Typosquatting examples
Documented real-world typosquatting incidents, from Google's typo-domain disputes to Fortune 500 email interception and supply-chain attacks on package managers. Each case illustrates a distinct attack category with dates, outcomes, and lessons.
The scale of the problem
Typosquatting is not a theoretical risk. In 2010, Tyler Moore and Benjamin Edelman published research on typosquatting economics that estimated at least 938,000 typosquatting domains targeting the top 3,264 .com sites. They found that roughly 80% were monetized through pay-per-click advertising, and that domains in categories with higher ad prices attracted more registrations, indicating that the economics of typosquatting follow the same incentives as legitimate advertising.
The cases below are drawn from court records, published research, and security-vendor reports. They move from individual domains to large-scale campaigns, each illustrating a distinct category of abuse.
Where the stories live. Other articles in this section explain permutation mechanics (omission, addition, transposition, and so on) and link here for named domains, dockets, and campaign details. That keeps case narratives in one place and avoids repeating the same history across multiple guides.
Google typo domains (goggle.com and related rulings)
Google's typo-domain record shows how differently similar disputes can turn out. In a 2005 National Arbitration Forum action, Google won control of googkle.com, ghoogle.com, gfoogle.com, and gooigle.com. The panel found that the domains attempted to download viruses, trojan horses, and spyware to visitors' computers and ordered them transferred.
Google's separate 2011 complaint over goggle.com, goggle.net, and goggle.org ended differently. The panel dismissed that case as a business or contractual dispute outside the scope of the UDRP. Taken together, the rulings show that even obvious typo domains can produce very different outcomes depending on the record before the panel.
Credential harvesting and the "rnicrosoft" technique
Replacing m with rn produces a string that looks nearly identical in most sans-serif typefaces, a homoglyph-style trick. Microsoft used rnicrosoft.com as a concrete example in its 2026 write-up on the RaccoonO365 phishing operation, which it said stole credentials from more than 5,000 customers across 94 countries. Because the visual difference is easy to miss at normal reading speed, the technique bypasses the kind of quick-glance verification that catches cruder misspellings.
The same principle extends to IDN homograph attacks, where Cyrillic or other Unicode characters replace Latin letters (e.g., Cyrillic а for Latin a). Rendered in a browser address bar, the substitution can be pixel-identical. Modern credential-harvesting campaigns often combine these visual tricks with adversary-in-the-middle reverse-proxy tools to capture session tokens alongside passwords, defeating multi-factor authentication entirely. The FBI's IC3 program continues to rank business email compromise among the costliest forms of cybercrime, with reported losses measured in billions of dollars each year.
Corporate email interception and doppelganger domains
In 2011, researchers Peter Kim and Garrett Gee registered 30 "doppelganger" domains, variants that removed the dot between a subdomain and primary domain (e.g., seibm.com instead of se.ibm.com). Over six months, catch-all MX records on those 30 domains passively collected 120,000 misdirected emails totaling 20 GB of data from Fortune 500 companies. The intercepted messages contained employee credentials, VPN configurations, trade secrets, business contracts, and litigation documents.
In that same study, only one of the targeted companies detected the fake registration, and only two senders out of 120,000 noticed the error. The researchers also reported that several doppelganger domains for major corporations had already been registered by entities in China with MX records configured but no web content, suggesting active espionage interest. Of the Fortune 500, 151 companies (30%) were structurally vulnerable to this attack due to their use of multiple subdomains.
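A defender can enumerate the same doppelganger names from their own hostname inventory and check what already exists for each. The following is an added example, not code from the researchers or from this site; the function names, the `dns_view` input shape, the status labels, and all `example.com` data are assumptions made for illustration, and "MX without A" is used as a stand-in for "MX configured but no web content".

```python
from collections import defaultdict

def doppelgangers(hostnames, registered_domain):
    """Map each doppelganger domain to the real hostnames it would shadow."""
    base = registered_domain.lower().rstrip(".")
    out = defaultdict(list)
    for host in hostnames:
        host = host.lower().rstrip(".")
        if not host.endswith("." + base):
            continue  # apex or unrelated name: there is no subdomain dot to drop
        sub = host[: -len(base) - 1].split(".")[-1]  # label directly left of base
        out[sub + base].append(host)  # se.ibm.com -> seibm.com
    return dict(out)

def triage(candidates, dns_view, owned=()):
    """Give each candidate a status from DNS observations.

    dns_view maps domain -> {"MX": [...], "A": [...]}; how it is collected
    (resolver, passive DNS) is left to the caller.
    """
    report = {}
    for dom in candidates:
        rec = dns_view.get(dom, {})
        if dom in owned:
            report[dom] = "owned"
        elif rec.get("MX") and not rec.get("A"):
            report[dom] = "mail-only"      # MX but no web host
        elif rec.get("MX"):
            report[dom] = "receives-mail"
        elif rec.get("A"):
            report[dom] = "resolves"
        else:
            report[dom] = "no-records"     # nothing observed; check registration
    return report

# Constructed inventory and DNS observations (example.com is a placeholder).
HOSTS = ["se.example.com", "mail.se.example.com", "us.example.com", "example.com"]
DNS_VIEW = {"seexample.com": {"MX": ["mx.seexample.com"], "A": []},
            "usexample.com": {"MX": [], "A": ["192.0.2.10"]}}

if __name__ == "__main__":
    found = doppelgangers(HOSTS, "example.com")
    for dom, status in triage(found, DNS_VIEW).items():
        print(dom, status, found[dom])
```

The registered domain is passed in explicitly, so multi-label suffixes such as `co.uk` work as long as the caller supplies the full registrable name.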
Legal enforcement and the courtroom record
Courts and arbitration panels have repeatedly treated typosquatting as actionable conduct, whether through ACPA damages, injunctions, or domain-transfer proceedings.
- Facebook v. Cyber2Media. In 2013, a magistrate judge in the Northern District of California recommended that Facebook recover $2.8 million and 105 typo domains. The record included facebobk.com and many insertion-style labels such as facebokook.com, faceboocklogin.com, and facceebook.com. One defendant alone was assigned $1.34 million for 47 infringing domains. The recommendation is notable because it laid out a per-domain damages formula under ACPA.
- Verizon v. OnlineNIC. In 2008, a federal court in California awarded Verizon more than $33 million after finding that OnlineNIC had registered at least 663 domains identical or confusingly similar to Verizon trademarks.
- Microsoft's anti-cybersquatting campaign. In a 2007 announcement, Microsoft said it had reclaimed more than 1,100 infringing domain names worldwide over six months through lawsuits, settlements, and related enforcement actions against cybersquatters using Microsoft-branded and misspelled domains.
- Google v. Groovle. In a 2009 National Arbitration Forum decision, the panel held that groovle.com was not confusingly similar to GOOGLE, reasoning that it created a different word and meaning. It remains a useful example of a brand owner losing despite an aggressive enforcement history.
- Microsoft and Mike Rowe (mikerowesoft.com). Microsoft disputed a teenager's pun domain modeled on the company name. The case drew heavy press coverage and settled after public criticism of the enforcement approach, illustrating how narrative and proportionality matter alongside trademark theory.
These cases demonstrate that legal remedies exist, but they are slow, expensive, and highly fact-specific. Google won transfer of several spyware-laced typo domains in one proceeding, yet its separate goggle.com complaint was dismissed on procedural grounds. Proactive domain monitoring and defensive registration remain faster first lines of defense, catching new registrations within hours rather than litigating them after damage occurs.
Supply-chain typosquatting and package managers
In a 2016 proof-of-concept study, security researcher Nikolai Tschacher uploaded typosquatted packages to PyPI, npm, and RubyGems. The imposter packages executed on more than 17,000 machines across 45,000 installations, and roughly half ran with administrative privileges. Two affected hosts belonged to .mil domains and 23 to .gov domains. The technique has since been industrialized.
Modern supply-chain typosquatting attacks exploit the same omission, addition, and transposition patterns as domain typosquatting, applied to package names instead of URLs. Research presented at USENIX Security 2023 by Pranshu Neupane and co-authors catalogued 13 distinct confusion mechanisms beyond simple character-level typos, including semantic-level attacks where a plausible alternative name (not a misspelling) tricks developers into installing the wrong package.
Malvertising and typo campaigns
Malwarebytes documented in 2022 a campaign using typosquatted .cm domains (the Cameroon ccTLD) against U.S. financial brands. Domains like wellsfargo.cm relied on a different vector. Users who omit the o in .com land on the .cm ccTLD instead, a form of TLD squatting. Victims were redirected through malvertising chains hosted on Amazon AWS to tech-support scam pages.
Affiliate fraud and ad parking
Not all typosquatting is overtly malicious. Many squatted domains redirect visitors through affiliate links or serve parked ad pages. A domain like amazom.com configured to redirect through an affiliate URL earns commission on any purchase the visitor completes. The visitor arrives at the correct site, completes a normal transaction, and the abuse goes undetected for months.
Moore and Edelman also found that 63% of typosquatting domains displaying Google ads used one of just five advertising IDs, suggesting that a small number of operators controlled the majority of ad-monetized typosquats. This concentration makes enforcement theoretically tractable but practically slow without automated domain monitoring.
The same 2010 measurement work found that sites in high-value advertising categories such as finance, insurance, and travel attracted disproportionate typosquatting activity. The economics are straightforward. A typosquatting permutation of a high-traffic commercial domain receives enough accidental visitors to generate meaningful ad revenue at near-zero ongoing cost.
Detection at scale
The common thread across these cases is that every attack begins with a predictable permutation of a legitimate domain. Omission, transposition, homoglyphs, IDN homograph attacks, and combosquatting all produce finite, enumerable sets of candidate strings. Monitoring those candidates against DNS resolution, WHOIS/RDAP registration data, Certificate Transparency logs, and passive DNS records converts the examples above from after-the-fact case studies into early-warning signals.
Have I Been Squatted generates the full set of typosquatting permutations for a monitored domain, checks registration status, and enriches results with DNS, HTTP, RDAP, and screenshot data. Combined with Certificate Transparency extended search, this surfaces squatted variants before they are weaponized, turning the case studies above into preventable incidents rather than post-mortem lessons. See typosquatting protection for the full defensive playbook.
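The permutation categories seen in the cases above can also be checked in the other direction, by classifying a newly observed name against the names being monitored. This is an added example, not Have I Been Squatted's implementation; the function names, category labels, two-entry look-alike table, and the observed feed are assumptions, and input is expected in Unicode form with single-label TLDs. `classify_label` works on any label, so it applies to package names as well as domains.

```python
import unicodedata

# Look-alikes named in the article. Assumption: illustrative, not a full table.
CONFUSABLES = {"rn": "m", "\u0430": "a"}  # "rn" for "m"; Cyrillic U+0430 for Latin a

def skeleton(label):
    """Fold known look-alikes so visually equal labels compare equal."""
    label = unicodedata.normalize("NFKC", label.lower())
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def classify_label(cand, brand):
    """Name the permutation that turns `brand` into `cand`, or None."""
    cand, brand = cand.lower(), brand.lower()
    if cand == brand:
        return "exact"
    if skeleton(cand) == skeleton(brand):
        return "homoglyph"
    if any(brand[:i] + brand[i + 1:] == cand for i in range(len(brand))):
        return "omission"
    if any(cand[:i] + cand[i + 1:] == brand for i in range(len(cand))):
        return "addition"
    if len(cand) == len(brand):
        d = [i for i in range(len(brand)) if cand[i] != brand[i]]
        if len(d) == 1:
            return "substitution"
        if len(d) == 2 and cand[d[0]:d[0] + 2] == brand[d[0]:d[0] + 2][::-1]:
            return "transposition"
    return "combosquatting" if brand in cand else None

def classify_domain(candidate, monitored):
    """Classify an observed domain against a monitored one (single-label TLDs)."""
    c_label, _, c_tld = candidate.rpartition(".")
    m_label, _, m_tld = monitored.rpartition(".")
    kind = classify_label(c_label, m_label)
    if kind == "exact":  # same label: only the TLD can differ
        return "tld-squatting" if c_tld.lower() != m_tld.lower() else None
    return kind

def scan(observed, monitored):
    """Map each observed domain to (monitored_domain, kind) where one matches."""
    pairs = ((d, m, classify_domain(d, m)) for d in observed for m in monitored)
    return {d: (m, k) for d, m, k in pairs if k}

# Constructed feed, as if taken from new registrations or CT log entries.
OBSERVED = ["rnicrosoft.com", "googkle.com", "wellsfargo.cm", "example.org"]
if __name__ == "__main__":
    print(scan(OBSERVED, ["microsoft.com", "google.com", "wellsfargo.com"]))
```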