{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T08:38:14Z","timestamp":1768379894120,"version":"3.49.0"},"reference-count":45,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T00:00:00Z","timestamp":1768348800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T00:00:00Z","timestamp":1768348800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100012165","name":"Key Technologies Research and Development Program","doi-asserted-by":"publisher","award":["2022YFB3102902"],"award-info":[{"award-number":["2022YFB3102902"]}],"id":[{"id":"10.13039\/501100012165","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"Abstract<\/jats:title>\n Illicit website represents a significant challenge on the Internet. Miscreants exploit the inherent flexibility and invisibility of the Internet to promote illicit activities, particularly online gambling and pornography, intending to generate substantial profits. Previous studies have primarily focused on illicit website detection techniques and analyzed illicit activities using passive datasets. However, constrained by the limitations of passive dataset perspectives, the security community lacks a global understanding of illicit website deployment and operational behavior patterns, particularly during the early stages of website activation. In this paper, we conduct an in-depth analysis of the activities of illicit websites through the advantageous lens of newly registered domains (NRDs). The NRD dataset\u2019s key strength is its broad coverage of emerging illicit activities during observation, complementing previous studies. Specifically, we designed and implemented a framework, NRDMiner, for tracking and analyzing illicit activities associated with large-scale NRDs. This framework supports long-term monitoring of vast quantities of domains and enables accurate identification of illicit websites. Over a 133-day period (July 1\u2013Nov 10, 2024), we collected 27,623,326 NRDs across 481 top-level domains (e.g., and ), and identified 910,794 abusive domains. Our analysis highlights several important patterns. First, illicit activity shows a consistent and steady pattern, with an average of 3.3% of NRDs flagged for illicit website. Moreover, 98% of these domains are first-time registrations. Second, 60% of abusive domains are activated on the same day they are registered, indicating mature automated domain abuse techniques. Third, from a global NRD perspective, we observed regional tendencies in illicit activities, like Asia identified as the primary concentration area, with over 70% of illicit website pages being in Asian languages. Furthermore, we analyzed the deployment and operation of illicit websites. Our work provides a large-scale empirical study of the early-stage activities of illicit websites from the perspective of NRDs, offering valuable evidence that contribute to the timely mitigation of illicit activities.<\/jats:p>","DOI":"10.1186\/s42400-025-00523-w","type":"journal-article","created":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T03:58:29Z","timestamp":1768363109000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Darkness at dawn: understanding illicit websites in newly registered domain names"],"prefix":"10.1186","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1166-2830","authenticated-orcid":false,"given":"Bingyang","family":"Guo","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yunyi","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fan","family":"Shi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Min","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pengfei","family":"Xue","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chengxi","family":"Xu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yi","family":"Shen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Miao","family":"Hu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2026,1,14]]},"reference":[{"key":"523_CR1","doi-asserted-by":"crossref","unstructured":"Agten P, Joosen W, Piessens F, et al (2015) Seven months\u2019 worth of mistakes: a longitudinal study of typosquatting abuse. In: Proceedings of the 22nd network and distributed system security symposium (NDSS 2015). Internet Society","DOI":"10.14722\/ndss.2015.23058"},{"key":"523_CR2","unstructured":"AIWEN TECH (2024) Ipgeodb. https:\/\/www.ipplus360.com\/"},{"key":"523_CR3","unstructured":"Alibaba Cloud (2025a) Alibaba cloud content security policy: building