Most abused domain extensions and registrars (Spamhaus Botnet Threats)


Spamhaus released its botnet threat update for Q1 2020.

Among other botnet related details, Spamhaus announced the most abused domain extensions and domain registrars associated with botnets.

Here is what Spamhaus wrote:

Most abused top-level domains, Q1 2020
.la: The most significant change in this Top Twenty list is the appearance of country code top-level domain (ccTLD) .la (Laos). Not only did .la make its way onto the chart, but it also entered at #2!

.com: Throughout 2019, we reported that the vast majority of botnet C&C domains were registered in the generic top-level-domain (gTLD) .com. This trend continued in Q1 2020 with .com accounting for approximately 45% of the top-level botnet C&C domains.

.pw & .xyz: These two TLDs have appeared in the Top Twenty for over a year, although there was a significant increase in the number of botnet C&C domain registrations associated with these TLDs in Q1 2020, placing them at #3 & #4 respectively.

Most abused domain registrars, Q1 2020
Namecheap: The USA-based domain registrar ‘Namecheap’ continued to be the favorite place for malware authors to register their botnet C&C domains.

Key Systems: German-based ‘Key Systems’ became the domain registrar with the second largest number of newly registered botnet C&C domains in Q1 2020.

This registrar only appeared on the Top Twenty List in Q3 2019, illustrating how quickly miscreants take advantage of weak vetting processes.

Hosting Concepts: Last year, this Dutch domain registrar was responsible for a large number of botnet C&C domain registrations, particularly relating to bulletproof hosting. We are pleased to see that it appears Hosting Concepts is improving its registration processes, dropping from #3 in Q4 2020 to #7 in Q1 2020.