Data Reports - March 6, 2026 - Leo

The Most Dangerous Domain Extensions for Malware in 2026

Key Findings

ScamVerify™ analyzed 69,088 malicious domains from the URLhaus threat intelligence feed. The results challenge conventional wisdom about which domain extensions are dangerous.

Finding 1: The .com TLD hosts 86.7% of all malicious domains (59,876 out of 69,088). The advice to "avoid websites with strange extensions" is not just outdated, it is dangerously misleading.

Finding 2: The .net and .org TLDs each host approximately 4,000 malicious domains (5.8% each), making the three most "trusted" TLDs responsible for 98.3% of all tracked malicious domains.

Finding 3: Cheap TLDs like .xyz, .online, and .site - often flagged as risky - collectively host only 1.6% of malicious domains.

Full TLD Breakdown

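| Rank | TLD | Malicious Domains | Share | Avg Domain Cost/Year |
|------|-----|-------------------|-------|----------------------|
| 1 | .com | 59,876 | 86.7% | $10-12 |
| 2 | .net | 4,000 | 5.8% | $10-12 |
| 3 | .org | 3,996 | 5.8% | $10-12 |
| 4 | .xyz | 715 | 1.0% | $1-2 |
| 5 | .online | 182 | 0.3% | $1-3 |
| 6 | .site | 181 | 0.3% | $1-3 |
| 7 | Other | 138 | 0.2% | Varies |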

Why .com Dominates Malware Hosting

1. Trust Factor

Users trust .com above all other TLDs. A phishing page at bank-verify.com is far more effective than bank-verify.xyz because people have been trained to view .com as legitimate.

2. Volume

There are over 160 million .com registrations worldwide. The sheer volume provides cover, and malicious domains are needles in a massive haystack.

3. Registrar Ecosystem

The .com registration ecosystem includes thousands of registrars, many offering automated registration with minimal verification. Scammers can register a domain, use it for 24-72 hours, abandon it, and register a new one.

4. Cost-Benefit Calculation

A .com domain costs $10-12/year. A .xyz domain costs $1-2/year. The $8-10 premium for .com is trivial compared to the dramatically higher success rate in phishing campaigns.

What This Means for Safety Decisions

Outdated Advice That No Longer Works

| Old Advice | Why It Fails |
|------------|--------------|
| "Avoid websites with weird extensions" | 86.7% of malicious domains use .com |
| "Look for .com - it's more trustworthy" | .com has 59,876 malicious domains |
| "Only trust .com, .net, and .org" | These three host 98.3% of malware domains |
| "Cheap TLDs are dangerous" | .xyz, .online, .site host only 1.6% combined |

What Actually Works

  1. Check domain age - newly registered domains are higher risk regardless of TLD
  2. Verify the exact domain - amazon.com is safe; amazon-login.com is not
  3. Use threat databases - services like ScamVerify check domains against URLhaus and other feeds
  4. Check SSL certificate details - free certificates from Let's Encrypt are used by both legitimate and malicious sites; look at who issued the certificate
  5. Look for business presence - legitimate businesses have WHOIS records, physical addresses, and web histories

Methodology

Data source: URLhaus, operated by abuse.ch, is a project collecting and sharing URLs that are being used for malware distribution.

Analysis: ScamVerify extracted the domain and TLD from each of the 69,088 tracked domains. Domains were grouped by TLD using suffix matching. The "Other" category includes TLDs with fewer than 100 malicious domains each.
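
The grouping step described above can be reproduced on any URL feed. The following is an added example, not ScamVerify's or URLhaus's own code: the function names and sample URLs are constructed for illustration, unique hostnames stand in for domains, and the TLD is taken as the last label (plain suffix matching, no Public Suffix List).

```python
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample URLs (not real URLhaus entries); example.* names are reserved.
SAMPLE_URLS = [
    "http://cdn.example.com/a.exe",
    "http://CDN.example.com:8080/b.exe",   # same host, different case and port
    "https://files.example.net./c.zip",    # trailing root dot
    "http://203.0.113.7/d.bin",            # IP literal: has no TLD
    "http://dl.example.xyz/e.sh",
    "http://update.example.com/f.dll",
    "http://mail.example.com/g.js",
    "not a url",
]

def host_of(url):
    """Return the normalized hostname, or None for IP literals and unparsable input."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".").lower()
    try:
        ip_address(host)
        return None          # IP-hosted payloads cannot be attributed to a TLD
    except ValueError:
        pass
    return host if "." in host else None

def tld_breakdown(urls, min_count=100):
    """Count unique hosts per TLD; TLDs below min_count are folded into 'Other'."""
    hosts = {h for h in map(host_of, urls) if h}
    counts = Counter("." + h.rsplit(".", 1)[1] for h in hosts)
    table = Counter()
    for tld, n in counts.items():
        table[tld if n >= min_count else "Other"] += n
    total = sum(table.values())
    return [(tld, n, round(100 * n / total, 1)) for tld, n in table.most_common()]

if __name__ == "__main__":
    for tld, n, share in tld_breakdown(SAMPLE_URLS, min_count=2):
        print(f"{tld:8} {n:4} {share:5.1f}%")
```

Deduplicating hosts before counting matters because a single malicious host often serves many payload URLs, and URLs hosted on bare IP addresses have to be dropped rather than miscounted as a TLD.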

Limitations: URLhaus focuses on malware distribution URLs, not all types of malicious activity. Phishing-specific databases may show different TLD distributions. The data represents domains that have been identified and reported - unknown malicious domains are not included.

Data snapshot: This analysis uses production data as of March 2026.

FAQ

Does this mean .xyz and .online domains are safe?

No. A lower share of total malicious domains does not make these TLDs safe. It means the absolute volume is smaller. On a per-registration basis, some cheap TLDs may have a higher percentage of malicious registrations relative to their total size. The key point is that .com domains should not be automatically trusted.

Should I avoid any particular TLD entirely?

No single TLD should be automatically trusted or distrusted. Focus on the specific domain's characteristics: age, WHOIS information, content quality, and threat database status. Use ScamVerify's website checker to verify any domain.

How often does the URLhaus database update?

URLhaus is continuously updated as new malicious domains are discovered and reported by the security community. ScamVerify syncs with this feed regularly to maintain current threat intelligence. New domains can appear in the database within hours of being first used in attacks.
