Typosquatting API: Find Registered Typo & Lookalike Domains

Detect every registered typosquatting domain targeting your brand with a single REST API call. Fuzzy keyword search and wildcard pattern matching across 926.7M+ registered domains and 1,528+ TLDs, with registration dates. Free tier included - 500 credits, no card required.

curl --location 'https://api.whoisfreaks.com/v3.0/domain/typos?keyword=google&page=1&apiKey=API_KEY'
[
  {
    "status": true,
    "totalRecords": 384,
    "currentPage": 1,
    "totalPages": 4,
    "hasNextPage": true,
    "nextPageToken": "eyJjdXJzb3IiOiJnb29nbGUuY29tIiwicGFnZSI6MX0=",
    "domains": [
      {
        "domainName": "gooogle.com",
        "createDate": "2022-03-15",
        "expiryDate": "2025-03-15",
        "lastSeen": "2024-01-10",
        "isDropped": false
      },
      {
        "domainName": "googgle.com",
        "createDate": "2021-07-20",
        "expiryDate": "2024-07-20",
        "lastSeen": "2024-01-08",
        "isDropped": false
      },
      {
        "domainName": "gogle.com",
        "createDate": "2019-11-01",
        "expiryDate": "2023-11-01",
        "lastSeen": "2023-10-30",
        "isDropped": true
      }
    ]
  }
]
pricing backgroundEclipse Top RightEclipse Top LeftEclipse WHOIS Stats

Product

What Typosquatting Detection Solves?

Typosquatting is the practice of registering domain names that are misspellings, keyboard slips, or visual lookalikes of legitimate brand domains, then using them for phishing, malware delivery, ad fraud, or brand impersonation.

Character Typos

Omissions, insertions, substitutions.

Keyboard Slips

Adjacent QWERTY layout letters.

Homoglyph Lookalikes

Visually similar characters.

IDN Punycode

Cyrillic or Greek character variants.

Legal Context

In the US, typosquatting that exploits a registered trademark is actionable under the Anticybersquatting Consumer Protection Act (ACPA), with statutory damages from $1,000 to $100,000 per domain.

Trademark RecoveryUDRP Filing

How it works

How the Typosquatting API Works

Access real-time intelligence on registered lookalike domains without complex infrastructure.

Keyword Search

Pass a single brand label and the Typosquatting API returns every registered domain that fuzzy-matches it - character substitutions, transpositions, omissions, and repetitions across 926.7M+ registered domains and 1,528+ TLDs.

keyword=google

Pattern Search with Wildcards

Wildcard patterns combine fuzzy matching with expansion to catch the compound squats plain typo generation misses - prefix, suffix, and hyphenated variants like yourbrand-login.com and mygoogle.io. Up to 3 asterisks per pattern, placed anywhere.

pattern=*google*
Request

GET https://api.whoisfreaks.com/v3.0/typosquats?keyword=google&apiKey=YOUR_API_KEY

Response Preview
1{
2 "status": true,
3 "totalRecords": 3,
4 "domains": [
5 {
6 "domainName": "goog1e-login.com",
7 "createDate": "2026-05-02",
8 "expiryDate": "2027-05-02",
9 "isDropped": false,
10 "vpn_provider_name": "Nord VPN",
11 "vpn_confidence_score": 99,
12 "vpn_last_seen": "2026-01-19",
13 "is_relay": false,
14 "relay_provider_name": "",
15 "is_anonymous": true,
16 "is_known_attacker": true,
17 "is_bot": false,
18 "is_spam": false,
19 "is_cloud_provider": true,
20 "cloud_provider_name": "Packethub S.A."
21 }
22 ]
23}

Comparison

WhoisFreaks API vs Permutation Tools

Access real-time intelligence on registered lookalike domains without complex infrastructure.

FeaturePermutation tools (dnstwist)WhoisFreaks Typosquatting API
MethodGenerates candidates, then resolves each
Searches actual registered domains directly
CoverageLimited to generated permutations
Full 926.7M+ domain set, 1,528+ TLDs
Squatting DetectionMissed unless explicitly generated
Caught via wildcard pattern search
MetadataRequires separate WHOIS lookups
Create, expiry, drop status included
InfrastructureSelf-hosted script, high DNS volume
Managed REST API with SDKs

Use Cases

Domain Typosquatting in Action

See how security teams detect typosquatted domains and prevent phishing, impersonation, and brand abuse.

Feature icon

Brand Protection & Trademark

Run keyword and pattern scans across trademarked terms. Feed registration dates and drop status directly into UDRP filings and ACPA actions.

Feature icon

SOC & Threat Intelligence

Integrate into SIEM/SOAR pipelines to scan recurringly. Enrich hits with WHOIS and DNS context before it becomes a phishing incident.

Feature icon

Anti-Phishing Vendors

Embed detection as a feature. Use pattern search to flag suspicious sender domains and score inbound mail based on registration recency.

Feature icon

M&A & Corporate Dev

Scan target names and internal codenames before public disclosure to avoid speculators registering variants ahead of the news.

Feature icon

Registrars and domain platforms

Offer brand protection scans inside your own platform. Fixed pagination, predictable credit costs, and a single API key across all WhoisFreaks endpoints keep integration simple.

