Cybercriminals are increasingly concentrating phishing activity in specific top-level domains (TLDs), and by ratio the .li extension has emerged as the most dangerous. A recent study found that 57.22% of the .li domains it observed had been flagged as malicious, the highest share of any TLD used by threat actors.
Security firm ANY.RUN identified 20 TLDs that pose the greatest risks to individuals and organizations. Domains such as .es, .sbs, .dev, .cfd, and .ru are commonly used in phishing campaigns that include fake login pages, document scams, and credential theft schemes.
The report highlights the need for better domain monitoring within Security Operations Centers (SOCs) to address evolving cyber threats.
.li Domains Used as Redirectors in Phishing Chains
Although .li domains top the list for malicious activity, most do not directly host malware or phishing payloads. Instead, they serve as redirectors that lead users through multiple attack stages, eventually landing them on harmful websites.
This method lets attackers slip past detection tools that assess a single URL rather than the whole chain: the .li link itself carries no payload, so a reputation check on it passes, and the later hops can be swapped out without changing the link the victim received. The redirects are implemented with PHP header('Location: ...') calls, JavaScript location.replace() or location.href assignments, or HTML meta refresh tags, so the hand-off from one stage to the next is seamless to the victim.
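As an added illustration (not code from the ANY.RUN report), the Python below walks such a chain offline against a constructed stand-in for the web and records which of the three mechanisms each hop uses, stopping on a terminal page, a loop, or a hop limit. All hostnames and pages are made up for the example; to run it against live URLs, replace fake_fetch with a fetch that does not follow redirects on its own.

```python
"""Walk a multi-stage phishing redirect chain and record which mechanism
each hop uses: HTTP Location header, HTML meta refresh, or a JavaScript
location change.  Added example; the 'site' below is constructed."""
import re
from urllib.parse import urljoin

# Constructed stand-in for the web: url -> (status, headers, body).
# Every hostname here is invented for the example.
FAKE_SITE = {
    "https://example-redirector.li/go": (
        302, {"Location": "https://cdn-example.sbs/step2.html"}, ""),
    "https://cdn-example.sbs/step2.html": (
        200, {}, '<html><head><meta http-equiv="refresh" '
                 'content="0; url=/step3.html"></head></html>'),
    "https://cdn-example.sbs/step3.html": (
        200, {}, '<script>window.location.replace('
                 '"https://login-example.pages.dev/");</script>'),
    "https://login-example.pages.dev/": (
        200, {}, '<html><body><form action="/post">Sign in</form></body></html>'),
    # A two-node loop, to show the loop guard.
    "https://loop-example.cfd/a": (302, {"Location": "/b"}, ""),
    "https://loop-example.cfd/b": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url):
    """Return (status, headers, body) WITHOUT following redirects.
    For live use swap in e.g. requests.get(url, allow_redirects=False)."""
    return FAKE_SITE.get(url, (404, {}, ""))


_META = re.compile(r"<meta\b([^>]*)>", re.I)
_ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
_REFRESH = re.compile(r"""\s*\d+\s*;\s*url\s*=\s*['"]?([^'"\s]+)""", re.I)
_JS = re.compile(r"""(?:window|document|top|self|parent)?\.?location(?:\.href)?"""
                 r"""\s*(?:=|\.(?:replace|assign)\()\s*["']([^"']+)["']""", re.I)


def meta_refresh_target(body):
    """Target of an HTML meta refresh, whatever the attribute order, or None."""
    for tag in _META.findall(body):
        attrs = {k.lower(): (a or b or c) for k, a, b, c in _ATTR.findall(tag)}
        if attrs.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH.match(attrs.get("content", ""))
            if m:
                return m.group(1)
    return None


def js_redirect_target(body):
    """Target of a literal location.replace()/assign()/href= redirect, or None."""
    m = _JS.search(body)
    return m.group(1) if m else None


def next_hop(url, fetch):
    """Return (mechanism, absolute next url), or (None, None) for a terminal page."""
    status, headers, body = fetch(url)
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in (301, 302, 303, 307, 308) and location:
        return "http-location", urljoin(url, location)
    target = meta_refresh_target(body)
    if target:
        return "meta-refresh", urljoin(url, target)
    target = js_redirect_target(body)
    if target:
        return "js-location", urljoin(url, target)
    return None, None


def follow_chain(start, fetch=fake_fetch, max_hops=10):
    """Return [(url, mechanism), ...]. The last entry is 'final', 'loop' or 'max-hops'."""
    hops, seen, url = [], set(), start
    while True:
        if url in seen:                       # revisiting a URL: redirect loop
            hops.append((url, "loop"))
            return hops
        seen.add(url)
        if len(hops) >= max_hops:             # refuse to chase an endless chain
            hops.append((url, "max-hops"))
            return hops
        mechanism, nxt = next_hop(url, fetch)
        if mechanism is None:                 # nothing redirects from here
            hops.append((url, "final"))
            return hops
        hops.append((url, mechanism))
        url = nxt


if __name__ == "__main__":
    for url, mechanism in follow_chain("https://example-redirector.li/go"):
        print(f"{mechanism:14s} {url}")
```

Every hop is kept, not just the final URL, so the redirector domain (here the .li host) and the free-hosting landing page can both be recorded as indicators. Each fetch deliberately disables the HTTP client's own redirect handling; otherwise the intermediate Location hops would be collapsed and invisible.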
Low-Cost TLDs Fuel Large-Scale Attacks
Budget-friendly TLDs such as .sbs, .cfd, and .icu have become popular among attackers because of their low registration fees. For example, .sbs domains can be registered for as little as $1.54 in the first year.
This affordability allows criminals to register thousands of domains quickly, making it easier to launch widespread phishing campaigns.
Historical data from the Cybercrime Information Center shows that .sbs had over 11,000 phishing registrations, while .cfd recorded more than 5,500. The .icu domain, marketed with the phrase “I see you,” has also seen over 3,100 phishing-related registrations.
Trusted Platforms Abused for Phishing
Legitimate hosting platforms are also being misused. Free subdomains of Cloudflare's pages.dev and workers.dev are increasingly used to host phishing content. These pages inherit Cloudflare's trusted brand and infrastructure, which makes them appear safe to everyday users.
Between 2023 and 2024, phishing incidents on Pages.dev rose by 198%, from 460 to 1,370 reported cases.
One major threat is the Tycoon 2FA phishing kit. It uses browser fingerprinting and CAPTCHA checks to filter out automated scanners, and spreads its command-and-control domains across TLDs such as .ru, .es, .su, .com, .net, and .org. Its campaigns often begin with mail sent from compromised email accounts and pass through several redirects before the victim reaches the phishing page.
Call for Stronger Monitoring and Defense
Experts urge organizations to adopt real-time domain monitoring and to detonate suspicious URLs in a sandbox so that the full redirect chain and the final page are captured. Extracting indicators of compromise (IOCs) from those runs, including the redirector domains, final hosts, and payloads, is essential for improving defenses and staying ahead of increasingly complex phishing threats.
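One starting point for that monitoring, as an added example that is not part of the report: triage proxy-log URLs by TLD, using the TLDs the article names as frequently abused, and treat a pages.dev or workers.dev parent as its own signal rather than folding it into the bare .dev count. The log lines are constructed, the risky-TLD set is illustrative rather than ANY.RUN's full top 20, and the TLD is taken as the last DNS label only (registrable-domain extraction would need the public suffix list).

```python
"""Triage proxy-log URLs by TLD and free-hosting parent.  Added example;
the log lines are constructed and the TLD list is illustrative."""
from collections import Counter
from urllib.parse import urlsplit

# TLDs the article names as frequently abused (illustrative, not the full list).
RISKY_TLDS = {"li", "es", "sbs", "dev", "cfd", "ru", "icu", "su"}
# Free-hosting parents the article says are abused. A hit here is a sharper
# signal than the bare ".dev" TLD, so it is reported separately.
FREE_HOSTING_PARENTS = {"pages.dev", "workers.dev"}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-05-02T09:12:01Z 10.0.0.5 GET https://intranet.example.com/login 200
2024-05-02T09:12:07Z 10.0.0.5 GET https://docs-view.example-redirector.li/open?id=7 302
2024-05-02T09:12:08Z 10.0.0.5 GET https://secure-mail-example.sbs/verify.html 200
2024-05-02T09:12:09Z 10.0.0.5 GET https://login-example.pages.dev/ 200
2024-05-02T09:15:44Z 10.0.0.9 GET https://www.example.co.uk/ 200
2024-05-02T09:16:02Z 10.0.0.9 GET https://update-example.cfd/ 200
this line is malformed and must be skipped
"""


def classify(url):
    """Return (hostname, tld, free-hosting parent or None, risky flag).

    The TLD is simply the last label; "co.uk" therefore yields "uk". That is
    enough for a TLD watch-list, but not for registrable-domain grouping."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".") if host else []
    tld = labels[-1] if labels else ""
    parent = ".".join(labels[-2:]) if len(labels) >= 2 else ""
    hosting = parent if parent in FREE_HOSTING_PARENTS else None
    return host, tld, hosting, (tld in RISKY_TLDS or hosting is not None)


def triage(log_text):
    """Parse the log; return (flagged records, Counter of flagged TLDs)."""
    flagged, by_tld = [], Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or "://" not in parts[3]:
            continue                                  # malformed line
        ts, client, _method, url, _status = parts[:5]
        host, tld, hosting, risky = classify(url)
        if risky:
            by_tld[tld] += 1
            flagged.append({"ts": ts, "client": client, "host": host,
                            "tld": tld, "hosting": hosting})
    return flagged, by_tld


if __name__ == "__main__":
    records, counts = triage(SAMPLE_LOG)
    for r in records:
        note = f" (free hosting: {r['hosting']})" if r["hosting"] else ""
        print(f"{r['ts']} {r['client']} .{r['tld']:4s} {r['host']}{note}")
    print("flagged per TLD:", dict(counts))
```

The flagged records are meant to feed the sandbox step rather than to block outright: a .dev hit on an internal tooling host is noise, while the same TLD under a pages.dev parent, reached right after a .li and a .sbs request from the same client, is the redirect pattern the article describes and is worth detonating.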