Malware Patrol recently partnered with Cisco’s SURGe Team to investigate how cybercriminals exploit newly registered domains (NRDs) for fraud during major geopolitical events. While we’ve offered NRD data for several years and know firsthand how powerful it is for uncovering malicious activity, the sheer volume of data – 200,000+ domains per day – makes it rather difficult to explore and manipulate it in meaningful ways without the right tooling and know-how. Thankfully, the knowledgeable SURGe team and Splunk Enterprise enabled us to slice and visualize a whopping two and a half years’ worth of newly registered domains in myriad ways, helping us surface patterns, trends, and supporting statistics that would have been hard to see otherwise. We’d like to express our appreciation to their team, namely: Lauren Stemler, Ryan Fetterman, James Hodgkinson and Vandita Anand.
In short, by retroactively aligning NRD activity with a timeline of key geopolitical events, we were able to validate that this data is extremely useful for spotting threats and cybercrime infrastructure. And while our analysis looked backward, the same logic applies going forward: using current newly registered domains data in near real time can help surface burgeoning campaigns and fraud as geopolitical events unfold. We hope this research helps security teams see new ways to make use of NRD data to protect against emerging threats, or at least underscores that the intersection of geopolitics and domain registrations is an important signal they shouldn’t ignore.
The original article appears on their site.
Predicting Cyber Fraud Through Real-World Events: Insights from Domain Registration Trends
Events in the physical world influence the digital world. In the wake of major geopolitical events, attackers register new domains and infrastructure to support fraudulent activities. These domains come in many forms, for example, posing as a natural disaster relief fund to solicit donations, collecting interest in a crypto coin offering, or creating a fake auto insurance website. Large-scale newly registered domain (NRD) analysis reveals consistent patterns in this behavior, allowing us to predict attacker activity long before associated fraud becomes visible.
To demonstrate the relationship between these physical and digital events, Cisco’s SURGe Team and Malware Patrol analyzed more than 200 million historical NRD records in Splunk Enterprise. Since most cyber campaigns require supporting infrastructure, NRDs offer a useful signal of malicious intent. By examining domain registration patterns around key U.S. events from 2023 to mid 2025, specifically in cryptocurrency, natural disasters, and financial sectors, we aimed to identify trends that connect real-world disruption with spikes in suspicious digital activity. This work offers practical insights for defenders seeking to anticipate and analyze fraud tied to geopolitical developments.
Understanding the Link Between Headlines and Cyber Threats
We began our research effort by building a comprehensive list of major breaking news events from January 2023 through August 2025, then narrowed our focus to events with clear opportunities for financially motivated cybercrime, prioritizing situations where adversaries could exploit urgency or heightened interest to obtain money or sensitive information. This prioritization process led to three event categories where attackers create infrastructure in response to real-world developments: cryptocurrency, financial (non-crypto), and natural disasters.
After selecting these three categories, we expanded each into a detailed event timeline. For cryptocurrency, this included Bitcoin price milestones, regulatory shifts, and exchange-related news. For financial events, we incorporated interest rate decisions, market volatility, earnings reports, and tariff/policy announcements. For natural disasters, we tracked hurricanes, wildfires, tornado outbreaks, floods, and severe weather systems. Each event was assigned a time window to allow consistent comparison against NRD activity.
Inside the Dataset: What 213 Million New Domain Registrations Reveal
Our analysis relied on Malware Patrol’s global NRD dataset, which contains more than 213 million domain registrations for the selected period. Each record contains metadata including timestamp, Top-Level Domain (TLD), hosting information, and historical indicators that can be used towards fraud classification. To isolate patterns tied to geopolitical events, we developed custom keyword and regex-based classifiers to tag domains relevant to cryptocurrency, natural disasters, and financial markets.
Splunk Enterprise’s large-scale search and visualization capabilities allowed us to detect anomalies, compare category-level trends against global baselines, and identify moments where domain activity sharply diverged from normal behavior. NRD data does not capture all malicious infrastructure, but it can expose the earliest stages of fraud campaigns.
Detecting Event-Driven Patterns
With this dataset mapped and categorized, the next step was to determine whether meaningful patterns emerged around real-world events. To explore this idea, we used various types of data analysis, combining event volume, fraud rate, and applying Natural Language Processing techniques to intuit the meaning behind the data.
We generated time charts of domain registration activity within each category, and across the full timeframe, measuring activity to identify statistical anomalies using rolling sensitivity bands.
The peaks and valleys of our time charts were aligned with our documented timelines of significant events to look for co-occurrences where we can retroactively confirm significant fraud activity occurred.
