Detect every registered typosquatting domain targeting your brand with a single REST API call. Fuzzy keyword search and wildcard pattern matching across 926.7M+ registered domains and 1,528+ TLDs, with registration dates. Free tier included - 500 credits, no card required.
Product
Typosquatting is the practice of registering domain names that are misspellings, keyboard slips, or visual lookalikes of legitimate brand domains, then using them for phishing, malware delivery, ad fraud, or brand impersonation.
Omissions, insertions, substitutions.
Adjacent QWERTY layout letters.
Visually similar characters.
Cyrillic or Greek character variants.
In the US, typosquatting that exploits a registered trademark is actionable under the Anticybersquatting Consumer Protection Act (ACPA), with statutory damages from $1,000 to $100,000 per domain.
How it works
Access real-time intelligence on registered lookalike domains without complex infrastructure.
Pass a single brand label and the Typosquatting API returns every registered domain that fuzzy-matches it - character substitutions, transpositions, omissions, and repetitions across 926.7M+ registered domains and 1,528+ TLDs.
keyword=googleWildcard patterns combine fuzzy matching with expansion to catch the compound squats plain typo generation misses - prefix, suffix, and hyphenated variants like yourbrand-login.com and mygoogle.io. Up to 3 asterisks per pattern, placed anywhere.
pattern=*google*1{2 "status": true,3 "totalRecords": 3,4 "domains": [5 {6 "domainName": "goog1e-login.com",7 "createDate": "2026-05-02",8 "expiryDate": "2027-05-02",9 "isDropped": false,10 "vpn_provider_name": "Nord VPN",11 "vpn_confidence_score": 99,12 "vpn_last_seen": "2026-01-19",13 "is_relay": false,14 "relay_provider_name": "",15 "is_anonymous": true,16 "is_known_attacker": true,17 "is_bot": false,18 "is_spam": false,19 "is_cloud_provider": true,20 "cloud_provider_name": "Packethub S.A."21 }22 ]23}Comparison
Access real-time intelligence on registered lookalike domains without complex infrastructure.
| Feature | Permutation tools (dnstwist) | WhoisFreaks Typosquatting API |
|---|---|---|
| Method | Generates candidates, then resolves each | Searches actual registered domains directly |
| Coverage | Limited to generated permutations | Full 926.7M+ domain set, 1,528+ TLDs |
| Squatting Detection | Missed unless explicitly generated | Caught via wildcard pattern search |
| Metadata | Requires separate WHOIS lookups | Create, expiry, drop status included |
| Infrastructure | Self-hosted script, high DNS volume | Managed REST API with SDKs |
Use Cases
See how security teams detect typosquatted domains and prevent phishing, impersonation, and brand abuse.
Run keyword and pattern scans across trademarked terms. Feed registration dates and drop status directly into UDRP filings and ACPA actions.
Integrate into SIEM/SOAR pipelines to scan recurringly. Enrich hits with WHOIS and DNS context before it becomes a phishing incident.
Embed detection as a feature. Use pattern search to flag suspicious sender domains and score inbound mail based on registration recency.
Scan target names and internal codenames before public disclosure to avoid speculators registering variants ahead of the news.
Offer brand protection scans inside your own platform. Fixed pagination, predictable credit costs, and a single API key across all WhoisFreaks endpoints keep integration simple.
Researchers map typosquatting campaigns across TLDs, correlating registration dates, drop patterns, and WHOIS records to attribute lookalike domain clusters to the same actor.
Integrate the Domain Reputation API to identify typosquatted domains in real time, detect phishing infrastructure early, and automate block, alert, or investigation workflows with a single API call.
Features
Registered-Domain Typosquat Detection at Scale Across Thousands of TLDs.
Searches 926.7M+ actually registered domains instead of resolving generated permutations, surfacing lookalikes no typo generator would produce.
Finds character substitutions, transpositions, omissions, and repetitions of your brand label in a single case-insensitive request.
Up to 3 free-position asterisks per pattern catch prefix, suffix, and compound squats like brand-login.com that keyword matching misses.
Every match ships with create date, expiry date, and last-seen date - the recency signals that separate staged phishing infrastructure from parked noise.
The isDropped flag identifies typo variants that have fully dropped from the registry and are available for defensive registration.
Fixed 100-per-page results with nextPageToken pagination keep portfolio-wide scans predictable and resumable.
Newly registered typo variants appear in the index within 24 to 48 hours, so daily scans catch squats the same week they are registered.
Get responses in JSON or XML format, for flexible data integrations in modern and legacy systems.
Integrations
The WhoisFreaks Typosquatting API ships with official Python and Go SDKs, making it easy to add typosquat detection to any security product or brand protection platform with just a few lines of code. Request examples in cURL, Node.js, Java, C#, PHP, Ruby, Swift, and C++ are included in the documentation.
Make, Zapier, and n8n let non-technical teams automate scheduled brand scans and trigger notifications the moment a new lookalike domain is registered - no code required.
For SOC and threat intelligence teams, the API integrates into SIEM and SOAR platforms, MISP, and MS Security Copilot to fire automated alerts and response workflows when typosquatting domains appear across 1,528+ TLDs. Pair with the WHOIS API and DNS API to enrich every match with registrant and mail-server evidence.
Get an API key and send your first domain, or read the full API reference for every field and response code.