Cybercriminals are nothing if not repetitive. DomainTools’ inaugural Domain Intelligence Year in Review confirms this: threat actors follow recognizable patterns, and their reliance on domain infrastructure leaves behind a trail that security professionals can analyze. The 2024 report offers a comprehensive breakdown of how domains are being used—and misused—at scale.
In 2024 alone, over 106 million new domains were registered, averaging around 289,000 per day. Among them, nearly 395,000 were confirmed as malicious, used for phishing, credential harvesting, malware distribution, and managing botnets. With the right tools and data, defenders can catch these threats early.
Key Findings
Domains Are Central to Modern Attacks
Cybercriminals used newly created domains for a variety of malicious purposes:
- Phishing
- Malware delivery
- Command and Control (C2) infrastructure
- Credential theft
- Financial scams
More than 30% of malicious domains scored 100 on DomainTools’ risk scale, the maximum threat score possible.
Domain Registrars: The Gatekeepers Facing an Uphill Battle
Domain registrars sit at the entry point of the internet’s naming system, issuing digital real estate to businesses, governments, and unfortunately, malicious actors. While their role is foundational to web infrastructure, the increasing misuse of domain names for fraud, phishing, and disinformation has spotlighted the registrar’s responsibility in addressing abuse.
The challenges are significant. Despite being bound by ICANN (Internet Corporation for Assigned Names and Numbers) policies that require action against fraudulent activity, some registrars continue to be linked to high-profile abuses. Investigations published by The New York Times and The Record have traced domains used in state-backed disinformation campaigns—such as those out of Iceland and Russia—back to specific registration providers.
The primary issue isn’t a lack of rules. It’s enforcement at scale. Millions of domains are registered every month. Identifying which ones pose a threat, especially when attackers deliberately mimic legitimate domains or use automated scripts to generate them, can overwhelm even well-intentioned registrars.
Registrars operate under a shared responsibility model. They handle the domain name system logistics, while registrants control the actual content. This separation complicates intervention. Even when Acceptable Use Policies (AUPs) prohibit malicious activity, registrars may struggle to detect policy violations until after damage has occurred.
This creates a dilemma: registrars are held accountable for registrations that may, at first glance, appear benign. But with reputation and security increasingly intertwined, the industry is under pressure to improve vetting processes, monitor high-risk behavior, and collaborate more closely with cybersecurity firms and threat intelligence providers.
Security teams, meanwhile, must remain vigilant. Recognizing patterns in registrar usage—especially among domains that repeatedly score high on risk metrics—can help organizations anticipate where the next wave of abuse may emerge. As attackers continue to exploit registrar blind spots, defenders must treat registrar behavior as a key signal in threat detection.
Attackers Reuse Infrastructure
The report identifies repeated use of specific registrars, nameservers, and ISPs across malicious domains. Patterns in combinations—such as domains registered with “NameSilo LLC” and hosted via “cloudflare[.]com”—suggest preferred platforms that should receive extra scrutiny from defenders.
Keyword Triggers Are Telltale Signs
Malicious domains frequently include red-flag terms. These vary by campaign type:
- Credential theft: login, verify, reset, password, portal
- Malware delivery: download, install, patch, update
- Financial scams: bitcoin, airdrop, profit, wallet
Keyword spikes often correlate with news cycles and global events. In 2024, domain activity spiked around the U.S. Presidential Election and the boom in generative AI.
High-Volume Registration Spikes Signal Risk
Two large surges in domain registrations were recorded:
- July 3, 2024: 681,099 new domains in a single day
  - About 129,154 (19%) of them were flagged as irregular
- November 2024: Another major spike, closely aligned with election timelines
These surges often align with disinformation campaigns or spam deployments.
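A registration spike like the July 3 figure is easy to catch when daily counts are compared against a trailing baseline. The script below is an added example, not code or data from the DomainTools report: the daily counts are constructed (only the final value mirrors the cited 681,099), and the seven-day median with a 1.5x threshold is an assumed detection rule to be tuned against real feed data.

```python
from statistics import median

# Constructed daily new-domain counts in chronological order (not report data).
# The last entry mirrors the July 3, 2024 figure quoted above.
SAMPLE_DAILY_COUNTS = [
    ("2024-06-24", 291_400), ("2024-06-25", 287_900), ("2024-06-26", 293_100),
    ("2024-06-27", 285_600), ("2024-06-28", 290_200), ("2024-06-29", 282_700),
    ("2024-06-30", 279_900), ("2024-07-01", 294_300), ("2024-07-02", 288_800),
    ("2024-07-03", 681_099),
]


def find_spikes(series, window=7, threshold=1.5):
    """Flag days whose count is at least `threshold` times the median of the
    preceding `window` days.

    The median is used as the baseline so that one earlier spike does not
    inflate the baseline and mask the next one. Returns a list of
    (date, count, ratio) tuples; days without a full window are skipped.
    """
    spikes = []
    for i in range(window, len(series)):
        baseline = median(count for _, count in series[i - window:i])
        date, count = series[i]
        ratio = count / baseline
        if ratio >= threshold:
            spikes.append((date, count, round(ratio, 2)))
    return spikes


if __name__ == "__main__":
    for date, count, ratio in find_spikes(SAMPLE_DAILY_COUNTS):
        print(f"{date}: {count:,} registrations ({ratio}x trailing median)")
```

A flagged day is a trigger to pull that day's registrations for closer analysis (keyword clustering, entropy, shared infrastructure), not a verdict on any individual domain.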
Entropy Analysis Reveals Algorithmically Generated Domains
DomainTools used Shannon entropy to detect DGA (Domain Generation Algorithm) patterns. These domains often appear as jumbled, nonsensical strings. Highlights:
- Average entropy score across domains: 3.34
- Over 31.8 million domains fell outside one standard deviation
- Low entropy outliers (e.g., ooooooooooo[.]ooo): 16.3 million
- High entropy outliers (e.g., urytwegjsb0953kflqwdn1249aiai[.]com): 15.5 million
- High entropy domains were strongly associated with botnet infrastructure and evasion tactics.
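The following is an added example of the entropy approach described above; it is not DomainTools' code and the sample domain list is constructed (the two outliers are the ones quoted in the text). It computes Shannon entropy over the registrable label and flags domains more than one standard deviation from the sample mean, on the assumption that the TLD is a single label; a production pipeline would use the Public Suffix List to strip multi-label suffixes such as .co.uk.

```python
import math
from statistics import mean, pstdev

# Constructed sample (not data from the report). Domains are defanged with
# "[.]" as in the text; the two outliers mirror the examples quoted above.
SAMPLE_DOMAINS = [
    "example[.]com",
    "secure-login-update[.]net",
    "ooooooooooo[.]ooo",
    "urytwegjsb0953kflqwdn1249aiai[.]com",
    "bankofamerica[.]com",
    "google[.]com",
    "microsoft[.]com",
    "paypal[.]com",
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD with defanging removed.

    Assumption: a one-label public suffix (.com, .ooo). Multi-label suffixes
    need the Public Suffix List, which is omitted here for brevity.
    """
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_entropy(domains, k: float = 1.0):
    """Score each domain's label and flag those more than k standard
    deviations below ("low") or above ("high") the population mean.

    Returns (mean, std_dev, {domain: (entropy, verdict)}).
    """
    scores = {d: shannon_entropy(registrable_label(d)) for d in domains}
    values = list(scores.values())
    mu = mean(values)
    sigma = pstdev(values)
    verdicts = {}
    for d, h in scores.items():
        if h < mu - k * sigma:
            verdict = "low"
        elif h > mu + k * sigma:
            verdict = "high"
        else:
            verdict = "normal"
        verdicts[d] = (round(h, 3), verdict)
    return mu, sigma, verdicts


if __name__ == "__main__":
    mu, sigma, verdicts = classify_entropy(SAMPLE_DOMAINS)
    print(f"mean={mu:.2f} std={sigma:.2f}")
    for d, (h, v) in verdicts.items():
        print(f"{h:5.2f} {v:7} {d}")
```

Entropy alone is a weak signal: short labels and brand names with repeated letters score low, and long but legitimate hashes or CDN hostnames score high. The verdicts are best used as one input to a triage score alongside keyword hits and infrastructure overlap.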
New Top-Level Domains (TLDs) Are Being Exploited
Malicious actors flocked to newly launched domain extensions in 2024. Notable examples:
- .lifestyle – 2,474 domains
- .music – 6,124 domains
- .now – 7,035 domains
- .tr – 67,556 domains
Security tools relying on static TLD allow/block lists risk missing threats hosted on these emerging namespaces.
How Security Teams Can Use This Data
- Incident Response: Prioritize investigation of domains with high entropy, risky infrastructure, or known malicious keywords.
- Brand Protection: Monitor for typosquatting and lookalike domains using homoglyphs or topical terms tied to your brand or industry.
- Threat Hunting: Use registrar-hosting-SSL combinations as pivot points to uncover related domains in large campaigns.
- Detection Engineering: Customize alerting logic around keyword patterns, risk scores, and entropy thresholds.
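The detection engineering bullet above, together with the keyword lists from the "Keyword Triggers" section and the registrar/nameserver pairing from "Attackers Reuse Infrastructure", can be turned into one triage rule. The script below is an added example and not DomainTools' tooling: the keyword sets and the NameSilo/Cloudflare pairing are the ones named on this page, while the weights, the entropy threshold of 4.0, the `risk_score` field name and the sample records are assumptions to be replaced with your own data.

```python
import math

# Red-flag terms by campaign type, as listed in the keyword section above.
KEYWORD_CATEGORIES = {
    "credential_theft": ("login", "verify", "reset", "password", "portal"),
    "malware_delivery": ("download", "install", "patch", "update"),
    "financial_scam": ("bitcoin", "airdrop", "profit", "wallet"),
}

# Registrar/nameserver pairings that get extra scrutiny; the single entry is
# the combination named in the infrastructure section. Compared lowercase.
WATCHED_INFRA = {("namesilo llc", "cloudflare.com")}

# Assumed thresholds and weights (not from the report); tune to your data.
HIGH_ENTROPY = 4.0
WEIGHT_KEYWORD = 30
WEIGHT_ENTROPY = 25
WEIGHT_INFRA = 25
WEIGHT_RISK_MAX = 40       # vendor risk score of 100, the maximum
WEIGHT_RISK_ELEVATED = 20  # risk score 70..99

# Constructed sample records (not from the report); field names are assumed.
SAMPLE_RECORDS = [
    {"domain": "secure-login-reset[.]com", "registrar": "NameSilo LLC",
     "nameserver": "cloudflare[.]com", "risk_score": 100},
    {"domain": "example[.]org", "registrar": "Example Registrar",
     "nameserver": "ns1.example[.]net", "risk_score": 5},
    {"domain": "urytwegjsb0953kflqwdn1249aiai[.]com", "registrar": "Example Registrar",
     "nameserver": "ns1.example[.]net", "risk_score": 62},
]


def refang(value: str) -> str:
    """Lowercase and undo the "[.]" defanging used in threat reports."""
    return value.lower().replace("[.]", ".")


def registrable_label(domain: str) -> str:
    """Label left of a one-label TLD (assumption; use the PSL in production)."""
    parts = refang(domain).strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((text.count(ch) / n) * math.log2(text.count(ch) / n) for ch in set(text))


def keyword_categories(label: str):
    """Campaign types whose keywords occur in the label. Substring matching is
    deliberate (it catches 'loginportal') but will also fire on 'dispatch'."""
    return sorted(cat for cat, words in KEYWORD_CATEGORIES.items()
                  if any(w in label for w in words))


def triage(record: dict) -> dict:
    """Score one domain record and record the reason for every point added."""
    label = registrable_label(record["domain"])
    score, reasons = 0, []
    for cat in keyword_categories(label):
        score += WEIGHT_KEYWORD
        reasons.append(f"keyword:{cat}")
    h = shannon_entropy(label)
    if h > HIGH_ENTROPY:
        score += WEIGHT_ENTROPY
        reasons.append(f"entropy:{h:.2f}")
    infra = (record["registrar"].lower(), refang(record["nameserver"]))
    if infra in WATCHED_INFRA:
        score += WEIGHT_INFRA
        reasons.append("infra:" + "/".join(infra))
    risk = record.get("risk_score", 0)
    if risk >= 100:
        score += WEIGHT_RISK_MAX
        reasons.append("risk_score:100")
    elif risk >= 70:
        score += WEIGHT_RISK_ELEVATED
        reasons.append(f"risk_score:{risk}")
    return {"domain": record["domain"], "score": score, "reasons": reasons}


def prioritise(records):
    """Triage every record and return them highest score first."""
    return sorted((triage(r) for r in records), key=lambda t: t["score"], reverse=True)


if __name__ == "__main__":
    for result in prioritise(SAMPLE_RECORDS):
        print(f"{result['score']:3} {result['domain']:40} {', '.join(result['reasons'])}")
```

Keeping the reasons list alongside the score matters for incident response: an analyst can see at a glance whether a domain was raised by a keyword hit, by its infrastructure, or by entropy alone, and a single noisy signal can be down-weighted without rewriting the rule.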
Why It Matters
Cyber attackers rely on scale and automation. But scale works both ways—analysts who study large-scale trends in domain data can anticipate how and where attackers will strike next. The DomainTools 2024 report doesn’t just look back; it provides a tactical roadmap for what’s coming.
The domain layer remains one of the earliest, most consistent indicators of cyber threats. By recognizing entropy irregularities, keyword clustering, and infrastructure overlap, security teams gain a measurable edge. As the threat landscape continues to evolve, domain intelligence isn’t a nice-to-have—it’s foundational to modern defense.