Archive for BforeAI

Cyber Threat Trends During the Winter Olympics 2026 From Bfore AI

Posted in Commentary with tags on March 31, 2026 by itnerd

BforeAI’s PreCrime Labs has published extensive research into scams and impersonation attacks leveraging the Winter Olympics, while also looking ahead to the Summer Olympics. The report covers 6 months of data and preemptively warns users what to expect from activity associated with the LA28 Olympics.

PreCrime Labs, the research division of BforeAI, observed a total of 1623 suspicious domains, the majority of which used keywords highly relevant to the event (e.g., “olympic”, “olympics”, “la28”, “milanocortina”). Alongside these, several hundred domains were seen across TLDs ranging from legacy .com/.org to newer ones (“.shop”, “.store”, “.ai”, “.world”, “.app”, “.cloud”, “.top”, “.xyz”, “.games”, “.global”).

You can look at the research here: https://bfore.ai/report/cyber-threat-trends-winter-olympics-2026/

BforeAI Threat Report: Commercial Airline Industry Sees Sustained Scam and Impersonation Activity in 2026 

Posted in Commentary with tags on February 24, 2026 by itnerd

BforeAI has published extensive research into scams and impersonation attacks leveraging the commercial airline industry. While the data set primarily covers Q4 of 2025, the activity and TTPs associated with these types of threats are not slowing down.

PreCrime™ Labs, the research division of BforeAI, observed a total of 1,799 suspicious domains between September and December of 2025, targeting over 35 global airline brands. During the 2025 end-of-year holiday rush and the start of the 2026 annual travel planning season, the PreCrime Labs team analyzed a large set of threat data related to airlines. There was a much higher concentration of generic keywords, numbering close to 10,000, focused on search terms such as “airline”, “flight”, “charter”, “airfare”, and “private jet”.

These domains demonstrate a consistent pattern of generalized phishing, attracting broader customer interest than merely focusing on a single airline company. The total count of suspicious domains targeting the airline industry surpasses 11,600 domains. The observed activity spans across phishing, fake promotions, fraudulent investments, betting abuse, and reputational harm, indicating both opportunistic fraud and coordinated campaign-style abuse.

The link to the report is here: https://bfore.ai/report/commercial-airline-industry-scam-impersonation-activity-2026/

BforeAI Threat Report: Romance Scams Proliferate Domain Registrations Ahead of Valentine’s Day

Posted in Commentary with tags on February 13, 2026 by itnerd

PreCrime™ Labs, the threat research division of BforeAI, has been analyzing a set of recent suspicious domain registrations around the theme of love and romance, in anticipation of the Valentine’s Day holiday. The surge of malicious campaigns spans phishing, gifting, dating apps, chat platforms, crypto, and potential pig butchering activities that could lead to loss of financial and personal information. This report analyzes over 3280 suspicious domains containing strings such as “love”, “valentine”, “dating”, “tinder”, and “matchmaking”, registered primarily between December 2025 and February 2026, and highlights patterns in top-level domain (TLD) usage, registrar choice, and geographic lures, indicating both opportunistic fraud and coordinated campaign-style abuse.

Interestingly, a cluster of 280 domains registered under a single IP and generated with a Domain Generation Algorithm (DGA) was actively operational, hosting random content to engage users and lure them into interacting before moving on to the main campaign operation.

The link to access the report is here: https://bfore.ai/report/romance-scams-proliferate-domain-registrations-valentines-day/

BforeAI Threat Report: How Unrest in Iran is Being Weaponized Online

Posted in Commentary with tags on February 5, 2026 by itnerd

Many of us are watching developments in Iran with interest. The threat researchers at BforeAI took a look at how these tensions are being used to fuel online scams and other fraudulent or malicious activity. While the timeframe for this analysis ranges from the beginning of December to mid-January, we feel that this is indicative of what can be expected, especially as rhetoric from the governments of the US and Iran, as well as regional powers in the Mideast, continues to escalate.

PreCrime™ Labs analyzed an organized surge of Iran-themed domain registrations across a small set of registrars and cheap top-level domains (TLDs), revealing clear clusters around themes including protest, conflict, sanctions evasion, gambling, and infrastructure that can be used as predictive indicators for preemptive security controls.

There is a strong concentration around a handful of registrars, privacy-protected records, and Cloudflare or Chinese DNS, which together act as early risk signals for coordinated campaigns tied to the ongoing Iran conflict and related information operations. Multiple thematic clusters using keywords such as “protests”, “no war”, “sanctions”, “logistics”, “casinos”, and “VPN” provide high-value predictive indicators for proactive blocking, brand and policy enforcement, and sanctions-risk monitoring before full campaigns go live.

You can read the threat report here: https://bfore.ai/report/malicious-infrastructure-campaigns-how-iran-is-weaponized-online

BforeAI Threat Advisory: Scam Activity Leveraging U.S. Actions in Venezuela in January 2026

Posted in Commentary with tags on January 22, 2026 by itnerd

PreCrime Labs, the threat research team at BforeAI, identified a large cluster of suspicious domain registrations leveraging US military operations in Venezuela and the resulting information vacuum.

When the PreCrime Labs team investigated new domains related to the Venezuela matter and registered between December 1, 2025 and January 12, 2026, a total of 829 domains were determined to be suspicious. An even more recent surge in registrations, primarily in January 2026, dominates the dataset: approximately 546 domains were registered between January 3 and January 5, 2026 alone. This is a significant spike compared to the December 2025 period leading up to the January 2 military action, during which 110 related domains were registered over the entire month.

