May 2022: Elon Musk Buys Twitter, Mother’s Day Celebration, the Return of Operation Dream Job, and NFT Mania | WhoisXML API

WhoisXML API Blog

May 2022: Elon Musk Buys Twitter, Mother’s Day Celebration, the Return of Operation Dream Job, and NFT Mania

We detected significant domain and DNS activity relevant to some of the top current events seen in April 2022. Check out the overview below, and feel free to download the dedicated threat reports where available.

1. Elon Musk Buys Twitter

When Elon Musk made an offer to buy Twitter for US$44 billion on 14 April 2022, we immediately started tracking the DNS for domains and subdomains related to the news. Over a dozen domains containing the string combination “elon + musk + twitter” were registered in the two weeks that followed, joining the 22,000+ possibly related properties added over time. You can download enriched data samples and related threat research materials from Threat Actors Might Be Interested in Elon Musk's Twitter Purchase, Too.

You can see how Musk’s Twitter purchase likely affected domain registrations in the chart below. From less than 500 domains containing the strings “twitter” and “elon + musk” that were added each month from January to March, it rose to more than 1,000 by the end of April.

The most common text strings used in the domains are shown in the word cloud below.

2. Mother’s Day Celebration

We analyzed over a thousand domains and subdomains related to the Mother’s Day celebration before it happened on 8 May 2022, looking for signs of potential scams and malicious activities. These digital properties contained relevant string combinations, such as “mother,” “mom,” “day,” “shop,” and “gift.” Our screenshot and malware analysis revealed interesting findings, which you may download along with other threat research materials, from We Don’t Want to Spoil Mother’s Day but These Domains Might.

Monitoring the DNS every day for Mother’s Day-related domains from 1 April to 9 May 2022 revealed that registrations peaked on 1 May and dwindled three days later, except for a slight increase on Mother’s Day. A day after the event, no connected domains were added at all. You can see the trend throughout the period in the chart below.

The following word cloud shows some of the words used in the Mother’s Day-related domains.

3. Operation Dream Job Is Back

With Operation Dream Job luring job seekers again, we monitored the DNS for domains that could be relevant to the campaign. With thousands of job-related domains, there could be traces of cybercriminal infrastructure hiding. Our findings include domains using career-related string combinations, such as “job,” “recruit,” and “career.” We found more than 15,000 properties added since the beginning of the year.

We also found domains using the names of popular recruitment sites like Glassdoor, Indeed, and LinkedIn. You may download the threat research materials from Operation Dream Job: Same Tactics, New Vulnerability and Domains?

Zooming in on the three generic job hunting-related strings (job, recruit, and career), we found thousands of relevant domains registered every week throughout April. The chart below shows this.

The text strings that repeatedly appeared in these domains can be seen below.

4. NFT Mania

Non-fungible tokens (NFTs) repeatedly made headlines recently with defensive domain registrations, NFTs theft, and cyber attacks. On April 25, for instance, Bored Ape Yacht Club, a collection of unique NFTs, was hit with a massive hack resulting in millions of dollars in NFTs being stolen. We decided to monitor the DNS for relevant domain registrations again. Back in January, we uncovered 65,000+ NFT-related domains and subdomains that contained text strings like “nft + mint,” “opensea,” “metamask,” “axie,” “nifty,” and “theta.” You may download our analysis and threat research materials from 65,000+ NFT-Related Domains and Subdomains: Possible Vehicles for NFT Scams?

In April, we tracked hundreds of NFT-related domain registrations weekly, as shown in the chart below. These domains contain string combinations like “nft,” “crypto,” “token,” “crypto + kitties,” “axie,” and “nifty.”

The word cloud below shows the most common text strings used in the NFT-related domains.


Please do not hesitate to contact us for more information about the above-mentioned domain registration events and analyses or any inquiries about enterprise commercial solutions.

Try our WhoisXML API for free
Get started