The U.S. Capitol riot on 6 January 2021 was an unexpected event following the 2020 U.S. elections. The incident also made headlines worldwide, prompting us to track the registration trend for Trump-related domains and subdomains. We also looked into two domains for Trump’s e-commerce stores that Shopify shut down.
Some entities have planned to withdraw their business dealings with Trump’s organizations. For example, Shopify announced on 7 January 2021 that it had shut down two e-commerce sites owned by the Trump Organization: trumpstore[.]com and shop[.]donaldjtrump[.]com. Indeed, visiting shop[.]donaldjtrump[.]com on 19 January 2021 still resulted in an invalid request error.
However, the domain trumpstore[.]com has been up and running since 18 January 2021. It was down from 7 to 14 January 2021 but was redirected to trump[.]com/trump-store, according to snapshots taken by the Wayback Machine.
The website’s recovery happened after its WHOIS records were modified on 17 January 2021, as revealed by WHOIS History Search. Specifically, the registrant’s contact organization was changed from The Trump Organization to DTTM Operations LLC. The modification was also detected the next day by the Registrant Monitor of the Domain Research Suite (DRS) when we started monitoring DTTM Operations LLC.
We observed the registration trend for domains related to Donald Trump during the past two weeks. Specifically, these are the types of domains included in the study:
The domains the Typosquatting Data Feed picks up include those bulk-registered along with other similar-looking domains. Bulk registrations of domain names containing the string “trump” started to dwindle a week or two after the U.S. elections held on 3 November 2020. However, they peaked again during the week of the Capitol riot (i.e., the week ending 10 January 2021).
None of the Trump-related domains registered in the weeks ending 10 and 17 January 2021 were publicly registered under the Trump Organization or DTTM Operations LLC. Some examples of the domains are:
Subdomains Lookup returned 247 subdomains containing the string “trump” that made their way into the DNS starting 6 January 2021. These subdomains were related to 74 domain names, none of which could be attributed to the Trump Organization or DTTM Operations LLC based on Bulk WHOIS Lookup results. In fact, around 62% of the domains had redacted or privacy-protected WHOIS records.
The Trump-related subdomains include these examples:
From the analysis above, it is possible that the changes made to the WHOIS record of trumpstore[.]com indicate the organization’s response to Shopify’s shutdown. It would also not be surprising if more domains under the Trump Organization ended up being moved to DTTM Operations LLC. Additionally, the increase in the number of Trump-related typosquatting domains and subdomains that could not be attributed to Trump’s organizations could hint at domainers or even threat actors riding the newsworthy tide.
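The subdomain attribution step described above (group keyword-bearing subdomains by parent domain, check each parent's registrant organization, and measure the redacted share) can be reproduced for brand monitoring as in the following added example, which is not code from the original study or its tools. The sample subdomains, WHOIS values, privacy markers and function names are constructed assumptions, and the parent domain is taken naively as the last two labels.

```python
import re
from collections import defaultdict

# Registrant organizations the article names as the brand owner's.
KNOWN_ORGS = {"the trump organization", "dttm operations llc"}
# Assumed markers of redacted or privacy-protected WHOIS records.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard")
KEYWORD = "trump"

# Constructed sample data on the reserved .example TLD.
SAMPLE_SUBDOMAINS = [
    "trump2021.alpha.example",
    "store.trump.alpha.example",
    "trumpnews.beta.example",
    "mail.gamma.example",  # no keyword: ignored
    "trump.delta.example",
]
SAMPLE_WHOIS = {
    "alpha.example": "REDACTED FOR PRIVACY",
    "beta.example": "Example Hosting Ltd",
    "delta.example": "DTTM Operations, LLC",
}


def normalize(org):
    """Lower-case and reduce punctuation and whitespace to single spaces."""
    return re.sub(r"[^a-z0-9]+", " ", (org or "").lower()).strip()


def classify(org):
    """Label a registrant organization; an empty field counts as redacted."""
    norm = normalize(org)
    if not norm or any(marker in norm for marker in PRIVACY_MARKERS):
        return "redacted"
    return "attributed" if norm in KNOWN_ORGS else "unattributed"


def triage(subdomains, whois_orgs):
    """Group keyword-bearing subdomains by parent domain, then classify each parent."""
    grouped = defaultdict(list)
    for name in subdomains:
        labels = name.lower().rstrip(".").split(".")
        # Naive parent: last two labels. Use the Public Suffix List in practice.
        if any(KEYWORD in label for label in labels[:-2]):
            grouped[".".join(labels[-2:])].append(name)
    report = {domain: classify(whois_orgs.get(domain)) for domain in grouped}
    redacted = sum(1 for label in report.values() if label == "redacted")
    share = round(100 * redacted / len(report), 1) if report else 0.0
    return dict(grouped), report, share
```

Calling `triage(SAMPLE_SUBDOMAINS, SAMPLE_WHOIS)` returns the subdomains grouped by parent domain, a per-domain attribution label, and the percentage of parent domains with redacted records.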