Semantic Shift: How is keyword use changing over time?
The volumetric and fraud-rate analyses showed when unusual behavior occurred within a category of interest, but not what attackers were trying to exploit. To capture language-specific changes, we conducted a semantic shift analysis, which would reflect how the language of newly registered domains within a category of interest changed over time.
We parsed each domain into meaningful tokens removing TLDs and subdomains, splitting on punctuation, and digits, segmenting fused words, and removing boilerplate stop words (extremely common words like “a,” “the,” “is,” are filtered out because they have little semantic value on their own). Token counts were aggregated monthly to form a month-by-term frequency matrix. We then converted this matrix into TF-IDF vectors so that each month was represented by its characteristic vocabulary rather than raw frequency dominated by common terms.
To visualize how that vocabulary changed, we projected the monthly TF-IDF vectors into two dimensions using t-SNE. Plotting them chronologically produced a trajectory in which nearby points reflected similar keyword distributions, while long jumps indicated major shifts in attacker themes.
We interpreted these jumps by reviewing top-ranked terms each month and, when useful, examining cosine distances and keyword heatmaps. For example, between December 2024 and January 2025, in the natural disaster category, new terms such as “rebuild,” “wildfire,” “disaster,” “la,” and “firestorm” suddenly became dominant, with “supplies” and “emergency” rising sharply as well. This shift aligned precisely with the Palisades Fire (discussed below) and appeared clearly in the semantic trajectory even before drilling into individual domains.
This natural language analysis, combined with event tagging, anomaly detection, and fraud-rate modeling, helped reveal not only when domain activity spiked in response to real-world events, but how attacker intent and focus changed in measurable ways.
Key Finding #1 Real-world crises create immediate and measurable spikes in fraudulent domain activity
Natural disaster–related domains represent the smallest subset of the study’s tagged NRDs, averaging 313 domains per day. Despite the lower volume, some important insights can be gained from this category due to its event-driven fluctuations. Natural disasters offer one of the clearest demonstrations of how quickly attackers capitalize on real-world crises.
One event that clearly illustrates this pattern is The January 2025 Palisades Fire in Los Angeles County – one of the most destructive and costly wildfire events in recent U.S. history. Within hours of the first evacuation alerts, our data showed a sudden surge in newly registered domains referencing the fire, Los Angeles, relief efforts, or related humanitarian themes. As the fire intensified over the following days, malicious activity grew alongside it.
Attackers registered domains impersonating relief organizations, emergency resource hubs, and donation portals, rapidly deploying infrastructure to exploit public confusion and urgency.
Attackers also blended in more modern lures, including Solana-themed “wildfire relief” tokens and fake cryptocurrency airdrops. Several domain clusters were bulk-registered with identical landing pages designed to harvest email addresses for later phishing campaigns, an increasingly common pattern in crisis-driven fraud. For more information on the most common attack techniques being observed, please check out the Cisco Talos Year in Review Report.
The language embedded in these domains provided further evidence. Using our semantic-shift analysis, we observed a sudden rise in tokens such as “wildfire,” “firestorm,” “lafire,” “supplies,” “donate,” and “emergency”, terms that were largely absent from the dataset just one month prior. January 2025 became the clear high-water mark for natural disaster–related domain registrations in the entire two-year period, and a significant outlier compared to overall NRD activity and the baseline growth trends of other event categories.
Viewed alongside earlier case studies, the Palisades Fire reinforces a broader pattern: real-world shocks produce immediate, measurable spikes in attacker infrastructure. Unlike crypto or financial events, which often generate longer-term waves of fraud, disaster-driven domain activity is sudden and closely tied to public attention cycles. The rapid registration of look-alike donation sites, emergency-aid portals, and geographically themed domains demonstrates how quickly threat actors mobilize when people are most vulnerable. For defenders, this means disaster-driven fraud often materializes before the public fully understands the scale of the event.
Key Finding #2: Crypto events produce the highest fraud volume and the longest-lasting impact.
While natural disasters trigger short-lived bursts of attacker activity, cryptocurrency events generate more persistent waves of fraud. Across the entire dataset, crypto-related domains represented the largest event-linked category and consistently showed the highest fraud prevalence. This pattern coincided with major market and regulatory milestones. One of the most significant upticks occurred in March 2024, when Bitcoin surpassed its previous all-time high. In the days surrounding this event, our dataset recorded one of the largest domain registration spikes in the two-year period, with newly created domains referencing Bitcoin, wallets, exchanges, investment platforms, and token names far exceeding upper sensitivity thresholds.
