Know Thy Enemy: Domain and DNS Intelligence Can Combat Cybercrime

DomainTools’ analysis on newly observed domains in 2024 provides actionable insights into threat actor infrastructures.

Seattle, WA – April 24, 2025 – DomainTools, a leader in Domain and DNS intelligence, is proud to share DomainTools Investigations inaugural domain intelligence year-in-review report.

In the cybersecurity community, it is generally accepted that the threat landscape is fast paced and ever-evolving. It turns out however that there are a few constants that rarely change: Domains and DNS are on top of that list. The purpose of this report is to illuminate Domain patterns and DNS infrastructure created by cybercriminals in order to collectively improve the community’s defenses.

“As defenders, we tend to focus our limited resources on what happens after an attack has occurred - Did we get phished or brute-forced, was it ransomware, who might have done it etc.,” said Daniel Schwalbe, chief information security officer and head of investigations at DomainTools. “But there is actually quite a bit that can be done before an attack occurs, just as the saying goes 'An ounce of prevention is worth a pound of cure.'"

In 2024, over 106 million newly observed domains were seen - approximately 289,000 daily. 

These domains are created for a multitude of reasons, some nefarious ones include: 

• Hosting websites to deliver malware and credential harvesting 
• Serve as Command and Control (C2) servers to manage compromised systems 
• Operate as part of botnets for large-scale attacks
• Phishing campaigns to deceive users
• And more

Key Findings from the DomainTools Year In Review Domain Intelligence Report

Not every Domain created serves a sole purpose. There are patterns and connections that can be ascertained from observing this data. In DomainTools’ report, findings included: 

• Risk Scoring Detection Techniques: the likelihood of a Domain’s proximity to malware, phishing, spam, etc. to enable prioritization for further investigation and analysis.
• Keyword Analysis of Threat Detection: clear patterns of newly created Domain names that included frequently included terms such as “phishing,” “fraud,” “bitcoin,” “scam,” and others. 
• High Publicity Event Exploitation: large events spurn Domain registration including elections/politics, technological advancements, natural disasters, social movements, and so on. 
• Commonalities in Malicious Domain Attributes: recurring patterns in preferred registrars, ISPs, nameservers, and SSL issuers used by malicious domains.
• Analysis of Newly Registered Top Level Domains (TLDs): analysis to understand how threat actors utilize new TLDs (.lifestyle, .vana, .living, .music - to name a few) in their campaigns. 

Threat actors often reuse infrastructure because their tactics and techniques have proven to be lucrative, but the good news is that it creates patterns defenders can add to their arsenals. 

“This report is not just about identifying bad actors in 2024,” said Schwalbe. “We want the community to look at this like a blueprint. We are providing analysis on Domain intelligence to enhance our fellow defenders’ ability to identify risky Domains and proactively mitigate threats to help make the Internet a safer place for everyone.” 

Find the report here: https://www.domaintools.com/dti-inaugural-domain-intelligence-report 

About DomainTools

DomainTools is the global leader for Internet intelligence and the first place security practitioners go when they need to know. The world’s most advanced security teams use our solutions to identify external risks, investigate threats, and proactively protect their organizations in a constantly evolving threat landscape. For the latest research from DomainTools Investigations, visit https://dti.domaintools.com/.