Interisle Consulting Group – “Malicious Registrations in the Domain Name Market: An Analysis of 2025 gTLD Registrations and Cybercriminal Demand”
An ISOC LIVE Summary
Authors: Greg Aaron - Interisle Consulting Group; Karen Rose - Former Internet Society (ISOC), FCC, and NTIA executive and policy leader; Dr. Colin Strutt - Interisle Consulting Group, networking technology and cybercrime data analysis researcher
Executive Summary and Core Findings
This June 2026 Interisle Consulting Group report argues that cybercrime has become a large-scale industrialized market that depends heavily on the continuous registration of cheap, disposable domain names. Using publicly available registration data and commercial blocklists, the study estimates that malicious actors accounted for a substantial share of the 2025 gTLD domain registration market.
The report establishes a conservative minimum estimate that 8.5 million domains registered during 2025 were later blocklisted for malicious activity, representing approximately 10% of all new gTLD registrations. However, the authors argue this is only a baseline because many malicious domains are never detected or blocklisted. By projecting future blocklist additions and identifying “associated domains” linked to malicious registration campaigns, they estimate that the true number may be closer to 16.8 million domains, or roughly 20% of all gTLD registrations in 2025.
The report emphasizes that abuse is widespread throughout the gTLD ecosystem but highly concentrated among certain TLDs, registrars, and registry families. According to the study, five registrars accounted for half of all maliciously registered blocklisted domains, and some individual registrars saw abuse rates exceeding 80% of all new registrations.
Another major conclusion is that market incentives may unintentionally reward or tolerate abusive registrations. The report argues that pricing strategies, bulk sales programs, API-driven registration systems, and aggressive growth incentives encourage large-scale domain acquisitions by cybercriminal organizations.
Cybercrime as an Economic Driver of Domain Growth
The report frames malicious domain registrations not as marginal abuse but as a meaningful component of market growth. The authors note that the overall gTLD market had experienced relatively slow growth between 2021 and 2024, but growth accelerated in 2025 as registries and registrars focused heavily on acquiring new registrations.
Out of nearly 85 million new gTLD domains registered in 2025, more than 8.4 million had already been blocklisted by May 2026. The report argues that malicious registrations exceeded overall market growth during several months of 2025. In January 2025, for example, net gTLD growth was about 408,000 domains, while approximately 723,000 domains registered that month were later identified as malicious. Similar patterns occurred in February and May.
The report repeatedly stresses that renewals are not a useful indicator of cybercriminal activity because malicious actors rarely renew domains after one year. Instead, criminals continually abandon domains and acquire new ones in bulk.
Methodology and Use of Blocklists
The authors explain that their analysis relies heavily on professional Reputation Block Lists (RBLs), which are widely used by Internet service providers, DNS resolvers, browsers, and email providers to protect users from phishing, malware, and fraud.
The report argues that blocklists provide practical real-world evidence of malicious activity because they reflect what security organizations are actively detecting and mitigating across global networks. The methodology also mirrors ICANN’s own “Metrica” abuse measurement approach.
However, the authors acknowledge that blocklists significantly undercount malicious registrations because many domains remain undetected or inactive for long periods before being used. Some cybercriminals intentionally “age” domains for months to evade reputation systems that distrust newly created domains.
The study also relies on “associated domain” analysis, identifying clusters of domains that share registration timing, naming conventions, hosting infrastructure, nameservers, and registrar usage. The report references a recent ICANN Office of the CTO study which found that for every three blocklisted domains, two additional associated domains could often be identified.
Abuse Concentration by TLD
The report presents detailed rankings of gTLDs with the largest absolute numbers of malicious registrations and those with the highest percentages of abuse.
Among TLDs with the largest number of malicious registrations:
.COM led with nearly 1.93 million malicious domains
.TOP followed with approximately 1.79 million
.INFO, .BOND, .VIP, and .XYZ also recorded large totals
The report notes that some newer open gTLDs experienced extraordinarily high abuse percentages. The most heavily abused TLDs included:
.LOCKER – 72.9%
.LGBT – 72.2%
.TOWN – 70.2%
.GDN – 67.3%
.MOBI – 62.8%
Identity Digital appears prominently throughout these rankings, operating many of the TLDs with the highest abuse percentages. The report notes that twelve of the twenty most heavily abused TLDs by percentage were operated by Identity Digital subsidiaries.
The report also highlights the contrasting case of .XYZ. Although .XYZ added more than seven million domains in 2025, only 3.8% were classified as malicious. The authors suggest this demonstrates that large-scale growth is possible without attracting outsized abuse, though they do not determine the exact factors responsible.
Registry Families and Market Concentration
The study consolidates TLDs into “registry families” based on common ownership and operational control. It finds that approximately 92% of maliciously registered domains in 2025 were concentrated within gTLDs operated by only eight registry groups.
The leading registry families by malicious registration volume included:
Verisign
Jiangsu Bangning / Hong Kong Zhongze (.TOP)
Identity Digital
ShortDot SA
GoDaddy Registry
XYZ.COM LLC
The report suggests that market structure and operational practices at these organizations materially influence cybercriminal activity levels.
Registrar-Level Findings
The report identifies Dynadot, Gname, NameCheap, NameSilo, and GoDaddy as the registrars with the highest total numbers of maliciously registered domains during 2025. Together, the top five registrars accounted for 50% of all maliciously registered blocklisted gTLD domains.
Several registrars displayed extraordinarily high abuse percentages:
NICENIC INTERNATIONAL – 87.6%
MainReg – 85.7%
Aceville – 82.6%
URL Solutions – 67%
Key-Systems – 58.4%
The report contrasts these registrars with providers such as Tucows and Newfold Digital, which maintained relatively low abuse rates and higher renewal rates despite operating at large scale.
FUNNULL and Organized Criminal Infrastructure
A major section of the report examines FUNNULL, described as a sophisticated criminal infrastructure provider supporting Southeast Asian cybercrime networks. The report states that FUNNULL enabled phishing, malware distribution, cryptocurrency investment fraud, gambling operations, and “pig butchering” scams that caused billions in losses globally.
The authors explain that FUNNULL used algorithmic bulk registration techniques across multiple TLDs and registrars. In May 2025, the U.S. government sanctioned FUNNULL and its administrator Liu Lizhi. The FBI subsequently released a list of over 332,000 domains linked to the operation.
The report emphasizes that only about 56.6% of the FBI-attributed FUNNULL domains appeared on the blocklists monitored by the researchers, reinforcing the claim that conventional abuse metrics significantly underestimate the scale of malicious registrations.
Case Study: .LOAN
The .LOAN TLD serves as one of the report’s most detailed case studies. Originally a very small TLD, .LOAN grew from approximately 7,000 domains in early 2024 to over 132,000 by September 2025. The authors attribute most of this growth to malicious registrations.
Using expansion analysis, the researchers estimate that over 108,600 .LOAN domains — more than 82% of the TLD — were likely registered for abuse. Much of this activity appeared connected to FUNNULL.
The report describes recognizable numerical naming schemes such as:
00001.loan through 99999.loan
Sequential patterns across multiple TLDs
Cross-TLD numeric coordination such as .loan, .loans, .one, and .me registrations
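The numeric naming schemes listed above lend themselves to a simple defensive check on a new-registration feed. The following is an added example, not code from the Interisle report: it finds runs of consecutive all-digit labels within a TLD, expands from blocklisted run members to their unlisted neighbours, and reports numeric labels that appear under several TLDs. The function names, thresholds and sample data are assumptions, and it uses naming alone, whereas the report's associated-domain analysis also weighs registration timing, hosting, nameservers and registrar.

```python
import re
from collections import defaultdict

# All-digit second-level label under a single-label TLD, e.g. 00021.loan
NUMERIC = re.compile(r"^(\d{3,})\.([a-z0-9-]+)$")

def _parse(domain):
    m = NUMERIC.match(domain.strip().lower().rstrip("."))
    return m.groups() if m else None

def numeric_runs(domains, min_run=4):
    """Map (tld, label_width) -> [(first, last)] runs of consecutive numbers."""
    seen = defaultdict(set)
    for label, tld in filter(None, map(_parse, domains)):
        seen[(tld, len(label))].add(int(label))
    runs = {}
    for key, nums in seen.items():
        ordered = sorted(nums)
        start = prev = ordered[0]
        for n in ordered[1:] + [None]:      # None flushes the final run
            if n is not None and n == prev + 1:
                prev = n
                continue
            if prev - start + 1 >= min_run:
                runs.setdefault(key, []).append((start, prev))
            start = prev = n
    return runs

def associated(domains, blocklisted, min_run=4, min_ratio=0.5):
    """Unlisted members of runs in which at least min_ratio are blocklisted."""
    listed = {d.lower() for d in blocklisted}
    out = set()
    for (tld, width), spans in numeric_runs(domains, min_run).items():
        for first, last in spans:
            members = {f"{n:0{width}d}.{tld}" for n in range(first, last + 1)}
            if len(members & listed) / len(members) >= min_ratio:
                out |= members - listed
    return sorted(out)

def cross_tld_labels(domains, min_tlds=3):
    """Numeric labels registered under at least min_tlds different TLDs."""
    tlds = defaultdict(set)
    for label, tld in filter(None, map(_parse, domains)):
        tlds[label].add(tld)
    return {l: sorted(t) for l, t in tlds.items() if len(t) >= min_tlds}

# Constructed sample data, not taken from the report or any blocklist.
FEED = ["00017.loan", "00018.loan", "00019.loan", "00020.loan", "00021.loan",
        "00021.loans", "00021.one", "example-shop.loan", "40404.loan", "2025.me"]
BLOCKLISTED = ["00017.loan", "00018.loan", "00020.loan"]
```

On the constructed feed, three blocklisted members of one five-domain run surface two unlisted neighbours as candidates for review; such candidates are leads to corroborate with the other signals, not verdicts.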
The study also found that after U.S. sanctions were imposed, most FUNNULL domains remained active and additional domains continued to be registered through U.S.-based registrars. Only a small minority of malicious domains were suspended before expiration.
A dramatic collapse in renewal rates followed the malicious registration wave. .LOAN’s renewal rate reportedly fell to just 4.6%, which the report interprets as evidence that the domains had little legitimate use.
Case Study: .PINK
The report presents a similar analysis for .PINK, operated by Identity Digital. The TLD grew rapidly from approximately 5,800 domains in mid-2024 to nearly 42,000 by March 2025.
Researchers identified 22,987 blocklisted .PINK domains plus an additional 8,798 associated domains not detected by blocklists. They conclude that over 76% of the .PINK namespace was associated with abusive activity during the study period.
The report again attributes much of the activity to FUNNULL and describes coordinated numeric naming sequences, multi-registrar registration strategies, and nameserver infrastructure tied to Chinese DNS providers.
As with .LOAN, the report states that most domains remained active even after sanctions and blocklist activity. Renewal rates later collapsed from historical averages of 60–70% to roughly 3.1%.
Case Study: .BOND
The .BOND TLD case study focuses on the “Revolver Rabbit” cybercriminal gang, which allegedly registered at least 350,000 .BOND domains during 2025 using registrar Key-Systems. These domains were used to distribute information-stealing malware.
The domains followed highly recognizable naming conventions involving hyphenated phrases and five-digit numerical suffixes. The report notes the irony that .BOND was being promoted commercially as a TLD associated with trust and professionalism while simultaneously serving as large-scale malware infrastructure.
Conclusions and Policy Implications
The report concludes that malicious registrations are not isolated anomalies but a structural feature of the current domain name market. The authors argue that cybercriminal demand has become economically significant for certain registries and registrars, creating incentives that may conflict with abuse prevention goals.
The study warns that upcoming rounds of new gTLD expansion could worsen the problem if stronger controls are not introduced. It suggests that without more effective abuse mitigation practices, increased competition and greater domain supply will continue shifting the social costs of cybercrime onto Internet users, businesses, and public institutions.
The authors ultimately argue that abuse is not inevitable. Some registries and registrars have demonstrated that growth can occur without disproportionately attracting malicious registrations. The report therefore frames the issue as one of incentives, operational practices, and policy choices rather than unavoidable Internet behavior.
RESOURCES
Malicious Registrations in the Domain Name Market — the Interisle report analyzing 2025 gTLD registrations and cybercriminal demand
Full report (PDF) — detailed methodology, case studies, and registrar- and gTLD-level data
Executive Summary (PDF) — the report’s key findings in brief
Interisle Consulting Group — technology research firm behind the study
Cybercrime Supply Chain 2025 — companion Interisle study analyzing more than 26 million cybercrime events
ICANN Domain Metrica — ICANN’s RBL-based abuse measurement platform, whose methodology the study mirrors
Treasury action against FUNNULL — May 2025 OFAC sanctions on Funnull Technology and administrator Liu Lizhi
FBI FLASH advisory on FUNNULL — technical indicators and the list of 332,000+ linked domains
KrebsOnSecurity — Brian Krebs’s investigative reporting on Funnull and abusive new-TLD registrations
Identity Digital — registry operator of twelve of the twenty most-abused TLDs by percentage