Unlike natural-disaster spikes, crypto activity didn’t return to baseline. Instead, March 2024 marked the beginning of a new elevated period that persisted throughout late 2024 and well into 2025. One of our hypotheses prior to starting analysis was that the recent positive changes in the regulatory environment in the U.S. would create more opportunities for crypto-related fraud. These events, for example include:
- January 10, 2024: the SEC approved the first 11 Bitcoin exchange-traded products (ETFs/ETPs) in the U.S. These ETFs provide investors with direct exposure to Bitcoin’s price movements without the need to buy, store, or manage Bitcoin personally.
- March 6, 2025: The U.S. signed an executive order establishing a strategic bitcoin reserve, specifically naming Bitcoin, Ethereum, XRP, Solana, and Cardano currencies.
- March 28, 2025: The U.S. FDIC rescinded its 2022 letter that required banks to notify and obtain prior approval for crypto activities. At this point, FDIC-supervised may engage in permissible crypto activities without prior approval.
- July 18, 2025: The U.S. approves the Guiding and Establishing National Innovation for U.S. Stablecoins (GENIUS act). This legislation continued to signal the trend that cryptocurrencies would be regulated, including reserve rules and marketing standards.
These developments drew millions of new and inexperienced users into the market, widening the pool of potential victims. Attackers responded by registering domains that impersonated exchanges, mimicked customer dashboards, hosted fake wallet downloads, and advertised fraudulent staking or investment opportunities.
The rise in pig-butchering operations during this period further illustrates how attackers adapted to this influx of new users. These long-con social engineering schemes rely on building trust with victims over weeks or months before steering them toward fabricated crypto-investment platforms. Crypto fraud was not only quick-hit phishing attempts, but attackers were playing the long game of establishing trust between themselves and their victims.
Since crypto coin scams often involve multiple domains on shared infrastructure, we used known fraud IOCs to hunt for clusters of other probable fraud activity. Building on a list of initial IOCs we have created flexible categories for capturing common memecoin related themes, and then bucket the category count to give us a variety of sorting options for investigating the data:
The resulting output aggregates suspicious categories as a distinct count and can be used to review values of domain names sharing IP space with known fraud sites.
While U.S. regulation has helped legitimize cryptocurrencies in the past years, investors should consider any investment opportunities advertised in this realm with healthy skepticism and due diligence. The FBI cites increased risk of scam for companies that are not part of self-regulatory organizations like the National Futures Association or FINRA.
Key Finding #3: Economic Fears Supercharge Uncertainty & Cyber Crime
In the financial (non-crypto) category, one of the strongest domain registration surges occurred in March 2024, during a period of heavy U.S. news coverage about increased cost of living and rising insurance costs. As we examined the data, a clear pattern emerged: insurance-related keywords began increasing frequency as early as February and reached a peak in April.
From January through April 2024, U.S. national news outlets repeatedly highlighted double-digit increases in auto-insurance rates, numerous hospital and insurer contract disputes, as well as claims & prior-authorization denial controversies, were publicized. Additionally, Centers for Medicare & Medicaid Services (CMS) confirmed a 2025 premium increase (3.7%) for Medicare Advantage. This sustained narrative produced high consumer awareness and uncertainty, resulting in the kind of environment scammers reliably exploit to deploy convincing insurance-themed phishing, refund fraud, fake coverage notifications, eligibility-verification fraud, and fake insurer-comparison websites.
In the data, we observed a shift in the domains being registered during this period. Insurance-related terms such as “insurance,” “rate,” “car,” “Medicare,” “renew,” and “health” appeared with increasing frequency. We also observed clusters using commonly abused TLDs (.xyz, .site, .online, .buzz, .bond), consistent with disposable phishing infrastructure. Numerous domains were generic or service-oriented (e.g., “insurance,” “health insurance,” “getinsurance,” “ethical insurance”), typical of phishing, scam, or fraud-oriented lures targeting people seeking coverage.
March 2024 – Volume Precedes Focused Campaigns
The data from March mirrors the rise in general financial-services domain creation during ongoing tax-season fraud, refund scams, and credit-repair themes while also demonstrating a strong overlap with the insurance-related narratives that were entering peak national coverage.
