Where Everybody Knows Your Name: Observing Malice-Complicit Nameservers
🎵 Sometimes you wanna go
Where everybody knows your name
And they’re always glad you came 🎵
~Theme from Cheers
Everyone should have a place to go where they’re comfortable, can pull up a comfy infrastructure barstool, and just kick back and enjoy life.
Everyone except malicious actors.
At DomainTools Investigations we take a special interest in the comfort and caretaking of bad actors, wherever it may occur. Whether it’s a den of aspiring hackers stretching their wings, domain registrar business decisions welcoming in Russian disinformation peddlers, or even mapping out ransomware actor musical chairs, you could say we pay keen attention to the care and feeding of predatory ecosystems.
So it’s no surprise that we’re looking at DNS all the time, day, night and otherwise. Even during leap seconds.
Nameservers and Detecting Threats
They say “to reach people, meet them where they’re at” and in our corporate mission to reach more and more bad actors we’ve taken this to heart. By intensely monitoring nameservers where criminals feel comfortable, we’re able to understand the ebb and flow of whole campaigns as well as opportunistic one-offs as domains circulate between registrars, hosts, and transient infrastructure.
We turn here to the Russian bulletproof hosting service DDoS-Guard. The name is familiar to most in cybersecurity, with a profile that’s led to the then-Chairwoman of the House Oversight Committee pointing out DDoS-Guard links to the Russian government as well as Brian Krebs laying out the complex web of controversies the hosting company supported at the time, from Hamas to 8chan.
DDoS-Guard enablement of criminal activity, terrorism, and espionage is not exactly a secret.
Analyzing only a month’s worth of nameserver activity for DDoS-Guard provides an important glimpse into their current corner of the internet. Activity from 2025-05-13 through 2025-06-11 covers more than 1,500 events, from transfers in and out of the service (illuminating other sources and destinations) to domain creation and deletion. The analysis also clarifies where DDoS-Guard sits in the nexus of services used for malicious purposes, and points at large spaces for future research.
Isolating domains moving through DDoS-Guard nameservers during that window, we observed 269 domains transferred in from other services, 408 domains transferred out of DDoS-Guard to other services, 677 new domains created, and 199 domains deleted.
For the purposes of this post, we can sort the observed domains into three buckets, in descending order of proportion: temporary gambling/betting domains, cryptocurrency-targeting domains, and indeterminate/other. The temporary domains were obvious thanks to repetitive, incremented numbers across many alike names as well as their short lifespans on the service: most were new, carried non-English (largely Indonesian and Turkish) names, and were deleted within two weeks of creation. A smaller subset was transferred out, mostly to my-ndns[.]com and Cloudflare.
Registrar[.]eu appears in the “transfer out” results as an outlier because of a single cluster of 72 domains either targeting or spamming for the Russian gambling website Pokerdom. All of them serve Russian-language landing pages imitating Pokerdom terms-of-service or login paths, and all use the .top TLD. Historical data shows this cluster was spun up on DDoS-Guard a year earlier and transferred out to Registrar[.]eu rather than being renewed.
Observing nameservers, as noted, also allowed us to see where DDoS-Guard lies in relation to bad actors constantly shopping their domains from service to service to try and avoid detection or blocklisting. Several notable examples came up in research.
Bioservamerica[.]com sounds like a perfectly reasonable domain from afar. However, seeing it become newly active after three years of dormancy and then bouncing between DDoS-Guard and Cloudflare caused us to take a closer look. In fact, bioservamerica[.]com is the domain for an Indonesian gambling website utilizing the age of the domain to evade some risk metrics.
An investigative rabbit hole deepened the more we dug. Bioservamerica[.]com redirected to capecodrestaurantweek[.]com; sharing that redirect was restaurantweekcapecod[.]com. A pivot on the registrant for the latter led to a dozen chef- or restaurant-themed websites that appear to serve as redirects for a massive network either supporting black-market gambling sites or attempting to phish those users. Passive DNS revealed suspiciously rapid and ongoing DNS changes suggestive of fast flux or a similar technique for capecodrestaurantweek[.]com. All told, this network appeared to be acquiring aged domains and utilizing sophisticated obfuscation and redirection techniques and is due for further research.
Another straightforward finding while observing DDoS-Guard nameservers involves a campaign targeting holders of Vanilla gift cards, a Visa product. DDoS-Guard users are fond of “com” domains: apex domains that themselves contain “com”, paired with targeted subdomains, to deceive victims about the actual site. In practice, comtrackmycom[.]com uses subdomains like “www.vanillagift,” so the victim sees www.vanillagift[.]comtrackmycom[.]com. Many readers stop parsing after the first “com”, so the URL looks legitimate, even though the registrable domain is comtrackmycom[.]com and everything to its left is under the attacker’s control. This domain spun up on DDoS-Guard on 2025-06-02 and, while blocklisted, still appeared active at the time of writing.
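The trick above works because people read hostnames left to right while resolvers and browsers care only about the registrable domain (the label immediately before the public suffix). As an added example, not code from DomainTools or the original post, the following detector extracts the registrable domain first and then asks whether a protected brand appears anywhere to its left. The suffix list and brand table are small constructed stand-ins (a real deployment would load the full Public Suffix List), and the ledger entry is assumed for illustration.

```python
"""Flag hostnames whose visible prefix impersonates a brand while the
registrable domain belongs to someone else (the comtrackmycom[.]com
pattern).  Added example; not DomainTools code."""
from dataclasses import dataclass, field

# Minimal stand-in for the Public Suffix List.  Assumption: production code
# loads the real list from publicsuffix.org instead of this hand-picked set.
PUBLIC_SUFFIXES = {"com", "net", "org", "to", "finance", "xyz", "co.uk"}

# Brands to protect, keyed by the registrable domain they legitimately use.
# Constructed for the example; only vanillagift is named in the post.
BRAND_DOMAINS = {"vanillagift": "vanillagift.com", "ledger": "ledger.com"}


def split_hostname(hostname: str) -> tuple[list[str], str, str]:
    """Return (subdomain labels, registrable label, public suffix)."""
    labels = hostname.lower().rstrip(".").split(".")
    # Try the longest suffix first so "co.uk" wins over "uk".
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix = ".".join(labels[-n:])
            return labels[: -n - 1], labels[-n - 1], suffix
    raise ValueError(f"no known public suffix in {hostname!r}")


@dataclass
class Verdict:
    registrable_domain: str
    flags: list[str] = field(default_factory=list)


def assess(hostname: str) -> Verdict:
    subs, reg_label, suffix = split_hostname(hostname)
    registrable = f"{reg_label}.{suffix}"
    verdict = Verdict(registrable)

    for brand, legit in BRAND_DOMAINS.items():
        if registrable == legit:
            continue  # the brand's own domain; nothing to flag
        if reg_label == brand:
            # Right label, wrong suffix, e.g. vanillagift.net
            verdict.flags.append(f"brand_tld_swap:{brand}")
        elif any(brand in label for label in subs) or brand in reg_label:
            # Brand shows up somewhere the attacker controls
            verdict.flags.append(f"brand_impersonation:{brand}")

    # The registrable label itself starts with a TLD-looking token, so that
    # "www.brand.com..." reads as if it ended at the first "com".
    for tld in ("com", "net", "org"):
        if reg_label.startswith(tld) and reg_label != tld:
            verdict.flags.append(f"tld_in_registrable_label:{tld}")
            break
    return verdict


if __name__ == "__main__":
    for host in ("www.vanillagift.comtrackmycom.com", "www.vanillagift.com",
                 "en-ledger.to", "vanillagift.net"):
        print(host, "->", assess(host))
```

The registrable-domain step is the part that matters for blocking: a blocklist entry for comtrackmycom[.]com (or a wildcard beneath it) covers every subdomain the actor invents, whereas matching on "vanillagift" alone would miss the next apex they register.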
Digital Assets
A popular target for DDoS-Guard users is players of the popular first-person shooter Counter-Strike: Global Offensive (CS:GO, since succeeded by Counter-Strike 2). Counter-Strike has a long history of strangeness around its weapon skin system, which lets players apply decorative designs to their in-game weapons, graded by the rarity with which they drop from loot boxes (“cases”). In 2019 Valve made newly purchased case keys non-tradable after concluding that nearly all keys being traded or sold on its marketplace were fraud-sourced and used for money laundering. DDoS-Guard nameservers reveal a number of candidates for investigation:
csmoney[.]to, created on DDoS-Guard on 2025-05-28, is likely impersonating the skin-trading marketplace cs[.]money for phishing purposes.
The domain hellcase[.]com appears to be a legitimate site surrounding case-opening and exclusive skins. However, on DDoS-Guard we see at least one actor deeply comfortable with the service, spinning up over a dozen new domains targeting CS:GO and Hellcase users, as well as transferring domains in and out. Despite being less than a month old at the time of writing, the below domains all show as having already been added to third-party blocklists:
cs2-hellcas[.]com
hell2cs[.]com
hellcs2-events[.]com
hellcs2promo[.]com
hellcspromo[.]com
hlcase-event[.]com
hlcases-events[.]com
hlcases-promotional[.]com
hlcs-promo[.]com
hlcs-promotionals[.]com
Highlighting the flows in and out of DDoS-Guard nameservers, hlcases-events[.]com transferred out to Cloudflare and cs2-hellcas[.]com transferred in from 1reg[.]buzz. The actor(s) targeting CS:GO and Hellcase users seemed mostly comfortable with DDoS-Guard during the month of observation, but this kind of movement raises a question for further research: can risk be fingerprinted by measuring nameserver transitions?
Cryptocurrency
Video game weapon skins aren’t the only digital asset being targeted from DDoS-Guard’s Russian infrastructure. DDoS-Guard nameserver activity provided a wealth of information on scams and phishing targeting cryptocurrency users. In one month, domains were observed aimed at the following protocols and platforms: Atomic, Bluefish, Brex, Coinbase, Cortex, DefiSaver, Dragonswap, Felix, Hybridge, Hyperion, Hyperlend, Hyperswap, Ledger, Mercury, MetaMask, Nexus, Odos, SoSoValue, Trezor, Tron, UsualMoney, and YieldNest.
Pivots on those domains provided insight into additional apex-level domains or subdomains targeting DEXscreenr, MyEtherWallet, Phantom, Phala, Rabby, Rainbow, Rarible, Safepal, Sui, Trust, Uniswap, and more.
That’s quite a list for one month of watching.
A pattern emerged: in several cases, domains were created on DDoS-Guard and then either deleted within days or transferred out to another set of nameservers within a week.
Let’s discuss some example findings.
YieldNest[.]finance is a restaking protocol aiming to increase earnings by advancing liquidity in the Ethereum ecosystem. Yet someone’s also looking to restake a claim:
| Domain | Date Created | Date Deleted | Registrar |
|---|---|---|---|
| yicldnest[.]finance | 2025-05-30 | 2025-06-06 | OwnRegistrar |
| yielclnest[.]finance | 2025-06-03 | 2025-06-06 | OwnRegistrar |
| yieldnesf[.]finance | 2025-05-27 | 2025-06-01 | OwnRegistrar |
| yieldrest[.]financial | 2025-06-04 | 2025-06-06 | OwnRegistrar |
| yjeldnest[.]finance | 2025-06-03 | 2025-06-06 | OwnRegistrar |
Despite all of these domains being up for less than a week, every one of them resolved to live infrastructure (passive DNS showed resolutions in the wild), and every one diverged substantially from YieldNest’s primary domain profile. IP address, MX record, and tracker pivots on these five domains surfaced several more targeting YieldNest, as well as domains targeting Coinbase, the Oasis protocol, payment processor Coinwall, PLANET token, and more. While PDR and Reg[.]ru were observed, the behavior indicated an overwhelming preference for DDoS-Guard nameservers, along with a strong preference for Cloudflare and Namecheap. Many of these domains showed abnormal daily changes to either MX or NS records during their period of activity.
While more research over a longer term is needed to validate it, monitoring problematic nameservers shows promise as a traffic supernode for establishing behavior patterns that can support more complex and targeted observation and detection of malicious actors.
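The five lookalikes in the table above are one substitution away from the real label, or a visual confusable away (cl for d, j for i), with one of them also swapping the TLD. As an added example, not DomainTools code, the function below scores a candidate domain against a protected label using optimal string alignment distance (Damerau-Levenshtein without substring edits) after folding common confusable sequences. The confusable table and the distance threshold of 2 are assumptions for the example.

```python
"""Score candidate domains against a protected brand label.  Added example;
not DomainTools code.  The confusable table is constructed and should be
grown from your own observations."""

# Visually confusable sequences folded before comparison.
CONFUSABLES = {"cl": "d", "rn": "m", "vv": "w", "0": "o", "1": "l", "j": "i"}


def fold(label: str) -> str:
    """Collapse confusable sequences so 'yielclnest' compares as 'yieldnest'."""
    label = label.lower()
    for seq, repl in CONFUSABLES.items():
        label = label.replace(seq, repl)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def score(candidate: str, brand: str, brand_tlds=("finance",), max_distance=2):
    """Return (distance, reasons) for a candidate like 'yicldnest.finance'.

    distance is the smaller of the raw and confusable-folded distances between
    the candidate's first label and the brand label.  An empty reasons list
    means the candidate is either the brand itself or too far away to matter.
    """
    label, _, tld = candidate.lower().partition(".")
    raw = osa_distance(label, brand)
    folded = osa_distance(fold(label), fold(brand))
    dist = min(raw, folded)

    reasons = []
    if dist == 0 and label != brand:
        reasons.append("confusable_homograph")      # differs only by confusables
    elif 0 < dist <= max_distance:
        reasons.append(f"typosquat_distance_{dist}")
    if reasons and tld not in brand_tlds:
        reasons.append(f"lookalike_tld_{tld}")      # e.g. .financial for .finance
    return dist, reasons


if __name__ == "__main__":
    for dom in ("yicldnest.finance", "yielclnest.finance", "yieldnesf.finance",
                "yieldrest.financial", "yjeldnest.finance", "yieldfarm.finance"):
        print(dom, score(dom, "yieldnest"))
```

Run this over newly observed domains on a watched nameserver rather than over the whole zone: the lookalikes here lived less than a week, so the value is in catching them at creation time, when the distance check is cheap and the candidate list is short.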
Another good example is a set of domains targeting the Ledger wallet and app. en-ledger[.]to was created on DDoS-Guard on 2025-05-27 and provided an excellent IP address pivot to 70+ domains almost exclusively targeting cryptocurrency wallets such as Atomic, MetaMask, MyEtherWallet, Trezor, and Trust. Most are currently blocklisted, with an astronomically high average third-party risk score.
Common infrastructure characteristics across the cluster:
| Domain infra datapoint | Common values / outliers in cluster | Most popular (in order) |
|---|---|---|
| NS domain | 1/4 | DDoS-Guard |
| Server type | 5/1 | Nginx, sffe, DDoS-Guard, Cloudflare |
| SSL issuer common name | 5/3 | R10, R11 (Let’s Encrypt intermediates) |
Another popular target in this brief glimpse into DDoS-Guard was the cross-chain swap Hybridge. Cross-chain bridges and swaps let users exchange tokens on one chain for tokens on another, and in practice they hold a sizable amount of cryptocurrency in hot wallets for this purpose, making them a juicy prize.
app-hybridge[.]finance was created on DDoS-Guard on 2025-05-09, transferred to registrar[.]eu nameservers on 2025-05-30, and moved back to DDoS-Guard on 2025-05-31. A urlscan[.]io screenshot of the landing page from 2025-05-26 shows a spoofed login page.
Nothing in Hybridge’s documentation or social media points to any domain other than hybridge[.]xyz, so both hybridge[.]finance and app-hybridge[.]finance appear to be malicious. Both connected to DDoS-Guard: hybridge[.]finance transferred out to regery[.]net on 2025-05-27, and app-hybridge[.]finance transferred out and back in as noted above.
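The Hellcase, YieldNest and Hybridge sections all point at the same signal: domains that hop between nameserver providers, sometimes round-tripping within days, or whose MX and NS records change daily. As an added example, not DomainTools code, the following turns a passive-DNS-style record history into provider transitions and a churn count, then applies simple thresholds. The observations are constructed to mirror the app-hybridge[.]finance sequence described above (the NS hostnames, the MX hosts, the thresholds and the provider suffix table are all assumptions for the example).

```python
"""Nameserver-transition and record-churn detection over a record history.
Added example; not DomainTools code.  All observations are constructed."""
from collections import defaultdict
from datetime import date

# Map NS hostnames to a provider label by suffix.  Constructed; extend as needed.
PROVIDER_SUFFIXES = {
    "ddos-guard.net": "DDoS-Guard",
    "cloudflare.com": "Cloudflare",
    "registrar.eu": "Registrar.eu",
}

# (observed_on, domain, rtype, value): constructed to mirror the post's
# description of app-hybridge.finance, with a quiet control domain.
OBSERVATIONS = [
    (date(2025, 5, 9),  "app-hybridge.finance", "NS", "ns1.ddos-guard.net"),
    (date(2025, 5, 9),  "app-hybridge.finance", "NS", "ns2.ddos-guard.net"),
    (date(2025, 5, 30), "app-hybridge.finance", "NS", "ns1.registrar.eu"),
    (date(2025, 5, 31), "app-hybridge.finance", "NS", "ns1.ddos-guard.net"),
    (date(2025, 6, 1),  "app-hybridge.finance", "MX", "mx1.example.net"),
    (date(2025, 6, 2),  "app-hybridge.finance", "MX", "mx2.example.org"),
    (date(2025, 6, 3),  "app-hybridge.finance", "MX", "mx1.example.net"),
    (date(2025, 5, 13), "steady.example",       "NS", "ns1.cloudflare.com"),
    (date(2025, 6, 11), "steady.example",       "NS", "ns1.cloudflare.com"),
]


def provider_of(ns_host: str) -> str:
    """Label an NS hostname by provider; anything unrecognised is 'other'."""
    host = ns_host.lower().rstrip(".")
    for suffix, name in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "other"


def daily_values(observations, domain, rtype):
    """Collapse observations into an ordered {date: set(values)} for one domain/type."""
    by_day = defaultdict(set)
    for day, dom, rt, value in observations:
        if dom == domain and rt == rtype:
            by_day[day].add(value.lower())
    return dict(sorted(by_day.items()))


def ns_transitions(observations, domain):
    """Ordered list of (from_providers, to_providers) changes for a domain."""
    path = []
    for hosts in daily_values(observations, domain, "NS").values():
        providers = tuple(sorted({provider_of(h) for h in hosts}))
        if not path or path[-1] != providers:
            path.append(providers)
    return list(zip(path, path[1:]))


def churn(observations, domain, rtype):
    """Days on which the record set differed from the previous observation."""
    days = list(daily_values(observations, domain, rtype).values())
    return sum(1 for prev, cur in zip(days, days[1:]) if prev != cur)


def suspicious(observations, domain, max_ns_transitions=1, max_mx_churn=1):
    """Reasons a domain's DNS history looks like hop-and-hide behaviour."""
    reasons = []
    t = ns_transitions(observations, domain)
    if len(t) > max_ns_transitions:
        reasons.append(f"ns_transitions={len(t)}")
    # A -> B followed by B -> A: the out-and-back pattern seen with app-hybridge
    if any(a == b2 and b == a2 for (a, b), (a2, b2) in zip(t, t[1:])):
        reasons.append("ns_round_trip")
    c = churn(observations, domain, "MX")
    if c > max_mx_churn:
        reasons.append(f"mx_churn={c}")
    return reasons


if __name__ == "__main__":
    for dom in ("app-hybridge.finance", "steady.example"):
        print(dom, ns_transitions(OBSERVATIONS, dom), suspicious(OBSERVATIONS, dom))
```

Provider labels rather than raw NS hostnames are what make the transitions comparable across a campaign: ns1 versus ns2 at the same provider is noise, while DDoS-Guard to Registrar.eu and back within two days is the kind of move worth fingerprinting.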
Conclusion
Above we’ve discussed the results of observing nameservers for Russian bulletproof host DDoS-Guard for a single month, 2025-05-13 through 2025-06-11. Results showed a vast array of threats, but the most active targeted the cryptocurrency sphere in very specific ways, especially through emulating wallets, exchanges, and cross-chain swaps.
There is more work to do and more bad actors, like DDoS-Guard, that provide a haven for criminal activity. Utilizing DNS and domain intelligence, as well as nameserver surveillance over an extended period of time, gives us a feel for the traffic flows of domain services, watching likely or proven malicious domains spin up, get deleted, and transfer in and out.
Digital asset, cryptocurrency, and other decentralized finance services should monitor not just new or newly active domains and subdomains but also identify the service providers that give comfort to scammers, phishers, and others. That gives those services a much clearer day-to-day understanding of the prolific and varied threat environment they face, informing both how they protect their infrastructure and how they educate users to protect themselves.
Cryptocurrency and decentralized finance users can protect themselves by staying informed of the threats the sector faces and staying current on the news, as well as engaging with protective DNS solutions and other blocklists that not only use third-party data but also let the user add their own domains, services, and other characteristics. The simple act of blocking any domain served by ddos-guard[.]net nameservers may cut dozens or hundreds of direct threats per month; since such a rule blocks on the hosting decision rather than on observed content, anyone deploying it should watch for legitimate sites caught alongside and whitelist them explicitly.
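Blocking on nameserver rather than on domain name is exactly what a Response Policy Zone NSDNAME trigger does in a recursive resolver such as BIND. As an added example, not a configuration from DomainTools or the post, the zone fragment below returns NXDOMAIN for any name whose delegation points at a nameserver under ddos-guard[.]net, adds QNAME rules for two domains named in the post, and shows the pass-through syntax for exceptions. The zone name, file path and the trusted.example.com placeholder are assumptions.

```dns
$TTL 300
@                               IN SOA  localhost. hostmaster.localhost. (
                                        2025061101 3600 600 86400 300 )
                                IN NS   localhost.

; NSDNAME trigger: any domain delegated to a nameserver under ddos-guard.net
; is answered NXDOMAIN (CNAME . is the RPZ "NXDOMAIN" action).
*.ddos-guard.net.rpz-nsdname    CNAME   .

; QNAME triggers for domains named in the post; the wildcard covers every
; subdomain the actor invents beneath the apex.
comtrackmycom.com               CNAME   .
*.comtrackmycom.com             CNAME   .
en-ledger.to                    CNAME   .

; Exception: let a legitimate dependency through even if the NSDNAME rule
; would otherwise catch it (placeholder name, replace with your own).
trusted.example.com             CNAME   rpz-passthru.
```

Load it in named.conf with `response-policy { zone "rpz.local"; } nsdname-enable yes;` inside `options`, and declare `zone "rpz.local" { type master; file "/etc/bind/rpz.local.db"; allow-query { none; }; };`. NSDNAME rules cost a lookup of the target's delegation, so keep the list of trigger suffixes short and log hits before switching the action from logging to NXDOMAIN.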
More research along these lines is forthcoming from DomainTools Investigations.
Sign Up For DomainTools Investigations’ Newsletter for the Latest Research
Want more from DomainTools Investigations? Be sure to sign up for our monthly newsletter to get the latest research from the team – available on LinkedIn or email.