Written By Nadeem Khan, WhoisFreaks Team Published: June 10, 2026, Last Updated: June 10, 2026
TL;DR: Attackers need web infrastructure like anyone building a site. The difference is how they get it. Many register fresh domain names specifically for each campaign rather than hacking into someone else's website. These are called maliciously registered domains, and a 39-month analysis of over 690,000 phishing domains found that 66.1% were acquired this way. Fresh registrations give attackers full control, a clean reputation history, and a cost structure that makes domain rotation at scale viable for under a dollar per name. Domain registration records expose these choices through timestamps, registrant patterns, and name server reuse.
Every malicious website sits on a domain. But that domain did not always start life as a weapon.
Attackers have two ways to acquire one. The first is to register a fresh domain name specifically for the attack (what security researchers call a maliciously registered domain): a name acquired from a registrar with harmful intent from the start. The second is to find a legitimate website, exploit a vulnerability in its CMS or hosting environment, and inject malicious content into a domain the attacker does not own.
Both approaches work. Security researchers have documented both extensively. But they serve different operational goals, carry different risks, and leave different traces. Across the full spectrum of malicious URLs, compromise is the majority approach: a 2021 USENIX Security study found that among private-apex malicious sites, 65.6% were compromised legitimate websites and 34.4% were attacker-registered. For phishing campaigns specifically, the ratio reverses: Lim et al. (2025) found that 66.1% of phishing domains are maliciously registered. For C2 infrastructure and bulk spam, the preference for fresh registration follows from the operational requirements covered below, not from a comparable dataset.
This article explains what those reasons are, and what WHOIS signals let analysts detect maliciously registered domains before the first victim clicks.
Quick definition: A maliciously registered domain is a domain name intentionally created to serve a harmful purpose from the moment of registration. The registrant is the attacker. The domain was never meant for legitimate use.
Malicious domains as a category include both: those registered with harmful intent from day one and those compromised after legitimate registration. This article focuses on the former. A compromised domain belongs to a legitimate owner who registered it in good faith; an attacker later gained unauthorized access to the hosting environment or DNS configuration.
The distinction matters for detection and mitigation. A maliciously registered domain can be taken down at the registrar or registry level permanently. A compromised domain requires notifying the actual owner and waiting for remediation. A block placed on a compromised domain may harm a real business once the intrusion is cleaned up. The response playbooks are different.
The three campaign types below each have distinct operational reasons for preferring a domain the attacker owns outright. The fourth section covers a phishing-specific constraint (SSL certificate control) that makes a compromised site unworkable as a base for credential-harvesting pages.
Phishing is the clearest use case for malicious registration. The attacker needs a domain that looks like a brand, hosts a convincing login page, and passes a credibility check in a browser address bar. Registering a fresh domain gives them full control over every element of that setup.
A domain like paypa1-secure-login[.]com or microsoft365-verify[.]top can be registered in minutes, pointed at an attacker-controlled server, and issued a free SSL certificate via Let's Encrypt within the hour. The page goes live before any threat intelligence feed has seen the domain.
Research published in a 2025 longitudinal analysis of 690,502 phishing domains by Lim et al. found that 66.1% of phishing domains were maliciously registered. The same study found that these domains target brands by mimicking their names under cheap alternative TLDs like .top, .shop, and .io, rather than the .com or country-code TLD the real brand uses. On average, phishing domains remained accessible for 11.5 days after being detected and added to a blocklist.
The fresh registration approach also gives attackers what a compromised site cannot: a domain they designed for the target brand from day one. No cleanup of someone else's prior content, no risk that the legitimate owner logs in and discovers injected pages, no dependency on the target site's hosting stack.
Spam-at-scale requires domain rotation. Once a sending domain lands on a blocklist, spam filters reject every message that comes from it. The operational answer is volume: register dozens or hundreds of domains, distribute sending across them, and cycle through replacements as each gets flagged.
This is only economically viable with fresh registrations. Many new generic TLDs price domains under $1, sometimes as low as $0.10 during promotional windows. Research into registrar patterns and malicious registration incentives (INFERMAL, 2025) found that bulk registration API access and discount structures at certain registrars significantly increase the probability of abuse. Attackers automate the entire process: domain availability checks, registration, DNS record setup, and renewal all run through registrar APIs without manual intervention.
Compromised domains do not scale this way. You cannot bulk-acquire compromised websites the way you can bulk-register domains. Each compromise requires finding a vulnerable site, exploiting it, and maintaining access: a labor-intensive process that breaks the economics of high-volume spam infrastructure.
Domain Generation Algorithms (DGAs) are built entirely around fresh domain registration. The algorithm takes a seed value (typically a date) and produces a list of pseudo-random domain names. On a given day, the malware on infected hosts might look for xkqtmzp[.]top, rnbdvxk[.]top, and hundreds more generated by the same formula. The attacker pre-registers one or a few names from that day's list before the malware calls home; the infected host only needs one of its many lookups to resolve.
This architecture requires attacker-owned domains by definition. A compromised site cannot be pre-configured to answer DGA queries on a rotating daily schedule. The attacker would need persistent server-level access to a third party's infrastructure, and could lose it the moment the legitimate owner patches, reboots, or rotates credentials.
Fresh registration also gives C2 operators full control over DNS TTLs. Short TTLs (60 seconds or less) let malicious operators rotate the IP address a domain resolves to with minimal lag (a technique called fast-flux), used to keep C2 servers available despite blocklisting and takedown attempts.
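As an added illustration (not code from the article, and not the algorithm of any real malware family), the toy DGA below shows why this architecture forces the attacker to own the day's domains: the seed, the date and the algorithm fully determine the candidate list, so an analyst who recovers the algorithm can precompute the same list and match it against DNS logs. The seed constant, the TLD list and the sample query log are all invented for the example.

```python
"""Toy date-seeded DGA plus the defender-side precomputation it enables.
Added illustration: the algorithm, FAMILY_SEED, TLD list and sample log are
invented for this example and do not describe any real malware family."""
from __future__ import annotations
import hashlib
from datetime import date, timedelta

TLDS = ("top", "xyz", "shop")            # assumption: cheap TLDs like the ones the article names
FAMILY_SEED = b"example-family-seed"     # assumption: stands in for the seed hard-coded in an implant


def dga_candidates(day: date, count: int = 64, seed: bytes = FAMILY_SEED) -> list[str]:
    """Return the day's candidate C2 names. Same seed + same date => same list,
    whether the implant or the analyst computes it."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 7 + digest[0] % 6                               # 7..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def match_dns_log(queries: list[str], today: date, lookback_days: int = 2,
                  **kw) -> dict[str, date]:
    """Map each queried name that is in the DGA set for `today` or one of the previous
    `lookback_days` days to that day. The lookback absorbs clock skew on infected hosts."""
    table: dict[str, date] = {}
    for back in range(lookback_days, -1, -1):
        day = today - timedelta(days=back)
        for name in dga_candidates(day, **kw):
            table[name] = day
    hits: dict[str, date] = {}
    for q in queries:
        name = q.lower().rstrip(".")      # resolvers often log the trailing dot
        if name in table:
            hits[name] = table[name]
    return hits


# Constructed DNS log for 2024-11-14: two DGA lookups (one from today's list, one
# from yesterday's) and two benign names.
DAY = date(2024, 11, 14)
SAMPLE_QUERIES = [
    "www.example.com",
    dga_candidates(DAY)[3],
    dga_candidates(DAY - timedelta(days=1))[10] + ".",
    "mail.example.org",
]


def demo() -> dict[str, date]:
    return match_dns_log(SAMPLE_QUERIES, DAY)


if __name__ == "__main__":
    print("candidates for", DAY, ":", ", ".join(dga_candidates(DAY)[:5]), "...")
    for name, day in demo().items():
        print(f"DGA hit: {name} (set for {day})")
```

The defender's version of the same function is what lets a sinkhole operator or registry pre-register or block tomorrow's list before the operator does; the lookback window matters because infected hosts with a wrong clock query yesterday's or tomorrow's names.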
This section covers a phishing-specific constraint, not a fourth campaign type. C2 implants do not look for a padlock: they run over raw TCP, DNS, or HTTPS with whatever certificate the operator configures, so a browser-trusted certificate is optional. Spam operators sending bulk email have no use for HTTPS either. For phishing, though, HTTPS is non-negotiable: users have been trained to look for the padlock, and modern browsers flag plaintext HTTP sites with visible "Not secure" warnings.
For a freshly registered domain, getting a trusted certificate is trivial. Let's Encrypt issues free Domain Validation certificates in under a minute via an automated challenge-response (ACME). The domain needs to resolve to a server the attacker controls, or its DNS zone needs to be editable by the attacker, and the certificate is issued. The phishing page runs over HTTPS with a valid certificate chain before any threat feed knows the domain exists. The issuance itself does land in public Certificate Transparency logs, which is why monitoring CT for brand keywords complements monitoring of new registrations.
Compromised websites frequently already have SSL certificates, but the private keys and the CA account behind them belong to the legitimate owner. The attacker cannot renew them through the owner's account, cannot add the subdomains used in the attack to the SANs without DNS control, and loses the certificate entirely if the owner revokes it during incident response. An attacker with write access to the web root can sometimes pass an HTTP-01 challenge and obtain a fresh DV certificate for the compromised name, but that issuance is recorded in Certificate Transparency under the victim's domain, where the owner's monitoring can see it, and the access it depends on disappears the moment the owner regains control. Either way, the attacker is a guest in someone else's PKI relationship.
Maliciously registered domains leave traces in registration metadata. Attackers know this and take steps to obscure them. Even with WHOIS privacy enabled and disposable registrant emails, patterns persist.
Creation date proximity to campaign activity. The creation_date field in a WHOIS record is the clearest early signal. A domain registered within hours or days of when phishing emails went out, or when malicious DNS records appeared, is a strong indicator of purpose-built infrastructure. This is why monitoring new domain registrations against brand keywords catches threats before they operate at scale.
Registrar selection. Attackers gravitate toward registrars with lax abuse enforcement, low prices, and API-friendly registration processes. Research has consistently identified that certain registrars and TLD operators account for disproportionate shares of malicious registrations. The registrar field in a WHOIS record is a fast triage signal when combined with other indicators.
Registrant email patterns. Even with GDPR-driven redaction, some WHOIS records still expose registrant email addresses. Disposable email services (guerrillamail, mailnull, temporary-mail equivalents) in the registrant contact are a consistent marker. More useful still: the same registrant email appearing across 20 or 40 domains, especially those with similar naming patterns, points to organized infrastructure rather than a single incident.
Expiry settings. Maliciously registered domains are almost always set to the minimum registration period: one year, sometimes less where supported. A threat actor does not invest in multi-year domain registrations for throwaway phishing infrastructure.
Name server clustering. Malicious infrastructure often reuses name servers across multiple domains. When the same custom name server appears on 15 newly registered domains with brand-mirroring names, that cluster is almost certainly part of a single campaign. WHOIS records expose name server assignments, and pivoting on them reveals the full scope of the infrastructure.
Registration burst patterns. A single registrant or registrant organization creating 30 domains in a 2-hour window, especially with sequential or algorithmically similar names, is a bulk registration burst. These bursts are visible in WHOIS registration timestamps when queried at scale.
The WHOIS signals above require both lookup depth and pivot capability. A single WHOIS query tells you about one domain. Detection at scale requires being able to pull registration metadata for any suspect domain, then pivot across registrant fields to find related infrastructure.
WHOIS lookup for individual domain triage. When a suspect domain appears in a log, alert, or threat report, a WHOIS lookup returns the full registration record: creation date, registrar, registrant organization, name servers, and expiry. This is the first step in determining whether you're dealing with a freshly registered attacker domain or a legitimate site that got compromised.
Here is what a representative WHOIS record for a brand-impersonation domain might look like at triage:
Domain Name: paypa1-secure-login.top
Created Date: 2024-11-14T08:33:02Z ← registered 6 hours before first phishing send
Expiry Date: 2025-11-14T08:33:02Z ← minimum 1-year throwaway lifecycle
Registrar: Reg-Enabler, Inc. ← high-abuse-volume registrar
Registrant: REDACTED (privacy proxy)
Name Server: ns1.fast-host-infra.com ← shared across 38 other newly registered domains
Name Server: ns2.fast-host-infra.com
Three signals in one record: creation timestamp within hours of campaign launch, a registrar with a documented abuse pattern, and name servers that appeared on 38 other freshly registered domains following the same brand-impersonation naming convention.
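The signals listed above (creation proximity, minimum term, registrar, disposable registrant email, name server clustering, registration bursts) can be scored from the record fields directly. The block below is an added example, not WhoisFreaks tooling or the article's own code: it parses records in the key/value shape shown above, computes the per-domain signals, counts name server reuse across the set, and groups creation timestamps into bursts. The four records, the registrar name (taken from the illustrative record above) and the disposable-mail list are constructed placeholders, not findings about any real provider.

```python
from __future__ import annotations
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumptions: both lists would be maintained from your own telemetry; these entries are placeholders.
DISPOSABLE_MAIL = {"guerrillamail.com", "mailnull.com"}
HIGH_ABUSE_REGISTRARS = {"reg-enabler, inc."}

# Constructed records in the key/value shape shown above, plus one long-lived legitimate domain.
SAMPLE_WHOIS = """\
Domain Name: paypa1-secure-login.top
Created Date: 2024-11-14T08:33:02Z
Expiry Date: 2025-11-14T08:33:02Z
Registrar: Reg-Enabler, Inc.
Registrant Email: REDACTED FOR PRIVACY
Name Server: ns1.fast-host-infra.com
Name Server: ns2.fast-host-infra.com

Domain Name: microsoft365-verify.top
Created Date: 2024-11-14T09:02:17Z
Expiry Date: 2025-11-14T09:02:17Z
Registrar: Reg-Enabler, Inc.
Registrant Email: drop4421@guerrillamail.com
Name Server: ns1.fast-host-infra.com
Name Server: ns2.fast-host-infra.com

Domain Name: appleid-confirm.shop
Created Date: 2024-11-14T09:40:55Z
Expiry Date: 2025-11-14T09:40:55Z
Registrar: Reg-Enabler, Inc.
Registrant Email: drop4421@guerrillamail.com
Name Server: ns1.fast-host-infra.com
Name Server: ns2.fast-host-infra.com

Domain Name: example-bakery.com
Created Date: 2015-03-02T12:00:00Z
Expiry Date: 2027-03-02T12:00:00Z
Registrar: Example Registrar LLC
Name Server: ns1.example-dns.net
Name Server: ns2.example-dns.net
"""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_whois(text: str) -> list[dict]:
    """Records separated by one blank line -> dicts keyed by lowercased field name;
    repeated 'Name Server' lines are collected into a list under 'name servers'."""
    records: list[dict] = []
    for block in text.strip().split("\n\n"):
        rec: dict = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "name server":
                rec.setdefault("name servers", []).append(value.lower())
            else:
                rec[key] = value
        records.append(rec)
    return records


def nameserver_counts(records: list[dict]) -> Counter:
    """How many domains in the set point at each name server (the clustering pivot)."""
    return Counter(ns for r in records for ns in set(r.get("name servers", [])))


def record_signals(rec: dict, first_seen: datetime, ns_counts: Counter) -> list[str]:
    """Signals that fire for one record. first_seen is when the domain first showed up
    in your own telemetry (a phishing mail, a proxy log, a DNS query)."""
    created, expires = _ts(rec["created date"]), _ts(rec["expiry date"])
    signals = []
    age = first_seen - created
    if timedelta(0) <= age <= timedelta(days=7):
        signals.append(f"created {age.total_seconds() / 3600:.0f}h before first sighting")
    if expires - created <= timedelta(days=366):
        signals.append("minimum 1-year term")
    if rec.get("registrar", "").lower() in HIGH_ABUSE_REGISTRARS:
        signals.append("high-abuse registrar")
    if rec.get("registrant email", "").rpartition("@")[2].lower() in DISPOSABLE_MAIL:
        signals.append("disposable registrant email")
    shared = [ns for ns in rec.get("name servers", []) if ns_counts[ns] >= 3]
    if shared:
        signals.append(f"name server {shared[0]} shared by {ns_counts[shared[0]]} domains")
    return signals


def registration_bursts(records: list[dict], window: timedelta = timedelta(hours=2),
                        min_count: int = 3) -> list[list[str]]:
    """Group creation timestamps into bursts: a gap longer than `window` between two
    consecutive registrations closes the current burst."""
    ordered = sorted(records, key=lambda r: _ts(r["created date"]))
    bursts, group = [], []
    for rec in ordered:
        if group and _ts(rec["created date"]) - _ts(group[-1]["created date"]) > window:
            if len(group) >= min_count:
                bursts.append([r["domain name"] for r in group])
            group = []
        group.append(rec)
    if len(group) >= min_count:
        bursts.append([r["domain name"] for r in group])
    return bursts


def triage_all(text: str = SAMPLE_WHOIS, first_seen: str = "2024-11-14T14:30:00Z") -> dict[str, list[str]]:
    records = parse_whois(text)
    counts = nameserver_counts(records)
    return {r["domain name"]: record_signals(r, _ts(first_seen), counts) for r in records}
```

Against the constructed records, the three lookalike names fire on every signal available to them (four for the privacy-redacted one, five where the disposable email is visible), the bakery fires none, and the three lookalikes form a single 2-hour burst. Registrant redaction removes only the email signal; age, term, registrar and name server reuse survive it, which is the point made in the FAQ below.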
Historical WHOIS for infrastructure change detection. Attackers sometimes modify registration details after an initial lookup: switching name servers, updating registrant data, or transferring the domain. Historical WHOIS lookups show how a domain's registration record changed over time, which is useful for identifying when a dormant or parked domain was weaponized and what changed at that moment.
Reverse WHOIS for registrant pivoting. If a single phishing domain surfaces and the registrant email is visible, a reverse WHOIS search returns all other domains registered to that email address, organization name, or name server. This turns a single indicator into a full campaign map. One domain with a disposable registrant email linked to 40 others sharing the same name server cluster is no longer an isolated incident.
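Historical WHOIS change detection comes down to diffing consecutive snapshots of the same record and asking when a field moved onto infrastructure you already track. The block below is an added example with constructed snapshot data, not WhoisFreaks output or the article's own code: the domain, registrar, registrant, name servers and status values are invented, and the "watched" name server set stands in for a cluster you have already tied to a campaign.

```python
from __future__ import annotations

# Constructed WHOIS history for one domain (added example): registered and parked in 2019,
# unchanged at the 2023 renewal, then re-pointed in November 2024. Name servers are tuples
# so the comparison is exact.
SNAPSHOTS = [
    ("2019-06-01", {"registrar": "Example Registrar LLC", "registrant": "Jane Example",
                    "name servers": ("ns1.parking-example.net", "ns2.parking-example.net"),
                    "status": "clientTransferProhibited"}),
    ("2023-06-01", {"registrar": "Example Registrar LLC", "registrant": "Jane Example",
                    "name servers": ("ns1.parking-example.net", "ns2.parking-example.net"),
                    "status": "clientTransferProhibited"}),
    ("2024-11-13", {"registrar": "Example Registrar LLC", "registrant": "REDACTED (privacy proxy)",
                    "name servers": ("ns1.fast-host-infra.com", "ns2.fast-host-infra.com"),
                    "status": "ok"}),
]


def diff_history(snapshots):
    """Return (snapshot_date, field, old, new) for every field that differs between
    consecutive snapshots. A field absent from one side is reported as None."""
    changes = []
    for (_, prev), (when, cur) in zip(snapshots, snapshots[1:]):
        for field in sorted(set(prev) | set(cur)):
            if prev.get(field) != cur.get(field):
                changes.append((when, field, prev.get(field), cur.get(field)))
    return changes


def weaponization_point(snapshots, watched_ns):
    """Date of the first snapshot in which the name servers moved onto a set already
    tied to malicious infrastructure, or None if that never happened."""
    watched = {ns.lower() for ns in watched_ns}
    for when, field, old, new in diff_history(snapshots):
        if field != "name servers":
            continue
        was_on = any(ns.lower() in watched for ns in (old or ()))
        now_on = any(ns.lower() in watched for ns in (new or ()))
        if now_on and not was_on:
            return when
    return None


if __name__ == "__main__":
    for when, field, old, new in diff_history(SNAPSHOTS):
        print(f"{when}: {field}: {old!r} -> {new!r}")
    print("weaponized at:", weaponization_point(SNAPSHOTS, {"ns1.fast-host-infra.com"}))
```

The snapshot date is the upper bound on when the change happened, so the real turning point lies between the last unchanged snapshot and the first changed one; a denser snapshot history narrows that window.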
Each of the signals above maps directly to a field in a standard WHOIS record: creation date, registrar, registrant email, expiry setting, name servers, and registration timestamp. Pull the record for any suspect domain and those fields either clear it or flag it. The three lookup workflows described above cover individual triage, infrastructure change detection, and registrant pivoting at campaign scale. Run your first lookup free at whoisfreaks.com.
What is the difference between a maliciously registered domain and a compromised domain?
A maliciously registered domain was created by an attacker specifically to carry out harmful activity: phishing, malware distribution, spam, or command-and-control operations. The attacker owns the domain and controls every aspect of its DNS configuration and hosting. A compromised domain belongs to a legitimate owner who registered it in good faith; an attacker later gained unauthorized access to the hosting environment or DNS settings without the owner's knowledge or consent.
How long do maliciously registered domains typically stay active?
It depends heavily on campaign type and how much effort the operator invests in evasion. Bulk phishing infrastructure sits at the short end: high-volume operations rotate domains in hours or a few days, discarding each as it gets flagged and queuing up pre-registered replacements. C2 domains used in targeted intrusions tend to last longer because the operator needs consistent reachability for active implants. The detection window also matters. A domain that never gets reported to a major blocklist stays up indefinitely. One that hits a large feed may get actioned quickly but still reaches victims during the gap. Lim et al. (2025) found that across the full dataset, domains remained accessible for an average of 11.5 days after detection, but that average masks wide variance: some operations were taken down in under 24 hours, while others persisted for months.
Can WHOIS privacy protection hide malicious registration intent?
Privacy protection masks registrant contact details behind proxy or redaction services, which removes the most direct identification signal. It does not hide the creation date, registrar, name servers, or expiry settings, all of which remain visible and remain useful triage signals. Registration burst patterns, name server clustering, and TLD/registrar combinations still expose malicious infrastructure even when contact fields are redacted.
What TLDs do attackers most commonly use for malicious registrations?
New generic TLDs that price domains very cheaply (.top, .shop, .xyz, .online, .site) appear disproportionately in phishing domain datasets. The research into phishing domain lifecycles identified that attackers favor TLDs where a domain costs $1 or less, especially during promotional windows. Before its shutdown, Freenom's free-registration TLDs (.tk, .ml, .ga, .cf, .gq) accounted for a large share of malicious registrations. Following Freenom's exit, .cn and cheap new gTLDs absorbed much of that volume.
How does bulk domain registration relate to phishing campaigns?
Bulk registration is the infrastructure layer beneath high-volume phishing. Attackers register many domains simultaneously, sometimes hundreds in a single session, using registrar APIs that support automated registration. Each domain may be used briefly before being discarded once it appears on blocklists. This rotation strategy maintains campaign continuity: when one sending or hosting domain is blocked, the next pre-registered replacement is already configured and ready.