Monthly Intelligence Reports
Click any month for a detailed report with domain cards, registrar analysis, and an AI-generated expert assessment.
In March 2026, PhishDestroy detected 6,635 phishing domains, marking a 63.6% decrease from the previous month. Despite this reduction, 3,124 domains remain active, highlighting a takedown rate of only 52.6%. Attackers continue to focus on cryptocurrency platforms, with Coinbase and Exodus being the top targets. The operational impact is significant, as the takedown rate remains below the desired threshold, indicating a need for improved response times from registrars, particularly NICENIC INTERNATIONAL GROUP CO., LIMITED and Cloudflare, Inc.
In February 2026, PhishDestroy detected 18,204 phishing domains, marking a 103.8% increase from the previous month. The takedown rate was 68.2%, with 5,792 domains still active. Notably, NICENIC INTERNATIONAL GROUP CO., LIMITED emerged as the top registrar with 7,733 abusive domains. Targeting shifted towards Facebook Pixel and generic crypto brands, indicating a pivot in attacker focus. The operational impact shows a need for improved registrar response times, averaging 288.1 hours, to enhance takedown efficiency.
The most significant finding for January 2026 is a 24.1% decrease in detected phishing domains compared to the previous month, totaling 8,932 domains. Despite this reduction, 1,823 domains remain active, indicating a need for improved takedown strategies. The takedown rate stands at 79.6%, showing effectiveness but also highlighting a gap in response times, with a mean registrar response time of 782.6 hours. Notably, there is a shift towards targeting crypto-related brands, with Crypto Scam domains leading at 792 detections, suggesting a change in attacker focus and potential vulnerabilities in the crypto sector.
In December 2025, PhishDestroy detected 11,773 phishing domains, marking a 6.4% decrease from the previous month. The takedown rate was 76.3%, with 8,978 domains neutralized. Notably, Crypto Scam targeting remains prevalent with 820 domains, while NICENIC INTERNATIONAL GROUP CO., LIMITED emerged as the top registrar for abuse cases. The operational impact shows effective takedown efforts, though the mean registrar response time of 1452.7 hours indicates room for improvement in response speed.
In November 2025, PhishDestroy detected 12,580 phishing domains, marking a 42.3% increase from the previous month. The takedown rate was 85.4%, with 1,842 domains still active. Notably, Crypto Scam targeting surged with 990 domains, reflecting a shift towards cryptocurrency-related phishing. The mean registrar response time remains a concern at 2189.3 hours, indicating potential delays in domain takedowns.
In October 2025, PhishDestroy detected 8,841 phishing domains, marking a 21.0% increase from the previous month. Notably, NICENIC INTERNATIONAL GROUP CO., LIMITED emerged as the top abuse registrar with 1,206 domains, indicating a potential shift in attacker preferences for domain registration. The targeting of Generic Crypto brands remains prevalent, with 669 domains detected, while Angel Drainer kits were the most used, affecting victims through wallet drains. Despite an 85.7% takedown rate, the mean registrar response time of 2803.0 hours highlights a critical gap in rapid domain deactivation.
In September 2025, PhishDestroy detected 7,307 phishing domains, marking a 92.9% increase from the previous month, with a significant surge in activity on September 20th. The operational impact was notable with a takedown rate of 82.2%, although the mean registrar response time remained high at 3,828.5 hours. Attackers continued to focus on the crypto sector, with Generic Crypto and SushiSwap as top targets, indicating a shift in targeting tactics. The dominance of the Angel Drainer kit suggests a persistent threat of wallet draining and seed theft for victims.
August 2025 saw a dramatic surge in phishing domains with 3,788 detected, marking a 441.1% increase from the previous month. The takedown rate stood at 67.6%, indicating significant operational success, though the mean registrar response time remains critically high at 4426.9 hours. Notably, Kraken and Ledger were heavily targeted, reflecting a strategic focus on cryptocurrency brands. The prevalence of the Angel Drainer kit, implicated in 220 cases, underscores a persistent threat of wallet draining for victims.
In July 2025, PhishDestroy detected 700 phishing domains, marking a 17400.0% increase from the previous month, with a takedown rate of 85.1%. Notably, Angel Drainer kits were identified on 183 domains, posing significant risks of wallet drains and seed theft. The mean registrar response time was a concerning 4981.9 hours, highlighting gaps in takedown efficiency. Despite the high volume, our operational impact remains strong with a substantial number of domains taken offline, though registrar responsiveness needs improvement.
In June 2025, PhishDestroy detected 4 phishing domains, representing a 100.0% increase from the previous month. Despite the rise in detected domains, the takedown rate remained effective at 75.0%, with 3 domains neutralized. Notably, Infomaniak Network SA, NameSilo, LLC, and PDR Ltd. d/b/a PublicDomainRegistry.com emerged as top abuse registrars. The targeting of Apple indicates a shift towards high-value technology brands. The operational impact is positive, with a strong takedown rate, but vigilance is needed for the remaining active domain.
Detection Trends
[Charts: monthly domain volume, kill rate, and live threats over time. Panels: Monthly Detected Domains; Kill Rate %.]