eCommerceNews India - Technology news for digital commerce decision-makers

Study finds 28,000 fake domains mimic top websites

Wed, 11th Feb 2026

More than 28,000 deceptive domain variations linked to 20 of the world's most visited websites have already been registered by third parties, a new analysis finds, highlighting persistent risks from brand impersonation, phishing and malware.

The research, published by web data company Decodo, examined plausible permutations of domains associated with brands that drew heavy traffic in January 2026. It identified 28,212 registered lookalike domains across the set, with some brands seeing up to 13% of potential variants already taken.

Using the squatting analysis platform Have I Been Squatted?, the study generated and assessed likely domain permutations. The findings show how quickly third parties can acquire large volumes of similar-looking domains, while brand owners face a slower, more expensive process to challenge registrations or reclaim names.

Most targeted

Live.com ranked highest by share of plausible variations registered by third parties. The analysis identified 22,972 possible variants for Live.com and found 2,924 already registered, or 13%.

Amazon.com followed with 2,860 registered lookalike domains out of 23,175 possible variants, or 12%. Gemini.google.com and Google.com each had about one in 10 variants registered: 2,412 out of 23,164 and 2,395 out of 23,123, respectively.

Other brands showed similar patterns. Yahoo.com had 2,017 registered domains out of 23,124 possible variants (9%). Office.com had 2,241 registered variants out of 32,153 (7%).

YouTube.com had 1,546 registered variations out of 23,744 (7%). Microsoft.com recorded 1,377 out of 23,298 (6%), and Weather.com was similar at 1,316 out of 23,260 (6%).

TikTok.com had 1,262 registered variants out of 23,056 (5%). Chatgpt.com also sat at 5%, with 1,200 out of 23,103. Ebay.com and Bing.com were also at 5%, with 1,142 out of 22,984 and 1,119 out of 22,948, respectively. Netflix.com and Temu.com each had 4% registered, at 935 out of 23,106 and 881 out of 22,984.

AI brands

The analysis points to a concentration of lookalike registrations around fast-growing AI services. Gemini-related domains accounted for more than 2,800 registered variations, while ChatGPT-related domains accounted for 1,200 in the dataset.

Attackers often use lookalike domains for impersonation, hosting fake login pages, mimicking customer support, or distributing malware through downloads and links. Even without active content, domains can be held for resale or deployed later in time-bound campaigns that exploit breaking news and product launches.

Disputes rising

Formal challenges over domain ownership have increased as well. In 2025, the World Intellectual Property Organisation handled 6,200 domain name disputes, Decodo said, WIPO's highest number on record and a 68% increase since 2020.

Decodo argues the pattern reflects a shift away from isolated opportunistic registrations. Instead, organised groups increasingly use automation and large-scale registration to capture many variants per brand.

Common tactics

Lookalike domain schemes typically take several forms. Typosquatting relies on common misspellings, such as gooogle.com instead of google.com. Combosquatting adds keywords to a brand name, in domains such as amazon-deals.com or netflix-login.com.

Other approaches include registering brand names across different domain extensions, such as .org or .net, as well as newer extensions such as .io and .ai. Homograph attacks use visually similar characters from different alphabets, making a fraudulent domain difficult to spot at a glance.
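
The four tactics above can be told apart mechanically when triaging newly observed domains against a brand watch list. The sketch below is an added example, not code from Decodo or Have I Been Squatted?; the watch list, the `classify` function, the one-edit threshold and the small confusables table are assumptions made for illustration.

```python
# Added example: label an observed domain with the lookalike tactic it matches.
BRANDS = ["google.com", "amazon.com", "netflix.com", "tiktok.com"]  # sample watch list

# Constructed, deliberately tiny subset of Cyrillic-to-Latin confusables;
# a production check would use the full Unicode confusables data.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456", "aeopcxyi")

def edit_distance(a, b):
    """Levenshtein distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brands=BRANDS, max_edits=1):
    """Return (tactic, matched_brand) for a registrable domain such as 'name.com'."""
    domain = domain.lower().rstrip(".")
    if domain in brands:
        return ("legitimate", domain)
    label, _, tld = domain.partition(".")
    if label.startswith("xn--"):  # decode an IDN A-label to its Unicode form
        label = label[4:].encode("ascii").decode("punycode")
    for brand in brands:
        b_label, _, b_tld = brand.partition(".")
        # Homograph: non-ASCII label that collapses to the brand after mapping.
        if not label.isascii() and label.translate(CONFUSABLES) == b_label:
            return ("homograph", brand)
        # Same name registered under a different extension.
        if label == b_label and tld != b_tld:
            return ("tld-swap", brand)
        # Typosquatting: one inserted, deleted or substituted character.
        if 0 < edit_distance(label, b_label) <= max_edits:
            return ("typosquat", brand)
        # Combosquatting: brand name plus an added keyword.
        if b_label in label.split("-") or label.startswith(b_label) or label.endswith(b_label):
            return ("combosquat", brand)
    return ("unrelated", None)

# Domains quoted in the article plus constructed ones (google.ai, Cyrillic 'o', example.org).
SAMPLES = ["gooogle.com", "googkle.com", "tiktoks.com", "amazon-deals.com",
           "netflix-login.com", "google.ai", "g\u043e\u043egle.com", "example.org"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:20} {classify(d)}")
```

The prefix and suffix test for combosquatting is noisy for short brand names, so a real watch list would pair it with a keyword list or a minimum label length.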

Notable cases

Several well-known disputes show how domain conflicts can become protracted and public. Two individuals in Australia registered tiktoks.com for $2,000, anticipating TikTok's growth. ByteDance later offered $145,000 for the domain, but the registrants refused, according to the account cited in the analysis.

The matter went to WIPO through a cybersquatting complaint. WIPO ruled in ByteDance's favour and ordered the domain transferred.

Another widely cited case involved Microsoft and Canadian teenager Mike Rowe, who registered mikerowesoft.com for a web design business. The phonetic similarity sparked a dispute that drew public attention and ended in a settlement that included an Xbox gift.

Google has also faced repeated typosquatting campaigns involving misspelled domains such as googkle.com, ghoogle.com and gooigle.com. The analysis links many of these domains to malware distribution campaigns targeting users who make typing errors.

"Squatting is no longer opportunistic; it's industrialized," Decodo said.

Decodo, which operates web data collection infrastructure and previously traded under the Smartproxy brand, said the scale of lookalike registrations shows defensive domain registration cannot cover every plausible variation, even for brands with large legal and security teams.