Threat actors are increasingly using cybersquatting (e.g., typosquatting, combosquatting, TLD squatting, and homograph domains) to impersonate legitimate brands and services for credential phishing, malware delivery, and fraud. Reporting cited WIPO handling a record ~6,200 domain disputes in 2025 (up 68% since 2020), along with research indicating a sharp rise in malicious campaigns leveraging squatted domains, the vast majority of which were used to phish credentials or deliver malware. One example described impersonation of Decodo (formerly Smartproxy) via lookalike domains such as smartproxy.org and smartproxy.cn, which allegedly led to customer losses and reputational damage for the legitimate firm.
Separately, incident response research described an AI-assisted business impersonation operation that registered 150+ domains spoofing law firms, using multiple registrars and IP ranges, unique SSL/TLS certificates, and Cloudflare to conceal infrastructure. The operation appeared designed to target scam victims repeatedly (including reuse of a phone number tied to prior scam campaigns), and researchers warned that AI is lowering the barrier for less-skilled actors to run more convincing phishing/social engineering and fraud operations at higher scale.
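For defenders triaging newly observed domains against a protected brand, the four squatting types named above can be told apart mechanically. The sketch below is an added example, not code from any of the cited reports; the brand domain `smartproxy.com`, the confusable-character subset, the edit-distance threshold, and every sample domain other than the two named in the story are assumptions made for illustration, and inputs are assumed to be registrable domains without subdomains.

```python
import unicodedata

# Constructed subset of Cyrillic/Greek letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u03bf": "o", "\u03b1": "a"}
MAX_EDITS = 2             # assumed typo threshold; lower it for short brand labels
BRAND = "smartproxy.com"  # assumed legitimate domain for this example
SAMPLES = ["smartproxy.org", "smartproxy.cn",  # named in the story; the rest are constructed
           "smartproxy-login.com", "smratproxy.com", "sm\u0430rtproxy.com", "example.net"]

def split(domain):
    """Return (label, tld) for a registrable domain, decoding a punycode label."""
    label, _, tld = domain.lower().strip(".").partition(".")
    if label.startswith("xn--"):
        label = label[4:].encode("ascii").decode("punycode")
    return label, tld

def skeleton(label):
    """Fold compatibility forms and known confusables to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))

def osa_distance(a, b):
    """Edit distance in which an adjacent transposition counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand):
    """Label a candidate domain relative to the protected brand domain."""
    (c_label, c_tld), (b_label, b_tld) = split(candidate), split(brand)
    if (c_label, c_tld) == (b_label, b_tld):
        return "legitimate"
    if c_label != b_label and skeleton(c_label) == b_label:
        return "homograph"   # same appearance, different code points
    if c_label == b_label:
        return "tld-squat"   # same name registered under another TLD
    if b_label in c_label:
        return "combosquat"  # brand name plus extra words
    return "typosquat" if osa_distance(c_label, b_label) <= MAX_EDITS else "unrelated"

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{classify(name, BRAND):<11} {name!r}")
```

The checks run from most to least specific, so a domain that is both a homograph and on a different TLD is reported as a homograph.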

4 events from the most recent confirmed update back to the earliest known activity.
A case study described Decodo, formerly Smartproxy, being impersonated through domains including smartproxy.org and smartproxy.cn, allegedly by actors in China. The spoofed domains reportedly caused customer losses and reputational damage.
Sygnia reported an AI-assisted business impersonation scam using more than 150 domains spoofing law firms. The infrastructure used multiple registrars, distinct IP ranges, unique SSL/TLS certificates, and Cloudflare concealment, with signs it repeatedly targeted prior scam victims.
The World Intellectual Property Organization handled 6,200 domain disputes in 2025, reflecting a 68% increase since 2020. The figure illustrates the growing scale of domain abuse and brand impersonation activity.
SecPod reported a 19-fold increase in malicious cybersquatting campaigns from late 2024 to mid-2025, with 99% of squatted domains used for phishing or malware delivery. The trend marked a major escalation in the use of lookalike domains for cybercrime.