Feature icon

Threat Intelligence Researchers

Researchers map typosquatting campaigns across TLDs, correlating registration dates, drop patterns, and WHOIS records to attribute lookalike domain clusters to the same actor.

Request demo background

Integrate the Domain Reputation API to identify typosquatted domains in real time, detect phishing infrastructure early, and automate block, alert, or investigation workflows with a single API call.

Features

What our Typosquatting API Provide

Registered-Domain Typosquat Detection at Scale Across Thousands of TLDs.

Feature icon

Registered-Set Search

Searches 926.7M+ actually registered domains instead of resolving generated permutations, surfacing lookalikes no typo generator would produce.

Feature icon

Fuzzy Keyword Matching

Finds character substitutions, transpositions, omissions, and repetitions of your brand label in a single case-insensitive request.

Feature icon

Wildcard Pattern Search

Up to 3 free-position asterisks per pattern catch prefix, suffix, and compound squats like brand-login.com that keyword matching misses.

Feature icon

Registration Intelligence

Every match ships with create date, expiry date, and last-seen date - the recency signals that separate staged phishing infrastructure from parked noise.

Feature icon

Drop Status Tracking

The isDropped flag identifies typo variants that have fully dropped from the registry and are available for defensive registration.

Feature icon

Token Based Pagination

Fixed 100-per-page results with nextPageToken pagination keep portfolio-wide scans predictable and resumable.

Feature icon

24-48h Data Freshness

Newly registered typo variants appear in the index within 24 to 48 hours, so daily scans catch squats the same week they are registered.

Feature icon

Supported Formats

Get responses in JSON or XML format, for flexible data integrations in modern and legacy systems.

Integrations

Seemless Integration for Every Workflow

The WhoisFreaks Typosquatting API ships with official Python and Go SDKs, making it easy to add typosquat detection to any security product or brand protection platform with just a few lines of code. Request examples in cURL, Node.js, Java, C#, PHP, Ruby, Swift, and C++ are included in the documentation.

Make, Zapier, and n8n let non-technical teams automate scheduled brand scans and trigger notifications the moment a new lookalike domain is registered - no code required.

For SOC and threat intelligence teams, the API integrates into SIEM and SOAR platforms, MISP, and MS Security Copilot to fire automated alerts and response workflows when typosquatting domains appear across 1,528+ TLDs. Pair with the WHOIS API and DNS API to enrich every match with registrant and mail-server evidence.

Integration Workflow

FAQs

FAQs about the Domain Typosquatting API: risk signals and reputation fields

What is the Typosquatting API?

The Typosquatting API returns registered domains that look like typo variants of a brand keyword or wildcard pattern, matched against 926.7M+ registered domains across 1,528+ TLDs. Each result includes the domain name, registration date, expiry date, last-seen date, and a drop status flag.

How is the Typosquatting API different from dnstwist?

dnstwist generates typo permutations locally and resolves each one with DNS queries from your own infrastructure. The Typosquatting API searches the registered domain database directly - it catches compound and keyword squats that permutation generators miss, returns registration metadata inline without separate WHOIS lookups, and requires no self-hosted setup.

Should I use the keyword parameter or the pattern parameter?

Use keyword when you have a single brand label and want fuzzy typo variants of that exact label. Use pattern when you also want prefix, suffix, and compound squats - a pattern wrapping the keyword in asterisks (pattern=*google*) returns a superset of the keyword=google results. Pass only one of the two parameters per request.

How does wildcard pattern matching work?

The asterisk is the only supported wildcard, each asterisk matches zero or more characters, and up to 3 asterisks are allowed anywhere in the pattern. Total pattern length must be between 3 and 63 characters. Patterns with other regex characters return 400 Bad Request.

How quickly do newly registered typo domains appear in results?

WhoisFreaks ingests newly registered domain data continuously. A newly registered typo variant typically appears in the index within 24 hours of registration, so daily or weekly scans catch new squats the same week they are created.

When is isDropped set to true?

isDropped is true only after the domain has fully dropped from the registry and is available for re-registration. Domains in redemption grace period or pending-delete still report false - to detect imminent drops, monitor the expiry and last-seen dates instead.

How do I retrieve the next page of results?

The response includes nextPageToken whenever hasNextPage is true. Send the same keyword or pattern with your apiKey and set pageToken to that value, repeating until hasNextPage is false. Page size is fixed at 100 domains.

What is the difference between the Typosquatting API and Brand Monitoring?

The Typosquatting API is pull-based: you call it and receive a list of matching registered domains on demand. Brand Monitoring is push-based: it scans continuously with twice-daily TLD sweeps and alerts you when new lookalike registrations appear, with UDRP-ready evidence exports. Teams building their own pipeline use the API; teams that want a managed layer use Brand Monitoring.

Is there a free tier?

Yes. New accounts receive 500 free API credits on signup with no credit card required, and the free Typosquatting Checker tool supports manual single scans without an account.
Start Scoring Domains TodayJoin now and claim 500 credits for free!

Get an API key and send your first domain, or read the full API reference for every field and response code.