Not all domain extensions carry equal risk. Some TLDs are dominated by legitimate commerce and communication. Others have become reliable infrastructure for phishing campaigns, malware distribution, and scam operations — so reliably that blocking them by namespace is a defensible, low-false-positive security decision for most organizations.

 

alphaMountain analyzed domain risk ratings across our full dataset as of May 15, 2026. Every domain carries a risk rating on a 1.00–10.00 scale, updated hourly by our continuously-trained AI engine. For this analysis, a domain is classified as risky if it scores 7.00 or above. We then calculated the risky fraction — risky domains divided by total domains — for every TLD and ccTLD in the dataset with at least 5,000 observed domains.
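The calculation described above, as an added Python sketch; it is not alphaMountain's code, and the sample ratings are constructed. The 7.00 cut-off and the 5,000-domain minimum come from the article, as do the published counts used to re-check four of the percentages below.

```python
from collections import defaultdict

RISKY_THRESHOLD = 7.00  # article: a rating of 7.00 or above counts as risky
MIN_DOMAINS = 5000      # article: a namespace needs at least 5,000 observed domains

def normalize(domain):
    """Lowercase and drop the trailing root dot so each domain counts once."""
    return domain.strip().rstrip(".").lower()

def risky_fractions(ratings, min_domains=MIN_DOMAINS, threshold=RISKY_THRESHOLD):
    """ratings: iterable of (domain, score on the 1.00-10.00 scale).
    Returns (tld, risky, total, fraction) rows, highest fraction first."""
    total, risky, seen = defaultdict(int), defaultdict(int), set()
    for domain, score in ratings:
        name = normalize(domain)
        if not name or name in seen:
            continue                   # skip blanks and duplicate observations
        seen.add(name)
        tld = name.rsplit(".", 1)[-1]  # last label: "xin", "cc", ...
        total[tld] += 1
        if score >= threshold:         # 7.00 itself is risky
            risky[tld] += 1
    rows = [(t, risky[t], n, risky[t] / n)
            for t, n in total.items() if n >= min_domains]
    return sorted(rows, key=lambda r: r[3], reverse=True)

def percent(risky, total):
    """Risky fraction as a percentage with one decimal, as quoted in the list."""
    return round(100 * risky / total, 1)

# Constructed sample ratings (not alphaMountain data).
SAMPLE = [("a.xin", 9.10), ("b.xin", 7.00), ("c.xin", 6.99), ("A.XIN.", 9.10),
          ("x.com", 1.20), ("y.com", 8.00), ("z.com", 2.00), ("w.com", 3.00),
          ("lone.beer", 9.90)]

# (risky, total) counts as published in this article.
PUBLISHED = {"xin": (82955, 97514), "bond": (721897, 884679),
             "rip": (16726, 24936), "beer": (16593, 27897)}

if __name__ == "__main__":
    # min_domains is lowered only so the tiny constructed sample produces rows.
    for tld, r, n, frac in risky_fractions(SAMPLE, min_domains=3):
        print(f".{tld}: {r}/{n} = {frac:.1%}")
    for tld, (r, n) in PUBLISHED.items():
        print(f".{tld}: {percent(r, n)}% risky")
```

The minimum-volume filter matters: in the sample, the single `.beer` domain would otherwise rank first at 100% on one observation.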

 

What follows are the 10 TLDs and ccTLDs with the highest percentage of risky domains. This isn’t about which namespaces have the most malicious domains in absolute terms (that’s a different list, led by .xyz with 6 million). This is about which namespaces are most thoroughly compromised — where the majority of registrations, not just a slice, are malicious or high-risk.

 

The full report lists over 100 TLDs sorted by risk, with blocklist configurations for Palo Alto Networks, Cisco Umbrella and Fortinet.

 

The Top 10 Riskiest Top Level Domains

 

1. .xin — 85.1% risky

A Chinese-market gTLD meaning “heart” or “new.” With 82,955 risky domains out of 97,514 total, .xin is one of the most thoroughly abused gTLDs in our dataset. Nearly 85% of domains in this namespace are classified as risky — making it a clear blocking candidate for any organization without specific China-market business requirements.

 

2. .bond — 81.6% risky

The volume story of this report. .bond has 884,679 domains in our dataset — nearly 900,000 registrations — of which 721,897 are risky. That’s an extraordinary scale of abuse for a single gTLD. .bond consistently appears in threat intelligence research as a preferred namespace for phishing infrastructure. At 81.6% risky across a dataset this large, the signal is unambiguous.

 

3. .buzz — 77.3% risky

Over 1.4 million risky domains out of 1.86 million total. .buzz has become heavily exploited for spam, phishing, and scam campaigns at scale. The combination of high volume and a 77% risky rate makes this one of the highest-confidence namespace blocks in the dataset.

 

4. .sbs — 71.9% risky

A gTLD with over 500,000 domains, 71.9% of them risky. Originally marketed to the broadcast and media industry, .sbs has seen significant abuse — particularly phishing pages targeting financial services and e-commerce. The brand premise never took hold; the abuse did.

 

5. .qpon — 71.7% risky

A coupon-themed gTLD where 71.7% of observed domains are risky. The theme is consistent with the abuse pattern: fraudulent discount schemes, fake coupon sites, and credential-harvesting pages designed to look like legitimate retail offers.

[Chart: the 10 riskiest TLDs, sorted from most to least risky]

6. .cc — 69.2% risky

The Cocos (Keeling) Islands ccTLD, long repurposed as an alternative to generic TLDs. With 3.38 million total domains and 2.34 million classified as risky, .cc is one of the largest-volume high-risk namespaces in the dataset. Its history as a cheap, low-friction registration option has made it a persistent favorite for malicious actors.

 

7. .mov — 69.0% risky

Google’s .mov gTLD — named after the video file extension — has achieved notoriety for abuse disproportionate to its size. With 69% of 13,169 domains risky, .mov is frequently used in phishing lures that exploit the file-extension association: a link to invoice.mov or receipt.mov looks like media, not malware infrastructure.

 

8. .rip — 67.1% risky

With 16,726 of 24,936 domains classified as risky, .rip is a consistently abused gTLD. Its low cost and connotations of finality map well onto urgency-driven phishing lures. The 67% rate across nearly 25,000 domains makes it a straightforward blocking candidate.

 

9. .zip — 61.8% risky

Another file-extension gTLD from Google, and another abuse story. .zip carries a 61.8% risky rate across 78,033 domains. Social engineering via file-extension-lookalike domains — payslip.zip, update.zip, contract.zip — is an established phishing technique, and this namespace has become a reliable home for it. Nearly two in three .zip domains in our dataset are classified as risky.

 

10. .beer — 59.5% risky

A novelty gTLD where nearly 60% of observed domains are risky. The low cost and informal character have made .beer attractive for spam and phishing operators who benefit from the non-corporate appearance. 16,593 of 27,897 domains are classified as risky — making it a clear block despite the benign-sounding name.

 

What the numbers mean for your security policy

 

A risky fraction above 50% means the majority of a namespace’s registrations are malicious or high-risk. Seven of the ten TLDs above cross that threshold. For those namespaces, blocking by TLD isn’t an aggressive move — it’s a statistically justified default.

 

For context: legitimate TLDs like .com carry risky fractions well below 10%. The gap between a healthy namespace and the ones above isn’t marginal. It’s the difference between normal signal noise and systematic abuse.

 

These ten TLDs are a starting point, not a complete list. Our full 2026 dataset covers 126 namespaces above the 15% risky threshold — including high-volume gTLDs like .xyz (54.9% risky, 11 million domains), .top (53.6%), and .shop (32.6%), plus a set of ccTLDs that often escape scrutiny in default security policies.
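Before enforcing a namespace block, it helps to measure what your own users already resolve in these ten TLDs. The Python sketch below is an added example, not part of the alphaMountain report; the log format and every log line are constructed, and the function name is hypothetical.

```python
from collections import Counter, defaultdict

# The ten namespaces ranked in this article.
BLOCKED_TLDS = {"xin", "bond", "buzz", "sbs", "qpon",
                "cc", "mov", "rip", "zip", "beer"}

# Constructed sample; assumed format "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2026-05-15T09:00:01Z 10.0.0.12 payslip.zip.
2026-05-15T09:00:04Z 10.0.0.12 www.example.com.
2026-05-15T09:00:09Z 10.0.0.31 Invoice.MOV
2026-05-15T09:00:15Z 10.0.0.31 zip.example.org.
2026-05-15T09:00:20Z 10.0.0.44 cdn.supplier-example.cc.
2026-05-15T09:00:21Z 10.0.0.44 cdn.supplier-example.cc.
malformed line
"""

def audit_tld_hits(log_text, blocked=BLOCKED_TLDS):
    """Summarize queries whose final label is in `blocked`.

    Matching is on the last DNS label only, so "zip.example.org" is not a
    hit while "payslip.zip" is. Case and a trailing root dot are ignored.
    """
    queries = Counter()
    names, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip lines that do not parse
        _, client, qname = parts
        name = qname.rstrip(".").lower()
        if "." not in name:
            continue                      # bare label, not a registered domain
        tld = name.rsplit(".", 1)[-1]
        if tld in blocked:
            queries[tld] += 1
            names[tld].add(name)
            clients[tld].add(client)
    return {t: {"queries": queries[t],
                "names": sorted(names[t]),
                "clients": sorted(clients[t])} for t in queries}

if __name__ == "__main__":
    for tld, info in sorted(audit_tld_hits(SAMPLE_LOG).items()):
        print(f".{tld}: {info['queries']} queries, "
              f"names={info['names']}, clients={info['clients']}")
```

Names that turn up repeatedly from known business systems are candidates for an allowlist entry ahead of the block; one-off hits are worth checking against a reputation source first.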

 

The full report includes the complete ranked table, methodology details, and step-by-step blocking configuration instructions for Palo Alto Networks, Fortinet FortiGate, and Cisco Umbrella.

 


 

Download the full 2026 Domain Threat Report →

 

Want to investigate any of these domains in your environment? threatYeti.com is free — enter any domain or IP and get a real-time intelligence picture: risk rating, threat categories, passive DNS history, WHOIS, and more.

 

For API access or to integrate alphaMountain’s domain and IP intelligence into your security stack: [email protected]