Project Evolution

We began developing a proof of concept in September 2019 with a single domain block list, the Spamhaus Domain Blocklist, DBL.

We chose a subset of twenty-three Top-level Domains and began collecting Spamhaus DBL data daily for these. We complemented the metadata that the DBL provides by adding DNS zone data, domain name and IP Whois (or RDAP), and ICANN registry statistics. From this data set, we produced our report, Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access.

Learning from our experience with this proof of concept, we modified our methodology, developed a schema for composite records, and adopted a framework that would accommodate collection of threat intelligence information for multiple threats, from multiple threat intelligence data sources. The report, Phishing Landscape 2020: A study of the Scope and Distribution of Phishing, proved the viability of this experimental platform.


Having demonstrated that the framework can expand to collect and warehouse threat intelligence data from multiple sources for a single cybercrime (phishing), we began to collect threat data for other malware and spam. We met our benchmark dates for 2021 and 2022. We transitioned most of our system to a production environment, acquired partners who contributed threat intelligence feeds and passive DNS data, and developed new methodologies for phishing and malware.

We have published Phishing Landscape studies from 2021 to 2024 and Malware Landscape studies in 2021, 2022 and 2023. We published our first Cybercrime Supply Chain study, which looks at cyberattacks that use spam, malware and phishing in combination or sequence, in 2023.

Project Evolution and Timeline

As the timeline illustrates, our project development includes both ongoing reporting of measurements of cybercrimes that we have successfully folded into the Center platform (e.g., phishing in 2020) and expansion into additional cybercrimes for which we are able to obtain multiple, high-confidence sources of threat intelligence data. As we expand in these two areas, we intend to explore opportunities for academic collaboration, where academic instit