Products APIs Data Feeds Web Tools Domain Research & Monitoring Enterprise Packages AI Deep Research
WHOIS / WHOIS History
WHOIS / WHOIS History

Provide current and historical ownership information on domains / IPs. Identify all connections between domains, registrants, registrars, and DNS servers.

DNS / DNS History
DNS / DNS History

Look into all current and historical DNS / IP connections between domains and A, MX, NS, and other records. Monitor suspicious changes to DNS records.

IP Geolocation / IP Netblocks
IP Geolocation / IP Netblocks

Get detailed context on an IP address, including its user’s geolocation, time zone, connected domains, connection type, IP range, ASN, and other network ownership details.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Access our web-based solution to dig into and monitor all domain events of interest.

Domain Research Suite (DRS)
Domain Research Suite (DRS)

Get access to a web-based enterprise-grade solution to search and monitor domain registrations and ownership details for branded terms, fuzzy matches, registrants of interest, and more.

New gTLD Intelligence Services (NGIS)
New gTLD Intelligence Services (NGIS)

Independent, evidence-based DNS and abuse intelligence for applicants, advisors, governments, and counsel participating in the ICANN 2026 New gTLD Program.

Research
Monitoring
White-Label
Predictive Threat Intelligence Feeds
Predictive Threat Intelligence Feeds

Predictive threat intelligence is your best first line of defense. Subscribe to the feeds to strengthen your cybersecurity posture. Contact us today for more information.

WhoisXML API Internet Infrastructure
Internet Infrastructure

Unlock integrated intelligence on Internet properties and their ownership, infrastructure, and other attributes.

Enterprise API Packages
Enterprise API Packages

Our complete set of domain, IP, and DNS intelligence available via API calls as an annual subscription with predictable pricing.

Security Intelligence (SI) Suite
Security Intelligence (SI) Suite

Offers complete access to WHOIS, IP, DNS, and subdomain data for product enrichment, threat hunting and more.

Attack Surface Discovery API
Attack Surface Discovery API

Uncover entire attack surfaces with this API to embed asset discovery, vulnerability scanning, and technology metadata into your platform. Now in early access.

MCP Server
MCP Server

Talk to our APIs using LLMs. Connect your preferred LLM to WhoisXML API and simply chat about WHOIS, DNS, threat intelligence, and more.

Jake AI
Jake AI

I’m your Domain Intelligence Assistant. I make it easy to explore WHOIS, DNS, and threat data from WhoisXML API — I’m cloud-based, fast, and always ready to help.

WhoisXML API Domain Intelligence Advisor (via ChatGPT)
WhoisXML API Domain Intelligence Advisor (via ChatGPT)

A custom GPT for WHOIS, DNS, IP, and threat intelligence research. Connects ChatGPT directly to WhoisXML API to enable fast, conversational investigations and domain insights.

Discover what you really pay for when buying commercial Internet intelligence data.

Download now
×
Contact Us
Specifications Pricing Blog
Read other articles Download PDF

February 2026: Domain Activity Highlights

WhoisXML API analyzed 8.7+ million domains registered between 1 and 28 February 2026 that appeared in Newly Registered Domains to identify the most popular registrars, TLD extensions, and other global domain registration trends. This number dropped by 0.5% from 8.8+ million NRDs last month.

We also determined the top TLD extensions used by 2.3+ million domains registered with malicious intent from the First Watch Malicious Domains Data Feed in February 2026. This number increased by 5.4% from the previous month.

Next, we studied the top TLD extensions of 1.08+ million confirmed malicious domains from the Threat Intelligence Data Feeds this month, which dropped by 1.4% from 1.09+ million in January.

Finally, we summed up our findings and provided links to the threat reports produced using DNS and domain intelligence sources during the period.

Zooming in on the February 2026 NRDs

TLD Distribution

Out of the 8.7+ million domains registered in February 2026, 82.0%, up from 81.8% last month, used gTLD extensions. The remaining 18.0%, down from 18.2%, meanwhile, used ccTLD extensions.

