Digital squatting has reached unprecedented levels, with cybercriminals registering thousands of lookalike domains designed to impersonate the world’s most recognisable brands.
New research by Decodo analysed domain permutations for 20 popular brands visited in January 2026. The study found that across the 20 sites, 28 212 deceptive domain variations were already registered online, exposing consumers and businesses to fraud, phishing, and malware attacks on a massive scale.
Live.com alone has 2 924 registered lookalike domains currently active, out of 22 972 plausible variations identified by the squatting analysis platform Have I Been Squatted? This highlights how cheaply attackers can control thousands of deceptive domains, while legitimate companies may spend years and significant legal resources attempting to recover them.
With the rapid growth of AI-driven services, it is unsurprising that platforms such as Gemini and ChatGPT rank among the most targeted domains online. Gemini-related domains account for more than 2 800 registered variations, while 1 200 ChatGPT-related domains are already registered.
The table shows the most targeted domains based on the percentage of plausible domain permutations already registered by third parties.
| Websites | Number of possible domains | Registered Domains | % Registered
|
| live.com | 22 972 | 2924 | 13% |
| amazon.com | 23 175 | 2 860 | 12% |
| gemini.google.com | 23 164 | 2 412 | 10% |
| google.com | 23 123 | 2 395 | 10% |
| yahoo.com | 23 124 | 2 017 | 9% |
| office.com | 32 153 | 2 241 | 7% |
| YouTube.com | 23 744 | 1 546 | 7% |
| microsoft.com | 23 298 | 1 377 | 6% |
| weather.com | 23 260 | 1316 | 6% |
| TikTok.com | 23 056 | 1 262 | 5% |
| chatgpt.com | 23 103 | 1 200 | 5% |
| ebay.com | 22 984 | 1 142 | 5% |
| bing.com | 22 948 | 1 119 | 5% |
| netflix.com | 23 106 | 935 | 4% |
| temu.com | 22 984 | 881 | 4% |
Even brands with global legal teams and mature security programs are unable to register every possible variation defensively. In many cases, one in 10 potential domains is already controlled by third parties, enabling large-scale impersonation and fraud campaigns.
In 2025, the World Intellectual Property Organization (WIPO) handled 6 200 domain name disputes, the highest number in its history and a 68% increase since 2020.
According to Decodo’s findings, this surge reflects a shift from opportunistic abuse to organized, automated domain registration campaigns.
Criminal groups now generate 10 of thousands of permutations per brand, mixing misspellings, added keywords, alternate TLDs, and homograph tricks to create domains that are nearly indistinguishable from legitimate ones.
Several distinct types of domain squatting have appeared over the years:
- Typosquattinginvolves registering common misspellings of popular domains, such as com instead of google.com.
- Combosquattingadds keywords to legitimate brand names, creating domains like amazon-deals.com or netflix-login.com.
- TLD (Top-Level Domain)squatting exploits different domain extensions, registering a brand name under .org, .net, .biz, or newer extensions like .io and .ai.
- Homographattacks use visually similar characters from different alphabets, such as substituting a Cyrillic а for a Latin a to create nearly undetectable fakes.
High-profile cases across the tech industry
Two individuals in Australia registered tiktoks.com for $2 000, anticipating TikTok’s explosive growth. ByteDance offered $145 000 to purchase the domain, but the registrants refused. The company filed a cybersquatting complaint with WIPO, which ruled in ByteDance’s favor and ordered the domains transferred.
Microsoft’s dispute with Canadian teen Mike Rowe became one of the most publicised domain name cases in internet history. Rowe registered mikerowesoft.com for his small web design business, creating a phonetic match with Microsoft’s name. After public backlash, Microsoft backed down, and the case ended in a friendly settlement that included an Xbox gift for the teen.
Google has fought numerous typosquatting campaigns targeting domains like googkle.com, ghoogle.com, and gooigle.com. Many of these misspelled domains were linked to malware distribution campaigns targeting users who make simple typing errors.