Should Cracks and Keygens Remain a Cybersecurity Concern?

Cracks and keygens have long been a problem for software vendors in that they allow users to install their products without needing to pay for a legitimate license. As the Internet and website development advanced and became more accessible, the number of sites offering software cracking tools grew.

Our research team recently searched the Web for websites that peddle cracks and keygens in an attempt to add more artifacts to publicly available lists of indicators of compromise (IoCs). We used 39 domains identified as IoCs as a starting point and found:

  • 500 IP addresses to which the domains identified as IoCs resolved, most of which are geolocated in the U.S.
  • 15 email addresses used to register the domains tagged as IoCs
  • 152 additional domains possibly connected to the IoCs since they shared their registrant email addresses and IP hosts
  • 8,475 additional domains containing the strings “crack,” “keygen,” and “serial,” 81 of which are malicious according to various malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Already Know

Our research team collated 39 domains known for hosting malicious crack and keygen sites. Accessing any of these is harmful to corporate network-connected users in that the activity could lead to malware infection. Worse than that, however, using cracked software is illegal, and companies that allow employees to use it could be fined as much as US$150,000 if proven to have committed software piracy in the U.S.

What Our Analysis Revealed

As part of our ongoing effort to make the Internet safer, we used WHOIS, DNS, and IP intelligence to identify other threat artifacts.

We began by subjecting the IoCs to DNS lookups, which led to the discovery of 500 IP addresses to which they resolved. Based on the results, most of the crack and keygen sites pointed to the U.S., Netherlands, Germany, Canada, China, and France.

We then looked at the IoCs’ historical WHOIS records and uncovered 15 unredacted email addresses used to register them. Most of them were Gmail accounts, which isn’t surprising since anyone can easily obtain one.

Using the IP addresses and email addresses as reverse WHOIS search terms gave us 152 additional domains. A closer look at them pointed to seven that may be crack and keygen sites: crack[.]ws, crack[.]ms, netcrack[.]com, crackway[.]com, serials[.]ws, serialsource[.]net, and serialdevil[.]com. The sites’ screenshots showed that four were parked or up for sale, one led to a blank page, one was unreachable, and one, serials[.]ws, was indeed a crack and keygen site.

We then wanted to know if crack and keygen site creation remains popular to this day. So, we searched for domains registered just this year that contain strings commonly included in crack and keygen site names, namely “crack,” “keygen,” and “serial.” The searches gave us 6,563 domains containing “crack,” 141 domains containing “keygen,” and 1,771 domains containing “serial.”
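For defenders, the domains and strings above can drive a two-tier resolver-log check; the following is an added example, not code from the original article or from TIP. The log format, the sample lines, and the function names are assumptions made for illustration.

```python
import re

# Defanged domains named in the article as possibly connected to the IoCs.
NAMED_DEFANGED = ["crack[.]ws", "crack[.]ms", "netcrack[.]com", "crackway[.]com",
                  "serials[.]ws", "serialsource[.]net", "serialdevil[.]com"]
KEYWORDS = ("crack", "keygen", "serial")  # strings the article searched for

def refang(value):
    """Turn a defanged indicator (crack[.]ws, hxxp://...) into a plain hostname."""
    value = value.strip().lower().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^h(xx|tt)ps?://", "", value)
    return value.split("/")[0].split(":")[0].rstrip(".")

NAMED = {refang(d) for d in NAMED_DEFANGED}

def classify(hostname):
    """Return 'named', 'keyword' or None for one queried hostname."""
    labels = refang(hostname).split(".")
    # Exact match or subdomain of a named domain, compared on label
    # boundaries so that notcrack.ws does not match crack.ws.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in NAMED:
            return "named"
    # Keyword anywhere left of the TLD: low confidence, because the article
    # found only 81 malicious domains among the keyword matches.
    if any(k in label for label in labels[:-1] for k in KEYWORDS):
        return "keyword"
    return None

def triage(log_lines):
    """Parse 'timestamp client qname' lines; return (client, qname, tier) hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        tier = classify(parts[2])
        if tier:
            hits.append((parts[1], refang(parts[2]), tier))
    return hits

# Constructed sample resolver log (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T09:00:01Z 10.0.0.5 www.serials.ws.",
    "2024-01-01T09:00:02Z 10.0.0.6 notcrack.ws",
    "2024-01-01T09:00:03Z 10.0.0.7 example.com",
    "2024-01-01T09:00:04Z 10.0.0.8 free-keygen.example",
    "garbage line",
]
```

Hits in the "keyword" tier are review candidates rather than block-list entries.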

A bulk malware check via Threat Intelligence Platform (TIP) for the 6,500+ domains showed that 81 of them were malicious. Below are examples of the malicious crack and keygen sites.

Exhaustive threat intelligence can help security teams uncover more malicious web properties than those that appear on publicly available lists of IoCs. Our IoC expansion study also showed that cracks and keygens remain an issue, given the thousands of domains registered just this year that point to websites selling them.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.
