The assembly line behind 1.5 million malicious domains
Roughly 1.5 million malicious domains appeared during the first five months of 2026, and their registration patterns resemble industrial output. Most of the domains were created by attackers, put to use within weeks, and concentrated among a small set of registrars, top-level domains, and hosting providers.

New research examined more than 1.5 million unique domains flagged on VirusTotal between January and May 2026. Each domain was flagged by at least five independent VirusTotal scanning engines and first appeared on the platform during the study window. The detections were combined with WHOIS registration records, passive DNS resolution data, and the Tranco popularity ranking of well-known sites.
Close to nine in ten of the domains were registered by attackers for malicious use. The remainder were existing legitimate domains that attackers took over. Most of that smaller group qualified because of age, having been registered years before detection, a sign that long-established sites were repurposed for attacks.
Domains built for a short life
New malicious domains appeared at a steady, high volume each month. January 2026 recorded the most, with several hundred thousand domains, and the following months stayed in a similar range.
Attacker-created domains reached VirusTotal quickly after registration. The median domain was about two months old at first detection. A portion were detected within one day of registration, and close to a third within one week. This short window gives defenders limited time to identify a domain before attackers activate it.
Abuse concentrates at a few registrars and TLDs
A small number of registrars handled most attacker-created domains. The four busiest together covered more than a third of attack domains. The top ten registrars handled close to six in ten of the domains with known registrar data, with a long tail of several thousand additional registrars splitting the rest.
Top-level domain choices showed similar concentration. The .com extension led by a wide margin, accounting for roughly a third of all attack domains. It was followed by lower-cost generic and country-code extensions such as .top, .cc, and .xyz. The top ten extensions together covered about two-thirds of attack domains, with the remainder spread across hundreds of others.
This concentration points to where intervention would pay off. Anti-abuse policies and faster takedown procedures at the leading registrars could reduce a large share of attacker-created domains.
The shared infrastructure problem
Most of the busiest hosting addresses belonged to Cloudflare. Eight of the top ten IP addresses hosting attack domains were Cloudflare addresses. The two busiest each hosted more than 230,000 distinct attack domains. These addresses are shared reverse-proxy endpoints used across Cloudflare’s network, so a single address serves many sites at once and hides the origin server behind it.
At the network level, Cloudflare’s autonomous system hosted the largest number of attack domains, with another large network and AWS close behind. Attackers gravitate toward reputable cloud and content-delivery providers because traffic from these networks is harder to block at the network level. The same services that protect legitimate sites from attack and surveillance also shield malicious ones, which makes takedown a question of provider cooperation.
DNS traffic concentrates in a small group
Query volume followed a steep distribution. Most attack domains drew modest traffic. A small group at the top drew enormous volumes, with the single busiest domain receiving more than two billion queries. This high-traffic group accounted for most of the query volume and the greatest user exposure. Sinkholing it would lower end-user risk substantially.
Registration in bulk
Coordinated mass registration appeared throughout the dataset. Grouping attack domains by registrar and creation date, any group of five or more domains sharing both attributes counted as a batch. More than three-quarters of attack domains with usable WHOIS records belonged to such a batch.
The largest single batch held more than two thousand domains registered with one registrar on a single day. Domain names within batches often followed short alphanumeric patterns, a sign of automated generation. Same-day registration of thousands of domains under one registrar points to scripts that produce and register names in bulk to assemble large attack fleets quickly.
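The batch rule described above (five or more domains sharing a registrar and creation date) and the age-at-detection window from the earlier section, applied to a small constructed set of WHOIS-style records. This is an added example, not the researchers' code; the domain names, registrar names and dates are invented for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed records: (domain, registrar, creation date, first detection date).
# Illustrative values only, not rows from the study's dataset.
RECORDS = [
    ("a1b2c3.top", "RegistrarA", date(2026, 2, 3), date(2026, 2, 4)),
    ("x9y8z7.top", "RegistrarA", date(2026, 2, 3), date(2026, 2, 10)),
    ("q4w5e6.top", "RegistrarA", date(2026, 2, 3), date(2026, 3, 30)),
    ("m7n8b9.top", "RegistrarA", date(2026, 2, 3), date(2026, 4, 1)),
    ("k2l3j4.top", "RegistrarA", date(2026, 2, 3), date(2026, 2, 3)),
    ("shop-deals.com", "RegistrarB", date(2026, 1, 15), date(2026, 3, 20)),
    ("login-whatsapp.cc", "RegistrarB", date(2026, 1, 15), date(2026, 1, 16)),
    ("old-garden-club.org", "RegistrarC", date(2019, 6, 1), date(2026, 2, 12)),
]
MIN_BATCH = 5  # a batch is five or more domains with the same registrar and creation date


def find_batches(records, min_size=MIN_BATCH):
    """Group domains by (registrar, creation date) and keep groups of min_size or more."""
    groups = defaultdict(list)
    for name, registrar, created, _seen in records:
        groups[(registrar, created)].append(name)
    return {key: names for key, names in groups.items() if len(names) >= min_size}


def batch_share(records, min_size=MIN_BATCH):
    """Fraction of domains that belong to some batch."""
    batched = sum(len(names) for names in find_batches(records, min_size).values())
    return batched / len(records)


def age_at_detection(records):
    """Days between registration and first detection for each domain."""
    return [(seen - created).days for _name, _reg, created, seen in records]


def detection_window_stats(records):
    """Median age at detection plus the share detected within one day and one week."""
    ages = age_at_detection(records)
    return {
        "median_days": median(ages),
        "within_1_day": sum(a <= 1 for a in ages) / len(ages),
        "within_7_days": sum(a <= 7 for a in ages) / len(ages),
    }


if __name__ == "__main__":
    for (registrar, created), names in find_batches(RECORDS).items():
        print(f"batch: {registrar} {created} -> {len(names)} domains")
    print(f"share in batches: {batch_share(RECORDS):.2f}")
    print(detection_window_stats(RECORDS))
```

On real WHOIS data the creation date should be normalised to a single timezone before grouping, or a batch registered around midnight splits across two days.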
Brand impersonation targets a few large names
Attackers embedded recognizable brand names into their domains. Brand tokens drawn from the most popular sites were checked against each attack domain name. WhatsApp was the most-copied brand by a wide margin, appearing in close to 20,000 attack domains. Google, Coinbase, and Bet365 also ranked among the leaders. The presence of a cryptocurrency exchange and a gambling platform points to credential harvesting and phishing aimed at financial accounts.
The matching method used simple substring detection, so some entries reflect common letter sequences more than deliberate impersonation. The distinctive brand names in the results, led by WhatsApp, carry more weight. A small share of all attack domains contained a recognizable brand token, spread across thousands of distinct brands.
Where defenders can intervene
The good news is that the same concentration that makes this work efficient for attackers also gives defenders a short list of places to push. If a handful of registrars are issuing most of the domains, rate limits and anti-abuse checks on same-day bulk registrations would slow a lot of the activity at once. The patterns are easy to spot: thousands of names with the same registrar and the same creation date, often with machine-generated spellings.
The hosting side calls for a different kind of work. Cloudflare and AWS both run abuse-reporting programs, and the volume here suggests those programs need automated pipelines that connect threat intelligence teams directly to the providers, so flagged domains tied to known malicious hosting get pulled faster. The busiest domains, the small group pulling billions of queries, are the ones worth sinkholing first, since they reach the most people. And the brands attackers lean on most, WhatsApp and Google among them, are obvious candidates for automated monitoring.
The throughline is that domain abuse runs like a production line with a few chokepoints. A few registrars issue most of the domains. A few extensions host most of the names. A few networks carry most of the traffic. Press on those points and you reach a large share of the problem. The researchers released their annotated dataset publicly for anyone who wants to dig further.
