A Look into the TLDs of the Most Abused Newly Registered Domains

While the generic top-level domain (gTLD) that a company uses is not a telltale sign of maliciousness, some TLDs are more prone to abuse than others. It could be because of the sheer volume of domain registrations within a particular TLD space, the lack of security protocols in registering domains, or a combination of both, among other factors. 

We looked at the list of newly registered domains that used the most abused TLDs, according to multiple sources and analyzed them using data from whoisxmlapi.com.

Three gTLDs were identified—.fit, .top, and .work. The .fit gTLD was cited as the most abused gTLD for spam operations by Spamhaus, with a badness index of 56.9% as of 4 November 2020. For botnet and phishing, the most abused gTLD was .com, mostly because it remains the most used. As such, we settled on the second most abused for two other malicious activities—.top and .work.

Malicious Activity Most Abused gTLD Number of Malicious Domains Found 
Spamming .fit 8,770
Botnet use .top 617
Phishing .work 65,265


Spamhaus is an organization that tracks spammers and spam-related activities, while SURBL provides a collection of phishing sites, malware domains, and Uniform Resource Identifiers (URIs) that appear in unsolicited emails.

For the analysis, we used a list of newly registered domains from 29 October to 2 November 2020. A total of 35,779 newly registered domains across the three gTLD spaces were detected. The chart below reflects the five-day registration trend.

Where Are the Registrants Located?

A majority of newly registered domains under .fit and .work were registered in Japan, while most of the domains under .top were from China.


In particular, 77.03% of .fit and 94.21% of .work domain names were based in Japan. The rest of the domains were spread across dozens of other countries. Note, though, that these TLDs are the most abused for spam and phishing campaigns.


As for the newly registered domains under .top, two registrant countries stood out. Some 54.51% of them were registered in China, while 32.37% cited the U.S. as their registrant country. This finding is consistent with Spamhaus’s top 20 locations of botnet and command-and-control (C&C) servers, citing the U.S. as the top location, with China in eighth place.

What Are the Most Common Registrars?

GMO Internet Inc. owned 72.54% of the newly registered domains under the three gTLDs. The rest of the domains were distributed across dozens of other registrars, but the chart below shows the top 10 registrars for the five-day registration period.

What Percentage of WHOIS Records Have Been Redacted for Privacy?

You may also like...