September 2025 Report

• <strong>N/A</strong> leads in registrar abuse with <strong>819</strong> domains, followed closely by <strong>NICENIC INTERNATIONAL GROUP CO., LIMITED</strong> with <strong>721</strong> domains.
• Crypto brands like <strong>Generic Crypto</strong> and <strong>SushiSwap</strong> were heavily targeted, overshadowing traditional sectors like banking.
• The <strong>.com</strong> TLD remains the most weaponized with <strong>2,561</strong> domains, while <strong>.xyz</strong> and <strong>.live</strong> show growing abuse.
• The <strong>Angel Drainer</strong> kit was used in <strong>1,120</strong> incidents, indicating a focus on wallet draining and seed theft.
• The US hosts the majority of phishing infrastructure with <strong>5,931</strong> domains, but there is notable activity in <strong>Germany</strong> and <strong>Netherlands</strong>.
• Detection-to-takedown efficiency remains challenged with a mean response time of <strong>3,828.5</strong> hours, necessitating faster registrar actions.

Active Drainer Kits