February 2026 NRD gTLD vs ccTLD shares

In February 2026, the .online TLD dropped out of the top 5 TLDs for NRDs. Meanwhile, .info entered the list. This shift may reflect a combination of factors, including preregistration activity ahead of announced price adjustments in early 2026, registrar promotions or bulk registrations, and broader diversification beyond using .com, as availability constraints continue to push some registrants toward alternative TLDs.

As with many NRD spikes, the trend may also be influenced by large-scale automated registrations, which can temporarily elevate specific TLDs in NRD datasets.

While the .com TLD remains dominant and continues to account for the largest share of NRD registrations, this trend has gone on for more than 20 years now. That said, many .com names may already be taken, benefiting new TLDs and legacy TLDs like .info.

February 2026 top NRD TLDs

Here is a MoM comparison and ranking changes for the top 5 TLD extensions used by the NRDs.

FEBRUARY 2026 TOP TLDFEBRUARY 2026 TLD VOLUMEJANUARY 2026 TLD VOLUMERANKING CHANGE FROM JANUARY TO FEBRUARY 2026
.com3,210,8623,475,649→ (Unchanged)
.top343,734378,803→ (Unchanged)
.info308,418241,941↑ from 7 to 3
.xyz303,749269,778→ (Unchanged)
.shop283,267273,809↓ from 3 to 5

Overall, the top 5 NRD TLD volume dropped by 4.6% from 4.6+ million in January to 4.4+ million in February 2026.

We then analyzed the February 2026 TLDs further to identify the most popular gTLDs and ccTLDs among the new domain registrations.

As in the last month, the top 5 TLDs for February 2026 were also the top gTLDs for the month.

February 2026 top NRD gTLDs

Meanwhile, .cn remained the most represented ccTLD in the ranking. However, the .in ccTLD replaced Cocos (Keeling) Islands’ .cc in the top 5. This shift may reflect continued growth in India’s digital economy and startup ecosystem as well as periodic fluctuations in registration activity tied to registrar promotions and pricing campaigns.

February 2026 top NRD ccTLDs

Here is a MoM comparison and ranking changes for the top 5 ccTLD extensions used by the NRDs.

FEBRUARY 2026 TOP ccTLDFEBRUARY 2026 ccTLD VOLUMEJANUARY 2026 ccTLD VOLUMERANKING CHANGE FROM JANUARY TO FEBRUARY 2026
.cn164,311195,402→ (Unchanged)
.uk157,831166,250→ (Unchanged)
.ru153,937137,977→ (Unchanged)
.in107,568100,844↑ from 6 to 4
.br106,128109,218→ (Unchanged)

Overall, the top 5 NRD ccTLD volume dropped by 6.1% from 734,304 in January to 689,775 in February 2026.

Registrar Distribution

The registrars in this month’s top 5 list remained unchanged, although their ranking shifted slightly. Notably, Hostinger Operations and Dynadot swapped positions, possibly reflecting fluctuations in promotional pricing campaigns and Hostinger’s continued growth in bundled hosting-and-domain offerings targeting small businesses and developers.

February 2026 top NRD registrars

Here is a MoM comparison and ranking changes for the top 5 NRD registrars.

FEBRUARY 2026 TOP REGISTRARFEBRUARY 2026 REGISTRAR VOLUMEJANUARY 2026 REGISTRAR VOLUMERANKING CHANGE FROM JANUARY TO FEBRUARY 2026
GoDaddy1,041,9981,143,842→ (Unchanged)
Namecheap876,171939,086→ (Unchanged)
Hostinger Operations441,136454,314↑ from 4 to 3
Dynadot409,451457,253↓ from 3 to 4
NameSilo378,979422,327→ (Unchanged)

Overall, the top 5 NRD registrar volume dropped by 7.9% from 3.4+ million in January to 3.1+ million in February 2026.

