Domain Registrars Powering Russian Disinformation: A Deep Dive into Tactics and Trends
In the digital battlefield of influence operations, domain registrations serve as the foundation for launching disinformation campaigns. Russian state-sponsored actors, such as APT28 (Fancy Bear), APT29 (Cozy Bear), and the Internet Research Agency (IRA), have long relied on strategic domain registrations to impersonate trusted entities, spread propaganda, and conduct cyber-enabled espionage.
Despite efforts to curb the abuse of domain registration services, Russian-aligned threat actors continue to exploit specific registrars, hosting providers, and domain obfuscation techniques to evade detection. This analysis explores historical data, cybersecurity reports, and real-world case studies to uncover the domain registrars favored by Russian disinformation operations and the tactics that make their campaigns so effective.
How Russian Disinformation Actors Use Domains
Disguising Disinformation with Fake News Websites
A core strategy of Russian influence operations is the creation of fake news portals that mimic legitimate media organizations. These sites publish pro-Kremlin narratives, fabricated stories, and distorted news articles, often in multiple languages to target diverse audiences.
Example:
- A 2022 Microsoft report detailed how SEABORGIUM, a Russian state-sponsored group, registered domains mimicking major Western think tanks and media outlets, such as:
- bloomberg-us[.]com (mimicking Bloomberg)
- bbcnews[.]site (spoofing BBC News)
- nato-int[.]org (targeting NATO)
Typosquatting and Homoglyph Attacks
To enhance credibility and fool unsuspecting users, Russian actors frequently engage in typosquatting (registering domains with minor spelling variations) and homoglyph attacks (substituting characters with lookalikes).
Example:
- APT28 (Fancy Bear) used domains like:
- dnc-email[.]org instead of dnc.org (2016 U.S. election hack)
- o365-portal[.]net mimicking Microsoft’s login page
Bulletproof Hosting & Fast Flux Networks
Domain registrations alone are not enough—where a website is hosted matters just as much. Russian influence operators often leverage bulletproof hosting providers in Russia, Moldova, and the Netherlands that turn a blind eye to takedown requests.
Fast Flux techniques (where domain IPs frequently change) further complicate tracking efforts, making it difficult for security teams to take down malicious infrastructure.
Which Domain Registrars Do Russian Disinformation Actors Prefer?
Cyber threat intelligence reports from Mandiant, Recorded Future, Microsoft, Graphika, and Spamhaus reveal a pattern of Russian threat actors registering domains with registrars that offer low-cost, privacy-protected, and anonymous domain services.
Commonly Used Registrars
Registrar | Why It’s Used | Examples of Use in Disinformation Ops |
Namecheap | Affordable, easy to register anonymously | IRA-linked domains used in 2016 U.S. election meddling |
Reg.ru (Russia) | Domestic registrar, less likely to comply with Western takedowns | Used in pro-Kremlin media campaigns |
PublicDomainRegistry | Bulk domain purchases allowed | Used for bot networks spreading fake news |
Tucows | Lax oversight on domain abuse | Hosted domains impersonating U.S. government agencies |
Epik | Historically associated with extremist content and disinformation | Favored by fringe political disinformation campaigns |
Case Study:
In 2022, security researchers uncovered a Russian disinformation network that registered over 100 fake media domains via Namecheap and Reg.ru, promoting anti-Ukraine narratives in Western countries.
Russian Disinformation Hosting & Infrastructures
Beyond registrars, Russian actors strategically select hosting providers that offer either complete anonymity or jurisdictional protection from Western law enforcement.
- Bulletproof Hosting: These providers ignore abuse complaints and host malware, phishing sites, and fake news portals.
- Cloudflare & Reverse Proxies: Russian threat actors often hide behind Cloudflare to mask their hosting locations.
- Compromised Websites: Instead of registering new domains, Russian operations increasingly hijack legitimate websites to host disinformation.
Example:
- The Secondary Infektion campaign (Graphika, 2020) used compromised WordPress sites across Europe to spread anti-NATO propaganda while avoiding detection.
Emerging Trends: How Russian Actors Are Evolving Their Tactics
As domain registration oversight improves, Russian actors are adapting their methods to maintain their influence.
Aging Domains for Credibility
Instead of launching new domains immediately, Russian disinformation operators are now registering domains months in advance to make them appear more legitimate before deploying them in active campaigns.
Greater Use of Third-Party Resellers
Rather than registering domains directly, Russian actors are purchasing through resellers that operate under major registrars but have weaker oversight policies.
Shift Toward Encrypted & Decentralized Infrastructure
There is growing evidence that Russian-aligned actors are exploring blockchain-based domain name services (e.g., .eth, .crypto) and peer-to-peer hosting to avoid centralized control.
Strategically Registered Domains for Disinformation Campaigns
The use of strategically registered domains is a cornerstone of Russian disinformation campaigns, and despite increased scrutiny, these operations remain highly adaptable. By exploiting privacy-friendly registrars, bulletproof hosting, and emerging technologies, Russian actors continue to manipulate public discourse and influence geopolitics.
As cyber defenders, journalists, and policymakers, it is crucial to stay ahead of these evolving tactics and disrupt their ability to weaponize domain infrastructure for disinformation.
Sign Up For DomainTools Investigations’ Newsletter for the Latest Research
Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.