The Compromised Registry: One in Five New Domains Serves Cybercrime
The Scale of Malicious Domain Registrations
Every fifth newly registered domain may be working for cybercriminals. This conclusion comes from a comprehensive 2025 analysis of the domain market by Interisle Consulting.
According to the report, malicious actors were behind between 10% and 20% of all new registrations in generic top-level domains (gTLDs). Even the conservative lower bound is staggering: of nearly 85 million domains registered in 2025, security vendors blacklisted over 8.5 million, and technology firms blocked these domains to neutralize phishing, financial fraud, and malware distribution.
Latent Threats and Market Volatility
The authors emphasize that the true magnitude of the threat is likely significantly higher. Many malicious domains remain undetected for extended periods, and some addresses are weaponized only months after their initial acquisition.
Accounting for these latent factors, the analysts adjusted their projections upward: they estimate that threat actors acquired up to 16.8 million domains over the year, roughly 20% of the entire global registration market.
Asymmetric Distribution Across Registrars
The study also shows that this systemic vulnerability is distributed highly unevenly. Just five registrars accounted for roughly half of all illicit domain acquisitions.
At one small registrar, nearly 88% of new registrations ended up on global blacklists. In certain domain zones, over half of all addresses were subverted for fraudulent campaigns and phishing schemes.
Case Studies in Exploitation: FUNNULL and Special TLDs
The report dedicates substantial attention to a prominent threat collective known as FUNNULL. United States authorities link this syndicate to massive investment scams, aggressive phishing, and malware distribution.
The group registered over one million domains to sustain its malicious infrastructure. Its operations persisted even after the United States imposed strict economic sanctions in May 2025: new FUNNULL domains continued to appear across registrars worldwide.
The Infiltration of the .LOAN Top-Level Domain
The authors also highlight the rapid subversion of the .LOAN domain zone. Within a brief timeframe, total registrations in this extension expanded nearly twentyfold.
Subsequent analysis revealed that over 82% of these addresses were involved in active abuse. Many of the names were automatically generated numerical sequences, engineered for automated fraud.
Disposable Infrastructure Patterns
The researchers also identified a defining operational characteristic within these corrupted zones. Once the initial registration period expired, the threat actors systematically abandoned the addresses, and renewal rates plummeted to a mere few percent. This sharp decline confirms the disposable role these domains play in modern criminal workflows.
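The measurements behind the .LOAN and disposable-infrastructure findings (share of a zone's registrations that end up blacklisted, share of auto-generated numeric labels, renewal rate after the first term) are straightforward to compute from a registration feed, and the same indicators serve as a defender-side check on a newly observed domain. The following script is an added example and is not code from the Interisle report or from the article; every record in SAMPLE is constructed, and the 30-day "new domain" threshold and the abused-TLD set are assumptions.

```python
"""Zone-style abuse statistics and a per-domain risk check over a constructed
sample of registrations.  Added example; not from the Interisle report."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumption: .loan is the only TLD treated as heavily abused here, because it is
# the zone the article names (over 82% of its registrations involved in abuse).
ABUSED_TLDS = frozenset({"loan"})
NEW_DOMAIN_DAYS = 30  # assumption: anything younger than 30 days counts as "new"


@dataclass
class Registration:
    name: str          # fully qualified domain name
    blacklisted: bool  # listed by at least one reputation feed during the term
    renewed: bool      # renewed at the end of the initial registration term


def split_name(name: str) -> tuple[str, str]:
    """Return (second-level label, TLD) for a bare two-label domain name."""
    label, _, tld = name.lower().rstrip(".").rpartition(".")
    return label, tld


def looks_auto_generated(label: str) -> bool:
    """Numeric-only labels: the bulk-generated pattern the article attributes to .loan."""
    return label.isdigit()


def per_tld_stats(regs: list[Registration]) -> dict[str, dict[str, float]]:
    """Per TLD: registration count, blacklisted share, numeric-label share, renewal rate."""
    buckets = defaultdict(lambda: {"total": 0, "blacklisted": 0, "numeric": 0, "renewed": 0})
    for r in regs:
        label, tld = split_name(r.name)
        b = buckets[tld]
        b["total"] += 1
        b["blacklisted"] += int(r.blacklisted)
        b["numeric"] += int(looks_auto_generated(label))
        b["renewed"] += int(r.renewed)
    return {
        tld: {
            "total": b["total"],
            "blacklist_rate": b["blacklisted"] / b["total"],
            "numeric_rate": b["numeric"] / b["total"],
            "renewal_rate": b["renewed"] / b["total"],
        }
        for tld, b in buckets.items()
    }


def risk_reasons(name: str, created_iso: str, today_iso: str) -> list[str]:
    """Defender-side check for one observed domain; returns the matched indicators.
    The creation date would normally come from RDAP/WHOIS; here it is passed in
    as an ISO-8601 date string."""
    label, tld = split_name(name)
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(created_iso)).days
    reasons = []
    if age_days < NEW_DOMAIN_DAYS:
        reasons.append("newly_registered")
    if tld in ABUSED_TLDS:
        reasons.append("abused_tld")
    if looks_auto_generated(label):
        reasons.append("numeric_label")
    return reasons


# Constructed sample: five bulk-style numeric .loan names, one ordinary .loan
# name, and a handful of .com names.  None of these are real observations.
SAMPLE = [
    Registration("10392847.loan", blacklisted=True, renewed=False),
    Registration("10392848.loan", blacklisted=True, renewed=False),
    Registration("10392849.loan", blacklisted=True, renewed=False),
    Registration("10392850.loan", blacklisted=True, renewed=False),
    Registration("10392851.loan", blacklisted=True, renewed=False),
    Registration("quick-cash-advice.loan", blacklisted=False, renewed=True),
    Registration("example-shop.com", blacklisted=False, renewed=True),
    Registration("secure-login-verify.com", blacklisted=True, renewed=False),
    Registration("account-update-alert.com", blacklisted=True, renewed=False),
    Registration("mybakery.com", blacklisted=False, renewed=True),
]

if __name__ == "__main__":
    for tld, s in per_tld_stats(SAMPLE).items():
        print(f".{tld}: {s['total']} regs, blacklisted {s['blacklist_rate']:.0%}, "
              f"numeric {s['numeric_rate']:.0%}, renewed {s['renewal_rate']:.0%}")
    print(risk_reasons("10392852.loan", "2025-11-20", "2025-12-01"))
```

On the constructed sample the .loan bucket shows the profile the article describes (most registrations blacklisted, almost all numeric, almost none renewed), while the .com bucket does not; in practice the per-TLD figures would be computed over a full zone feed, and the single-domain check would be fed the creation date from an RDAP lookup.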
Institutional Accountability and Market Controls
Interisle argues that certain market participants profit from these mass registrations, despite the explicitly malicious intent of the customers placing them.
The authors therefore conclude that existing regulatory mechanisms remain profoundly ineffective. If the top-level domain ecosystem continues to expand without rigid safeguards, fraudulent assets will keep multiplying, and both global enterprises and ordinary consumers will face escalating financial losses.