Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.
WhoisXML API analyzed 8.8+ million domains registered between 1 and 31 January 2026 that appeared in Newly Registered Domains to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number dropped by 14.0% from 10.2+ million NRDs last month.
We also determined the top TLD extensions used by 2.2+ million domains registered with malicious intent from the First Watch Malicious Domains Data Feed in January 2026.
Next, we studied the top TLD extensions of 1.0+ million confirmed malicious domains from the Threat Intelligence Data Feeds this month, which dropped by 2.3% from 1.1+ million in December.
Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.
Zooming in on the January 2026 NRDs
TLD Distribution
Out of the 8.8+ million domains registered in January 2026, 81.8%, down from 84.9% last month, used gTLD extensions. The remaining 18.2%, up from 15.1%, meanwhile, used ccTLD extensions.
The .com TLD remained the most popular extension used by 39.3% of all NRDs registered in January 2026. This is not surprising despite the proliferation of more than 1,500 other extensions. Why? The .com TLD remains the “gold standard” due to the unmatched trust people put on it, its global recognition, and the fact that everyone expects business websites to use it.
Here is a MoM comparison and ranking changes for the top 5 TLD extensions used by the NRDs.
| JANUARY 2026 TOP TLD | JANUARY 2026 TLD VOLUME | DECEMBER 2025 TLD VOLUME | RANKING CHANGE FROM DECEMBER 2025 TO JANUARY 2026 |
| .com | 3,475,649 | 3,360,218 | → (Unchanged) |
| .top | 378,803 | 370,542 | ↑ from 4 to 2 |
| .shop | 273,809 | 302,108 | ↑ from 6 to 3 |
| .xyz | 269,778 | 1,106,355 | ↓ from 2 to 4 |
| .online | 264,622 | 275,052 | ↑ from 7 to 5 |
Overall, the top 5 NRD TLD volume dropped by 22.3% from 5.7+ million in December 2025 to 4.6+ million in January 2026.
We then analyzed the January 2026 TLDs further to identify the most popular gTLDs and ccTLDs among the new domain registrations.
We learned that the top 5 TLDs for January 2026 were also the top gTLDs for the month.
Meanwhile, .cn continued to top the list of ccTLD extensions with a 12.2% share, ahead of major ccTLDs like Germany’s .de, reflecting the scale of China’s digital economy, strong localization preferences, and regulatory frameworks that incentivize businesses to maintain a locally compliant online presence.
Here is a MoM comparison and ranking changes for the top 5 ccTLD extensions used by the NRDs.
| JANUARY 2026 TOP ccTLD | JANUARY 2026 ccTLD VOLUME | DECEMBER 2025 ccTLD VOLUME | RANKING CHANGE FROM DECEMBER 2025 TO JANUARY 2026 |
| .cn | 195,402 | 241,760 | → (Unchanged) |
| .uk | 166,250 | 125,526 | ↑ from 4 to 2 |
| .ru | 137,977 | 151,868 | ↓ from 2 to 3 |
| .cc | 125,457 | 129,090 | ↓ from 3 to 4 |
| .br | 109,218 | 99,437 | → (Unchanged) |
Overall, the top 5 NRD ccTLD volume dropped by 1.8% from 747,681 in December 2025 to 734,304 in January 2026.
Registrar Distribution
This time around, GoDaddy ousted GMO Internet Group from the top spot of the NRD registrars with a 12.9% share. Possible reasons for this could be GoDaddy’s all-in-one ecosystem, use of AI-powered tools, employment of strategic marketing and trust, massive domain aftermarket, and aggressive pricing and promotion.
Here is a MoM comparison and ranking changes for the top 5 NRD registrars.
| JANUARY 2026 TOP REGISTRAR | JANUARY 2026 REGISTRAR VOLUME | DECEMBER 2025 REGISTRAR VOLUME | RANKING CHANGE FROM DECEMBER 2025 TO JANUARY 2026 |
| GoDaddy | 1,143,842 | 1,167,579 | ↑ from 2 to 1 |
| Namecheap | 939,086 | 896,561 | ↑ from 3 to 2 |
| Dynadot | 457,253 | 503,982 | → (Unchanged) |
| Hostinger Operations | 454,314 | 313,980 | ↑ from 7 to 4 |
| NameSilo | 422,327 | 422,524 | → (Unchanged) |
Overall, the top 5 NRD registrar volume dropped by 26.4% from 4.3+ million in December 2025 to 3.4+ million in January 2026.
A Closer Look at the Domains Registered with Malicious Intent in January 2026
TLD Distribution
For the first time in this report, we sought to take a closer look at the domains that our tool deemed to have been registered with malicious intent from the get-go in January 2026. We determined that 2.2+ million domains in all appeared on the First Watch Malicious Domains Data Feed.
We also learned that these domains mostly used the .com TLD (27.7%) probably because of its immense popularity worldwide due to the reasons we stated in the previous section.
The top 5 TLDs of the domains registered with malicious intent accounted for 1.2+ million domains, 55.8% of the total number.
How Many NRDs Were Registered with Malicious Intent?
We also sought to find out how many of the domains registered in January 2026 were registered with malicious intent. Our findings showed that 24.6% of the NRDs under the top 5 TLDs were deemed likely to turn malicious as soon as they were registered.
Cybersecurity through the DNS Lens
TLD Distribution
We analyzed 1.0+ million domains that have been confirmed malicious in January 2026. Our analysis revealed that .com remained the most popular TLD with a 17.9% share. This is congruent with our findings for the NRDs. Threat actors are bound to use .com domains for their attacks because they remain the most used regardless of users’ geolocation.
Threat Reports
Take a quick look at the threat reports we published in January 2026 below.
- An In-Depth Analysis of the Ashen Lepus AshTag-Enabled Attack: Palo Alto Networks’ Unit 42 discovered Ashen Lepus’s use of a new malware suite they dubbed “AshTag.” We analyzed 22 IoCs and discovered that 12 subdomains identified as IoCs were tagged as malware distributors. We uncovered 80 new artifacts and other pertinent findings about the IoCs.
- DNS Spotlight: The Silver Fox in the Henhouse: Chinese APT group Silver Fox managed to infiltrate well-protected targets via an SEO poisoning campaign that deployed ValleyRAT into target networks. We analyzed 55 IoCs based on ReliaQuest’s original list, which led to the discovery of 46,006 new artifacts and other important facts about the IoCs.
- Analyzing Account Takeover Attacks Leveraging SquarePhish2 and Graphish: Proofpoint published a report on several state-sponsored and financially motivated attacks enabled by SquarePhish2 and Graphish, among other phishing tools. Jumping off their original list of IoCs, we analyzed 46 IoCs and unearthed 133 new artifacts along with other IoC-related findings.
- Divulging the DNS Secrets of DarkSpectre: Koi Security monitored DarkSpectre for more than a year and published their analysis of a newly identified campaign that leveraged a GhostPoster-linked Opera browser extension. We analyzed 15 IoCs and found 8,852 new artifacts and other critical insights on the IoCs.
You can find more reports created in the past months here.
Feel free to contact us for more information about the products and capabilities used to analyze domain registration events or support other use cases.