The Internet has been abuzz with talks about Elon Musk buying Twitter since he made an initial offer of US$44 billion on 14 April 2022. The even bigger news? Twitter accepted the offer despite some employees’ qualms about Musk’s future plans for the company.

While we wait for more developments on the matter and see what changes lie in wait for Twitter’s millions of users, we delved into how domain registrants, including possible threat actors, are taking the news too. We looked more closely at domain and subdomain registrations since the buyout announcement and found:

• A smattering of domain and subdomain registrations containing the string combination “elon + musk + twitter” in the past two weeks or so
• More than 20,000 domains and subdomains containing the string combination “elon + musk” and string “twitter” registered for all time
• Around 150 domains and subdomains possibly connected to the current event have already been dubbed “malicious” by various malware engines

A sample of the artifacts obtained from our analysis is available for download from our website.

A Closer Look at the Domain and Subdomain Landscape

We scoured the Internet for web properties that threat actors could misuse or abuse to ride the buzz and lure users to potentially dangerous websites. Domains & Subdomains Discovery provided us with an initial list of 14 domains containing the string combination “elon + musk + twitter” registered on 14–28 April 2022. These are:

• twitterelonmusk[.]xyz
• elonmusktwitter[.]xyz
• elontwittermusk[.]com
• twittermuskelon[.]com
• elonmuskstwitter[.]com
• elonmusktwitters[.]com
• twitterbyelonmusk[.]com
• elonmusktwitterceo[.]com
• elonmuskbuytwitter[.]com
• elonmusktwitterlies[.]com
• elonmuskownstwitter[.]com
• elonmuskpwnstwitter[.]com
• elonmuskruinedtwitter[.]com
• elonmuskboughttwitter[.]com

We then expanded our search to gauge how much interest people usually accord to Musk and Twitter and found thousands of domains and subdomains containing the string combination “elon + musk” and string “twitter” over time.

A more in-depth analysis of the “elon + musk” domains showed that they shared common strings, such as “space” (in reference to SpaceX), “club,” and “coin” (in relation to Musk’s interest in cryptocurrency), among around 500 others. The chart below shows the domain volumes for the top 20 strings. Note that the domain names can contain one or more of the terms.

Our analysis of the Twitter domains and subdomains, meanwhile, led to the discovery of at least 20,000 web properties, showing how much interest people have had in the platform.

Given that Twitter is a copyrighted brand, we sought to uncover how many of the thousands of web properties we obtained were actually owned by the company. Our bulk WHOIS lookup showed that only 2% of the total were reportedly Twitter-owned, based on WHOIS data.

Malware checks on the Threat Intelligence Platform for the total domain and subdomain sample revealed that 147 of them were already detected as malicious by various malware engines. Notably, elonmusktwitter[.]xyz, which coincides with current events, is already dubbed “dangerous,” for hosting malware.

And as it is our mission to make the World Wide Web a safer place for all users, we subjected the domains and subdomains to DNS lookups and found that they resolved to 8,267 unique IP addresses. A few of them could be malicious if subjected to malware checks.

Organizations and individuals alike should be especially wary of the domains and subdomains already tagged as harmful by malware engines, as they could easily serve as malware and disinformation campaign hosts and homes to phishing sites.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.