Latest news of the domain name industry

Recent Posts

.xxx shows up in botnet top-five TLDs for the first time

Kevin Murphy, January 21, 2022, 07:36:17 (UTC), Domain Registries

It is a truth universally acknowledged that the cheaper a TLD, the more likely it is to be abused by bad actors, and that may be what happened to .xxx in the fourth quarter.

SpamHaus listed .xxx as its fourth most-abused TLD for botnet command and control domains in its newly published Q4 statistics, a new entry on the top 20 table that raised researchers’ eyebrows.

From zero, .xxx went up to 223 C&C domains in the period, sandwiched between .ga’s 143 and .xyz’s 396, SpamHaus said. It worked out to 2.4% of .xxx’s active domains, the compamny said.

.com was of course still the runaway leader, with 3,719 C&C domains. .top came in second, with 715 domains.

SpamHaus said:

We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.

It’s noteworthy because .xxx is not a cheap TLD. With wholesale prices around $60, they usually sell for around $100 a year. Botnet operators, like other types of malefactor, usually choose cheap domains for their activities.

But in 2021 .xxx was celebrating its 10th anniversary, and at least one company was offering names at a .com-equivalent $10 a year, starting in the middle of the year and extending into Q4.

While .xxx registry ICM is now owned by GoDaddy, it was still part of MMX at the time the pricing promotion began.


If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.

Tagged: , , , , ,

Comments (1)

  1. Matthias Pfeifer says:

    >It is a truth universally acknowledged that the >cheaper a TLD, the more likely it is to be >abused by bad actors, and that may be what >happened to .xxx in the fourth quarter.

    This truth should reach DAAR 😀

Add Your Comment