An overview of the domain extensions at the top of the 2025 risk rankings
Phishing remains profitable, and the numbers make it clear. In 2025, 38% more domains were reported as phishing, and phishing served as the initial vector in 16% of security breaches (and was partly responsible for 22% of credential abuse-related breaches), according to reports from Interisle Consulting Group and Verizon.
Direct and indirect losses associated with phishing are estimated at over $1 billion globally.
New gTLDs: The Focus of Cybercrime
By domain extension type, new gTLDs account for the highest number of registered domains used for phishing. And this trend shows no signs of slowing down: while in 2024 they held a 9% share of registrations and 21% of the total registered domains were fraudulent, in 2025 this has risen to an 11% share and 51% fraud.
In contrast, .com and .net (grouped together as a category since they were among the first available and thus hold the largest market share) and country code TLDs (ccTLDs) have lost 5 and 4 points, respectively, in the percentage of fraudulent domains.
The most used TLDs for fraud
We can analyze the ranking of high-risk domains in two ways: by looking at the absolute number of fraudulent domains registered for each extension or by calculating the percentage they represent of the total.
If we look at the absolute figures, we see the following:
.com and .net are in the top 10, specifically in first and tenth place. The intermediate positions are mostly occupied by ngTLDs, in this order: .top, .bond, .xyz, .shop, .xin, and .online.
In this top 10, only one ccTLD sneaks in: .cn, corresponding to China, which ranks eighth.
Some of these extensions had already appeared in the previous ranking or have been prominent across multiple editions of the ranking. This is the case for .com, .top, .xyz, .bond, and .cn.
If we look at the percentage of fraudulent domains relative to the total registered for each extension, we see the following:
The top 10 is led by ngTLDs that are mainly minor in terms of total registered domains (less than 100,000 registrations): .world, .monster, .xin, .help, .win, .cfd, .support, .top, and .lol.
Among these, .world and .monster stand out, with percentages of 49% and 32%, respectively.
In this list, some repeat offenders appear again: .monster, .support, and .lol.
It is worth highlighting the 2 TLDs that appear on both lists as the highest-risk: .top and .xin.
In the top 5 of 2025, there are TLDs that have already been in this ranking for at least one previous year, making them established TLDs in terms of cybercriminal use and the ones we should already have under control.
Malicious domains
The Interisle Consulting Group study differentiates between malicious domains, those registered with the intent of carrying out illicit activity, and domains used for phishing.
If we look at the number of malicious domain registrations by extension, we find the same main players: .com, .top, .xyz, .xin, .shop, .cfd, and .lol. But other extensions also make an appearance: .info (5th), .vip (6th), and .ru (8th). Notably, only two TLDs in the top 20 malicious domains are country-specific: .ru (Russia) and .cc (Cocos Islands, 11th place).
Beyond the tenth position, we encounter the usual suspects: .net, .bond, .online, and others already present in the previous edition, such as .icu (20th), and one of this year’s key players, .world (16th).
If we perform the same exercise looking at the percentage relative to total registrations, the ranking is as follows: .world, .bond, .xin, .cfd, .top, .lol, .vip, .pro, .xyz, .cc.
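Added example (not from the original article or the Interisle report): one way to turn the four rankings above into a triage score for DNS or proxy logs. The weights, threshold, log format and sample names are assumptions; percentage-based lists count double because the absolute lists also reflect market share.

```python
import re
from collections import Counter

# TLD lists as named in this article (leading dots dropped).
PHISH_ABS = {"com", "top", "bond", "xyz", "shop", "xin", "online", "cn", "net"}
PHISH_PCT = {"world", "monster", "xin", "help", "win", "cfd", "support", "top", "lol"}
MAL_ABS = {"com", "top", "xyz", "xin", "shop", "cfd", "lol", "info", "vip", "ru"}
MAL_PCT = {"world", "bond", "xin", "cfd", "top", "lol", "vip", "pro", "xyz", "cc"}

# Assumed weights: percentage lists count double, because absolute lists
# also reflect market share (.com leads them largely through sheer volume).
WEIGHTED = [(PHISH_ABS, 1), (PHISH_PCT, 2), (MAL_ABS, 1), (MAL_PCT, 2)]

def tld_of(name):
    """Return the last DNS label, lower-cased, or None if not a hostname."""
    name = name.strip().rstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9_-]+(\.[a-z0-9_-]+)+", name):
        return None
    return name.rsplit(".", 1)[1]

def risk_score(name):
    """Sum the weights of every ranking list the name's TLD appears on."""
    tld = tld_of(name)
    return sum(weight for tlds, weight in WEIGHTED if tld in tlds)

def triage(log_lines, threshold=3):
    """Return (name, score, hits) for queried names at or above threshold."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 3 and tld_of(fields[2]):
            hits[fields[2].rstrip(".").lower()] += 1
    flagged = [(n, risk_score(n), c) for n, c in hits.items()
               if risk_score(n) >= threshold]
    return sorted(flagged, key=lambda r: (-r[1], -r[2], r[0]))

# Constructed sample log: "<timestamp> <client> <queried name>"
SAMPLE_LOG = [
    "2025-06-26T09:00:01Z 10.0.0.5 login.sample-brand.top.",
    "2025-06-26T09:00:02Z 10.0.0.5 www.sample-brand.com",
    "2025-06-26T09:00:03Z 10.0.0.7 Secure.Sample-Brand.XIN",
    "2025-06-26T09:00:04Z 10.0.0.7 cdn.sample-brand.world",
    "2025-06-26T09:00:05Z 10.0.0.9 login.sample-brand.top",
    "2025-06-26T09:00:07Z 10.0.0.9 malformed_line",
]

if __name__ == "__main__":
    for name, score, count in triage(SAMPLE_LOG):
        print(f"{score}  {count}x  {name}")
```

With these weights a .com name scores 2 and stays below the default threshold, while .top and .xin, which appear on all four lists, score 6.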
Malicious Domains vs. Compromised Domains
The percentage of malicious domains has decreased across all domain types except for ccTLDs, for which it has increased by 15%, meaning we need to keep a close eye on them.
The five ccTLDs with the highest percentage of malicious domains per phishing domain are: .cc (91%), .ru (82%), .us (74%), .co (72%), and .de (68%). Notably, the only new entry in this top 5 is .de, which must have risen at least 15 points since the 2024 ranking to make it into this edition. Also noteworthy is the growth of .us, which jumped from 53% to 74%, an increase of 21 points.
The most registered
According to the Domain Name Industry Brief, Q3 2025 closed with 378.5 million domain name registrations, an increase of 16.2 million and 4.5% growth compared to 2024.
The most registered domain type was gTLDs, with 7.4 million registrations, followed by ccTLDs, with 4.8 million registrations. Looking at the growth rate between 2024 and 2025, gTLDs again lead the ranking, with 21% growth, followed by legacy TLDs at 9.3%.
These figures confirm the following:
- gTLDs are currently the highest-risk domain extensions.
- Other legacy extensions, apart from .com and .net, also play a significant role in the cybercrime landscape, as seen with .info, for example.
Namecheap has also published its ranking of the most registered extensions in 2025. This is interesting for two reasons: first, because Namecheap is the fourth largest registrar for phishing domains; and second, because it shows how the results from the Interisle report translate into reality.
Comparing the rankings, we observe that 9 of the extensions mentioned in the phishing report appear in Namecheap’s top 20: .com, .info, .shop, .xyz, .online, .net, .pro, .co, and .us. Additionally, the increase in .info registrations stands out, while the rest are the “usual suspects” that remain stable in the ranking.
Another exercise we carried out was to select a random date in 2025 (June 26) and observe which domains were registered the most. These are the results: .com, .top, .xyz, .shop, .vip, .au, .cn, .org, .online, and .de make up the top 10, and 9 of them are flagged in the phishing rankings.
How Do Scammers Choose the Extension?
There are basically 3 key factors:
Ease of registration
As we have already mentioned in previous articles, the key factor for the use of a domain extension for fraudulent purposes is primarily the lack of ownership verification requirements and validation mechanisms when registering a domain.
This depends on the policies set by each registry, meaning there is a direct relationship between a domain extension’s registration requirements and the percentage of fraud associated with that extension.
Bulk registration
When registrars allow bulk registrations, cybercriminals take advantage. According to Interisle, at least 37% of domains used for phishing were registered through bulk registration.
4 of the 5 registrars with the highest number of fraudulent domains are linked to the largest number of mass-registered phishing emails.
Cost
The cheaper the domain extension, the more fraudulent registrations it attracts. That’s why we need to take this factor into account in our preventive registration strategy.
According to the Interisle report, extensions with a registration cost below 2 euros generally accumulate the most fraudulent domains. There are some exceptions, such as .finance, which, despite its higher cost, falls into a similar range in terms of volume.
This means we should not overlook particularly sensitive themes.
Summary: The Highest-Risk Extensions
The following table lists all mentioned TLDs, along with their associated risk indicators. The most relevant ones, according to the Interisle ranking data, are highlighted in red and grey.
| TLD | Most Used for Phishing | Highest % of Fraud | Cybercrime Stalwarts | Most Malicious Domains | Highest % of Malicious Domains | Popularity |
|---|---|---|---|---|---|---|
| .com | x | x | x | x | | |
| .top | x | x | x | x | x | x |
| .xyz | x | x | x | x | | |
| .net | x | x | x | x | | |
| .bond | x | x | x | | | |
| .shop | x | x | x | | | |
| .xin | x | x | x | | | |
| .online | x | x | | | | |
| .cn | x | | | | | |
| .world | x | x | | | | |
| .monster | | | | | | |
| .help | | | | | | |
| .win | | | | | | |
| .cfd | x | x | | | | |
| .support | x | | | | | |
| .lol | x | x | | | | |
| .info | x | x | | | | |
| .vip | x | x | | | | |
| .ru | x | x | | | | |
| .cc | x | x | | | | |
| .pro | x | x | | | | |
| .de | x | x | | | | |
| .us | x | x | | | | |
| .co | x | x | | | | |
Conclusions
- New gTLDs should be on the radar of our Online Brand Protection strategy, which means keeping an eye on new launches.
- Attention should be paid to the .top, .bond, .shop, and .info extensions, which were already present in previous rankings but have grown or are growing strongly.
- For ccTLDs, the percentage of malicious registrations is increasing. Focus should be on .cc, .de, and .us due to their year-over-year growth, as well as the usual suspects .cn, .ru, and .com.
- A gTLD that stands out for appearing for the first time and with significant impact is .xin.
- It is important to analyze and identify gTLDs that, due to their theme and sector sensitivity, represent a threat, such as .finance for the Banking and Finance sector.
