Malicious Registrations in the Domain Name Market: An Analysis of gTLD Registrations and Cybercriminal Demand
A new analysis by Interisle Consulting Group finds that cybercriminals registered a significant share of new domain name registrations in 2025, representing a substantial percentage of the generic Top-Level Domain (gTLD) market. The study establishes that malicious actors purchased at least 10 percent of all new gTLD domains registered in 2025, with projections indicating that the actual share may be closer to 20 percent.
In 2025, nearly 85 million gTLD domains were newly registered. As of mid-May 2026, 8.5 million of those domains — 10 percent — had been added to blocklists for malicious activity. Applying conservative projections for additional future blocklistings and associated domains registered by criminals not identified by blocklists, the study estimates that bad actors may have purchased 16.8 million domains, or 20 percent of gTLD registrations.
Cybercriminal demand represents a significant share of new domain registrations, particularly where domain names are cheap and easy to acquire. Abuse is also highly concentrated in certain places.
Some gTLD registries and registrars had more than half — and in some cases up to 80 percent — of their 2025 new registrations blocklisted. Five registrars accounted for 50 percent of all blocklisted gTLD domains created in 2025, while several registries received hundreds of thousands to a million or more malicious registrations each.
Cybercriminals rely on a steady supply of cheap, disposable domain names to conduct attacks, which they can easily obtain in mass quantities in the current market. Market dynamics and certain industry practices that reward volume sales are contributing to the abuse problem. The costs and consequences of cybercrime facilitated by these domains, however, are borne by victims, businesses, and society at large.
The study notes that abuse at this scale is not inevitable, however. Some registries and registrars grew without attracting outsized levels of abuse, indicating that provider practices and abuse prevention and mitigation choices can affect the quality of business.
Interisle concludes that more effective abuse prevention and mitigation policies and enforceable contractual measures are needed to reduce cybercriminals’ access to domain names while supporting sustainable business from legitimate customers, particularly since new open gTLDs will be introduced in 2027 and beyond.
The full report, Malicious Registrations in the Domain Name Market: An Analysis of gTLD Registrations and Cybercriminal Demand, is available at https://interisle.net/cybercriminaldomaindemand. It includes detailed methodology, case studies, and registrar- and gTLD-level data.
Comments can be submitted to feedback@interisle.net