How Typosquatting Campaigns Evolved in 2025
Threat actors are registering hundreds of lookalike domains per campaign. Here's what defenders need to know.

Typosquatting used to be a nuisance. Someone would register a misspelling of your domain, park it, and hope to earn a few dollars from accidental traffic. That era is over. In 2025, typosquatting is a fully industrialised attack vector, woven into phishing campaigns, credential harvesting operations, malware delivery chains, and even supply chain compromises targeting software developers.
The World Intellectual Property Organization handled 6,200 domain name disputes in 2025, the highest annual total on record. Research from Decodo found more than 28,000 deceptive domain variations tied to just 20 major global brands, with up to 13 per cent of all realistic domain variations already registered by unaffiliated parties. And that only covers the visible portion. Many of the most dangerous typosquat domains are registered, used within hours, and abandoned before they ever appear in a dispute filing.
This post examines what changed in 2025, the tactics defenders need to understand, and what security teams should be doing about it now.
The Scale Has Changed
Between February and July 2024, Zscaler ThreatLabz analysed typosquatting and brand impersonation activity across more than 500 of the most visited domains. They examined over 30,000 lookalike domains and found that more than 10,000 were actively malicious: not parked, not expired, but running live phishing pages, distributing malware, or harvesting credentials.
That ratio matters. One in three lookalike domains for major brands is actively hostile. And the total number of registrations continues to climb because the cost of registering a domain is negligible relative to the return from a successful attack.
The sectors most frequently targeted tell us where attackers see the highest return on effort. Internet services companies accounted for 29 per cent of impersonation targets, professional services firms for 26 per cent, and online shopping platforms for 22 per cent. These are the sectors that handle the most financial transactions and user credentials, which is exactly what attackers are after.
What Has Actually Changed
The basic mechanics of typosquatting have not changed: register a domain that looks like a legitimate one, and exploit the confusion. What has changed is every layer of sophistication built on top of that premise.
Automated Domain Generation at Scale
Attackers now use automated tooling to generate thousands of domain name variations within seconds. They combine classic misspellings with character substitutions, homograph attacks using non-Latin Unicode characters, and combosquatting, which appends plausible words like "login," "secure," or "support" to a brand name. A single campaign against a major brand may register 200 to 500 domains in a single day across multiple registrars and TLDs.
Ephemeral Domains
Many malicious typosquat domains in 2025 are designed to be disposable. They are registered, configured with phishing infrastructure, used for a targeted email campaign lasting a few hours, and then abandoned. This hit-and-run approach is specifically designed to outpace blocklist-based defences. By the time a domain appears on a threat intelligence feed, the campaign is already over and the attacker has moved on to the next batch.
Redirect Deception
CrowdStrike documented a technique where attackers register a typosquat domain and configure it to redirect visitors to the legitimate website using a 301 or 302 HTTP redirect. To any security team investigating the domain, it appears harmless: you visit it, you land on the real site, nothing suspicious happens. But the attacker retains the domain's MX records. This means they can send emails from the typosquatted domain, and those emails will pass basic validation checks because the domain is active and resolving. The redirect makes the domain look benign while the email infrastructure remains fully weaponised.
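The practical lesson is that a lookalike domain must be triaged on its mail configuration as well as its web behaviour. The script below is an added example (not CrowdStrike's tooling and not part of the original post) that parses a raw HTTP response for a redirect, checks whether the redirect lands on the impersonated brand, and then looks at the domain's MX records before deciding. The domain names, HTTP responses and DNS records are constructed, and the two lookup callables stand in for a real HTTP client and DNS resolver.

```python
"""Triage lookalike domains for redirect deception: a domain that forwards
browsers to the real site but still has MX records is set up to receive
mail, so replies to a lure sent from it land with whoever controls it.
Added example; domains, HTTP responses and DNS records are constructed."""

from urllib.parse import urlparse

LEGIT_DOMAIN = "example.com"   # the brand being impersonated (constructed)

# Constructed observations for three lookalike domains.
HTTP_RESPONSES = {
    "exanple.com": "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\n\r\n",
    "examp1e.com": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login page</html>",
    "exampel.com": "HTTP/1.1 302 Found\r\nLocation: https://www.example.com/\r\n\r\n",
}
DNS_RECORDS = {
    "exanple.com": {"A": ["203.0.113.10"], "MX": ["10 mail.exanple.com."]},
    "examp1e.com": {"A": ["203.0.113.11"], "MX": []},
    "exampel.com": {"A": ["203.0.113.12"], "MX": []},
}

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_redirect(raw_response):
    """Return (status, location); location is None unless the status is a redirect."""
    head, _, _ = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, (location if status in REDIRECT_CODES else None)


def registrable_domain(hostname):
    """Crude eTLD+1 (last two labels); a production tool should use the public suffix list."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def triage(domain, http_lookup, dns_lookup, legit=LEGIT_DOMAIN):
    """Classify a lookalike domain using both web and mail indicators.

    http_lookup(domain) -> raw HTTP response text; dns_lookup(domain) -> {"A": [...], "MX": [...]}.
    """
    status, location = parse_redirect(http_lookup(domain))
    target = urlparse(location).hostname if location else None
    redirects_to_legit = target is not None and registrable_domain(target) == legit
    has_mx = bool(dns_lookup(domain).get("MX"))
    if redirects_to_legit and has_mx:
        # Looks harmless in a browser, but the mail side is live.
        return "redirect-deception"
    if redirects_to_legit:
        return "redirect-benign"
    if status == 200:
        return "live-content"
    return "inconclusive"


def triage_all(domains=tuple(HTTP_RESPONSES), http_lookup=HTTP_RESPONSES.get, dns_lookup=DNS_RECORDS.get):
    """Run triage over a batch and return {domain: verdict}."""
    return {d: triage(d, http_lookup, dns_lookup) for d in domains}


if __name__ == "__main__":
    for domain, verdict in triage_all().items():
        print(f"{domain:15} {verdict}")
```

The verdict "redirect-benign" is deliberately not "safe": an attacker can add MX records later, so a domain that forwards to your site belongs on the watchlist and should be re-checked, not closed out after a single browser visit.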
Expired Domain Hijacking
Attackers are systematically monitoring domain expiry registries and snapping up domains that were previously owned by legitimate businesses. These domains retain residual trust: they may still appear in search results, have existing backlinks, and even carry historical email reputation scores. When an attacker re-registers such a domain and uses it for phishing, the emails it sends may bypass spam filters that would flag a newly registered domain.
Package and Dependency Typosquatting
One of the most significant evolutions is the expansion of typosquatting beyond the browser and into software supply chains. Attackers upload malicious packages to open-source registries like PyPI, npm, and RubyGems using names that differ by a single character from popular libraries. A developer who mistypes "reqeusts" instead of "requests" in a pip install command downloads malware that runs with the same permissions as their development environment. This vector has compromised development machines at organisations of every size, and in some cases has led to production deployments containing backdoored dependencies.
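A cheap control on the developer side is to check requested package names against a curated list of well-known packages before the installer runs. The following is an added example (not a pip or PyPI feature, and not from the original post): it normalises names the way PyPI does, flags one-character edits and adjacent-character transpositions such as "reqeusts", and scans a requirements file. The allowlist and the requirements text are constructed samples.

```python
"""Pre-install guard against package typosquatting.  Added example; the
well-known-package list and the requirements text below are constructed."""

import re

# Constructed allowlist; in practice build this from your own approved dependencies.
WELL_KNOWN = {"requests", "numpy", "pandas", "urllib3", "cryptography",
              "boto3", "flask", "django", "pillow"}


def normalize(name):
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance using a single rolling row."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_transposition(a, b):
    """True if a and b differ only by one swap of adjacent characters (Levenshtein counts that as 2)."""
    if len(a) != len(b):
        return False
    diffs = [i for i in range(len(a)) if a[i] != b[i]]
    return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def check_package(name, known=WELL_KNOWN):
    """('ok', name) for an exact match, ('suspicious', closest) for a near miss, ('unknown', None) otherwise."""
    n = normalize(name)
    if n in known:
        return "ok", n
    for k in sorted(known):
        if levenshtein(n, k) == 1 or is_transposition(n, k):
            return "suspicious", k
    return "unknown", None


def check_requirements(text):
    """Scan a requirements.txt body; return [(requested_name, closest_known)] for near misses."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)   # name before any version spec
        if not m:
            continue
        verdict, closest = check_package(m.group(0))
        if verdict == "suspicious":
            findings.append((m.group(0), closest))
    return findings


# Constructed requirements file mixing correct names, the article's typo and a transposition.
SAMPLE_REQUIREMENTS = """\
requests==2.32.0
reqeusts            # the typo from the article
nmupy>=1.26         # transposition
Flask
colorama            # not in the sample allowlist: reported as unknown, not suspicious
"""

if __name__ == "__main__":
    for requested, closest in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"suspicious: {requested!r} is one slip away from {closest!r}")
```

Run this as a CI step or a pre-commit hook so the check happens before any install. A near miss is a prompt for a human decision, not an automatic block, because legitimate packages with similar names do exist; the point is to make the single-character slip visible before code from it executes.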
The Mobile Problem
Typosquatting success rates are significantly higher on mobile devices. There is no hover function on mobile that allows users to preview a full URL before tapping through. Screen sizes are smaller, making it harder to spot subtle character substitutions. And autocorrect can mask the moment where a user recognises they have mistyped a domain.
For organisations whose customers primarily interact via mobile, whether that is banking, retail, travel, or food delivery, the risk from typosquat domains is materially higher than for desktop-first services.
Malware Distribution via Typosquat Infrastructure
The malware most commonly distributed through typosquat infrastructure in 2025 falls into three categories: infostealers, botnets, and downloaders. Infostealers alone account for roughly half of all malware tied to abused domains, with Lumma Stealer and FormBook dominating. Among botnets, Amadey and Mirai variants are the most frequently observed.
The connection between typosquatting and infostealer distribution is particularly worth noting. An employee who visits a typosquat domain from a corporate device and downloads what appears to be a legitimate software update may unknowingly install an infostealer that harvests browser-saved credentials, session tokens, and autofill data. Those credentials then appear on dark web markets within days, creating a second, entirely separate attack vector against the organisation.
TLD Exploitation
Not all top-level domains are equally policed. One notable trend in 2025 was a reported 19-fold increase in malicious campaigns using .es (Spain) domains between late 2024 and mid-2025. Attackers exploit TLDs with lower registration barriers and less aggressive abuse monitoring. Country-code TLDs that are marketed as general-purpose domains, such as .co, .io, and .me, are also heavily abused because they look plausible in a corporate context.
What Defenders Should Be Doing
If your organisation is not actively monitoring for typosquat domains, you are relying entirely on your employees and customers to spot the fakes themselves. That is not a defensible strategy given the sophistication of modern campaigns.
Continuous Domain Monitoring
Automated monitoring of newly registered domains that resemble your brand, subsidiaries, and key product names is the foundation. This is not a one-time search. New domains are registered constantly, and the monitoring needs to run continuously. A typosquat domain registered on Monday morning and used for a phishing campaign by Monday afternoon will not be caught by a weekly check.
Email Authentication
Deploy SPF, DKIM, and DMARC on all your domains, and enforce a reject policy. This does not prevent attackers from registering lookalike domains, but it ensures they cannot spoof your actual domain in email headers. Organisations that have not implemented DMARC enforcement are leaving their brand wide open to impersonation.
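Enforcement is easy to assert and easy to get subtly wrong: a softfail SPF, a DMARC policy of p=none, a pct below 100 or a weaker subdomain policy each leave the gap the paragraph warns about. The script below is an added example (not part of the original post) that reads SPF and DMARC TXT records and reports those gaps. The records are constructed and the lookup function stands in for a DNS resolver; it covers a weak domain, an enforced domain and a parked domain that should publish a deny-everything SPF plus p=reject.

```python
"""Report email-authentication gaps from SPF and DMARC TXT records.
Added example; every TXT record below is constructed."""

# Constructed TXT records keyed by DNS name.
TXT = {
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                              "rua=mailto:dmarc@strong.example"],
    # A domain that never sends mail: deny all senders and reject anything claiming to be it.
    "parked.example": ["v=spf1 -all"],
    "_dmarc.parked.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    # SPF only, no DMARC record at all.
    "nodmarc.example": ["v=spf1 -all"],
}


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into {tag: value}."""
    tags = {}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(txt_records):
    """Findings for the SPF record: present, single, and ending in a hard fail."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records (RFC 7208 treats this as a permanent error)")
    last = spf[0].split()[-1].lower()
    if last == "-all":
        pass
    elif last == "~all":
        findings.append("SPF ends in ~all (softfail); use -all")
    elif last in ("+all", "all", "?all"):
        findings.append(f"SPF ends in {last} (allows any sender)")
    else:
        findings.append("SPF has no terminal all mechanism")
    return findings


def check_dmarc(txt_records):
    """Findings for the DMARC record: p=reject, no weaker sp, full pct, reporting enabled."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record at _dmarc"]
    t = parse_tags(dmarc[0])
    findings = []
    if t.get("p") != "reject":
        findings.append(f"DMARC policy is p={t.get('p', 'missing')} (not reject)")
    if "sp" in t and t["sp"] != "reject":
        findings.append(f"subdomain policy sp={t['sp']} weaker than reject")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']} applies the policy to only part of the mail")
    if not t.get("rua"):
        findings.append("no rua aggregate reporting address; abuse will go unseen")
    return findings


def posture(domain, lookup=TXT.get):
    """lookup(name) -> list of TXT strings or None.  Returns {'spf': [...], 'dmarc': [...]}."""
    return {
        "spf": check_spf(lookup(domain) or []),
        "dmarc": check_dmarc(lookup("_dmarc." + domain) or []),
    }


if __name__ == "__main__":
    for d in ("weak.example", "strong.example", "parked.example", "nodmarc.example"):
        print(d, posture(d))
```

Run the same check over every domain you own, including parked and defensively registered ones: a domain with no SPF and no DMARC can be used in a From: header without tripping any authentication check at the receiver.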
Defensive Domain Registrations
Register the most obvious misspellings and TLD variants of your primary domains. This is a cost of doing business in 2025. You will not catch every possible variation, since the combinatorial space is too large, but covering the top 20 to 50 variants significantly reduces the attack surface.
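The same variant generator serves three of the points above: it enumerates the misspellings, confusable substitutions, combosquats and TLD swaps described under automated domain generation, it ranks them so the top 20 to 50 can be registered defensively, and it turns the rest into a watchlist to match against a newly-registered-domains feed for continuous monitoring. This is an added example, not Scrutex code or any vendor's tool; the brand name, keyboard map, keyword list, TLD list and the sample feed are constructed.

```python
"""Build a lookalike watchlist for a brand, rank it, and match a feed of
newly registered domains against it.  Added example; the brand, maps,
lists and feed below are constructed."""

# Keyboard-adjacent keys (US QWERTY) drive the most common fat-finger typos.
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Visually confusable ASCII substitutions (Unicode homographs need a separate table).
CONFUSABLE = {"l": "1", "i": "l", "o": "0", "m": "rn", "w": "vv"}
COMBO_WORDS = ["login", "secure", "support", "account", "verify"]
TLDS = ["com", "co", "io", "me", "net", "es"]


def variants(brand):
    """Return [(label, technique, score)]; higher score = more plausible lookalike."""
    out = {}

    def add(label, technique, score):
        if label != brand and label not in out:   # first technique to produce a label wins
            out[label] = (technique, score)

    for i, ch in enumerate(brand):
        add(brand[:i] + brand[i + 1:], "omission", 3)
        for adj in ADJACENT.get(ch, ""):
            add(brand[:i] + adj + brand[i + 1:], "adjacent-key", 4)
        add(brand[:i] + ch + ch + brand[i + 1:], "repetition", 2)
        if ch in CONFUSABLE:
            add(brand[:i] + CONFUSABLE[ch] + brand[i + 1:], "confusable", 5)
        if i < len(brand) - 1 and brand[i] != brand[i + 1]:
            add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:], "transposition", 4)
    for word in COMBO_WORDS:
        add(f"{brand}-{word}", "combosquat", 5)
        add(f"{brand}{word}", "combosquat", 5)
    return [(label, tech, score) for label, (tech, score) in out.items()]


def watchlist(brand, primary_tld="com"):
    """{domain: (technique, score)} for every variant on every TLD, plus the exact brand on other TLDs."""
    names = {}
    for label, tech, score in variants(brand):
        for tld in TLDS:
            names[f"{label}.{tld}"] = (tech, score + (1 if tld == primary_tld else 0))
    for tld in TLDS:
        if tld != primary_tld:
            names[f"{brand}.{tld}"] = ("tld-swap", 6)
    return names


def top_variants(brand, n=20):
    """Highest-scoring domains: the candidates for defensive registration."""
    ranked = sorted(watchlist(brand).items(), key=lambda kv: (-kv[1][1], kv[0]))
    return [domain for domain, _ in ranked[:n]]


def match_feed(brand, feed):
    """Feed entries that are on the watchlist, with the technique that generated them."""
    wl = watchlist(brand)
    return [(d, wl[d.lower()][0]) for d in feed if d.lower() in wl]


# Constructed sample of a newly-registered-domains feed (not real registrations).
SAMPLE_FEED = ["exanple.com", "example-login.co", "wholly-unrelated.net", "examp1e.com", "example.io"]

if __name__ == "__main__":
    print("defensive registration candidates:", top_variants("example", 20))
    for domain, tech in match_feed("example", SAMPLE_FEED):
        print(f"{domain:25} {tech}")
```

The scores are a starting heuristic; weight them with your own data, for example which TLDs your customers actually see and which typos show up in your web server logs. Because exact-match lookups miss Unicode homographs and longer combosquats, treat this list as the fast path and pair it with a fuzzy comparison for anything the feed delivers that contains the brand string.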
Employee and Customer Awareness
Train employees to verify URLs before entering credentials, particularly on mobile. Notify customers about how to identify legitimate communications from your organisation. And provide a clear channel for reporting suspected phishing attempts.
Takedown Capabilities
When a malicious typosquat domain is identified, you need the ability to act quickly. This means having established relationships with registrars and domain abuse reporting services, or using a monitoring platform that includes takedown orchestration. Speed matters: a domain used for an active phishing campaign needs to be disrupted in hours, not weeks.
The Broader Pattern
Typosquatting in 2025 is not a standalone threat. It is a component of larger attack chains. A typosquat domain provides the initial phishing infrastructure. The phishing page harvests credentials. Those credentials are used to access corporate email. From inside the email system, the attacker launches business email compromise fraud or exfiltrates sensitive data. Each step in the chain has its own defences, but the chain begins with a domain that looks almost, but not quite, like yours.
The organisations that manage this risk well are the ones that treat domain monitoring as a continuous, automated function rather than an occasional manual check. The ones that do not tend to find out about typosquat campaigns the way most organisations discover security failures: after the damage is already done.
Frequently Asked Questions
What is typosquatting?
Typosquatting is the practice of registering domain names that closely resemble legitimate domains, using common misspellings, character substitutions, or homograph attacks with non-Latin Unicode characters. Attackers use these lookalike domains to host phishing pages, harvest credentials, distribute malware, and impersonate trusted brands.
How has typosquatting evolved in recent years?
Typosquatting has shifted from opportunistic domain parking to fully industrialised attack infrastructure. Attackers now use automated tooling to generate and register hundreds of domain variations per campaign, deploy ephemeral domains that are active for only hours before being abandoned, and combine typosquatting with redirect deception techniques that make malicious domains appear harmless to investigators.
What is package typosquatting?
Package typosquatting targets software supply chains by uploading malicious packages to open-source registries like PyPI, npm, and RubyGems with names that differ by a single character from popular libraries. A developer who mistypes a package name during installation downloads malware that runs with the same permissions as their development environment, potentially compromising production systems.
How can organisations detect typosquat domains?
Continuous automated monitoring of newly registered domains that resemble your brand, subsidiaries, and key product names is the most effective detection method. This monitoring must run daily, because typosquat domains are often registered and used for phishing within hours. Combining domain monitoring with DMARC enforcement, defensive domain registrations, and takedown capabilities creates a complete defence against brand impersonation.