Key Findings
- Out of 36,033 classified domains, 5,344 (14.8%) were flagged as problematic — either through automated scan verdicts, admin investigations, or classification as potentially malicious.
- 38.2% of all standard scans returned a Suspicious or Dangerous verdict.
- Cloudflare hosts the largest absolute number of problematic domains (2,418), though its scale (11,797 domains) means only 20.5% are flagged.
- Tencent stands out with a 91.6% bad scan rate, the highest among major providers.
- Scam is the dominant threat category, appearing across 545 problematic domains, followed by phishing (311) and credential harvesting (248).
Methodology
We analyzed 36,033 domain classifications from URLert's database alongside 19,346 completed standard scan results. Each domain was mapped to its hosting provider via ASN (Autonomous System Number) lookups — identifying the infrastructure company serving each domain's traffic.
A domain was considered "problematic" if it met any of three criteria:
- Scan verdict: At least one standard scan returned DANGEROUS or SUSPICIOUS (4,192 domains)
- Classification: Classified as POTENTIALLY_MALICIOUS by URLert's domain classification system (1,549 domains)
- Admin flag: Manually flagged with a WARNING or DANGER admin note (470 domains)
Many domains met multiple criteria simultaneously.
The Verdict Landscape
Across all 19,346 standard scans:
| Verdict | Count | % of Total |
|---|---|---|
| Safe | 11,400 | 58.9% |
| Suspicious | 4,954 | 25.6% |
| Dangerous | 2,432 | 12.6% |
| Parked | 303 | 1.6% |
| Unknown | 257 | 1.3% |
More than 1 in 3 scanned URLs (38.2%) received a Suspicious or Dangerous verdict, indicating a significant proportion of web traffic encounters potentially harmful content.
ASN Hosts: Who Hosts the Most Problematic Domains?
Across 2,561 unique ASN hosts, the top 30 by number of problematic domains are below.
Tier 1: Major Infrastructure (100+ problematic domains)
| ASN Host | Total Domains | Problematic | % Problematic | Bad Scans | % Bad |
|---|---|---|---|---|---|
| Cloudflare | 11,797 | 2,418 | 20.5% | 3,452 | 46.5% |
| Amazon (AWS) | 3,566 | 306 | 8.6% | 776 | 39.1% |
| Hostinger | 676 | 177 | 26.2% | 167 | 58.8% |
| Tencent | 268 | 112 | 41.8% | 109 | 91.6% |
Tier 2: Significant Presence (30–100 problematic domains)
| ASN Host | Total Domains | Problematic | % Problematic | Bad Scans | % Bad |
|---|---|---|---|---|---|
| Google Cloud | 661 | 70 | 10.6% | 124 | 26.2% |
| Amazon (AES) | 825 | 65 | 7.9% | 101 | 31.7% |
| Namecheap | 230 | 65 | 28.3% | 58 | 63.0% |
| OVH | 443 | 64 | 14.5% | 56 | 25.3% |
| Cloudflare (secondary ASN) | 1,166 | 58 | 5.0% | 7 | 11.7% |
| Alibaba (US) | 227 | 51 | 22.5% | 52 | 65.8% |
| | 450 | 48 | 10.7% | 205 | 17.8% |
| Microsoft | 424 | 46 | 10.9% | 121 | 28.7% |
| DigitalOcean | 264 | 45 | 17.1% | 50 | 42.7% |
| Hetzner | 386 | 41 | 10.6% | 56 | 40.9% |
| Fastly | 585 | 38 | 6.5% | 81 | 17.0% |
| Akamai (Linode) | 234 | 33 | 14.1% | 26 | 40.6% |
| HostPapa (ColoCrossing) | 39 | 31 | 79.5% | 60 | 88.2% |
Tier 3: Smaller but Notable (10–29 problematic domains)
| ASN Host | Total Domains | Problematic | % Problematic | Bad Scans | % Bad |
|---|---|---|---|---|---|
| Servers.com | 102 | 29 | 28.4% | 48 | 63.2% |
| FranTech (Ponynet) | 64 | 25 | 39.1% | 23 | 74.2% |
| Cloudflare Spectrum | 420 | 24 | 5.7% | 22 | 15.7% |
| Interserver | 47 | 21 | 44.7% | 28 | 80.0% |
| Wildcard UK | 32 | 17 | 53.1% | 25 | 53.2% |
| IONOS | 112 | 16 | 14.3% | 12 | 28.6% |
| Neon Core Networks | 24 | 14 | 58.3% | 31 | 96.9% |
| Akamai (International) | 388 | 14 | 3.6% | 18 | 7.1% |
| Oracle Cloud | 98 | 14 | 14.3% | 17 | 42.5% |
| Team Internet | 47 | 14 | 29.8% | 8 | 44.4% |
| Antbox Networks (HK) | 23 | 13 | 56.5% | 18 | 100.0% |
| GoDaddy | 67 | 13 | 19.4% | 9 | 34.6% |
Cloudflare dominates in raw numbers — hosting 2,418 problematic domains — but this is partially a function of its enormous market share (11,797 classified domains). Its 20.5% problematic rate, while concerning, is moderate relative to smaller providers.
Tencent is the most alarming among major providers: 91.6% of all scans for Tencent-hosted domains returned Suspicious or Dangerous verdicts, and 41.8% of its domains are flagged as problematic.
Hostinger and Namecheap — popular budget hosting and domain registration services — show elevated rates at 26.2% and 28.3% problematic respectively, with Namecheap's bad scan rate reaching 63.0%.
The 100% Club: Providers Where Every Scan Is Bad
Among providers with at least 10 scans, the following showed near-perfect bad scan rates:
| ASN Host | % Bad Scans | Total Scans | Problematic Domains | Total Domains |
|---|---|---|---|---|
| Antbox Networks (HK) | 100.0% | 18 | 13 | 23 |
| Shinjiru Technology (MY) | 100.0% | 17 | 5 | 11 |
| JSC IOT (RU) | 100.0% | 10 | 5 | 15 |
| Neon Core Networks (US) | 96.9% | 32 | 14 | 24 |
| IT7 Networks (CA) | 93.3% | 30 | 5 | 10 |
| Tencent (CN) | 91.6% | 119 | 112 | 268 |
| Shock Hosting (US) | 90.9% | 11 | 5 | 8 |
| Private Layer (CH) | 90.0% | 10 | 7 | 13 |
| WIBO Baltic (LT) | 90.0% | 40 | 6 | 15 |
| Zillion Network (US) | 90.0% | 10 | 5 | 9 |
These providers — often offshore or privacy-focused hosting companies — appear almost exclusively associated with malicious content, functioning effectively as "bulletproof hosting" for bad actors.
Notably, Tencent is the only major-scale provider in this list, with 268 total domains and 119 scans — far larger than the typical bulletproof host, yet maintaining a 91.6% bad scan rate. The geographic pattern is also striking: Hong Kong, Malaysia, Russia, Switzerland, and Lithuania feature prominently — jurisdictions where takedown enforcement can be challenging.
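The sketch below is an added example, not URLert's code. It re-ranks some of the providers from the table above by the lower bound of a 95% Wilson score interval instead of the raw bad scan rate, so that a 10-of-10 result is not treated as stronger evidence than 109-of-119. The Wilson bound and the `constructed-tiny-host` row are assumptions added for illustration; the 10-scan minimum and the counts come from the tables on this page, with bad counts derived as rate × total scans where the page does not list them.

```python
"""Rank hosting providers by bad-scan rate with a small-sample correction."""
from math import sqrt

MIN_SCANS = 10   # the page's inclusion threshold for this table
Z = 1.96         # ~95% confidence (assumption; the page reports raw rates only)

# (host, bad scans, total scans). Totals are from the table above; bad counts
# are from the tier tables where listed, otherwise derived as rate x total.
PUBLISHED = [
    ("Antbox Networks (HK)", 18, 18),
    ("Shinjiru Technology (MY)", 17, 17),
    ("JSC IOT (RU)", 10, 10),
    ("Neon Core Networks (US)", 31, 32),
    ("Tencent (CN)", 109, 119),
    ("WIBO Baltic (LT)", 36, 40),
    ("constructed-tiny-host", 3, 3),   # constructed row: below MIN_SCANS
]

def wilson_lower(bad, total, z=Z):
    """Lower bound of the Wilson score interval for the proportion bad/total."""
    if total == 0:
        return 0.0
    p = bad / total
    centre = p + z * z / (2 * total)
    margin = z * sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return (centre - margin) / (1 + z * z / total)

def rank_hosts(rows, min_scans=MIN_SCANS):
    """Return (host, raw_rate, lower_bound) sorted by lower bound, descending."""
    scored = [
        (host, bad / total, wilson_lower(bad, total))
        for host, bad, total in rows
        if total >= min_scans          # drop hosts with too few scans to judge
    ]
    return sorted(scored, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, raw, lower in rank_hosts(PUBLISHED):
        print(f"{host:28s} raw={raw:6.1%}  wilson_lower={lower:6.1%}")
```

On these counts Tencent's 109 of 119 ranks above the 18-of-18 and 10-of-10 rows, because a larger sample supports a tighter bound.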
Threat Categories: What Are the Dangers?
Among problematic domains, the most common threat types detected are:
| Threat Category | Domains Affected |
|---|---|
| Scam | 545 |
| Phishing | 311 |
| Credential Harvesting | 248 |
| Suspicious Redirect | 177 |
| Malware | 122 |
| Privacy Risk | 91 |
| Tracking | 13 |
Scam content is the dominant threat, appearing nearly twice as often as phishing. Credential harvesting — fake login pages designed to steal usernames and passwords — affects 248 domains, often overlapping with phishing campaigns.
Admin-Flagged Domains: Human Intelligence
URLert's security team manually flagged 470 domains with WARNING (245) or DANGER (225) admin notes — representing the most heavily investigated sites.
The hosting distribution of these admin-flagged domains:
| ASN Host | Admin-Flagged Domains |
|---|---|
| Cloudflare | 257 |
| Amazon (AWS) | 26 |
| Unknown (no classification) | 13 |
| Hostinger | 12 |
| HostPapa (ColoCrossing) | 11 |
| Google Cloud | 10 |
| Namecheap | 7 |
| Amazon (AES) | 6 |
| WIBO Baltic | 5 |
| Cloudflare (secondary ASN) | 5 |
Cloudflare's dominance here (54.7% of all admin-flagged domains) is notable and disproportionate even relative to its market share. Two operational factors likely drive this concentration:
- Scam sites that survive abuse reports: A large share of Cloudflare-flagged domains are scam operations — fake shops, deceptive "investment" platforms, misleading subscription traps — rather than classic phishing or malware. Because these sites don't distribute malware binaries or host credential-harvesting forms in the traditional sense, they often don't violate hosting abuse policies clearly enough to be taken down quickly. They stay online for weeks or months, requiring the security team to manually flag them each time they resurface in user submissions.
- Anti-bot shielding obscures automated detection: Cloudflare's bot protection — designed to defend legitimate sites — inadvertently shields malicious actors as well. When automated scanners are blocked by challenge pages, URLert's security team must manually review and flag these domains, inflating the admin-flagged count relative to providers without similar protections.
These factors compound: threat actors deliberately leverage Cloudflare's free tier, DDoS protection, and domain proxying capabilities to obscure their origin servers — while the platform's own defenses make it harder for security tools to automatically classify the threats hiding behind them.
WIBO Baltic (Lithuania) is noteworthy as a small provider with only 15 total domains yet 5 admin-flagged — a 33% manual flag rate, indicating concentrated human-verified malicious activity.
The Worst Individual Domains
The top individual domains generating the most bad scans:
| Domain | Host | Bad Scans | Total Scans | Threats |
|---|---|---|---|---|
| shrinkme.click | Cloudflare | 247 | 248 | Scam, Suspicious redirect |
| nowplaytoc.com | Cloudflare | 105 | 105 | Suspicious redirect, Tracking |
| google.com | | 82 | 364 | Credential harvesting, Phishing, Scam |
| t.co | Cloudflare | 69 | 125 | Multiple threat categories |
| tinyurl.com | Cloudflare | 46 | 68 | Credential harvesting, Phishing, Scam |
| ln.run | Cloudflare | 42 | 90 | Phishing, Scam, Suspicious redirect |
| t.me | Telegram | 38 | 149 | Scam |
| is.gd | Cloudflare | 36 | 46 | Credential harvesting, Phishing, Scam |
| bit.ly | Google Cloud | 32 | 66 | Phishing, Scam, Suspicious redirect |
| share.google | | 32 | 92 | Phishing, Scam, Suspicious redirect |
| ey43.com | Cloudflare | 32 | 32 | Credential harvesting, Phishing |
| outlook.com | Microsoft | 29 | 80 | Credential harvesting, Malware, Phishing, Scam |
| blogspot.com | | 28 | 106 | Credential harvesting, Malware, Phishing, Scam |
| roblox.com.ge | WIBO Baltic | 26 | 26 | Credential harvesting, Phishing, Scam |
Patterns in the Top Individual Domains
Dedicated malicious domains like shrinkme.click (99.6%), nowplaytoc.com (100%), and ey43.com (100%) are purpose-built for malicious activity — scam operations and redirect chains.
URL shorteners are heavily abused: tinyurl.com, ln.run, is.gd, and bit.ly all appear in the top results. These services mask destination URLs, making them ideal vectors for distributing phishing and scam links. Of 68 total scans for tinyurl.com, 46 (67.6%) were bad.
Major platforms like google.com, t.co, t.me, outlook.com, and blogspot.com appear due to user-generated content — the scanned URLs are paths within these domains that lead to phishing or scam content, not the platforms themselves. Telegram (t.me) is notable: while only 25.5% of its scans return bad verdicts, it still ranks 8th by absolute bad scan count (38), confirming its role as a distribution channel for scam content.
roblox.com.ge is a typosquatting domain impersonating Roblox, hosted on WIBO Baltic (Lithuania) — every single scan (26/26) returned a bad verdict, flagged for credential harvesting and phishing targeting young gamers.
Conclusions
- Scale ≠ safety: Large providers like Cloudflare and Amazon host the most problematic domains in absolute terms, but their scale means the rate is moderate (8–20%). The real outliers are mid-tier and niche providers with 60–100% bad scan rates.
- A clear three-tier risk model: Major cloud providers (Google, AWS, Microsoft) cluster around 8–11% problematic rates. Budget hosts (Hostinger, Namecheap, DigitalOcean) run 17–28%. Niche/offshore providers (HostPapa, Interserver, FranTech, Neon Core, Antbox) hit 40–80%+ — a strong signal for automated risk scoring.
- Budget hosting attracts bad actors: Hostinger (26.2% problematic), Namecheap (28.3%), and Alibaba US (22.5%) — known for low-cost hosting and domain registration — show significantly elevated rates compared to premium cloud providers.
- Offshore hosting remains a haven: Providers like Antbox Networks (Hong Kong), Shinjiru (Malaysia), JSC IOT (Russia), Private Layer (Switzerland), and WIBO Baltic (Lithuania) show 90–100% bad scan rates, functioning as de facto bulletproof hosting. The jurisdictional diversity makes coordinated takedowns difficult.
- Tencent is a red flag: With 91.6% of scans returning bad verdicts across 119 scans and 268 domains, Tencent-hosted domains should be treated with high suspicion by URL safety systems. This is unprecedented for a provider of its scale.
- URL shorteners are a major attack surface: Several of the worst individual domains are URL shorteners (tinyurl.com, ln.run, is.gd, bit.ly, shrinkme.click). Link obfuscation remains the primary distribution method for phishing and scam campaigns.
- Scam surpasses phishing: Scam content (545 domains) is now nearly twice as prevalent as traditional phishing (311), suggesting a shift in threat actor tactics toward broader social engineering rather than targeted credential theft.
- Cloudflare's admin-flag concentration: While Cloudflare hosts 20.5% of problematic domains overall, it hosts 54.7% of all admin-flagged domains — a disproportionate share that suggests threat actors deliberately leverage Cloudflare's free tier and proxy capabilities to obscure their infrastructure.
Data collected April 3, 2026. Analysis covers 36,033 domain classifications and 19,346 standard scan results from URLert's production database. Domain classifications use eTLD+1 (registered domain) granularity. ASN hosting provider is determined via BGP routing table lookups from RouteViews.