Now You See It, Now You Don’t: A Large-scale Analysis of Early Domain Deletions


Timothy Barron, Najmeh Miramirkhani, and Nick Nikiforakis, Stony Brook University


Domain names are a valuable resource on the web. Most domains are available to the public on a first-come, first-serve basis and once a domain is purchased, the owners keep them for a period of at least one year before they may choose to renew them. Common wisdom suggests that even if a domain name stops being useful to its owner, the owner will merely wait until the domain organically expires and choose not to renew.

In this paper, contrary to common wisdom, we report on the discovery that domain names are often deleted before their expiration date. This is concerning because this practice offers no advantage for legitimate users, while malicious actors deleting domains may hamper forensic analysis of malicious campaigns, and registrars deleting domains instead of suspending them enable re-registration and continued abuse. Specifically, we present the first systematic analysis of early domain name disappearances from the largest top-level domains (TLDs). We find more than 386,000 cases where domain names were deleted before expiring and we discover individuals with more than 1,000 domains deleted in a single day. Moreover, we identify the specific registrars that choose to delete domain names instead of suspending them. We compare lexical features of these domains, finding significant differences between domains that are deleted early, suspended, and organically expiring. Furthermore, we explore potential reasons for deletion finding over 7,000 domain names squatting more popular domains and more than 10,000 associated with malicious registrants.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {242060,
author = {Timothy Barron and Najmeh Miramirkhani and Nick Nikiforakis},
title = {Now You See It, Now You {Don{\textquoteright}t}: A Large-scale Analysis of Early Domain Deletions},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {383--397},
url = {},
publisher = {USENIX Association},
month = sep