a trustworthy cyberspace safeguard. https:\/\/www.ddos.com.cn\/help\/28506.html"},{"key":"523_CR4","unstructured":"Alibaba Cloud (2025b) Alibaba cloud content security policy: safeguarding cybersecurity in the digital ecosystem. https:\/\/www.ddos.com.cn\/help\/24360.html"},{"key":"523_CR5","doi-asserted-by":"crossref","unstructured":"Alowaisheq E, Wang P, Alrwais SA, et al (2019) Cracking the wall of confinement: understanding and analyzing malicious domain take-downs. In: 26th Annual network and distributed system security symposium, NDSS 2019, San Diego, California, USA, 24-27 Febr 2019. The Internet Society, rate: 4","DOI":"10.14722\/ndss.2019.23243"},{"key":"523_CR6","doi-asserted-by":"crossref","unstructured":"Alqadhi M, Alkinoon M, Lin J, et\u00a0al (2023) Entangled clouds: measuring the hosting infrastructure of the free contents web. In: Regazzoni F, Fournaris AP (eds) Proceedings of the 2023 on cloud computing security workshop, CCSW 2023, ACM, Copenhagen, Denmark, 26 Novemb 2023, p 75\u201387","DOI":"10.1145\/3605763.3625274"},{"key":"523_CR7","unstructured":"Alrwais SA, Yuan K, Alowaisheq E, et\u00a0al (2014) Understanding the dark side of domain parking. In: Fu K, Jung J (eds) Proceedings of the 23rd USENIX security symposium, USENIX Association, San Diego, CA, USA, 20-22 August 2014, p 207\u2013222, rate: 3"},{"key":"523_CR8","unstructured":"Bilge L, Kirda E, Kruegel C, et al (2011) EXPOSURE: finding malicious domains using passive DNS analysis. In: Proceedings of the network and distributed system security symposium, NDSS 2011, San Diego, California, USA, 6th February - 9th February 2011. The Internet Society"},{"issue":"14","key":"523_CR9","doi-asserted-by":"publisher","first-page":"3989","DOI":"10.3390\/s20143989","volume":"20","author":"Y Chen","year":"2020","unstructured":"Chen Y, Zheng R, Zhou A et al (2020) Automatic detection of pornographic and gambling websites based on visual and textual content using a decision mechanism. Sensors 20(14):3989","journal-title":"Sensors"},{"key":"523_CR10","doi-asserted-by":"crossref","unstructured":"Gao Y, Wang H, Li L, et al (2021) Demystifying illegal mobile gambling apps. In: Leskovec J, Grobelnik M, Najork M, et\u00a0al (eds) WWW \u201921: The web conference 2021, Virtual event \/ Ljubljana, Slovenia, 19-23 April 2021. ACM \/ IW3C2, p 1447\u20131458","DOI":"10.1145\/3442381.3449932"},{"key":"523_CR11","unstructured":"greenSec GmbH (2025) ntldstats - new gtld statistics. https:\/\/www.ntldstats.com\/tld"},{"key":"523_CR12","doi-asserted-by":"crossref","unstructured":"Halvorson T, Der MF, Foster ID, et al (2015) From .academy to .zone: An Analysis of the New TLD Land Rush. In: Cho K, Fukuda K, Pai VS, et\u00a0al (eds) Proceedings of the 2015 ACM Internet measurement conference, IMC 2015, ACM, Tokyo, Japan, 28-30 Oct 2015, p 381\u2013394, rate: 3","DOI":"10.1145\/2815675.2815696"},{"key":"523_CR13","doi-asserted-by":"crossref","unstructured":"Han C, Kumar D, Durumeric Z (2022) On the infrastructure providers that support misinformation websites. In: Budak C, Cha M, Quercia D (eds) Proceedings of the sixteenth international AAAI conference on web and social media, ICWSM 2022, Atlanta, Georgia, USA, 6-9 June 2022. AAAI Press, p 287\u2013298","DOI":"10.1609\/icwsm.v16i1.19292"},{"key":"523_CR14","doi-asserted-by":"crossref","unstructured":"Han Y, Wang S, Li Y, et al (2023) Measurement of illegal android gambling app ecosystem from joint promotion perspective. In: 2023 IEEE 10th International conference on data science and advanced analytics (DSAA), p 1\u201311","DOI":"10.1109\/DSAA60987.2023.10302499"},{"key":"523_CR15","doi-asserted-by":"crossref","unstructured":"Hao S, Feamster N, Pandrangi R (2011) Monitoring the initial DNS behavior of malicious domains. In: Thiran P, Willinger W (eds) Proceedings of the 11th ACM SIGCOMM internet measurement conference, IMC \u201911, ACM, Berlin, Germany, 2 Novemb 2011, p 269\u2013278","DOI":"10.1145\/2068816.2068842"},{"key":"523_CR16","doi-asserted-by":"crossref","unstructured":"Hao S, Thomas M, Paxson V, et al (2013) Understanding the domain registration behavior of spammers. In: Papagiannaki K, Gummadi PK, Partridge C (eds) Proceedings of the 2013 internet measurement conference, IMC 2013, ACM, Barcelona, Spain, 23-25 Oct 2013, p 63\u201376, rate: 3","DOI":"10.1145\/2504730.2504753"},{"key":"523_CR17","doi-asserted-by":"crossref","unstructured":"Hao S, Kantchelian A, Miller B, et al (2016) PREDATOR: Proactive recognition and elimination of domain abuse at time-of-registration. In: Weippl ER, Katzenbeisser S, Kruegel C, et\u00a0al (eds) Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, ACM, Vienna, Austria, 24-28 Oct 2016, p 1568\u20131579, rate: 4","DOI":"10.1145\/2976749.2978317"},{"key":"523_CR18","doi-asserted-by":"crossref","unstructured":"Hong G, Yang Z, Yang S, et al (2022) Analyzing ground-truth data of mobile gambling scams. In: 43rd IEEE Symposium on security and privacy, SP 2022, San Francisco, CA, USA, 22-26 May 2022. IEEE, p 2176\u20132193","DOI":"10.1109\/SP46214.2022.9833665"},{"key":"523_CR19","unstructured":"IANA(Internet Assigned Numbers Authority) (2024) Registrar ids. https:\/\/www.iana.org\/assignments\/registrar-ids\/registrar-ids.xhtml"},{"key":"523_CR20","unstructured":"ICANN (2021) Domain abuse activity reporting (daar). https:\/\/www.icann.org\/octo-ssr\/daar"},{"key":"523_CR21","unstructured":"ICANN (2024) Centralized zone data service (czds). https:\/\/czds.icann.org\/home"},{"key":"523_CR22","unstructured":"ICANN (2025) Icann domain metrica: a measurement platform. https:\/\/www.icann.org\/octo-ssr\/metrica-en"},{"key":"523_CR23","unstructured":"IMGL (2024) Size matters: quantifying the illegal us online gambling market. https:\/\/www.imgl.org\/publications\/imgl-magazine-volume-3-no-1\/size-matters-quantifying-the-illegal-us-online-gambling-market\/"},{"key":"523_CR24","doi-asserted-by":"crossref","unstructured":"Izhikevich L, Akiwate G, Berger B, et al (2022) ZDNS: a fast DNS toolkit for internet measurement. In: Barakat C, Pelsser C, Benson TA, et\u00a0al (eds) Proceedings of the 22nd ACM internet measurement conference, IMC 2022, ACM, Nice, France, 25-27 Oct 2022 , p 33\u201343","DOI":"10.1145\/3517745.3561434"},{"key":"523_CR25","doi-asserted-by":"crossref","unstructured":"Kharraz A, Robertson WK, Kirda E (2018) Surveylance: automatically detecting online survey scams. 2018 IEEE symposium on security and privacy, SP 2018, Proceedings, 21\u201323 May 2018. USA. IEEE Computer Society, San Francisco, California, p 70\u201386","DOI":"10.1109\/SP.2018.00044"},{"key":"523_CR26","unstructured":"Kojima T, Gu SS, Reid M, et al (2022) Large language models are zero-shot reasoners. In: Koyejo S, Mohamed S, Agarwal A, et\u00a0al (eds) Advances in neural information processing systems 35: Annual conference on neural information processing systems 2022, NeurIPS 2022, New Orleans, LA, USA, November 28\u2013December 9, 2022"},{"key":"523_CR27","doi-asserted-by":"crossref","unstructured":"Korczynski M, Wullink M, Tajalizadehkhoob S, et al (2018) Cybercrime after the sunrise: a statistical analysis of dns abuse in new gtlds. In: Kim J, Ahn GJ, Kim S, et\u00a0al (eds) AsiaCCS. ACM, p 609\u2013623","DOI":"10.1145\/3196494.3196548"},{"key":"523_CR28","unstructured":"Lauinger T, Chaabane A, Buyukkayhan AS, et al (2017) Game of registrars: an empirical analysis of post-expiration domain name takeovers. In: 26th USENIX security symposium, USENIX Security 2017, Vancouver, BC, Canada, 16-18 August 2017, p 865\u2013880"},{"key":"523_CR29","doi-asserted-by":"crossref","unstructured":"Lever C, Walls R, Nadji Y, et al (2016) Domain-Z: 28 Registrations later measuring the exploitation of residual trust in domains. In: 2016 IEEE symposium on security and privacy (SP) null:691\u2013706","DOI":"10.1109\/SP.2016.47"},{"key":"523_CR30","unstructured":"Linder J (2025) Porn usage statistics. https:\/\/gitnux.org\/porn-usage-statistics\/"},{"key":"523_CR31","unstructured":"Lui M, Baldwin T (2012) langid.py: an off-the-shelf language identification tool. In: Meeting of the association for computational linguistics"},{"key":"523_CR32","volume":"1","author":"M Min","year":"2022","unstructured":"Min M, Lee JJ, Lee K (2022) Detecting illegal online gambling (iog) services in the mobile environment. Secur Commun Netw 1:3286623","journal-title":"Secur Commun Netw"},{"key":"523_CR33","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2021.107909","volume":"189","author":"A Morichetta","year":"2021","unstructured":"Morichetta A, Trevisan M, Vassio L et al (2021) Understanding web pornography usage from traffic analysis. Comput Netw 189:107909","journal-title":"Comput Netw"},{"key":"523_CR34","doi-asserted-by":"crossref","unstructured":"Portnoff RS, Afroz S, Durrett G, et al (2017) Tools for automated analysis of cybercriminal markets. In: Barrett R, Cummings R, Agichtein