A Closer Look at the Domains Registered with Malicious Intent in February 2026

TLD Distribution

Next up, we sought to take a closer look at the domains deemed to have been registered with malicious intent from the get-go in February 2026. We determined that 2.3+ million domains in all appeared on the First Watch Malicious Domains Data Feed, up by 5.8% from 2.2+ million last month.

The same TLDs figured in this month’s top 5 albeit slight changes in ranking. Specifically, the TLDs .xyz and .online exchanged places.

February 2026 top First Watch Domain TLDs

Here is a MoM comparison and ranking changes for the top 5 TLDs of the domains registered with malicious intent.

FEBRUARY 2026 TOP FIRST WATCH TLDFEBRUARY 2026 FIRST WATCH TLD VOLUMEJANUARY 2026 FIRST WATCH TLD VOLUMERANKING CHANGE FROM JANUARY TO FEBRUARY 2026
.com561,902623,278→ (Unchanged)
.top214,170213,268→ (Unchanged)
.info198,721153,039→ (Unchanged)
.xyz185,281130,735↑ from 5 to 4
.online116,363135,636↓ from 4 to 5

Overall, the top 5 First Watch TLD volume rose by 1.6% from 1.25+ million in January to 1.27+ million in February 2026.

How Many NRDs Were Registered with Malicious Intent?

We also sought to find out how many of the domains registered in February 2026 were registered with malicious intent. Our findings showed that 27.1% of the NRDs under the top 5 TLDs were deemed likely to turn malicious as soon as they were registered.

February 2026 top TLDs of the NRDs registered with malicious intent

Cybersecurity through the DNS Lens

TLD Distribution

The top 5 TLDs of the confirmed malicious domains found in February 2026 were the same as those identified in January.

February 2026 top confirmed malicious domain TLDs

Here is a MoM comparison with ranking changes for the top 5 TLDs of the domains registered with malicious intent.

FEBRUARY 2026 TOP DOMAIN IoC TLDFEBRUARY 2026 DOMAIN IoC TLD VOLUMEJANUARY 2026 DOMAIN IoC TLD VOLUMERANKING CHANGE FROM JANUARY TO FEBRUARY 2026
.com170,526196,229→ (Unchanged)
.org157,077169,928→ (Unchanged)
.net147,198160,502→ (Unchanged)
.biz102,293111,402→ (Unchanged)
.bazar78,44178,604→ (Unchanged)

Overall, the number of confirmed malicious domains sporting the top 5 TLDs decreased by 8.5% from 716,665 in January to 655,535 this month.

Threat Reports

Take a quick look at the threat reports we published in February 2026 below.

  • Probing the DNS Depths of PHALT#BLYX: We further investigated the PHALT#BLYX campaign that targeted the European hospitality sector. It used click-fix social engineering, fake CAPTCHAs, and fake BSOD pages to trick users into downloading DCRat. As a result, the threat actors took full remote access to infected systems and dropped secondary payloads. Our analysis of 12 IoCs uncovered thousands of new artifacts and other pertinent insights.
  • A Look Back at the Top Ransomware Attack Targeting the Salesforce Supply Chain: Several high-impact ransomware operations in 2025 leveraged SaaS supply chain access to infiltrate enterprise environments. But the Salesforce SaaS supply chain attack stood out for its scale and cross-sector impact. We analyzed 39 IoCs related to the threat and unearthed thousands of new artifacts and critical information on the IoCs.
  • Top 10 Malware of Q4 2025: A DNS Deep Dive: On 29 January 2026, the Center for Internet Security (CIS) published its list of the top 10 malware for Q4 2025. They identified network IoCs for seven families—SocGholish, CoinMiner, Agent Tesla, Calendaromatic, ZPHP, VenomRAT, and ACR Stealer. We analyzed 46 IoCs and uncovered more than a thousand new artifacts and other pertinent IoC-related insights.

You can find more reports created in the past months here.

Feel free to contact us for more information about the products and capabilities used to analyze domain registration events or support other use cases.

Related posts
Read other articles Download PDF
Try our WhoisXML API for free
Get started