"airdrop" Domain Bloom

Published on: June 27, 2024

1600+ domains were registered between 2024-06-19 and 2024-06-20

We observed a massive bloom of newly active domain registrations including the word “airdrop” between 2024-06-19 and 2024-06-20. Instead of the usual 40-60 domains per day, 1600+ were registered. 1549 of those domains appear to have been registered by a single actor, with a common profile across MX, registrar, registrant, TLD, and more. The 1549 domains have an average risk score of 90, on a 0-100 scale of increasing risk.

Passive DNS (see screenshot from DNSDB Scout) shows an example domain moving from Dynadot to Onamae nameservers prior to expiration, and then moving to parked nameservers, which is possibly, but not necessarily, indicative of enforcement action. Whois shows the registrar changing from Dynadot to Onamae at the same time.

While not conclusive evidence of malicious activity, this massive renewal of activity in the number of “airdrop” domains is notable because airdrop scams are a regular occurrence in the cryptocurrency space, and those scams often involve leading targets to malicious websites.

We encourage all cryptocurrency users and services to warn others of the possibility of a wave of airdrop scams.

Domain profile:
First Seen/newly-active and re-registered: 2024-06-19 or 2024-06-20
Registrar: GMO Internet Group, Inc. d/b/a Onamae[.]com
MX domain: h-email[.]net
ISP: Team Internet AG (ASN206834)
IPs: 104.247.81.50, 104.247.81.51, 104.247.81.52, 104.247.81.53, 104.247.81.54
TLD: xyz
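
For defenders who want to check their own domain or DNS enrichment data against this profile, the following is an added example (not code from the original report) that scores records against the attributes listed above. The record field names, the sample records, and the min_hits threshold are assumptions; only the profile values come from this page.

```python
import ipaddress
from datetime import date

# Values copied from the "Domain profile" list on this page (refanged).
PROFILE = {
    "registrar": "gmo internet group, inc. d/b/a onamae.com",
    "mx": "h-email.net",
    "asn": 206834,
    "ips": {ipaddress.ip_address(f"104.247.81.{n}") for n in range(50, 55)},
    "tld": "xyz",
    "first_seen": {date(2024, 6, 19), date(2024, 6, 20)},
}

def refang(value):  # undo the [.] defanging used in reports, normalise case
    return value.replace("[.]", ".").strip().lower().rstrip(".")

def match_profile(rec):
    """Return the profile attributes that one enrichment record matches."""
    domain, hits = refang(rec["domain"]), []
    if "airdrop" in domain:
        hits.append("keyword")
    if domain.rsplit(".", 1)[-1] == PROFILE["tld"]:
        hits.append("tld")
    if refang(rec.get("registrar", "")) == PROFILE["registrar"]:
        hits.append("registrar")
    mx = refang(rec.get("mx", ""))
    if mx == PROFILE["mx"] or mx.endswith("." + PROFILE["mx"]):
        hits.append("mx")
    if rec.get("asn") == PROFILE["asn"]:
        hits.append("asn")
    if any(ipaddress.ip_address(ip) in PROFILE["ips"] for ip in rec.get("ips", [])):
        hits.append("ip")
    if rec.get("first_seen") in PROFILE["first_seen"]:
        hits.append("first_seen")
    return hits

def in_cluster(rec, min_hits=5):
    """Keyword is required; min_hits=5 is an assumed threshold to tune locally."""
    hits = match_profile(rec)
    return "keyword" in hits and len(hits) >= min_hits

# Constructed sample records; the domain names and field layout are hypothetical.
SAMPLES = [
    {"domain": "constructed-airdrop-sample[.]xyz", "registrar": "GMO Internet Group, Inc. d/b/a Onamae[.]com",
     "mx": "h-email[.]net", "asn": 206834, "ips": ["104.247.81.51"], "first_seen": date(2024, 6, 19)},
    {"domain": "constructed-airdrop-sample[.]com", "registrar": "Constructed Registrar LLC",
     "mx": "mail.constructed-sample.example", "asn": 64500, "ips": ["192.0.2.10"], "first_seen": date(2024, 6, 20)},
    {"domain": "constructed-parked-sample[.]xyz", "registrar": "Constructed Registrar LLC",
     "mx": "", "asn": 206834, "ips": ["104.247.81.52"], "first_seen": date(2024, 5, 1)},
]
```

The second sample shows why the keyword and registration date alone are not enough to attribute a domain to the cluster: some "airdrop" domains registered on the same days do not share the rest of the profile.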
