Sometimes keeping safe from cybercriminals really is this easy. Sometimes there’s such a blatant telltale sign you don’t need to think twice. Yes, AI is making cyber threats more frightening, more realistic, harder to detect. But if you ever see these three letters in a text, you should ignore the rest. It’s dangerous. It’s an attack. Hit delete.
Whether it’s an unpaid road toll, an undelivered package or a problem with one of your accounts, malicious text messages almost always include a lure and a link. The text at the top is the convincer, including the organization being mimicked, and the link is the call to action: Pay your bill, update your account, retrieve your package.
To fuel such attacks, cybercriminals register hundreds of thousands of new domains, crafting names to match an attack with relevant keywords and brand names. Such domains are usually live for less than a day, sometimes as little as ten minutes. But that’s all it takes when you can send millions of malicious texts every month.
Each of those domains sits under a top-level domain (TLD), the equivalent of .COM or .NET. There are now countless TLDs, operated by different players in the market. But just as much of the malicious texting market is driven by Chinese gangs, the most dangerous TLDs are issued by Chinese registrars.
Say hello to the .TOP domain, the most dangerous of them all. If you’re in the United States or Europe and you receive any text with a link ending in those three letters, delete it right away. It doesn’t matter what the rest of the link or text says.
“.TOP was first introduced in 2014 aimed at businesses looking to highlight premium or ‘top’ services,” Spamhaus explains, but by 2017 “this TLD had become China’s most registered domain name even overtaking .com and .cn domains. However, its low-cost registrations and minimal oversight have made it a hotspot for abuse.”
The numbers are stark. According to Interisle, “four of the top 10 TLDs – .TOP, .XYZ, .CC, and .VIP – had more than 10% of their domains under management reported for use in cybercrime activities. Worst among these was .TOP, where 30% of that TLD’s domains were reported for cybercrime use. By comparison, the 3.2 million cybercrime domains reported in .COM represented only 2% of that TLD’s domains.” That 30% is just the reported number — and it’s getting worse. Up more than 300% year-on-year.
So, what about the other 70%, you might ask. Could they be legitimate domains? The Anti-Phishing Working Group (APWG) warns “phishers set up these phishing sites using cheap domain names they register in lesser-known top-level domains such as .TOP, .CYOU, and .XIN. This is one way to spot these scam messages. The .TOP domain registry is operated in China, and has a notable history of being used by phishers.” It is beyond unlikely for a legitimate western organization to use a .TOP domain.
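The lure-plus-link pattern and the TLD signal described above can be turned into a simple filter. The following is an added example, not code from the article or from Spamhaus, APWG or Interisle: it pulls every link or bare hostname out of an SMS body, looks only at the final label of the host (so `top.example.com` is not flagged, but `pay-fee.top` is), and compares it against the TLDs the article names. The sample messages and the choice to treat those TLDs as delete-on-sight are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# TLDs named in the article (Interisle and APWG). Assumption: treat them as delete-on-sight.
HIGH_RISK_TLDS = {"top", "xyz", "cc", "vip", "cyou", "xin"}

# Matches http(s) URLs or bare hostnames (at least one dot, alphabetic final label),
# with an optional port and path. Case-insensitive so "TOP" and "top" both match.
URL_RE = re.compile(
    r"""(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s<>"']*)?""",
    re.IGNORECASE,
)

def extract_hosts(message):
    """Return the lowercased hostnames of every link found in an SMS body."""
    hosts = []
    for match in URL_RE.finditer(message):
        raw = match.group(0)
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw  # give urlsplit a scheme so it sees a netloc
        host = (urlsplit(raw).hostname or "").rstrip(".").lower()
        if host:
            hosts.append(host)
    return hosts

def tld_of(host):
    """Final DNS label only: the TLD is what the article says to check."""
    return host.rsplit(".", 1)[-1]

def classify_sms(message):
    """Flag any link whose TLD is on the high-risk list; verdict 'delete' or 'review'."""
    hosts = extract_hosts(message)
    flagged = [h for h in hosts if tld_of(h) in HIGH_RISK_TLDS]
    return {"hosts": hosts, "flagged": flagged, "verdict": "delete" if flagged else "review"}

# Constructed sample texts, not real messages.
SAMPLE_MESSAGES = [
    "USPS: your package is on hold. Pay the $0.30 redelivery fee at "
    "https://usps-redeliver.top/track?id=7731 to release it.",
    "Your order shipped! Track it at https://top.example.com/orders/991.",
    "Unpaid toll notice: settle now at tollpay-ezdrive.TOP.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = classify_sms(msg)
        print(result["verdict"].upper(), result["flagged"], "<-", msg[:50])
```

Only the last label is compared, so a legitimate `.com` site that happens to contain "top" in a subdomain or in the name is left alone.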
As Spamhaus says, the registrar behind the .TOP domain changed its name in 2024, “exactly five months after ICANN issued a [still unresolved] compliance notice on March 27th, 2024, citing the registrar’s ‘failure to take reasonable and prompt steps to investigate and respond appropriately to reports of abuse’ — the very same issue raised with .TOP. Coincidence? Given .TOP’s track record, it seems unlikely.” .TOP consistently and ironically tops the charts when it comes to abuse.
“Right now, .TOP isn’t just skirting the rules, it’s blatantly disregarding them,” Spamhaus warned this month. “Despite ICANN issuing a formal notice to .TOP citing a breach of contract for failing to address DNS abuse, the situation has not improved. Over the last six months, abuse of .TOP hasn’t just persisted, it’s gotten 50% worse!”
If you see that .TOP domain in any text, just hit delete.