Security researchers at DomainTools have released a detailed analysis revealing the ongoing use of specific domain registrars by Russian state-sponsored disinformation actors, despite increasing efforts to curb their activities. These actors, including well-known groups such as APT28 (Fancy Bear), APT29 (Cozy Bear), and the Internet Research Agency (IRA), have long relied on domain registrations to impersonate trusted organizations, spread false narratives, and conduct cyber-enabled espionage.
Russian-aligned threat groups have been leveraging domain registration services as part of a broader strategy to manipulate public opinion and sow discord in Western democracies. The operations typically involve the creation of counterfeit media websites that imitate well-known news outlets, while simultaneously pushing pro-Kremlin content. In some instances, these sites fabricate stories and distort news articles, often translating them into multiple languages to target diverse audiences.
For instance, the Russian state-sponsored hacking group SEABORGIUM registered domains intended to mimic major Western think tanks and respected media outlets. Examples of their deceptive tactics include domains like bloomberg-us[.]com (impersonating Bloomberg), bbcnews[.]site (impersonating BBC News), and nato-int[.]org (targeting NATO).
To increase credibility and mislead unsuspecting users, Russian actors use techniques like typosquatting and homoglyph attacks. Typosquatting involves registering domains that closely resemble the names of legitimate websites but contain small spelling errors. Homoglyph attacks use characters that look alike but are different, such as swapping a lowercase “o” and a zero. A notable example from APT28 (Fancy Bear) was the domain dnc-email[.]org, registered to exploit the Democratic National Committee’s legitimate domain dnc.org during the 2016 US election hack.
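The lookalike techniques described above can be triaged automatically against a watchlist of an organisation's own domains. The following Python script is an added example, not code from DomainTools or the report; the list of legitimate domains, the confusable-character table, the thresholds and the sample indicators (beyond the four domains cited in the article) are constructed for illustration. It folds each domain label to the ASCII string it is meant to look like, then classifies it as a homoglyph, a brand-plus-token composition such as dnc-email, a TLD swap, or a typosquat within one edit of the brand.

```python
"""Lookalike-domain triage for a brand watchlist (added example, constructed data)."""
import re
import unicodedata

# Constructed watchlist: the organisation's own registrable domains.
# Brand labels are derived from the second-level label, longest first.
LEGIT_DOMAINS = {"bloomberg.com", "bbc.com", "bbc.co.uk", "nato.int", "dnc.org"}
BRANDS = sorted({d.split(".")[0] for d in LEGIT_DOMAINS}, key=len, reverse=True)

# Characters that visually imitate an ASCII letter, mapped to that letter:
# digit-for-letter swaps plus a handful of Cyrillic/Latin confusables.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u0443": "y", "\u04bb": "h",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('bbcnews[.]site') into a plain lowercase domain,
    decoding punycode labels so IDN homoglyphs are inspected as characters."""
    d = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    d = re.sub(r"^hxxps?://", "", d).rstrip("/.")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: score the raw form anyway
    return d

def skeleton(label: str) -> str:
    """Fold a label to the ASCII string it is meant to resemble."""
    folded = unicodedata.normalize("NFKC", label)
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    return re.sub(r"[-_]", "", folded)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a value of 1 against a brand suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator: str, max_distance: int = 1) -> dict:
    """Verdict kinds: exact, tld-swap, subdomain-brand, homoglyph, brand-affix, typosquat, none."""
    domain = refang(indicator)
    verdict = {"indicator": indicator, "domain": domain, "brand": None, "kind": "none"}
    if domain in LEGIT_DOMAINS:
        verdict["kind"] = "exact"
        return verdict
    labels = domain.split(".")[:-1]  # every label left of the TLD
    for label in labels:
        folded = skeleton(label)
        mapped = any(ch in CONFUSABLES or unicodedata.normalize("NFKC", ch) != ch for ch in label)
        for brand in BRANDS:
            if folded == brand:
                if mapped:
                    kind = "homoglyph"
                elif label == brand:
                    kind = "tld-swap" if label == labels[-1] else "subdomain-brand"
                else:
                    kind = "brand-affix"  # separator inserted, e.g. bloom-berg
            elif folded.startswith(brand) or folded.endswith(brand):
                kind = "brand-affix"      # brand plus a token, e.g. dnc-email
            elif len(brand) >= 4 and levenshtein(folded, brand) <= max_distance:
                kind = "typosquat"
            else:
                continue
            verdict.update(brand=brand, kind=kind)
            return verdict
    return verdict

def triage(indicators) -> list:
    """Keep only verdicts that merit an analyst's attention."""
    return [v for v in (classify(i) for i in indicators) if v["kind"] not in ("none", "exact")]

# Constructed input: the four domains cited in the article plus invented variants.
SAMPLE_INDICATORS = [
    "bloomberg-us[.]com", "bbcnews[.]site", "nato-int[.]org", "dnc-email[.]org",
    "bl00mberg[.]com",            # constructed: zero for o
    "bl\u043e\u043emberg[.]com",  # constructed: Cyrillic o
    "blomberg[.]com",             # constructed: dropped letter
    "nato[.]org",                 # constructed: TLD swap
    "bloomberg.com",              # legitimate, not flagged
    "example[.]com",              # unrelated, not flagged
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INDICATORS):
        print(f"{v['kind']:<16} {v['brand']:<10} {v['domain']}")
```

The label folding is deliberately crude (no public-suffix list, a small confusable table), which is the right trade-off for a first-pass filter over newly observed or newly registered domains; anything it flags should then be enriched with registrar, creation date and hosting data before a block decision.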
Russian influence campaigns are also known to take advantage of bulletproof hosting providers that turn a blind eye to abuse complaints and refuse to cooperate with law enforcement agencies. These hosting services are often based in jurisdictions with weak regulatory frameworks, such as Russia, Moldova, and the Netherlands. Many of these providers offer anonymous hosting solutions, enabling the actors to remain hidden while running malicious infrastructure.
Russian actors have consistently relied on certain registrars for their operations, the report says. Some of the most commonly used registrars include NameCheap, Reg.ru (Russia), Tucows, PublicDomainRegistry, and Epik. In 2022, security researchers uncovered a network of fake media domains registered through NameCheap and Reg.ru, used specifically to promote anti-Ukraine narratives across Western countries.
Russian-aligned actors are adapting their methods to maintain their influence. Rather than immediately deploying newly registered domains, many now secure domain names months in advance. This tactic allows them to establish a sense of legitimacy before using the domains in active disinformation campaigns.
Moreover, Russian operatives have increasingly turned to domain resellers—companies operating under larger registrars but with weaker oversight policies. This circumvents efforts to detect and block malicious domain registrations at the registrar level.
Another emerging trend is the exploration of blockchain-based domain name services, such as .eth and .crypto, as well as peer-to-peer hosting.
To further hide their activities, Russian actors often make use of services like Cloudflare and reverse proxies to mask the true hosting locations of malicious websites. This makes it much harder for security teams to track down and take down the disinformation campaigns. Additionally, rather than registering new domains outright, Russian disinformation operators increasingly hijack legitimate websites. By compromising and repurposing existing, trusted domains, they add a layer of credibility to the fake news operations.