
New gTLD Abuse Analysis


Editor's Note: This post has been revised on September 2, 2025 in light of feedback on the use of the definition of Brand TLDs. The blog now adopts the ICANN definition of Brand TLDs.

Executive Summary

Over a decade after ICANN’s first new gTLD expansion, reported abuse rates remain substantially higher in new gTLDs than in legacy and country code TLDs. Using data collected from the Global Signal Exchange over a 90-day period in 2025, this analysis evaluates the prevalence and distribution of DNS abuse reports across the domain name landscape, highlighting key differences among TLD types and operational models.

While overall rates of reported abuse are still below 1% across all TLD classes, new gTLDs demonstrate reported abuse rates more than 30 times higher than legacy domains like .com or .net, and more than 25 times higher than country-code TLDs such as .no (Norway) or .dk (Denmark). Within the new gTLD ecosystem itself, abuse varies dramatically by category: open, commercially driven Generic Word TLDs exhibit the highest rates, more controlled spaces like Community, Geographic, and Internationalized TLDs report significantly lower levels of abuse, and the closed Brand TLDs show none.

As the ICANN community prepares for the next gTLD application window in 2026, these findings offer evidence-based insights into which TLD models foster safer namespaces and which may require stronger oversight, policy safeguards, and technical controls.

Introduction

More than a decade has passed since ICANN launched its ambitious new gTLD program, introducing hundreds of new top-level domains into the global DNS. As the community looks ahead to the next application round, currently targeted for April 2026, it is critical to take stock of the first round of new gTLDs and evaluate how well they’ve lived up to expectations. 

One area of particular concern is DNS abuse. While abuse occurs across all corners of the domain name space, new gTLDs have often been flagged for higher rates of malicious activity. With over a thousand new TLDs now in operation, a decade of operational data offers an opportunity to take a more structured look at abuse patterns across different kinds of TLDs.

This article seeks to answer two basic questions:

  1. How do rates of reported abuse in new gTLDs compare to those in legacy and country code TLDs (ccTLDs)?
  2. Within the new gTLDs, how do rates of reported abuse vary across different categories (e.g., Brand, Generic, Geographic, Community, and Internationalized TLDs)?

To explore these questions, we analyzed recent signal data from the Global Signal Exchange, a global clearinghouse for the exchange of scam and fraud threat signals. By combining this signal intelligence with domain registration data, we were able to calculate relative rates of reported abuse and uncover patterns that can inform both policy and operational decisions for the upcoming round of new gTLDs.

Methodology

The methodology used to calculate rates of reported abuse is similar to the methodology used in past articles; however, we use an expanded data set of abuse signal data available to us via the Global Signal Exchange.

  • Timeframe: This analysis includes signals obtained over 90 days, from March 20 to June 20, 2025.
  • Abuse Types: Signals associated with the following abuse types are included: Scam, Phishing, Malware, Trademark, Fraud, Impersonation, Piracy, and Exploit.
  • Reported Abuse Rate: The rate of reported abuse is calculated by dividing the total number of registered domains (obtained using DomainTools counts) in the TLD by the total number of abuse reports found for unique domains.

Each new active gTLD was classified into one or more of the following categories, based on ICANN designation, registry marketing, and usage context. In particular, the categorisation of Community and Brand TLDs is a matter of contract between the registry operator and ICANN, under specification 12 and 13 respectively. Internationalized Domain Names are identified by the use of the xn-- prefix. Geographic names were classified with the assistance of a generative AI tool, and manually checked.

  • Generic Word TLDs (e.g., .beer, .pizza) – 650 total active TLDs
  • Geographic TLDs (e.g., .berlin, .nyc) – 107 total active TLDs
  • Community TLDs (listed in ICANN’s specification 12 categorisation) – 47 total active TLDs
  • Brand TLDs (listed in ICANN’s specification 13 categorisation) – 360 total active TLDs
  • Internationalized Domain Name (IDN) TLDs (e.g., .онлайн, .中国) – 151 total active TLDs

TLDs may fall into multiple categories (e.g., some IDNs are also brands, and some well-known brands are not officially categorised under specification 13 in ICANN’s contractual framework), but the primary ICANN classification was used for analysis.
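
The calculation described in this section, as an added example (not code from the original post): it reduces reported hostnames to unique registered domains, keeps only the listed abuse types, assigns each TLD one category, and expresses the rate as the percentage of registered domains reported, the form in which the findings state it. All TLD lists, counts and signals are constructed, and the category precedence order and second-level registration model are assumptions.

```python
from collections import defaultdict

# Constructed sample data: none of these lists, counts or signals come from the post.
ABUSE_TYPES = {"scam", "phishing", "malware", "trademark",
               "fraud", "impersonation", "piracy", "exploit"}
SPEC13_BRAND = {"examplebrand"}       # hypothetical Specification 13 TLDs
SPEC12_COMMUNITY = {"examplecoop"}    # hypothetical Specification 12 TLDs
GEOGRAPHIC = {"berlin", "nyc"}        # manually reviewed geographic list
REGISTERED = {"pizza": 20000, "berlin": 50000, "examplecoop": 8000,
              "examplebrand": 300, "xn--80asehdb": 25000}
SIGNALS = [
    ("login-update.pizza", "Phishing"),
    ("LOGIN-UPDATE.pizza.", "Scam"),        # same domain, counted once
    ("free-prize.pizza", "Scam"),
    ("cdn.free-prize.pizza", "Malware"),    # subdomain of a registered name
    ("shop.berlin", "Fraud"),
    ("news.berlin", "Spam"),                # abuse type outside the listed set
    ("bank.xn--80asehdb", "Impersonation"),
    ("portal.com", "Phishing"),             # TLD outside the sample
]

def classify(tld):
    """One category per TLD; the precedence order is an assumption."""
    if tld in SPEC13_BRAND:
        return "Brand"
    if tld in SPEC12_COMMUNITY:
        return "Community"
    if tld.startswith("xn--"):              # IDN TLDs carry the xn-- prefix
        return "IDN"
    return "Geographic" if tld in GEOGRAPHIC else "Generic Word"

def registered_name(domain):
    """Reduce a reported hostname to (second-level name, TLD)."""
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else None

def abuse_rates(signals, registered):
    """Percent of registered domains with at least one in-scope report."""
    reported = set()
    for domain, kind in signals:
        name = registered_name(domain)
        if name and name[1] in registered and kind.lower() in ABUSE_TYPES:
            reported.add(name)
    hits, totals = defaultdict(int), defaultdict(int)
    for tld, count in registered.items():
        totals[classify(tld)] += count
    for _, tld in reported:
        hits[classify(tld)] += 1
    return {c: round(100 * hits[c] / totals[c], 3) for c in totals if totals[c]}

RATES = abuse_rates(SIGNALS, REGISTERED)
```

Counting unique registered domains rather than raw signals keeps a single heavily reported domain from inflating a TLD's rate.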

Findings

Top-Level Domain Reported Abuse Rate Comparisons

The first question we wanted to answer was how abuse rates in the new gTLDs compare with abuse rates in both legacy and country code TLDs. Using the methodology described above, we found the abuse rates as follows.

  • Legacy TLDs: 0.019%
  • ccTLDs: 0.024%
  • New gTLDs: 0.618%


While the average rate for these TLD groups is under 1%, it is significant that the abuse rate for New gTLDs is 32 times higher than for Legacy TLDs, and 25 times higher than for ccTLDs.

New gTLD Category Reported Abuse Rate Comparisons

When we compare the reported abuse rates for the various categories of new gTLDs, we see a wide range of rates.

  • All: 0.62%
  • Generic Word TLD: 0.68%
  • Brand TLD: 0%
  • Community TLD: 0.07%
  • Geographic TLD: 0.119%
  • Internationalized TLDs: 0.04%

Unsurprisingly, more abuse occurs in the more “open” Generic Word TLDs, which include .top and .xyz as examples. The lower rates of abuse for Community and Geographic TLDs are probably due to the more “closed”, and thus more strictly managed, nature of these new TLD categories. The very low rate for Internationalized TLDs reflects their relatively low usage compared with the rest. Finally, Brand TLDs – which are used directly by brands and not available for public registration – have no detectable abuse due to their closed nature and strict registration policies.

Conclusion

More than a decade after the launch of the new gTLD program, our analysis reveals a clear and persistent pattern: new gTLDs continue to experience significantly higher reported abuse rates than both legacy and country code TLDs. This finding echoes that of multiple studies, such as the European Commission’s Study on Domain Name Abuse (2022) and the DNS Research Federation’s Habits of Excellence study in 2023. While the overall reported abuse rates remain below 1% across all TLD categories, the relative disparity is stark; abuse is over 32 times more prevalent in new gTLDs compared to legacy TLDs, and over 25 times more than in ccTLDs.

Within the new gTLD space, the variance in reported abuse rates by category highlights the importance of TLD management practices and registration models. Generic Word TLDs, largely open and commercially driven, predictably lead in abuse, while more restricted or community-managed spaces like Geographic and Community TLDs show much lower reported abuse rates, and the Brand TLDs have none. 

As ICANN prepares for the next application round in 2026, the findings of this evidence-based analysis are consistent with other studies, and offer the opportunity for the next generation of gTLDs to be shaped not only by innovation but by clear-eyed lessons from the past.
