Executive Summary

Over a decade after ICANN’s first new gTLD expansion, abuse rates within these domains remain substantially higher than in legacy and country code TLDs. Using data collected from the Global Signal Exchange over a 90-day period in 2025, this analysis evaluates the prevalence and distribution of DNS abuse across the domain name landscape, highlighting key differences among TLD types and operational models.

While overall abuse rates are still below 1% across all TLD classes, new gTLDs demonstrate abuse rates more than 30 times higher than legacy domains like .com or .net, and more than 25 times higher than country-code TLDs such as .uk or .au. Within the new gTLD ecosystem itself, abuse varies dramatically by category, with open, commercially driven Generic Word TLDs exhibiting the highest rates and more controlled spaces like Community, Geographic, and Internationalized TLDs reporting significantly lower levels of abuse.

As the ICANN community prepares for the next gTLD application window in 2026, these findings offer insights into which TLD models foster safer namespaces and which may require stronger oversight, policy safeguards, and technical controls.

Introduction

More than a decade has passed since ICANN launched its ambitious new gTLD program, introducing hundreds of new top-level domains into the global DNS. As the community looks ahead to the next application round, currently targeted for April 2026, it is critical to take stock of the first round of new gTLDs and evaluate how well they’ve lived up to expectations. 

One area of particular concern is DNS abuse. While abuse occurs across all corners of the domain name space, new gTLDs have often been flagged for higher rates of malicious activity. With over a thousand new TLDs now in operation, a decade of operational data offers an opportunity to take a more structured look at abuse patterns across different kinds of TLDs.

This article seeks to answer two basic questions:

1. How do abuse rates in new gTLDs compare to those in legacy and country code TLDs (ccTLDs)?
   
2. Within the new gTLDs, how do abuse rates vary across different categories (e.g., Brand, Generic, Geographic, Community, and Internationalized TLDs)?

To explore these questions, we analyzed recent signal data from the Global Signal Exchange, a collaborative platform that aggregates and validates abuse indicators from across the DNS ecosystem. By combining this signal intelligence with domain registration data, we were able to calculate relative abuse rates and uncover patterns that can inform both policy and operational decisions for the upcoming round.

Methodology

The methodology used to calculate abuse rates is similar to the methodology used in past articles; however, we use an expanded data set of abuse signal data available to us via the Global Signal Exchange. 

• Timeframe: Data included in this analysis includes signals obtained over 90 days from March 20 to June 20, 2025
• Abuse Types: Signals associated with the following abuse types are included: Scam, Phishing, Malware, Trademark, Fraud, Impersonation, Piracy, and Exploit.  
• Abuse Rate: The abuse rate is calculated by dividing the total number of registered domains (obtained using DomainTools counts) in the TLD by the total number of unique abusive domains found.  

Each new gTLD was manually classified into one or more of the following categories, based on ICANN designation, registry marketing, and usage context:

• Brand TLDs (e.g., .google, .bmw) – 465 total
• Generic Word TLDs (e.g., .top, .xyz) – 535 total
• Geographic TLDs (e.g., .berlin, .nyc) – 125 total
• Community TLDs (e.g., .cat, .gay) – 50 total
• Internationalized Domain Name (IDN) TLDs (e.g., .онлайн, .中国) – 151 total

TLDs may fall into multiple categories (e.g., some IDNs are also brands), but the primary classification was used for analysis.

Findings

Top-Level Domain Abuse Rate Comparisons

The first question we wanted to answer was how abuse rates in the new gTLDs compare with abuse rates in both legacy and country code TLDs. Using the methodology described above, we found the abuse rates as follows.   

• Legacy TLDs: .019%
• ccTLDs: .024%
• New gTLDs: .622%

While the average rate for these TLD groups is all under 1%, it is significant that the abuse rate for New gTLDs is 32 times higher than Legacy TLDs, and 25 times higher than ccTLDs.  

New gTLD Category Abuse Rate Comparisons

When we compare the abuse rates for the various categories of new gTLDs, we see a wide range of rates.  

• All: .622%
• Generic Word TLD: .693%
• Brand TLD: .641%
• Community TLD: .102%
• Geographic TLD: .095%
• Internationized TLDs: .049%

Unsurprisingly, more abuse occurs in the more “open” Generic Word TLDs, which include .top and .xyz as examples. The lower rates of abuse for Community and Geographis TLDs are probably due to the more “closed”, and thus more strictly managed, nature of these new TLD categories. Finally, the very low rate for Internationalized TLD reflects their relatively low usage compared with the test.  

