Domain Registrars Powering Russian Disinformation: A Deep Dive into Tactics and Trends

In the digital battlefield of influence operations, domain registrations serve as the foundation for launching disinformation campaigns. Russian state-sponsored actors, such as APT28 (Fancy Bear), APT29 (Cozy Bear), and the Internet Research Agency (IRA), have long relied on strategic domain registrations to impersonate trusted entities, spread propaganda, and conduct cyber-enabled espionage.

Despite efforts to curb the abuse of domain registration services, Russian-aligned threat actors continue to exploit specific registrars, hosting providers, and domain obfuscation techniques to evade detection. This analysis explores historical data, cybersecurity reports, and real-world case studies to uncover the domain registrars favored by Russian disinformation operations and the tactics that make their campaigns so effective.

How Russian Disinformation Actors Use Domains

Disguising Disinformation with Fake News Websites

A core strategy of Russian influence operations is the creation of fake news portals that mimic legitimate media organizations. These sites publish pro-Kremlin narratives, fabricated stories, and distorted news articles, often in multiple languages to target diverse audiences.

Example:

• A 2022 Microsoft report detailed how SEABORGIUM, a Russian state-sponsored group, registered domains mimicking major Western think tanks and media outlets, such as:
  • bloomberg-us[.]com (mimicking Bloomberg)
  • bbcnews[.]site (spoofing BBC News)
  • nato-int[.]org (targeting NATO)

Typosquatting and Homoglyph Attacks

To enhance credibility and fool unsuspecting users, Russian actors frequently engage in typosquatting (registering domains with minor spelling variations) and homoglyph attacks (substituting characters with lookalikes).

Example:

• APT28 (Fancy Bear) used domains like:
  • dnc-email[.]org instead of dnc.org (2016 U.S. election hack)
  • o365-portal[.]net mimicking Microsoft’s login page

Bulletproof Hosting & Fast Flux Networks

Domain registrations alone are not enough—where a website is hosted matters just as much. Russian influence operators often leverage bulletproof hosting providers in Russia, Moldova, and the Netherlands that turn a blind eye to takedown requests.

Fast Flux techniques (where domain IPs frequently change) further complicate tracking efforts, making it difficult for security teams to take down malicious infrastructure.

Which Domain Registrars Do Russian Disinformation Actors Prefer?

Cyber threat intelligence reports from Mandiant, Recorded Future, Microsoft, Graphika, and Spamhaus reveal a pattern of Russian threat actors registering domains with registrars that offer low-cost, privacy-protected, and anonymous domain services.

Commonly Used Registrars

Registrar	Why It’s Used	Examples of Use in Disinformation Ops
Namecheap	Affordable, easy to register anonymously	IRA-linked domains used in 2016 U.S. election meddling
Reg.ru (Russia)	Domestic registrar, less likely to comply with Western takedowns	Used in pro-Kremlin media campaigns
PublicDomainRegistry	Bulk domain purchases allowed	Used for bot networks spreading fake news
Tucows	Lax oversight on domain abuse	Hosted domains impersonating U.S. government agencies
Epik	Historically associated with extremist content and disinformation	Favored by fringe political disinformation campaigns

Case Study:

In 2022, security researchers uncovered a Russian disinformation network that registered over 100 fake media domains via Namecheap and Reg.ru, promoting anti-Ukraine narratives in Western countries.

Russian Disinformation Hosting & Infrastructures

Beyond registrars, Russian actors strategically select hosting providers that offer either complete anonymity or jurisdictional protection from Western law enforcement.

• Bulletproof Hosting: These providers ignore abuse complaints and host malware, phishing sites, and fake news portals.
• Cloudflare & Reverse Proxies: Russian threat actors often hide behind Cloudflare to mask their hosting locations.
• Compromised Websites: Instead of registering new domains, Russian operations increasingly hijack legitimate websites to host disinformation.

Example:

• The Secondary Infektion campaign (Graphika, 2020) used compromised WordPress sites across Europe to spread anti-NATO propaganda while avoiding detection.

Emerging Trends: How Russian Actors Are Evolving Their Tactics

As domain registration oversight improves, Russian actors are adapting their methods to maintain their influence.

Aging Domains for Credibility

Instead of launching new domains immediately, Russian disinformation operators are now registering domains months in advance to make them appear more legitimate before deploying them in active campaigns.

Greater Use of Third-Party Resellers

Rather than registering domains directly, Russian actors are purchasing through resellers that operate under major registrars but have weaker oversight policies.

Shift Toward Encrypted & Decentralized Infrastructure

There is growing evidence that Russian-aligned actors are exploring blockchain-based domain name services (e.g., .eth, .crypto) and peer-to-peer hosting to avoid centralized control.

Strategically Registered Domains for Disinformation Campaigns

The use of strategically registered domains is a cornerstone of Russian disinformation campaigns, and despite increased scrutiny, these operations remain highly adaptable. By exploiting privacy-friendly registrars, bulletproof hosting, and emerging technologies, Russian actors continue to manipulate public discourse and influence geopolitics.

As cyber defenders, journalists, and policymakers, it is crucial to stay ahead of these evolving tactics and disrupt their ability to weaponize domain infrastructure for disinformation.

Sign Up For DomainTools Investigations’ Newsletter for the Latest Research

Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.