
Post-Riot Domain Registration Trends: Findings From Tracking Trump-Related Domains and Subdomains

The U.S. Capitol riot on 6 January 2021 was an unexpected event following the 2020 U.S. elections. The incident also made headlines worldwide, prompting us to track the registration trend for Trump-related domains and subdomains. We also looked into two domains for Trump’s e-commerce stores that Shopify shut down.

Trump’s Online Stores Shut Down

Some entities have planned to withdraw their business dealings with Trump’s organizations. For example, Shopify announced on 7 January 2021 that it shut down two e-commerce sites owned by the Trump Organization: trumpstore[.]com and shop[.]donaldjtrump[.]com. Indeed, visiting shop[.]donaldjtrump[.]com on 19 January 2021 still resulted in an invalid request error.

However, the domain trumpstore[.]com has been up and running again since 18 January 2021. It was down on 7–14 January 2021 but was redirected to trump[.]com/trump-store, according to snapshots taken by the Wayback Machine.

The website’s recovery happened after its WHOIS records were modified on 17 January 2021, as revealed by WHOIS History Search. Specifically, the registrant’s contact organization was changed from The Trump Organization to DTTM Operations LLC. The modification was also detected the next day by the Registrant Monitor of the Domain Research Suite (DRS) when we started monitoring DTTM Operations LLC.

The Trend for Trump-Related Domain Names

We observed the registration trend for domains related to Donald Trump during the past two weeks. Specifically, these are the types of domains included in the study:

  • Typosquatting domain names: We downloaded the weekly typosquatting data feeds dated 4–10 and 11–17 January 2021. We then counted the number of domain names that contain the string “trump.”
  • Subdomains: We also retrieved all subdomains containing the string “trump” that were added to the Domain Name System (DNS) on 6 January 2021.

Typosquatting Domains

The domains the Typosquatting Data Feed picks up include those bulk-registered along with other similar-looking domains. Bulk registrations of domain names containing the string “trump” started to dwindle a week or two after the U.S. elections held on 3 November 2020. However, they peaked again during the week of the Capitol riot (i.e., the week ending 10 January 2021).

None of the Trump-related domains registered in the weeks ending on 10 and 17 January 2021 were publicly registered under the Trump Organization or DTTM Operations LLC. Some examples of the domains are:

  • bringbacktrump[.]org
  • bringbacktrump[.]shop
  • bringbacktrump[.]store
  • donaldtrump[.]consulting
  • donaldtrump[.]expert
  • donaldtrump[.]win
  • donaldtrump[.]world
  • lettrumprun[.]com
  • lettrumprun[.]org
  • lettrumprun[.]shop
  • trumpinsurection[.]com
  • trumpinsurrection[.]org
  • trumpinsurrection[.]xyz
  • trumpintwitter[.]com
  • trumpistwitter[.]com

Subdomains

Subdomains Lookup returned 247 subdomains containing the string “trump” that made their way into the DNS starting 6 January 2021. These subdomains were related to 74 domain names, none of which could be attributed to the Trump Organization or DTTM Operations LLC based on Bulk WHOIS Lookup results. In fact, around 62% of the domains had redacted or privacy-protected WHOIS records.

The Trump-related subdomains include these examples:

  • trumpwon[.]deemerge[.]com
  • onlytrumps[.]ibleed[.]net
  • darthtrump[.]thelandofmethandhoney[.]com
  • telltrump[.]dacanesurfshop[.]com
  • thetrumphub[.]trumpsden[.]com
  • trumpybot2[.]repl[.]co
  • americantrumpcards[.]landandair[.]video
  • blog[.]trumpvsbiden[.]adss[.]com
  • cpcontacts[.]trump2[.]torweb[.]site
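
The grouping and attribution step described in this section can be sketched as follows. This is an added example, not code from the original article or from WhoisXML API's tools. The hostnames and WHOIS organization values are constructed, the function names are hypothetical, and the parent domain is assumed to be the last two labels of each hostname.

```python
from collections import defaultdict

KEYWORD = "trump"
# Registrant organizations the article treats as official.
OFFICIAL_ORGS = {"the trump organization", "dttm operations llc"}
# Assumed substrings marking a redacted or privacy-protected record.
REDACTION_MARKERS = ("redacted", "privacy")

# Constructed sample data on the reserved .example TLD (not real findings).
SAMPLE_HOSTS = [
    "trumpwon[.]alpha[.]example",
    "blog[.]trumpvsbiden[.]alpha[.]example",
    "thetrumphub[.]bravo[.]example",
    "www[.]bravo[.]example",        # no keyword: skipped
    "telltrump[.]charlie[.]example",
    "mail[.]trumpfans[.]example",   # keyword only in the parent: skipped
]
SAMPLE_WHOIS = {
    "alpha.example": "REDACTED FOR PRIVACY",
    "bravo.example": "DTTM Operations LLC",
    "charlie.example": "Example Holdings Ltd",
}

def refang(indicator):
    return indicator.strip().lower().replace("[.]", ".")

def parent_domain(hostname):
    # Assumption: last two labels; use a Public Suffix List for co.uk etc.
    return ".".join(hostname.split(".")[-2:])

def classify(org):
    org = (org or "").strip().lower()
    if not org or any(m in org for m in REDACTION_MARKERS):
        return "redacted"
    return "official" if org in OFFICIAL_ORGS else "unattributed"

def triage(indicators, whois_orgs, keyword=KEYWORD):
    groups = defaultdict(list)
    for raw in indicators:
        host = refang(raw)
        parent = parent_domain(host)
        sub_labels = host[: -len(parent)].rstrip(".")
        if keyword in sub_labels:
            groups[parent].append(host)
    status = {d: classify(whois_orgs.get(d)) for d in groups}
    redacted = sum(s == "redacted" for s in status.values())
    return {
        "subdomains": sum(len(v) for v in groups.values()),
        "parents": len(groups),
        "status": status,
        "redacted_share": redacted / len(groups) if groups else 0.0,
    }
```

Calling `triage(SAMPLE_HOSTS, SAMPLE_WHOIS)` returns the subdomain count, the number of distinct parent domains, a per-domain attribution status, and the share of parents with redacted records.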

From the analysis above, it is possible that the changes made to the WHOIS record of trumpstore[.]com indicate the organization’s response to Shopify’s shutdown. It would also not be surprising if more domains under the Trump Organization end up being moved to DTTM Operations LLC. Additionally, the increase in the number of Trump-related typosquatting domains and subdomains that could not be attributed to Trump’s organizations could also hint at domainers or even threat actors riding the newsworthy tide.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
