🤖 AI Summary
This study systematically investigates the key drivers of malicious domain registration, addressing a critical gap in understanding the causal mechanisms underlying cybercriminal behavior. Leveraging large-scale domain registration logs, we construct, for the first time, a comprehensive set of 73 features covering registration attributes, active verification practices, and passive security measures, and apply generalized linear modeling (GLM) for quantitative causal analysis. Results reveal that: (i) a $1 reduction in registration fee increases malicious domain registrations by 49%; (ii) free web hosting services amplify phishing domain registrations by 88%; (iii) stringent registration restrictions reduce abuse by 63%, whereas open API-based registration increases it by 401%. These findings establish statistically significant causal effects of pricing strategies, verification rigor, and API openness on abuse prevalence. The work provides empirically grounded, actionable guidance for registrars, including tiered pricing, API access controls, and enhanced verification protocols, to design targeted anti-abuse policies.
📝 Abstract
Cybercriminals have long depended on domain names for phishing, spam, malware distribution, and botnet operation. To facilitate these malicious activities, they continually register new domain names for exploitation. Previous work revealed an abnormally high concentration of malicious registrations in a handful of domain name registrars and top-level domains (TLDs). Anecdotal evidence suggests that low registration prices attract cybercriminals, implying that higher costs may discourage them. However, no existing study has systematically analyzed the factors driving abuse, leaving a critical gap in understanding how different variables influence malicious registrations. In this report, we carefully distill the inclinations and aversions of malicious actors during the registration of new phishing domain names. We compile a comprehensive list of 73 features encompassing three main latent factors: registration attributes, proactive verification, and reactive security practices. Through a GLM regression analysis, we find that each dollar reduction in registration fees corresponds to a 49% increase in malicious domains. The availability of free services, such as web hosting, drives an 88% surge in phishing activities. Conversely, stringent restrictions cut down abuse by 63%, while registrars providing API access for domain registration or account creation experience a staggering 401% rise in malicious domains. This exploration may assist intermediaries involved in domain registration in developing tailored anti-abuse practices while aligning them with their economic incentives.