Top 20 Phishing TLDs in 2025: All blocked by ZipTunnel
At ZipTunnel, we’re always looking for smarter ways to protect your digital life. Our latest security enhancement directly addresses a rapidly growing threat: phishing attacks coming from malicious top-level domains (TLDs).
According to recent findings by cybersecurity analysts at ANY.RUN, certain TLDs have become popular choices for cybercriminals running phishing scams, fake login pages, delivery fraud, and credential theft. Among the worst offenders are .li, .es, .sbs, .dev, .cfd, and .ru, which frequently appear in phishing campaigns targeting individuals and businesses alike.
The .li domain, notably, has the highest malicious ratio with an alarming 57% of observed sites flagged for malicious activity. While many .li domains may not directly host harmful payloads, attackers commonly use them as redirects to more dangerous pages filled with malware or convincing fake login forms designed to steal sensitive information.
Budget-friendly domains such as .sbs, .cfd, and .icu are favored by threat actors due to their low registration costs, enabling mass creation of disposable phishing websites. Additionally, TLDs like .dev have increasingly become popular through legitimate hosting platforms such as pages.dev and workers.dev, often deceiving victims with credible-looking phishing pages.
To proactively combat these threats, ZipTunnel has introduced a robust domain-blocking feature. Our Zero Trust Internet Access service now automatically blocks domains from these high-risk TLDs, significantly reducing your exposure to phishing attacks and other online threats.
ZipTunnel’s commitment is clear: providing comprehensive, easy-to-use security that keeps pace with evolving threats. This latest update ensures safer browsing, greater peace of mind, and a stronger defense against cybercriminals.
Stay protected and try ZipTunnel free for 30 days to experience secure browsing firsthand!