• car-insurance-47993.bond (multiple sequential variants)
• health-insurance-19289.bond (multiple sequential variants)
• insuranceconcierge.expert, insuranceconcierge.guru (bulk-pattern cluster)
• betterinsurancerate.net
• insurebestrateusa.info
• auto-insurance-deals.shop
• autoinsurancefind.today
• plansmedicare.org
• fullycoveredinsurance.com
April 2024 – A Surge in Insurance-Specific Keywords
Despite March’s higher overall volume, April produced significantly more domains containing insurance-trigger keywords:
• autoinsuranceforseniors204203.life (multiple sequential variants)
• accident-insurance-15849.bond (multiple sequential variants)
• getinsurance.pro
• governmentmedicalinsurance.com
• gov-insurance-now-8.live
• cheapautoinsurancetip.top
• cheapcarinsurancenet.top
• health-insurance-12396.bond (multiple sequential variants)
• insuranceforseniorsite.com
• medical-insurance122.online (multiple sequential variants)
• middle-agedandelderlyinsurance991.online (multiple sequential variants)
• senior-car-insurance-20352.bond (multiple sequential variants)
• americanmedicarequote.com, americanmedicarequotes.com
• medicareformedicare.site, medicare-plans-help.today
• the-car-insurance030.site (multiple sequential variants)
As a point of interest, April’s activity showed more diverse insurance subcategories (auto, medical, Medicare, homeowners, cyber, senior, contractor), suggesting that the campaigns were directly “riding” the elevated media noise from the preceding months. There were also more bulk/cluster registration patterns in April’s data, a possible indication of heightened (or peak) malicious campaign activity.
Our analysis indicates that both the March 2024 financial-domain surge and the insurance-specific increase in April can likely be explained by the compounding effect of January to March news cycles. The steady stream of headlines created fertile ground for threat actors to exploit confusion around benefits, coverage options, and plan updates.
Cross-Category Comparison: How Each Event Type Behaves in the Data
Since the scale of each category of interest is different, for a direct side-by-side comparison, we instead tracked the relative growth of each category. Each line starts at 100 for the first month; rising to 150 means +50% vs its own baseline. The tight tracking of these lines shows how each category is still influenced by macro-level trends, and deviations from the cohort overall are more notable.
As a grouped category, crypto-related domains had the highest fraud rate, of 26.86%, well above the global baseline of 23.10%. While the Natural Disaster category is much smaller in daily volume, it produces the sharpest short-term deviations and is easier to track trends without detailed keywords, compared to the financial categories. Fraud rates for Natural Disasters were also elevated to 24.26%. Financial (non-crypto) events tend to create modest increases in suspicious domain activity. Fraud rates for this category average 23.69%, slightly higher than the global baseline. Our categorization of ‘fraud’ for these purposes included any historical hosting of malware, domain generation algorithms, or command-and-control infrastructure. Since this reputation is IP-based, we expect the rate of fraud domains (many of which can be hosted on the same IP) to be potentially inflated and not representative of the true global rate of fraudulent domains.
Conclusions: Turning Event Awareness into Early Action
Attacker infrastructure frequently appears within hours or days of major real-world events, which means defenders benefit from treating external developments as operational signals. Incorporating event awareness into threat intelligence workflows begins with tracking high-impact geopolitical and economic activity and prioritizing the events most relevant to your sector or user base.
Once relevant events are identified, teams can determine which organizations or services attackers are most likely to impersonate. Converting those likely targets into keyword patterns makes NRD monitoring more effective, allowing clusters of newly registered domains to surface as early indicators of staging activity. Domains using unusual TLDs, typosquatting, or obfuscated permutations (for example, govuk-verify[.]info or unhcr-supp0rt[.]org) can then be evaluated against known threat-actor behaviors to assess whether they align with phishing kits or previously observed campaigns.
Adding contextual tags, such as the associated event, likely “spoofed entity”, or “suspected TTP”, helps SOC analysts and threat hunters pivot on related domains more effectively. Certificate metadata and sandboxing results provide additional signals to distinguish benign alerts from malicious activity. Feeding this enriched context into a SIEM or TIP allows detections to operate faster and with greater precision.
These findings highlight that NRD monitoring is a reliable early indicator of cybercrime taking shape. By pairing domain trends with current events, defenders can anticipate the kinds of lures and impersonation themes that are likely to emerge next. Building this context into threat intelligence programs helps teams detect malicious infrastructure earlier, prioritize investigations more effectively, and prepare for incoming campaigns rather than reacting after the fact. As cybercriminals align their operations with real-world disruptions, adopting event-driven threat intelligence is essential for staying ahead.
Credit to authors and collaborators: Lauren Stemler (Splunk / SURGe), Ryan Fetterman (Splunk / SURGe), James Hodgkinson (Splunk / SURGe) and Vandita Anand (Splunk / SURGe), Andre Correa (Malware Patrol), Leslie Dawn (Malware Patrol).
