Spamhaus published the latest report for the most abused top-level domains in botnets from Q4 2021:
A new entry at #4
We don’t often see new TLD entries within the top five of this Botnet C&C Top 20; however, .xxx, an adult TLD, run by registry ICM, has entered at #4. With less than 10,000 active domains but a total of 223 domains associated with botnet C&C activity in Q4 we can only assume that there are problems.
The ccTLD de (Germany) re-entered our quarterly ranking at #20, having dropped off the Top 20 in Q2.
Reductions and departures
We’d like to congratulate all the registries that manage TLDs who departed from our listings along with those who significantly reduced the number of associated botnet C&Cs using their TLDs, including .buzz and .net, who both saw an 80% reduction.
Q3 data inaccuracy
Apologies to Verisign for an error in our Q3 2021 statistic for .com. We misreported the number of botnet C&Cs for the TLD, and the correct figure was 3,730. Various issues led to this error, but we are pleased to confirm that we have worked with Verisign to rectify these.
Interpreting the data
Registries with a greater number of active domains have greater exposure to abuse. For example, in Q4 2021, .net had more than 13 million active domain zones, of which 0.00103% were associated with botnet C&Cs. Meanwhile, .xxx had just over 9,000 active domains, of which 2.4% were associated with botnet C&Cs. Both are in the top ten of our listings, but one had a much higher percentage of active domains associated with botnet C&Cs than the other.
Working together with the industry for a safer internet
Naturally, our preference is for no TLDs to have botnet C&Cs associated with them, but we live in the real world and understand there will always be abuse. What is crucial is that abuse is dealt with quickly. Where necessary, if domain names are registered with the sole purpose of distributing malware or hosting botnet C&Cs, we would like registries to suspend these domain names. We appreciate the efforts of many registries who work with us to ensure these actions are taken, including .xyz and .top.