Phase 4 + 3 · Lifecycle & topology

Domains expire, return, and link.

We diff consecutive zone-file snapshots to find domains that expired (left the zone) and were newly registered (entered it). The ones that drop and come back are reused, the classic abuse precursor. Then we follow the link graph one hop to see where collected domains actually point. Two views of the same lifecycle, below.

What this page shows: the domain lifecycle at zone scale, expired and newly-registered domains (the delta), which of the new ones are malicious (on our blocklist), which expired domains were genuinely re-registered, groups of domains run by one operator (identical content), and the link topology. See the panels below and the FAQ for method details.
Delta detection · expired & newly registered
Top TLDs by churn
Genuinely re-registered

RDAP creation date after the April baseline (n=15). The 858 "returning" diffs are TLD-coverage-gap artifacts, excluded.

    Link-graph topology

    Where collected pages point, one hop out. Each node is a domain, each edge a link. Most inbound links go to expected social/CDN hubs (dimmed in the list); the signal is in the non-obvious targets and the flagged sources.

    Legend: source (collected) · link target · tracked in our zone
    Most-linked domains

    These domains receive the most inbound links in the graph.

      Methodology & FAQ

      How to read this page

      How are domains surfaced and analyzed?

      The page surfaces and analyzes domains through several independent, data-driven layers:

      1. Delta detection, diffing consecutive zone-file snapshots to find domains that expired and were newly registered.
      2. Maliciousness, checking every newly-registered domain against DomainDefender's own blocklist (the panels above).
      3. Reuse, domains that expired and were genuinely re-registered (RDAP creation date after the April baseline).
      4. Operator clusters, domains serving byte-identical page content (same content hash = one operator running many throwaways).

      The link graph then maps where collected pages point one hop out, and who still links back to the domains we analyze.
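      As an added illustration of the four layers listed above (example code written for this page, not DomainDefender's own pipeline), a small Python model of the zone delta, the RDAP re-registration check, content-hash clustering and the blocklist intersection, run over constructed snapshots with placeholder domain names; it keeps "surfaced" candidates and "malicious" feed matches as separate sets, as the FAQ describes.

```python
from collections import defaultdict
from datetime import date

BASELINE_DATE = date(2026, 4, 26)  # the April baseline the FAQ refers to

def lifecycle(snapshots):
    """Layer 1: diff consecutive snapshots. expired = left the zone, new = entered;
    a domain that expired in an earlier diff and is 'new' later is a 'returning' diff."""
    expired_ever, new_total, returning = set(), set(), set()
    for prev, cur in zip(snapshots, snapshots[1:]):
        expired, new = prev - cur, cur - prev
        returning |= new & expired_ever
        expired_ever |= expired
        new_total |= new
    return expired_ever, new_total, returning

def split_returning(returning, rdap_created, baseline_date=BASELINE_DATE):
    """Layer 3: genuinely re-registered only if the RDAP creation date is after the
    baseline; otherwise the drop/return is a TLD coverage-gap artifact and is excluded."""
    genuine = {d for d in returning if rdap_created.get(d, date.min) > baseline_date}
    return genuine, returning - genuine

def operator_clusters(content_hash, min_size=2):
    """Layer 4: group domains serving byte-identical page content (same hash)."""
    groups = defaultdict(set)
    for domain, digest in content_hash.items():
        groups[digest].add(domain)
    return {h: d for h, d in groups.items() if len(d) >= min_size}

def analyze(snapshots, rdap_created, blocklist, content_hash):
    """Surfaced (cheap candidates) and malicious (feed match) are reported separately."""
    expired, new, returning = lifecycle(snapshots)
    genuine, artifacts = split_returning(returning, rdap_created)
    clusters = operator_clusters(content_hash)
    surfaced = new | genuine | set().union(*clusters.values())
    return {"expired": expired - returning, "new": new, "reregistered": genuine, "artifacts": artifacts,
            "clusters": clusters, "surfaced": surfaced, "malicious": new & blocklist}  # Layer 2

# Constructed sample input (placeholder names, not DomainDefender data): three zone
# snapshots, RDAP creation dates, a blocklist and crawled-content hashes.
SNAPSHOTS = [
    {"old-shop.example", "gone.example", "comeback.example", "flicker.example"},
    {"old-shop.example"},  # middle pull misses a TLD, so flicker.example "drops" too
    {"old-shop.example", "comeback.example", "flicker.example", "login-alert.example",
     "verify-now.example"},
]
RDAP_CREATED = {"comeback.example": date(2026, 5, 14), "flicker.example": date(2025, 1, 10),
                "login-alert.example": date(2026, 6, 2), "verify-now.example": date(2026, 6, 3)}
BLOCKLIST = {"verify-now.example", "unrelated-feed-hit.example"}
CONTENT_HASH = {"login-alert.example": "h1", "verify-now.example": "h1", "comeback.example": "h3"}
```

      Note that a single two-snapshot diff cannot see a drop-and-return at all; the "returning" set only exists because the walk keeps the expired set from earlier diffs.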

      Are these domains actually malicious? How do you know?

      To test maliciousness we intersect the newly-registered domains with DomainDefender's own ingested blocklist, which aggregates public threat feeds (PhishTank, OpenPhish, URLhaus, abuse.ch, Phishing.Database, Phishing.Army). A domain counts as malicious if one of those feeds has reported it for phishing or malware.

      Many newly-registered abuse domains are not on any feed yet, which is exactly the early-warning value of catching them at the zone-delta stage, before the feeds list them. The feeds themselves are maintained and vetted by the security community.

      How is a domain counted as malicious?

      A domain counts as malicious if it appears on DomainDefender's own ingested blocklist. That blocklist aggregates public threat feeds, PhishTank, OpenPhish, URLhaus, abuse.ch (MalwareBazaar / Feodo / SSLBL), Phishing.Database, and Phishing.Army, covering phishing, malware download, scamming, and C&C.

      These signals are not ours. A domain is on the list because one of those feeds observed and reported it serving phishing or malware. We do not label domains ourselves; we intersect the newly-registered set with the feeds.

      Stated plainly, this measures "listed by a public threat feed as malicious," a reputation signal, not an independent forensic analysis of each domain. Freshly-registered abuse is often not on any feed yet, which is why catching it early at the zone-delta stage is the value of this pipeline.

      Do we have registration info for these domains?

      Yes. The creation date, registrar, and registrant come from RDAP enrichment. The "newly registered" flag on this page is from the zone delta, a domain present in the June zone files but absent from our April-26 baseline, which we then join to the actual registration record.

      Why are .com and .xyz at the top if you say they're not abusive?

      The default "By volume" ranking tracks TLD size, .com tops it simply because it's the biggest zone (11.6M churned = only 6.85%, normal turnover). Switch to "By rate" and the big TLDs fall below the 14.3% median; the real per-zone abuse intensity is in cheap flood TLDs. Size ≠ abuse.

      What are "operator clusters"?

      Operator clusters are groups of domains serving byte-identical page content (same content hash). Identical content across many throwaway names means one operator or one phishing kit; every domain in a cluster is a lead.

      What's the data source and time window?

      Zone files from ICANN CZDS (588 gTLDs). The delta compares the 2026-04-26 baseline against the latest June snapshots. Maliciousness comes from DomainDefender's own ingested blocklist; the link graph from our own content crawl. .com is included; .net/.org are a known coverage gap (not re-pulled in June yet).

      What's the difference between "surfaced" (flagged) and "malicious"?

      Surfaced = a domain shows up in one of our analysis layers (newly registered, re-registered, or part of a shared-content operator cluster). It is a candidate, derived cheaply from zone + content data.

      Malicious = the domain appears on DomainDefender's blocklist, meaning a public threat feed reported it for phishing or malware. A domain can be surfaced but not malicious, or malicious but not surfaced by our other layers. We report them separately.

      How accurate / verified is the maliciousness evaluation?

      The match is deterministic: a newly-registered domain either appears on a public threat feed or it does not, so there is no model or score to second-guess. The blocklist is maintained and vetted by the security community (PhishTank, abuse.ch, and so on). The malicious set's TLD distribution (heavy on .top / .click / .cfd / .cyou) matches known abuse patterns.

      What data sources power the maliciousness and link-graph views?

      The maliciousness signal is DomainDefender's own ingested blocklist (PhishTank, OpenPhish, URLhaus, abuse.ch, Phishing.Database, Phishing.Army), refreshed by our own pipeline. The link graph is built from our own content crawl. (An external infrastructure graph was used only for early exploration; the figures on this page are entirely from DomainDefender's own data.)

      How much data does this cover?

      279M zone records across 588 gTLDs. The April→June delta found 9.3M expired and 13.3M newly-registered domains. All 13.3M newly-registered were scored for maliciousness; the link graph holds 11,084 forward + 1,961 reverse edges.

      Why does this matter?

      Domain abuse (phishing, scams, malware delivery) starts at registration. Most malicious domains aren't in any threat feed yet when they're registered; catching them at the zone-delta stage (newly registered + on bad infra + listed by threat intel) is an early-warning signal that leads the feeds. This page is the research surface for that pipeline.
