March 13, 2024
Web2/Web3 crossover: Brand-related crypto-infringements
Web2/Web3 crossover: Brand-related crypto-infringements

Following on from our initial article on the emergence of connections between the classic Web2 world and the decentralised Web3 world[1], we take a deeper dive into this evolving landscape. Linkages (or ‘crossover’) between the Web2 and Web3 ecosystems can take a variety of forms, including instances where specific domain names resolve to content in both environments (as is planned for the offerings on .box and .shib), cases where Web2 URLs ‘map’ to Web3 content (as for the service)[2], and promotion of Web3 services and offerings within the Web2 landscape – or a combination of all of these.

One increasingly common manifestation of this crossover is the promotion of (potentially fraudulent) cryptocurrencies (or related services such as exchanges) claiming to be associated with, or endorsed by, well-known and trusted brands, or making unauthorised use of branded imagery. In many cases, this type of infringement occurs in conjunction with the use of a branded domain registration, typically featuring the brand name in conjunction with a relevant keyword such as ‘coin’ or ‘token’. Indeed, this type of infringement is becoming sufficiently popular that – of the large numbers of such registrations – many are being monetised through the inclusion of pay-per-click links or offers to sell the domain names (in some cases for prices of $1 million+), and many others are currently inactive suggesting that they have been registered speculatively, or with the intention of subsequent use or sale.

As of February 2024, there are over 154,000 registered gTLD domains with names ending with ‘coin’, ‘token’ or ‘deployer’ (an additional keyword sometimes used in these types of infringement). Of these, over 500 also include the name of any of the top twelve technology brands[3] (including organisations such as Apple, Google, Microsoft, Facebook and Amazon). Within this dataset, there are numerous examples of domains resolving to live sites using brand references to promote cryptocurrency-related content (Figure 1).



Figure 1: Examples of live sites using references to any of the top technology brands to promote cryptocurrency-related content (second-level domain (SLD) names (the part of the domain name to the left of the dot): applecoin, googlecarboncoin, amazonrivercryptocoin)


Beyond this list of companies, numerous other high-profile brands are also targeted in similar ways (sometimes using ‘mash-ups’ of multiple brands) (Figure 2), as are prominent figures such as technology leaders (Figure 3). Overall the X (Twitter) brand (together with Elon Musk specifically and the associated Grok AI brand) appear to be particularly heavily targeted (as also noted in previous articles[4],[5]).



Figure 2: Examples of live sites using other brand references to promote cryptocurrency-related content (SLD names: elonxtoken, grokcoin, gptcoin, aol-coin, grokacolacoin)



Figure 3: Examples of live sites using references to prominent technology leaders to promote cryptocurrency-related content (SLD names: bezos-coin, elonmarkcoin)


It is worth noting that several brand protection technology providers already offer VIP monitoring within their suites of services, in recognition of the fact that fraud campaigns of these sorts often capitalise on an outspoken SEO or brand leader, rather than simply the brand name. Individuals such as Elon, Bezos and Zuckerberg are commonly targeted, in addition to familiar figures in the Web3 world, such as Michael Saylor, the founder of Microstrategy. This type of abuse is well established in the Web3 world, but may be becoming more common generally, perhaps in view of the increasing ‘media-savvy’ nature of these industry leaders and their interactions with social media.

It is also informative to consider similar trends of infringement activity across the blockchain domain landscape since – by the very nature of the Web2/Web3 crossover – we might expect these types of scams to be associated with analogous registrations in the Web3 environment. Based on data from Dune Analytics[6], we consider one year’s worth of .eth blockchain domain registrations through the major Ethereum Name Service (ENS) provider.

The dataset gives 7,266 .eth blockchain domains with names containing ‘coin’, ‘token’ or ‘deployer’ registered between 22-Feb-2023 and 22-Feb-2024. Of these, 37 also contain the names of any of the top twelve technology brands considered previously, and an additional 69 were found to contain the names of other brands or individuals (including Twitter (and the misspelling ‘Tvvitter’), Grok, GPT, Yahoo, iPhone, Blackrock, and Elon, Musk, and Bezos) commonly targeted in the same way. As of the time of analysis, none resolved to any live content, although this type of infringement clearly continues to be of active interest to bad actors, and means the space is worthy of monitoring for developments.

A final note is that there is no clear long-term trend over the one-year analysis period, although there were two notable spikes in activity on 10 and 12-Dec-2023 (Figure 4). Many of the associated domains appear to constitute ‘clusters’ of similar names targeting prominent celebrities, with multiple examples of domains of the form [name]deployer.eth all registered at the same time, presumably by one or more related entities. For example, a batch of 45 celebrity infringements is recorded at 10:45 on 12-Dec-2023, with examples including jeffbezosdeployer.eth, andrewtatedeployer.eth, johnnydeppdeployer.eth, arnoldschwarzeneggerdeployer.eth, kaynewestdeployer.eth (possibly a non-deliberate typosquat?), angelinajoliedeployer.eth, scarlettjohanssondeployer.eth, edwardsnowdendeployer.eth, mileycyrusdeployer.eth and dollypartondeployer.eth.



Figure 4: Daily numbers of registrations of ENS .eth blockchain domains with names containing ‘coin’, ‘token’ or ‘deployer’










Online Brand Enforcement /  Domains /  Tech

Found this article interesting today?
Send us your thoughts: