A new security study has quantified what researchers suspected for years: the vast majority of toll-scam domains—86.9% according to the data—are registered across just five top-level domains with notoriously lax enforcement policies.
The concentration is staggering. Thousands of TLD options exist, yet scammers return repeatedly to the same handful of extensions because they offer the trifecta fraudsters need: cheap bulk registration, minimal identity verification (mostly a registrar function, but one for which the registry's policies set the floor), and slow abuse response times.
The Five TLDs Enabling Fraud
The researchers have not publicly named the five extensions, to avoid handing copycat operations a roadmap, but security professionals familiar with the data point to extensions popular in emerging markets where registry oversight ranges from minimal to nonexistent.
These aren't major commercial TLDs like .com or .net, where registries face reputational pressure and registrar scrutiny. They are niche extensions, often country-code or regional TLDs, where registration volume matters more than vetting and abuse complaints disappear into bureaucratic voids.
The pattern is consistent: scammers register dozens of domains mimicking toll authorities, cycle through them as takedown requests arrive, then register fresh batches in the same TLDs because they know enforcement is theatrical rather than functional.
Why Scammers Cluster Infrastructure
The 86.9% concentration reveals operational logic. Attackers need infrastructure that scales quickly and fails slowly. Registering across hundreds of TLDs would complicate operations—different registrars, varying policies, inconsistent abuse response times.
Clustering in five permissive TLDs streamlines the scam operation. Attackers learn one registry’s quirks, establish relationships with complicit or negligent registrars, and build repeatable processes for rapid domain deployment.
It also suggests coordination. Scammers discovering permissive TLDs independently would be expected to spread across more of them; the tight concentration implies knowledge sharing within fraud networks about which extensions offer the best risk-reward profile for toll scams. The alternative explanation, that everyone converges on the same few registries simply because bulk pricing and weak vetting are easy to find, needs no coordination, but it points to the same enforcement conclusion.
The Registry Accountability Gap
Here's the uncomfortable question: at what point does a registry become complicit? When 86.9% of a specific fraud type concentrates in five TLDs, those registries aren't passive infrastructure. Their inaction is what makes the operation viable.
ICANN's contractual framework addresses registry abuse, but it covers only gTLDs, and enforcement moves glacially: a registry can absorb years of documented violations before facing meaningful consequences. Country-code TLDs, which several of these extensions appear to be, sit largely outside ICANN's contracts and answer to national policy instead, which closes off even that slow route. Meanwhile, thousands of domains cycle through these systems, each one harvesting card data from victims who thought they were paying legitimate toll fees.
What Actually Works
Security researchers argue for real-time pattern recognition at the registry level. When someone registers “PayTollOnlineNow.xyz” alongside 47 similar domains in a 24-hour period, that’s not legitimate business activity—it’s obvious fraud infrastructure.
Even simple rule-based screening can flag these patterns at registration time; machine learning is not a prerequisite. Registries refusing to implement basic screening are making a choice. They are prioritizing registration revenue over user safety, counting on the fact that by the time abuse reports arrive, the scammers have moved on and the registry has already collected its fees.
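To make the "47 similar domains in 24 hours" screening concrete, here is an added example of the registration-burst check a registry could run over its own create feed. It is not code from the study or from any registry; the log format, the registrar IDs, the keyword list, the 24-hour window, the threshold of five and every log line are constructed for illustration. It groups registrations by registrar, keeps only names that contain a toll-related term, and flags any registrar that registers at least five such names within 24 hours.

```python
"""Registration-burst detector: a toy version of the registry-side screening
described in the article.  All sample data below is constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Keyword list is an assumption: a real deployment would use a curated list of
# toll-authority brands plus fuzzy matching, not bare substrings.
TOLL_TERMS = ("toll", "ezpass", "fastrak", "sunpass", "turnpike")
WINDOW = timedelta(hours=24)   # the 24-hour window the article describes
THRESHOLD = 5                  # look-alikes per registrar per window before flagging

# Constructed sample registration feed: "<ISO timestamp> <domain> <registrar-id>"
SAMPLE_LOG = """\
2024-03-01T08:00:00 paytollonlinenow.xyz R-100
2024-03-01T08:00:04 pay-toll-online.xyz R-100
2024-03-01T08:01:10 ezpass-billing.top R-100
2024-03-01T08:02:33 example-bakery.com R-100
2024-03-01T09:15:00 sunpass-invoice.cfd R-100
2024-03-01T11:40:21 turnpike-toll-due.xyz R-100
2024-03-01T23:59:00 fastrak-payment.top R-100
2024-03-02T10:30:00 tollroad-fee.xyz R-100
2024-03-01T12:00:00 my-family-photos.net R-200
2024-03-03T14:00:00 ezpass-support.xyz R-200
2024-03-05T14:00:00 tollpay-help.top R-200
"""


def parse_log(text):
    """Turn feed lines into (timestamp, domain, registrar) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, domain, registrar = line.split()
        events.append((datetime.fromisoformat(ts), domain.lower(), registrar))
    return events


def is_toll_lookalike(domain):
    """True if the registered label (TLD stripped) contains a toll keyword."""
    label = domain.lower().rsplit(".", 1)[0]
    normalized = re.sub(r"[^a-z0-9]", "", label)   # drop hyphens and dots
    return any(term in normalized for term in TOLL_TERMS)


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Per registrar, find runs of toll look-alikes registered within `window`.

    Greedy sweep: anchor at the earliest unconsumed look-alike, extend while
    later ones fall inside the window, emit a burst if the run meets the
    threshold.  Enough to show the idea; not a full clustering algorithm.
    """
    by_registrar = defaultdict(list)
    for ts, domain, registrar in events:
        if is_toll_lookalike(domain):
            by_registrar[registrar].append((ts, domain))

    bursts = []
    for registrar, items in by_registrar.items():
        items.sort()
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            if j - i + 1 >= threshold:
                bursts.append({
                    "registrar": registrar,
                    "start": items[i][0],
                    "end": items[j][0],
                    "domains": [d for _, d in items[i:j + 1]],
                })
                i = j + 1          # consume the whole run
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"{b['registrar']}: {len(b['domains'])} toll look-alikes between "
              f"{b['start']:%Y-%m-%d %H:%M} and {b['end']:%Y-%m-%d %H:%M}")
        for d in b["domains"]:
            print("   ", d)
```

On the constructed feed only registrar R-100 is flagged: six toll look-alikes between 08:00 and 23:59 on 1 March, with the seventh (registered 26.5 hours after the first) left outside the window and the unrelated bakery domain ignored. R-200's two look-alikes, two days apart, stay below the threshold. Bare substring matching on "toll" will produce false positives on ordinary words, which is why a real screen would match against a brand list with edit-distance tolerance and feed the result to a human review queue rather than an automatic block.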
Five TLDs are hosting nearly 87% of toll-scam infrastructure. Those registries know it, ICANN knows it, and security researchers know it. The only question remaining is whether anyone with authority will actually do something about it.