Phishing Activity in Top-level Domains (TLDs)
May 1, 2021 - July 31, 2021
We analyzed the phishing domains to see how they were distributed across the top-level domains. For our analysis, we extract the Top-level Domain (e.g., com, xyz, uk) from the hostnames we found in phishing reports. We then rank TLD operators based on the number of reported phishing domains and a metric, phishing score.
Most phishing continues to be concentrated in just a few TLDs: for the period, we identified 115 TLDs with a minimum of 30,000 delegated domains and at least 25 reported phishing domains.
- 80 TLDs had more than 100 domain names reported for phishing.
- 36 TLDs had more than 500 domain names reported for phishing.
- 29 TLDs had more than 1000 domain names reported for phishing.
- 9 TLDs had more than 5000 domain names reported for phishing.
In the table below, we present the twenty TLDs that had the highest number of reported phishing domains. Four TLDs are legacy TLDs (com, net, info, org). Nine are country ccTLDs (cn, tk, ga, ml, cf, gq, ru, co, ir). Seven are new TLDs (xyz, shop, work, bar, top, live, club).
Ranking of TLDs by Phishing Domains(May to July 2021)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains ▼ | Phishing Domain Score |
| 1 | com | 156,355,371 | 64,929 | 4.2 |
| 2 | cn | 9,810,170 | 17,575 | 17.9 |
| 3 | xyz | 3,090,432 | 11,774 | 38.1 |
| 4 | tk | 5,426,258 | 11,525 | 21.2 |
| 5 | shop | 901,904 | 10,201 | 113.1 |
| 6 | ga | 5,702,004 | 9,729 | 17.1 |
| 7 | work | 572,567 | 9,325 | 162.9 |
| 8 | ml | 4,368,720 | 6,881 | 15.8 |
| 9 | bar | 321,316 | 6,218 | 193.5 |
| 10 | cf | 4,660,651 | 4,933 | 10.6 |
| 11 | top | 1,194,236 | 4,732 | 39.6 |
| 12 | net | 13,372,506 | 3,634 | 2.7 |
| 13 | gq | 3,713,473 | 3,376 | 9.1 |
| 14 | ru | 4,871,041 | 3,367 | 6.9 |
| 15 | info | 3,877,086 | 3,353 | 8.7 |
| 16 | live | 490,620 | 2,842 | 57.9 |
| 17 | co | 3,195,734 | 2,722 | 8.5 |
| 18 | org | 10,476,328 | 2,612 | 2.5 |
| 19 | ir | 1,156,828 | 2,555 | 22.1 |
| 20 | club | 1,066,645 | 2,013 | 18.9 |
To allow comparison of large and small Top-level Domains, we also rank TLDs based on a metric, phishing domain score, which is calculated by dividing the number of domain names reported for phishing in a TLD by the number of domains delegated from that TLD.
TLD Phishing Score = (number of phishing domains/domains delegated from TLD) * 10,000
This score can highlight where high-volume phishers place multiple phish on one domain.
Table 2 presents the twenty TLDs that had the highest phishing domain score.
Ranking of TLDs by Phishing Domain Score (May to July 2021)
TLDs with a minimum of 30,000 domains and 25 phishing domains
| Rank | TLD | Domains in TLD | Phishing Domains | Phishing Domain Score ▼ |
| 1 | bar | 321,316 | 6,218 | 193.5 |
| 2 | work | 572,567 | 9,325 | 162.9 |
| 3 | shop | 901,904 | 10,201 | 113.1 |
| 4 | buzz | 201,202 | 1,521 | 75.6 |
| 5 | live | 490,620 | 2,842 | 57.9 |
| 6 | cyou | 123,217 | 589 | 47.8 |
| 7 | casa | 52,994 | 238 | 44.9 |
| 8 | link | 129,082 | 529 | 41.0 |
| 9 | top | 1,194,236 | 4,732 | 39.6 |
| 10 | xyz | 3,090,432 | 11,774 | 38.1 |
| 11 | cam | 42,795 | 159 | 37.2 |
| 12 | tokyo | 153,927 | 525 | 34.1 |
| 13 | finance | 37,141 | 105 | 28.3 |
| 14 | asia | 199,819 | 467 | 23.4 |
| 15 | pro | 265,332 | 618 | 23.3 |
| 16 | icu | 567,983 | 1,291 | 22.7 |
| 17 | ir | 1,156,828 | 2,555 | 22.1 |
| 18 | tk | 5,426,258 | 11,525 | 21.2 |
| 19 | rest | 44,240 | 93 | 21.0 |
| 20 | digital | 99,461 | 205 | 20.6 |