Phishers Love New TLDs Like .shop, .top and .xyz

Overall stats and interpretation

  • New gTLDs are overrepresented in cybercrime reports relative to their share of new registrations, but .com/.net still account for a large absolute share of abuse.
  • Some argue the numbers simply show .com/.net “pulling most of their weight” because they dominate the namespace; others stress that, proportionally, new gTLDs are far more likely to be used for abuse.
  • Consensus that very low prices and lax registration requirements make some new gTLDs attractive for disposable phishing domains.

ccTLDs and registration policies

  • Several comments suggest some country-code TLDs are safer because they require residency or positive ID, raising the bar for abuse.
  • Others note that many ccTLDs are widely and legitimately used (.de, .br, .io, .ai, etc.) and have varying policy strictness.

Proliferation of TLDs: benefits vs harms

  • Critics see “infinite” gTLDs as confusing for users, increasing phishing opportunities, and forcing brands to defensively register many variants.
  • Supporters value extra choice for individuals and startups, especially when good .com names are squatted, and say we need better anti-phishing tools than domain memorization.
  • Some see domains as valuable identity handles (e.g., Bluesky-style domain-based usernames) and want more namespaces, not fewer.

User trust, phishing, and UX

  • New TLD links often “look scammy” to some, while younger users reportedly don’t care about TLDs at all.
  • Debate over whether domains like dell.shop are more convincing than dell.computerdealshop.com, and whether that materially affects scam success.
  • Many argue users don’t really understand URLs; they rely on search, ads, and page appearance instead, making domain-level defenses weak.

Squatting, pricing, and economics

  • Widespread frustration with domain squatting and “premium” pricing by registries; some propose making squatting illegal or heavily taxed.
  • Others question how to define “squatting” vs legitimate holding or non-web uses (email, internal services).
  • New gTLDs plus premium first-year pricing are seen by some as a way to raise costs for large-scale squatters, but not a complete solution.

Certificates, verification, and infrastructure

  • Several note that HTTPS and EV certificates were supposed to solve identity verification but largely failed in practice or UI.
  • Some argue domain names themselves are a poor trust signal; certificate identity (organization fields, business registries) would be better, but is rarely surfaced.
  • Operationally, many admins block entire TLDs (.xyz, .top, etc.) due to spam, harming legitimate users; others highlight that Cloudflare’s protection layer, not TLDs, is a major barrier to detecting and taking down phishing.
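The two defensive ideas that recur above (treating cheap new gTLDs as a risk signal, and asking whether a brand name in the wrong position of a hostname such as dell.computerdealshop.com is a tell) can be combined into a simple triage score rather than the blanket TLD block the last point warns about. The following is an added example, not code from the article or from the discussion, and it makes two labelled assumptions: the TLD watchlist is just the three TLDs the title names, and the brand list is a one-entry illustration. The public-suffix handling is deliberately simplified (it assumes a single-label suffix, so co.uk-style domains would need the Public Suffix List).

```python
from urllib.parse import urlsplit

# Assumption: a watchlist built only from the TLDs the discussion names.
# A real deployment would size this from its own abuse reports.
WATCHLIST_TLDS = {"shop", "top", "xyz"}

# Assumption: brands whose name appearing outside the registrable label is suspicious.
BRANDS = {"dell"}


def registrable_domain(host):
    """Return (registrable_domain, tld) for a hostname.

    Simplification (an assumption of this example): the public suffix is the
    last label only, so "dell.computerdealshop.com" -> ("computerdealshop.com", "com").
    Multi-label suffixes such as co.uk need the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return ".".join(labels[-2:]), labels[-1]


def score_url(url):
    """Score one URL: +1 for a watchlisted TLD, +1 for a brand in the wrong place.

    The result is a score with reasons, not a block decision, so legitimate
    users of .xyz or .top are not silently cut off.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reg, tld = registrable_domain(host)
    reasons = []

    if tld in WATCHLIST_TLDS:
        reasons.append(f"tld:.{tld}")

    sld = reg.split(".")[0]                     # second-level label, e.g. "computerdealshop"
    subdomain_labels = host.lower().split(".")[:-2]  # everything left of the registrable domain
    for brand in BRANDS:
        if brand in subdomain_labels and sld != brand:
            # brand sits in a subdomain the attacker controls (dell.computerdealshop.com)
            reasons.append(f"brand-in-subdomain:{brand}")
        elif brand != sld and brand in sld:
            # brand embedded in a different registrable label (dell-support.xyz)
            reasons.append(f"brand-embedded:{brand}")

    return {"host": host, "registrable": reg, "tld": tld,
            "score": len(reasons), "reasons": reasons}


def triage(urls):
    """Score a batch and return it highest-risk first for a human reviewer."""
    return sorted((score_url(u) for u in urls), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    # Constructed sample input, not real observed URLs.
    sample = [
        "https://www.dell.com/support",
        "https://dell.shop/login",
        "dell.computerdealshop.com/verify",
        "http://dell-support.xyz/account",
        "https://example.top/",
    ]
    for row in triage(sample):
        print(row["score"], row["host"], row["reasons"])
```

The point of returning a score and reasons instead of a boolean is the caveat in the last bullet: a TLD alone is weak evidence, so it should raise review priority, not drop mail or block a site on its own. Combining it with an independent signal (brand placement here; certificate organization fields or registration age would be others) is what makes the triage useful.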