This post was co-authored by Greg Aaron, Partner of Interisle Consulting Group.
Interisle just released a new study that quantifies the number of malicious domain registrations being made by cybercriminals. We found that bad actors made an estimated 20% of all new gTLD registrations in 2025. It’s alarming how much demand is being driven by bad actors, and remarkable how large some of their buying campaigns are.
Using data from multiple reputation blocklists, we determined that 8.5 million of the 85 million gTLD domains registered in 2025 have already been blocklisted for malicious activity, or 10% of new registrations. That’s the absolute floor. When we apply conservative projections for additional future blocklistings and associated domains registered by criminals, the actual share is likely 20%—or roughly 16.8 million domains. That’s 1 in 5 of all domain names created in 2025. And we believe this projection is conservative - some security companies, such as Infoblox, place the figure closer to 25%.
We found that abuse occurred in pretty much every open gTLD and at 88% of all ICANN-accredited registrars. But malicious registrations were highly concentrated at certain registry and registrar operators. Five registrars accounted for 50% of all blocklisted domains created in 2025. At one registrar, nearly 88% of new registrations were later blocklisted. On the registry side, more than three-quarters of all domains that were created in 2025 and then blocklisted were in gTLDs operated by just four companies. Our report contains tables with the data and the names.
We hope the numbers, case studies, and analysis in the report will help registries, registrars, policymakers, and the broader ICANN community develop more effective ways to reduce cybercriminals’ access to domain names while supporting sustainable business from legitimate customers.
Our analysis of specific gTLDs documents how criminal organizations registered hundreds of thousands of domain names to conduct phishing, malware, and scam campaigns. The detection and mitigation of this activity was partial and far from effective.
For example, we found that the sanctioned FUNNULL cybercriminal organization bought at least 100,000 .LOAN domains. Even after the U.S. government imposed sanctions on FUNNULL and the U.S. FBI released detailed information about FUNNULL’s registrations, the group continued to register thousands of domains. A malware operation registered at least 350,000 .BOND domains at one registrar in 2025, even after the activity was publicly documented by security researchers.
Starting with blocklisted domains as indicators, we performed associated domain checks in three gTLDs to see what domains were registered by bad actors, but were missed by the blocklist providers. We found 38% to 63% more associated domains that were likely registered by the bad actors. This lines up with findings from ICANN’s security research team, which documented that for every three newly registered malicious domains reported through RBL feeds, conservative research identifies an additional two related domains.
Only 57% of the domains on the FBI’s large list of FUNNULL domains made their way onto the blocklists we monitored, either before or after the FBI released its list. This is an example of how malicious registrations can be missed by RBLs. Case studies in our report show that even when domains were blocklisted, small percentages were suspended by registrars and registry operators.
Finally, the research suggests that:
Some registrars are apparently benefitting commercially by selling large numbers of domains to abusive registrants, even when they sell the domains at low prices.
Economic incentives lead some registrars and registries to accept or tolerate abusive registrations. Some sales programs, volume-based discounts, and rebate programs create commercial incentives designed to encourage repeat, bulk domain sales. Cybercriminals, who purchase domains in large quantities and rarely renew them, represent a large and reliable source of precisely this kind of demand.
Bad actors appear to be using acceptable payment instruments to acquire many of their registrations. At the same time, however, we found that abuse at scale is not inevitable. Several registries and registrars achieved growth in 2025 while keeping malicious registrations relatively low. Business choices and abuse prevention strategies really do matter.
Cybercriminals benefit when they use the domain names they purchase. But the resulting social costs of the cybercrime—including financial losses, business disruption, and eroded public trust—are imposed on victims, businesses, and society at large. This is a classic negative externality that shows a market out of balance, where the broader benefits of competition are not serving the public well enough.

As ICANN prepares to introduce new open gTLDs in 2027 and beyond, the current scale of abuse becomes even more concerning. All things being equal, new entrants and an increased supply of domains will intensify competitive and price pressure. Without stronger measures to prevent abuse—not just mitigate it—the problem will get worse.
The full study, “Malicious Registrations in the Domain Name Market: An Analysis of 2025 gTLD Registrations and Cybercriminal Demand,” is available here.