Kanye West trended after he announced his plan to run for U.S. president on 4 July 2020. On Twitter, his announcement was liked over 1.1 million times and retweeted more than 500,000 times. Elon Musk was also quick to express his support.
On 5 July 2020, a day after the announcement, our typosquatting detection capabilities picked up nine Kanye West domain names:
A WHOIS registrant lookup of these newly registered domains raises questions about domain ownership and the possible reasons for these registrations. Let’s take a closer look.
Kanye West has an official website, kanyewest[.]com, where people can find his clothing merchandise and some of his videos. According to a WHOIS registrant lookup, the domain name is owned by Universal Music Group under the registrant organization “Island Def Jam,” which is based in New York. The email address mentioned on record—hostmaster@umusic[.]com—belongs to Universal Music as well.
The Kanye West domain names detected, on the other hand, do not match the details present in the official domain’s WHOIS record. Here are the general findings on the lookalike domains:
Registrar: The registrar of most of the domains was either GoDaddy or NameCheap, while one was Google Inc.
Aside from these Kanye West domains, we also saw some Yeezy-related domain names on the same day that the lookalike domains were detected:
Yeezy is Kanye West’s clothing line. The official site kanyewest[.]com contains a link to the domain yeezysupply[.]com.
We also wanted to see what other domain names belong to the registrant organization Callum Phillips, so we ran a reverse WHOIS search. Aside from the kanye2020[.]store, the organization also owns the domain yeezy2020[.]store. Both domain names appeared to be parked at the time of writing.
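The WHOIS comparison and registrant pivot described above can be scripted for triage. The following is an added example, not part of the original article or any vendor tooling: it flags brand-keyword domains whose registrant details differ from the official record and groups them by registrant organization. The record layout, function names, and e-mail placeholders are assumptions; the domains and organizations are the ones named in the article.

```python
from collections import defaultdict

# Official record, using the values the article reports for kanyewest[.]com.
OFFICIAL = {"domain": "kanyewest[.]com", "org": "Island Def Jam",
            "email": "hostmaster@umusic[.]com"}
BRAND_KEYWORDS = ("kanye", "yeezy")

# Constructed sample: domains and organizations are from the article;
# the lookalike e-mail values are placeholders, and example[.]org is filler.
SAMPLE = [
    {"domain": "kanye2020[.]store", "org": "Callum Phillips", "email": "placeholder@example.invalid"},
    {"domain": "yeezy2020[.]store", "org": "Callum Phillips", "email": "placeholder@example.invalid"},
    {"domain": "kanyewest[.]com", "org": "Island Def Jam", "email": "hostmaster@umusic[.]com"},
    {"domain": "example[.]org", "org": "Unrelated Org", "email": "admin@example.org"},
]

def refang(value):
    """Undo '[.]' defanging and normalize case for comparison."""
    return value.replace("[.]", ".").strip().lower()

def email_domain(email):
    """Return the part after '@', which ties a contact to an organization."""
    return refang(email).rpartition("@")[2]

def mismatches(record, official=OFFICIAL):
    """List the WHOIS fields on which a record differs from the official one."""
    diffs = []
    if refang(record["org"]) != refang(official["org"]):
        diffs.append("org")
    if email_domain(record["email"]) != email_domain(official["email"]):
        diffs.append("email_domain")
    return diffs

def triage(records, keywords=BRAND_KEYWORDS):
    """Flag brand-keyword domains that do not match the official WHOIS
    record, and group them by registrant organization (a local pivot
    over records already collected, not a reverse WHOIS query)."""
    flagged, by_org = {}, defaultdict(list)
    for rec in records:
        name = refang(rec["domain"])
        if not any(k in name for k in keywords):
            continue  # unrelated to the brand; out of scope
        diffs = mismatches(rec)
        if diffs:
            flagged[name] = diffs
            by_org[rec["org"]].append(name)
    return flagged, dict(by_org)
```

A match on both fields does not prove ownership, and a mismatch does not prove abuse; the output is a review queue ordered by registrant, not a verdict.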
While many of these “Kanye West” domains may have been speculatively registered as part of an investment strategy, some could be weaponized and used in phishing and malware attacks or financial scams. That’s unless Kanye West or someone in his team registered them for commercial purposes, of course.
Nevertheless, domainers and threat actors are known to quickly react to headlines. Since the beginning of June, for instance, there have been hundreds of election-related domain names detected in the Domain Name System (DNS). As the U.S. election nears, we are bound to see more.
Registrants of the Kanye West domain names could be taking advantage of the millions of searches for Kanye West and his political plans. The image below is from Google Trends, which shows that there were over 2 million searches for Kanye West on 4 July 2020.
It’s also possible that the Kanye West domain names could be used to trick supporters into giving monetary donations or purchasing pirated merchandise, for example. Furthermore, these lookalike domains could figure in phishing and malware campaigns, which would cause far more damage.
Whether or not Kanye West will be running for U.S. president is irrelevant when it comes to cybersecurity. People should be wary of any proven typosquatting domain names either way. WHOIS registrant lookup queries can also reveal more about identities and inconsistencies between legitimate and potentially suspicious domain names.