The industrialization of malicious domain creation
📊 Analytics, 2026-06-16, 10:19
Researchers analyzed more than 1.5 million malicious domains detected via VirusTotal from January to May 2026 and concluded that their registration increasingly resembles an industrial process. Only about 10% of the domains were flagged as malicious after legitimate sites were compromised — the rest were purposefully registered by attackers.
The conclusion that malicious domain registration has become a highly streamlined process is supported by the following observed patterns:
🔴 The gap between domain registration and detection is usually very short: nearly one‑third of new domains were identified as malicious within a week of registration, and some were flagged on the very day they were registered.
🔴 Most of the infrastructure is concentrated among a small number of registrars and domain zones. The .com TLD leads, followed by .top, .cc, and .xyz. The top 10 TLDs account for two‑thirds of all malicious domains.
🔴 Eight out of ten IP addresses hosting attacker‑controlled domains belong to Cloudflare; the two largest alone handled more than 230,000 domains each. These IPs correspond to reverse proxies through which traffic for numerous sites passes — as previously discussed, attackers exploit this setup to evade blocking of their resources.
Researchers also grouped malicious domains by registrar and creation date. When five or more domains matched on these traits, they were treated as a single batch. Over 75% of the analyzed domains fell into such batches: the largest batch included 2,000 domains registered on the same day with one registrar.
Domain names in these groups often followed simple alphanumeric patterns, indicating automated generation and bulk registration to rapidly deploy attacker infrastructure.
In effect, this resembles an assembly-line operation: a small number of registrars generate most of the domains, a limited set of TLDs dominates, and traffic is routed mainly through a few major networks. This concentration simplifies detection of large portions of malicious domains — they can be identified through mass registrations matching known patterns.
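The batching heuristic described above (group domains by registrar and creation date, treat five or more matching domains as a batch, then look for simple alphanumeric name patterns), as an added Python example that is not part of the original article. The registration records, registrar names and the generated-name regex are constructed assumptions, since the article does not define what "simple alphanumeric pattern" means.

```python
import re
from collections import defaultdict

# Constructed sample registration records (domain, registrar, creation date).
# Registrar names, dates and domains are invented for this example.
RECORDS = [
    ("xk1001.top", "RegistrarA", "2026-03-02"),
    ("xk1002.top", "RegistrarA", "2026-03-02"),
    ("xk1003.top", "RegistrarA", "2026-03-02"),
    ("xk1004.top", "RegistrarA", "2026-03-02"),
    ("xk1005.top", "RegistrarA", "2026-03-02"),
    ("xk1006.top", "RegistrarA", "2026-03-02"),
    ("bluebakery.com", "RegistrarB", "2026-03-02"),  # below batch threshold
    ("ab2201.cc", "RegistrarB", "2026-03-02"),
    ("mycompanyname.com", "RegistrarA", "2026-03-05"),  # batch, but word-like names
    ("freshcoffee.top", "RegistrarA", "2026-03-05"),
    ("qw3301.cc", "RegistrarA", "2026-03-05"),
    ("localnews.xyz", "RegistrarA", "2026-03-05"),
    ("gardentools.com", "RegistrarA", "2026-03-05"),
]

BATCH_MIN = 5  # the article's threshold: five or more domains sharing registrar and date

# Hypothetical heuristic for a "simple alphanumeric pattern": a short letter prefix
# followed by a run of digits in the registrable label (e.g. xk1001). Assumption, not
# the researchers' definition.
GENERATED_RE = re.compile(r"^[a-z]{1,4}\d{3,}$")


def batch_domains(records, min_size=BATCH_MIN):
    """Group domains by (registrar, creation date); keep groups of min_size or more."""
    groups = defaultdict(list)
    for domain, registrar, created in records:
        groups[(registrar, created)].append(domain)
    return {key: sorted(doms) for key, doms in groups.items() if len(doms) >= min_size}


def looks_generated(domain):
    """True if the second-level label matches the generated-name heuristic."""
    label = domain.lower().split(".")[0]
    return GENERATED_RE.fullmatch(label) is not None


def flag_batches(records, min_size=BATCH_MIN, min_ratio=0.6):
    """Return batches in which at least min_ratio of the names look auto-generated."""
    flagged = {}
    for key, domains in batch_domains(records, min_size).items():
        ratio = sum(looks_generated(d) for d in domains) / len(domains)
        if ratio >= min_ratio:
            flagged[key] = domains
    return flagged
```

On the constructed records, only the RegistrarA / 2026-03-02 batch is flagged; the RegistrarA / 2026-03-05 group meets the size threshold but its names are mostly word-like, so the pattern ratio stays below the cut-off.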