Registration, Detection, and Deregistration: Analyzing DNS Abuse for Phishing Attacks

📅 2025-02-13
🤖 AI Summary
This study addresses the defensive lag across the full lifecycle (registration–detection–takedown) of phishing domains. We conduct a 39-month longitudinal analysis of over 690,000 phishing domains to systematically characterize their end-to-end behavioral chain. Our findings reveal that 66.1% are maliciously registered de novo, with strong preference for low-cost TLDs used for brand impersonation; average detection latency is 11.5 days—creating a high-risk “window of exposure”—and blacklist updates across platforms exhibit severe asynchrony. Leveraging large-scale DNS log analysis, TLD-level registration pattern mining, and behavioral modeling, we identify malicious registration as the dominant driver of the phishing ecosystem. The work provides empirically grounded insights and actionable technical levers for real-time DNS-layer interception and collaborative, registration-stage prevention.

📝 Abstract
Phishing continues to pose a significant cybersecurity threat. While blocklists currently serve as a primary defense, due to their reactive, passive nature, these delayed responses leave phishing websites operational long enough to harm potential victims. It is essential to address this fundamental challenge at the root, particularly in phishing domains. Domain registration presents a crucial intervention point, as domains serve as the primary gateway between users and websites. We conduct a comprehensive longitudinal analysis of 690,502 unique phishing domains, spanning a 39-month period, to examine their characteristics and behavioral patterns throughout their lifecycle, from initial registration to detection and eventual deregistration. We find that 66.1% of the domains in our dataset are maliciously registered, leveraging cost-effective TLDs and targeting brands by mimicking their domain names under alternative TLDs (e.g., .top and .tk) instead of the TLDs under which the brand domains are registered (e.g., .com and .ru). We also observe minimal improvements in detection speed for maliciously registered domains compared to compromised domains. Detection times vary widely across blocklists, and phishing domains remain accessible for an average of 11.5 days after detection, prolonging their potential impact. Our systematic investigation uncovers key patterns from registration through detection to deregistration, which could be leveraged to enhance anti-phishing active defenses at the DNS level.
Problem

Research questions and friction points this paper is trying to address.

Analyzing DNS abuse in phishing domains
Examining lifecycle of phishing domains
Improving detection and deregistration of malicious domains
Innovation

Methods, ideas, or system contributions that make the work stand out.

Longitudinal analysis of phishing domains
Focus on malicious domain registration
Enhance DNS level active defense
Authors

Kyungchan Lim, University of Tennessee, Knoxville, USA
Kiho Lee, University of Tennessee, Knoxville, USA
Raffaele Sommese, University of Twente
Mattis Jonker, University of Twente, Enschede, The Netherlands
Ricky K. P. Mok, CAIDA/UCSD
K. Claffy, CAIDA/UC San Diego, San Diego, USA
Doowon Kim, University of Tennessee, Knoxville