Namecheap was the most abused domain registrar for botnets

Spamhaus has named Namecheap the most abused domain registrar for botnets in Q3 2019.

The main problem here is that Namecheap is the number one abused registrar by a very wide margin over the other registrars.

The number of newly detected botnet command & control servers (C&Cs) reached an all-time high in July this year with more than 1,500 botnet C&Cs detected by Spamhaus Malware Labs. This is far in excess of the monthly average, set in the first half of this year, of 1,000 botnet C&Cs.

Report on the most abused domain registrars, Q3 2019

Namecheap: The US-based domain registrar ‘Namecheap’ continued to be the favorite place for malware authors to register their botnet C&C domains.

OpenProvider: The number of fraudulently registered domain names registered through the Dutch domain registrar ‘OpenProvider’ (aka ‘Hosting Concepts’) almost doubled from 188 in Q2 to 344 in Q3, placing them at #3 in the chart.

Register.com: Great work by ‘register.com’, who looks to have improved processes, as they no longer appeared on our Top 20 most abused domain registrars in Q3. This is in stark comparison to Q1, where they accounted for 22% of the total number of registered domains used for botnet C&Cs.

Newcomers: Newcomers to our chart of most abused domain registrars were the German-based domain registrar ‘Key Systems’ and the French registrar ‘OVH’.

(An article on the most abused domain name extensions is coming in a couple of days.)

About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.

4 comments

  1. I have no doubt the title is well justified. From a personal experience, I have been flooded by spam coming from domains registered at NameCheap. Most are either .ICU or .Best domains as I’ve reported on DomainGang, and all my complaints and submissions of these domains – that use Cloudflare as a DNS proxy – come with a standard response.

    NameCheap apparently agrees to go as low as possible with retail domain registrations, e.g. $1.80 for .ICU domains. Scammers and spammers seize the opportunity to get disposable domains cheap and the circle continues. https://domaingang.com/domain-news/namecheap-and-cloudflare-domain-spam-is-currently-out-of-control/

    ICANN should have a process in place that penalizes such inability to eradicate spam. For what it’s worth, spam from .XYZ domains is very very low. Perhaps NameCheap should collaborate with the .XYZ Registry to figure out how they achieve this.

    • Konstantinos Zournas

      Yes I watched the twitter thread between you and Namecheap. I too get a lot of spam from .icu domains.

      To be fair you are comparing a registrar Namecheap with a registry .xyz. Maybe the .icu registry must do something about this mess…

      • The problem isn’t just .ICU or just .Best, it’s the agreement between NameCheap and these registries (and probably others.) They hit rock bottom price-wise thus enabling spammers with their throwaway domains.

        I mentioned .XYZ because they do have technology disabling spammers quickly. NameCheap has done nothing as far as I see to stop spammers’ accounts.

        NameCheap also accepts Bitcoin which adds another layer of anonymity for the spammers, on top of the Cloudflare use.

  2. Andrew Dickinson

    Namecheap still deserves the title.
    I have been hammered with 10 to 20 Bitcoin spam per day for months, all using Namecheap domains.

    Namecheap took no apparent action, despite hundreds of spam reports, until I hit their Live Chat a month ago. The poor beleaguered helpdesk operative floundered with saying they could not escalate the matter to a supervisor, then terminated the chat.
    So I left the most negative feedback possible.
    Their support followed up, and the spam flood stopped for about a week.
    When it restarted, with more daily cases than before, I started to Cc support@namecheap.com (the email from which they had replied) on all spam reports, as well as giving them weekly separate updates.
    The spam flood stopped again three days ago.
    So far, so good.
