly in the recent toll scam domains that we're tracking .top is not at all the top gTLD. As you (or one of colleagues) said they strip mine the tlds and right now .icu and .vip seem to be the big ones with .cfd fighting it out with .top for third place a considerable distance behind the leading two
e.g. domains in CZDS data that match ^gov- as I write this (other tlds <100 and I didn't check com because it's orders of magnitude bigger)
117 cfd
1314 icu
133 top
931 vip