Cybercriminals Weaponize Bulk-Registered Domain Names

Domain names that can be rapidly acquired, used in an attack, and abandoned before they can be traced are a critical resource for cybercriminals. Some attacks, including spam and ransomware campaigns and criminal infrastructure operation (e.g., “botnets”), benefit particularly from the ability to rapidly and cheaply acquire very large numbers of domain names—a tactic known as bulk registration. When cybercriminals can register hundreds or thousands of domain names in a matter of minutes, an attack can be widely distributed to make detection, blocking, and dismantling more difficult and prolonged.

Cybercrime investigation is always a race against the clock—the longer it takes to identify an attacker and block the attack, the more damage can be inflicted on more victims. Before the adoption by ICANN of a Temporary Specification (“Temp Spec”) for handling domain name registration data in compliance with the European General Data Protection Regulation (GDPR), investigators had ready access to the contact information provided by domain name registrants (“Whois data”). This information, even when incomplete or inaccurate, facilitated rapid attack response both directly (when it correctly identified the attacker) and indirectly (by enabling “connect the dots” methods such as search-and-pivot).

The immediate effect of the Temp Spec since the GDPR took full effect on 25 May 2018 has been to severely limit access to domain name registrant contact information, most of which is now redacted by registries and registrars when they respond to Whois data queries. Although cybercrime investigators with proper authorization can petition a registry or registrar for the redacted information, this takes place on a glacial time scale compared to the “every second counts” imperative to limit the loss or harm caused by an attack.

The use of bulk registration to distribute attacks across hundreds or thousands of domain names in a matter of minutes, coupled with the crippling of registration data access by the Temp Spec, presents cybercrime investigators with the dual impediments of harder-to-pursue criminal activity and harder-to-obtain information about the criminals.

Research conducted by Interisle Consulting Group confirms the hypothesis that cybercriminals take advantage of bulk registration services to “weaponize” large numbers of domains for their attacks. The study identifies four specific registrars at which abusive registration activity appears to be concentrated. It also confirms that ICANN’s Temp Spec policy of redacting Whois point of contact information to comply with the GDPR significantly encumbers and delays cybercrime investigation. Working without essential information, both real-time and historical, investigators cannot make the necessary correlations to quickly and thoroughly map a criminal domain infrastructure or to attribute criminal activity to a perpetrator in time to prevent substantial harm to the victims of an attack.
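
As an added illustration (not from the original article or the Interisle study), the sketch below flags bulk-registered batches by clustering creation timestamps per registrar, and shows a registrant-email pivot coming back empty once the contact field is redacted. The records, registrar names, five-minute window and minimum batch size are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data):
# (domain, registrar, creation time, registrant email).
# An email of None models a contact field redacted under the Temp Spec.
RECORDS = [
    ("alpha-pay1.example", "Registrar-A", "2018-06-01T10:00:05", None),
    ("alpha-pay2.example", "Registrar-A", "2018-06-01T10:00:40", None),
    ("alpha-pay3.example", "Registrar-A", "2018-06-01T10:01:10", None),
    ("alpha-pay4.example", "Registrar-A", "2018-06-01T10:02:30", None),
    ("old-shop.example", "Registrar-A", "2018-03-02T08:15:00", "ops@shop.example"),
    ("old-store.example", "Registrar-B", "2018-03-09T17:40:00", "ops@shop.example"),
    ("blog.example", "Registrar-B", "2018-06-01T10:01:00", None),
]

def bulk_batches(records, window=timedelta(minutes=5), min_size=3):
    """Group each registrar's domains into runs whose consecutive creation
    times are at most `window` apart; keep runs of at least `min_size`."""
    by_registrar = defaultdict(list)
    for domain, registrar, created, _email in records:
        by_registrar[registrar].append((datetime.fromisoformat(created), domain))
    batches = []
    for registrar, items in sorted(by_registrar.items()):
        items.sort()
        run = [items[0]]
        for item in items[1:]:
            if item[0] - run[-1][0] <= window:
                run.append(item)
                continue
            if len(run) >= min_size:
                batches.append((registrar, [d for _, d in run]))
            run = [item]
        if len(run) >= min_size:
            batches.append((registrar, [d for _, d in run]))
    return batches

def pivot_on_email(records, seed_domain):
    """Search-and-pivot: other domains sharing the seed's registrant email.
    Returns [] when the seed's contact data is redacted."""
    email = next((e for d, _, _, e in records if d == seed_domain), None)
    if email is None:
        return []
    return sorted(d for d, _, _, e in records if e == email and d != seed_domain)

if __name__ == "__main__":
    print(bulk_batches(RECORDS))
    print(pivot_on_email(RECORDS, "old-shop.example"))
    print(pivot_on_email(RECORDS, "alpha-pay1.example"))
```

Timing and registrar are still visible after redaction, so the batch is detectable, but the pivot that would link it to other infrastructure has nothing to work with.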

By Lyman Chapin, Internet Technology and Policy Consultant
