DEV Community

Cover image for Inside The Global Wave Of Lookalike Domain Attacks
MonstaDomains
MonstaDomains

Posted on • Originally published at monstadomains.com

Inside The Global Wave Of Lookalike Domain Attacks

Originally published at https://monstadomains.com/blog/lookalike-domain-attacks/

Over 230 malicious domains. An illegal proxy empire hiding in plain sight since 2022. That is the scale of the operation security researchers exposed this month, and it runs almost entirely on lookalike domain attacks. On 7 July 2026, DNS threat intelligence firm Infoblox published its findings on a threat actor it calls Lurking Lizard, revealing how a single crew quietly weaponised expired and impersonated domains to turn ordinary devices into a criminal residential proxy network. If you own a domain, this story is a blunt warning about how trust online is bought, stolen and resold.

A Proxy Empire Built On Lookalike Domain Attacks

Infoblox describes Lurking Lizard as an end to end malicious proxy business. Rather than running one smash and grab campaign, the group manages every stage of the residential proxy lifecycle, from infecting victim devices to marketing and selling access to the resulting network. The glue holding it together is a web of lookalike domain attacks, more than 230 names built to impersonate trusted brands and services. You can read the full Infoblox threat report for the technical detail. Analysts believe the actor is China based, with WHOIS records pointing to Wuhan and registrant names that vary on “Cheng Li”. The operation has run since at least August 2022.

What makes lookalike domain attacks so effective is that they exploit familiarity. A visitor who trusts a brand rarely inspects a URL character by character. Lurking Lizard leaned on that habit hard, registering names that mimic major proxy providers including IPIDEA, SmartProxy, IP Royal and 911Proxy. It even ran fake “independent” review sites to funnel traffic toward its own scam storefronts, a vertically integrated model where every lookalike domain feeds the next stage of the con. These lookalike domain attacks did not need a zero day; they needed a plausible name.

Scale is the point. A lone phishing page is disposable, but an interlocking network of more than 230 domains, review sites and storefronts is a business with redundancy built in. Take one node down and the others keep earning. That resilience is why lookalike domain attacks have shifted from opportunistic scams into durable, revenue generating infrastructure, and why a single report rarely ends the threat for good.

Inside The Lurking Lizard Campaign

The thread that unravelled the operation was a fake 7-Zip installer. The actor hosted a trojanised version of the popular archiver on a domain reading 7zip, a near twin of the legitimate 7-zip site. Because people routinely misremember the real address, the fake benefited from years of accidental search-engine history. Victims who ran the installer unknowingly handed their devices over as proxy nodes, quietly routing strangers’ traffic. This is how many lookalike domain attacks begin: not with a dramatic breach, but with a familiar name and a single careless click.

The Fake 7-Zip Lure

Infoblox tied the campaign to a wider distribution machine. One linked Android VPN app, WireVPN, logged more than one million downloads and over 34,000 reviews, while a single impersonation domain overlapped with roughly two million active IPv4 addresses. Those numbers show the reach a well aged domain can deliver. A code signing certificate issued to a firm called WEILAI NETWORK TECHNOLOGY CO., LIMITED helped the malware look legitimate to security tools, a reminder that lookalike domain attacks pair technical polish with plain psychological manipulation.

How Drop Catching Turns Dead Domains Into Weapons

The most instructive part of the story is the actor’s use of drop-catching. When a domain expires and its owner walks away, it eventually returns to the open market. Drop-catch services race to grab valuable names the instant they drop. Lurking Lizard used this to inherit domains with long, clean histories, some registered as far back as 2004. Infoblox identified at least seven drop-catch domains in the group’s arsenal. An old domain carries reputation, backlinks and search ranking that a freshly registered name cannot fake, which is exactly why aged names fuel lookalike domain attacks so well.

Reputation is a currency, and drop-catching lets criminals buy it cheaply. Security systems that score domains by age and history see an established, trustworthy site. Users see a name that has “been around”. Neither sees the new owner’s intent. This inversion is what makes modern lookalike domain attacks so dangerous: the infrastructure is not obviously new or suspicious, because it is quite literally recycled from the legitimate web.