E, et al (eds) Proceedings of the 26th International conference on world wide web, WWW 2017, ACM, Perth, Australia, 3\u20137 April 2017, p 657\u2013666","DOI":"10.1145\/3038912.3052600"},{"key":"523_CR35","unstructured":"Stat DN (2025) New generic tlds statistics. https:\/\/domainnamestat.com\/statistics\/tldtype\/new"},{"key":"523_CR36","doi-asserted-by":"publisher","DOI":"10.1109\/TCSS.2024.3406501","author":"G Stechschulte","year":"2024","unstructured":"Stechschulte G, Wintner M, Hemmje M et al (2024) In-database feature extraction to improve early detection of problematic online gambling behavior. IEEE Trans Comput Social Syst. https:\/\/doi.org\/10.1109\/TCSS.2024.3406501","journal-title":"IEEE Trans Comput Social Syst"},{"key":"523_CR37","unstructured":"Tongyi AC (2025) Qianwen. https:\/\/www.tongyi.com\/qianwen\/"},{"key":"523_CR38","doi-asserted-by":"crossref","unstructured":"Vallina P, Feal \u00c1, Gamba J, et al (2019) Tales from the porn: A comprehensive privacy analysis of the web porn ecosystem. In: Proceedings of the internet measurement conference, p 245\u2013258","DOI":"10.1145\/3355369.3355583"},{"issue":"16","key":"523_CR39","doi-asserted-by":"publisher","first-page":"2489","DOI":"10.3390\/electronics11162489","volume":"11","author":"C Wang","year":"2022","unstructured":"Wang C, Zhang M, Shi F et al (2022) A hybrid multimodal data fusion-based method for identifying gambling websites. Electronics 11(16):2489","journal-title":"Electronics"},{"key":"#cr-split#-523_CR40.1","doi-asserted-by":"crossref","unstructured":"Yang H, Du K, Zhang Y, et al (2019) Casino royale: a deep exploration of illegal online gambling. In: Balenson DM","DOI":"10.1145\/3359789.3359817"},{"key":"#cr-split#-523_CR40.2","unstructured":"(ed) Proceedings of the 35th annual computer security applications conference, ACSAC 2019, ACM, San Juan, PR, USA, 09-13 Dec 2019, pp 500-513"},{"key":"523_CR41","unstructured":"Yang R, Wang X, Chi C, et al (2021) Scalable detection of promotional website defacements in black hat SEO campaigns. In: Bailey MD, Greenstadt R (eds) 30th USENIX security symposium, USENIX Security 2021, 11-13 August 2021. USENIX Association, p 3703\u20133720"},{"key":"523_CR42","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2021.107296","volume":"228","author":"J Zhao","year":"2021","unstructured":"Zhao J, Shao M, Peng H et al (2021) Porn2vec: a robust framework for detecting pornographic websites based on contrastive learning. Knowl Based Syst 228:107296","journal-title":"Knowl Based Syst"},{"key":"523_CR43","doi-asserted-by":"crossref","unstructured":"Zhao R (2023) The chameleon on the web: an empirical study of the insidious proactive web defacements. In: Ding Y, Tang J, Sequeda JF, et\u00a0al (eds) Proceedings of the ACM web conference 2023, WWW 2023, Austin, TX, USA, 30 April 2023\u20134 May 2023. ACM, p 2241\u20132251","DOI":"10.1145\/3543507.3583377"},{"key":"523_CR44","unstructured":"Zmap (2024) Zgrab2: Fast application scanner. https:\/\/github.com\/zmap\/zgrab2"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00523-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-025-00523-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00523-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T03:58:43Z","timestamp":1768363123000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-025-00523-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,14]]},"references-count":45,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["523"],"URL":"https:\/\/doi.org\/10.1186\/s42400-025-00523-w","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,14]]},"assertion":[{"value":"28 July 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 November 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"14 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The purpose of this work is to analyze the early-stage characteristics of illicit websites in order to support efforts against illicit activities. All potentially harmful content in this study was stored on dedicated servers with restricted access. The dataset was collected and maintained solely for academic research purposes. It will not be made directly available to the public, and any external request must strictly comply with both ethical standards and legal requirements.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"The authors declare that they have no competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"101"}}