Study says malicious actors bought up to 20% of new gTLD domains in 2025

By AI, Created 4:06 PM UTC, June 01, 2026, /AGP/ – Interisle Consulting Group says cybercriminals accounted for at least 10% of new generic domain registrations in 2025, with the real share possibly closer to 20%. The findings underscore how cheap, disposable domains continue to fuel attacks and why registries and registrars face pressure to strengthen abuse controls.

Why it matters: - Cybercriminals depend on a steady supply of low-cost domains to run phishing, malware and other attacks. - Interisle says the scale of abuse is large enough to distort parts of the domain market and shift costs onto victims, businesses and society. - The findings arrive as new open gTLDs are expected in 2027 and beyond, raising the stakes for abuse prevention.

What happened: - Interisle Consulting Group published a new analysis of 2025 generic Top-Level Domain, or gTLD, registrations. - The study found malicious actors purchased at least 10% of all newly registered gTLD domains in 2025. - Interisle estimates the actual share may be closer to 20%. - The report, Malicious Registrations in the Domain Name Market: An Analysis of 2025 gTLD Registrations and Cybercriminal Demand, is available online.

The details: - Nearly 85 million gTLD domains were newly registered in 2025. - By mid-May 2026, 8.5 million of those domains had been added to blocklists for malicious activity. - Interisle’s conservative projection raises the estimate to 16.8 million domains, or 20% of gTLD registrations. - Greg Aaron, an Interisle partner and study co-author, said abuse is highly concentrated in certain places. - Aaron said some gTLD registries and registrars had more than half, and in some cases up to 80%, of their 2025 new registrations blocklisted. - Five registrars accounted for 50% of all blocklisted gTLD domains created in 2025. - Several registries received hundreds of thousands to more than a million malicious registrations each. - The report says abuse is easier when domain names are cheap and easy to acquire in volume. - Karen Rose, an Interisle partner and study co-author, said market dynamics and industry practices that reward volume sales contribute to the abuse problem. - Rose said the costs of cybercrime enabled by these domains are borne by victims, businesses and society at large. - The study says some registries and registrars grew without attracting outsized abuse. - Rose said that pattern shows provider practices and abuse prevention choices can improve business quality. - Interisle says more effective abuse prevention, mitigation policies and enforceable contractual measures are needed. - Interisle also says those steps should reduce cybercriminal access to domain names while still supporting legitimate customers.

Between the lines: - The report points to a market problem, not just a security problem. - High-volume sales incentives can make abuse easier to scale unless registries and registrars actively intervene. - The concentration of abuse among a relatively small number of providers suggests enforcement and screening may matter as much as broader industry rules.

What’s next: - Interisle is pushing for stronger contractual requirements and more aggressive mitigation from domain industry players. - The expected rollout of new open gTLDs in 2027 and later could make abuse controls even more important. - The full report includes methodology, case studies and registrar- and gTLD-level data for further review.

The bottom line: - Interisle’s core message is blunt: cheap domain registrations remain a major tool for cybercrime, and current market practices are still letting too much of that abuse through.