1. Target selection: the attacker identifies a popular domain / package / blockchain handle (the victim needs high traffic for good ROI). 2. Variant generation: typos (transposition, insertion, deletion, substitution), alternate TLDs, plurals, ccTLD abuse (.cm/.co/.om), Unicode homoglyphs, foreign-language spellings. Tools like 'dnstwist' automate generating thousands of variants. 3. Registration: the attacker mass-buys/registers variants in a cheap registry (~USD 8-15 per domain per year, effectively free for PyPI/npm/GitHub packages, a few USD per ENS name). 4. Setup: (a) ad-parking — passive monetisation; (b) phishing page — clone of the real site to harvest passwords; (c) malware drop — drive-by download; (d) redirect to an affiliate link or competitor; (e) email catcher — collecting messages sent to a corporate typo domain. 5. Victim: the user makes a typo, clicks a spam link, or a script/app/AI assistant itself runs pip install typo-name. 6. Scaling: the attacker does not need to 'hit' a specific victim — a fraction of a percent of the domain's/package's users is enough. For a popular target (Google.com: millions of hits per day), 0.01% error rate yields hundreds of visits.
Typosquatting does NOT solve a problem — it IS an attack/exploitation of typing mistakes. It solves the ATTACKER'S problem: how to intercept traffic, transactions, or credentials without breaching the victim's infrastructure. Answer: seize a name the victim does not control that users will type by mistake.
The real, popular name the attacker will imitate: google.com, react (npm), vitalik.eth (ENS), amazonaws.com. Selection criterion: traffic volume × typo probability.
Official
An algorithm / tool that produces potential typos: dnstwist, urlcrazy, custom scripts. Takes into account keyboard adjacency, common errors (transposition, insertion, deletion), Unicode homoglyphs, plurals, TLD swaps.
Official
The system where the attacker registers the name: DNS registrar (GoDaddy, Namecheap), package registry (PyPI, npm, RubyGems, crates.io), blockchain naming system (ENS, Unstoppable Domains, ADAHandles), certificate registry.
Official
What the user sees/executes after reaching the squatted name: site clone (phishing), advertising (parking), drive-by malware, affiliate redirect, email catcher, malicious package post-install script.
Official
The company registers only google.com; goggle.com, gogle.com, google.co, google.om are left available to attackers. Lego spent ~USD 500k on UDRP AFTER the fact.
Unicode homoglyphs (Cyrillic, Greek) are visually indistinguishable to the user. A doppelganger domain missing a period is often noticed only after login.
For years, PyPI/npm/RubyGems did not enforce maintainer identity verification; typosquatting a package (requests → requsts, python-dateutil → python-datetutil) was trivial.
On ENS/Unstoppable Domains, cryptocurrency sent to the wrong address is irreversible. The victim has no UDRP or chargeback — the funds are gone.
The US Congress passes ACPA — the first formal recognition of typosquatting as an actionable offense. Section 3(a) extends 15 USC 1117 with sub-section (d)(2)(B)(ii). Complements UDRP at WIPO (active since 1999).
McAfee documents the amount of malware installed via drive-by download on goggle.com — a typo of google.com. SpySheriff, a rogue anti-spyware, becomes the emblematic payload.
Ben Edelman and Tyler Moore publish 'Measuring Typosquatting Perpetrators and Funders', showing that typosquatting generates ~USD 500M/year from Google typo domains alone (New Scientist 2010).
John Oliver, on 'Last Week Tonight', registers equifacks.com, experianne.com, tramsonion.com to demonstrate how trivial typosquatting is.
Digital Shadows reports detecting more than 550 typosquats related to the US 2020 presidential election (candidates, campaign committees).
malware.news documents Magniber ransomware distribution via Chrome/Edge typo domains — the first major malware family using typosquatting as its main vector.
Muzammil et al. (APWG eCrime 2024) publish the first large-scale measurement of typosquatting in ENS, Unstoppable Domains, ADAHandles. Thousands of cryptocurrency transactions sent to squatted addresses. IEEE doi:10.1109/eCrime60373.2024.10896082.
Have I Been Squatted + Ctrl-Alt-Intel report (February 2026) the 'Diesel Vortex' phishing campaign by a Russian-Armenian cybercrime group. Targets: freight and logistics companies in the US and Europe. Outcome: >1,600 unique credentials stolen from logistics platforms. CERT-EU issues Cyber Brief 26-03.
July 2026: a Tel Aviv University + Technion + Intuit team publishes HalluSquatting. Instead of guessing user typos, the attacker determines which names LLMs hallucinate in code recommendations and pre-registers exactly those. A fundamental vector shift: from user typos to AI hallucinations.
Which generation mechanism is used: classic typo, TLD swap, homoglyphs, combosquatting, doppelganger domain, ccTLD abuse.
DNS (domain names), package registry (npm/pypi/rubygems/crates.io), blockchain naming (ENS/UD/ADAHandles), social handles (X, Instagram, GitHub org).
How the attacker profits: ad parking, credential phishing, malware distribution, affiliate marketing, cryptocurrency theft, selling the domain to the brand.
The trigger is external (a human error, an LLM hallucination, IDE autocompletion), not in the attack code.
Activation depends on what the victim types or what the name resolver picks (DNS, a package-registry resolver, a model search, or an LLM agent tool selector).
Hundreds or thousands of variants can be maintained in parallel; each one operates independently and only triggers when a victim mistakes it.
Typosquatting is a social-engineering + registry attack — it does not depend on the CPU, GPU, TPU or accelerator. It appears wherever there is a namespace with name registration.