
How Russian Disinformation Campaigns Exploit Domain Registrars

Russia is abusing domain registrars to run global disinformation campaigns. Learn how spoofed infrastructure enables phishing, propaganda, and evasion.

A new investigation by DomainTools reveals that Russian-backed threat actors are increasingly leveraging domain registration services—specifically targeting low-regulation registrars—to launch and maintain disinformation campaigns around the globe.

These tactics aren't new. But as oversight mechanisms change, so do the strategies of threat groups like APT28 (Fancy Bear), APT29 (Cozy Bear), and the Internet Research Agency (IRA). This analysis shows that these actors are exploiting a complex network of registrars, bulletproof hosting providers, and obfuscation techniques to evade detection and manipulate public opinion at scale.

Weaponizing Domain Infrastructure

At the core of these campaigns is a deceptively simple strategy: register domains that closely resemble legitimate news, governmental, or nonprofit websites and use them to distribute propaganda or phishing content. The effectiveness of this tactic relies on two elements: the domain’s perceived credibility and its resistance to takedown efforts.

In one example highlighted by DomainTools, SEABORGIUM (also tracked as Star Blizzard and Callisto), another Russian-aligned group, registered domains mimicking outlets like Bloomberg (bloomberg-us[.]com) and BBC (bbcnews[.]site). Neither is a typo of the real name; each simply embeds the brand in a longer string under a different TLD, which is enough to pass a casual glance. Lookalike domains of this kind are then used in phishing campaigns, for content injection, or as part of broader influence operations that look authentic to unsuspecting users.

Typo Tricks and Visual Deception

Russian operators don’t stop at basic spoofing. They regularly employ typosquatting, registering domains that differ from the target by a single character (a dropped, doubled, transposed or substituted letter), and homoglyph attacks, which swap Latin characters for visually similar ones from other scripts (Cyrillic “а”, U+0430, for Latin “a”). Because internationalized labels are carried in DNS as Punycode (xn-- labels), the Cyrillic version of a brand is an entirely different name on the wire even though it renders identically.

These subtle deceptions let malicious domains pass quick inspection, both by users and by automated tools that only match exact strings. The goal is to impersonate a trusted brand or institution long enough to publish disinformation, redirect traffic, or harvest credentials. One caveat for defenders: mainstream browsers display mixed-script IDNs as raw Punycode in the address bar, so homoglyph domains do their real work where the decoded string is shown, such as in email, chat and social-media posts, or in a sender address.
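The following script is an added example, not code from DomainTools or Vulnerable U, showing how a defender can catch the three tricks just described (brand embedded in a longer name, single-character typosquats, and mixed-script homoglyphs) against a brand watchlist. The watchlist, the confusables subset, the two-entry public-suffix set and the sample domains are constructed for the demo; a production tool would load the full Unicode confusables.txt and the Public Suffix List.

```python
"""Lookalike-domain detector for typosquat and homoglyph spoofing.

Added example (not DomainTools' or Vulnerable U's code). WATCHLIST, CONFUSABLES,
the suffix set in registrable() and the sample domains are constructed.
"""
import unicodedata

# Constructed subset of Unicode confusables: look-alike glyph -> Latin letter.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}

WATCHLIST = ["bloomberg.com", "bbc.com", "bbc.co.uk", "reuters.com"]  # constructed


def to_unicode(domain):
    """Lower-case and decode any Punycode (xn--) labels so homoglyphs become visible."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep the raw form
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Simplified UTS #39 skeleton: fold confusables to Latin, drop combining marks."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode(domain))
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def scripts(domain):
    """Set of Unicode scripts (LATIN, CYRILLIC, ...) used by the letters of a domain."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in to_unicode(domain) if ch.isalpha()}


def registrable(domain):
    """The label the registrant chose. Assumes only co.uk and com.au are
    two-level public suffixes; use the Public Suffix List in practice."""
    parts = domain.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in {"co.uk", "com.au"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else domain


def edit_distance(a, b):
    """Optimal-string-alignment distance: an omission, insertion, substitution
    or adjacent transposition each cost 1, which is exactly the typosquat set."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate, watchlist=WATCHLIST):
    """Return (reason, brand_domain) findings for one candidate; [] means clean."""
    shown = to_unicode(candidate)
    if shown in watchlist:
        return []
    findings = []
    cand_brand = registrable(skeleton(candidate))
    if len(scripts(candidate)) > 1:
        findings.append(("mixed-script", None))
    for legit in watchlist:
        brand = registrable(legit)
        if cand_brand == brand:
            findings.append(("homoglyph-or-brand-reuse", legit))
        elif edit_distance(cand_brand, brand) == 1:
            findings.append(("typosquat", legit))
        elif brand in cand_brand:
            findings.append(("brand-embedded", legit))
    return findings


if __name__ == "__main__":
    for dom in ["bloomberg.com", "bloomberg-us.com", "bbcnews.site",
                "bloomerg.com", "bl\u043e\u043emberg.com"]:  # constructed samples
        print(dom, "->", classify(dom) or "clean")
```

The skeleton step is what makes the Cyrillic case work: after folding, bl\u043e\u043emberg.com collapses to bloomberg.com and is caught by the same label comparison as a plain brand reuse, while the mixed-script check flags it even if the brand is not on the watchlist.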

The Role of Domain Registrars

Key to enabling this infrastructure are domain registrars—companies that sell domain names and maintain control over their records. According to DomainTools, Russian threat actors consistently choose registrars that offer the following:

  • Low pricing

  • Privacy by default (WHOIS protection)

  • Minimal compliance with Western takedown requests

Registrars commonly cited in campaigns include:

  • Namecheap – Frequently used due to anonymous registration support; linked to IRA-controlled domains in the 2016 U.S. election influence campaign.

  • Reg.ru – A Russian-based registrar, often non-compliant with international abuse requests.

  • PublicDomainRegistry – Known for allowing bulk purchases and used in botnet-related disinformation operations.

  • Tucows – A larger registrar with historically lax enforcement against domain abuse.

  • Epik – Associated with far-right and fringe political movements, frequently appears in domain infrastructure tied to disinformation.

The use of these registrars provides attackers with an added layer of insulation. Domains can remain online for weeks or months, often outlasting the news cycle they aim to manipulate. One caveat: since ICANN’s 2018 Temporary Specification (its response to GDPR), most registrars redact registrant contact data in WHOIS and RDAP by default, so privacy alone no longer distinguishes the low end of the market. What still does is price, weak verification at signup, and slow or absent action on abuse reports.

Beyond Domains: Hosting and Fast Flux

While domains are the tip of the spear, hosting providers play a critical support role in these operations. Russian actors frequently choose bulletproof hosting providers located in jurisdictions like Moldova, Russia, and the Netherlands, which ignore abuse complaints or are outside the reach of Western law enforcement.

Many campaigns also rely on fast-flux DNS, in which a domain’s A records rotate rapidly across many compromised or rented hosts, typically with TTLs of a few minutes so that resolvers never cache one answer for long. This makes tracking and takedown substantially harder, since no single IP address or hosting provider holds the content for long, particularly when the domains are used in hit-and-run propaganda operations.

To mask infrastructure even further, many campaigns sit behind Cloudflare or similar reverse proxies, concealing the actual origin server and complicating attribution. Defenders should keep in mind that a proxied or CDN-fronted domain also resolves to several rotating addresses with short TTLs and so can superficially resemble fast flux; the difference is that a CDN’s addresses belong to one network, whereas flux nodes are scattered across many unrelated ones.
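As an added example (not code from DomainTools or Vulnerable U), the heuristic below separates the two cases just discussed, fast flux and CDN fronting, using the network diversity of a domain’s resolutions rather than IP count alone. The passive-DNS observations and the IP-to-ASN map are constructed for the demo (RFC 5737 documentation addresses and private-use ASNs standing in for real networks); in practice they come from a passive-DNS feed and an IP-to-ASN database.

```python
"""Fast-flux vs. CDN heuristic over passive-DNS style observations.

Added example, not code from DomainTools or Vulnerable U. PDNS and ASN are
constructed: documentation IP ranges and private-use ASNs stand in for real ones.
"""
from collections import defaultdict
from ipaddress import ip_address

T0 = 1_700_000_000  # constructed epoch base for the observations


def _obs(domain, ips, ttl, step):
    """One constructed A-record observation per IP, `step` seconds apart."""
    return [(domain, "A", ip, ttl, T0 + i * step) for i, ip in enumerate(ips)]


# (domain, rrtype, rdata, ttl, observed_at)
PDNS = (
    _obs("news-front-eu.example",  # rotates across unrelated networks, 60 s TTL
         ["203.0.113.10", "198.51.100.7", "203.0.113.77", "198.51.100.91",
          "203.0.113.200", "198.51.100.33", "203.0.113.150", "198.51.100.60"],
         ttl=60, step=600)
    + _obs("legit-media.example",  # several IPs, but all in one CDN network
           ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"], ttl=300, step=900)
    + _obs("gov-portal.example", ["192.0.2.200"], ttl=3600, step=0)
    + [("news-front-eu.example", "NS", "ns1.bp-host.example", 60, T0)]  # not an A record
)

# Constructed IP -> ASN lookup (64512-65534 are private-use ASNs).
ASN = {
    "203.0.113.10": 64513, "198.51.100.7": 64514, "203.0.113.77": 64515,
    "198.51.100.91": 64516, "203.0.113.200": 64517, "198.51.100.33": 64518,
    "203.0.113.150": 64513, "198.51.100.60": 64514,
    "192.0.2.1": 64512, "192.0.2.2": 64512, "192.0.2.3": 64512, "192.0.2.4": 64512,
    "192.0.2.200": 64520,
}


def profile(records, asn_map=ASN):
    """Per-domain resolution metrics computed from A-record observations only."""
    by_domain = defaultdict(list)
    for domain, rrtype, rdata, ttl, seen in records:
        if rrtype != "A":
            continue
        ip_address(rdata)  # raises ValueError on malformed rdata
        by_domain[domain].append((rdata, ttl, seen))
    metrics = {}
    for domain, obs in by_domain.items():
        ips = {ip for ip, _, _ in obs}
        times = [s for _, _, s in obs]
        span_hours = max((max(times) - min(times)) / 3600, 1.0)  # floor at 1 h
        metrics[domain] = {
            "unique_ips": len(ips),
            "unique_asns": len({asn_map.get(ip) for ip in ips}),
            "min_ttl": min(t for _, t, _ in obs),
            "ips_per_hour": round(len(ips) / span_hours, 2),
        }
    return metrics


def flux_verdict(m):
    """fast-flux: many IPs across many networks with a short TTL.
    cdn-or-proxy: many IPs but a single network (anycast/CDN front), not flux."""
    if m["unique_ips"] >= 5 and m["unique_asns"] >= 3 and m["min_ttl"] <= 300:
        return "fast-flux"
    if m["unique_ips"] >= 3 and m["unique_asns"] == 1:
        return "cdn-or-proxy"
    return "stable"


if __name__ == "__main__":
    for domain, m in profile(PDNS).items():
        print(f"{domain:24} {flux_verdict(m):13} {m}")
```

The thresholds are starting points, not tuned values; the point is that ASN diversity, not IP churn, is the discriminating signal. A fuller implementation would also watch the NS records for the “double flux” variant in which the name servers rotate as well.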

From New Registrations to “Aged” Infrastructure

According to DomainTools, a notable trend in 2025 is the strategic “aging” of domains. Instead of deploying fake news portals immediately after registration, operators now create domains months in advance and let them sit. When the time is right, these domains are activated with content designed to sway opinion or target geopolitical fault lines.

This tactic is aimed at domain-reputation filters. A freshly registered domain that immediately serves content or draws traffic may be flagged by threat-intelligence platforms, whereas an older domain is more likely to pass under the radar. Registration age on its own is therefore a weak signal; the more useful one is the gap between a domain’s creation date and the date it first resolved or served content.
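An added example (not DomainTools’ or Vulnerable U’s code) contrasting the age-only filter that the aging tactic is built to defeat with a triage that also looks at when the domain first became active. The dates and domain names are constructed; in practice `created` comes from WHOIS/RDAP, `first_dns` from a passive-DNS feed and `first_content` from a crawler or URL-scanning service. The thresholds (30 days for “new”, 90 days of dormancy, 30 days of recent activity) are illustrative assumptions.

```python
"""Domain-age triage that catches the 'aged then activated' pattern.

Added example, not code from DomainTools or Vulnerable U. NOW, DOMAINS and the
thresholds are constructed for the demo.
"""
from datetime import date

NOW = date(2025, 6, 1)  # constructed evaluation date

# Constructed records; None means never observed.
DOMAINS = {
    "fresh-news-portal.example": {"created": date(2025, 5, 20),
                                  "first_dns": date(2025, 5, 21),
                                  "first_content": date(2025, 5, 22)},
    "aged-news-portal.example":  {"created": date(2024, 9, 3),   # parked ~8 months
                                  "first_dns": date(2025, 5, 15),
                                  "first_content": date(2025, 5, 18)},
    "established-paper.example": {"created": date(2015, 2, 1),
                                  "first_dns": date(2015, 2, 2),
                                  "first_content": date(2015, 2, 5)},
    "parked-only.example":       {"created": date(2024, 11, 1),
                                  "first_dns": None,
                                  "first_content": None},
}


def age_only_verdict(rec, now=NOW, max_age_days=30):
    """The naive filter: flag anything registered in the last 30 days."""
    return "flag" if (now - rec["created"]).days <= max_age_days else "allow"


def activation_verdict(rec, now=NOW, new_days=30, min_dormancy=90, recent_days=30):
    """Combine registration age with the first date the domain actually did anything."""
    age = (now - rec["created"]).days
    activity = [d for d in (rec["first_dns"], rec["first_content"]) if d is not None]
    if not activity:
        # Registered but never resolved: a candidate for later activation, keep watching.
        return "watch:dormant"
    first_active = min(activity)
    dormancy = (first_active - rec["created"]).days   # days between creation and first use
    active_for = (now - first_active).days             # how recently it woke up
    if age <= new_days:
        return "flag:new"
    if dormancy >= min_dormancy and active_for <= recent_days:
        return "flag:aged-then-activated"  # old registration, brand-new activity
    return "allow"


def triage(domains=DOMAINS, now=NOW):
    """Return {domain: (age_only, activation)} so the two filters can be compared."""
    return {d: (age_only_verdict(r, now), activation_verdict(r, now))
            for d, r in domains.items()}


if __name__ == "__main__":
    for domain, (naive, better) in triage().items():
        print(f"{domain:28} age-only={naive:6} activation={better}")
```

The aged portal is the case that matters: it is 271 days old, so the age-only filter waves it through, but it sat unused for 254 days and only began resolving 17 days before the evaluation date, which is exactly the signature of a pre-registered domain being switched on.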

Additionally, Russian actors are increasingly using third-party resellers instead of registering directly with major registrars. These resellers often lack robust abuse monitoring or security policies, creating yet another blind spot in the domain ecosystem.

In parallel, some disinformation actors are experimenting with blockchain-based domain systems such as those offered through Ethereum Name Service (.eth) or Unstoppable Domains (.crypto). These decentralized naming systems resist takedown efforts because they operate outside traditional DNS governance structures.

Though still emerging, these systems pose a growing challenge to defenders, because there is no central authority to which a suspension request can be addressed. They also cut both ways: .eth and .crypto names are not resolvable by ordinary DNS resolvers and need a browser extension or a gateway, which limits their audience but also means conventional DNS-based blocking and monitoring never see them. Hosting can likewise be decentralized through peer-to-peer systems, further complicating attribution and response.

Real-World Impact: Disinformation at Scale

The cumulative effect of this infrastructure is substantial. Russian-backed operations have been linked to hundreds of fake media websites pushing anti-Ukraine, anti-NATO, and pro-Kremlin narratives. In one 2022 campaign, researchers tracked over 100 fake news domains promoting Russian state propaganda across Western Europe and North America.

In addition to spreading propaganda, these operations are designed to erode trust in democratic institutions and media. Disinformation content is often amplified through AI-generated personas, deepfake videos, and bot-driven engagement on social media platforms.

The Strategic Withdrawal of U.S. Defenses

While Russia and China scale their information warfare capabilities, the United States is doing the opposite. As Dark Reading reported, the U.S. government has recently shut down key disinformation counter-efforts, including:

  • The Global Engagement Center (GEC) at the State Department, defunded by Congress in December 2024

  • The U.S. Agency for Global Media, dismantled by executive order in early 2025

These closures represent a significant reduction in U.S. capacity to respond to foreign influence operations, even as Russia plans to spend over $1.6 billion this year on state media and propaganda, and China invests over $10 billion in its messaging ecosystem.

Technical Visibility, Policy Blindness

Despite losing institutional defenses, the technical signals of disinformation campaigns remain visible. Daniel Schwalbe, CISO at DomainTools, notes that the challenge isn’t a lack of data, but a lack of coordinated response.

"From a strictly technical aspect, we've not lost visibility — we still see all of that stuff,” Schwalbe said. “It is the public appetite and the regulatory appetite from government entities who actually could affect some pushback at scale. That's where I think we've taken several steps back.”

What Comes Next?

With disinformation domains proliferating and defenses shrinking, the global cybersecurity community faces a difficult road ahead. Combating domain abuse requires a coordinated approach across registrars, hosting providers, governments, and threat intelligence firms.

Key recommendations from analysts include:

  • Stricter vetting of new domain registrations

  • Greater transparency in WHOIS data for geopolitical hot zones

  • Public-private partnerships for rapid takedown response

  • Investment in AI-powered domain reputation and content analysis tools

Ultimately, the domain name system—originally built for openness and decentralization—has become a primary attack surface for digital authoritarianism. The longer that security teams, regulators, and platform providers delay systemic reforms, the more entrenched these disinformation networks will become.