The live report is here: https://bfore.ai/report/scam-activity-leveraging-united-states-actions-in-venezuela/

Hackers Impersonating Luxury Brands, Gucci, Louis Vuitton, and Rolex

Posted in Commentary with tags on October 30, 2025 by itnerd

BforeAI has released its latest research identifying over 1,000 domains leveraging the popularity of luxury brands in a campaign leading up to the high-traffic holiday season. These domains show coordinated registration patterns, with registrar preferences, top-level domain abuse, and linguistic tricks.

The campaign primarily impersonates high-end fashion and luxury brands, using domain strings impersonating or abusing names such as Gucci, Prada, Louis Vuitton, Rolex, Chanel, Dior, Versace, and Dolce & Gabbana. 

Since luxury retail goods are purchased online less frequently, these hackers offer coupons and discounts to attract visitors.

You can read the research here: https://bfore.ai/report/luxury-fashion-brands-threats-in-2025-holiday-shopping-season/

New Research Reveals Coordinated Campaign Targeting Perplexity Comet Users Across Various Attack Vectors

Posted in Commentary with tags on October 23, 2025 by itnerd

Today, BforeAI released the company’s research of an investigation into fraudulent and malicious activities targeting users seeking to download Perplexity’s Comet AI browser.

The analysis reveals a coordinated campaign of domain squatting, fraudulent mobile applications, and deceptive advertising designed to capitalize on the legitimate Comet browser’s popularity.

The research reveals:

  • Suspicious domains investigated with varying threat levels
  • Critical-level mobile app threats identified on the Google Play Store
  • Domains registered in 2025 following Comet’s launch timeline
  • Multiple attack vectors, including fake downloads, malvertising, and brand impersonation observed on search engines

You can find the research here: https://bfore.ai/report/malicious-activity-surrounding-perplexity-comet-browser-launch-threat-research/

New 2025 Texas Flooding Crisis Scams: Disaster Response Abuse, Claims, Donation & Relief Fraud

Posted in Commentary with tags on August 14, 2025 by itnerd

BforeAI has released a new report revealing a surge in opportunistic domain registrations and digital infrastructure aimed at exploiting public fear, disaster relief mechanisms, and donation campaigns in the wake of the severe 2025 Texas flooding disaster.

BforeAI’s research identifies the main threat themes and motifs as disaster claims fraud, donation and relief fraud, volunteer/registration bait, e-commerce abuse, search redirection and cloaking, and reputation piggybacking.

Key findings include 45 domain registrations observed to be suspicious, fewer than 10% of which were blocklisted on VirusTotal or major threat feeds until BforeAI started disruption; most were hosted with free page builders.

The research team identified over 70 suspicious or malicious domains within 10 days of the flooding onset, of which 13 were registered within a week, exactly when the news of the Texas flooding started making headlines. In addition, 46 domains had been updated since January 2025.

Many of the domains analyzed in this advisory have themes that leverage flood-related services, donation drives, and legal fraud baits such as fake flood insurance claims and lawsuits.

The researchers also observed volunteer registration forms that carry PII-harvesting risks, Google SEO and sponsored-ad manipulation, infrastructure patterns linked to prior natural-disaster scams, and several domains hosted on cheap or free registrars with rotating hosting infrastructure.

You can read the research here: https://bfore.ai/report/advisory-2025-texas-flooding-crisis-scams/

New BEC in the Financial Services Sector Threat Report Finds Nearly 4000 Malicious Domains in Q2 2025 

Posted in Commentary with tags on July 31, 2025 by itnerd

BforeAI has released its new threat report analyzing BEC in the financial services sector, finding 3756 suspicious and newly registered domains in April, May, and June of this year.

In Q2 2025, BforeAI observed:

  • Top 3 registrars: GoDaddy.com, LLC, Dynadot Inc., Tucows Domains Inc.
  • Top 3 registering countries: United States, China, United Kingdom
  • Top 5 TLDs (Top Level Domains): .com (1992), .info (260), .xyz (203), .online (105), .icu (104)
  • Finance-based TLDs: .finance, .financial, .money, .loan, .cash, .fund, .credit, .cards, .accountant, .bank, .investments, .capital, .exchange, .market, .insurance

Domain registration trends throughout the quarter showed a notable spike in activity, especially targeting financial brands. 

April saw a high volume of registrations, followed by a slight dip in May, and then a sharp rise in June, especially towards the end of the month. 

June also recorded the highest number of domain registrations overall. Between June 22 and June 30, 2025, there were at least 22 domains registered daily, peaking at 81 registrations on June 27 alone.

Beyond this, a consistent count of 10 or more newly registered domains was observed daily, with fluctuations continuing through the end of the quarter.

This sudden surge could indicate preparation for upcoming seasonal retail sales or early travel-related promotions, during which many financial institutions roll out offers and rewards, making this period a prime target for cybercriminals looking to spoof legitimate offers.

You can read the report here: https://bfore.ai/report/bec-in-the-financial-services-sector/

New Threat Research Identifies Malicious Telegram APK Campaign

Posted in Commentary with tags on July 15, 2025 by itnerd

BforeAI has revealed that its threat research division identified 607 domains linked to a large-scale phishing and malware campaign actively distributing application files claiming to be Telegram Messenger. The domains were registered through the Gname registrar and primarily host Chinese-language content.

Two instances prompted the user to download an application, 60MB and 70MB in size respectively. The new report provides the hash values gathered from this APK, depicts the blog-like appearance of a phishing site distributing the malicious Telegram APK, and lists the permissions the APK requests, flagged according to severity, along with proposed mitigations.

You can read the research here: https://bfore.ai/report/malicious-telegram-apk-campaign-advisory