League Tables - Most and Least Abused 

Legacy TLDs

Most Abused

1. .pro .89%
2. .info .27%
3. .com .23%
4. .biz .19%
5. .net .15%

Least Abused

1. .name 03%
2. .gov .04%
3. .aero .04%
4. .coop .05%
5. .edu .06%

Country Code TLDs

Most Abused

1. .ms 5.85%
2. .gd 5.69%
3. .io 3.55%
4. .ly 2.16%
5. .gg 1.56%

Least Abused

1. .ar .01%
2. .au .01%
3. .za .01%
4. .tr .01%
5. .uk .01%

New gTLDs

Most Abused

1. .xin 42.49%
2. .win 33.83%
3. .mom 14.26%
4. .luxe 10.07%
5. .claims 9.37%

Least Abused

1. .locker 0%
2. .pф 0%
3. .xxx 0%
4. .swiss 0%
5. .school 0%

Policy Recommendations

Based on the observed disparities in DNS abuse across TLD categories, the following recommendations aim to guide policy, operational standards, and application processes in advance of ICANN’s next round of new gTLDs in 2026:

1. Apply Stricter Baseline Requirements for Open TLDs

New gTLDs operating under open registration models (particularly Generic Word TLDs) should be subject to enhanced DNS abuse mitigation obligations, including:

• Mandatory adoption of DNS Abuse Framework best practices
• Real-time threat intelligence integration
  Clear thresholds for abuse rates, triggering required remediation actions

2. Increase Transparency and Accountability for Registry Operators

Require all new gTLD applicants to:

• Publish clear abuse handling policies and escalation procedures
• Provide regular public reporting on abuse rates and mitigation actions
• Disclose partnerships with backend operators or security providers

Registries with historically high abuse rates (e.g., .win, .xin) should be subject to enhanced monitoring and possible conditional renewal terms.

3. Investigate Brand TLD Abuse Patterns

The unexpectedly high abuse rate among Brand TLDs suggests misuse that warrants deeper analysis. ICANN and registry stakeholders should:

• Examine whether abuse is due to spoofing (e.g., homograph attacks) outside of the TLD zone
• Assess the effectiveness of defensive registration and enforcement mechanisms
• Revisit security requirements for Brand TLD registries, even if closed-use

4. Incentivize and Reward Low-Abuse Operational Models

Promote Community, Geographic, and Internationalized TLDs with strong track records of abuse prevention by:

• Offering streamlined compliance audits
• Prioritizing these models for programmatic support or technical grant opportunities
• Highlighting best-in-class practices in ICANN public forums

5. Strengthen Application Review Criteria for 2026

Revise the Applicant Guidebook to include:

• Risk-based assessment of TLD string type and intended registration model
• Mandatory commitments to abuse mitigation plans
• Review of abuse history from previous rounds when evaluating registry operators’ fitness

6. Expand Data Sharing and Ecosystem-Wide Signal Intelligence

Encourage broader adoption and integration of platforms like the Global Signal Exchange across registries and registrars to:

• Improve early detection and containment of abuse
• Facilitate cross-TLD abuse pattern recognition
• Promote shared accountability through community-driven signal validation

Conclusion

More than a decade after the launch of the new gTLD program, our analysis reveals a clear and persistent pattern: new gTLDs continue to experience significantly higher abuse rates than both legacy and country code TLDs. While the overall abuse rates remain below 1% across all TLD categories, the relative disparity is stark; abuse is over 30 times more prevalent in new gTLDs compared to legacy TLDs, and over 25 times more than in ccTLDs.

Within the new gTLD space, the variance in abuse rates by category highlights the importance of TLD management practices and registration models. Generic Word TLDs, largely open and commercially driven, predictably lead in abuse, while more restricted or community-managed spaces like Geographic and Community TLDs show much lower abuse rates. 

As ICANN prepares for the next application round in 2026, these findings underscore the need for stronger baseline safeguards, greater accountability mechanisms, and clearer guidance on operational best practices, especially for open or unrestricted TLD models. Informed by a decade of operational data, the next generation of gTLDs must be shaped not only by innovation but by clear-eyed lessons from the past.