Key Findings
ScamVerify™ analyzed 74,032 malicious domains from the URLhaus threat intelligence database. While .com dominates with 81% of malicious domains, the full TLD ranking reveals how threat infrastructure is distributed across every major domain extension.
.net hosts 7,272 malware domains, making it the second most dangerous TLD. Combined with .com (60,047) and .org (4,007), these three "legacy" TLDs account for 96.3% of all tracked malicious domains. The extensions most people consider safe are the ones most frequently used for attacks.
Complete TLD Threat Ranking
| Rank | TLD | Malicious Domains | Share | Original Purpose |
|---|---|---|---|---|
| 1 | .com | 60,047 | 81.1% | Commercial entities |
| 2 | .net | 7,272 | 9.8% | Network infrastructure |
| 3 | .org | 4,007 | 5.4% | Non-profit organizations |
| 4 | Other | 1,388 | 1.9% | Various ccTLDs and niche TLDs |
| 5 | .xyz | 728 | 1.0% | General purpose (cheap) |
| 6 | .online | 191 | 0.3% | General purpose |
| 7 | .site | 189 | 0.3% | General purpose |
| 8 | .ru | 132 | 0.2% | Russia country code |
| 9 | .cn | 33 | 0.04% | China country code |
| 10 | .top | 19 | 0.03% | General purpose |
| 11 | .info | 16 | 0.02% | Information sites |
| 12 | .shop | 6 | 0.01% | E-commerce |
Why .net Is the Second Most Dangerous
The Infrastructure Association
.net was originally designated for network infrastructure providers: ISPs, hosting companies, and networking organizations. This heritage gives .net domains an aura of technical credibility. A domain like secure-network-update.net sounds more plausible than the same name with a .xyz extension.
Attackers exploit this association in several ways:
- Fake software update portals that deliver malware instead of patches
- Phishing pages for network-related services (VPNs, email providers, cloud storage)
- Command-and-control servers that communicate with malware on infected systems
Comparable Cost, Higher Trust
.net domains cost $10-12 per year, the same as .com. For attackers, this means identical cost with a slightly different trust profile. Some phishing campaigns use .net specifically because targets who have been warned about .com phishing are less suspicious of .net links.
Lower Scrutiny
Security awareness training overwhelmingly focuses on .com domains. Few training programs specifically address .net threats, creating a blind spot that attackers exploit. The 7,272 malicious .net domains in URLhaus suggest this blind spot is significant.
.org: The Non-Profit Disguise
With 4,007 malicious domains, .org ranks third. The .org TLD was originally reserved for non-profit organizations, and that association persists in public perception. Scammers use this to:
- Create fake charity websites, especially during disaster relief campaigns
- Impersonate government-adjacent organizations
- Build fake "consumer protection" or "watchdog" sites that harvest personal data
As detailed in our guide to fake government websites, the .org TLD is frequently used for government impersonation because it sounds official. Unlike .gov, anyone can register a .org domain for about $10 per year with zero identity verification.
The Cheap TLD Myth
The data contradicts the widespread belief that cheap, newer TLDs are the primary threat:
| TLD | Cost/Year | Malicious Domains | Share |
|---|---|---|---|
| .com | $10-12 | 60,047 | 81.1% |
| .net | $10-12 | 7,272 | 9.8% |
| .org | $10-12 | 4,007 | 5.4% |
| .xyz | $1-2 | 728 | 1.0% |
| .online | $1-3 | 191 | 0.3% |
| .site | $1-3 | 189 | 0.3% |
| .shop | $1-5 | 6 | 0.01% |
The three most expensive TLDs host 96.3% of all threats. The cheapest TLDs (.xyz, .online, .site, .shop) host a combined 1.5%. Cost does not predict danger.
This does not mean cheap TLDs are safe. On a per-registration basis, some newer TLDs may have higher malicious ratios. However, the absolute volume of threats is overwhelmingly concentrated in legacy TLDs because that is where attackers achieve the highest success rates.
Country-Code TLDs: Minimal But Notable
Country-code TLDs (ccTLDs) represent a small fraction of the URLhaus database:
- .ru (Russia): 132 malicious domains
- .cn (China): 33 malicious domains
These numbers are low in absolute terms, but both ccTLDs have reputations for limited cooperation with Western takedown requests, which can extend the operational lifespan of malicious domains registered under them.
The "Other" category (1,388 domains) includes dozens of additional ccTLDs and niche TLDs, none large enough individually to rank on their own.
Cross-Referencing With ThreatFox
ScamVerify also monitors 60,758 indicators of compromise through ThreatFox, which tracks malware command-and-control infrastructure, credential harvesting endpoints, and botnet communication channels. The ThreatFox data reinforces the URLhaus findings: legacy TLDs dominate threat infrastructure across both malware distribution and operational command channels.
Together, these feeds give ScamVerify visibility into 134,790 threat indicators that are checked every time someone runs a URL through the website checker.
Check any URL now
Paste a URL to scan it against 74,000+ threat domains and real-time intelligence.
What This Means for You
Stop Trusting TLDs
The TLD tells you nothing about a website's safety. A .com, .net, or .org domain is not inherently safer than a .xyz domain. Evaluate websites based on domain age, content quality, business presence, and threat database status.
Check Everything
Run unfamiliar URLs through ScamVerify's website checker regardless of their domain extension. The analysis checks against both URLhaus and ThreatFox in real time.
Use Multiple Signals
No single indicator determines safety. Domain age, SSL certificate details, contact information, business presence, and threat database results should all factor into your assessment. For a complete verification process, read our guide on how to check if a website is safe.
Methodology
Data source: URLhaus (abuse.ch), tracking malware distribution URLs. ThreatFox (abuse.ch), tracking indicators of compromise.
Analysis: TLD extracted from each of the 74,032 URLhaus domains using suffix matching. Grouped and ranked by count. Country-code TLDs with fewer than 30 entries grouped into "Other."
Limitations: URLhaus focuses on malware distribution. Phishing-only or fraud-only databases may show different distributions. Data represents identified and reported domains only.
Data snapshot: Production data as of March 2026.
FAQ
Is .net less safe than .com?
In absolute numbers, .com is far more dangerous (60,047 vs 7,272). However, both TLDs should be evaluated the same way: check the specific domain's age, content, and threat database status rather than making assumptions based on the extension.
Should I avoid .net websites?
No. Millions of legitimate websites use .net, including major technology companies and service providers. The point is that .net should not be automatically trusted any more than .com. Verify each website individually.
Why does .shop have so few malicious domains?
The .shop TLD is relatively new and has far fewer total registrations than legacy TLDs. Additionally, some .shop registrars have implemented stricter registration verification. The low absolute count (6 domains) does not mean .shop is inherently safe.
How often does the URLhaus database update?
URLhaus is continuously updated as new malicious domains are discovered by the security community. ScamVerify syncs with this feed regularly. New threat domains can appear in the database within hours of being first used in attacks.
