Originally published at https://monstadomains.com/blog/new-tld-abuse/
Hundreds of fresh domain endings are about to flood the internet, and criminals are already queuing up to exploit them. New TLD abuse is not a future risk to worry about someday. It is a documented pattern that repeats every single time the namespace expands. With ICANN’s 2026 round now in full swing, security researchers are watching the same movie play out again, and the opening numbers are grim.
The last great expansion of generic top-level domains began in 2012. It gave us everything from .xyz to .zip, and it also handed attackers a buffet of cheap, lightly policed places to register malicious infrastructure. The 2026 round is shaping up to be even larger. Understanding why new TLD abuse follows expansion so reliably is the difference between a registrar that protects you and one that quietly profits from the chaos.
The 2026 Expansion That Reopened New TLD Abuse
On 30 April 2026, ICANN opened the application window for its second-ever round of new generic top-level domains. It runs until 12 August 2026, and it is the first major expansion of the namespace in over a decade. This time the programme accepts applications in 27 different scripts, covering hundreds of languages, with an evaluation fee of USD 227,000 per string. The list of approved extensions is expected around mid-October 2026, on what is known as Reveal Day.
The internet already carries more than 1,400 valid top-level domains. The 2026 round will push that number higher still. Every previous expansion taught the same lesson, and new TLD abuse spikes whenever a wave of cheap, unfamiliar extensions reaches general availability. Defenders have not forgotten 2012, but the registries chasing volume often act as if they have.
The timing matters because the threat is not theoretical. While ICANN processes applications, criminals are still working the extensions that already exist, and the data from early 2026 shows exactly where new TLD abuse concentrates.
What Interisle’s Latest Data Reveals
Interisle Consulting Group, which has tracked phishing infrastructure for six years, published cybercrime figures for March 2026 in early April. They are not subtle. Overall phishing rose 28 percent compared with February. Malware reports surged 189 percent, with endpoint malware targeting user devices up a staggering 440 percent. Spam climbed 14 percent month over month. These are not slow trends. They are sharp, sudden jumps clustered in specific corners of the namespace.
Drill into which extensions drove the spike and the story sharpens. Interisle found that phishing domains and phishing domain scores grew more than 100 percent in the BOND, CFD and LIFE extensions alone. BOND, XYZ, CFD, SHOP, LIFE and MOM each saw malicious phishing registrations exceed 100 percent growth. On the spam side, BOND posted over 1,000 percent growth in spam domains in a single month.
The Extensions Driving the Spike
None of this is random. The extensions topping the abuse charts share a profile: low registration cost, weak vetting, and registrars willing to sell in bulk without asking questions. Interisle’s annual study found phishing reached nearly two million attacks in its most recent reporting year, an increase of over 180 percent since 2021, with 77 percent of phishing domains maliciously registered by criminals rather than hijacked from legitimate owners. New TLD abuse thrives precisely because registering a throwaway domain is faster and cheaper than compromising a real one.
How New TLD Abuse Actually Works
The mechanics are blunt. Attackers do not lovingly craft one malicious site at a time. They register in bulk, spin up thousands of lookalike domains, blast out phishing or malware, and abandon the lot before takedown catches up. Security researchers have documented a single registrar processing 17,000 malicious domains in under eight hours. Some individual extensions show malicious and spam rates above 90 percent, meaning the legitimate use of that TLD is the exception, not the rule.
The pattern is fast because it is profitable. When the .zip and .mov extensions launched in 2023, phishing crews were exploiting them within days, leaning on the confusion between a file name and a web address. New TLD abuse works on that same psychology: an unfamiliar ending looks plausible enough that a hurried target clicks before thinking. The 2026 wave will hand attackers a fresh set of unfamiliar endings to weaponise.
Why Cheap Extensions Attract Attackers
Economics drive everything here. A domain that costs a dollar and ships with no identity checks is disposable ammunition. Criminals burn through them by the thousand because the per-domain cost is trivial against the payoff of a successful campaign. Roughly 37 percent of phishing domains, Interisle reports, are acquired through bulk registration services. Cut the price and remove the friction, and new TLD abuse becomes a volume business that scales as fast as the registry will allow.
What the New TLD Abuse Surge Reveals About Vetting
Strip away the headline numbers and the real lesson is about accountability. The extensions drowning in abuse are not victims of clever attackers. They are the predictable result of registries and registrars that treat volume as the only metric that matters. When a TLD operator earns the same fee whether a domain hosts a family blog or a credential-harvesting kit, the incentive to vet anything evaporates. New TLD abuse is a governance failure dressed up as a security problem.
This is why ICANN’s DNS abuse enforcement push matters more than ever heading into the 2026 round. Contract amendments now require registrars to act on abuse reports rather than ignore them, and the registries handling the new extensions are supposed to operate under tighter terms than their 2012 counterparts. Whether that holds when the money starts flowing is the open question every defender is asking.
The Policy Response Taking Shape
ICANN has not walked into 2026 blind. The new round ships with stricter registry contracts, mandatory abuse-mitigation obligations, and a longer evaluation process designed to weed out bad-faith applicants before they reach the root zone. On paper, the framework is sterner than anything that governed the first wave. The problem is enforcement, because rules without consequences are decoration.
Independent researchers remain sceptical. The same bulk-registration tactics that fuelled millions of malicious registrations earlier this year exploit gaps that policy language has historically been slow to close. Cybercriminals shift opportunistically between registrars and hosting networks the moment one tightens up, a behaviour Interisle flagged directly in its March report. New TLD abuse migrates; it does not disappear. The 2026 framework will be judged not by its wording but by how fast it forces the worst actors out.
There is also a market dimension that policy rarely addresses. New generic extensions now make up more than 12 percent of all registrations and rank as the fastest-growing slice of the namespace, yet they renew at barely 30 percent. That churn is the signature of new TLD abuse at scale: domains registered cheaply, used briefly for harm, then dropped before renewal. A namespace optimised for sign-up volume rather than long-term stewardship will keep producing the same outcome no matter how many extensions ICANN adds in 2026.
What Domain Owners Should Do Now
You cannot control which extensions ICANN approves, but you can refuse to be collateral damage. Treat unfamiliar endings in links and emails with suspicion, especially the extensions Interisle named as abuse hotspots. Verify the real destination before you click, and never trust a domain purely because its ending looks official. For your own properties, lock down the registrar account with strong authentication and keep your contact records current so a hijack attempt cannot quietly reroute you.
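One way to automate the "verify the real destination" habit for HTML mail or chat messages, as an added example that is not part of the original article: it flags links whose real host ends in one of the extensions named above (BOND, XYZ, CFD, SHOP, LIFE, MOM, plus .zip and .mov) and links whose visible text shows a different host than the one the link opens. The function names, the watchlist constant and the sample domains are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Endings the article names as hotspots, plus .zip/.mov (file-name confusion).
WATCHLIST = {"bond", "xyz", "cfd", "shop", "life", "mom", "zip", "mov"}

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL or bare host name, '' if there is none."""
    url = value if "://" in value else "//" + value
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def review_links(html):
    """Return (real_host, reasons) for every link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, reasons = host_of(href), []
        tld = real.rsplit(".", 1)[-1]
        if tld in WATCHLIST:
            reasons.append(f"watchlisted ending .{tld}")
        shown = "" if " " in text else host_of(text)  # link text that looks like a host
        if "." in shown and shown != real:
            reasons.append(f"text shows {shown}")
        if reasons:
            findings.append((real, reasons))
    return findings

# Constructed sample message body (domains are made up for this example).
SAMPLE = ('<a href="https://portal.example.com/help">help page</a>'
          '<a href="https://constructed-sample.bond/login">portal.example.com</a>'
          '<a href="https://statement.zip">statement.zip</a>')
```

A watchlist hit is a reason to look closer, not a verdict: legitimate sites exist on every one of these endings, so pair the flag with the destination check rather than blocking on the ending alone.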
Just as important, choose where you register with the same scrutiny you would apply to any security decision. A registrar that protects your data with proper WHOIS privacy protection and refuses to surrender your identity is structurally on your side. MonstaDomains built its model around exactly that principle, treating your anonymity as the default rather than an upsell, because new TLD abuse and weak registrar accountability are two faces of the same disregard for users.
None of this demands paranoia, just better habits. The shift that fuels new TLD abuse is structural, so your defence should be structural too. Assume unfamiliar endings are guilty until proven safe, and route your own domains through a provider whose revenue does not depend on quietly selling you out.
Where This Leaves You
The story of 2026 is simple to state and hard to fix. ICANN’s expansion will multiply the namespace, the abuse data already shows where criminals will go, and the registries chasing volume will keep cashing in unless enforcement bites. New TLD abuse is not an accident of technology; it is the cost of a system that rewards quantity over care. Watch the abuse-heavy extensions, vet your links, and harden your own domains before the next wave lands.
Most of all, register with people who answer to you and not to a surveillance machine. If you want a domain home that puts your privacy first, start with anonymous domain registration and keep your identity yours.
