DomainTools Investigations

Inaugural Domain Intelligence Report

We are proud to share the 2025 DomainTools Investigations inaugural Domain intelligence year-in-review report.

In the cybersecurity community, it is generally accepted that the threat landscape is fast-paced and ever-evolving. It turns out, however, that a few constants rarely change, and Domains and DNS are at the top of that list. The purpose of this report is to illuminate Domain patterns and DNS infrastructure created by cybercriminals in order to collectively improve the community’s defenses.

In 2024, over 106 million newly observed domains were seen, approximately 289,000 daily. Patterns and connections can be ascertained from observing this data. Findings in DomainTools’ report include:

  • Keyword Analysis of Threat Detection: clear patterns in newly created domain names that contained frequently occurring terms such as “phishing,” “fraud,” “bitcoin,” “scam,” and others.
  • High Publicity Event Exploitation: large events spur domain registration, including elections/politics, technological advancements, natural disasters, social movements, and so on.
  • Commonalities in Malicious Domain Attributes: recurring patterns in preferred registrars, ISPs, nameservers, and SSL issuers used by malicious domains.
  • Analysis of Newly Registered Top Level Domains (TLDs): analysis to understand how threat actors utilize new TLDs (.lifestyle, .vana, .living, and .music, to name a few) in their campaigns.

Why does it matter? We want the community to look at this like a blueprint. We are providing analysis on Domain intelligence to enhance our fellow defenders’ ability to identify risky Domains and proactively mitigate threats to help make the Internet a safer place for everyone.