6 domain name registration pilots in the second quarter of 2022

Domain Name System (DNS) patterns can help shape future security practices. We have identified six notable domain registration pilots for the second quarter of this year. The Ukraine-Russia war remained one of the top global events and domain registration drivers in Q2 2022. An alarming 12% of tax-themed properties in Q2 were malicious. The number of domains containing country names accompanied by words like “help” and “donation” were reported as malicious at the end of the quarter.


Best Whois, DNS, IP and Threat Intelligence data provider. We provide APIs, databases and tools.

As an Internet information provider, we continuously monitor domain registration trends and Domain Name System (DNS) activities. The central premise is that DNS models can help shape future security practices and protect the global cyber community. For example, an increase in brand domain registrations can help inform anti-phishing and brand protection strategies.

We have identified six notable domain registration pilots for the second quarter of this year. We have published a detailed report here. Below is an overview of our key findings and conclusions.


As Mother’s Day and Father’s Day were celebrated in several countries on May 8 and June 19, the DNS also detected significant activity related to the events. Additionally, we noticed that over 190 celebration-themed Q2 domains had already been featured in malicious activity.

Registration for the Mother’s Day-themed domain peaked a week before the event. Interestingly, it also saw a slight increase in the week ending May 21, 2022. Domains related to Father’s Day followed a similar trend, increasing a week before the event. These models are shown in the table below.

The .mom top-level domain (TLD) extension also rode the Mother’s Day tide, topping the volume of event theme domains under other TLD extensions.

tax season

The US tax deadline was set for April 18, 2022, but tax season began on January 24, 2022. We detected a steady stream of relevant domain registrations each month, although February, March, and May had comparatively more registrations.

Some may find the trend normal since tax filing is serious business for everyone, and there may be several professionals offering related services online. However, we found that an alarming 12% of Q2 tax-themed properties were malicious. They have already been used in phishing, scams, spam, and other nefarious activities. To give an idea of ​​how easily these domains can lure victims, here are some examples of malicious tax domains:

  • irs-profile-tax-returns[.]com
  • lrs-tax-return-government-info-page[.]com
  • 2022 tax return[.]com
  • TaxxReturnOnline[.]com
  • government-get-your-coronavirus-impact-tax-return[.]on line
  • 4irsgovinfo[.]on line
  • irs-page-government-info[.]com
  • irsgovusa[.]com
  • paymentsirsgovernment[.]on line
  • irsfinancial-refundprogram[.]on line

News related

A major piece of news that disrupted the internet in the second quarter was the Elon Musk-Twitter deal. Twitter accepted the offer on April 25, 2022, which was immediately reflected in DNS. The number of domains containing “Elon Musk” and “Twitter” increased during the week ending April 30, 2022.

Threat actors took domains to action immediately, with 3% of properties reported as malicious by the end of the quarter.

Global Events

The war between Ukraine and Russia remained one of the top global event and domain registration drivers in Q2 2022. The number of relevant domains peaked in March and declined throughout Q2 , although it still exceeded pre-war levels, as shown in the graph below. Dozens of domains containing country names accompanied by words such as “help” and “donation” have been reported as malicious.


We have been tracking domain registrations related to major cryptocurrencies for the past year. In Q2 2022, we added non-fungible tokens (NFTs) and decentralized finance platforms (NFTs) to our watch.

Cybersquatting domains were mostly added in the first two weeks of April, and registrations were erratic throughout the rest of the quarter. Yet these blockchain technologies accounted for more than 880 records per week, and each of them could be used by scammers, fraudsters, phishers, and other threat actors. In fact, 2% of Q2 blockchain-themed domains have already featured in malicious activity.

Industry related

Some domain records may belong to a specific industry, such as those related to car dealerships and social media platforms. In the second quarter, we detected a persistent flow of domains containing the names of the most visited e-commerce platforms. You can see the cybersquatting trend throughout the quarter in the graph below.

Hundreds of Q2 online shopping themed domains have already been used in malicious campaigns.

While threat actors can weaponize any domain, properties under these registration drivers can attract victims more effectively because they are more targeted. Therefore, detecting domain registration trends and themes can help alert Internet users to possible vectors for phishing, scams, spam, fraud, and other cyberattacks.

You can Contact us if you are interested in the domain registration trends discussed in this article. We are also open to research collaborations.

Related stories

. . . comments & After!