Drop-catching is not illegal, and that is part of the problem. Legitimate investors and marketers use the same expiry auctions to acquire good names. The market that lets a small business rescue a lapsed brand also lets Lurking Lizard resurrect one for abuse. Until registrars scrutinise who is catching high reputation domains and why, the pipeline feeding these attacks will keep flowing.

lookalike domain attacks - a recycled expired domain being weaponised in a proxy network

What Lookalike Domain Attacks Reveal About Trust

The Lurking Lizard case reveals an uncomfortable truth: online trust is inferred from signals that are trivial to forge. A padlock, an aged domain, a plausible name and a review site are all it takes to launder a criminal operation into something that looks reputable. Lookalike domain attacks succeed precisely because our defences, both human and automated, lean on those shallow signals. When the same crew also controls the “independent” reviews vouching for its services, the feedback loop that is supposed to protect buyers becomes part of the trap.

It also reveals how little separates a legitimate domain from a weaponised one. The technical steps behind lookalike domain attacks, registering a name, catching an expired one, standing up a site, are the same steps any honest business takes. That is why enforcement is so slow and why the burden increasingly falls on registrars and domain owners to watch their own perimeters instead of waiting for a takedown.

For privacy conscious readers there is a second lesson. The same WHOIS records that helped researchers trace Lurking Lizard to Wuhan are the records exposed on every domain that lacks privacy protection. Attackers mine that data to build convincing impersonations, while defenders use it to attribute abuse. Whichever side you sit on, public registration data is fuel, and reducing what you expose is one of the few levers an ordinary owner actually controls.

The Wider Wave Of DNS Hijacking In 2026

Lurking Lizard is one symptom of a much larger problem. Separate Infoblox research into the Sitting Ducks technique found that more than one million domains were exposed to hijacking through a DNS misconfiguration called lame delegation, where a domain points to name servers that no longer control it. Roughly 800,000 domains remained vulnerable and about 70,000 had already been hijacked. Attackers prize these names for the same reason they chase drop-catch domains: instant, borrowed reputation that powers spam, phishing and lookalike domain attacks at scale.

Regulators have noticed. ICANN spent much of 2026 tightening its stance on DNS abuse and pressuring registrars to act faster on malicious registrations. We have tracked that shift in our coverage of new TLD abuse and the recent domain hijacking that drained millions in crypto. The pattern across all of it is consistent: the domain layer, not the endpoint, is where modern lookalike domain attacks are won and lost.

What Domain Owners Should Do Now

The direct lesson from this campaign is that your domains are assets worth guarding even after you stop using them. Do not let a project domain simply lapse if it carries any reputation, because a crew like Lurking Lizard may catch it the moment it drops. Audit the names you own, renew anything with history or backlinks, and lock down DNS so lame delegation cannot leave a name orphaned. Treat every abandoned asset as a potential seed for future lookalike domain attacks aimed at the people who once trusted it.

Monitor Your Domain Footprint

Watch for impersonators too. Periodically check for names that mimic your brand, inspect their records with a DNS lookup tool, and report clear abuse to the hosting registrar. Registrars that resist lame delegation and drop-catch abuse, like MonstaDomains, and that do not force you to publish personal data, hand attackers less to work with. Shrinking your own exposed footprint also shrinks the surface that lookalike domain attacks depend on. Privacy and security are not opposites here; they reinforce each other.

The Takeaway

The Lurking Lizard investigation is a reminder that the domain name system runs on reputation, and reputation can be bought, stolen or recycled. Lookalike domain attacks work because they borrow trust rather than build it, using drop-catch history, familiar names and even fake reviews to slip past defences. The Sitting Ducks figures show the raw scale of exposed infrastructure waiting to be abused. For owners, the response is unglamorous but effective: hold onto reputable names, harden your DNS and watch for impersonators before they find you.

If you want a registrar that treats your privacy and your domains as worth protecting, start with anonymous domain registration at MonstaDomains and keep control of your own footprint.

Top comments (0)